Alright, welcome to my Enterprise Security video playlist. This time we're going to be covering correlation searches. This is a fancy word for a saved search that creates an alert. That's really what it comes down to. They call them notables, there's a lot of terminology involved, but the ultimate concept is: a correlation search is a search that fires off at predefined periods of time, maybe every five minutes, every hour, searches back across your logs for certain behaviors, and if it sees them, it creates an alert. You can make it create a notable. Technically, it doesn't have to create a notable, and I'll explain how that works, but it's really just a saved search. So let's break right into Enterprise Security, and let's talk about that. So I come into Enterprise Security. We're going to show what already comes out of the box. So if I go 'Configure', I'm in my Enterprise Security and I come into 'Content', and I go to 'Content Management', these are all the knowledge objects that come with Enterprise Security, and I'm going to flip this to 'Correlation Search'. I click that, and we can see that it's going to come back with lots and lots of results, 58 pages plus of them and multiple to a page. You can read this, so I'm just going to go into the very first one. And this is 'Abnormally High Number of Endpoint Changes By User'. If I open this up a little bit: 'Detects an abnormally high number of endpoint changes by user account as it relates to restarts, audits, file system, user, registry, notifications'. If I go into this, I'm actually going to be able to see the query. I'm not going to explain it because I can already tell you it's probably going to be written with lots of data models and macros, but out of the box you can see: here's the query. And it's basically going to look at your data model. You'll hear me talk about data models.
I've discussed data models, but this is going to be the Endpoint data model, and it's going to be looking at file systems for changes by the user. It's going to do a bunch of other things, and ultimately it's going to come back and say: if you meet a certain criteria... and you can see that it's actually using the Machine Learning Toolkit, so down here it's actually building a threshold, saying what is the normal amount of changes, and is it jumping out of that normal level. It's really cool; they put some really cool analytics out there for you. You can just use what they've got. What I love is... I hear, 'oh, well, aren't correlation searches attached to frameworks now?' Well, you can see the very first ones: sometimes they are. But here, these are frameworks. I've heard this in my own work: 'oh, well, they're all mapped to MITRE.' Well, are they? I'll just grab the very first one, and there's no MITRE technique mapped. What should it be? Well, there's a lot of things that could cause a MITRE technique to... if there are endpoint changes, it could be many different types of tactics. Then I'll have it mapped. You could come in here and you could map it; we'll discuss that later. But the point is, we come down here (make that go away, that's all) and we can see that it's looking back 1,450 minutes, and the latest time is zero. This runs at five after the hour, that's how I read that, five after the hour. If the results are greater than zero, it groups by user and change type, and we see that it does not create a notable; it actually just provides a risk analysis. And we'll discuss risk analysis when we talk about RBA. But the point is, you can make it do a bunch of adaptive responses. My job here is not to help you understand every correlation search that comes out of the box; I'm here to discuss the part that most people don't know how to do: create your own.
So I've shown you that you can go look through... there's the documentation on Splunk, it says 1,400 plus; I don't know how they define what a correlation search is. I'm going to tell you that it's a lot. There's a lot of them. And by default, Enterprise Security is smart: they do not come enabled. If I look at the enabled correlation searches, this is mine that I was using as I started to help understand Enterprise Security, and these two were turned on, and this is for the risk-based approach. Other than that, there are no correlation searches that come enabled out of the box. Why? Well, one, they don't want to turn something on that doesn't fit your data set; two, often you have to tweak them. The correlation search is great, but it's not always going to be perfect for your environment, and so as a general rule, they're there as guidance. Use them when they make sense: turn one on, test it, see how it works. If it doesn't, modify it, and typically you'll just clone the correlation search and build your own. Anyway, enough talking about that; let's talk about actually building my own correlation search. So I'm in 'Configure', 'Content', and I went to 'Content Management'. If I do 'Create New Content', that's how I'm going to build one. And so we're going to create new content, we're going to make a correlation search. This is the way that I do correlation searches. That doesn't mean it's the way that it has to be done, but it's the way it works for me. I'm going to call this... I would hopefully have a much better name for this, but I'm going to do 'YouTube Correlation Search'. Horrible name, because someone who comes across this will have no idea what it's for, but for me, when I need to purge stuff from my system, it's really easy and it stands out. So I'm going to put it that way. Then here in my description, I'm going to go 'Grab one event from network logs'. I'm not actually going to build something that I'm looking for. That's not the point of this video.
I'm just showing how to build one, and I want it to always fire, so I'm going to fudge the numbers so that I always get what I want. And so the first thing I do is I don't try to build a search through here. You can use guided mode. Guided's cool; it'll let you pick data models, you can pick fields from them. So if I enable the guided mode, you'll see the data, it'll say, alright, what data model do you want to look at? I might come down to 'Network Traffic'... and what data set do I want to use... 'All Traffic'. Do I want to use 'summaries only'? I'll discuss summaries only later; this is not the place for it. Time range. And there is your basic query. I can run the search and see how it looks. Then I'm going to hit 'filter', and filter would be like All_Traffic... All_Traffic.dest_ip... oh, it's a boolean. Where... and I actually don't know how to make this work. All_Traffic... I'd have to go look this up. Well, that's not very helpful there. The point is, I'm not actually going through the guided search tour. I'm going to stay right here with a manual query where I can write it. It does have guided; again, you've got to understand exactly what you're pulling. Guided is nice if you know it; follow the docs. I'm not here for following the docs, I'm here to take a query. This is my home network. I'm going to look at the correlate logs. I'm going to look at my correlate conn logs. I'm going to say where source IP is 192.168.0.*. That is only so I make sure that I'm looking at a specific subnet section of my network. This is primarily my network designed for doing Splunk videos, and so this is part of my home network, but it's a subnet on my network that I use for testing, pen testing, setup of systems that I stand up and tear down, and so I just want to know what they're doing. And so I wanted the source IP. Maybe you don't want the source IP.
All I really cared about, though, is I just wanted this, because ultimately, later down, I'm going to do inventory, and I'm going to have a very simple inventory of that subnet, and so I only want IPs where at least one piece of the data ties to my inventory. And so, as you can see, this here has nothing to do with my network, but this one does. And I'm going to do a head 1, because I don't want lots and lots of results. Basically, I want a query that's always going to return one result, and that's what I built. This isn't bad. This isn't actually a known bad; I just wanted data to come back, so then I can put other stuff on it. I'm doing this as a demo for you guys to understand how to build a query. You would want to build a query that actually is looking for something malicious. Right now, I just want a query to return a result, so that when I do my next video about triage and the triage system, there are actually tickets coming in. If I write a query that's looking for bad, well, that bad had better be occurring on my network or it's not going to fire. And so it's a lot harder to troubleshoot whether the thing is working, if you're building queries right, if you build something that you hope to not actually see on your network. So I actually hope to see correlate conn logs. I sure hope so. That means my network has traffic. Anyway, I'm just going to put the head 1, because I only want it to create one alert. If I let it come back, every event that comes back in here would be a notable alert. I don't want my triage system getting inundated. So I'm just going to do this head 1. Now I'm going to map it. I'm going to go to MITRE, and I'm going to put in some techniques. So I'm going to go 'T1143'. I actually can't remember what all these mean off the top of my head. You can go look them up. I'm going to say this, and this has no basis whatsoever, but again, these videos are going to build on themselves.
And so I'm building these MITRE ATT&CK mappings so when I go to the RBA section of this video playlist, you'll see how it maps all the different techniques together. And so I'm going to put this down here, and actually, because I want this to work on my system, I want it always to be 0.128; that way I'm only going to get alerts that are relating to this system. That means my risk-based approach will cross the threshold. That actually makes a lot more sense for me. I'll explain that when we actually get to RBA, but basically, give me an alert every time 0.128 is the source of network traffic. And that should fire off quite frequently. Ignore the picture up in the top. We're just going to move on. Head 1. My videos are done rendering. Anyway, so I'm going to map it to these TTPs. Again, this is all for demo purposes, so I just pick some TTPs, and I can come down here and I can put a confidence score, an impact score, context, analytics; we're just gonna leave that alone for now. I can create my own framework. And now here it's going to say, how far back do I want to look? Do I want to look back 24 hours? I could, but I know how often my logs are firing. I'm going to look back one hour. Doesn't really matter, because I'm just grabbing head 1. And I probably get hundreds of events every... probably thousands of events every hour on this particular subnet. And so it's not going to be a problem getting data. I'm going to look back one hour to now. And how often do I want it to run? You know what? I'm going to let it run every five minutes. And that's going to be important so that I actually have events. And that'll work. I'm going to come down here, and I'm going to say, do I want it to run as real time or continuous? We'll just leave it at its default. What's my scheduling window? Again, I'm not going over these; this is just basically how you want to run your times.
I'm going to run this every five minutes. Schedule priority, in case there are conflicts. Hopefully with your Enterprise Security, you actually do not overload your system so that these become a big deal. Trigger conditions: number of results greater than zero. That's always going to be the case, because I'm getting back one. But if I wanted to do thresholds, I could make it so the thing has to occur at least 10 times, or 15 times, or whatever. Then window duration, fields to group by... that's it. That's all I want to deal with. Really, the only places I play around with this are: I wrote a query in the most basic format to get your correlation searches going. Pick a search. I would tie it to an annotation, but you don't have to; it's not required. You come down here, pick your time window, these three boxes: how far back do you want to look, latest time, earliest time, and your cron schedule. And then you really don't have to touch anything else except this 'Add Adaptive Response'. I'm going to come and modify this in a minute; when we talk about RBA, I'm going to put a risk analysis. For the sake of keeping this simple, I am only going to do notables for now. So I'm going to come in here and I'm going to click 'Notable'. A notable is an alert that goes to your triage system. I'm gonna go 'YouTube notable', give a description. I can actually use variable substitution, so I'm going to do 'alert for' followed by the source IP field wrapped in dollar signs. I need to make sure that field comes back, and this does have a source IP, so I can use it; you just call it with the dollar sign on both sides of a variable and that'll be dynamic. And so my description will come back with this. And just because I want to... what if I do... yeah, we'll just leave it at that. 'YouTube notable'. Security domain: there are a bunch of domains. This is dealing with access, areas that would be authentication; endpoint, a lot of your host logs; network logs; threat; identity; and audit. And so those are the six areas Splunk has as security domains.
We'll just put it in the network domain. I'm going to put the severity as low, and default owner: I can put in these, I can leave it unassigned. I'm going to put it as unassigned to start with; again, you don't have to. Default status, I'm going to put it as unassigned. And I could put a drilldown search in there, and let's do that. We're going to take this very same query, just to keep things really simple. One of the very first drilldowns I want to put in there is the actual query that created this log, but in this case I'm not going to put head 1; I'm going to take the head out. Oh, it looks like I've lost the 128 on there. 128... make sure 128 is up here. Yeah, it is, okay. And I can name the drilldown search 'See what caused alert'. There are other ways of doing this, I'll show, but I'm just going to create a few drilldown searches. And here we're going to just do, um, 'Why does this drilldown exist'. I just want to show I can go search anything: index equals _internal. Why would you be looking at your internal logs? It doesn't really matter. Well, actually, let's just do this: I'm going to put in the source IP with dollar signs, so I'm basically looking in my internal logs and I'm going to see if I find that IP address popping up. It's just kind of an interesting way you can add additional searches to your information. So I'm going to be searching my internal logs for the source IP. And I hope you saw this: earliest offset, latest offset. You can change this, or you can let it just go by its default, or you can say, for here I'm going to go plus... this is the earliest, for example one hour, and I'm going to leave the other one as zero. Does that make sense? So I hope this helps. I can change my time; it's basically going to look in this window, one hour back, based off of the time this event occurred. So this might actually look a little bit in the future; this can look a little bit in the future, and it's going to use time in the back. So let's go, we're going to go one hour each way; this is going to go one hour in the future and one hour in the past. Sounds good.
I'm going to leave my investigation profile alone. And these are extractions, and what it's going to do is identify identities, these are users and stuff like that on your network; assets would be like IPs and machines and files and URLs that it might have found. We've got assets here: source, dest. Do my logs contain source and dest? Well, let's go look. Head 1. Do I actually have a source and a dest here? I have a source IP but no source, so I don't have the field it's looking for to be able to identify it. So what I need to do is I need to come in here and I'm going to go source IP, except it's not an identity, it's an asset. So I'm going to come in here and I'm going to go source IP, and just because we might want to identify the other machine in question, we're going to put dest IP in there as well. So I'm going to have my source IP and my destination IP; they're going to be assets that are extracted. And that's all I'm going to do. I just want to make sure that anything that might be identifiable in these queries, not these queries, the query up here, we call it out. And I hope all this will make more sense as you actually see the stuff come back. There's just a lot of capabilities here. I can write steps if I want to. I can set things up to, for example, send an email, stream capture if you have Splunk Stream, nbtstat, and lookups. You can make your system do a lot of things; like I could have Splunk go ping an IP address. You know what, in a little bit I'll actually show me doing that. I can have it do a risk analysis, run a script, send to UBA, send to Splunk Mobile (Splunk Mobile is really cool; now it's being sent to my phone), add threat intelligence from it, webhooks, whatever you have. Lots of capabilities. You don't need to do it all. The minimum you need for a notable: title, description. You don't even need these drilldowns; you can let this be set as default. Probably should pick a security domain, and literally that's it. It's a lot more helpful if you can identify your stuff coming back as identities and assets, and I'm going to show you that in the next video with workbenches and stuff like that, but for the sake of this, don't worry about it. Just know that it's good if you can call it out, but if you don't, it's not like the query will break.
I'm going to hit save, and I should have a correlation search done. Now I'm going to have to wait; I probably just missed my window. It's supposed to be kicking off five minutes after the hour, so I can almost guarantee that if I come to Incident Review I will not find an alert called 'YouTube notable'. I'm gonna have to wait till five more minutes go by, but let's go ahead and check that. So I can come down, I can refresh the page here, or I can refresh the page here, but either way, the purpose of this video is not to look at the incidents coming in; mine was to talk about correlation searches and how to make my own. I have set up a correlation search, and so I've accomplished my task. I'm gonna come see it here with 'Configure', 'Content', 'Content Management'. My new correlation search is in here; we can see that when I go 'All Correlation Searches', and when you create them, by default they are enabled. So if I come in here and I filter to enabled, I can see 'YouTube Correlation Search'. If I want to make any changes to it, I just hit the search. Now, that's interesting that it doesn't say that it's actually scheduled. All right, well, probably because it hasn't run the very first time; once it runs I should see here the next scheduled time. But it's really easy: just keep it under the enabled correlation searches. So yep, there it is. Now I've got a time for the next scheduled run stored in the Enterprise Security app.
What have we covered? We've talked about correlation searches, what they are: they're saved searches that can be used to create notables. Notables fill out tickets that will go into a ticket triaging system, which we will cover in the next video in this playlist. Please look at the link below; notice that this is a playlist, go ahead and join the playlist and watch the videos. This is meant to be a comprehensive training to help you understand Enterprise Security. Click that link. I've shown you how to see the correlation searches that come out of the box, and I've shown you how to create your own from scratch. I hope this has been helpful. I hope this helps you move from being a lame analyst to a Splunk ninja, that you'll keep following, particularly this playlist, watch the videos in it, and that they're helpful. Anyway, hope to see you around.
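To make the settings walked through in the video concrete, here is the same correlation search written out as the savedsearches.conf stanza the Content Management UI would produce. This is an added example for this transcript, not an export from the video's system or Splunk's own code. Assumptions: the conn logs live in an index called `netlogs` under a placeholder sourcetype `your_conn_sourcetype`, the events carry CIM-style `src_ip` and `dest_ip` fields, the `-1h`/`+1h` drilldown offsets stand in for the "one hour in the past and one hour in the future" window the video settles on, and the key names follow Enterprise Security's savedsearches.conf as I know it; compare them against a stanza exported from your own ES version before relying on them.

```ini
# Added example: one ES correlation search as a savedsearches.conf stanza.
# Not the video's export. Index, sourcetype and field names are assumed.
[YouTube Correlation Search]
description = Grab one event from network logs
disabled = 0

# Schedule: run every five minutes, look back one hour up to now.
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -60m@m
dispatch.latest_time = now

# The search itself. Pinning src_ip to one host keeps the demo predictable;
# "| head 1" matters because every row a correlation search returns becomes
# its own notable, so an unbounded search floods Incident Review.
search = index=netlogs sourcetype=your_conn_sourcetype src_ip=192.168.0.128 | head 1

# Trigger condition: number of results greater than 0.
# For a real detection, raise "quantity" to require N matching events per run.
counttype = number of events
relation = greater than
quantity = 0

# Marks this saved search as an ES correlation search and carries the
# MITRE ATT&CK annotation chosen in the video (T1143, for demo purposes only).
action.correlationsearch.enabled = 1
action.correlationsearch.label = YouTube Correlation Search
action.correlationsearch.annotations = {"mitre_attack": ["T1143"]}

# Notable adaptive response: title, description with $field$ substitution
# (the field must exist in the result row), security domain, severity, owner.
action.notable = 1
action.notable.param.rule_title = YouTube notable
action.notable.param.rule_description = Alert for $src_ip$
action.notable.param.security_domain = network
action.notable.param.severity = low
action.notable.param.default_owner = unassigned

# Drilldown: the originating search without "| head 1", scoped to a window
# around the notable's event time (assumed offset syntax, see lead-in).
action.notable.param.drilldown_name = See what caused alert
action.notable.param.drilldown_search = index=netlogs sourcetype=your_conn_sourcetype src_ip=192.168.0.128
action.notable.param.drilldown_earliest_offset = -1h
action.notable.param.drilldown_latest_offset = +1h

# Asset extraction: the conn events have src_ip/dest_ip but no src/dest,
# so name the fields that actually exist; no identity (user) fields here.
action.notable.param.extract_assets = ["src_ip","dest_ip"]
action.notable.param.extract_identities = []
```

The three settings the video singles out as the ones you actually touch map to `search`, the `dispatch.earliest_time`/`dispatch.latest_time` pair, and `cron_schedule`; everything under `action.notable.param.*` is the notable adaptive response. Keeping `| head 1` in the scheduled search but dropping it from the drilldown is the pattern shown in the video: one ticket per run, with the full event set one click away for the analyst.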