0:00:00.000,0:00:10.800 [Music]

0:00:10.800,0:00:59.820 Alright, welcome to my Enterprise Security video playlist. This time we're going to be covering correlation searches. This is a fancy word for a saved search that creates an alert. That's really what it comes down to. They call them notables; there's a lot of terminology involved, but the ultimate concept is a correlation search is a search that fires off at predefined periods of time, maybe every five minutes, every hour, searches back across your logs for certain behaviors, and if it sees it, it creates... it creates an alert. You can make it create a notable. Technically, it doesn't have to create a notable, and I'll explain how that works, but it's really just a saved search. So let's go break right into Enterprise Security, and let's talk about that.

0:00:59.820,0:01:27.799 So I come into Enterprise Security. We're going to show what already comes out of the box. So if I go 'Configure', I'm in my Enterprise Security and I come into... 'Content', and I go to 'Content Management'. These are all the knowledge objects that come with Enterprise Security, and I'm going to flip this to a correlation search. I click that...
0:01:27.799,0:02:21.459 We can see that it's going to come back with lots and lots of results, 58 pages plus of them and multiple to a page. You can read this, so I'm just going to go into the very first one. And this is 'Abnormally High Number of Endpoint Changes By User'. If I go and open this up a little bit... 'Detects an abnormally high number of endpoint changes by user account as it relates to restarts, audits, file system, user, registry, notifications'. If I go into this... I'm actually going to be able to see the query. I'm not going to explain it, because I can already tell you it's probably going to be written with lots of data models and macros, but out of the box, you can see: here's the query. And it's basically... it's going to look at your data model. You'll hear me talk about data models.
0:02:21.459,0:03:29.649 I've discussed data models, but this is going to be the Endpoint data model, and it's going to be looking at file systems for changes by the user; it's going to do a bunch of other things that ultimately come back and say... if you meet a certain criteria. And you can see that it's actually using the Machine Learning Toolkit, so down here it's actually building a threshold saying, what is the normal amount of user changes, and is it jumping out of that normal level. It's really cool; they put some really cool analytics out there for you. You can just use what they've got. What I love is... I hear, 'oh, well, aren't correlation searches attached to frameworks now?' Well, you can see the very first ones. Sometimes they are. But here, these are frameworks. I've heard this in my own work: 'oh, well, they're all mapped to MITRE.' Well, are they? I'll just grab the very first one, and... there's no MITRE technique mapped. What should it be? Well, there's a lot of things that could cause a MITRE technique to... uh... if there's endpoint changes, it could be many different types of tactics. Then I'll have it mapped.
0:03:29.649,0:04:10.319 You could come in here and you could map it; we'll discuss that later. But the point is, we come down here... make that go away, that's all... we can see that it's looking back 1,450 minutes, and the latest time is zero. This runs at five after the hour, that's how I read that, five after the hour. It's... if the results are greater than zero, it groups by user and change type, and we see that it creates... it does not create a notable, it actually just provides a risk analysis. And we'll discuss risk analysis when we talk about RBA. But the point is, you can make it do a bunch of adaptive responses.

0:04:10.319,0:04:43.320 My job here is not to help you understand every correlation search that comes out of the box; I'm here to discuss the part that most people don't know how to do: create your own. So I've shown you that you can go look through... there's the documentation on Splunk, says 1400 plus; I don't know how they define what a correlation search is. I'm going to tell you that it's a lot. There's a lot of them. And by default, Enterprise Security is smart. They do not come enabled.
0:04:43.320,0:05:21.120 If I look at the enabled correlation searches, this is mine that I was using as I started to help understand Enterprise Security, and these two were turned on, and this is for the risk-based approach. Other than that, there are no correlation searches that come out of the box. Why? Well, one, they don't want to turn something on that doesn't fit your data set; two, often you have to tweak them. The correlation search is great, but it's not always going to be perfect for your environment, and so as a general rule, they're there as guidance. Use them when they make sense: turn one on, test it, see how it works. If it doesn't, modify it, and typically you'll just clone the correlation search and build your own.

0:05:21.120,0:05:46.132 Anyway, enough talking about that; let's talk about actually building my own correlation search. So I'm in 'Configure' > 'Content' and I went to 'Content Management'. If I do 'Create New Content', that's how I'm going to build one. And so we're going to create new content; we're going to make a correlation search. This is the way that I do correlation searches. That doesn't mean it's the way that it has to be done, but it's the way it works for me.
0:05:46.132,0:06:20.580 I'm going to call this... I would hopefully have a much better name for this, but I'm going to do 'YouTube Correlation Search'. Horrible name, because someone who comes across this will have no idea what it's for, but for me, when I need to purge stuff from my system, it's really easy and it stands out. So I'm going to put it that way. Then here in my description, I'm going to go... 'Grab one event from network logs'.

0:06:20.580,0:07:07.560 I'm not actually going to build something that I'm looking for. That's not the point of this video. I'm just showing how to build one, and I want them to always fire, so I'm going to fudge the numbers so that I always get what I want. And so the first thing I do is I don't try to build a search through here. You can use guided. Guided's cool; it'll allow you... it'll pick data models, you can pick fields from it, so if I enable the guided mode, you'll see the data; it'll say, alright, what data model do you want to look at? I might come down to 'Network Traffic'... and what data set do I want to use... 'All Traffic'. Do I want to use 'summaries only'? I'll discuss summaries only later; this is not the place for it. Time range. And there is your basic query.
0:07:07.560,0:07:46.380 I can run the search and see how it looks. Then I'm going to hit 'filter', and filter would be like All_Traffic... All_Traffic.dest_ip... oh, it's a boolean. Where... and I actually don't know how to make this work. All_Traffic... I'd have to go look this up. Well, that's not very good... helpful there.

0:07:46.380,0:08:37.260 The point is, I'm not actually going through the guided search tour. I'm going to stay right here with a manual query where I can write it. It does have guided; again, you've got to understand exactly what you're pulling. Guided is nice if you know... follow the docs. I'm not here for following the docs; I'm here to take a query. This is my home network. I'm going to look at the correlate logs. I'm going to look at my correlate conn logs. I'm going to say... where source IP is 192.168.0.*. That is only so I make sure that I'm looking at a specific subnet section of my network. This is primarily my network designed for doing Splunk videos, and so this isn't my... this is part of my home network, but it's a subnet on my network that I use for testing, pen testing, setup of systems that I tear up and pick up and tear down, and so I just want to know what they're doing.
0:08:37.260,0:09:16.200 And so I wanted the source IP. Maybe you don't want the source IP. All I really cared about, though, is I just wanted this, because ultimately, later down, I'm going to do inventory, and I'm going to have a very simple inventory of that subnet, and so I only want IPs where at least one piece of the data ties to my inventory. And so, as you can see, this here has nothing to do with my network, but this one does. And I'm going to do a head 1, because I don't want lots and lots of results. Basically, I want a query, and I'm always going to return one result... and that's what I built. This isn't bad. This isn't actually a known bad; I just wanted data to come back, so then I can put other stuff on it.

0:09:16.200,0:09:43.019 I'm doing this as a demo for you guys to understand how to build a query. You would want to build a query that actually is looking for something malicious. Right now, I just want a query to return a result, so that I can... when I do my next video about triage and the triage system, there are actually tickets coming in. If I write a query that's looking for bad, well, that bad better be occurring on my network or it's not going to fire.
0:09:43.019,0:10:09.959 And so it's a lot harder to troubleshoot if the thing is working, if you're building queries right, if you build something that... you hope to not actually see on your network. So I actually hope to see correlate conn logs. I sure hope so. That means my network has traffic. Anyway, I'm just going to put the head 1, because I only want it to create one alert. If I let it come back, every event that comes back in here would be a notable alert. I don't want my triage system getting inundated. So I'm just going to do this head 1.

0:10:09.959,0:10:50.840 Now I'm going to map it. I'm going to go to MITRE, and I'm going to put in some tickets. So I'm going to go 'T1143'. I actually can't remember what all these mean off the top of my head. You can go look them up. I'm going to say this, and this has no basis whatsoever, but again, these videos are going to build on themselves. And so I'm building these MITRE attacks so when I go to the RBA section of this video playlist, you'll see how it maps all the different techniques together. And so I'm going to put this down here, and actually, because I want this to work on my system, I'm going to actually do...
0:10:50.840,0:11:19.320 I want it always to be 0.128; that way I'm only going to get alerts that are relating to this system. That means my risk-based approach will cross the threshold. That actually makes a lot more sense for me. I'll explain that when we actually get to RBA, but basically, I'm going to give me... give me an alert every time 0.128 is the source of network traffic. And that should fire off quite frequently.

0:11:19.320,0:12:07.500 Ignore the picture up in the top. We're just going to move on. Head 1. My videos are done rendering. Anyway, so I'm going to map it to these TTPs. Again, this is all for demo purposes, so I just picked some TTPs, and I can come down here and I can put a confidence score, an impact score, context, analytics; we're just gonna leave that alone for now. I can create my own framework. And now here it's going to say, how far back do I want to look? Do I want to look back 24 hours? I could, but I know how often my logs are firing. I'm going to look back one hour. Doesn't really matter, because I'm just grabbing head 1. And... I have... I probably get hundreds of events every... probably thousands of events every hour on this particular subnet. And so it's not going to be a problem getting data.
0:12:07.500,0:12:47.040 I'm going to look back one hour to now. And how often do I want it to run? You know what? I'm going to let it run every five minutes. And that's going to be important so that I actually have events. And that'll work. I'm going to come down here, and I'm going to say, do I want it to run as real time or continuous? We'll just leave it at its default. What's my scheduling window? Again, these are... I'm not going over these; this is just basically how you want to run your times. I'm going to run this every five minutes. Schedule priorities, in case there's conflicts. Hopefully with your Enterprise Security, you actually do not overload your system so that these become a big deal.

0:12:47.040,0:13:15.839 Trigger conditions: number of results greater than zero. That's always going to be the case, because I'm getting back one. But if I was doing this, if I want to do thresholds, I could make it... the thing has to occur at least 10 times, or 15 times, or whatever. Then window duration, fields to group by... that's it. That's all I want to deal with. Really, the only places I poke around with this is I wrote a query in the most basic format to get your correlation searches going. Pick a search.
0:13:15.839,0:14:26.220 I would tie it to an annotation, but you don't have to; not required. You come down here, pick your time window, these three boxes: how far back do you want to look, latest time, earliest time, and your cron schedule. And then you really don't have to touch anything else except this 'Add Adaptive Response'. I'm going to come and modify this in a minute; there is, when we talk about RBA, I'm going to put a risk analysis. For the sake of keeping this simple, I am only going to do notables for now. So I'm going to come in here and I'm going to click a notable, and a notable is an alert that goes to your triage system. Gonna go 'YouTube notable', give a description. I can actually use variable substitution, so I'm going to do 'Alert for $src_ip$'. I need to make sure that field comes back, and this does have a source IP, so I can use it, and you just call it like you do, with the dollar sign on both sides of a variable, and that'll be dynamic, and so my description will come back with this. And just because I want to... what if I do... yeah, we'll just leave it at that.

0:14:26.220,0:15:09.120 'YouTube notable'. Security domain: there are a bunch of domains. This is dealing with access, areas that would be authentication; endpoint, a lot of your host logs; network logs; threat; identity; and audit. And so those are the six areas Splunk casts as security domains. We'll just leave it as a... we'll put it as network, in the network domain. I'm going to put the severity as low, and default owner, I can put in these, I can leave it unassigned. I'm going to put it as unassigned to start with; again, you don't have to. Default status, I'm going to put it as unassigned.

0:15:09.120,0:15:38.940 And I could put a drilldown search in there, and let's do that. We're going to take this very same query, just to keep things really simple. One of the very first drilldowns I want to put in there is the actual query that created this log, but in this case I'm not going to put head 1; I'm going to... I'm going to take the head out. Oh, it looks like I've lost the 128 on there. 128.
0:15:38.940,0:16:50.459 Make sure 128 is up here. Yeah, it is, okay. And I can choose the drilldown search name; it will be 'See what caused alert'. There are other ways of doing this; I'll show, but I'm just... I'm just going to create a few drilldown searches, and here we're going to just do... 'Why does this drilldown exist'. I just want to show I can go search anything: index=_internal. Why would you be looking at your internal logs? It doesn't really matter. Well, actually, let's just do this: I'm going to put in $src_ip$, so I'm basically looking in my internal logs and I'm going to see if I find that IP address popping up. It's just kind of an interesting way you can add additional searches to your information. So I'm going to be searching my internal logs for the source IP.

0:16:50.459,0:17:43.320 And I hope you saw this: earliest offset, latest offset. You can change this, or you can let it just go by its default, or you can say... for here I'm going to go plus... this is the earliest, for example one hour, and I'm going to leave the other one as zero. Does that make sense? So I hope this makes... this helps. I can change my time; it's basically going to look in this window, one hour back, based off of the time this event occurred. So this might actually look a little bit in the future; this can look a little bit in the future, it's going to use time in the back. So let's go... we're going to go one hour one way; this is going to go one hour in the future and one hour in the past.

0:17:43.320,0:19:09.360 Sounds good. I'm going to leave my investigation profile alone, and these are extractions, and what it's going to do is it's going to identify identities; these are users and stuff like that on your network. Assets would be like IPs and machines and files and URLs that it might have found. I'm going to... we've got assets here: src, dest. Do my logs contain src and dest? Well, let's go look. head 1. Do I actually have a src and a dest here? I have a src_ip but no src, so I don't have the field it's looking for to be able to identify it. So what I need to do is I need to come in here and I'm going to go src_ip... except it's on identity; the identity... it's an asset, so I'm going to come in here and I'm going to go src_ip, and just because we might want to identify the other machine in question, we're going to put dest_ip in there as well. So I'm going to have my source IP and my destination IP; they're going to be assets that are extracted. And that's all I'm going to do. I just want to make sure that anything that might be identifiable in these queries... not these queries, the query up here... let's call them out. And I hope all this will make more sense as you actually see the stuff come back. There's just a lot of capabilities here.

0:19:09.360,0:19:50.100 I can write steps if I want to; I can set things up to, for example, send an email, stream capture if you have Splunk Stream, nbtstat and nslookup; you can make your system do a lot of things, like I could have Splunk go ping an IP address. You know what, in a little bit I'll actually show me doing that. I can have it do a risk analysis, run a script, send to UBA, send to Splunk Mobile... Splunk Mobile is really cool; now it's being sent to my phone. Add threat intelligence from it, webhooks, whatever you have; lots of capabilities. Don't need to do it. The minimum you need for a notable: title, description. You don't even need these drilldowns.
0:19:50.100,0:20:17.539 You can let this be set as default; probably should pick a security domain, and literally that's it. It's a lot more helpful if you can identify your stuff coming back as identities and sources, and I'm going to show you that in the next video with workbenches and stuff like that, but for the sake of this, don't worry about it. Just know that it's good if you can call it out, but if you don't, it's not like the query will break. I'm going to hit save.

0:20:18.299,0:21:00.960 And I should have a correlation search done. Now I'm going to have to wait; I probably just missed my window. It's supposed to be kicking off five minutes after the hour, so I can almost guarantee that if I come to Incident Review I will not find an alert called 'YouTube notable'. I'm gonna have to wait till five more minutes go by, but let's go ahead and check that. So I can come down, I can refresh the page here or I can refresh the page here, but either way, that is not the purpose of this video, to look at the incidents coming in; mine was to talk about correlation searches and how to make my own. I have set up a correlation search, and so I've accomplished my task.

0:21:00.960,0:22:05.039 I'm gonna... I'm gonna come see it here with 'Configure' > 'Content' > 'Content Management'. My new correlation search is in here; we can see that when I go to all correlation searches. And when you create them, by default they are enabled. So if I come in here and I enable... I can see 'YouTube correlation search' for line creations; if I want to make any changes to it, I just hit search. Now that's interesting, that it doesn't say that it's actually scheduled. All right, well, probably because it hasn't run the very first time; once it runs, I should see here the next scheduled time. But it's really easy, just keep it under the 'Enabled' and 'Correlation searches'. So... yep, there it is; now I've got a time for the next scheduled time stored in the Enterprise Security app.

0:22:05.039,0:22:54.919 What have we covered? We've talked about correlation searches, what they are: they're saved searches that can be used to create notables. Notables fill out tickets that go into a ticket triaging system, which we will cover in the next video in this playlist. Please look at the link below; notice that this is a playlist. Go ahead and join the playlist and watch the videos; this is meant to be a comprehensive training to help you understand Enterprise Security. Click that link. We have now... I've shown you how to see the correlation searches that come out of the box, and I've shown you how to create your own from scratch. I hope this has been helpful. I hope this helps you move from being a lame analyst to a Splunk ninja, that you'll keep following, particularly this playlist; watch the videos in it, and that they're helpful. Anyway, hope to see you around.