> For the complete documentation index, see [llms.txt](https://cybersecurity-cloud-and-it-notes.gitbook.io/kyles-cybersecurity-cloud-and-it-gitbook/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://cybersecurity-cloud-and-it-notes.gitbook.io/kyles-cybersecurity-cloud-and-it-gitbook/google-cybersecurity-professional-cert/2.-play-it-safe-manage-security-risks/use-siem-tools-to-protect-organizations.md).

# Use SIEM tools to protect organizations

Alright, let's break this down into an ADHD-friendly explanation while still keeping all the details. Imagine you’re a security analyst in charge of protecting a large, complex organization from cyber threats. You’re like a digital detective, and the tools you use to keep an eye on everything are SIEM (Security Information and Event Management) tools. These tools organize and show you data from all over the network so you can spot anything fishy, like a cyberattack or a suspicious user behavior. It's a bit like being a detective at a command center, watching a bunch of monitors, looking for clues to prevent something bad from happening.

#### Splunk Overview

Splunk is one of these detective tools. Think of it as a high-tech magnifying glass. There are two versions: Splunk Enterprise (which runs in your organization) and Splunk Cloud (which lives in the cloud). Both help you monitor your organization’s data, from logs (which are like a record of everything happening on a computer system) to activity across all your systems. The point is to give you a bird’s-eye view of what's going on, so if something is off, you can catch it.

Splunk provides several different dashboards, which are like different sets of glasses you can put on to look at the data from different angles. Here are the key ones:

**1. Security Posture Dashboard**

Think of this as a quick snapshot of the organization’s security health in the last 24 hours. It’s like looking at a dashboard in a car. You see your speed, fuel, and any warnings like engine lights. Similarly, this dashboard shows security events, like whether there's a flood of suspicious traffic coming from a specific IP address. It’s designed for Security Operations Centers (SOCs), the teams that watch over everything in real-time. Analysts here are like cops monitoring a city from a central station, and this dashboard helps them catch crimes in progress.

**2. Executive Summary Dashboard**

This dashboard is more for the big picture—a longer-term view of security. It’s like the car's trip history. You might use it to show high-level insights to your boss or other stakeholders. For instance, it might summarize security incidents over the past month and reveal patterns like, "Hey, there’s been a rise in phishing attempts." It helps security teams make better decisions to improve overall safety, rather than just focusing on putting out fires day to day.

**3. Incident Review Dashboard**

This one’s like a detective board showing you everything leading up to a big incident. You see timelines of events, such as when a breach started and what actions led up to it. It’s very visual, so you can spot patterns easily. Think of it as the board where detectives pin photos and connect clues with red string to figure out who the culprit is.

**4. Risk Analysis Dashboard**

Imagine a spotlight shining on risky stuff. This dashboard points out who or what (e.g., users, computers, IP addresses) poses a risk. It's like being able to zoom in on specific suspects in a crowd. It might tell you something like, "This user has been logging in during strange hours," which could be a red flag. Analysts use this to prioritize what needs the most attention, like figuring out which threats are the most dangerous.

#### Chronicle Overview

Chronicle is another SIEM tool, but this one is made by Google and runs completely in the cloud. Chronicle helps you search and analyze logs from all over the organization. It’s like a giant filter for your detective work, helping you hone in on specific assets (like computers or users), domain names, or IP addresses. You use Chronicle to detect patterns and spot the bad guys lurking in your systems.

Chronicle also has its own set of dashboards, which, like Splunk’s, help you visualize all this data.

**1. Enterprise Insights Dashboard**

This dashboard highlights suspicious stuff. Imagine it as a radar showing blips on the screen, like unusual activity or domain names that are known to be associated with bad actors (called "indicators of compromise" or IOCs). Each blip comes with a "confidence score" (how likely it is to be a real threat) and a "severity level" (how serious the threat is). It’s like scoring a detective lead—some clues are more solid than others.

**2. Data Ingestion and Health Dashboard**

This is the techy side of things. Think of it like checking the pipes that bring all the data into your system. It shows you how many logs are coming in, where they’re coming from, and if there are any problems in the flow. If something’s broken, the logs (your clues!) won’t get to you properly. Analysts use this to make sure the data keeps flowing smoothly.

**3. IOC Matches Dashboard**

This dashboard is your "top threats" list. It’s like a most-wanted board in a police station. It shows you the riskiest domain names, IP addresses, or devices, helping you figure out which threats need the most attention. This helps the security team focus on the bad guys who are causing the most trouble, like spotting patterns of suspicious login attempts from odd places.

**4. Main Dashboard**

The main dashboard is your command center overview. It's a high-level summary of all the data going through Chronicle, alerting you to any unusual activity. It’s like looking at the overall crime map of the city, giving you a bird’s-eye view of all the security events happening over time.

**5. Rule Detections Dashboard**

This dashboard tracks the rules you've set up to detect specific security incidents. Imagine you’ve set a rule to get an alert anytime a user tries to open a malicious email attachment. This dashboard shows how often that rule gets triggered, giving you a feel for which incidents happen most frequently. This way, you can prioritize the recurring issues and figure out long-term solutions.

**6. User Sign-in Overview Dashboard**

Lastly, this one’s like monitoring who’s coming in and out of the building, but digitally. It tracks all user sign-in events, helping you spot weird patterns, like someone logging in from two different countries at the same time. This dashboard helps you sniff out suspicious behavior that might indicate a user’s account is compromised.

#### Key Takeaways

The key idea here is that these SIEM dashboards help cybersecurity professionals get organized. They simplify the huge amount of data flowing into an organization’s systems, letting analysts focus on the highest-priority risks, vulnerabilities, and threats. It’s like having a bunch of specialized detective tools to keep an eye on everything, so you can quickly figure out where the real dangers are and handle them before they cause too much damage.

#### To make sure we’re on the same page:

Before we dig deeper into more technical details about SIEM tools, I want to check your familiarity with a few core concepts:

1. **Log data**: How familiar are you with what logs are and how they’re used in cybersecurity?
2. **IP addresses and domains**: Are you comfortable with how IP addresses and domain names work?
3. **Indicators of Compromise (IOCs)**: Have you worked with IOCs before or know what they signify?
4. **Risk analysis and prioritization**: How comfortable are you with assessing risk and determining what to focus on first?

Let me know, and I’ll tailor the next part of the lesson based on your answers!
