WEBVTT

[00:00:10.800] Welcome to my Enterprise Security video playlist. This time we're going to be covering correlation searches. This is a fancy word for a saved search that creates an alert; that's really what it comes down to. They call them notables. There's a lot of terminology involved, but the ultimate concept is: a correlation search is a search that fires off at predefined periods of time, maybe every five minutes, every hour, searches back across your logs for certain behaviors, and if it sees it, it creates an alert. You can make it create a notable; technically it doesn't have to create a notable, and I'll explain how that works, but it's really just a saved search. So let's break right into Enterprise Security and let's talk about that.

[00:00:59.820] So I come into Enterprise Security. We're going to show what already comes out of the box. So if I go Configure, I'm in my Enterprise Security and I come into Content and I go to Content Management. These are all the knowledge objects that come with Enterprise Security, and I'm going to flip this to Correlation Search. I click that. We can see that it's going to come back with lots and lots of results, 58 pages plus of them, and multiple to a page. You can read this, so I'm just going to go to the very first one, and this is "Abnormally High Number of Endpoint Changes by User". If I go and open this up a little bit: detection of abnormally high number of endpoint changes by user account as it relates to restarts, audits, file system, user, registry notifications. If I go into this, I'm actually going to be able to see the query. I'm not going to explain it, because I can already tell you it's probably going to be written with lots of data models and macros, but out of the box you can see here's the query, and basically it's going to look at your data model. You'll hear me talk about data models; I've discussed data models, but this is going to be the Endpoint data model, and it's going to look at file systems for changes by the user. It's going to do a bunch of other things, and ultimately it's going to come back and say if you meet a certain criteria, and you can see that it's actually using the Machine Learning Toolkit. So down here it's actually building a threshold, saying what is the normal amount of changes and is it jumping out of that normal level. It's really cool; they put some really cool analytics out there for you. You can just use what they've got.

[00:02:52.200] What I love is, I hear "oh well, aren't correlation searches attached to frameworks now?" Well, you can see the very first ones; sometimes they are, but here these are frameworks. I've heard this in my own work: "well, they're all mapped to MITRE." Well, are they? I'll just grab the very first one, and there's no MITRE technique mapped. What should it be? Well, there's a lot of things that could cause a MITRE technique to... if there's endpoint changes it could be many different types of tactics. Then I'll have it mapped; you could come in here and you could map it. We'll discuss that later, but the point is we come down here, make that go away, that's all. We can see that it's looking back 1450 minutes and the latest time is zero. This runs at five after the hour; that's how I read that, five after the hour. If the results are greater than zero, it groups by user and change type, and we see that it does not create a notable; it actually just provides a risk analysis, and we'll discuss risk analysis when we talk about RBA. But the point is you can make it do a bunch of adaptive responses.

[00:04:10.319] My job here is not to help you understand every correlation search that comes out of the box. I'm here to discuss the part that most people don't know how to do: create your own. So I've shown you that you can go look through; the documentation on Splunk says 1400 plus. I don't know how they define what a correlation search is. I'm going to tell you that it's a lot; there's a lot of them. And by default, Enterprise Security is smart: they do not come enabled. If I look at the enabled correlation searches, this is mine that I was using as I started to help understand Enterprise Security, and these two were turned on, and this is for the risk-based approach. Other than that, there are no correlation searches that come out of the box. Why? Well, one, they don't want to turn something on that doesn't fit your data set; two, often you have to tweak them. The correlation search is great, but it's not always going to be perfect for your environment, and so as a general rule they're there as guidance. Use them when they make sense: turn one on, test it, see how it works; if it doesn't, modify it, and typically you'll just clone the correlation search and build your own anyway.

[00:05:21.120] Enough talking about that; let's talk about actually building my own correlation search. So I'm in Configure, Content, and I went to Content Management. If I do Create New Content, that's how I'm going to build one. And so we're going to create new content; we're going to make a correlation search. This is the way that I do correlation searches. That doesn't mean it's the way that has to be done, but it's the way it works for me. I'm going to call this... I would hopefully have a much better name for this, but I'm going to do "YouTube correlation search". Horrible name, because someone who comes across this will have no idea what it's for, but for me, when I need to purge stuff from my system, it's really easy and it stands out. So I'm going to put it that way. Then here in my description I'm going to go "grab one event from network logs". I'm not actually going to build something that I'm looking for; that's not the point of this video. I'm just showing how to build one, and I want them to always fire, so I'm going to fudge the numbers so that I always get what I want.

[00:06:33.060] And so the first thing I do is I don't try to build a search through here. You can use guided mode. Cool, it'll allow you... it'll pick data models, you can pick fields from it. So if I enable the guided mode you'll see the data; it'll say all right, what data model do you want to look at? I might come down to Network Traffic, and what data set do I want to use? All Traffic. Do I want to use summaries only? I'll discuss summaries only later; this is not the place for it. Time range, and there is your basic query. I can run the search and see how it looks. Then I'm going to hit filter, and filter would be like All_Traffic... All_Traffic.dest_ip... oh, it's a Boolean where, and I actually don't know how to make this work: All_Traffic dot... I'd have to go look this up. Well, that's not very helpful there.

[00:07:44.759] The point is, I'm not actually going through the guided search tour. I'm going to stay right here with a manual query where I can write it. It does have guided; again, you've got to understand exactly what you're pulling. Guided is nice if you know; follow the docs. I'm not here for following the docs. I'm here to take a query. This is my home network. I'm going to look at the Corelight logs; I'm going to look at my Corelight conn logs; I'm going to say where source IP is 192.168.0.*. That is only so I make sure that I'm looking at a specific subnet section of my network. This is primarily my network designed for doing Splunk videos, and so this isn't my whole... this is part of my home network, but it's a subnet on my network that I use for testing, pen testing, setup of systems that I tear up and pick up and tear down, and so I just want to know what they're doing. And so I wanted the source IP; maybe you don't want the source IP. All I really cared about, though, is I just wanted this, because ultimately later down I'm going to do inventory, and I'm going to have a very simple inventory of that subnet, and so I only want IPs where at least one piece of the data ties to my inventory. And so as you can see, this here has nothing to do with my network, but this one does, and I'm going to do a head 1 because I don't want lots and lots of results. Basically I want to query, and I'm always going to return one result, as long as... that's what I built. This isn't bad; this isn't actually a known bad. I just wanted data to come back so then I can put other stuff on it. I'm doing this as a demo for you guys to understand how to build a query. You would want to build a query that actually is looking for something malicious. Right now I just want a query to return a result so that, when I do my next video about triage and the triage system, there are actually tickets coming in. If I write a query that's looking for bad, well, that bad better be occurring on my network or it's not going to fire, and so it's a lot harder to troubleshoot if the thing is working, if you're building queries right, if you build something that is what you hope to not actually see on your network. So I actually hope to see Corelight conn logs; I sure hope so, that means my network has traffic. Anyway, I'm just going to put the head 1 because I only wanted to create one alert. If I let it come back, every event that comes back in here would be a notable alert. I don't want my triage system getting inundated, so I'm just going to do this head 1.

[00:10:09.959] Now I'm going to map it. I'm going to go to MITRE and I'm going to put in some techniques. So I'm going to go T1143. I actually can't remember what all these mean off the top of my head; you can go look them up. I'm going to say this, and this has no basis whatsoever, but again, these videos are going to build on themselves, and so I'm building these MITRE attacks so when I go to the RBA section of this video playlist you'll see how it maps all the different techniques together. And so I'm going to put this down here, and actually, because I want this to work on my system, I'm going to actually do... I want it always to be .128. That way I'm only going to get alerts that are relating to this system. That means my risk-based approach will cross the threshold; that actually makes a lot more sense for me. I'll explain that when we actually get to RBA, but basically I'm going to say: give me an alert every time .128 is the source of network traffic, and that should fire off quite frequently. Ignore the picture up in the top; we're just going to move on. Head 1. My videos are done rendering anyway, so I'm going to map it to these TTPs. Again, this is all for demo purposes, so I just picked some TTPs, and I can come down here and I can put a confidence score, an impact score. Context analytics, we're just going to leave that alone for now. I can create my own framework.

[00:11:44.760] And now here it's going to say how far back do I want to look. Do I look back 24 hours? I could, but I know how often my logs are firing. I'm going to look back one hour. It doesn't really matter because I'm just grabbing head 1, and I probably get hundreds of events every... probably thousands of events every hour on this particular subnet, and so it's not going to be a problem getting data. I'm going to look back one hour to now. And how often do I want it to run? You know what, I'm going to let it run every five minutes, and that's going to be important so that I actually have events, and that'll work. I'm going to come down here and I'm going to say, do I want it to run as real time or continuous? We'll just leave it at its default. What's my scheduling window? Again, I'm not going over these; this is just basically how you want to run your times. I'm going to run this every five minutes. Schedule priority, in case there's conflicts; hopefully with your Enterprise Security you actually do not overload your system, so these become a big deal. Trigger conditions: number of results greater than zero. That's always going to be the case because I'm getting back one, but if I want to do thresholds I could make it so the thing has to occur at least 10 times or 15 times or whatever. Then window durations, fields to group by. That's it; that's all I want to deal with. Really, the only places I play around with this is: I wrote a query in the most basic format. To get your correlation searches going, pick a search; I would tie it to an annotation, but you don't have to, not required. You come down here, pick your time window, these three boxes: how far back do you want to look, latest time, earliest time, and your cron schedule, and then you really don't have to touch anything else except this Add Adaptive Response. I'm going to come and modify this in a minute; when we talk about RBA I'm going to put a risk analysis. For the sake of keeping this simple, I am only going to do notables for now.

[00:13:43.800] So I'm going to come in here and I'm going to click Notable, and a notable is an alert that goes to your triage system. Going to go "YouTube notable", give a description. I can actually use variable substitution, so I'm going to do "alert for $src_ip$". I need to make sure that field comes back, and this does have a source IP, so I can use it, and you just call it like you do, with the dollar sign on both sides of a variable, and that'll be dynamic, and so my description will come back with this. And just because I want to... what if I do... yeah, we'll just leave it at that. "YouTube notable". Security domain: there are a bunch of domains. This is dealing with access, areas that would be authentication; endpoint, a lot of your host logs; network logs; threat; identity; and audit. So those are the six areas Splunk casts as security domains. We'll just put it as network, in the network domain. I'm going to put the severity as low, and default owner, I can put in these, I can leave it unassigned. I'm going to put it as unassigned to start with; again, you don't have to. Default status, I'm going to put it as unassigned.

[00:15:09.120] And I could put a drill-down search in there, and let's do that. We're going to take this very same query, just to keep things really simple. One of the very first drill-downs I want to put in there is the actual query that created this log, but in this case I'm not going to put head 1; I'm going to take the head out. Oh, it looks like I've lost the 128 on there. 128. Make sure 128 is up here. Yeah, it is, okay. And I can choose the drill-down search name: "See what caused alert". There are other ways of doing this I'll show, but I'm just going to create a few additional drill-down searches, and here we're going to just do "Why does this drill-down exist". I just want to show I can go search anything: index=_internal. Why would you be looking at your internal logs? It doesn't really matter. Well, actually, let's just do this: I'm going to put in $src_ip$, so I'm basically looking in my internal logs and I'm going to see if I find that IP address popping up. It's just kind of an interesting way you can add additional searches to your information. So I'm going to be searching my internal logs for the source IP, and I hope you saw this earliest offset, latest offset. You can change this, or you can let it just go by its default, or you can say, for here I'm going to go plus... this is earliest, for example one hour, and I'm going to leave the other one as zero. Does that make sense? So I hope this helps. I can change my time; it's basically going to look in this window, one hour back, based off of the time this event occurred. So this might actually look a little bit in the future; this can look a little bit in the future, it's going to use time in the back. So let's go; we're going to go one hour one way. This is going to go one hour in the future and one hour in the past. Sounds good.

[00:17:43.320] I'm going to leave my investigation profile alone, and these are extractions, and what it's going to do is it's going to identify identities. These are users and stuff like that on your network. Assets would be like IPs and machines and files and URLs that it might have found. We've got assets here: src, dest. Do my logs contain src and dest? Well, let's go look. Head 1: do I actually have a src and a dest here? I have a source IP but no src, so I don't have the field it's looking for to be able to identify it. So what I need to do is I need to come in here and I'm going to go src_ip, except that's on identity; it's an asset, so I'm going to come in here and I'm going to go src_ip, and just because we might want to identify the other machine in question, we're going to put dest_ip in there as well. So I'm going to have my source IP and my destination IP; they're going to be assets that are extracted, and that's all I'm going to do. I just want to make sure that anything that might be identifiable in these queries, not these queries, the query up here, let's call them out, and I hope all this will make more sense as you actually see the stuff come back.

[00:19:09.360] There's just a lot of capabilities here. I can write steps if I want to; I can set things up to, for example, send an email, stream capture if you have Splunk Stream, nbtstat and nslookup. You can make your system do a lot of things, like I could have Splunk go ping an IP address. You know what, in a little bit I'll actually show me doing that. I can have it do a risk analysis, run a script, send to UBA, send to Splunk Mobile (Splunk Mobile is really cool; now it's being sent to my phone), add threat intelligence from it, webhooks, whatever you have. Lots of capabilities; you don't need to do it. The minimum you need for a notable: title, description. You don't even need these drill-downs; you can let this be set as default. Probably should pick a security domain, and literally that's it. It's a lot more helpful if you can identify your stuff coming back as identities and sources, and I'm going to show you that in the next video with workbenches and stuff like that, but for the sake of this, don't worry about it. Just know that it's good if you can call it out, but if you don't, it's not like the query will break.

[00:20:14.580] I'm going to hit Save, and I should have a correlation search done. Now I'm going to have to wait. I probably just missed my window; it's supposed to be kicking off five minutes after the hour, so I can almost guarantee that if I come to Incident Review I will not find an alert called "YouTube notable". I'm going to have to wait for five more minutes to go by, but let's go ahead and check that. So I can come down, I can refresh the page here or I can refresh the page here, but either way, the purpose of this video is not to look at the incidents coming in. Mine was to talk about correlation searches and how to make my own. I have set up a correlation search, and so I've accomplished my task.

[00:21:00.960] I'm going to come see it here with Configure, Content, Content Management. My new correlation search is in here; we can see that when I go All Correlation Search, and when you create them, by default they are enabled. So if I come in here and I go to Enabled, I can see "YouTube correlation search". If I want to make any changes to it, I just hit Search. Now that's interesting that it doesn't say that it's actually scheduled. All right, well, probably because it hasn't run the very first time; once it runs I should see here the next scheduled time. But it's really easy; just keep it under Enabled and Correlation Searches. So, yep, there it is; now I've got a time for the next scheduled time stored in the Enterprise Security app.

[00:22:05.039] What have we covered? We've talked about correlation searches, what they are: they're saved searches that can be used to create notables. Notables fill out tickets that will go into a ticket triaging system, which we will cover in the next video in this playlist. Please look at the link below. Notice that this is a playlist; go ahead and join the playlist and watch the videos. This is meant to be a comprehensive training to help you understand Enterprise Security. Click that link. I've shown you how to see the correlation searches that come out of the box, and I've shown you how to create your own from scratch. I hope this has been helpful. I hope this helps you move from being a lame analyst to a Splunk ninja, that you'll keep following, particularly this playlist, watch the videos in it, and that they're helpful. Anyway, hope to see you around.
