Welcome to my Enterprise Security video playlist. This time we're going to be covering correlation searches. This is a fancy word for a saved search that creates an alert; that's really what it comes down to. They call them notables. There's a lot of terminology involved, but the ultimate concept is: a correlation search is a search that fires off at predefined periods of time, maybe every five minutes, every hour, searches back across your logs for certain behaviors, and if it sees it, it creates an alert. You can make it create a notable; technically it doesn't have to create a notable, and I'll explain how that works, but it's really just a saved search. So let's break right into Enterprise Security and let's talk about that.
So I come into Enterprise Security. We're going to show what already comes out of the box. So if I go to Configure (I'm in my Enterprise Security) and I come into Content and I go to Content Management, these are all the knowledge objects that come with Enterprise Security, and I'm going to flip this to Correlation Search. I click that, and we can see that it's going to come back with lots and lots of results, 58-plus pages of them, and multiple to a page. You can read this. So I'm just going to go to the very first one, and this is "Abnormally High Number of Endpoint Changes By User". If I open this up a little bit: "Detect abnormally high number of endpoint changes by user account as it relates to restarts, audits, file system, user, registry notifications". If I go into this, I'm actually going to be able to see the query. I'm not going to explain it, because I can already tell you it's probably going to be written with lots of data models and macros, but out of the box you can see here's the query, and basically it's going to look at your data model. You'll hear me talk about data models; I've discussed data models. This is going to be the Endpoint data model, and it's going to look at file systems for changes by the user. It's going to do a bunch of other things, and ultimately it's going to come back and say whether you meet a certain criteria, and you can see that it's actually using the Machine Learning Toolkit. So down here it's actually building a threshold, saying what is the normal amount of changes, and is it jumping out of that normal level. It's really cool; they put some really cool analytics out there for you, and you can just use what they've got.

What I love is... I hear "oh, well, aren't correlation searches attached to MITRE frameworks?" Well, you can see the very first one: sometimes they are, but here are the frameworks. I've heard this in my own work: "well, they're all mapped to MITRE". Well, are they? I'll just grab the very first one, and there's no MITRE technique mapped. What should it be? Well, there's a lot of things that could cause a MITRE technique; if there's endpoint changes it could be many different types of tactics, then I'd have it mapped. You could come in here and you could map it; we'll discuss that later. But the point is, we come down here (make that go away, that's all) and we can see that it's looking back 1450 minutes and the latest time is zero. This runs at five after the hour; that's how I read that, five after the hour. If the results are greater than zero, it groups by user and change type, and we see that it does not create a notable; it actually just provides a risk analysis. We'll discuss risk analysis when we talk about RBA, but the point is you can make it do a bunch of adaptive responses.
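As an added illustration (not the shipped search, whose real SPL uses MLTK and ES macros), here is what a correlation search with that same shape looks like once it is saved to savedsearches.conf in the ES app: a tstats query over the Endpoint data model, a 1450-minute lookback, a cron of five past the hour, a results-greater-than-zero trigger, throttling on the user and action fields, and a risk action instead of a notable. The stanza name, the fixed count threshold that stands in for the MLTK baseline, and the risk score are assumptions made for the example; the JSON form of `action.risk.param._risk` is the ES 6.4+ format as I understand it and should be checked against your ES version.

```ini
# Added example: a hand-written correlation search stanza in
# $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/savedsearches.conf
# (illustrative; not the shipped "Abnormally High Number of Endpoint Changes By User" search)
[Endpoint - Example High Endpoint Change Count - Rule]
# A fixed count threshold instead of the MLTK baseline the shipped search builds
# (assumption: more than 50 file changes of one type per user per day is worth a look)
search = | tstats summariesonly=true count from datamodel=Endpoint.Filesystem \
    where (Filesystem.action="created" OR Filesystem.action="modified" OR Filesystem.action="deleted") \
    by Filesystem.user, Filesystem.action \
  | rename Filesystem.* as * \
  | where count > 50
# Look back 1450 minutes up to now, running at five past every hour
dispatch.earliest_time = -1450m
dispatch.latest_time = -0m
cron_schedule = 5 * * * *
enableSched = 1
schedule_window = auto
realtime_schedule = 0
# Trigger condition: number of results greater than zero (any user over the threshold)
counttype = number of events
relation = greater than
quantity = 0
# Throttling: the "fields to group by" in the UI; one result per user/action pair per day
alert.suppress = 1
alert.suppress.fields = user,action
alert.suppress.period = 86400s
# Mark it as an ES correlation search; no ATT&CK technique mapped, like the shipped one
action.correlationsearch.enabled = 1
action.correlationsearch.label = Example High Endpoint Change Count
action.correlationsearch.annotations = {"mitre_attack": []}
# Adaptive response: risk only, no notable
# (assumption: ES 6.4+ JSON risk format, 20 points against the user object)
action.risk = 1
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 20}]
action.risk.param._risk_message = $user$ made $count$ endpoint $action$ changes in the last 24h
action.notable = 0
```

After saving the file, reload the app (a Splunk restart, or the debug/refresh endpoint on the search head) and the search shows up under Configure > Content > Content Management with the same Schedule, Trigger Conditions and Adaptive Response values the editor displays for the shipped searches; `splunk btool savedsearches list "Endpoint - Example High Endpoint Change Count - Rule" --debug` shows the merged stanza if something does not line up.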
My job here is not to help you understand every correlation search that comes out of the box. I'm here to discuss the part that most people don't know how to do: create your own. So I've shown you that you can go look through there. The documentation on Splunk says 1400-plus; I don't know how they define what a correlation search is. I'm going to tell you that it's a lot; there's a lot of them. And by default (Enterprise Security is smart) they do not come enabled. If I look at the enabled correlation searches, this is mine that I was using as I started to help understand Enterprise Security, and these two were turned on, and this is for the risk-based approach. Other than that, there are no correlation searches enabled out of the box. Why? Well, one, they don't want to turn something on that doesn't fit your data set. Two, often you have to tweak them. The correlation search is great, but it's not always going to be perfect for your environment, and so as a general rule they're there as guidance. Use them when they make sense: turn one on, test it, see how it works, and if it doesn't, modify it, and typically you'll just clone the correlation search and build your own anyway. Enough talking about that; let's talk about actually building my own correlation search.
So I'm in Configure, Content, and I went to Content Management. If I do Create New Content, that's how I'm going to build one, and so we're going to create new content and we're going to make a correlation search. This is the way that I do correlation searches; that doesn't mean it's the way that it has to be done, but it's the way that works for me. I'm going to call this (I would hopefully have a much better name for this) "YouTube correlation search". Horrible name, because someone who comes across this will have no idea what it's for, but for me, when I need to purge stuff from my system, it's really easy and it stands out. So I'm going to put it that way. Then here in my description I'm going to go "grab one event from network logs". I'm not actually going to build something that I'm looking for; that's not the point of this video. I'm just showing how to build one, and I want them to always fire, so I'm going to fudge the numbers so that I always get what I want.

And so the first thing I do is, I don't try to build a search through here. You can use guided mode; cool, it'll allow you to pick data models, you can pick fields from it. So if I enable the guided mode you'll see it'll say, all right, what data model do you want to look at? I might come down to Network Traffic. And what data set do I want to use? All Traffic. Do I want to use summaries only? I'll discuss summaries only later; this is not the place for it. Time range, and there is your basic query. I can run the search and see how it looks. Then I'm going to hit Filter, and filter would be like All_Traffic.dest_ip... oh, it's a Boolean where, and I actually don't know how to make this work, All_Traffic dot... I'd have to go look this up. Well, that's not very helpful there. The point is, I'm not actually going through the guided search tour; I'm going to stay right here with a manual query where I can write it. It does have guided; again, you've got to understand exactly what you're pulling. Guided is nice if you know; follow the docs. I'm not here for following the docs.

I'm here to take a query. This is my home network. I'm going to look at the Corelight logs, I'm going to look at my Corelight conn logs, and I'm going to say where source IP is 192.168.0.*. That is only so I make sure that I'm looking at a specific subnet section of my network. This is primarily my network designed for doing Splunk videos, and so this isn't my whole... this is part of my home network, but it's a subnet on my network that I use for testing, pen testing, setup of systems that I stand up and tear down, and so I just want to know what they're doing. And so I wanted the source IP; maybe you don't want the source IP. All I really cared about, though, is I just wanted this because ultimately later on I'm going to do inventory, and I'm going to have a very simple inventory of that subnet, and so I only want IPs where at least one piece of the data ties to my inventory. And so as you can see, this here has nothing to do with my network, but this one does, and I'm going to do a head 1 because I don't want lots and lots of results. Basically I want a query, and I'm always going to return one result as long... and that's what I built. This isn't bad; this isn't actually a known bad. I just wanted data to come back so then I can put other stuff on it.

I'm doing this as a demo for you guys to understand how to build a query. You would want to build a query that actually is looking for something malicious. Right now I just want a query to return a result so that when I do my next video about triage and the triage system, there are actually tickets coming in. If I write a query that's looking for bad, well, that bad better be occurring on my network or it's not going to fire, and so it's a lot harder to troubleshoot if the thing is working, if you're building queries right, if you build something that you hope to not actually see on your network. So I actually hope to see Corelight conn logs; I sure hope so, that means my network has traffic. Anyway, I'm just going to put the head 1 because I only wanted to create one alert. If I let it come back, every event that comes back in here would be a notable alert. I don't want my triage system getting inundated, so I'm just going to do this head 1.
Now I'm going to map it. I'm going to go to MITRE and I'm going to put in some techniques. So I'm going to go T1143; I actually can't remember what all these mean off the top of my head, you can go look them up. I'm going to say this, and this has no basis whatsoever, but again these videos are going to build on themselves, and so I'm building these MITRE ATT&CK mappings so when I go to the RBA section of this video playlist you'll see how it maps all the different techniques together. And so I'm going to put this down here, and actually, because I want this to work on my system, I'm going to actually do... I want it always to be .128. That way I'm only going to get alerts that are relating to this system. That means my risk-based approach will cross the threshold; that actually makes a lot more sense for me. I'll explain that when we actually get to RBA, but basically I'm going to give me an alert every time .128 is the source of network traffic, and that should fire off quite frequently. Ignore the picture up in the top; we're just going to move on. Head 1; my videos are done rendering anyway. So I'm going to map it to these TTPs. Again, this is all for demo purposes, so I just picked some TTPs, and I can come down here and I can put a confidence score, an impact score. Context analytics, we're just going to leave that alone for now. I can create my own framework.

And now here it's going to say how far back do I want to look. Do I look back 24 hours? I could, but I know how often my logs are firing. I'm going to look back one hour; it doesn't really matter because I'm just grabbing head 1. And I probably get hundreds of events every... probably thousands of events every hour on this particular subnet, and so it's not going to be a problem getting data. I'm going to look back one hour to now, and how often do I want it to run? You know what, I'm going to let it run every five minutes, and that's going to be important so that I actually have events, and that'll work. I'm going to come down here and I'm going to say, do I want it to run as real time or continuous? We'll just leave it at its default. What's my scheduling window? Again, I'm not going over these; this is just basically how you want to run your times. I'm going to run this every five minutes. Schedule priorities in case there's conflicts; hopefully with your Enterprise Security you actually do not overload your system, so these become a big deal.

Trigger conditions: number of results greater than zero. That's always going to be the case because I'm getting back one, but if I want to do thresholds, I could make it so the thing has to occur at least 10 times or 15 times or whatever. Then window durations, fields to group by. That's it, that's all I want to deal with. Really the only places I play around with this: I wrote a query in the most basic format to get your correlation searches going, pick a search; I would tie it to an annotation but you don't have to, not required; you come down here, pick your time window, these three boxes: how far back do you want to look, latest time, earliest time, and your cron schedule. And then you really don't have to touch anything else except this Add Adaptive Response. I'm going to come and modify this in a minute; when we talk about RBA I'm going to put a risk analysis. For the sake of keeping this simple I am only going to do notables for now. So I'm going to come in here and I'm going to click Notable, and a notable is an alert that goes to your triage system.
I'm going to go "YouTube notable", give it a description. I can actually use variable substitution, so I'm going to do "alert for $src_ip$". I need to make sure that field comes back, and this does have a source IP so I can use it, and you just call it with the dollar sign on both sides of a variable, and that'll be dynamic, and so my description will come back with this. And just because I want to... what if I do... yeah, we'll just leave it at that. "YouTube notable"; security domain: there are a bunch of domains. This is dealing with access areas, that would be authentication; endpoint, a lot of your host logs; network logs; threat; identity; and audit. And so those are the six areas Splunk casts as security domains. We'll put it as Network, in the Network domain. I'm going to put the severity as Low, and default owner; I can put in these, I can leave it unassigned. I'm going to put it as unassigned to start with; again, you don't have to. Default status, I'm going to put it as unassigned.

And I could put a drill-down search in there, and let's do that. We're going to take this very same query, just to keep things really simple. One of the very first drill-downs I want to put in there is the actual query that created this log, but in this case I'm not going to put head 1; I'm going to take the head out. Oh, it looks like I've lost the .128 on there. .128; make sure .128 is up here. Yeah, it is, okay. And I can choose the drill-down search name; it will be "See what caused alert". There are other ways of doing this, I'll show, but I'm just going to create a few drill-down searches, and here we're just going to do "Why is this drilldown exist". I just want to show I can go search anything: index=_internal. Why would you be looking at your internal logs? It doesn't really matter. Well, actually, let's just do this: I'm going to put in $src_ip$, so I'm basically looking in my internal logs and I'm going to see if I find that IP address popping up. It's just kind of an interesting way you can add additional searches to your information. So I'm going to be searching my internal logs for the source IP.

And I hope you saw this: earliest offset, latest offset. You can change this, or you can let it just go by its default, or you can say, for here I'm going to go plus... this is the earliest, for example, one hour, and I'm going to leave the other one as zero. Does that make sense? I hope this helps. I can change my time; it's basically going to look in this window, one hour back, based off of the time this event occurred. So this might actually look a little bit in the future; this can look a little bit in the future, it's going to use time in the back. So let's go: we're going to go one hour one way; this is going to go one hour in the future and one hour in the past. Sounds good.
I'm going to leave my investigation profile alone. And these are asset and identity extractions, and what it's going to do is it's going to identify identities, these are users and stuff like that on your network; assets would be like IPs and machines, and files and URLs that it might have found. We've got assets here: src, dest. Do my logs contain src and dest? Well, let's go look. Head 1: do I actually have a src and a dest here? I have a source IP but no src, so I don't have the field it's looking for to be able to identify it. So what I need to do is I need to come in here and I'm going to go src_ip; except it's on identity, and the IP is an asset, so I'm going to come in here and I'm going to go src_ip, and just because we might want to identify the other machine in question, we're going to put dest_ip in there as well. So I'm going to have my source IP and my destination IP; they're going to be assets that are extracted, and that's all I'm going to do. I just want to make sure that anything that might be identifiable in these queries (not these queries, the query up here), we call them out. And I hope all this will make more sense as you actually see the stuff come back.

There's just a lot of capabilities here. I can write steps if I want to. I can set things up to, for example, send an email, stream capture if you have Splunk Stream, nbtstat, lookups. You can make your system do a lot of things; like, I could have Splunk go ping an IP address. You know what, in a little bit I'll actually show me doing that. I can have it do a risk analysis, run a script, send to UBA, send a Splunk Mobile (Splunk Mobile is really cool, now it's being sent to my phone), add threat intelligence from it, webhooks, whatever you have. Lots of capabilities; you don't need to do it. The minimum you need for a notable: title, description. You don't even need these drill-downs, you can let this be set as default. Probably should pick a security domain, and literally that's it. It's a lot more helpful if you can identify your stuff coming back as identities and sources, and I'm going to show you that in the next video with workbenches and stuff like that, but for the sake of this, don't worry about it. Just know that it's good if you can call it out, but if you don't, it's not like the query will break. I'm going to hit Save.
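The correlation search built above, written out as the savedsearches.conf stanza that the Content Management editor produces behind the scenes. This is an added example reconstructed from the settings chosen in the walkthrough, not a file from the video: the index name `corelight`, the sourcetype, the CIM field name `src_ip`, the stanza name and the drill-down offsets in seconds are assumptions, the key names are the ES 6.x ones, and the JSON `drilldown_searches` form used for the second drill-down is the newer multi-drill-down format as I understand it, so check the result against your version with btool.

```ini
# Added example: the "YouTube correlation search" from the walkthrough as it lands in
# $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/savedsearches.conf
# (reconstructed from the UI choices; index, sourcetype and field names are assumptions)
[YouTube correlation search]
description = grab one event from network logs
# Corelight conn logs for the one demo host; head 1 so each run raises at most one notable
search = index=corelight sourcetype=corelight_conn src_ip=192.168.0.128 | head 1
# Look back one hour to now, every five minutes, continuous (not real-time) scheduling
dispatch.earliest_time = -60m
dispatch.latest_time = now
cron_schedule = */5 * * * *
enableSched = 1
realtime_schedule = 0
schedule_window = auto
schedule_priority = default
# Trigger whenever at least one row comes back
counttype = number of events
relation = greater than
quantity = 0
# ES correlation-search metadata and the placeholder ATT&CK mapping picked in the video
action.correlationsearch.enabled = 1
action.correlationsearch.label = YouTube correlation search
action.correlationsearch.annotations = {"mitre_attack": ["T1143"]}
# Adaptive response: notable only (the risk action is added later in the series)
action.notable = 1
action.notable.param.rule_title = YouTube notable
# $field$ tokens are filled from the result row, so src_ip must be returned by the search
action.notable.param.rule_description = alert for $src_ip$
action.notable.param.security_domain = network
action.notable.param.severity = low
action.notable.param.default_owner = unassigned
# Drill-down 1: the triggering search without head 1; offsets are seconds around the event time
action.notable.param.drilldown_name = See what caused alert
action.notable.param.drilldown_search = index=corelight sourcetype=corelight_conn src_ip=192.168.0.128
action.notable.param.drilldown_earliest_offset = 3600
action.notable.param.drilldown_latest_offset = 0
# Drill-down 2: the _internal lookup for the same IP
# (assumption: ES 6.4+ JSON list format for additional drill-downs)
action.notable.param.drilldown_searches = [{"name": "Why is this drilldown exist", "search": "index=_internal $src_ip$", "earliest_offset": "3600", "latest_offset": "0"}]
# Asset extraction: both ends of the connection, so Incident Review can enrich them from the asset lookup
action.notable.param.extract_artifacts = {"asset": ["src_ip", "dest_ip"], "identity": [], "file": [], "url": []}
```

Two checks worth doing before relying on a stanza like this: run the `search =` line in Search & Reporting over the same window and confirm `src_ip` and `dest_ip` are present in the output (an empty `$src_ip$` in the description is the usual sign they are not), and confirm in Content Management that Next Scheduled Time is populated after the first run, which is the same "is it actually scheduled" check the walkthrough does by hand.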
And I should have a correlation search done. Now I'm going to have to wait; I probably just missed my window. It's supposed to be kicking off five minutes after the hour, so I can almost guarantee that if I come to Incident Review I will not find an alert called "YouTube notable". I'm going to have to wait till five more minutes go by, but let's go ahead and check that. So I can come down, I can refresh the page here, or I can refresh the page here, but either way, that is not the purpose of this video; it's not to look at the incidents coming in. Mine was to talk about correlation searches and how to make my own. I have set up a correlation search, and so I've accomplished my task. I'm going to come see it here: Configure, Content, Content Management. My new correlation search is in here; we can see that when I go to all correlation searches, and when you create them, by default they are enabled. So if I come in here and I filter to enabled, I can see "YouTube correlation search", my creation. If I want to make any changes to it, I just hit search. Now, that's interesting that it doesn't say that it's actually scheduled. All right, well, probably because it hasn't run the very first time; once it runs I should see here the next scheduled time. But it's really easy: just keep it under the enabled correlation searches. So, yep, there it is; now I've got a time for the next scheduled time stored in the Enterprise Security app.

What have we covered? We've talked about correlation searches, what they are: they're saved searches that can be used to create notables. Notables fill out tickets that you will go into a ticket triaging system, which we will cover in the next video in this playlist. Please look at the link below; notice that this is a playlist. Go ahead and join the playlist and watch the videos; this is meant to be a comprehensive training to help you understand Enterprise Security. Click that link. I've shown you how to see the correlation searches that come out of the box, and I've shown you how to create your own from scratch. I hope this has been helpful. I hope this helps you move from being a lame analyst to a Splunk ninja, and that you'll keep following, particularly this playlist; watch the videos in it, and I hope they're helpful. Anyway, hope to see you around.