[Script Info]
Title:

[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.00,0:00:10.80,Default,,0000,0000,0000,,[Music]
Dialogue: 0,0:00:10.80,0:00:14.70,Default,,0000,0000,0000,,Alright, welcome to my Enterprise Security
Dialogue: 0,0:00:14.70,0:00:16.95,Default,,0000,0000,0000,,video playlist. This time we're going to
Dialogue: 0,0:00:16.95,0:00:19.80,Default,,0000,0000,0000,,be covering correlation searches. This is
Dialogue: 0,0:00:19.80,0:00:22.61,Default,,0000,0000,0000,,a fancy word for a saved search that
Dialogue: 0,0:00:22.61,0:00:25.60,Default,,0000,0000,0000,,creates an alert. That's really what it
Dialogue: 0,0:00:25.60,0:00:29.22,Default,,0000,0000,0000,,comes down to. They call them notables—
Dialogue: 0,0:00:29.22,0:00:31.06,Default,,0000,0000,0000,,there's a lot of terminology involved—
Dialogue: 0,0:00:31.06,0:00:33.12,Default,,0000,0000,0000,,but the ultimate concept is a
Dialogue: 0,0:00:33.12,0:00:35.82,Default,,0000,0000,0000,,correlation search is a search that
Dialogue: 0,0:00:35.82,0:00:38.82,Default,,0000,0000,0000,,fires off at predefined periods of time,
Dialogue: 0,0:00:38.82,0:00:40.74,Default,,0000,0000,0000,,maybe every five minutes, every hour,
Dialogue: 0,0:00:40.74,0:00:42.72,Default,,0000,0000,0000,,searches back across your logs for
Dialogue: 0,0:00:42.72,0:00:45.36,Default,,0000,0000,0000,,certain behaviors, and if it sees it, it
Dialogue: 0,0:00:45.36,0:00:48.30,Default,,0000,0000,0000,,creates a...it creates an alert. You can
Dialogue: 0,0:00:48.30,0:00:50.51,Default,,0000,0000,0000,,make it create a notable. Technically, it
Dialogue: 0,0:00:50.51,0:00:52.05,Default,,0000,0000,0000,,doesn't have to create a notable, and
Dialogue: 0,0:00:52.05,0:00:54.66,Default,,0000,0000,0000,,I'll explain how that works, but it's
Dialogue: 0,0:00:54.66,0:00:56.82,Default,,0000,0000,0000,,really just a saved search. So let's go
Dialogue: 0,0:00:56.82,0:00:58.16,Default,,0000,0000,0000,,break right into Enterprise Security, and
Dialogue: 0,0:00:58.16,0:00:59.82,Default,,0000,0000,0000,,let's talk about that.
Dialogue: 0,0:00:59.82,0:01:01.92,Default,,0000,0000,0000,,So I come into Enterprise Security. We're
Dialogue: 0,0:01:01.92,0:01:04.50,Default,,0000,0000,0000,,going to show what already comes
Dialogue: 0,0:01:04.50,0:01:07.04,Default,,0000,0000,0000,,out of the box. So if \NI go 'configure', I'm
Dialogue: 0,0:01:07.04,0:01:09.78,Default,,0000,0000,0000,,in my Enterprise Security \Nand I come into...
Dialogue: 0,0:01:09.78,0:01:13.51,Default,,0000,0000,0000,,'content', and I go to \N'content management',
Dialogue: 0,0:01:13.51,0:01:15.90,Default,,0000,0000,0000,,these are all the knowledge objects that
Dialogue: 0,0:01:15.90,0:01:19.04,Default,,0000,0000,0000,,come with Enterprise Security, and I'm
Dialogue: 0,0:01:19.04,0:01:22.87,Default,,0000,0000,0000,,going to flip this to a \Ncorrelation search.
Dialogue: 0,0:01:25.40,0:01:27.80,Default,,0000,0000,0000,,I click that...
Dialogue: 0,0:01:27.80,0:01:29.80,Default,,0000,0000,0000,,we can see that it's going to come back
Dialogue: 0,0:01:29.80,0:01:33.44,Default,,0000,0000,0000,,with lots and lots of results, 58 pages
Dialogue: 0,0:01:33.44,0:01:38.76,Default,,0000,0000,0000,,plus of them and multiple to a page. You
Dialogue: 0,0:01:38.76,0:01:40.96,Default,,0000,0000,0000,,can read this, so I'm just going to go
Dialogue: 0,0:01:40.96,0:01:43.92,Default,,0000,0000,0000,,into the very first one. And this is
Dialogue: 0,0:01:43.92,0:01:46.44,Default,,0000,0000,0000,,'abnormally high number of endpoint
Dialogue: 0,0:01:46.44,0:01:49.50,Default,,0000,0000,0000,,changes by a user'. If I go and open this
Dialogue: 0,0:01:49.50,0:01:51.78,Default,,0000,0000,0000,,up a little bit...
Dialogue: 0,0:01:51.78,0:01:53.76,Default,,0000,0000,0000,,'detects an abnormally high number of
Dialogue: 0,0:01:53.76,0:01:55.43,Default,,0000,0000,0000,,endpoint changes by user account as they
Dialogue: 0,0:01:55.43,0:01:58.02,Default,,0000,0000,0000,,relate to restarts, audits, file system,
Dialogue: 0,0:01:58.02,0:01:59.74,Default,,0000,0000,0000,,user, registry, notifications'.
Dialogue: 0,0:01:59.74,0:02:01.46,Default,,0000,0000,0000,,If I go into this...
Dialogue: 0,0:02:02.28,0:02:04.50,Default,,0000,0000,0000,,I'm actually going to be able to see
Dialogue: 0,0:02:04.50,0:02:07.02,Default,,0000,0000,0000,,the query. I'm not going to go explain it
Dialogue: 0,0:02:07.02,0:02:08.22,Default,,0000,0000,0000,,because I can already tell you, it's
Dialogue: 0,0:02:08.22,0:02:09.48,Default,,0000,0000,0000,,probably going to be written with lots
Dialogue: 0,0:02:09.48,0:02:13.09,Default,,0000,0000,0000,,of data models and macros, but out of the
Dialogue: 0,0:02:13.09,0:02:15.39,Default,,0000,0000,0000,,box, you can see: here's the query. And
Dialogue: 0,0:02:15.39,0:02:16.83,Default,,0000,0000,0000,,it's basically...it's going to look at
Dialogue: 0,0:02:16.83,0:02:18.95,Default,,0000,0000,0000,,your data model. You'll hear me talk
Dialogue: 0,0:02:18.95,0:02:21.46,Default,,0000,0000,0000,,about data models. I've discussed data
Dialogue: 0,0:02:21.46,0:02:22.91,Default,,0000,0000,0000,,models, but this is going to be the
Dialogue: 0,0:02:22.91,0:02:24.71,Default,,0000,0000,0000,,Endpoint data model, and it's going to be
Dialogue: 0,0:02:24.71,0:02:27.80,Default,,0000,0000,0000,,looking at file systems for changes by the
Dialogue: 0,0:02:27.80,0:02:29.27,Default,,0000,0000,0000,,user, it's going to do a bunch of other
Dialogue: 0,0:02:29.27,0:02:30.29,Default,,0000,0000,0000,,things that ultimately it's going to
Dialogue: 0,0:02:30.29,0:02:32.51,Default,,0000,0000,0000,,come back and say...if you meet a certain
Dialogue: 0,0:02:32.51,0:02:34.87,Default,,0000,0000,0000,,criteria, and you can see that it's
Dialogue: 0,0:02:34.87,0:02:36.36,Default,,0000,0000,0000,,actually using the Machine Learning
Dialogue: 0,0:02:36.36,0:02:38.64,Default,,0000,0000,0000,,Toolkit, so down here it's actually
Dialogue: 0,0:02:38.64,0:02:41.28,Default,,0000,0000,0000,,building a threshold saying, what is the
Dialogue: 0,0:02:41.28,0:02:43.83,Default,,0000,0000,0000,,normal amount of changes, and is
Dialogue: 0,0:02:43.83,0:02:46.27,Default,,0000,0000,0000,,it jumping out of that normal level.
Dialogue: 0,0:02:46.27,0:02:49.60,Default,,0000,0000,0000,,It's really cool, put some really cool
Dialogue: 0,0:02:49.60,0:02:52.20,Default,,0000,0000,0000,,analytics out there for you. You can just
Dialogue: 0,0:02:52.20,0:02:55.45,Default,,0000,0000,0000,,use what they've got. What I love is I
Dialogue: 0,0:02:55.45,0:02:57.33,Default,,0000,0000,0000,,don't want to...I hear, oh
Dialogue: 0,0:02:57.33,0:02:59.66,Default,,0000,0000,0000,,well aren't correlation searches
Dialogue: 0,0:02:59.66,0:03:03.48,Default,,0000,0000,0000,,attached to frameworks now? Well, you can
Dialogue: 0,0:03:03.48,0:03:04.92,Default,,0000,0000,0000,,see the very first ones. \NSometimes they
Dialogue: 0,0:03:04.92,0:03:07.38,Default,,0000,0000,0000,,are. But here, these are frameworks. I've
Dialogue: 0,0:03:07.38,0:03:09.48,Default,,0000,0000,0000,,heard this in my own work, \Noh, well they're
Dialogue: 0,0:03:09.48,0:03:12.12,Default,,0000,0000,0000,,all mapped to MITRE. Well,
Dialogue: 0,0:03:12.12,0:03:14.48,Default,,0000,0000,0000,,are they? I'll just grab the very first
Dialogue: 0,0:03:14.48,0:03:17.16,Default,,0000,0000,0000,,one, and...there's no MITRE technique
Dialogue: 0,0:03:17.16,0:03:20.05,Default,,0000,0000,0000,,mapped. What should it be? Well, there's a
Dialogue: 0,0:03:20.05,0:03:23.17,Default,,0000,0000,0000,,lot of things that could cause a MITRE
Dialogue: 0,0:03:23.17,0:03:25.86,Default,,0000,0000,0000,,technique to...uh...if there's endpoint
Dialogue: 0,0:03:25.86,0:03:27.45,Default,,0000,0000,0000,,changes, it could be many different types
Dialogue: 0,0:03:27.45,0:03:29.65,Default,,0000,0000,0000,,of tactics. Then I'll have it mapped. You
Dialogue: 0,0:03:29.65,0:03:31.20,Default,,0000,0000,0000,,could come in here and you could map it,
Dialogue: 0,0:03:31.20,0:03:33.53,Default,,0000,0000,0000,,we'll discuss that later, but point is, we
Dialogue: 0,0:03:33.53,0:03:35.64,Default,,0000,0000,0000,,come down here...
Dialogue: 0,0:03:35.64,0:03:37.56,Default,,0000,0000,0000,,make that go away, that's all...
Dialogue: 0,0:03:37.56,0:03:40.26,Default,,0000,0000,0000,,we can see that it's looking back 1,450
Dialogue: 0,0:03:40.26,0:03:43.74,Default,,0000,0000,0000,,minutes, and the latest time is zero. This
Dialogue: 0,0:03:43.74,0:03:48.00,Default,,0000,0000,0000,,runs at five after the hour, that's how I
Dialogue: 0,0:03:48.00,0:03:51.12,Default,,0000,0000,0000,,read that, five after the hour.
Dialogue: 0,0:03:51.12,0:03:52.98,Default,,0000,0000,0000,,It's...if the results are greater than
Dialogue: 0,0:03:52.98,0:03:56.54,Default,,0000,0000,0000,,zero, it groups by user and change type,
Dialogue: 0,0:03:56.54,0:03:59.88,Default,,0000,0000,0000,,and we see that it creates...it does not
Dialogue: 0,0:03:59.88,0:04:01.56,Default,,0000,0000,0000,,create a notable, it actually just
Dialogue: 0,0:04:01.56,0:04:03.96,Default,,0000,0000,0000,,provides a risk analysis. And we'll
Dialogue: 0,0:04:03.96,0:04:06.08,Default,,0000,0000,0000,,discuss risk analysis when we talk about
Dialogue: 0,0:04:06.08,0:04:08.57,Default,,0000,0000,0000,,RBA. But the point is, you can make it do
Dialogue: 0,0:04:08.57,0:04:10.32,Default,,0000,0000,0000,,a bunch of adaptive responses.
Dialogue: 0,0:04:10.32,0:04:12.08,Default,,0000,0000,0000,,My job here is not to help you
Dialogue: 0,0:04:12.08,0:04:13.50,Default,,0000,0000,0000,,understand every correlation search that
Dialogue: 0,0:04:13.50,0:04:15.60,Default,,0000,0000,0000,,comes out of the box, I'm here to discuss
Dialogue: 0,0:04:15.60,0:04:17.28,Default,,0000,0000,0000,,the part that most people don't know how
Dialogue: 0,0:04:17.28,0:04:20.12,Default,,0000,0000,0000,,to do: create your own. So I've shown you
Dialogue: 0,0:04:20.12,0:04:23.40,Default,,0000,0000,0000,,that you can go look through...there's
Dialogue: 0,0:04:23.40,0:04:26.40,Default,,0000,0000,0000,,the documentation on Splunk, says 1400
Dialogue: 0,0:04:26.40,0:04:29.04,Default,,0000,0000,0000,,plus, I don't know how they define what a
Dialogue: 0,0:04:29.04,0:04:31.29,Default,,0000,0000,0000,,correlation search is. I'm going to tell
Dialogue: 0,0:04:31.29,0:04:34.68,Default,,0000,0000,0000,,you that it's a lot. There's a
Dialogue: 0,0:04:34.68,0:04:37.76,Default,,0000,0000,0000,,lot of them. And by default,
Dialogue: 0,0:04:37.76,0:04:40.93,Default,,0000,0000,0000,,Enterprise Security is smart. They do
Dialogue: 0,0:04:40.93,0:04:43.32,Default,,0000,0000,0000,,not come enabled. If I look at the
Dialogue: 0,0:04:43.32,0:04:46.20,Default,,0000,0000,0000,,enabled correlation searches,
Dialogue: 0,0:04:46.20,0:04:48.59,Default,,0000,0000,0000,,this is mine that I was using as I
Dialogue: 0,0:04:48.59,0:04:49.70,Default,,0000,0000,0000,,started to help understand
Dialogue: 0,0:04:49.70,0:04:50.99,Default,,0000,0000,0000,,Enterprise Security,
Dialogue: 0,0:04:50.99,0:04:52.80,Default,,0000,0000,0000,,and these two were turned on
Dialogue: 0,0:04:52.80,0:04:55.02,Default,,0000,0000,0000,,and this is for risk-based approach.
Dialogue: 0,0:04:55.02,0:04:57.66,Default,,0000,0000,0000,,Other than that, there are no correlation
Dialogue: 0,0:04:57.66,0:04:59.76,Default,,0000,0000,0000,,searches that come out of the box. Why?
Dialogue: 0,0:04:59.76,0:05:01.50,Default,,0000,0000,0000,,Well, one, they don't want to turn
Dialogue: 0,0:05:01.50,0:05:03.06,Default,,0000,0000,0000,,something on that doesn't fit your data
Dialogue: 0,0:05:03.06,0:05:06.00,Default,,0000,0000,0000,,set; two, often you have \Nto tweak them, the
Dialogue: 0,0:05:06.00,0:05:07.58,Default,,0000,0000,0000,,correlation search is great, but it's not
Dialogue: 0,0:05:07.58,0:05:08.81,Default,,0000,0000,0000,,always going to be perfect for your
Dialogue: 0,0:05:08.81,0:05:10.70,Default,,0000,0000,0000,,environment, and so as a general rule,
Dialogue: 0,0:05:10.70,0:05:12.48,Default,,0000,0000,0000,,they're there as guidance. Use them
Dialogue: 0,0:05:12.48,0:05:14.78,Default,,0000,0000,0000,,when they make sense, \Nturn one on, test it,
Dialogue: 0,0:05:14.78,0:05:17.16,Default,,0000,0000,0000,,see how it works. \NIf it doesn't, modify it,
Dialogue: 0,0:05:17.16,0:05:19.02,Default,,0000,0000,0000,,and typically you'll just clone the
Dialogue: 0,0:05:19.02,0:05:21.12,Default,,0000,0000,0000,,correlation search and build your own.
Dialogue: 0,0:05:21.12,0:05:23.08,Default,,0000,0000,0000,,Anyway, enough talking about that, let's
Dialogue: 0,0:05:23.08,0:05:24.84,Default,,0000,0000,0000,,talk about actually building my own
Dialogue: 0,0:05:24.84,0:05:27.54,Default,,0000,0000,0000,,correlation search. So I'm in 'configure
Dialogue: 0,0:05:27.54,0:05:30.13,Default,,0000,0000,0000,,content' and I went to \N'content management'.
Dialogue: 0,0:05:30.13,0:05:32.26,Default,,0000,0000,0000,,If I do 'create new content', that's how
Dialogue: 0,0:05:32.26,0:05:34.70,Default,,0000,0000,0000,,I'm going to build one. And so we're
Dialogue: 0,0:05:34.70,0:05:36.13,Default,,0000,0000,0000,,going to create new content,
Dialogue: 0,0:05:36.13,0:05:38.95,Default,,0000,0000,0000,,we're going to make a correlation search.
Dialogue: 0,0:05:38.95,0:05:43.11,Default,,0000,0000,0000,,This is the way that I \Ndo correlation searches.
Dialogue: 0,0:05:43.11,0:05:44.16,Default,,0000,0000,0000,,That doesn't mean it's the way
Dialogue: 0,0:05:44.16,0:05:46.13,Default,,0000,0000,0000,,that it has to be done, \Nbut it's the way it works for me.
Dialogue: 0,0:05:46.13,0:05:47.52,Default,,0000,0000,0000,,I'm going to call this, I
Dialogue: 0,0:05:47.52,0:05:49.42,Default,,0000,0000,0000,,would hopefully have a much better name
Dialogue: 0,0:05:49.42,0:05:52.46,Default,,0000,0000,0000,,for this, but I'm going to do 'YouTube
Dialogue: 0,0:05:52.46,0:05:56.46,Default,,0000,0000,0000,,Correlation Search'.
Dialogue: 0,0:06:00.74,0:06:02.79,Default,,0000,0000,0000,,Horrible name, because someone who comes
Dialogue: 0,0:06:02.79,0:06:04.99,Default,,0000,0000,0000,,across this will have no idea what it's
Dialogue: 0,0:06:04.99,0:06:06.54,Default,,0000,0000,0000,,for, but for me, when I need to purge
Dialogue: 0,0:06:06.54,0:06:08.46,Default,,0000,0000,0000,,stuff from my system, it's really easy
Dialogue: 0,0:06:08.46,0:06:09.71,Default,,0000,0000,0000,,and it stands out. So I'm going to put it
Dialogue: 0,0:06:09.71,0:06:12.00,Default,,0000,0000,0000,,that way. Then here in my description, I'm
Dialogue: 0,0:06:12.00,0:06:14.82,Default,,0000,0000,0000,,going to go...
Dialogue: 0,0:06:14.82,0:06:19.19,Default,,0000,0000,0000,,'Grab one event from network logs'.
Dialogue: 0,0:06:20.58,0:06:22.14,Default,,0000,0000,0000,,I'm not actually going to build
Dialogue: 0,0:06:22.14,0:06:23.73,Default,,0000,0000,0000,,something that I'm looking for.
Dialogue: 0,0:06:23.73,0:06:25.41,Default,,0000,0000,0000,,That's not the point of this video.
Dialogue: 0,0:06:25.41,0:06:27.54,Default,,0000,0000,0000,,I'm just showing how \Nto build one, and I want
Dialogue: 0,0:06:27.54,0:06:30.84,Default,,0000,0000,0000,,them to always fire, so I'm going to
Dialogue: 0,0:06:30.84,0:06:32.90,Default,,0000,0000,0000,,fudge the numbers so that I always
Dialogue: 0,0:06:32.90,0:06:35.27,Default,,0000,0000,0000,,get what I want. And so the first thing I
Dialogue: 0,0:06:35.27,0:06:36.72,Default,,0000,0000,0000,,do is I don't try to build a search
Dialogue: 0,0:06:36.72,0:06:38.52,Default,,0000,0000,0000,,through here. You can use guided mode.
Dialogue: 0,0:06:38.52,0:06:41.02,Default,,0000,0000,0000,,Guided's cool, it'll let you pick
Dialogue: 0,0:06:41.02,0:06:43.14,Default,,0000,0000,0000,,data models, you can pick fields from it,
Dialogue: 0,0:06:43.14,0:06:45.51,Default,,0000,0000,0000,,so if I enable the guided mode, you'll
Dialogue: 0,0:06:45.51,0:06:47.46,Default,,0000,0000,0000,,see the data, it'll say alright, what
Dialogue: 0,0:06:47.46,0:06:49.52,Default,,0000,0000,0000,,data model do you want to look at?
Dialogue: 0,0:06:49.52,0:06:52.46,Default,,0000,0000,0000,,I might come down to 'network traffic'...
Dialogue: 0,0:06:52.46,0:06:55.32,Default,,0000,0000,0000,,and what data set do I want to use...
Dialogue: 0,0:06:55.32,0:06:58.78,Default,,0000,0000,0000,,'all traffic'. Do I want \Nto use 'summaries only'?
Dialogue: 0,0:06:58.78,0:07:01.08,Default,,0000,0000,0000,,I'll discuss summaries only later,
Dialogue: 0,0:07:01.08,0:07:04.20,Default,,0000,0000,0000,,this is not the place for it. Time range.
Dialogue: 0,0:07:04.20,0:07:07.56,Default,,0000,0000,0000,,And there is your basic query. I can run
Dialogue: 0,0:07:07.56,0:07:10.18,Default,,0000,0000,0000,,the search and see how it looks.
Dialogue: 0,0:07:10.18,0:07:12.98,Default,,0000,0000,0000,,Then I'm going to hit
Dialogue: 0,0:07:13.70,0:07:18.54,Default,,0000,0000,0000,,'filter', and filter would be like
Dialogue: 0,0:07:18.54,0:07:22.40,Default,,0000,0000,0000,,All.Traffic...
Dialogue: 0,0:07:23.46,0:07:28.74,Default,,0000,0000,0000,,AllTraffic.destIP...
Dialogue: 0,0:07:28.74,0:07:30.72,Default,,0000,0000,0000,,oh.
Dialogue: 0,0:07:30.72,0:07:34.10,Default,,0000,0000,0000,,it's a boolean. Where...
Dialogue: 0,0:07:34.56,0:07:36.53,Default,,0000,0000,0000,,and I actually don't know how to make
Dialogue: 0,0:07:36.53,0:07:40.22,Default,,0000,0000,0000,,this work. All_Traffic...
Dialogue: 0,0:07:42.63,0:07:44.66,Default,,0000,0000,0000,,I'd have to go look this up. Well that's
Dialogue: 0,0:07:44.66,0:07:46.38,Default,,0000,0000,0000,,not very good...helpful \Nthere. The point is,
Dialogue: 0,0:07:46.38,0:07:47.51,Default,,0000,0000,0000,,I'm not actually going through the
Dialogue: 0,0:07:47.51,0:07:49.56,Default,,0000,0000,0000,,guided search tour. I'm going to stay
Dialogue: 0,0:07:49.56,0:07:51.59,Default,,0000,0000,0000,,right here with a manual query where I
Dialogue: 0,0:07:51.59,0:07:54.12,Default,,0000,0000,0000,,can write it. It does have guided, again,
Dialogue: 0,0:07:54.12,0:07:55.50,Default,,0000,0000,0000,,you've got to understand exactly what
Dialogue: 0,0:07:55.50,0:07:57.27,Default,,0000,0000,0000,,you're pulling. Guided is nice if you,
Dialogue: 0,0:07:57.27,0:07:59.78,Default,,0000,0000,0000,,you know, follow the docs. I'm not here for
Dialogue: 0,0:07:59.78,0:08:01.92,Default,,0000,0000,0000,,following the docs, I'm here to take a
Dialogue: 0,0:08:01.92,0:08:04.13,Default,,0000,0000,0000,,query. This is my home network. I'm going
Dialogue: 0,0:08:04.13,0:08:05.52,Default,,0000,0000,0000,,to look at the Corelight logs. I'm going
Dialogue: 0,0:08:05.52,0:08:07.36,Default,,0000,0000,0000,,to look at my Corelight conn logs. I'm
Dialogue: 0,0:08:07.36,0:08:10.16,Default,,0000,0000,0000,,going to say...where source IP is
Dialogue: 0,0:08:10.16,0:08:13.26,Default,,0000,0000,0000,,192.168.0.*. That is only so I make
Dialogue: 0,0:08:13.26,0:08:15.18,Default,,0000,0000,0000,,sure that I'm looking at a specific
Dialogue: 0,0:08:15.18,0:08:17.64,Default,,0000,0000,0000,,subnet section of my network. This is
Dialogue: 0,0:08:17.64,0:08:20.52,Default,,0000,0000,0000,,primarily my network designed for doing
Dialogue: 0,0:08:20.52,0:08:23.82,Default,,0000,0000,0000,,Splunk videos, and so this isn't my...
Dialogue: 0,0:08:23.82,0:08:25.38,Default,,0000,0000,0000,,this is part of my home network, but it's
Dialogue: 0,0:08:25.38,0:08:28.14,Default,,0000,0000,0000,,a subnet on my network that I use for
Dialogue: 0,0:08:28.14,0:08:31.49,Default,,0000,0000,0000,,testing, pen testing, setup of systems
Dialogue: 0,0:08:31.49,0:08:33.30,Default,,0000,0000,0000,,that I stand up and pick up and tear down,
Dialogue: 0,0:08:33.30,0:08:35.17,Default,,0000,0000,0000,,and so I just want to know what they're
Dialogue: 0,0:08:35.17,0:08:37.26,Default,,0000,0000,0000,,doing. And so I wanted the source IP.
Dialogue: 0,0:08:37.26,0:08:38.87,Default,,0000,0000,0000,,Maybe you don't want the source IP.
Dialogue: 0,0:08:38.87,0:08:40.31,Default,,0000,0000,0000,,All I really cared about though, is I just
Dialogue: 0,0:08:40.31,0:08:42.29,Default,,0000,0000,0000,,wanted this, because ultimately, later
Dialogue: 0,0:08:42.29,0:08:44.23,Default,,0000,0000,0000,,down, I'm going to do inventory, and I'm
Dialogue: 0,0:08:44.23,0:08:46.09,Default,,0000,0000,0000,,going to have a very simple inventory of
Dialogue: 0,0:08:46.09,0:08:48.29,Default,,0000,0000,0000,,that subnet, and so I only want IPs where
Dialogue: 0,0:08:48.29,0:08:50.70,Default,,0000,0000,0000,,at least one piece of the data
Dialogue: 0,0:08:50.70,0:08:53.47,Default,,0000,0000,0000,,ties to my inventory. And so, as you can
Dialogue: 0,0:08:53.47,0:08:55.55,Default,,0000,0000,0000,,see, this here has nothing to do with my
Dialogue: 0,0:08:55.55,0:08:58.19,Default,,0000,0000,0000,,network, but this one does. And I'm going
Dialogue: 0,0:08:58.19,0:09:00.25,Default,,0000,0000,0000,,to do a head 1, because I don't
Dialogue: 0,0:09:00.25,0:09:02.76,Default,,0000,0000,0000,,want lots and lots of results.
Dialogue: 0,0:09:02.76,0:09:05.46,Default,,0000,0000,0000,,Basically, I want a query
Dialogue: 0,0:09:05.46,0:09:07.14,Default,,0000,0000,0000,,and I'm always going to return one
Dialogue: 0,0:09:07.14,0:09:09.80,Default,,0000,0000,0000,,result...and that's what I built.
Dialogue: 0,0:09:09.80,0:09:12.00,Default,,0000,0000,0000,,This isn't bad. This isn't actually a
Dialogue: 0,0:09:12.00,0:09:13.98,Default,,0000,0000,0000,,known bad, I just wanted data to come
Dialogue: 0,0:09:13.98,0:09:16.20,Default,,0000,0000,0000,,back, so then I can put other stuff on it.
Dialogue: 0,0:09:16.20,0:09:18.66,Default,,0000,0000,0000,,I'm doing this as a demo for you guys to
Dialogue: 0,0:09:18.66,0:09:21.30,Default,,0000,0000,0000,,understand how
Dialogue: 0,0:09:21.30,0:09:23.41,Default,,0000,0000,0000,,to build a query. You would want to build
Dialogue: 0,0:09:23.41,0:09:25.14,Default,,0000,0000,0000,,a query that actually is looking for
Dialogue: 0,0:09:25.14,0:09:27.30,Default,,0000,0000,0000,,something malicious. Right now, I just
Dialogue: 0,0:09:27.30,0:09:30.12,Default,,0000,0000,0000,,want a query to return a result, so that
Dialogue: 0,0:09:30.12,0:09:32.12,Default,,0000,0000,0000,,I can...when I do my next video about
Dialogue: 0,0:09:32.12,0:09:34.94,Default,,0000,0000,0000,,triage and the triage system, there are
Dialogue: 0,0:09:34.94,0:09:37.45,Default,,0000,0000,0000,,actually tickets coming in. If I write a
Dialogue: 0,0:09:37.45,0:09:39.33,Default,,0000,0000,0000,,query that's looking for bad, well, that
Dialogue: 0,0:09:39.33,0:09:41.10,Default,,0000,0000,0000,,bad better be occurring on my network or
Dialogue: 0,0:09:41.10,0:09:43.02,Default,,0000,0000,0000,,it's not going to fire. And so it's a lot
Dialogue: 0,0:09:43.02,0:09:44.29,Default,,0000,0000,0000,,harder to troubleshoot if the thing is
Dialogue: 0,0:09:44.29,0:09:45.90,Default,,0000,0000,0000,,working if you're building queries right,
Dialogue: 0,0:09:45.90,0:09:48.20,Default,,0000,0000,0000,,if you build something that you...
Dialogue: 0,0:09:48.20,0:09:50.33,Default,,0000,0000,0000,,hope to not actually\Nsee on your network.
Dialogue: 0,0:09:50.33,0:09:52.66,Default,,0000,0000,0000,,So I actually hope to see \NCorelight conn logs.
Dialogue: 0,0:09:52.66,0:09:54.37,Default,,0000,0000,0000,,I sure hope so. That means my
Dialogue: 0,0:09:54.37,0:09:56.40,Default,,0000,0000,0000,,network has traffic. Anyway, and I'm just
Dialogue: 0,0:09:56.40,0:09:57.70,Default,,0000,0000,0000,,going to put the head 1, because I only
Dialogue: 0,0:09:57.70,0:10:00.20,Default,,0000,0000,0000,,want it to create one alert. If I let it
Dialogue: 0,0:10:00.20,0:10:02.09,Default,,0000,0000,0000,,come back, every event that comes
Dialogue: 0,0:10:02.09,0:10:04.65,Default,,0000,0000,0000,,back in here would be a notable alert.
Dialogue: 0,0:10:04.65,0:10:07.84,Default,,0000,0000,0000,,I don't want my triage \Nsystem getting inundated.
Dialogue: 0,0:10:07.84,0:10:09.96,Default,,0000,0000,0000,,So I'm just going to do this head 1.
Dialogue: 0,0:10:09.96,0:10:11.94,Default,,0000,0000,0000,,Now I'm going to map it. I'm going to go
Dialogue: 0,0:10:11.94,0:10:15.00,Default,,0000,0000,0000,,to MITRE, and I'm going to
Dialogue: 0,0:10:15.00,0:10:17.64,Default,,0000,0000,0000,,put in some
Dialogue: 0,0:10:17.64,0:10:20.28,Default,,0000,0000,0000,,techniques. So I'm going to go 'T1143'. I
Dialogue: 0,0:10:20.28,0:10:21.60,Default,,0000,0000,0000,,actually can't remember what all these
Dialogue: 0,0:10:21.60,0:10:23.46,Default,,0000,0000,0000,,mean off the top of my head. You can go
Dialogue: 0,0:10:23.46,0:10:26.29,Default,,0000,0000,0000,,look them up. I'm going to say this, and
Dialogue: 0,0:10:26.29,0:10:28.80,Default,,0000,0000,0000,,this has no basis whatsoever, but
Dialogue: 0,0:10:28.80,0:10:30.67,Default,,0000,0000,0000,,again, these videos are
Dialogue: 0,0:10:30.67,0:10:32.70,Default,,0000,0000,0000,,going to build on themselves. And so I'm
Dialogue: 0,0:10:32.70,0:10:34.84,Default,,0000,0000,0000,,building these MITRE attacks so when I
Dialogue: 0,0:10:34.84,0:10:37.44,Default,,0000,0000,0000,,go to the RBA section of this video
Dialogue: 0,0:10:37.44,0:10:40.43,Default,,0000,0000,0000,,playlist, you'll see how it maps all the
Dialogue: 0,0:10:40.43,0:10:42.42,Default,,0000,0000,0000,,different techniques together. And so I'm
Dialogue: 0,0:10:42.42,0:10:45.36,Default,,0000,0000,0000,,going to put this down here,
Dialogue: 0,0:10:45.36,0:10:49.02,Default,,0000,0000,0000,,and actually, because \NI want this to work on
Dialogue: 0,0:10:49.02,0:10:50.84,Default,,0000,0000,0000,,my system, I'm going to actually do...
Dialogue: 0,0:10:50.84,0:10:53.58,Default,,0000,0000,0000,,I want it always to be 0.128,
Dialogue: 0,0:10:53.58,0:10:57.24,Default,,0000,0000,0000,,that way I'm only going to get alerts
Dialogue: 0,0:10:57.24,0:10:59.19,Default,,0000,0000,0000,,that are relating to this system.
Dialogue: 0,0:10:59.19,0:11:01.82,Default,,0000,0000,0000,,That means my risk-based \Napproach will cross
Dialogue: 0,0:11:01.82,0:11:03.78,Default,,0000,0000,0000,,the threshold. That actually makes a lot
Dialogue: 0,0:11:03.78,0:11:06.23,Default,,0000,0000,0000,,more sense for me. I'll explain that when
Dialogue: 0,0:11:06.23,0:11:08.64,Default,,0000,0000,0000,,we actually get to RBA, but basically, I'm
Dialogue: 0,0:11:08.64,0:11:12.03,Default,,0000,0000,0000,,going to give me...\Ngive me an alert every time
Dialogue: 0,0:11:12.03,0:11:15.42,Default,,0000,0000,0000,,0.128 is the source of network traffic.
Dialogue: 0,0:11:15.42,0:11:17.92,Default,,0000,0000,0000,,And that should fire off \Nquite frequently.
Dialogue: 0,0:11:19.32,0:11:21.48,Default,,0000,0000,0000,,Ignore the picture up in the top.
Dialogue: 0,0:11:21.48,0:11:23.94,Default,,0000,0000,0000,,We're just going to move on. \NHead 1.
Dialogue: 0,0:11:23.94,0:11:26.33,Default,,0000,0000,0000,,My videos are done rendering. \NAnyway, so I'm going
Dialogue: 0,0:11:26.33,0:11:29.38,Default,,0000,0000,0000,,to map it to these TTPs. Again, this is
Dialogue: 0,0:11:29.38,0:11:31.38,Default,,0000,0000,0000,,all for demo purposes, so I just pick
Dialogue: 0,0:11:31.38,0:11:35.58,Default,,0000,0000,0000,,some TTPs, and I can come down here and
Dialogue: 0,0:11:35.58,0:11:38.66,Default,,0000,0000,0000,,I can put a confidence score, \Nan impact score,
Dialogue: 0,0:11:38.66,0:11:40.52,Default,,0000,0000,0000,,contacts, analytics, we're just gonna
Dialogue: 0,0:11:40.52,0:11:41.76,Default,,0000,0000,0000,,leave that alone for now.
Dialogue: 0,0:11:41.76,0:11:43.62,Default,,0000,0000,0000,,I can create my own framework.
Dialogue: 0,0:11:43.62,0:11:45.07,Default,,0000,0000,0000,,And now here it's going to say
Dialogue: 0,0:11:45.07,0:11:47.06,Default,,0000,0000,0000,,how far back do I want to look? Do I
Dialogue: 0,0:11:47.06,0:11:48.14,Default,,0000,0000,0000,,want to look back 24 hours?
Dialogue: 0,0:11:48.14,0:11:49.69,Default,,0000,0000,0000,,I could, but I know how often
Dialogue: 0,0:11:49.69,0:11:51.14,Default,,0000,0000,0000,,my logs are firing. I'm going
Dialogue: 0,0:11:51.14,0:11:53.16,Default,,0000,0000,0000,,to look back one hour. Doesn't really
Dialogue: 0,0:11:53.16,0:11:55.32,Default,,0000,0000,0000,,matter, because I'm just grabbing head 1.
Dialogue: 0,0:11:55.32,0:11:59.15,Default,,0000,0000,0000,,And...I have...I probably get
Dialogue: 0,0:11:59.15,0:12:01.59,Default,,0000,0000,0000,,hundreds of events every...probably
Dialogue: 0,0:12:01.59,0:12:03.60,Default,,0000,0000,0000,,thousands of events every hour
Dialogue: 0,0:12:03.60,0:12:06.21,Default,,0000,0000,0000,,on this particular subnet. And so it's
Dialogue: 0,0:12:06.21,0:12:07.50,Default,,0000,0000,0000,,not going to be a problem getting data.
Dialogue: 0,0:12:07.50,0:12:09.27,Default,,0000,0000,0000,,I'm going to look back one hour to
Dialogue: 0,0:12:09.27,0:12:11.58,Default,,0000,0000,0000,,now. And how often do I want it to run?
Dialogue: 0,0:12:11.58,0:12:13.26,Default,,0000,0000,0000,,You know what? I'm going to let it run
Dialogue: 0,0:12:13.26,0:12:16.09,Default,,0000,0000,0000,,every five minutes. And that's going to
Dialogue: 0,0:12:16.09,0:12:17.76,Default,,0000,0000,0000,,be important so that I actually have
Dialogue: 0,0:12:17.76,0:12:20.91,Default,,0000,0000,0000,,events. And that'll work.
Dialogue: 0,0:12:20.91,0:12:23.46,Default,,0000,0000,0000,,I'm going to come down here, \Nand I'm going to say do I
Dialogue: 0,0:12:23.46,0:12:25.38,Default,,0000,0000,0000,,want it to run as real time or
Dialogue: 0,0:12:25.38,0:12:28.56,Default,,0000,0000,0000,,continuous. We'll just \Nleave it at its default.
Dialogue: 0,0:12:28.56,0:12:30.90,Default,,0000,0000,0000,,What's my scheduling window? Again,
Dialogue: 0,0:12:30.90,0:12:33.33,Default,,0000,0000,0000,,these are...I'm not going over these, this
Dialogue: 0,0:12:33.33,0:12:36.06,Default,,0000,0000,0000,,is just basically how you want to run
Dialogue: 0,0:12:36.06,0:12:37.59,Default,,0000,0000,0000,,your times. I'm going to run this
Dialogue: 0,0:12:37.59,0:12:39.42,Default,,0000,0000,0000,,every five minutes. Schedule priorities
Dialogue: 0,0:12:39.42,0:12:41.46,Default,,0000,0000,0000,,in case there's conflicts. Hopefully with
Dialogue: 0,0:12:41.46,0:12:43.26,Default,,0000,0000,0000,,your Enterprise Security, you actually do
Dialogue: 0,0:12:43.26,0:12:45.84,Default,,0000,0000,0000,,not overload your system so these become
Dialogue: 0,0:12:45.84,0:12:47.04,Default,,0000,0000,0000,,a big deal.
Dialogue: 0,0:12:47.04,0:12:48.66,Default,,0000,0000,0000,,Trigger conditions, number of results
Dialogue: 0,0:12:48.66,0:12:50.27,Default,,0000,0000,0000,,greater than zero, that's always going to
Dialogue: 0,0:12:50.27,0:12:51.66,Default,,0000,0000,0000,,be the case because I'm getting back one.
Dialogue: 0,0:12:51.66,0:12:53.82,Default,,0000,0000,0000,,But if I was doing this, if I want to do
Dialogue: 0,0:12:53.82,0:12:55.92,Default,,0000,0000,0000,,thresholds I could make it...the thing has
Dialogue: 0,0:12:55.92,0:12:58.44,Default,,0000,0000,0000,,to occur at least 10 times, or 15 times,
Dialogue: 0,0:12:58.44,0:13:01.32,Default,,0000,0000,0000,,or whatever. Then window durations,
Dialogue: 0,0:13:01.32,0:13:04.00,Default,,0000,0000,0000,,fields to group by...that's it. That's all
Dialogue: 0,0:13:04.00,0:13:06.54,Default,,0000,0000,0000,,I want to deal with. Really, the only
Dialogue: 0,0:13:06.54,0:13:08.52,Default,,0000,0000,0000,,places I play around with this is I wrote
Dialogue: 0,0:13:08.52,0:13:10.84,Default,,0000,0000,0000,,a query in the most basic format to get
Dialogue: 0,0:13:10.84,0:13:13.07,Default,,0000,0000,0000,,your correlation searches going. Pick a
Dialogue: 0,0:13:13.07,0:13:15.84,Default,,0000,0000,0000,,search. I would tie it to an annotation,
Dialogue: 0,0:13:15.84,0:13:18.60,Default,,0000,0000,0000,,but you don't have to, not required. You
Dialogue: 0,0:13:18.60,0:13:20.10,Default,,0000,0000,0000,,come down here, pick your time window,
Dialogue: 0,0:13:20.10,0:13:22.26,Default,,0000,0000,0000,,these three boxes: how far back do you
Dialogue: 0,0:13:22.26,0:13:24.12,Default,,0000,0000,0000,,want to look, latest time, earliest time,
Dialogue: 0,0:13:24.12,0:13:26.46,Default,,0000,0000,0000,,and your cron schedule, and then you
Dialogue: 0,0:13:26.46,0:13:27.78,Default,,0000,0000,0000,,really don't have to touch anything else
Dialogue: 0,0:13:27.78,0:13:31.74,Default,,0000,0000,0000,,except this 'add adaptive response'. I'm
Dialogue: 0,0:13:31.74,0:13:33.30,Default,,0000,0000,0000,,going to come and modify this in a
Dialogue: 0,0:13:33.30,0:13:35.70,Default,,0000,0000,0000,,minute. That is when we talk about RBA,
Dialogue: 0,0:13:35.70,0:13:38.04,Default,,0000,0000,0000,,I'm going to put a risk analysis. For the
Dialogue: 0,0:13:38.04,0:13:40.20,Default,,0000,0000,0000,,sake of keeping this simple, I am only
Dialogue: 0,0:13:40.20,0:13:41.46,Default,,0000,0000,0000,,going to do
Dialogue: 0,0:13:41.46,0:13:43.80,Default,,0000,0000,0000,,notables for now. So I'm going to come in
Dialogue: 0,0:13:43.80,0:13:44.88,Default,,0000,0000,0000,,here and I'm going to click a notable,
Dialogue: 0,0:13:44.88,0:13:47.22,Default,,0000,0000,0000,,and a notable is an alert that goes to
Dialogue: 0,0:13:47.22,0:13:48.78,Default,,0000,0000,0000,,your triage system.
Dialogue: 0,0:13:48.78,0:13:52.26,Default,,0000,0000,0000,,Gonna go 'YouTube
Dialogue: 0,0:13:52.26,0:13:55.44,Default,,0000,0000,0000,,Notable', give a description.
Dialogue: 0,0:13:55.44,0:13:57.90,Default,,0000,0000,0000,,I can actually use
Dialogue: 0,0:13:57.90,0:13:59.82,Default,,0000,0000,0000,,um...
Dialogue: 0,0:13:59.82,0:14:01.98,Default,,0000,0000,0000,,variable substitution, so I'm going to do
Dialogue: 0,0:14:01.98,0:14:06.18,Default,,0000,0000,0000,,'alert for', dollar sign, source IP.
Dialogue: 0,0:14:06.18,0:14:07.86,Default,,0000,0000,0000,,I need to make sure that field comes
Dialogue: 0,0:14:07.86,0:14:10.86,Default,,0000,0000,0000,,back, and this does have a source IP, so I
Dialogue: 0,0:14:10.86,0:14:12.72,Default,,0000,0000,0000,,can use it, and you just call it like you
Dialogue: 0,0:14:12.72,0:14:15.18,Default,,0000,0000,0000,,do, with the dollar sign on both sides
Dialogue: 0,0:14:15.18,0:14:17.34,Default,,0000,0000,0000,,of a variable, and that'll be dynamic, and
Dialogue: 0,0:14:17.34,0:14:19.68,Default,,0000,0000,0000,,so my description will come back with
Dialogue: 0,0:14:19.68,0:14:22.68,Default,,0000,0000,0000,,this. And just because I
Dialogue: 0,0:14:22.68,0:14:24.84,Default,,0000,0000,0000,,want to...what if I do...yeah, we'll just
Dialogue: 0,0:14:24.84,0:14:26.22,Default,,0000,0000,0000,,leave it at that.
Dialogue: 0,0:14:26.22,0:14:29.16,Default,,0000,0000,0000,,'YouTube Notable'. Security domain: there
Dialogue: 0,0:14:29.16,0:14:31.50,Default,,0000,0000,0000,,are a bunch of domains. This is dealing
Dialogue: 0,0:14:31.50,0:14:33.72,Default,,0000,0000,0000,,with access, areas that would be
Dialogue: 0,0:14:33.72,0:14:35.88,Default,,0000,0000,0000,,authentication; endpoint, a lot of your
Dialogue: 0,0:14:35.88,0:14:39.42,Default,,0000,0000,0000,,host logs; network logs; threat; identity;
Dialogue: 0,0:14:39.42,0:14:41.46,Default,,0000,0000,0000,,and audit. And so those are the six areas
Dialogue: 0,0:14:41.46,0:14:43.98,Default,,0000,0000,0000,,Splunk has as security domains. We'll
Dialogue: 0,0:14:43.98,0:14:46.68,Default,,0000,0000,0000,,just leave it as a...we'll put it as
Dialogue: 0,0:14:46.68,0:14:47.58,Default,,0000,0000,0000,,network,
Dialogue: 0,0:14:47.58,0:14:49.80,Default,,0000,0000,0000,,in the network domain. I'm going to put
Dialogue: 0,0:14:49.80,0:14:52.58,Default,,0000,0000,0000,,the severity
Dialogue: 0,0:14:53.90,0:14:56.30,Default,,0000,0000,0000,,as low,
Dialogue: 0,0:14:56.30,0:14:59.76,Default,,0000,0000,0000,,and default owner, I can put in these, I
Dialogue: 0,0:14:59.76,0:15:01.56,Default,,0000,0000,0000,,can leave it unassigned.
Dialogue: 0,0:15:01.56,0:15:03.06,Default,,0000,0000,0000,,I'm going to put it as unassigned to
Dialogue: 0,0:15:03.06,0:15:05.10,Default,,0000,0000,0000,,start with, again you don't have to.
Dialogue: 0,0:15:05.10,0:15:07.32,Default,,0000,0000,0000,,Default status, I'm going to put it as
Dialogue: 0,0:15:07.32,0:15:09.12,Default,,0000,0000,0000,,unassigned,
Dialogue: 0,0:15:09.12,0:15:11.58,Default,,0000,0000,0000,,and I could put a drill-down search in
Dialogue: 0,0:15:11.58,0:15:15.08,Default,,0000,0000,0000,,there, and let's do that.
Dialogue: 0,0:15:15.48,0:15:17.88,Default,,0000,0000,0000,,We're going to take this very same query
Dialogue: 0,0:15:17.88,0:15:20.22,Default,,0000,0000,0000,,just to keep things really simple. One of
Dialogue: 0,0:15:20.22,0:15:21.66,Default,,0000,0000,0000,,the very first drill-downs I want to put
0,0:15:21.66,0:15:23.52,Default,,0000,0000,0000,,in there Dialogue: 0,0:15:23.52,0:15:25.92,Default,,0000,0000,0000,,is the actual query Dialogue: 0,0:15:25.92,0:15:28.68,Default,,0000,0000,0000,,that created this log Dialogue: 0,0:15:28.68,0:15:30.90,Default,,0000,0000,0000,,but in this case I'm not going to put Dialogue: 0,0:15:30.90,0:15:32.88,Default,,0000,0000,0000,,head 1 I'm going to put I'm going to Dialogue: 0,0:15:32.88,0:15:34.38,Default,,0000,0000,0000,,take the head out Dialogue: 0,0:15:34.38,0:15:36.48,Default,,0000,0000,0000,,oh it looks like I've lost the 128 on Dialogue: 0,0:15:36.48,0:15:38.94,Default,,0000,0000,0000,,there 128. Dialogue: 0,0:15:38.94,0:15:41.46,Default,,0000,0000,0000,,make sure 128 is up here Dialogue: 0,0:15:41.46,0:15:44.70,Default,,0000,0000,0000,,yeah it is okay and I can choose the Dialogue: 0,0:15:44.70,0:15:46.50,Default,,0000,0000,0000,,drill down search will be Dialogue: 0,0:15:46.50,0:15:49.16,Default,,0000,0000,0000,,C Dialogue: 0,0:15:49.26,0:15:53.88,Default,,0000,0000,0000,,what caused alert Dialogue: 0,0:15:55.08,0:15:56.88,Default,,0000,0000,0000,,there are other ways of doing this I'll Dialogue: 0,0:15:56.88,0:15:58.02,Default,,0000,0000,0000,,show but I'm just I'm just going to Dialogue: 0,0:15:58.02,0:16:00.12,Default,,0000,0000,0000,,create a few ad drill down searches and Dialogue: 0,0:16:00.12,0:16:02.46,Default,,0000,0000,0000,,here we're going to just do Dialogue: 0,0:16:02.46,0:16:04.52,Default,,0000,0000,0000,,um Dialogue: 0,0:16:04.56,0:16:07.56,Default,,0000,0000,0000,,Y is Dialogue: 0,0:16:07.56,0:16:10.40,Default,,0000,0000,0000,,this Dialogue: 0,0:16:10.46,0:16:14.00,Default,,0000,0000,0000,,drill down exist Dialogue: 0,0:16:14.88,0:16:16.38,Default,,0000,0000,0000,,I just want to show I can go search Dialogue: 0,0:16:16.38,0:16:17.58,Default,,0000,0000,0000,,anything Dialogue: 0,0:16:17.58,0:16:21.20,Default,,0000,0000,0000,,index equals internal Dialogue: 
0,0:16:21.20,0:16:22.98,Default,,0000,0000,0000,,why would you be looking at your Dialogue: 0,0:16:22.98,0:16:26.28,Default,,0000,0000,0000,,internal logs it doesn't really matter Dialogue: 0,0:16:26.28,0:16:28.34,Default,,0000,0000,0000,,um Dialogue: 0,0:16:28.50,0:16:30.18,Default,,0000,0000,0000,,well actually let's just do this I'm Dialogue: 0,0:16:30.18,0:16:33.18,Default,,0000,0000,0000,,going to put in dollar sign Source IP Dialogue: 0,0:16:33.18,0:16:35.46,Default,,0000,0000,0000,,so I'm basically looking in my internal Dialogue: 0,0:16:35.46,0:16:37.14,Default,,0000,0000,0000,,logs and I'm going to see if I find that Dialogue: 0,0:16:37.14,0:16:40.20,Default,,0000,0000,0000,,IP address popping up it it's just kind Dialogue: 0,0:16:40.20,0:16:41.82,Default,,0000,0000,0000,,of an interesting way you can add Dialogue: 0,0:16:41.82,0:16:45.66,Default,,0000,0000,0000,,additional searches to your information Dialogue: 0,0:16:45.66,0:16:46.50,Default,,0000,0000,0000,,um Dialogue: 0,0:16:46.50,0:16:48.36,Default,,0000,0000,0000,,so I'm going to be searching my internal Dialogue: 0,0:16:48.36,0:16:50.46,Default,,0000,0000,0000,,logs for the source IP Dialogue: 0,0:16:50.46,0:16:53.16,Default,,0000,0000,0000,,and I hope you saw this earliest offset Dialogue: 0,0:16:53.16,0:16:56.40,Default,,0000,0000,0000,,latest Offset you can change this or you Dialogue: 0,0:16:56.40,0:16:57.96,Default,,0000,0000,0000,,can you can let it just go by its Dialogue: 0,0:16:57.96,0:17:00.06,Default,,0000,0000,0000,,default or you can say for here I'm Dialogue: 0,0:17:00.06,0:17:01.14,Default,,0000,0000,0000,,going to go Dialogue: 0,0:17:01.14,0:17:05.40,Default,,0000,0000,0000,,plus this is a earliest for example one Dialogue: 0,0:17:05.40,0:17:06.48,Default,,0000,0000,0000,,hour Dialogue: 0,0:17:06.48,0:17:08.22,Default,,0000,0000,0000,,and I'm going to leave the other one as Dialogue: 0,0:17:08.22,0:17:10.64,Default,,0000,0000,0000,,zero Dialogue: 
0,0:17:10.92,0:17:12.36,Default,,0000,0000,0000,,does that make sense so I hope this Dialogue: 0,0:17:12.36,0:17:14.64,Default,,0000,0000,0000,,makes this helps I can change my time Dialogue: 0,0:17:14.64,0:17:16.56,Default,,0000,0000,0000,,it's basically going to look in this Dialogue: 0,0:17:16.56,0:17:22.22,Default,,0000,0000,0000,,window one hour back of based off of Dialogue: 0,0:17:22.92,0:17:24.98,Default,,0000,0000,0000,,um Dialogue: 0,0:17:25.08,0:17:27.78,Default,,0000,0000,0000,,the the time this event occurred Dialogue: 0,0:17:27.78,0:17:29.22,Default,,0000,0000,0000,,so this might actually look a little bit Dialogue: 0,0:17:29.22,0:17:30.36,Default,,0000,0000,0000,,in the future this can look a little bit Dialogue: 0,0:17:30.36,0:17:32.04,Default,,0000,0000,0000,,in the future it's going to use time in Dialogue: 0,0:17:32.04,0:17:35.30,Default,,0000,0000,0000,,the back so let's go Dialogue: 0,0:17:35.58,0:17:37.86,Default,,0000,0000,0000,,we're going to go one hour one way this Dialogue: 0,0:17:37.86,0:17:40.50,Default,,0000,0000,0000,,is going to go one hour and in the Dialogue: 0,0:17:40.50,0:17:43.32,Default,,0000,0000,0000,,future and one hour in the past Dialogue: 0,0:17:43.32,0:17:45.84,Default,,0000,0000,0000,,sounds good I'm going to leave my Dialogue: 0,0:17:45.84,0:17:48.24,Default,,0000,0000,0000,,investigation profile alone and these Dialogue: 0,0:17:48.24,0:17:50.88,Default,,0000,0000,0000,,are I uh extractions and these what it's Dialogue: 0,0:17:50.88,0:17:52.44,Default,,0000,0000,0000,,going to do is it's going to it's going Dialogue: 0,0:17:52.44,0:17:55.92,Default,,0000,0000,0000,,to identify identities these are users Dialogue: 0,0:17:55.92,0:17:57.24,Default,,0000,0000,0000,,and stuff like that on your network Dialogue: 0,0:17:57.24,0:18:00.24,Default,,0000,0000,0000,,assets would be like IPS and machines Dialogue: 0,0:18:00.24,0:18:02.94,Default,,0000,0000,0000,,and files and URLs that it might have Dialogue: 
0,0:18:02.94,0:18:06.02,Default,,0000,0000,0000,,found I'm going to we got assets here Dialogue: 0,0:18:06.02,0:18:08.76,Default,,0000,0000,0000,,Source test Dialogue: 0,0:18:08.76,0:18:10.50,Default,,0000,0000,0000,,um does my lock do my logs contain Dialogue: 0,0:18:10.50,0:18:11.76,Default,,0000,0000,0000,,source and test Dialogue: 0,0:18:11.76,0:18:14.94,Default,,0000,0000,0000,,well let's go look had one do I actually Dialogue: 0,0:18:14.94,0:18:18.20,Default,,0000,0000,0000,,have a source and a desk here Dialogue: 0,0:18:18.30,0:18:21.30,Default,,0000,0000,0000,,I have a source IP but no source so I Dialogue: 0,0:18:21.30,0:18:23.46,Default,,0000,0000,0000,,don't have the field it's looking for to Dialogue: 0,0:18:23.46,0:18:25.44,Default,,0000,0000,0000,,be able to identify it so what I need to Dialogue: 0,0:18:25.44,0:18:26.70,Default,,0000,0000,0000,,do is I need to come in here and I'm Dialogue: 0,0:18:26.70,0:18:27.96,Default,,0000,0000,0000,,going to go Dialogue: 0,0:18:27.96,0:18:30.78,Default,,0000,0000,0000,,source IP Dialogue: 0,0:18:30.78,0:18:33.54,Default,,0000,0000,0000,,except it's on identity Dialogue: 0,0:18:33.54,0:18:35.94,Default,,0000,0000,0000,,the identity it's an asset so I'm going Dialogue: 0,0:18:35.94,0:18:36.72,Default,,0000,0000,0000,,to come in here and I'm going to go Dialogue: 0,0:18:36.72,0:18:39.68,Default,,0000,0000,0000,,Source IP Dialogue: 0,0:18:40.40,0:18:43.50,Default,,0000,0000,0000,,and just because it's we might we might Dialogue: 0,0:18:43.50,0:18:46.32,Default,,0000,0000,0000,,want to identify the uh the other Dialogue: 0,0:18:46.32,0:18:47.70,Default,,0000,0000,0000,,machine in question we're going to put Dialogue: 0,0:18:47.70,0:18:50.16,Default,,0000,0000,0000,,desktop in there as well so I'm going to Dialogue: 0,0:18:50.16,0:18:52.26,Default,,0000,0000,0000,,have my source IP and my destination IP Dialogue: 0,0:18:52.26,0:18:54.06,Default,,0000,0000,0000,,they're going to be assets that are Dialogue: 
0,0:18:54.06,0:18:56.10,Default,,0000,0000,0000,,extracted and that's all I'm going to do Dialogue: 0,0:18:56.10,0:18:57.54,Default,,0000,0000,0000,,I just want to make sure that the Dialogue: 0,0:18:57.54,0:19:00.00,Default,,0000,0000,0000,,anything that might be identifiable in Dialogue: 0,0:19:00.00,0:19:01.50,Default,,0000,0000,0000,,these queries not these queries the Dialogue: 0,0:19:01.50,0:19:04.20,Default,,0000,0000,0000,,query up here let's call them out and I Dialogue: 0,0:19:04.20,0:19:05.76,Default,,0000,0000,0000,,hope all this will make more sense as Dialogue: 0,0:19:05.76,0:19:07.14,Default,,0000,0000,0000,,you actually see the stuff come back Dialogue: 0,0:19:07.14,0:19:09.36,Default,,0000,0000,0000,,there's just a lot of capabilities here Dialogue: 0,0:19:09.36,0:19:12.90,Default,,0000,0000,0000,,I can write steps if I want to I can set Dialogue: 0,0:19:12.90,0:19:14.94,Default,,0000,0000,0000,,things up to uh for example send an Dialogue: 0,0:19:14.94,0:19:17.64,Default,,0000,0000,0000,,email stream capture if you have uh Dialogue: 0,0:19:17.64,0:19:20.40,Default,,0000,0000,0000,,Splunk stream nbstat and it's look up Dialogue: 0,0:19:20.40,0:19:21.60,Default,,0000,0000,0000,,you can make your system do a lot of Dialogue: 0,0:19:21.60,0:19:23.82,Default,,0000,0000,0000,,things like I could have Splunk go ping Dialogue: 0,0:19:23.82,0:19:26.22,Default,,0000,0000,0000,,an IP address you know what Dialogue: 0,0:19:26.22,0:19:28.44,Default,,0000,0000,0000,,um in a little bit I'll actually show me Dialogue: 0,0:19:28.44,0:19:30.36,Default,,0000,0000,0000,,doing that I can have it do a risk Dialogue: 0,0:19:30.36,0:19:32.40,Default,,0000,0000,0000,,analysis run a scripts and a uba send a Dialogue: 0,0:19:32.40,0:19:34.20,Default,,0000,0000,0000,,split mobile Splunk mobile is really Dialogue: 0,0:19:34.20,0:19:36.78,Default,,0000,0000,0000,,cool now it's being sent to my phone add Dialogue: 0,0:19:36.78,0:19:38.88,Default,,0000,0000,0000,,thread 
intelligence from it web hooks Dialogue: 0,0:19:38.88,0:19:40.86,Default,,0000,0000,0000,,whatever you have a lots of capabilities Dialogue: 0,0:19:40.86,0:19:43.80,Default,,0000,0000,0000,,don't need to do it the the minimum you Dialogue: 0,0:19:43.80,0:19:45.12,Default,,0000,0000,0000,,need for a notable Dialogue: 0,0:19:45.12,0:19:48.06,Default,,0000,0000,0000,,title description Dialogue: 0,0:19:48.06,0:19:50.10,Default,,0000,0000,0000,,you don't even need these drill Downs Dialogue: 0,0:19:50.10,0:19:52.32,Default,,0000,0000,0000,,you can let this be set as default Dialogue: 0,0:19:52.32,0:19:54.08,Default,,0000,0000,0000,,probably should pick a security domain Dialogue: 0,0:19:54.08,0:19:57.78,Default,,0000,0000,0000,,and literally that's it make sure it's a Dialogue: 0,0:19:57.78,0:19:59.52,Default,,0000,0000,0000,,lot more helpful if you can identify Dialogue: 0,0:19:59.52,0:20:01.14,Default,,0000,0000,0000,,your stuff coming back as identities and Dialogue: 0,0:20:01.14,0:20:03.06,Default,,0000,0000,0000,,sources and I'm going to show you that Dialogue: 0,0:20:03.06,0:20:05.88,Default,,0000,0000,0000,,in the next video with workbenches and Dialogue: 0,0:20:05.88,0:20:07.80,Default,,0000,0000,0000,,stuff like that but for the sake of this Dialogue: 0,0:20:07.80,0:20:09.30,Default,,0000,0000,0000,,don't worry about it Dialogue: 0,0:20:09.30,0:20:10.92,Default,,0000,0000,0000,,um just know that it's it's good if you Dialogue: 0,0:20:10.92,0:20:12.60,Default,,0000,0000,0000,,can call it out but if you don't you're Dialogue: 0,0:20:12.60,0:20:14.58,Default,,0000,0000,0000,,it's not like the query will break Dialogue: 0,0:20:14.58,0:20:17.54,Default,,0000,0000,0000,,I'm going to hit save Dialogue: 0,0:20:18.30,0:20:20.34,Default,,0000,0000,0000,,and I should have a correlation search Dialogue: 0,0:20:20.34,0:20:22.32,Default,,0000,0000,0000,,done now I'm going to have to wait I Dialogue: 0,0:20:22.32,0:20:24.78,Default,,0000,0000,0000,,probably just missed my 
window it's Dialogue: 0,0:20:24.78,0:20:26.40,Default,,0000,0000,0000,,supposed to be kicking off five minutes Dialogue: 0,0:20:26.40,0:20:28.50,Default,,0000,0000,0000,,after the hour Dialogue: 0,0:20:28.50,0:20:30.84,Default,,0000,0000,0000,,so I can almost guarantee that if I come Dialogue: 0,0:20:30.84,0:20:33.66,Default,,0000,0000,0000,,to incident review I will not find an Dialogue: 0,0:20:33.66,0:20:35.40,Default,,0000,0000,0000,,alert Dialogue: 0,0:20:35.40,0:20:38.64,Default,,0000,0000,0000,,called YouTube notable Dialogue: 0,0:20:38.64,0:20:40.68,Default,,0000,0000,0000,,I'm gonna have to wait till five more Dialogue: 0,0:20:40.68,0:20:43.02,Default,,0000,0000,0000,,minutes to go by but let's go ahead and Dialogue: 0,0:20:43.02,0:20:44.70,Default,,0000,0000,0000,,check that so I can come down I can Dialogue: 0,0:20:44.70,0:20:47.46,Default,,0000,0000,0000,,refresh the page here or I can refresh Dialogue: 0,0:20:47.46,0:20:50.46,Default,,0000,0000,0000,,the page here but either way that is not Dialogue: 0,0:20:50.46,0:20:52.38,Default,,0000,0000,0000,,the purpose of this video is to look at Dialogue: 0,0:20:52.38,0:20:54.42,Default,,0000,0000,0000,,the incidents coming in mine was to talk Dialogue: 0,0:20:54.42,0:20:56.22,Default,,0000,0000,0000,,about correlation searches and how to Dialogue: 0,0:20:56.22,0:20:58.32,Default,,0000,0000,0000,,make my own I have set up a correlation Dialogue: 0,0:20:58.32,0:21:00.96,Default,,0000,0000,0000,,search and so I've accomplished my task Dialogue: 0,0:21:00.96,0:21:03.12,Default,,0000,0000,0000,,I'm gonna I'm gonna come see it here Dialogue: 0,0:21:03.12,0:21:04.62,Default,,0000,0000,0000,,with a configure Dialogue: 0,0:21:04.62,0:21:06.96,Default,,0000,0000,0000,,content Dialogue: 0,0:21:06.96,0:21:10.86,Default,,0000,0000,0000,,configure content content management my Dialogue: 0,0:21:10.86,0:21:13.68,Default,,0000,0000,0000,,new correlation search is in here we can Dialogue: 
0,0:21:13.68,0:21:16.14,Default,,0000,0000,0000,,see that when I go all Dialogue: 0,0:21:16.14,0:21:17.64,Default,,0000,0000,0000,,correlation search and when you create Dialogue: 0,0:21:17.64,0:21:20.70,Default,,0000,0000,0000,,them by default they are enabled Dialogue: 0,0:21:20.70,0:21:24.00,Default,,0000,0000,0000,,so if I come in here and I enable Dialogue: 0,0:21:24.00,0:21:26.34,Default,,0000,0000,0000,,I can see YouTube correlation search for Dialogue: 0,0:21:26.34,0:21:27.48,Default,,0000,0000,0000,,line Creations if I want to make any Dialogue: 0,0:21:27.48,0:21:29.70,Default,,0000,0000,0000,,changes to it Dialogue: 0,0:21:29.70,0:21:32.16,Default,,0000,0000,0000,,I just hit search now that's interesting Dialogue: 0,0:21:32.16,0:21:33.48,Default,,0000,0000,0000,,that it doesn't say that it's actually Dialogue: 0,0:21:33.48,0:21:36.14,Default,,0000,0000,0000,,scheduled Dialogue: 0,0:21:40.74,0:21:42.96,Default,,0000,0000,0000,,all right well probably because it Dialogue: 0,0:21:42.96,0:21:44.94,Default,,0000,0000,0000,,hasn't run the very first time once it Dialogue: 0,0:21:44.94,0:21:47.04,Default,,0000,0000,0000,,runs I should see Dialogue: 0,0:21:47.04,0:21:50.22,Default,,0000,0000,0000,,here the next schedule time but it's Dialogue: 0,0:21:50.22,0:21:51.42,Default,,0000,0000,0000,,really easy just keep it under the Dialogue: 0,0:21:51.42,0:21:53.90,Default,,0000,0000,0000,,enabled Dialogue: 0,0:21:54.54,0:21:58.14,Default,,0000,0000,0000,,and correlation searches Dialogue: 0,0:21:58.14,0:21:59.40,Default,,0000,0000,0000,,so Dialogue: 0,0:21:59.40,0:22:01.50,Default,,0000,0000,0000,,yep there it is now I've got a time for Dialogue: 0,0:22:01.50,0:22:03.24,Default,,0000,0000,0000,,the next scheduled time stored in the Dialogue: 0,0:22:03.24,0:22:05.04,Default,,0000,0000,0000,,Enterprise Security app what have we Dialogue: 0,0:22:05.04,0:22:06.78,Default,,0000,0000,0000,,covered we've talked about correlation Dialogue: 
0,0:22:06.78,0:22:09.42,Default,,0000,0000,0000,,searches what they are they're saved Dialogue: 0,0:22:09.42,0:22:11.64,Default,,0000,0000,0000,,searches that can be used to create Dialogue: 0,0:22:11.64,0:22:15.72,Default,,0000,0000,0000,,notables notables fill out tickets that Dialogue: 0,0:22:15.72,0:22:17.76,Default,,0000,0000,0000,,you will go into a ticket triaging Dialogue: 0,0:22:17.76,0:22:19.62,Default,,0000,0000,0000,,system which we will cover in the next Dialogue: 0,0:22:19.62,0:22:21.60,Default,,0000,0000,0000,,video in this playlist please look at Dialogue: 0,0:22:21.60,0:22:23.34,Default,,0000,0000,0000,,the link below notice that this is a Dialogue: 0,0:22:23.34,0:22:25.14,Default,,0000,0000,0000,,playlist go ahead and join the playlist Dialogue: 0,0:22:25.14,0:22:27.30,Default,,0000,0000,0000,,and watch the videos this is meant to be Dialogue: 0,0:22:27.30,0:22:29.52,Default,,0000,0000,0000,,a comprehensive training to help you Dialogue: 0,0:22:29.52,0:22:31.62,Default,,0000,0000,0000,,understand Enterprise security Dialogue: 0,0:22:31.62,0:22:32.22,Default,,0000,0000,0000,,um Dialogue: 0,0:22:32.22,0:22:35.10,Default,,0000,0000,0000,,click that link we have now create I've Dialogue: 0,0:22:35.10,0:22:36.48,Default,,0000,0000,0000,,shown you how to see the correlation Dialogue: 0,0:22:36.48,0:22:38.16,Default,,0000,0000,0000,,search that come out of the box and I've Dialogue: 0,0:22:38.16,0:22:40.08,Default,,0000,0000,0000,,shown you how to create your own from Dialogue: 0,0:22:40.08,0:22:42.42,Default,,0000,0000,0000,,scratch I hope this has been helpful I Dialogue: 0,0:22:42.42,0:22:44.30,Default,,0000,0000,0000,,hope this helps you move from being a Dialogue: 0,0:22:44.30,0:22:47.70,Default,,0000,0000,0000,,lame analyst to a Splunk ninja that Dialogue: 0,0:22:47.70,0:22:49.26,Default,,0000,0000,0000,,you'll keep following particularly this Dialogue: 0,0:22:49.26,0:22:51.12,Default,,0000,0000,0000,,playlist watch the videos in it and that 
Dialogue: 0,0:22:51.12,0:22:52.80,Default,,0000,0000,0000,,they're helpful anyway hope to see you Dialogue: 0,0:22:52.80,0:22:54.92,Default,,0000,0000,0000,,around