[0:00:03] [Music]

[0:00:10] Welcome to my Enterprise Security video playlist. This time we're going to be covering correlation searches. This is a fancy word for a saved search that creates an alert; that's really what it comes down to. They call them notables. There's a lot of terminology involved, but the ultimate concept is: a correlation search is a search that fires off at predefined periods of time, maybe every five minutes, every hour, searches back across your logs for certain behaviors, and if it sees it, it creates an alert. You can make it create a notable; technically it doesn't have to create a notable, and I'll explain how that works, but it's really just a saved search. So let's break right into Enterprise Security and let's talk about that.

[0:00:59] So I come into Enterprise Security. We're going to show what already comes out of the box. So if I go to Configure, I'm in my Enterprise Security and I come into Content and I go to Content Management. These are all the knowledge objects that come with Enterprise Security, and I'm going to flip this to correlation search. I click that. We can see that it's going to come back with lots and lots of results, 58 pages plus of them, and multiple to a page. You can read this, so I'm just going to go to the very first one, and this is "Abnormally High Number of Endpoint Changes By User". If I go and open this up a little bit: "Detects abnormally high number of endpoint changes by user account as it relates to restart, audits, file system, user, registry notifications." If I go into this, I'm actually going to be able to see the query. I'm not going to go explain it, because I can already tell you it's probably going to be written with lots of data models and macros, but out of the box you can see here's the query, and basically it's going to look at your data model. You'll hear me talk about data models; I've discussed data models, but this is going to be the Endpoint data model, and it's going to look at file systems for changes by the user. It's going to do a bunch of other things that ultimately come back and say if you meet a certain criteria, and you can see that it's actually using the Machine Learning Toolkit. So down here it's actually building a threshold, saying what is the normal amount of user changes and is it jumping out of that normal level. It's really cool; they put some really cool analytics out there for you. You can just use what they've got.

[0:02:55] What I love is, I hear "oh well, aren't correlation searches attached to known frameworks?" Well, you can see the very first ones; sometimes they are, but here these are frameworks. I've heard this in my own work: "well, they're all mapped to the MITRE." Well, are they? I'll just grab the very first one, and there's no MITRE technique mapped. What should it be? Well, there's a lot of things that could cause a MITRE technique; if there's endpoint changes, it could be many different types of tactics. Then I'd have it mapped; you could come in here and you could map it. We'll discuss that later, but the point is we come down here, make that go away, that's all. We can see that it's looking back 1450 minutes and the latest time is zero. This runs at five after the hour; that's how I read that, five after the hour. If the results are greater than zero, it groups by user and change type, and we see that it does not create a notable; it actually just provides a risk analysis, and we'll discuss risk analysis when we talk about RBA. But the point is you can make it do a bunch of adaptive responses.

[0:04:10] My job here is not to help you understand every correlation search that comes out of the box. I'm here to discuss the part that most people don't know how to do: create your own. So I've shown you that you can go look through; the documentation on Splunk says 1400 plus. I don't know how they define what a correlation search is. I'm going to tell you that it's a lot; there's a lot of them, and by default (Enterprise Security is smart) they do not come enabled. If I look at the enabled correlation searches, this is mine that I was using as I started to help understand Enterprise Security, and these two were turned on, and this is for the risk-based approach. Other than that, there are no correlation searches that come out of the box. Why? Well, one, they don't want to turn something on that doesn't fit your data set; two, often you have to tweak them. The correlation search is great, but it's not always going to be perfect for your environment, and so as a general rule they're there as guidance. Use them when they make sense: turn one on, test it, see how it works; if it doesn't, modify it, and typically you'll just clone the correlation search and build your own anyway.

[0:05:21] Enough talking about that; let's talk about actually building my own correlation search. So I'm in Configure, Content, and I went to Content Management. If I do Create New Content, that's how I'm going to build one, and so we're going to create new content; we're going to make a correlation search. This is the way that I do correlation searches. That doesn't mean it's the way that has to be done, but it's the way it works for me. I'm going to call this (I would hopefully have a much better name for this, but I'm going to do) "YouTube correlation search". Horrible name, because someone who comes across this will have no idea what it's for, but for me, when I need to purge stuff from my system, it's really easy and it stands out, so I'm going to put it that way. Then here in my description I'm going to go "grab one event from network logs".

[0:06:20] I'm not actually going to build something that I'm looking for; that's not the point of this video. I'm just showing how to build one, and I want them to always fire, so I'm going to fudge the numbers so that I always get what I want. And so the first thing I do is I don't try to build a search through here. You can use guided mode; cool, it'll allow you, it'll pick data models, you can pick fields from it. So if I enable the guided mode, you'll see the data; it'll say "all right, what data model do you want to look at?" I might come down to Network Traffic, and what data set do I want to use, All_Traffic; do I want to use summaries only? I'll discuss summaries only later; this is not the place for it. Time range, and there is your basic query. I can run the search and see how it looks. Then I'm going to hit Filter, and filter would be like All_Traffic... All_Traffic.dest_ip... oh, it's a Boolean where... and I actually don't know how to make this work. All_Traffic dot... I'd have to go look this up. Well, that's not very helpful there. The point is I'm not actually going through the guided search tour. I'm going to stay right here with a manual query where I can write it. It does have guided; again, you've got to understand exactly what you're pulling. Guided is nice if you know; follow the docs. I'm not here for following the docs.

[0:08:02] I'm here to take a query. This is my home network. I'm going to look at the Corelight logs; I'm going to look at my Corelight conn logs. I'm going to say where source IP is 192.168.0.*. That is only so I make sure that I'm looking at a specific subnet section of my network. This is primarily my network designed for doing Splunk videos, and so this isn't my whole... this is part of my home network, but it's a subnet on my network that I use for testing, pen testing, setup of systems that I tear up and pick up and tear down, and so I just want to know what they're doing. And so I wanted the source IP; maybe you don't want the source IP. All I really cared about though is I just wanted this, because ultimately later down I'm going to do inventory, and I'm going to have a very simple inventory of that subnet, and so I only want IPs that at least one piece of the data ties to my inventory. And so as you can see, this here has nothing to do with my network, but this one does, and I'm going to do a head 1 because I don't want lots and lots of results. Basically I want to query, and I'm always going to return one result as long... and that's what I built. This isn't bad; this isn't actually a known bad. I just wanted data to come back so then I can put other stuff on it.

[0:09:16] I'm doing this as a demo for you guys to understand how to build a query. You would want to build a query that actually is looking for something malicious. Right now I just want a query to return a result so that when I do my next video about triage and the triage system, there are actually tickets coming in. If I write a query that's looking for bad, well, that bad better be occurring on my network or it's not going to fire, and so it's a lot harder to troubleshoot if the thing is working, if you're building queries right, if you build something that you hope to not actually see on your network. So I actually hope to see Corelight conn logs; I sure hope so, that means my network has traffic. Anyway, I'm just going to put the head 1 because I only wanted to create one alert. If I let it come back, every event that comes back in here would be a notable alert. I don't want my triage system getting inundated, so I'm just going to do this head 1.

[0:10:09] Now I'm going to map it. I'm going to go to MITRE and I'm going to put in some tickets, so I'm going to go T1143. I actually can't remember what all these mean off the top of my head; you can go look them up. I'm going to say this, and this has no basis whatsoever, but again, these videos are going to build on themselves, and so I'm building these MITRE ATT&CK so when I go to the RBA section of this video playlist you'll see how it maps all the different techniques together. And so I'm going to put this down here, and actually, because I want this to work on my system, I'm going to actually do... I want it always to be .128. That way I'm only going to get alerts that are relating to this system. That means my risk-based approach will cross the threshold; that actually makes a lot more sense for me. I'll explain that when we actually get to RBA, but basically I'm going to... give me an alert every time .128 is the source of network traffic, and that should fire off quite frequently. Ignore the picture up in the top; we're just going to move on. Head 1. My videos are done rendering anyway. So I'm going to map it to these TTPs; again, this is all for demo purposes, so I just picked some TTPs, and I can come down here and I can put a confidence score, an impact score, context, analytics; we're just going to leave that alone for now. I can create my own framework.

[0:11:44] And now here it's going to say how far back do I want to look. Do I look back 24 hours? I could, but I know how often my logs are firing. I'm going to look back one hour; doesn't really matter because I'm just grabbing head 1, and I probably get hundreds of events every... probably thousands of events every hour on this particular subnet, and so it's not going to be a problem getting data. I'm going to go look back one hour to now, and how often do I want it to run? You know what, I'm going to let it run every five minutes, and that's going to be important so that I actually have events, and that'll work. I'm going to come down here and I'm going to say do I want it to run as real time or continuous; we'll just leave it at its default. What's my scheduling window? Again, these are... I'm not going over these; this is just basically how often, how you want to run your times. I'm going to run this every five minutes. Schedule priorities, in case there's conflicts; hopefully with your Enterprise Security you actually do not overload your system, so these become a big deal. Trigger conditions: number of results greater than zero. That's always going to be the case because I'm getting back one, but if I want to do thresholds, I could make it so the thing has to occur at least 10 times or 15 times or whatever. Then window duration, fields to group by. That's it; that's all I want to deal with.

[0:13:06] Really the only places I poke around with this is: I wrote a query in the most basic format to get your correlation searches going; pick a search. I would tie it to an annotation, but you don't have to; not required. You come down here, pick your time window, these three boxes: how far back do you want to look, latest time, earliest time, and your cron schedule, and then you really don't have to touch anything else except this Add Adaptive Response. I'm going to come and modify this in a minute; there is, when we talk about RBA, I'm going to put a risk analysis. For the sake of keeping this simple, I am only going to do notables for now. So I'm going to come in here and I'm going to click a notable, and a notable is an alert that goes to your triage system. Gonna go "YouTube notable", give a description. I can actually use variable substitution, so I'm going to do "alert for $source IP$". I need to make sure that field comes back, and this does have a source IP so I can use it, and you just call it like you do, with the dollar sign on both sides of a variable, and that'll be dynamic, and so my description will come back with this. And just because I want to... what if I do... yeah, we'll just leave it at that.

[0:14:26] "YouTube notable". Security domain: there are a bunch of domains. This is dealing with access areas; that would be authentication. Endpoint, a lot of your host logs. Network logs, threat, identity, and audit, and so those are the six areas Splunk casts as security domains. We'll just leave it as... we'll put it as network, in the network domain. I'm going to put the severity as low, and default owner; I can put in these; I can leave it unassigned. I'm going to put it as unassigned to start with; again, you don't have to. Default status, I'm going to put it as unassigned. And I could put a drill-down search in there, and let's do that. We're going to take this very same query, just to keep things really simple. One of the very first drill-downs I want to put in there is the actual query that created this log, but in this case I'm not going to put head 1; I'm going to take the head out. Oh, it looks like I've lost the 128 on there. 128.
Dialogue: 0,0:15:38.94,0:15:41.46,Default,,0000,0000,0000,,make sure 128 is up here
Dialogue: 0,0:15:41.46,0:15:44.70,Default,,0000,0000,0000,,yeah it is okay and I can choose the
Dialogue: 0,0:15:44.70,0:15:46.50,Default,,0000,0000,0000,,drill down search will be
Dialogue: 0,0:15:46.50,0:15:49.16,Default,,0000,0000,0000,,see
Dialogue: 0,0:15:49.26,0:15:53.88,Default,,0000,0000,0000,,what caused alert
Dialogue: 0,0:15:55.08,0:15:56.88,Default,,0000,0000,0000,,there are other ways of doing this I'll
Dialogue: 0,0:15:56.88,0:15:58.02,Default,,0000,0000,0000,,show but I'm just I'm just going to
Dialogue: 0,0:15:58.02,0:16:00.12,Default,,0000,0000,0000,,create a few add drill down searches and
Dialogue: 0,0:16:00.12,0:16:02.46,Default,,0000,0000,0000,,here we're going to just do
Dialogue: 0,0:16:02.46,0:16:04.52,Default,,0000,0000,0000,,um
Dialogue: 0,0:16:04.56,0:16:07.56,Default,,0000,0000,0000,,why does
Dialogue: 0,0:16:07.56,0:16:10.40,Default,,0000,0000,0000,,this
Dialogue: 0,0:16:10.46,0:16:14.00,Default,,0000,0000,0000,,drill down exist
Dialogue: 0,0:16:14.88,0:16:16.38,Default,,0000,0000,0000,,I just want to show I can go search
Dialogue: 0,0:16:16.38,0:16:17.58,Default,,0000,0000,0000,,anything
Dialogue: 0,0:16:17.58,0:16:21.20,Default,,0000,0000,0000,,index equals internal
Dialogue: 0,0:16:21.20,0:16:22.98,Default,,0000,0000,0000,,why would you be looking at your
Dialogue: 0,0:16:22.98,0:16:26.28,Default,,0000,0000,0000,,internal logs it doesn't really matter
Dialogue: 0,0:16:26.28,0:16:28.34,Default,,0000,0000,0000,,um
Dialogue: 0,0:16:28.50,0:16:30.18,Default,,0000,0000,0000,,well actually let's just do this I'm
Dialogue: 0,0:16:30.18,0:16:33.18,Default,,0000,0000,0000,,going to put in dollar sign Source IP
Dialogue: 0,0:16:33.18,0:16:35.46,Default,,0000,0000,0000,,so I'm basically looking in my internal
Dialogue: 0,0:16:35.46,0:16:37.14,Default,,0000,0000,0000,,logs and I'm going to see if I find that
Dialogue: 0,0:16:37.14,0:16:40.20,Default,,0000,0000,0000,,IP address popping up it it's just kind
Dialogue: 0,0:16:40.20,0:16:41.82,Default,,0000,0000,0000,,of an interesting way you can add
Dialogue: 0,0:16:41.82,0:16:45.66,Default,,0000,0000,0000,,additional searches to your information
Dialogue: 0,0:16:45.66,0:16:46.50,Default,,0000,0000,0000,,um
Dialogue: 0,0:16:46.50,0:16:48.36,Default,,0000,0000,0000,,so I'm going to be searching my internal
Dialogue: 0,0:16:48.36,0:16:50.46,Default,,0000,0000,0000,,logs for the source IP
Dialogue: 0,0:16:50.46,0:16:53.16,Default,,0000,0000,0000,,and I hope you saw this earliest offset
Dialogue: 0,0:16:53.16,0:16:56.40,Default,,0000,0000,0000,,latest offset you can change this or you
Dialogue: 0,0:16:56.40,0:16:57.96,Default,,0000,0000,0000,,can you can let it just go by its
Dialogue: 0,0:16:57.96,0:17:00.06,Default,,0000,0000,0000,,default or you can say for here I'm
Dialogue: 0,0:17:00.06,0:17:01.14,Default,,0000,0000,0000,,going to go
Dialogue: 0,0:17:01.14,0:17:05.40,Default,,0000,0000,0000,,plus this is a earliest for example one
Dialogue: 0,0:17:05.40,0:17:06.48,Default,,0000,0000,0000,,hour
Dialogue: 0,0:17:06.48,0:17:08.22,Default,,0000,0000,0000,,and I'm going to leave the other one as
Dialogue: 0,0:17:08.22,0:17:10.64,Default,,0000,0000,0000,,zero
Dialogue: 0,0:17:10.92,0:17:12.36,Default,,0000,0000,0000,,does that make sense so I hope this
Dialogue: 0,0:17:12.36,0:17:14.64,Default,,0000,0000,0000,,makes this helps I can change my time
Dialogue: 0,0:17:14.64,0:17:16.56,Default,,0000,0000,0000,,it's basically going to look in this
Dialogue: 0,0:17:16.56,0:17:22.22,Default,,0000,0000,0000,,window one hour back of based off of
Dialogue: 0,0:17:22.92,0:17:24.98,Default,,0000,0000,0000,,um
Dialogue: 0,0:17:25.08,0:17:27.78,Default,,0000,0000,0000,,the the time this event occurred
Dialogue: 0,0:17:27.78,0:17:29.22,Default,,0000,0000,0000,,so this might actually look a little bit
Dialogue: 0,0:17:29.22,0:17:30.36,Default,,0000,0000,0000,,in the future this can look a little bit
Dialogue: 0,0:17:30.36,0:17:32.04,Default,,0000,0000,0000,,in the future it's going to use time in
Dialogue: 0,0:17:32.04,0:17:35.30,Default,,0000,0000,0000,,the back so let's go
Dialogue: 0,0:17:35.58,0:17:37.86,Default,,0000,0000,0000,,we're going to go one hour one way this
Dialogue: 0,0:17:37.86,0:17:40.50,Default,,0000,0000,0000,,is going to go one hour and in the
Dialogue: 0,0:17:40.50,0:17:43.32,Default,,0000,0000,0000,,future and one hour in the past
Dialogue: 0,0:17:43.32,0:17:45.84,Default,,0000,0000,0000,,sounds good I'm going to leave my
Dialogue: 0,0:17:45.84,0:17:48.24,Default,,0000,0000,0000,,investigation profile alone and these
Dialogue: 0,0:17:48.24,0:17:50.88,Default,,0000,0000,0000,,are I uh extractions and these what it's
Dialogue: 0,0:17:50.88,0:17:52.44,Default,,0000,0000,0000,,going to do is it's going to it's going
Dialogue: 0,0:17:52.44,0:17:55.92,Default,,0000,0000,0000,,to identify identities these are users
Dialogue: 0,0:17:55.92,0:17:57.24,Default,,0000,0000,0000,,and stuff like that on your network
Dialogue: 0,0:17:57.24,0:18:00.24,Default,,0000,0000,0000,,assets would be like IPs and machines
Dialogue: 0,0:18:00.24,0:18:02.94,Default,,0000,0000,0000,,and files and URLs that it might have
Dialogue: 0,0:18:02.94,0:18:06.02,Default,,0000,0000,0000,,found I'm going to we got assets here
Dialogue: 0,0:18:06.02,0:18:08.76,Default,,0000,0000,0000,,source dest
Dialogue: 0,0:18:08.76,0:18:10.50,Default,,0000,0000,0000,,um does my log do my logs contain
Dialogue: 0,0:18:10.50,0:18:11.76,Default,,0000,0000,0000,,source and dest
Dialogue: 0,0:18:11.76,0:18:14.94,Default,,0000,0000,0000,,well let's go look head 1 do I actually
Dialogue: 0,0:18:14.94,0:18:18.20,Default,,0000,0000,0000,,have a source and a dest here
Dialogue: 0,0:18:18.30,0:18:21.30,Default,,0000,0000,0000,,I have a source IP but no source so I
Dialogue: 0,0:18:21.30,0:18:23.46,Default,,0000,0000,0000,,don't have the field it's looking for to
Dialogue: 0,0:18:23.46,0:18:25.44,Default,,0000,0000,0000,,be able to identify it so what I need to
Dialogue: 0,0:18:25.44,0:18:26.70,Default,,0000,0000,0000,,do is I need to come in here and I'm
Dialogue: 0,0:18:26.70,0:18:27.96,Default,,0000,0000,0000,,going to go
Dialogue: 0,0:18:27.96,0:18:30.78,Default,,0000,0000,0000,,source IP
Dialogue: 0,0:18:30.78,0:18:33.54,Default,,0000,0000,0000,,except it's on identity
Dialogue: 0,0:18:33.54,0:18:35.94,Default,,0000,0000,0000,,the identity it's an asset so I'm going
Dialogue: 0,0:18:35.94,0:18:36.72,Default,,0000,0000,0000,,to come in here and I'm going to go
Dialogue: 0,0:18:36.72,0:18:39.68,Default,,0000,0000,0000,,Source IP
Dialogue: 0,0:18:40.40,0:18:43.50,Default,,0000,0000,0000,,and just because it's we might we might
Dialogue: 0,0:18:43.50,0:18:46.32,Default,,0000,0000,0000,,want to identify the uh the other
Dialogue: 0,0:18:46.32,0:18:47.70,Default,,0000,0000,0000,,machine in question we're going to put
Dialogue: 0,0:18:47.70,0:18:50.16,Default,,0000,0000,0000,,dest IP in there as well so I'm going to
Dialogue: 0,0:18:50.16,0:18:52.26,Default,,0000,0000,0000,,have my source IP and my destination IP
Dialogue: 0,0:18:52.26,0:18:54.06,Default,,0000,0000,0000,,they're going to be assets that are
Dialogue: 0,0:18:54.06,0:18:56.10,Default,,0000,0000,0000,,extracted and that's all I'm going to do
Dialogue: 0,0:18:56.10,0:18:57.54,Default,,0000,0000,0000,,I just want to make sure that the
Dialogue: 0,0:18:57.54,0:19:00.00,Default,,0000,0000,0000,,anything that might be identifiable in
Dialogue: 0,0:19:00.00,0:19:01.50,Default,,0000,0000,0000,,these queries not these queries the
Dialogue: 0,0:19:01.50,0:19:04.20,Default,,0000,0000,0000,,query up here let's call them out and I
Dialogue: 0,0:19:04.20,0:19:05.76,Default,,0000,0000,0000,,hope all this will make more sense as
Dialogue: 0,0:19:05.76,0:19:07.14,Default,,0000,0000,0000,,you actually see the stuff come back
Dialogue: 0,0:19:07.14,0:19:09.36,Default,,0000,0000,0000,,there's just a lot of capabilities here
Dialogue: 0,0:19:09.36,0:19:12.90,Default,,0000,0000,0000,,I can write steps if I want to I can set
Dialogue: 0,0:19:12.90,0:19:14.94,Default,,0000,0000,0000,,things up to uh for example send an
Dialogue: 0,0:19:14.94,0:19:17.64,Default,,0000,0000,0000,,email stream capture if you have uh
Dialogue: 0,0:19:17.64,0:19:20.40,Default,,0000,0000,0000,,Splunk stream nbtstat and nslookup
Dialogue: 0,0:19:20.40,0:19:21.60,Default,,0000,0000,0000,,you can make your system do a lot of
Dialogue: 0,0:19:21.60,0:19:23.82,Default,,0000,0000,0000,,things like I could have Splunk go ping
Dialogue: 0,0:19:23.82,0:19:26.22,Default,,0000,0000,0000,,an IP address you know what
Dialogue: 0,0:19:26.22,0:19:28.44,Default,,0000,0000,0000,,um in a little bit I'll actually show me
Dialogue: 0,0:19:28.44,0:19:30.36,Default,,0000,0000,0000,,doing that I can have it do a risk
Dialogue: 0,0:19:30.36,0:19:32.40,Default,,0000,0000,0000,,analysis run a script send to UBA send to
Dialogue: 0,0:19:32.40,0:19:34.20,Default,,0000,0000,0000,,Splunk mobile Splunk mobile is really
Dialogue: 0,0:19:34.20,0:19:36.78,Default,,0000,0000,0000,,cool now it's being sent to my phone add
Dialogue: 0,0:19:36.78,0:19:38.88,Default,,0000,0000,0000,,threat intelligence from it webhooks
Dialogue: 0,0:19:38.88,0:19:40.86,Default,,0000,0000,0000,,whatever you have a lots of capabilities
Dialogue: 0,0:19:40.86,0:19:43.80,Default,,0000,0000,0000,,don't need to do it the the minimum you
Dialogue: 0,0:19:43.80,0:19:45.12,Default,,0000,0000,0000,,need for a notable
Dialogue: 0,0:19:45.12,0:19:48.06,Default,,0000,0000,0000,,title description
Dialogue: 0,0:19:48.06,0:19:50.10,Default,,0000,0000,0000,,you don't even need these drill downs
Dialogue: 0,0:19:50.10,0:19:52.32,Default,,0000,0000,0000,,you can let this be set as default
Dialogue: 0,0:19:52.32,0:19:54.08,Default,,0000,0000,0000,,probably should pick a security domain
Dialogue: 0,0:19:54.08,0:19:57.78,Default,,0000,0000,0000,,and literally that's it make sure it's a
Dialogue: 0,0:19:57.78,0:19:59.52,Default,,0000,0000,0000,,lot more helpful if you can identify
Dialogue: 0,0:19:59.52,0:20:01.14,Default,,0000,0000,0000,,your stuff coming back as identities and
Dialogue: 0,0:20:01.14,0:20:03.06,Default,,0000,0000,0000,,sources and I'm going to show you that
Dialogue: 0,0:20:03.06,0:20:05.88,Default,,0000,0000,0000,,in the next video with workbenches and
Dialogue: 0,0:20:05.88,0:20:07.80,Default,,0000,0000,0000,,stuff like that but for the sake of this
Dialogue: 0,0:20:07.80,0:20:09.30,Default,,0000,0000,0000,,don't worry about it
Dialogue: 0,0:20:09.30,0:20:10.92,Default,,0000,0000,0000,,um just know that it's it's good if you
Dialogue: 0,0:20:10.92,0:20:12.60,Default,,0000,0000,0000,,can call it out but if you don't you're
Dialogue: 0,0:20:12.60,0:20:14.58,Default,,0000,0000,0000,,it's not like the query will break
Dialogue: 0,0:20:14.58,0:20:17.54,Default,,0000,0000,0000,,I'm going to hit save
Dialogue: 0,0:20:18.30,0:20:20.34,Default,,0000,0000,0000,,and I should have a correlation search
Dialogue: 0,0:20:20.34,0:20:22.32,Default,,0000,0000,0000,,done now I'm going to have to wait I
Dialogue: 0,0:20:22.32,0:20:24.78,Default,,0000,0000,0000,,probably just missed my window it's
Dialogue: 0,0:20:24.78,0:20:26.40,Default,,0000,0000,0000,,supposed to be kicking off five minutes
Dialogue: 0,0:20:26.40,0:20:28.50,Default,,0000,0000,0000,,after the hour
Dialogue: 0,0:20:28.50,0:20:30.84,Default,,0000,0000,0000,,so I can almost guarantee that if I come
Dialogue: 0,0:20:30.84,0:20:33.66,Default,,0000,0000,0000,,to incident review I will not find an
Dialogue: 0,0:20:33.66,0:20:35.40,Default,,0000,0000,0000,,alert
Dialogue: 0,0:20:35.40,0:20:38.64,Default,,0000,0000,0000,,called YouTube notable
Dialogue: 0,0:20:38.64,0:20:40.68,Default,,0000,0000,0000,,I'm gonna have to wait till five more
Dialogue: 0,0:20:40.68,0:20:43.02,Default,,0000,0000,0000,,minutes to go by but let's go ahead and
Dialogue: 0,0:20:43.02,0:20:44.70,Default,,0000,0000,0000,,check that so I can come down I can
Dialogue: 0,0:20:44.70,0:20:47.46,Default,,0000,0000,0000,,refresh the page here or I can refresh
Dialogue: 0,0:20:47.46,0:20:50.46,Default,,0000,0000,0000,,the page here but either way that is not
Dialogue: 0,0:20:50.46,0:20:52.38,Default,,0000,0000,0000,,the purpose of this video is to look at
Dialogue: 0,0:20:52.38,0:20:54.42,Default,,0000,0000,0000,,the incidents coming in mine was to talk
Dialogue: 0,0:20:54.42,0:20:56.22,Default,,0000,0000,0000,,about correlation searches and how to
Dialogue: 0,0:20:56.22,0:20:58.32,Default,,0000,0000,0000,,make my own I have set up a correlation
Dialogue: 0,0:20:58.32,0:21:00.96,Default,,0000,0000,0000,,search and so I've accomplished my task
Dialogue: 0,0:21:00.96,0:21:03.12,Default,,0000,0000,0000,,I'm gonna I'm gonna come see it here
Dialogue: 0,0:21:03.12,0:21:04.62,Default,,0000,0000,0000,,with a configure
Dialogue: 0,0:21:04.62,0:21:06.96,Default,,0000,0000,0000,,content
Dialogue: 0,0:21:06.96,0:21:10.86,Default,,0000,0000,0000,,configure content content management my
Dialogue: 0,0:21:10.86,0:21:13.68,Default,,0000,0000,0000,,new correlation search is in here we can
Dialogue: 0,0:21:13.68,0:21:16.14,Default,,0000,0000,0000,,see that when I go all
Dialogue: 0,0:21:16.14,0:21:17.64,Default,,0000,0000,0000,,correlation search and when you create
Dialogue: 0,0:21:17.64,0:21:20.70,Default,,0000,0000,0000,,them by default they are enabled
Dialogue: 0,0:21:20.70,0:21:24.00,Default,,0000,0000,0000,,so if I come in here and I enable
Dialogue: 0,0:21:24.00,0:21:26.34,Default,,0000,0000,0000,,I can see YouTube correlation search for
Dialogue: 0,0:21:26.34,0:21:27.48,Default,,0000,0000,0000,,line Creations if I want to make any
Dialogue: 0,0:21:27.48,0:21:29.70,Default,,0000,0000,0000,,changes to it
Dialogue: 0,0:21:29.70,0:21:32.16,Default,,0000,0000,0000,,I just hit search now that's interesting
Dialogue: 0,0:21:32.16,0:21:33.48,Default,,0000,0000,0000,,that it doesn't say that it's actually
Dialogue: 0,0:21:33.48,0:21:36.14,Default,,0000,0000,0000,,scheduled
Dialogue: 0,0:21:40.74,0:21:42.96,Default,,0000,0000,0000,,all right well probably because it
Dialogue: 0,0:21:42.96,0:21:44.94,Default,,0000,0000,0000,,hasn't run the very first time once it
Dialogue: 0,0:21:44.94,0:21:47.04,Default,,0000,0000,0000,,runs I should see
Dialogue: 0,0:21:47.04,0:21:50.22,Default,,0000,0000,0000,,here the next schedule time but it's
Dialogue: 0,0:21:50.22,0:21:51.42,Default,,0000,0000,0000,,really easy just keep it under the
Dialogue: 0,0:21:51.42,0:21:53.90,Default,,0000,0000,0000,,enabled
Dialogue: 0,0:21:54.54,0:21:58.14,Default,,0000,0000,0000,,and correlation searches
Dialogue: 0,0:21:58.14,0:21:59.40,Default,,0000,0000,0000,,so
Dialogue: 0,0:21:59.40,0:22:01.50,Default,,0000,0000,0000,,yep there it is now I've got a time for
Dialogue: 0,0:22:01.50,0:22:03.24,Default,,0000,0000,0000,,the next scheduled time stored in the
Dialogue: 0,0:22:03.24,0:22:05.04,Default,,0000,0000,0000,,Enterprise Security app what have we
Dialogue: 0,0:22:05.04,0:22:06.78,Default,,0000,0000,0000,,covered we've talked about correlation
Dialogue: 0,0:22:06.78,0:22:09.42,Default,,0000,0000,0000,,searches what they are they're saved
Dialogue: 0,0:22:09.42,0:22:11.64,Default,,0000,0000,0000,,searches that can be used to create
Dialogue: 0,0:22:11.64,0:22:15.72,Default,,0000,0000,0000,,notables notables fill out tickets that
Dialogue: 0,0:22:15.72,0:22:17.76,Default,,0000,0000,0000,,you will go into a ticket triaging
Dialogue: 0,0:22:17.76,0:22:19.62,Default,,0000,0000,0000,,system which we will cover in the next
Dialogue: 0,0:22:19.62,0:22:21.60,Default,,0000,0000,0000,,video in this playlist please look at
Dialogue: 0,0:22:21.60,0:22:23.34,Default,,0000,0000,0000,,the link below notice that this is a
Dialogue: 0,0:22:23.34,0:22:25.14,Default,,0000,0000,0000,,playlist go ahead and join the playlist
Dialogue: 0,0:22:25.14,0:22:27.30,Default,,0000,0000,0000,,and watch the videos this is meant to be
Dialogue: 0,0:22:27.30,0:22:29.52,Default,,0000,0000,0000,,a comprehensive training to help you
Dialogue: 0,0:22:29.52,0:22:31.62,Default,,0000,0000,0000,,understand Enterprise security
Dialogue: 0,0:22:31.62,0:22:32.22,Default,,0000,0000,0000,,um
Dialogue: 0,0:22:32.22,0:22:35.10,Default,,0000,0000,0000,,click that link we have now create I've
Dialogue: 0,0:22:35.10,0:22:36.48,Default,,0000,0000,0000,,shown you how to see the correlation
Dialogue: 0,0:22:36.48,0:22:38.16,Default,,0000,0000,0000,,search that come out of the box and I've
Dialogue: 0,0:22:38.16,0:22:40.08,Default,,0000,0000,0000,,shown you how to create your own from
Dialogue: 0,0:22:40.08,0:22:42.42,Default,,0000,0000,0000,,scratch I hope this has been helpful I
Dialogue: 0,0:22:42.42,0:22:44.30,Default,,0000,0000,0000,,hope this helps you move from being a
Dialogue: 0,0:22:44.30,0:22:47.70,Default,,0000,0000,0000,,lame analyst to a Splunk ninja that
Dialogue: 0,0:22:47.70,0:22:49.26,Default,,0000,0000,0000,,you'll keep following particularly this
Dialogue: 0,0:22:49.26,0:22:51.12,Default,,0000,0000,0000,,playlist watch the videos in it and that
Dialogue: 0,0:22:51.12,0:22:52.80,Default,,0000,0000,0000,,they're helpful anyway hope to see you
Dialogue: 0,0:22:52.80,0:22:54.92,Default,,0000,0000,0000,,around