Alright, welcome to my Enterprise Security video playlist. This time we're going to be covering correlation searches. This is a fancy word for a saved search that creates an alert. That's really what it comes down to. They call them notables, there's a lot of terminology involved, but the ultimate concept is: a correlation search is a search that fires off at predefined periods of time, maybe every five minutes, every hour, searches back across your logs for certain behaviors, and if it sees them, it creates an alert. You can make it create a notable. Technically, it doesn't have to create a notable, and I'll explain how that works, but it's really just a saved search. So let's go right into Enterprise Security, and let's talk about that.
So I come into Enterprise Security. We're going to show what already comes out of the box. So I go to 'Configure', I'm in my Enterprise Security, and I come into 'Content', and I go to 'Content Management'. These are all the knowledge objects that come with Enterprise Security, and I'm going to flip this filter to correlation search.
I click that, and we can see that it's going to come back with lots and lots of results, 58-plus pages of them and multiple to a page. You can read this, so I'm just going to go into the very first one. And this is 'Abnormally High Number of Endpoint Changes By User'. If I open this up a little bit: 'detects an abnormally high number of endpoint changes by user account as they relate to restarts, audits, file system, user, registry, notifications'.
If I go into this, I'm actually going to be able to see the query. I'm not going to explain it, because I can already tell you it's probably going to be written with lots of data models and macros, but out of the box, you can see: here's the query. It's going to look at your data model. You'll hear me talk about data models. I've discussed data models before, but this is going to be the Endpoint data model, and it's going to be looking at file systems for changes by the user. It's going to do a bunch of other things, and ultimately it's going to come back and say, if you meet a certain criteria... And you can see that it's actually using the Machine Learning Toolkit, so down here it's actually building a threshold saying, what is the normal amount of changes, and is it jumping out of that normal level. It's really cool; they put some really cool analytics out there for you. You can just use what they've got. What I love is... I hear, oh, well, aren't correlation searches attached to frameworks now? Well, you can see the very first ones.
Sometimes they are. But here, these are the frameworks. I've heard this in my own work: oh, well, they're all mapped to MITRE. Well, are they? I'll just grab the very first one, and there's no MITRE technique mapped. What should it be? Well, there's a lot of things that could cause a MITRE technique to... if there's endpoint changes, it could be many different types of tactics, so they haven't mapped it. You could come in here and you could map it, and we'll discuss that later, but the point is, we come down here...
make that go away, that's all... we can see that it's looking back 1,450 minutes, and the latest time is zero. This runs at five after the hour, that's how I read that cron, five after the hour. If the results are greater than zero, it groups by user and change type, and we see that it does not create a notable, it actually just provides a risk analysis. And we'll discuss risk analysis when we talk about RBA. But the point is, you can make it do a bunch of adaptive responses.
My job here is not to help you understand every correlation search that comes out of the box. I'm here to discuss the part that most people don't know how to do: create your own. So I've shown you that you can go look through them. The documentation on Splunk says 1,400 plus; I don't know how they define what a correlation search is. I'm going to tell you that it's a lot. There's a lot of them. And by default, Enterprise Security is smart: they do not come enabled. If I look at the enabled correlation searches, this is mine that I was using as I started to understand Enterprise Security, and these two were turned on, and these are for the risk-based approach. Other than that, there are no correlation searches that come enabled out of the box. Why? Well, one, they don't want to turn something on that doesn't fit your data set; two, often you have to tweak them. The correlation search is great, but it's not always going to be perfect for your environment, and so as a general rule, they're there as guidance. Use them when they make sense: turn one on, test it, see how it works. If it doesn't, modify it, and typically you'll just clone the correlation search and build your own.
Anyway, enough talking about that, let's talk about actually building my own correlation search. So I'm in 'Configure', 'Content', and I went to 'Content Management'. If I do 'Create New Content', that's how I'm going to build one. And so we're going to create new content, and we're going to make a correlation search. This is the way that I do correlation searches. That doesn't mean it's the way that it has to be done, but it's the way it works for me. I'm going to call this... I would hopefully have a much better name for this, but I'm going to do 'YouTube Correlation Search'. Horrible name, because someone who comes across this will have no idea what it's for, but for me, when I need to purge stuff from my system, it's really easy and it stands out. So I'm going to put it that way. Then here in my description, I'm going to go 'Grab one event from network logs'. I'm not actually going to build something that I'm looking for. That's not the point of this video. I'm just showing how to build one, and I want them to always fire, so I'm going to fudge the numbers so that I always get what I want.
And so the first thing I do is, I don't try to build a search through here. You can use guided mode. Guided's cool: it'll let you pick data models, you can pick fields from them, so if I enable guided mode, you'll see it'll say, alright, what data model do you want to look at? I might come down to 'Network Traffic', and what data set do I want to use... 'All_Traffic'. Do I want to use 'summaries only'? I'll discuss summaries only later; this is not the place for it. Time range. And there is your basic query. I can run the search and see how it looks. Then I'm going to hit 'filter', and a filter would be like All_Traffic... All_Traffic.dest_ip... oh, it's a boolean. Where... and I actually don't know how to make this work. All_Traffic... I'd have to go look this up. Well, that's not very helpful there. The point is, I'm not actually going through the guided search tour. I'm going to stay right here with a manual query where I can write it. It does have guided mode; again, you've got to understand exactly what you're pulling. Guided is nice if you know it, follow the docs. I'm not here for following the docs, I'm here to take a query.
This is my home network. I'm going to look at the Corelight logs. I'm going to look at my Corelight conn logs. I'm going to say where source IP is 192.168.0.*. That is only so I make sure that I'm looking at a specific subnet section of my network. This is primarily my network designed for doing Splunk videos, so this is part of my home network, but it's a subnet on my network that I use for testing, pen testing, setup of systems that I stand up and tear down, and so I just want to know what they're doing. And so I wanted the source IP. Maybe you don't want the source IP. All I really cared about, though, is I just wanted this, because ultimately, later on, I'm going to do inventory, and I'm going to have a very simple inventory of that subnet, and so I only want IPs where at least one piece of the data ties to my inventory. And so, as you can see, this here has nothing to do with my network, but this one does. And I'm going to do a head 1, because I don't want lots and lots of results. Basically, I want a query that's always going to return one result, and that's what I built.
This isn't bad. This isn't actually a known bad; I just wanted data to come back, so then I can put other stuff on it. I'm doing this as a demo for you guys to understand how to build a query. You would want to build a query that actually is looking for something malicious. Right now, I just want a query to return a result, so that when I do my next video about triage and the triage system, there are actually tickets coming in. If I write a query that's looking for bad, well, that bad better be occurring on my network or it's not going to fire. And so it's a lot harder to troubleshoot whether the thing is working, even if you're building queries right, if you build something for what you hope to not actually see on your network. So I actually hope to see Corelight conn logs. I sure hope so. That means my network has traffic. Anyway, I'm just going to put the head 1, because I only want it to create one alert. If I let it all come back, every event that comes back in here would be a notable alert. I don't want my triage system getting inundated. So I'm just going to do this head 1.
Now I'm going to map it. I'm going to go to MITRE ATT&CK, and I'm going to put in some techniques. So I'm going to go 'T1143'. I actually can't remember what all these mean off the top of my head. You can go look them up. I'm going to say this has no basis whatsoever, but again, these videos are going to build on themselves. And so I'm mapping these MITRE ATT&CK techniques so when I go to the RBA section of this video playlist, you'll see how it maps all the different techniques together. And so I'm going to put this down here, and actually, because I want this to work on my system, I'm going to actually do... I want it always to be .128 (192.168.0.128), that way I'm only going to get alerts that are relating to this system. That means my risk-based approach will cross the threshold. That actually makes a lot more sense for me. I'll explain that when we actually get to RBA, but basically, I'm going to say, give me an alert every time .128 is the source of network traffic. And that should fire off quite frequently.
Ignore the picture up in the top.
We're just going to move on.
Head 1.
My videos are done rendering.
Anyway, so I'm going to map it to these TTPs. Again, this is all for demo purposes, so I just picked some TTPs, and I can come down here and I can put a confidence score, an impact score, context, analytics; we're just gonna leave that alone for now. I can create my own framework. And now here it's going to say, how far back do I want to look? Do I want to look back 24 hours? I could, but I know how often my logs are firing. I'm going to look back one hour. Doesn't really matter, because I'm just grabbing head 1. And I probably get hundreds... probably thousands of events every hour on this particular subnet. And so it's not going to be a problem getting data. I'm going to look back one hour to now. And how often do I want it to run? You know what? I'm going to let it run every five minutes. And that's going to be important so that I actually have events. And that'll work. I'm going to come down here, and I'm going to say, do I want it to run as real time or continuous? We'll just leave it at its default. What's my scheduling window? Again, I'm not going over these; this is just basically how you want to run your times. I'm going to run this every five minutes. Schedule priority is in case there's conflicts. Hopefully with your Enterprise Security, you actually do not overload your system so that these become a big deal.
Trigger conditions: number of results greater than zero. That's always going to be the case because I'm getting back one. But if I was doing this for real, if I wanted to do thresholds, I could make it so the thing has to occur at least 10 times, or 15 times, or whatever. Then window duration, fields to group by... that's it. That's all I want to deal with. Really, the only places I poke around with this are: I wrote a query in the most basic format to get your correlation searches going. Pick a search. I would tie it to an annotation, but you don't have to; it's not required. You come down here, pick your time window, these three boxes: how far back do you want to look, latest time, earliest time, and your cron schedule, and then you really don't have to touch anything else, except this 'Add Adaptive Response'. I'm going to come and modify this in a minute. When we talk about RBA, I'm going to put in a risk analysis. For the sake of keeping this simple, I am only going to do notables for now. So I'm going to come in here and I'm going to click 'Notable'. A notable is an alert that goes to your triage system.
Gonna go 'YouTube notable'. Give it a description. I can actually use variable substitution, so I'm going to do 'Alert for $src_ip$'. I need to make sure that field comes back, and this does have a source IP, so I can use it, and you just reference it with a dollar sign on both sides of the variable, and that'll be dynamic. And so my description will come back with this. And just because I want to, what if I... yeah, we'll just leave it at that.
YouTube notable, security domain. There are a bunch of domains. This is dealing with access areas, that would be authentication; endpoint, a lot of your host logs; network logs; threat; identity; and audit. And so those are the six areas Splunk has as security domains. We'll put it as network. In the network domain, I'm going to put the severity as low. And default owner, I can put in one of these, or I can leave it unassigned. I'm going to put it as unassigned to start with. Again, you don't have to. Default status, I'm going to put it as unassigned.
And I could put a drilldown search in there, and let's do that. We're going to take this very same query. Just to keep things really simple, one of the very first drilldowns I want to put in there is the actual query that created this log. But in this case, I'm not going to put head 1; I'm going to take the head out. Oh, it looks like I've lost the 128 on there. 128. Make sure 128 is up here. Yeah, it is. Okay, and I can choose... the drilldown search will be 'See what caused alert'. There are other ways of doing this I'll show, but I'm just going to create a few more drilldown searches. And here, we're going to just do 'why does this drilldown exist'. I just want to show I can go search anything. 'index=_internal'. Why would you be looking at your internal logs? It doesn't really matter. Well, actually, let's just do this. I'm going to put in '$src_ip$'. So I'm basically looking in my internal logs, and I'm going to see if I find that IP address popping up. It's just kind of an interesting way you can add additional searches to your information. So I'm going to be searching my internal logs for the source IP.
And I hope you saw this earliest offset, latest offset. You can change this, or you can let it just go by its default. Or you can say, for here I'm going to go plus... this is the earliest, for example, one hour, and I'm going to leave the other one as zero. Does that make sense? So I hope this helps. I can change my time. It's basically going to look in this window one hour back, based off of the time this event occurred. So this might actually look a little bit in the future; this is gonna look a little bit in the future. It's going to use time in the back. So let's go one hour... this is going to go one hour in the future and one hour in the past.
Sounds good. I'm going to leave my investigation profile alone. And these are extractions, and what it's going to do is identify identities, these are users and stuff like that on your network. Assets would be like IPs, and machines, and files, and URLs that it might have found. We've got assets here: source, dest. Do my logs contain source and dest? Well, let's go look. Head 1: do I actually have a source and a dest here? I have a source IP, but no 'source'. So I don't have the field it's looking for to be able to identify it. So what I need to do is come in here, and I'm going to go '$src_ip$', except it's not on identity. It's an asset, so I'm going to come in here and I'm going to go 'src_ip'. And just because we might want to identify the other machine in question, we're going to put dest_ip in there as well. So I'm going to have my source IP and my destination IP. They're going to be assets that are extracted. And that's all I'm going to do. I just want to make sure that anything that might be identifiable in these queries... not these queries, the query up here; let's call them out.
And I hope all this will make more sense as you actually see the stuff come back. There's just a lot of capabilities here. I can write steps if I want to; I can set things up to, for example, send an email, do a stream capture if you have Splunk Stream, nbtstat, and so on. You can make your system do a lot of things. Like, I could have Splunk go ping an IP address. You know what? In a little bit, I'll actually show me doing that. I can have it do a risk analysis, run a script, send to UBA, send to Splunk Mobile. Splunk Mobile is really cool; now it's being sent to my phone. Add threat intelligence from it, webhooks, whatever. You have lots of capabilities; you don't need to do it. The minimum you need for a notable: title, description. You don't even need these drilldowns, you can let this be set as default. You probably should pick a security domain, and literally, that's it. It's a lot more helpful if you can identify your stuff coming back as identities and assets. And I'm going to show you that in the next video with workbenches and stuff like that, but for the sake of this, don't worry about it. Just know that it's good if you can call it out, but if you don't, it's not like the query will break. I'm going to hit save, and I should have a correlation search done.
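Here is the correlation search built in the steps above, written out as the savedsearches.conf stanza that Enterprise Security stores when you hit save. This is an added example, not from the video: the index and sourcetype names for the Corelight conn logs are assumptions, and the key names are the ES ones I know, so check them against your ES version (newer ES versions store several drilldowns as a JSON list rather than the single drilldown keys shown here).

```ini
# Added example (not from the video): the correlation search built above, as the
# savedsearches.conf stanza Enterprise Security writes when you hit save.
# ASSUMPTIONS: index=corelight and sourcetype=corelight_conn stand in for however
# your Corelight conn logs are onboarded; key names should be checked against your
# ES version (newer ES stores several drilldowns as a JSON list).
[YouTube Correlation Search]
description = Grab one event from network logs
disabled = 0
# The manual query: one conn event from the lab host so the search always fires,
# and head 1 so each run creates at most one notable
search = index=corelight sourcetype=corelight_conn src_ip=192.168.0.128 | head 1
# Time window (one hour back to now) and cron (every five minutes)
dispatch.earliest_time = -1h
dispatch.latest_time = now
cron_schedule = */5 * * * *
enableSched = 1
# Trigger condition: number of results greater than 0
counttype = number of events
relation = greater than
quantity = 0
# Mark it as an ES correlation search and annotate it with the ATT&CK technique
action.correlationsearch.enabled = 1
action.correlationsearch.label = YouTube Correlation Search
action.correlationsearch.annotations = {"mitre_attack": ["T1143"]}
# Adaptive response: create a notable; $src_ip$ is substituted from the result row.
# Default owner and status are left at Unassigned (the defaults), so no keys needed.
action.notable = 1
action.notable.param.rule_title = YouTube notable
action.notable.param.rule_description = Alert for $src_ip$
action.notable.param.security_domain = network
action.notable.param.severity = low
# Drilldown: the same query without the head 1, from one hour before the event
# (earliest offset 3600 seconds) to the event time (latest offset 0)
action.notable.param.drilldown_name = See what caused alert
action.notable.param.drilldown_search = index=corelight sourcetype=corelight_conn src_ip=192.168.0.128
action.notable.param.drilldown_earliest_offset = 3600
action.notable.param.drilldown_latest_offset = 0
# Asset extraction: the conn log carries src_ip/dest_ip, not the src/dest the
# defaults look for, so name those fields explicitly
action.notable.param.extract_assets = ["src_ip","dest_ip"]
```

Keeping the stanza in version control lets you diff what the Content Management editor saved against what you meant to configure, which is the quickest way to catch a dropped token like the missing .128 in the drilldown.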
Now I'm going to have to wait. I probably just missed my window. It's supposed to be kicking off five minutes after the hour, so I can almost guarantee that if I come to Incident Review, I will not find an alert called 'YouTube notable'. I'm gonna have to wait 'til five more minutes go by, but let's go ahead and check that. So I can come down, I can refresh the page here, or I can refresh the page here. But either way, the purpose of this video is not to look at the incidents coming in. Mine was to talk about correlation searches and how to make my own. I have set up a correlation search, and so I've accomplished my task. I'm gonna come see it here with 'Configure', 'Content'. 'Configure', 'Content', 'Content Management'. My new correlation search is in here. We can see that when I go 'All correlation searches'. And when you create them, by default, they are enabled. So if I come in here and I filter on enabled, I can see 'YouTube Correlation Search' for Lame Creations. If I want to make any changes to it, I just hit the search. Now, that's interesting that it doesn't say that it's actually scheduled. Alright, well, probably because it hasn't run the very first time. Once it runs, I should see here the next scheduled time. But it's really easy: just keep it under the enabled correlation searches. So... yep, there it is. Now I've got a time for the next scheduled run, stored in the Enterprise Security app.
What have we covered? We've talked about correlation searches, what they are: they're saved searches that can be used to create notables. Notables fill out tickets that will go into a ticket triaging system, which we will cover in the next video in this playlist. Please look at the link below; notice that this is a playlist. Go ahead and join the playlist and watch the videos. This is meant to be a comprehensive training to help you understand Enterprise Security. Click that link. I've shown you how to see the correlation searches that come out of the box, and I've shown you how to create your own from scratch. I hope this has been helpful, I hope this helps you move from being a lame analyst to a Splunk Ninja, that you'll keep following, particularly this playlist, watch the videos in it, and that they're helpful. Anyway, hope to see you around.