[00:00:03] [Music]

[00:00:10] Welcome to my Enterprise Security video playlist. This time we're going to be covering correlation searches. This is a fancy word for a saved search that creates an alert; that's really what it comes down to. They call them notables. There's a lot of terminology involved, but the ultimate concept is: a correlation search is a search that fires off at predefined periods of time, maybe every five minutes, every hour, searches back across your logs for certain behaviors, and if it sees it, it creates an alert. You can make it create a notable; technically it doesn't have to create a notable, and I'll explain how that works, but it's really just a saved search. So let's break right into Enterprise Security and let's talk about that.

[00:00:59] So I come into Enterprise Security. We're going to show what already comes out of the box. So if I go Configure, I'm in my Enterprise Security and I come into Content, and I go to Content Management. These are all the knowledge objects that come with Enterprise Security, and I'm going to flip this to a correlation search. I click that. We can see that it's going to come back with lots and lots of results, 58 pages plus of them and multiple to a page. You can read this, so I'm just going to go to the very first one, and this is Abnormally High Number of Endpoint Changes by a User. If I go and open this up a little bit: detection of an abnormally high number of endpoint changes by user account as it relates to restarts, audits, file system, user, registry modifications. If I go into this, I'm actually going to be able to see the query. I'm not going to go explain it, because I can already tell you it's probably going to be written with lots of data models and macros, but out of the box you can see here's the query, and basically it's going to look at your data model. You'll hear me talk about data models; I've discussed data models, but this is going to be the Endpoint data model, and it's going to look at file systems for changes by the user. It's going to do a bunch of other things, and ultimately it's going to come back and say if you meet a certain criteria. And you can see that it's actually using the Machine Learning Toolkit, so down here it's actually building a threshold, saying what is the normal amount of changes and is it jumping out of that normal level. It's really cool; they put some really cool analytics out there for you. You can just use what they've got.

[00:02:53] What I love is... I hear, "Oh well, aren't correlation searches attached to frameworks?" Well, you can see the very first ones; sometimes they are, but here these are frameworks. I've heard this in my own work: "Well, they're all mapped to MITRE." Well, are they? I'll just grab the very first one, and there's no MITRE technique mapped. What should it be? Well, there's a lot of things that could cause a MITRE technique to... if there's endpoint changes, it could be many different types of tactics. Then I'll have a mapped... you could come in here and you could map it; we'll discuss that later. But the point is, we come down here, make that go away, that's all. We can see that it's looking back 1450 minutes and the latest time is zero. This runs at five after the hour; that's how I read that, five after the hour. If the results are greater than zero, it groups by user and change type, and we see that it does not create a notable; it actually just provides a risk analysis, and we'll discuss risk analysis when we talk about RBA. But the point is you can make it do a bunch of adaptive responses.

[00:04:10] My job here is not to help you understand every correlation search that comes out of the box. I'm here to discuss the part that most people don't know how to do: create your own. So I've shown you that you can go look through. The documentation on Splunk says 1400 plus; I don't know how they define what a correlation search is. I'm going to tell you that it's a lot; there's a lot of them. And by default, Enterprise Security is smart: they do not come enabled. If I look at the enabled correlation searches, this is mine that I was using as I started to help understand Enterprise Security, and these two were turned on, and this is for the risk-based approach. Other than that, there are no correlation searches that come out of the box. Why? Well, one, they don't want to turn something on that doesn't fit your data set. Two, often you have to tweak them. The correlation search is great, but it's not always going to be perfect for your environment, and so as a general rule they're there as guidance. Use them when they make sense: turn one on, test it, see how it works; if it doesn't, modify it, and typically you'll just clone the correlation search and build your own anyway.

[00:05:21] Anyway, enough talking about that. Let's talk about actually building my own correlation search. So I'm in Configure, Content, and I went to Content Management. If I do Create New Content, that's how I'm going to build one, and so we're going to create new content; we're going to make a correlation search. This is the way that I do correlation searches. That doesn't mean it's the way that has to be done, but it's the way it works for me. I'm going to call this... I would hopefully have a much better name for this, but I'm going to do "YouTube correlation search". Horrible name, because someone who comes across this will have no idea what it's for, but for me, when I need to purge stuff from my system, it's really easy and it stands out, so I'm going to put it that way. Then here in my description I'm going to go "grab one event from network logs". I'm not actually going to build something that I'm looking for; that's not the point of this video. I'm just showing how to build one, and I want them to always fire, so I'm going to fudge the numbers so that I always get what I want.

[00:06:33] And so the first thing I do is I don't try to build a search through here. You can use guided mode. Cool, it'll allow you... it'll pick data models, you can pick fields from it. So if I enable the guided mode you'll see the data; it'll say all right, what data model do you want to look at? I might come down to Network Traffic, and what data set do I want to use? All Traffic. Do I want to use summaries only? I'll discuss summaries only later; this is not the place for it. Time range, and there is your basic query. I can run the search and see how it looks. Then I'm going to hit Filter, and filter would be like All_Traffic... All_Traffic.dest_ip... oh, it's a Boolean where, and I actually don't know how to make this work. All_Traffic dot... I'd have to go look this up. Well, that's not very helpful there. The point is I'm not actually going through the guided search tour. I'm going to stay right here with a manual query where I can write it. It does have guided; again, you've got to understand exactly what you're pulling. Guided is nice if you know, follow the docs. I'm not here for following the docs.

[00:08:00] I'm here to take a query. This is my home network. I'm going to look at the Corelight logs; I'm going to look at my Corelight conn logs. I'm going to say where source IP is 192.168.0.*. That is only so I make sure that I'm looking at a specific subnet section of my network. This is primarily my network designed for doing Splunk videos, and so this isn't my whole... this is part of my home network, but it's a subnet on my network that I use for testing, pen testing, setup of systems that I set up and tear down, and so I just want to know what they're doing. And so I wanted the source IP; maybe you don't want the source IP. All I really cared about, though, is I just wanted this because ultimately later down I'm going to do inventory, and I'm going to have a very simple inventory of that subnet, and so I only want IPs where at least one piece of the data ties to my inventory. And so as you can see, this here has nothing to do with my network, but this one does. And I'm going to do a head 1 because I don't want lots and lots of results. Basically I want a query, and I'm always going to return one result as long... and that's what I built. This isn't bad; this isn't actually a known bad. I just wanted data to come back so then I can put other stuff on it. I'm doing this as a demo for you guys to understand how to build a query. You would want to build a query that actually is looking for something malicious. Right now I just want a query to return a result so that, when I do my next video about triage and the triage system, there are actually tickets coming in. If I write a query that's looking for bad, well, that bad better be occurring on my network or it's not going to fire, and so it's a lot harder to troubleshoot if the thing is working, if you're building queries right, if you build something that you hope to not actually see on your network. So I actually hope to see Corelight conn logs; I sure hope so, that means my network has traffic. Anyway, I'm just going to put the head 1 because I only wanted to create one alert. If I let it come back, every event that comes back in here would be a notable alert. I don't want my triage system getting inundated, so I'm just going to do this head 1.

[00:10:09] Now I'm going to map it. I'm going to go to MITRE and I'm going to put in some techniques. So I'm going to go T1143; I actually can't remember what all these mean off the top of my head; you can go look them up. I'm going to say this, and this has no basis whatsoever, but again, these videos are going to build on themselves, and so I'm building these MITRE ATT&CK mappings so when I go to the RBA section of this video playlist you'll see how it maps all the different techniques together. And so I'm going to put this down here, and actually, because I want this to work on my system, I'm going to actually do... I want it always to be .128. That way I'm only going to get alerts that are relating to this system; that means my risk-based approach will cross the threshold. That actually makes a lot more sense for me; I'll explain that when we actually get to RBA, but basically I'm going to give me an alert every time .128 is the source of network traffic, and that should fire off quite frequently. Ignore the picture up in the top; we're just going to move on. Head 1. My videos are done rendering anyway, so I'm going to map it to these TTPs. Again, this is all for demo purposes, so I just picked some TTPs, and I can come down here and I can put a confidence score, an impact score. Context analytics, we're just going to leave that alone for now. I can create my own framework.

[00:11:44] And now here it's going to say how far back do I want to look? Do I look back 24 hours? I could, but I know how often my logs are firing. I'm going to look back one hour. Doesn't really matter, because I'm just grabbing head 1, and I probably get hundreds of events every... probably thousands of events every hour on this particular subnet, and so it's not going to be a problem getting data. I'm going to go look back one hour to now, and how often do I want it to run? You know what, I'm going to let it run every five minutes, and that's going to be important so that I actually have events, and that'll work. I'm going to come down here and I'm going to say, do I want it to run as real-time or continuous? We'll just leave it at its default. What's my scheduling window? Again, I'm not going over these; this is just basically how you want to run your times. I'm going to run this every five minutes. Schedule priorities, in case there's conflicts; hopefully with your Enterprise Security you actually do not overload your system, so these become a big deal. Trigger conditions: number of results greater than zero. That's always going to be the case because I'm getting back one, but if I wanted to do thresholds I could make it so the thing has to occur at least 10 times or 15 times or whatever. Then window durations, fields to group by. That's it; that's all I want to deal with. Really the only places I poke around with this is: I wrote a query in the most basic format to get your correlation searches going, pick a search, I would tie it to an annotation but you don't have to, not required. You come down here, pick your time window, these three boxes: how far back do you want to look, latest time, earliest time, and your cron schedule. And then you really don't have to touch anything else except this Add Adaptive Response.

[00:13:31] I'm going to come and modify this in a minute. When we talk about RBA I'm going to put a risk analysis; for the sake of keeping this simple I am only going to do notables for now. So I'm going to come in here and I'm going to click Notable, and a notable is an alert that goes to your triage system. I'm going to go "YouTube notable", give a description. I can actually use variable substitution, so I'm going to do "alert for $src_ip$". I need to make sure that field comes back, and this does have a source IP so I can use it, and you just call it like you do, with the dollar sign on both sides of a variable, and that'll be dynamic, and so my description will come back with this. And just because I want to... what if I do... yeah, we'll just leave it at that. "YouTube notable". Security domain: there are a bunch of domains. This is dealing with access, areas that would be authentication; endpoint, a lot of your host logs; network logs; threat; identity; and audit. And so those are the six areas Splunk casts as security domains. We'll just leave it as... we'll put it as network, in the network domain. I'm going to put the severity as low, and default owner, I can put in these, I can leave it unassigned. I'm going to put it as unassigned to start with; again, you don't have to. Default status, I'm going to put it as unassigned.

[00:15:09] And I could put a drill-down search in there, and let's do that. We're going to take this very same query, just to keep things really simple. One of the very first drill-downs I want to put in there is the actual query that created this log, but in this case I'm not going to put head 1; I'm going to take the head out. Oh, it looks like I've lost the 128 on there. 128. Make sure 128 is up here. Yeah, it is, okay. And I can choose the drill-down search will be "see what caused alert". There are other ways of doing this; I'll show, but I'm just going to create a few drill-down searches, and here we're going to just do "why does this drill-down exist". I just want to show I can go search anything: index=_internal. Why would you be looking at your internal logs? It doesn't really matter. Well, actually, let's just do this: I'm going to put in $src_ip$, so I'm basically looking in my internal logs and I'm going to see if I find that IP address popping up. It's just kind of an interesting way you can add additional searches to your information. So I'm going to be searching my internal logs for the source IP. And I hope you saw this: earliest offset, latest offset. You can change this, or you can let it just go by its default, or you can say, for here I'm going to go plus... this is the earliest, for example one hour, and I'm going to leave the other one as zero. Does that make sense? So I hope this helps. I can change my time; it's basically going to look in this window, one hour back, based off of the time this event occurred. So this might actually look a little bit in the future; this can look a little bit in the future, it's going to use time in the back. So let's go... we're going to go one hour one way. This is going to go one hour in the future and one hour in the past. Sounds good.

[00:17:43] I'm going to leave my investigation profile alone, and these are extractions, and what it's going to do is it's going to identify identities; these are users and stuff like that on your network. Assets would be like IPs and machines and files and URLs that it might have found. We got assets here: source, dest. Do my logs contain source and dest? Well, let's go look, head 1. Do I actually have a source and a dest here? I have a source IP but no source, so I don't have the field it's looking for to be able to identify it. So what I need to do is I need to come in here and I'm going to go "source IP"... except it's on identity. The identity... it's an asset, so I'm going to come in here and I'm going to go "source IP", and just because we might want to identify the other machine in question, we're going to put dest IP in there as well. So I'm going to have my source IP and my destination IP; they're going to be assets that are extracted, and that's all I'm going to do. I just want to make sure that anything that might be identifiable in these queries... not these queries, the query up here, let's call them out. And I hope all this will make more sense as you actually see the stuff come back. There's just a lot of capabilities here.

[00:19:09] I can write steps if I want to. I can set things up to, for example, send an email, stream capture if you have Splunk Stream, nbtstat and nslookup. You can make your system do a lot of things, like I could have Splunk go ping an IP address. You know what, in a little bit I'll actually show me doing that. I can have it do a risk analysis, run a script, send to UBA, send to Splunk Mobile; Splunk Mobile is really cool, now it's being sent to my phone; add threat intelligence from it, webhooks, whatever. You have lots of capabilities; you don't need to do it. The minimum you need for a notable: title, description. You don't even need these drill-downs; you can let this be set as default. Probably should pick a security domain, and literally that's it. It's a lot more helpful if you can identify your stuff coming back as identities and sources, and I'm going to show you that in the next video with workbenches and stuff like that, but for the sake of this, don't worry about it. Just know that it's good if you can call it out, but if you don't, it's not like the query will break.

[00:20:14] I'm going to hit Save, and I should have a correlation search done. Now I'm going to have to wait; I probably just missed my window. It's supposed to be kicking off five minutes after the hour, so I can almost guarantee that if I come to Incident Review I will not find an alert called "YouTube notable". I'm going to have to wait till five more minutes go by, but let's go ahead and check that. So I can come down, I can refresh the page here, or I can refresh the page here, but either way, that is not the purpose of this video, to look at the incidents coming in. Mine was to talk about correlation searches and how to make my own. I have set up a correlation search, and so I've accomplished my task. I'm going to come see it here with Configure, Content, Content Management. My new correlation search is in here; we can see that when I go all correlation searches, and when you create them, by default they are enabled. So if I come in here and I enable, I can see "YouTube correlation search" for line creations. If I want to make any
00:21:27,480 --> 00:21:29,700 changes to it 551 00:21:29,700 --> 00:21:32,159 I just hit search now that's interesting 552 00:21:32,159 --> 00:21:33,480 that it doesn't say that it's actually 553 00:21:33,480 --> 00:21:36,140 scheduled 554 00:21:40,740 --> 00:21:42,960 all right well probably because it 555 00:21:42,960 --> 00:21:44,940 hasn't run the very first time once it 556 00:21:44,940 --> 00:21:47,039 runs I should see 557 00:21:47,039 --> 00:21:50,220 here the next schedule time but it's 558 00:21:50,220 --> 00:21:51,419 really easy just keep it under the 559 00:21:51,419 --> 00:21:53,900 enabled 560 00:21:54,539 --> 00:21:58,140 and correlation searches 561 00:21:58,140 --> 00:21:59,400 so 562 00:21:59,400 --> 00:22:01,500 yep there it is now I've got a time for 563 00:22:01,500 --> 00:22:03,240 the next scheduled time stored in the 564 00:22:03,240 --> 00:22:05,039 Enterprise Security app what have we 565 00:22:05,039 --> 00:22:06,780 covered we've talked about correlation 566 00:22:06,780 --> 00:22:09,419 searches what they are they're saved 567 00:22:09,419 --> 00:22:11,640 searches that can be used to create 568 00:22:11,640 --> 00:22:15,720 notables notables fill out tickets that 569 00:22:15,720 --> 00:22:17,760 you will go into a ticket triaging 570 00:22:17,760 --> 00:22:19,620 system which we will cover in the next 571 00:22:19,620 --> 00:22:21,600 video in this playlist please look at 572 00:22:21,600 --> 00:22:23,340 the link below notice that this is a 573 00:22:23,340 --> 00:22:25,140 playlist go ahead and join the playlist 574 00:22:25,140 --> 00:22:27,299 and watch the videos this is meant to be 575 00:22:27,299 --> 00:22:29,520 a comprehensive training to help you 576 00:22:29,520 --> 00:22:31,620 understand Enterprise security 577 00:22:31,620 --> 00:22:32,220 um 578 00:22:32,220 --> 00:22:35,100 click that link we have now create I've 579 00:22:35,100 --> 00:22:36,480 shown you how to see the correlation 580 00:22:36,480 --> 00:22:38,159 
search that come out of the box and I've 581 00:22:38,159 --> 00:22:40,080 shown you how to create your own from 582 00:22:40,080 --> 00:22:42,419 scratch I hope this has been helpful I 583 00:22:42,419 --> 00:22:44,299 hope this helps you move from being a 584 00:22:44,299 --> 00:22:47,700 lame analyst to a Splunk ninja that 585 00:22:47,700 --> 00:22:49,260 you'll keep following particularly this 586 00:22:49,260 --> 00:22:51,120 playlist watch the videos in it and that 587 00:22:51,120 --> 00:22:52,799 they're helpful anyway hope to see you 588 00:22:52,799 --> 00:22:54,919 around