Welcome to my Enterprise Security video playlist. This time we're going to be covering correlation searches. This is a fancy word for a saved search that creates an alert; that's really what it comes down to. They call them notables. There's a lot of terminology involved, but the ultimate concept is: a correlation search is a search that fires off at predefined periods of time, maybe every five minutes, every hour, searches back across your logs for certain behaviors, and if it sees it, it creates an alert. You can make it create a notable; technically it doesn't have to create a notable, and I'll explain how that works, but it's really just a saved search. So let's break right into Enterprise Security and talk about that.

So I come into Enterprise Security. We're going to show what already comes out of the box. If I go Configure, I'm in my Enterprise Security, and I come into Content and go to Content Management, these are all the knowledge objects that come with Enterprise Security. I'm going to flip this to Correlation Search. I click that and we can see that it comes back with lots and lots of results, 58 pages plus of them and multiple to a page. You can read these; I'm just going to go to the very first one, and this is "Abnormally High Number of Endpoint Changes by User". If I open this up a little: it detects an abnormally high number of endpoint changes by user account as it relates to restarts, audits, file system, user and registry modifications. If I go into this I'm actually going to be able to see the query. I'm not going to explain it, because I can already tell you it's probably written with lots of data models and macros, but out of the box you can see: here's the query. It's going to look at your data model (you'll hear me talk about data models; I've discussed data models before), and this is going to be the Endpoint data model. It's going to look at file systems for changes by the user, it's going to do a bunch of other things, and ultimately it's going to come back and say whether you meet a certain criteria. You can see that it's actually using the Machine Learning Toolkit: down here it's building a threshold, saying what is the normal amount of changes and is it jumping out of that normal level. It's really cool; they put some really cool analytics out there for you, and you can just use what they've got.

What I love is, I hear "well, aren't correlation searches attached to known frameworks?" Well, you can see from the very first one: sometimes they are. I've heard this in my own work: "well, they're all mapped to MITRE." Are they? I'll just grab the very first one and there's no MITRE technique mapped. What should it be? Well, there are a lot of things that could cause a MITRE technique; if there are endpoint changes it could be many different types of tactics. Then I'd have it mapped; you could come in here and you could map it, and we'll discuss that later. The point is, we come down here (make that go away) and we can see that it's looking back 1450 minutes and the latest time is zero. This runs at five after the hour, that's how I read that, five after the hour. If the results are greater than zero it groups by user and change type, and we see that it does not create a notable; it actually just provides a risk analysis. We'll discuss risk analysis when we talk about RBA, but the point is you can make it do a bunch of adaptive responses. My job here is not to help you understand every correlation search that comes out of the box; I'm here to discuss the part that most people don't know how to do: create your own.

So I've shown you that you can go look through them. The documentation on Splunk says 1400 plus; I don't know how they define what a correlation search is. I'm going to tell you that it's a lot, there's a lot of them, and by default Enterprise Security is smart: they do not come enabled. If I look at the enabled correlation searches, this is mine that I was using as I started to understand Enterprise Security, and these two were turned on, and this is for the risk-based approach. Other than that, there are no correlation searches that come on out of the box. Why? Well, one, they don't want to turn something on that doesn't fit your data set; two, often you have to tweak them. The correlation search is great, but it's not always going to be perfect for your environment, and so as a general rule they're there as guidance. Use them when they make sense: turn one on, test it, see how it works, if it doesn't, modify it, and typically you'll just clone the correlation search and build your own anyway.

Enough talking about that; let's talk about actually building my own correlation search. So I'm in Configure, Content, and I went to Content Management. If I do Create New Content, that's how I'm going to build one, and so we're going to create new content and we're going to make a correlation search. This is the way that I do correlation searches; that doesn't mean it's the way that has to be done, but it's the way it works for me. I'm going to call this (I would hopefully have a much better name for this) "YouTube correlation search". Horrible name, because someone who comes across this will have no idea what it's for, but for me, when I need to purge stuff from my system, it's really easy and it stands out. Then here in my description I'm going to go "grab one event from network logs". I'm not actually going to build something that I'm looking for; that's not the point of this video. I'm just showing how to build one, and I want them to always fire, so I'm going to fudge the numbers so that I always get what I want.

The first thing I do is I don't try to build a search through here. You can use guided mode, which is cool: it'll pick data models, you can pick fields from it. So if I enable guided mode you'll see it'll say, all right, what data model do you want to look at? I might come down to Network Traffic. What data set do I want to use? All Traffic. Do I want to use summaries only? I'll discuss summaries only later; this is not the place for it. Time range, and there is your basic query. I can run the search and see how it looks. Then I'm going to hit Filter, and filter would be like All_Traffic.dest_ip... oh, it's a boolean where, and I actually don't know how to make this work; All_Traffic dot... I'd have to go look this up. Well, that's not very helpful. The point is, I'm not actually going through the guided search tour; I'm going to stay right here with a manual query where I can write it. It does have guided mode, but again, you've got to understand exactly what you're pulling; guided is nice if you follow the docs. I'm not here for following the docs; I'm here to take a query.

This is my home network. I'm going to look at my Corelight conn logs, and I'm going to say where the source IP is 192.168.0.*. That's only so I make sure that I'm looking at a specific subnet section of my network. This is primarily my network designed for doing Splunk videos, so this isn't my whole home network, but it's a subnet on my network that I use for testing, pen testing, setup of systems that I pick up and tear down, and I just want to know what they're doing. So I wanted the source IP; maybe you don't want the source IP. All I really cared about is that I wanted this because later on I'm going to do inventory, and I'm going to have a very simple inventory of that subnet, so I only want IPs where at least one piece of the data ties to my inventory. As you can see, this one here has nothing to do with my network, but this one does. I'm going to do a head 1 because I don't want lots and lots of results. Basically I want a query that's always going to return one result, and that's what I built. This isn't bad; this isn't actually a known bad. I just wanted data to come back so that I can put other stuff on it. I'm doing this as a demo for you guys to understand how to build a query; you would want to build a query that actually is looking for something malicious. Right now I just want a query to return a result so that when I do my next video about triage and the triage system, there are actually tickets coming in. If I write a query that's looking for bad, well, that bad better be occurring on my network or it's not going to fire, and so it's a lot harder to troubleshoot whether the thing is working, if you're building queries right, if you build something that you hope to not actually see on your network. So I actually hope to see Corelight conn logs; I sure hope so, that means my network has traffic. Anyway, I'm just going to put the head 1 because I only want to create one alert; if I let it come back, every event that comes back in here would be a notable alert, and I don't want my triage system getting inundated, so I'm just going to do this head 1.

Now I'm going to map it. I'm going to go to MITRE and I'm going to put in some techniques, so I'm going to go T1143. I actually can't remember what all these mean off the top of my head; you can go look them up. I'm going to say this, and this has no basis whatsoever, but again, these videos are going to build on themselves, and so I'm building these MITRE ATT&CK mappings so when I go to the RBA section of this video playlist you'll see how it maps all the different techniques together. So I'm going to put this down here, and actually, because I want this to work on my system, I want it always to be .128. That way I'm only going to get alerts that are relating to this system, and that means my risk-based approach will cross the threshold; that actually makes a lot more sense for me. I'll explain that when we actually get to RBA, but basically: give me an alert every time .128 is the source of network traffic, and that should fire off quite frequently. Ignore the picture up in the top; we're just going to move on. My videos are done rendering anyway. So I'm going to map it to these TTPs; again, this is all for demo purposes, so I just pick some TTPs. I can come down here and put a confidence score, an impact score, context, analytics; we're just going to leave that alone for now. I can create my own framework.

Now here it's going to say how far back do I want to look. Do I look back 24 hours? I could, but I know how often my logs are firing; I'm going to look back one hour. It doesn't really matter because I'm just grabbing head 1, and I probably get hundreds, probably thousands of events every hour on this particular subnet, so it's not going to be a problem getting data. I'm going to look back one hour to now. And how often do I want it to run? You know what, I'm going to let it run every five minutes, and that's going to be important so that I actually have events, and that'll work. I'm going to come down here and say do I want it to run as real time or continuous; we'll just leave it at its default. What's my scheduling window? Again, I'm not going over these; this is just basically how often you want to run your times. I'm going to run this every five minutes. Schedule priority is in case there are conflicts; hopefully with your Enterprise Security you do not overload your system, but these become a big deal. Trigger conditions: number of results greater than zero. That's always going to be the case because I'm getting back one, but if I wanted to do thresholds I could make it so the thing has to occur at least 10 times or 15 times or whatever. Then window duration, fields to group by; that's it, that's all I want to deal with.

Really the only places I play around with this: I wrote a query in the most basic format to get your correlation searches going. Pick a search. I would tie it to an annotation, but you don't have to; it's not required. You come down here, pick your time window, these three boxes: how far back do you want to look, latest time, earliest time, and your cron schedule. Then you really don't have to touch anything else except this Add Adaptive Response. I'm going to come and modify this in a minute; when we talk about RBA I'm going to put a risk analysis on it. For the sake of keeping this simple, I am only going to do notables for now, so I'm going to come in here and click Notable. A notable is an alert that goes to your triage system. I'm going to go "YouTube notable", give a description. I can actually use variable substitution, so I'm going to do "alert for $src_ip$". I need to make sure that field comes back, and this does have a src_ip so I can use it; you just call it with the dollar sign on both sides of a variable and that'll be dynamic, and so my description will come back with this. We'll just leave it at that: YouTube notable. Security domain: there are a bunch of domains. This is dealing with access, areas that would be authentication; endpoint, a lot of your host logs; network logs; threat; identity; and audit. Those are the six areas Splunk has as security domains. We'll put it in the network domain. I'm going to put the severity as low, and default owner: I can put in these, I can leave it unassigned; I'm going to put it as unassigned to start with. Again, you don't have to. Default status, I'm going to put it as unassigned.

I could put a drill-down search in there, and let's do that. We're going to take this very same query, just to keep things really simple. One of the very first drill-downs I want to put in there is the actual query that created this log, but in this case I'm not going to put head 1; I'm going to take the head out. Oh, it looks like I've lost the .128 on there; make sure .128 is up here. Yeah, it is, okay. And I can choose the drill-down search name: "See what caused alert". There are other ways of doing this which I'll show, but I'm just going to create a few additional drill-down searches. Here we're going to do "Why does this drill-down exist"; I just want to show I can search anything: index=_internal. Why would you be looking at your internal logs? It doesn't really matter. Actually, let's just do this: I'm going to put in $src_ip$, so I'm basically looking in my internal logs and I'm going to see if I find that IP address popping up. It's just kind of an interesting way you can add additional searches to your information. So I'm going to be searching my internal logs for the source IP, and I hope you saw this: earliest offset, latest offset. You can change this, or you can let it go by its default, or you can say, for here I'm going to go, this is the earliest, for example one hour, and I'm going to leave the other one as zero. Does that make sense? I hope this helps. I can change my time; it's basically going to look in this window, one hour back, based off the time this event occurred. So this might actually look a little bit in the future; it's going to use time in the back. So let's go one hour one way: this is going to go one hour in the future and one hour in the past. Sounds good. I'm going to leave my investigation profile alone.

These are the extractions. What it's going to do is identify identities: these are users and stuff like that on your network. Assets would be like IPs and machines, and files and URLs that it might have found. We've got assets here: src, dest. Do my logs contain src and dest? Well, let's go look at head 1. Do I actually have a src and a dest here? I have a src_ip but no src, so I don't have the field it's looking for to be able to identify it. What I need to do is come in here and go src_ip, except it's on identity; it's an asset, so I'm going to come in here and go src_ip, and just because we might want to identify the other machine in question, we're going to put dest_ip in there as well. So I'm going to have my src_ip and my dest_ip; they're going to be assets that are extracted, and that's all I'm going to do. I just want to make sure that anything that might be identifiable in these queries, not these queries, the query up here, gets called out, and I hope all this will make more sense as you actually see the stuff come back. There's just a lot of capabilities here: I can write steps if I want to, I can set things up to, for example, send an email, stream capture if you have Splunk Stream, nbtstat and lookups. You can make your system do a lot of things; I could have Splunk go ping an IP address, and in a little bit I'll actually show me doing that. I can have it do a risk analysis, run a script, send to UBA, send to Splunk Mobile (Splunk Mobile is really cool, now it's being sent to my phone), add threat intelligence from it, webhooks, whatever you have; lots of capabilities. You don't need to do it. The minimum you need for a notable: title, description. You don't even need these drill-downs; you can let this be set as default. You probably should pick a security domain, and literally that's it. It's a lot more helpful if you can identify your stuff coming back as identities and sources, and I'm going to show you that in the next video with workbenches and stuff like that, but for the sake of this
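As an added example (not from the video, and not Splunk's own code), here is a Python sketch of what the correlation search configured above does each time the scheduler runs it: the search body with its one-hour lookback and `| head 1`, the "number of results greater than zero" trigger condition, and the notable with its `$src_ip$` substitution, asset extraction, and the two drill-downs with one-hour offsets either side of the event time. The sample events, the `run_search`/`correlation_search` helpers and the T1143 mapping are constructed assumptions mirroring the demo.

```python
import re
from datetime import datetime, timedelta, timezone

CRON_SCHEDULE = "*/5 * * * *"  # run every five minutes, as set in the video

# Constructed sample conn events (not real traffic); times are UTC.
NOW = datetime(2024, 1, 1, 12, 5, tzinfo=timezone.utc)
EVENTS = [
    {"_time": NOW - timedelta(minutes=20), "src_ip": "192.168.0.128", "dest_ip": "1.1.1.1"},
    {"_time": NOW - timedelta(minutes=3), "src_ip": "192.168.0.128", "dest_ip": "8.8.8.8"},
    {"_time": NOW - timedelta(minutes=7), "src_ip": "10.0.0.5", "dest_ip": "192.168.0.128"},
    {"_time": NOW - timedelta(hours=3), "src_ip": "192.168.0.128", "dest_ip": "8.8.4.4"},
]


def substitute(template, fields):
    """Expand $field$ tokens the way ES does in notable titles, descriptions and drill-downs.
    Unknown tokens are left untouched so a typo is visible in the notable."""
    return re.sub(r"\$(\w+)\$", lambda m: str(fields.get(m.group(1), m.group(0))), template)


def run_search(events, now, earliest=timedelta(hours=1), src_ip="192.168.0.128", head=1):
    """Search body: look back `earliest` to now, keep rows for src_ip, newest first, then `| head N`.
    head=0 means no head, i.e. the drill-down variant of the same query."""
    rows = [e for e in events if now - earliest <= e["_time"] <= now and e["src_ip"] == src_ip]
    rows.sort(key=lambda e: e["_time"], reverse=True)
    return rows[:head] if head else rows


def correlation_search(events, now, drill_earliest=timedelta(hours=-1), drill_latest=timedelta(hours=1)):
    """One scheduled run: apply the trigger condition and emit one notable per result row."""
    results = run_search(events, now)
    if not len(results) > 0:  # trigger condition: number of results greater than 0
        return []
    notables = []
    for row in results:
        fields = {k: v for k, v in row.items() if k != "_time"}
        notables.append({
            "title": "YouTube notable",
            "description": substitute("alert for $src_ip$", fields),
            "security_domain": "network",
            "severity": "low",
            "owner": "unassigned",
            "status": "unassigned",
            "mitre_attack": ["T1143"],  # placeholder annotation, as in the demo
            # Asset extraction: the fields ES should resolve against the asset lookup.
            "assets": [row["src_ip"], row["dest_ip"]],
            "drilldowns": [
                {"name": "See what caused alert",
                 "search": f'src_ip="{row["src_ip"]}"',  # same query, without | head 1
                 "earliest": row["_time"] + drill_earliest,
                 "latest": row["_time"] + drill_latest},
                {"name": "Why does this drill-down exist",
                 "search": substitute('index=_internal "$src_ip$"', fields),
                 "earliest": row["_time"] + drill_earliest,
                 "latest": row["_time"] + drill_latest},
            ],
        })
    return notables
```

With head 1 only the newest matching event becomes a notable, while the first drill-down (head removed) returns every matching event in the window, which is what keeps the triage queue to one ticket per run.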
don't worry about it; just know that it's good if you can call it out, but if you don't, it's not like the query will break. I'm going to hit Save and I should have a correlation search done. Now I'm going to have to wait; I probably just missed my window. It's supposed to be kicking off five minutes after the hour, so I can almost guarantee that if I come to Incident Review I will not find an alert called YouTube notable. I'm going to have to wait for five more minutes to go by, but let's go ahead and check that. I can come down and refresh the page here, or I can refresh the page here, but either way, the purpose of this video is not to look at the incidents coming in; mine was to talk about correlation searches and how to make my own. I have set up a correlation search, so I've accomplished my task. I'm going to come see it here with Configure, Content, Content Management. My new correlation search is in here; we can see that when I go to all correlation searches, and when you create them, by default they are enabled. So if I come in here and filter to enabled, I can see YouTube correlation search. If I want to make any changes to it, I just hit the search. Now that's interesting that it doesn't say that it's actually scheduled. All right, well, probably because it hasn't run the very first time; once it runs I should see here the next scheduled time. But it's really easy, just keep it under enabled and correlation searches. So, yep, there it is: now I've got a time for the next scheduled time, stored in the Enterprise Security app.

What have we covered? We've talked about correlation searches, what they are: they're saved searches that can be used to create notables. Notables fill out tickets that go into a ticket triaging system, which we will cover in the next video in this playlist; please look at the link below. Notice that this is a playlist; go ahead and join the playlist and watch the videos. This is meant to be a comprehensive training to help you understand Enterprise Security. Click that link. I've shown you how to see the correlation searches that come out of the box and I've shown you how to create your own from scratch. I hope this has been helpful, I hope this helps you move from being a lame analyst to a Splunk ninja, and that you'll keep following, particularly this playlist: watch the videos in it. They're helpful. Anyway, hope to see you around.