Alright, welcome to my Enterprise Security video playlist. This time we're going to be covering correlation searches. This is a fancy word for a saved search that creates an alert. That's really what it comes down to. They call them notables (there's a lot of terminology involved), but the ultimate concept is that a correlation search is a search that fires off at predefined periods of time, maybe every five minutes or every hour, searches back across your logs for certain behaviors, and if it sees them, it creates an alert. You can make it create a notable. Technically, it doesn't have to create a notable, and I'll explain how that works, but it's really just a saved search. So let's break right into Enterprise Security and talk about that.
So I come into Enterprise Security. We're going to show what already comes out of the box. So I go to 'Configure' in my Enterprise Security, and I come into 'Content', and I go to 'Content Management'. These are all the knowledge objects that come with Enterprise Security, and I'm going to flip this filter to correlation search. I click that, and we can see that it's going to come back with lots and lots of results, 58 pages plus of them, and multiple to a page. You can read this, so I'm just going to go into the very first one. And this is 'abnormally high number of endpoint changes by a user'. If I open this up a little bit: 'Detects an abnormally high number of endpoint changes by user account as it relates to restarts, audits, file system, user, registry, notifications'.
If I go into this, I'm actually going to be able to see the query. I'm not going to explain it, because I can already tell you it's probably going to be written with lots of data models and macros, but out of the box you can see: here's the query. And it's basically going to look at your data model. You'll hear me talk about data models; I've discussed data models before, but this is going to be the Endpoint data model, and it's going to be looking at file systems for changes by the user. It's going to do a bunch of other things, and ultimately it's going to come back and say: do you meet a certain criteria? And you can see that it's actually using the Machine Learning Toolkit, so down here it's actually building a threshold, saying what is the normal amount of changes, and is it jumping out of that normal level. It's really cool; Splunk puts some really cool analytics out there for you. You can just use what they've got. What I love is...I hear, 'oh, well, aren't correlation searches attached to frameworks now?' Well, you can see the very first ones.
Sometimes they are. But here, these are frameworks. I've heard this in my own work: 'oh, well, they're all mapped to MITRE.' Well, are they? I'll just grab the very first one, and...there's no MITRE technique mapped. What should it be? Well, there's a lot of things that could cause a MITRE technique to...uh...if there's endpoint changes, it could be many different types of tactics, so they don't have it mapped. You could come in here and you could map it; we'll discuss that later. But the point is, we come down here (make that go away, that's all), and we can see that it's looking back 1,450 minutes, and the latest time is zero. This runs at five after the hour; that's how I read that, five after the hour. If the results are greater than zero, it groups by user and change type, and we see that it does not create a notable; it actually just provides a risk analysis. We'll discuss risk analysis when we talk about RBA. But the point is, you can make it do a bunch of adaptive responses.
My job here is not to help you understand every correlation search that comes out of the box. I'm here to discuss the part that most people don't know how to do: create your own. So I've shown you that you can go look through...the documentation on Splunk says 1,400 plus; I don't know how they define what a correlation search is, but I'm going to tell you that it's a lot. There's a lot of them. And by default, Enterprise Security is smart: they do not come enabled. If I look at the enabled correlation searches, this is mine that I was using as I started to help understand Enterprise Security, and these two were turned on, and this is for the risk-based approach. Other than that, there are no correlation searches enabled out of the box. Why? Well, one, they don't want to turn something on that doesn't fit your data set; two, often you have to tweak them. The correlation search is great, but it's not always going to be perfect for your environment, and so as a general rule, they're there as guidance. Use them when they make sense: turn one on, test it, see how it works. If it doesn't, modify it, and typically you'll just clone the correlation search and build your own.
Anyway, enough talking about that, let's
talk about actually building my own
correlation search. So I'm in 'configure
content' and I went to
'content management'.
If I do 'create new content', that's how
I'm going to build one. And so we're
going to create a new content,
we're going to make a correlation search.
This is the way that I
do correlation searches.
That doesn't mean it's the way
that it has to be done,
but it's the way it works for me.
I'm going to call this, I
would hopefully have a much better name
for this, but I'm going to do 'YouTube
Correlation Search'.
Horrible name, because someone who comes
across this will have no idea what it's
for, but for me, when I need to purge
stuff from my system, it's really easy
and it stands out. So I'm going to put it
that way. Then here in my description, I'm
going to go...
'Grab one event from network logs'.
I'm not actually going to build
something that I'm looking for.
That's not the point of this video.
I'm just showing how
to build one, and I want
them to always fire, so I'm going to
fudge the numbers so that I always
get what I want. And so the first thing I
do is I don't try to build a search through here. You can use guided mode. Guided is cool; it'll let you pick data models, and you can pick fields from them. So if I enable the guided mode, you'll see the data. It'll say, alright, what data model do you want to look at? I might come down to 'Network Traffic'...and what data set do I want to use? 'All Traffic'. Do I want to use 'summaries only'? I'll discuss summaries only later; this is not the place for it. Time range. And there is your basic query. I can run the search and see how it looks. Then I'm going to hit 'filter', and a filter would be like All_Traffic...All_Traffic.dest_ip...oh, it's a boolean. Where...and I actually don't know how to make this work. All_Traffic...I'd have to go look this up. Well, that's not very helpful there. The point is, I'm not actually going through the guided search tour. I'm going to stay right here with a manual query where I can write it. It does have guided; again, you've got to understand exactly what you're pulling. Guided is nice if you know it; follow the docs. I'm not here for following the docs; I'm here to take a
query. This is my home network. I'm going to look at the Corelight logs; I'm going to look at my Corelight conn logs. I'm going to say: where the source IP is 192.168.0.*. That is only so I make sure that I'm looking at a specific subnet section of my network. This is primarily the network I designed for doing Splunk videos, so this is part of my home network, but it's a subnet on my network that I use for testing, pen testing, and setup of systems that I set up and tear down, and so I just want to know what they're doing. And so I wanted the source IP. Maybe you don't want the source IP. All I really cared about, though, is I just wanted this, because ultimately, later on, I'm going to do inventory, and I'm going to have a very simple inventory of that subnet, and so I only want IPs where at least one piece of the data ties to my inventory. And so, as you can see, this here has nothing to do with my network, but this one does. And I'm going to do a head 1, because I don't want lots and lots of results. Basically, I want a query that is always going to return one result...and that's what I built.
This isn't bad. This isn't actually a known bad; I just wanted data to come back so that I can then put other stuff on it. I'm doing this as a demo for you guys to understand how to build a query. You would want to build a query that is actually looking for something malicious. Right now, I just want a query to return a result, so that when I do my next video about triage and the triage system, there are actually tickets coming in. If I write a query that's looking for bad, well, that bad better be occurring on my network or it's not going to fire. And so it's a lot harder to troubleshoot whether the thing is working, if you're building queries right, when you build something that you hope to not actually see on your network. So I actually hope to see Corelight conn logs. I sure hope so; that means my network has traffic. Anyway, I'm just going to put the head 1, because I only want it to create one alert. If I let it come back, every event that comes back in here would be a notable alert. I don't want my triage system getting inundated. So I'm just going to do this head 1.
Now I'm going to map it. I'm going to go to MITRE, and I'm going to put in some techniques. So I'm going to go 'T1143'. I actually can't remember what all these mean off the top of my head; you can go look them up. I'm going to say this: this has no basis whatsoever, but again, these videos are going to build on themselves. And so I'm building these MITRE attacks so that when I go to the RBA section of this video playlist, you'll see how it maps all the different techniques together. And so I'm going to put this down here, and actually, because I want this to work on my system, I'm going to actually do...I want it always to be .128, that way I'm only going to get alerts that are relating to this system. That means my risk-based approach will cross the threshold. That actually makes a lot more sense for me. I'll explain that when we actually get to RBA, but basically, I'm going to give me an alert every time .128 is the source of network traffic. And that should fire off quite frequently.
Ignore the picture up in the top.
We're just going to move on.
Head 1.
My videos are done rendering.
Anyway, so I'm going to map it to these TTPs. Again, this is all for demo purposes, so I just pick some TTPs, and I can come down here and put a confidence score, an impact score, context, analytics; we're just going to leave that alone for now. I can create my own framework. And now here it's going to say: how far back do I want to look? Do I want to look back 24 hours? I could, but I know how often my logs are firing. I'm going to look back one hour. It doesn't really matter, because I'm just grabbing head 1. And...I probably get hundreds of events every...probably thousands of events every hour on this particular subnet, and so it's not going to be a problem getting data. I'm going to look back one hour to now. And how often do I want it to run? You know what? I'm going to let it run every five minutes. And that's going to be important so that I actually have events. And that'll work. I'm going to come down here, and I'm going to say: do I want it to run as real time or continuous? We'll just leave it at its default. What's my scheduling window? Again, I'm not going over these; this is just basically how you want to run your times. I'm going to run this every five minutes. Schedule priority is in case there are conflicts. Hopefully with your Enterprise Security, you actually do not overload your system so that these become a big deal. Trigger conditions: number of results greater than zero. That's always going to be the case, because I'm getting back one. But if I was doing thresholds, I could make it so the thing has to occur at least 10 times, or 15 times, or whatever. Then window duration, fields to group by...that's it. That's all
I want to deal with. Really, the only places I poke around with this: I wrote a query in the most basic format to get your correlation searches going. Pick a search. I would tie it to an annotation, but you don't have to; it's not required. You come down here and pick your time window, these three boxes: how far back do you want to look (latest time, earliest time) and your cron schedule. And then you really don't have to touch anything else, except this 'Add Adaptive Response'. I'm going to come and modify this in a minute; when we talk about RBA I'm going to put a risk analysis. For the sake of keeping this simple, I am only going to do notables for now. So I'm going to come in here and click 'Notable'. A notable is an alert that goes to your triage system.
I'm going to go 'YouTube notable' and give a description. I can actually use variable substitution, so I'm going to do 'Alert for $src_ip$'. I need to make sure that field comes back, and this does have a src_ip, so I can use it. You just call it like you do with the dollar sign on both sides of a variable, and that'll be dynamic, so my description will come back with this. Just because I want to...what if I do...yeah, we'll just leave it at that.

'YouTube notable'. Security domain: there are a bunch of domains. This is dealing with access (areas that would be authentication), endpoint (a lot of your host logs), network, threat, identity and audit. Those are the six areas Splunk casts as security domains. We'll put this in the network domain. I'm going to put the severity as low. Default owner: I can put in these, or I can leave it unassigned. I'm going to put it as unassigned to start with; again, you don't have to. Default status: I'm going to put it as unassigned. And I could put a drilldown search in there, and let's do that.
We're going to take this very same query, just to keep things really simple. One of the very first drilldowns I want to put in there is the actual query that created this log, but in this case I'm not going to put head 1; I'm going to take the head out. Oh, it looks like I've lost the .128 on there. Make sure .128 is up here. Yeah, it is, okay. And I can choose the drilldown name; the drilldown search will be 'See what caused alert'.

There are other ways of doing this I'll show, but I'm just going to create a few drilldown searches. Here we're going to just do 'Why does this drilldown exist?' I just want to show I can go search anything: index=_internal. Why would you be looking at your internal logs? It doesn't really matter. Well, actually, let's just do this: I'm going to put in $src_ip$. So I'm basically looking in my internal logs, and I'm going to see if I find that IP address popping up. It's just kind of an interesting way you can add additional searches to your information. So I'm going to be searching my internal logs for the source IP.

And I hope you saw this: earliest offset, latest offset. You can change this, or you can let it just go by its default, or you can say, for here, I'm going to go plus...this is the earliest, for example, one hour, and I'm going to leave the other one as zero. Does that make sense? I hope this helps. I can change my time; it's basically going to look in this window, one hour back, based off of the time this event occurred. So this might actually look a little bit in the future; this can look a little bit in the future, it's going to use time in the back. So let's go one hour each way: this is going to go one hour into the future and one hour in the past. Sounds good. I'm going to leave my
investigation profile alone, and these are extractions. What it's going to do is identify identities (these are users and stuff like that on your network) and assets (which would be like IPs and machines, and files and URLs that it might have found). We've got assets here: src, dest. Do my logs contain src and dest? Well, let's go look. Do I actually have a src and a dest here? I have a src_ip but no src, so I don't have the field it's looking for to be able to identify it. So what I need to do is come in here and go src_ip. Except that's on identity; it's an asset, so I'm going to come in here and go src_ip, and just because we might want to identify the other machine in question, we're going to put dest_ip in there as well. So I'm going to have my src_ip and my dest_ip; they're going to be assets that are extracted. And that's all I'm going to do. I just want to make sure that anything that might be identifiable in the query up here (not these queries, the query up here) gets called out, and I hope all this will make more sense as you actually see the stuff come back. There's just a lot of capabilities here.
I can write steps if I want to. I can set things up to, for example, send an email, stream capture if you have Splunk Stream, nbtstat and nslookup. You can make your system do a lot of things, like I could have Splunk go ping an IP address; in a little bit I'll actually show me doing that. I can have it do a risk analysis, run a script, send to UBA, send to Splunk Mobile (Splunk Mobile is really cool now; it's being sent to my phone), add threat intelligence from it, webhooks, whatever you have. There's lots of capabilities. You don't need to do it all. The minimum you need for a notable: title, description. You don't even need these drilldowns; you can let this be set as default. You probably should pick a security domain, and literally that's it. It's a lot more helpful if you can identify your stuff coming back as identities and sources, and I'm going to show you that in the next video with workbenches and stuff like that, but for the sake of this, don't worry about it. Just know that it's good if you can call it out, but if you don't, it's not like the query will break.
I'm going to hit save, and I should have a correlation search done. Now I'm going to have to wait. I probably just missed my window; it's supposed to be kicking off five minutes after the hour. So I can almost guarantee that if I come to Incident Review I will not find an alert called 'YouTube notable'. I'm going to have to wait for five more minutes to go by, but let's go ahead and check that. I can come down and refresh the page here, or I can refresh the page here. Either way, that is not the purpose of this video, to look at the incidents coming in. Mine was to talk about correlation searches and how to make my own. I have set up a correlation search, and so I've accomplished my task.
I'm going to come see it here with 'Configure', 'Content', 'Content Management'. My new correlation search is in here; we can see that when I go to all correlation searches. When you create them, by default they are enabled. So if I come in here and filter to enabled, I can see 'YouTube Correlation Search'. If I want to make any changes to it, I just hit it. Now that's interesting: it doesn't say that it's actually scheduled. All right, well, probably because it hasn't run the very first time. Once it runs I should see the next scheduled time here, but it's really easy: just keep it under enabled and correlation searches. So...yep, there it is. Now I've got a time for the next scheduled run stored in the Enterprise Security app.

What have we covered? We've talked about correlation searches, what they are: they're saved searches that can be used to create notables. Notables fill out tickets that go into a ticket triaging system, which we will cover in the next video in this playlist. Please look at the link below. Notice that this is a playlist; go ahead and join the playlist and watch the videos. This is meant to be a comprehensive training to help you understand Enterprise Security. Click that link. I've shown you how to see the correlation searches that come out of the box, and I've shown you how to create your own from scratch. I hope this has been helpful. I hope this helps you move from being a lame analyst to a Splunk ninja, that you'll keep following, particularly this playlist, watch the videos in it, and that they're helpful. Anyway, hope to see you around.