1 00:00:00,000 --> 00:00:10,800 [Music] 2 00:00:10,800 --> 00:00:14,700 Alright, welcome to my enterprise security 3 00:00:14,700 --> 00:00:16,950 video playlist. This time we're going to 4 00:00:16,950 --> 00:00:19,800 be covering correlation searches. This is 5 00:00:19,800 --> 00:00:22,610 a fancy word for a safe search that 6 00:00:22,610 --> 00:00:25,600 creates an alert. That's really what it 7 00:00:25,600 --> 00:00:29,220 comes down to. They call them notables— 8 00:00:29,220 --> 00:00:31,059 there's a lot of terminology involved— 9 00:00:31,059 --> 00:00:33,119 but the ultimate concept is a 10 00:00:33,119 --> 00:00:35,820 correlation search is a search that 11 00:00:35,820 --> 00:00:38,820 fires off at predefined periods of time, 12 00:00:38,820 --> 00:00:40,740 maybe every five minutes, every hour, 13 00:00:40,740 --> 00:00:42,719 searches back across your logs for 14 00:00:42,719 --> 00:00:45,360 certain behaviors, and if it sees it, it 15 00:00:45,360 --> 00:00:48,300 creates a...it creates an alert. You can 16 00:00:48,300 --> 00:00:50,510 make it create a notable. Technically, it 17 00:00:50,510 --> 00:00:52,050 doesn't have to create a notable, and 18 00:00:52,050 --> 00:00:54,660 I'll explain how that works, but it's 19 00:00:54,660 --> 00:00:56,820 really just a safe search. So let's go 20 00:00:56,820 --> 00:00:58,159 break right into enterprise security, and 21 00:00:58,159 --> 00:00:59,820 let's talk about that. 22 00:00:59,820 --> 00:01:01,920 So I come into enterprise security. We're 23 00:01:01,920 --> 00:01:04,500 going to show what is already outcomes 24 00:01:04,500 --> 00:01:07,040 out of the box. So if I go 'configure', I'm 25 00:01:07,040 --> 00:01:09,780 in my Enterprise security and I come into... 
26 00:01:09,780 --> 00:01:13,510 'content', and I go to 'content management', 27 00:01:13,510 --> 00:01:15,900 these are all the knowledge objects that 28 00:01:15,900 --> 00:01:19,043 come with enterprise security, and I'm 29 00:01:19,043 --> 00:01:22,870 going to flip this to a correlation search. 30 00:01:25,400 --> 00:01:27,799 I click that... 31 00:01:27,799 --> 00:01:29,800 we can see that it's going to come back 32 00:01:29,800 --> 00:01:33,439 with lots and lots of results, 58 pages 33 00:01:33,439 --> 00:01:38,759 plus of them and multiple to a page. You 34 00:01:38,759 --> 00:01:40,959 can read this, so I'm just going to go 35 00:01:40,959 --> 00:01:43,920 into the very first one. And this is 36 00:01:43,920 --> 00:01:46,439 'abnormally high number of endpoint 37 00:01:46,439 --> 00:01:49,500 changes by a user'. If I go and open this 38 00:01:49,500 --> 00:01:51,780 up a little bit... 39 00:01:51,780 --> 00:01:53,759 'detects an abnormally high number of 40 00:01:53,759 --> 00:01:55,430 endpoint changes by user account as it 41 00:01:55,430 --> 00:01:58,020 relate to restarts, audits, file system, 42 00:01:58,020 --> 00:01:59,742 user, registry, notifications". 43 00:01:59,742 --> 00:02:01,460 If I go into this... 44 00:02:02,280 --> 00:02:04,500 I'm actually going to be able to see 45 00:02:04,500 --> 00:02:07,020 the query. I'm not going to go explain it 46 00:02:07,020 --> 00:02:08,220 because I can already tell you, it's 47 00:02:08,220 --> 00:02:09,479 probably going to be written with lots 48 00:02:09,479 --> 00:02:13,089 of data models and macros, but out of the 49 00:02:13,089 --> 00:02:15,387 box, you can see: here's the query. And 50 00:02:15,387 --> 00:02:16,830 it's basically...it's going to look at 51 00:02:16,830 --> 00:02:18,950 your data model. You'll hear me talk 52 00:02:18,950 --> 00:02:21,459 about data models. 
I've discussed data 53 00:02:21,459 --> 00:02:22,910 model, but this is going to be the 54 00:02:22,910 --> 00:02:24,710 endpoint data model, and it's going to be 55 00:02:24,710 --> 00:02:27,800 looking at file systems for changes by the 56 00:02:27,800 --> 00:02:29,270 user, it's going to do a bunch of other 57 00:02:29,270 --> 00:02:30,290 things that ultimately it's going to 58 00:02:30,290 --> 00:02:32,510 come back and say...if you meet a certain 59 00:02:32,510 --> 00:02:34,870 criteria, and you can see that it's 60 00:02:34,870 --> 00:02:36,360 actually using the machine learning 61 00:02:36,360 --> 00:02:38,640 toolkit, so down here it's actually 62 00:02:38,640 --> 00:02:41,280 building a threshold saying, what is the 63 00:02:41,280 --> 00:02:43,830 normal amount of use of changes, and is 64 00:02:43,830 --> 00:02:46,270 it jumping out of that at normal level. 65 00:02:46,270 --> 00:02:49,600 It's really cool, put some really cool 66 00:02:49,600 --> 00:02:52,200 analytics out there for you. You can just 67 00:02:52,200 --> 00:02:55,450 use what they've got. What I love is I 68 00:02:55,450 --> 00:02:57,330 don't want to...I hear, oh 69 00:02:57,330 --> 00:02:59,660 well aren't correlation searches 70 00:02:59,660 --> 00:03:03,480 attached to now frameworks? Well, you can 71 00:03:03,480 --> 00:03:04,920 see the very first ones. Sometimes they 72 00:03:04,920 --> 00:03:07,379 are. But here, these are frameworks. I've 73 00:03:07,379 --> 00:03:09,480 heard this in my own work, oh, well they're 74 00:03:09,480 --> 00:03:12,120 all mapped to the miter. Well, 75 00:03:12,120 --> 00:03:14,480 are they? I'll just grab the very first 76 00:03:14,480 --> 00:03:17,160 one, and...there's no miter technique 77 00:03:17,160 --> 00:03:20,050 mapped. What should it be? 
Well, there's a 78 00:03:20,050 --> 00:03:23,170 lot of things that could cause a miter 79 00:03:23,170 --> 00:03:25,860 technique to...uh...if there's endpoint 80 00:03:25,860 --> 00:03:27,450 changes, it could be many different types 81 00:03:27,450 --> 00:03:29,649 of tact. Then I'll have it mapped. You 82 00:03:29,649 --> 00:03:31,200 could come in here and you could map it, 83 00:03:31,200 --> 00:03:33,529 we'll discuss that later, but point is, we 84 00:03:33,529 --> 00:03:35,640 come down here... 85 00:03:35,640 --> 00:03:37,560 make that go away, that's all... 86 00:03:37,560 --> 00:03:40,260 we can see that it's looking back 1,450 87 00:03:40,260 --> 00:03:43,739 minutes, and the latest time is zero. This 88 00:03:43,739 --> 00:03:48,000 runs at five after the hour, that's how I 89 00:03:48,000 --> 00:03:51,119 read that, five after the hour. 90 00:03:51,119 --> 00:03:52,980 It's...if the results are greater than 91 00:03:52,980 --> 00:03:56,540 zero, it groups by user and change type, 92 00:03:56,540 --> 00:03:59,879 and we see that it creates...it does not 93 00:03:59,879 --> 00:04:01,560 create a notable, it actually just 94 00:04:01,560 --> 00:04:03,959 provides a risk analysis. And we'll 95 00:04:03,959 --> 00:04:06,080 discuss risk analysis when we talk about 96 00:04:06,080 --> 00:04:08,570 RBA. But the point is, you can make it do 97 00:04:08,570 --> 00:04:10,319 a bunch of adaptive responses. 98 00:04:10,319 --> 00:04:12,079 My job here is not to help you 99 00:04:12,079 --> 00:04:13,500 understand every correlation search that 100 00:04:13,500 --> 00:04:15,599 comes out of the box, I'm here to discuss 101 00:04:15,599 --> 00:04:17,280 the part that most people don't know how 102 00:04:17,280 --> 00:04:20,120 to do: create your own. 
So I've shown you 103 00:04:20,120 --> 00:04:23,400 that you can go look through...there's 104 00:04:23,400 --> 00:04:26,400 the documentation on Splunk, says 1400 105 00:04:26,400 --> 00:04:29,040 plus, I don't know how they define what a 106 00:04:29,040 --> 00:04:31,290 correlation search is. I'm going to tell 107 00:04:31,290 --> 00:04:34,679 you that it's a lot. There's a 108 00:04:34,679 --> 00:04:37,759 lot of them. And by default, 109 00:04:37,759 --> 00:04:40,930 enterprise security is smart. They do 110 00:04:40,930 --> 00:04:43,320 not come enabled. If I look at the 111 00:04:43,320 --> 00:04:46,199 enabled correlation searches, 112 00:04:46,199 --> 00:04:48,590 this is mine that I was using as I 113 00:04:48,590 --> 00:04:49,699 started to help understand 114 00:04:49,699 --> 00:04:50,986 enterprise security, 115 00:04:50,986 --> 00:04:52,800 and these two were turned on 116 00:04:52,800 --> 00:04:55,020 and this is for risk-based approach. 117 00:04:55,020 --> 00:04:57,660 Other than that, there are no correlation 118 00:04:57,660 --> 00:04:59,759 searches that come out of the box. Why? 119 00:04:59,759 --> 00:05:01,500 Well, one, they don't want to turn 120 00:05:01,500 --> 00:05:03,060 something on that doesn't fit your data 121 00:05:03,060 --> 00:05:06,000 set; two, often you have to tweak them, the 122 00:05:06,000 --> 00:05:07,580 correlation search is great, but it's not 123 00:05:07,580 --> 00:05:08,810 always going to be perfect for your 124 00:05:08,810 --> 00:05:10,700 environment, and so as a general rule, 125 00:05:10,700 --> 00:05:12,479 they're there as a guidance. Use them 126 00:05:12,479 --> 00:05:14,780 when they make sense, turn one on, test it, 127 00:05:14,780 --> 00:05:17,160 see how it works. If it doesn't, modify it, 128 00:05:17,160 --> 00:05:19,019 and typically you'll just clone the 129 00:05:19,019 --> 00:05:21,120 correlation search and build your own. 
130 00:05:21,120 --> 00:05:23,080 Anyway, enough talking about that, let's 131 00:05:23,080 --> 00:05:24,840 talk about actually building my own 132 00:05:24,840 --> 00:05:27,539 correlation search. So I'm in 'configure 133 00:05:27,539 --> 00:05:30,130 content' and I went to 'content management'. 134 00:05:30,130 --> 00:05:32,260 If I do 'create new content', that's how 135 00:05:32,260 --> 00:05:34,700 I'm going to build one. And so we're 136 00:05:34,700 --> 00:05:36,130 going to create a new content, 137 00:05:36,130 --> 00:05:38,949 we're going to make a correlation search. 138 00:05:38,949 --> 00:05:43,111 This is the way that I do correlation searches. 139 00:05:43,111 --> 00:05:44,160 That doesn't mean it's the way 140 00:05:44,160 --> 00:05:46,132 that it has to be done, but it's the way it works for me. 141 00:05:46,132 --> 00:05:47,520 I'm going to call this, I 142 00:05:47,520 --> 00:05:49,420 would hopefully have a much better name 143 00:05:49,420 --> 00:05:52,460 for this, but I'm going to do 'YouTube 144 00:05:52,460 --> 00:05:56,460 Correlation Search'. 145 00:06:00,740 --> 00:06:02,790 Horrible name, because someone who comes 146 00:06:02,790 --> 00:06:04,993 across this will have no idea what it's 147 00:06:04,993 --> 00:06:06,539 for, but for me, when I need to purge 148 00:06:06,539 --> 00:06:08,460 stuff from my system, it's really easy 149 00:06:08,460 --> 00:06:09,710 and it stands out. So I'm going to put it 150 00:06:09,710 --> 00:06:12,000 that way. Then here in my description, I'm 151 00:06:12,000 --> 00:06:14,820 going to go... 152 00:06:14,820 --> 00:06:19,189 'Grab one event from network logs'. 153 00:06:20,580 --> 00:06:22,139 I'm not actually going to build 154 00:06:22,139 --> 00:06:23,730 something that I'm looking for. 155 00:06:23,730 --> 00:06:25,410 That's not the point of this video. 
156 00:06:25,410 --> 00:06:27,540 I'm just showing how to build one, and I want 157 00:06:27,540 --> 00:06:30,840 them to always fire, so I'm going to 158 00:06:30,840 --> 00:06:32,900 fudge the numbers so that I always 159 00:06:32,900 --> 00:06:35,270 get what I want. And so the first thing I 160 00:06:35,270 --> 00:06:36,720 do is I don't try to build a search 161 00:06:36,720 --> 00:06:38,520 through here. You can use a guided. 162 00:06:38,520 --> 00:06:41,020 Guided's cool, it'll allow you it'll pick 163 00:06:41,020 --> 00:06:43,139 data models, you can pick fields from it, 164 00:06:43,139 --> 00:06:45,510 so if I enable the guided mode, you'll 165 00:06:45,510 --> 00:06:47,460 see the data, it'll say alright, what 166 00:06:47,460 --> 00:06:49,520 data model do you want to look at? 167 00:06:49,520 --> 00:06:52,460 I might come down to 'network traffic'... 168 00:06:52,460 --> 00:06:55,325 and what data set do I want to use... 169 00:06:55,325 --> 00:06:58,782 'all traffic'. Do I want to use 'summaries only'? 170 00:06:58,782 --> 00:07:01,080 I'll discuss summaries only later 171 00:07:01,080 --> 00:07:04,199 this is not the place for it. Time range. 172 00:07:04,199 --> 00:07:07,560 And there is your basic query. I can run 173 00:07:07,560 --> 00:07:10,179 the search and see how it looks. 174 00:07:10,179 --> 00:07:12,979 Then I'm going to hit 175 00:07:13,700 --> 00:07:18,539 'filter', and filter would be like 176 00:07:18,539 --> 00:07:22,400 All.Traffic... 177 00:07:23,460 --> 00:07:28,740 AllTraffic.destIP... 178 00:07:28,740 --> 00:07:30,720 oh. 179 00:07:30,720 --> 00:07:34,099 it's a boolean. Where... 180 00:07:34,560 --> 00:07:36,530 and I actually don't know how to make 181 00:07:36,530 --> 00:07:40,220 this work. All_Traffic... 182 00:07:42,630 --> 00:07:44,659 I'd have to go look this up. Well that's 183 00:07:44,659 --> 00:07:46,380 not very good...helpful there. 
The point is, 184 00:07:46,380 --> 00:07:47,510 I'm not actually going through the 185 00:07:47,510 --> 00:07:49,560 guided search tour. I'm going to stay 186 00:07:49,560 --> 00:07:51,590 right here with a manual query where I 187 00:07:51,590 --> 00:07:54,120 can write it. It does have guided, again, 188 00:07:54,120 --> 00:07:55,500 you got to understand exactly what 189 00:07:55,500 --> 00:07:57,270 you're pulling. Guided is nice if you 190 00:07:57,270 --> 00:07:59,780 know, follow the docs. I'm not here for 191 00:07:59,780 --> 00:08:01,919 following the docs, I'm here to take a 192 00:08:01,919 --> 00:08:04,129 query. This is my home network. I'm going 193 00:08:04,129 --> 00:08:05,520 to look at the correlate logs. I'm going 194 00:08:05,520 --> 00:08:07,360 to look at my correlate conn logs. I'm 195 00:08:07,360 --> 00:08:10,160 going to say...where source IP is 196 00:08:10,160 --> 00:08:13,259 192.1680.*. That is only so I make 197 00:08:13,259 --> 00:08:15,180 sure that I'm looking at a specific 198 00:08:15,180 --> 00:08:17,639 subnet section of my network. This is 199 00:08:17,639 --> 00:08:20,520 primarily my network designed for doing 200 00:08:20,520 --> 00:08:23,819 Splunk videos, and so this isn't my... 201 00:08:23,819 --> 00:08:25,379 this is part of my home network, but it's 202 00:08:25,379 --> 00:08:28,139 a subnet on my network that I use for 203 00:08:28,139 --> 00:08:31,490 testing, pen testing, setup of systems 204 00:08:31,490 --> 00:08:33,300 that I tear up and pick up and tear down, 205 00:08:33,300 --> 00:08:35,169 and so I just want to know what they're 206 00:08:35,169 --> 00:08:37,260 doing. And so I wanted the source IP 207 00:08:37,260 --> 00:08:38,868 Maybe you don't want the source IP. 
208 00:08:38,868 --> 00:08:40,310 All I really cared about though, is I just 209 00:08:40,310 --> 00:08:42,289 wanted this, because ultimately, later 210 00:08:42,289 --> 00:08:44,229 down, I'm going to do inventory, and I'm 211 00:08:44,229 --> 00:08:46,090 going to have a very simple inventory of 212 00:08:46,090 --> 00:08:48,290 that subnet, and so I only want IPs that 213 00:08:48,290 --> 00:08:50,700 at least one piece of the data 214 00:08:50,700 --> 00:08:53,469 ties to my inventory. And so, as you can 215 00:08:53,469 --> 00:08:55,550 see, this here has nothing to do with my 216 00:08:55,550 --> 00:08:58,190 network, but this one does. And I'm going 217 00:08:58,190 --> 00:09:00,250 to do a head 1, because I don't 218 00:09:00,250 --> 00:09:02,760 want lots and lots of results. 219 00:09:02,760 --> 00:09:05,459 Basically, I want a query 220 00:09:05,459 --> 00:09:07,140 and I'm always going to return one 221 00:09:07,140 --> 00:09:09,800 result...and that's what I built. 222 00:09:09,800 --> 00:09:12,000 This isn't bad. This isn't actually a 223 00:09:12,000 --> 00:09:13,980 known bad, I just wanted data to come 224 00:09:13,980 --> 00:09:16,200 back, so then I can put other stuff on it. 225 00:09:16,200 --> 00:09:18,660 I'm doing this as a demo for you guys to 226 00:09:18,660 --> 00:09:21,300 understand how 227 00:09:21,300 --> 00:09:23,409 to build a query. You would want to build 228 00:09:23,409 --> 00:09:25,140 a query that actually is looking for 229 00:09:25,140 --> 00:09:27,300 something malicious. Right now, I just 230 00:09:27,300 --> 00:09:30,120 want a query to return a result, so that 231 00:09:30,120 --> 00:09:32,120 I can...when I do my next video about 232 00:09:32,120 --> 00:09:34,940 triage and the triage system, there are 233 00:09:34,940 --> 00:09:37,450 actually tickets coming in. 
If I write a 234 00:09:37,450 --> 00:09:39,330 query that's looking for bad, well, that 235 00:09:39,330 --> 00:09:41,100 bad better be occurring on my network or 236 00:09:41,100 --> 00:09:43,019 it's not going to fire. And so it's a lot 237 00:09:43,019 --> 00:09:44,289 harder to troubleshoot if the thing is 238 00:09:44,289 --> 00:09:45,899 working if you're building queries right, 239 00:09:45,899 --> 00:09:48,202 If you build something that isn't... 240 00:09:48,202 --> 00:09:50,330 you hope to not actually see on your network. 241 00:09:50,330 --> 00:09:52,660 So I actually hope to see correlate conn logs. 242 00:09:52,660 --> 00:09:54,370 I sure hope so. That means my 243 00:09:54,370 --> 00:09:56,400 network has traffic. Anyway, and I'm just 244 00:09:56,400 --> 00:09:57,699 going to put the head 1, because I only 245 00:09:57,699 --> 00:10:00,200 want it to create one alert. If I let it 246 00:10:00,200 --> 00:10:02,090 come back, it's every event that comes 247 00:10:02,090 --> 00:10:04,650 back in here would be a notable alert. 248 00:10:04,650 --> 00:10:07,842 I don't want my triage system getting inundated. 249 00:10:07,842 --> 00:10:09,959 So I'm just going to do this head 1. 250 00:10:09,959 --> 00:10:11,940 Now I'm going to map it. I'm going to go 251 00:10:11,940 --> 00:10:15,000 to miter, and I'm going to 252 00:10:15,000 --> 00:10:17,640 put in some 253 00:10:17,640 --> 00:10:20,279 tickets. So I'm going to go 'T1143'. I 254 00:10:20,279 --> 00:10:21,600 actually can't remember what all these 255 00:10:21,600 --> 00:10:23,459 mean off the top of my head. You can go 256 00:10:23,459 --> 00:10:26,289 look them up. I'm going to say this, and 257 00:10:26,289 --> 00:10:28,800 this has note, no bases whatsoever, but 258 00:10:28,800 --> 00:10:30,669 again, these videos are 259 00:10:30,669 --> 00:10:32,700 going to build on themselves. 
And so I'm 260 00:10:32,700 --> 00:10:34,840 building these miter attacks so when I 261 00:10:34,840 --> 00:10:37,440 go to the RBA section of this video 262 00:10:37,440 --> 00:10:40,430 playlist, you'll see how it maps all the 263 00:10:40,430 --> 00:10:42,420 different techniques together. And so I'm 264 00:10:42,420 --> 00:10:45,360 going to put this down here, 265 00:10:45,360 --> 00:10:49,019 and actually, because I want this to work on 266 00:10:49,019 --> 00:10:50,840 my system, I'm going to actually do... 267 00:10:50,840 --> 00:10:53,579 I want it always to be 0.128, 268 00:10:53,579 --> 00:10:57,240 that way I'm only going to get alerts 269 00:10:57,240 --> 00:10:59,190 that are relating to this system. 270 00:10:59,190 --> 00:11:01,820 That means my risk-based approach will cross 271 00:11:01,820 --> 00:11:03,779 the threshold. That actually makes a lot 272 00:11:03,779 --> 00:11:06,230 more sense for me. I'll explain that when 273 00:11:06,230 --> 00:11:08,640 we actually get to RBA, but basically, I'm 274 00:11:08,640 --> 00:11:12,029 going to give me... give me an alert every time 275 00:11:12,029 --> 00:11:15,420 0.128 is the source of network traffic. 276 00:11:15,420 --> 00:11:17,920 And that should fire off quite frequently. 277 00:11:19,320 --> 00:11:21,480 Ignore the picture up in the top. 278 00:11:21,480 --> 00:11:23,940 We're just going to move on. Head 1. 279 00:11:23,940 --> 00:11:26,330 My videos are done rendering. Anyway, so I'm going 280 00:11:26,330 --> 00:11:29,379 to map it to these TTPs. Again, this is 281 00:11:29,379 --> 00:11:31,380 all for demo purposes, so I just pick 282 00:11:31,380 --> 00:11:35,580 some TTPs, and I can come down here and 283 00:11:35,580 --> 00:11:38,659 I can put a confidence score, an impact score, 284 00:11:38,659 --> 00:11:40,520 contacts, analytics, we're just gonna 285 00:11:40,520 --> 00:11:41,760 leave that alone for now. 
286 00:11:41,760 --> 00:11:43,615 I can create my own framework 287 00:11:43,615 --> 00:11:45,070 And now here it's going to say 288 00:11:45,070 --> 00:11:47,059 how far back do I want to look? Do I 289 00:11:47,059 --> 00:11:48,138 want to look back 24 hours? 290 00:11:48,138 --> 00:11:49,690 I could, but I know how often 291 00:11:49,690 --> 00:11:51,140 my logs are firing. I'm going 292 00:11:51,140 --> 00:11:53,160 to look back one hour. Doesn't really 293 00:11:53,160 --> 00:11:55,319 matter, because I'm just grabbing head 1. 294 00:11:55,319 --> 00:11:59,149 And...I have...I probably get 295 00:11:59,149 --> 00:12:01,590 hundreds of events every...probably 296 00:12:01,590 --> 00:12:03,600 thousands of events every hour 297 00:12:03,600 --> 00:12:06,210 on this particular subnet. And so it's 298 00:12:06,210 --> 00:12:07,500 not going to be a problem getting data. 299 00:12:07,500 --> 00:12:09,270 I'm going to go look back one hour to 300 00:12:09,270 --> 00:12:11,579 now. And how often do I want it to run? 301 00:12:11,579 --> 00:12:13,260 You know what? I'm going to let it run 302 00:12:13,260 --> 00:12:16,090 every five minutes. And that's going to 303 00:12:16,090 --> 00:12:17,760 be important so that I actually have 304 00:12:17,760 --> 00:12:20,911 events. And that'll work. 305 00:12:20,911 --> 00:12:23,459 I'm going to come down here, and I'm going to say do I 306 00:12:23,459 --> 00:12:25,380 want it to run as real time or 307 00:12:25,380 --> 00:12:28,560 continuous. We'll just leave it at its default. 308 00:12:28,560 --> 00:12:30,899 What's my scheduling window? Again, 309 00:12:30,899 --> 00:12:33,330 these are...I'm not going over these, this 310 00:12:33,330 --> 00:12:36,060 is just basically how you want to run 311 00:12:36,060 --> 00:12:37,590 your times. I'm going to run this 312 00:12:37,590 --> 00:12:39,420 every five minutes. Schedule priorities 313 00:12:39,420 --> 00:12:41,459 in case there's conflicts. 
Hopefully with 314 00:12:41,459 --> 00:12:43,260 your enterprise security, you actually do 315 00:12:43,260 --> 00:12:45,839 not overload your system so these become 316 00:12:45,839 --> 00:12:47,040 a big deal. 317 00:12:47,040 --> 00:12:48,660 Trigger conditions, number of results 318 00:12:48,660 --> 00:12:50,269 greater than zero, that's always going to 319 00:12:50,269 --> 00:12:51,660 be the case because I'm getting back one. 320 00:12:51,660 --> 00:12:53,820 But if I was doing this, if I want to do 321 00:12:53,820 --> 00:12:55,920 thresholds I could make it...the thing has 322 00:12:55,920 --> 00:12:58,440 to occur at least 10 times, or 15 times, 323 00:12:58,440 --> 00:13:01,320 or whatever. Then windows durations 324 00:13:01,320 --> 00:13:03,999 filled to group by...that's it. That's all 325 00:13:03,999 --> 00:13:06,540 I want to deal with. Really, the only 326 00:13:06,540 --> 00:13:08,519 places I put around with this is I wrote 327 00:13:08,519 --> 00:13:10,840 a query in the most basic format to get 328 00:13:10,840 --> 00:13:13,070 your correlation searches going. Pick a 329 00:13:13,070 --> 00:13:15,839 search. I would tie it to an annotation, 330 00:13:15,839 --> 00:13:18,278 but you don't have to, not required. 331 00:13:18,278 --> 00:13:20,243 You come down, here pick your time window, 332 00:13:20,243 --> 00:13:22,120 these three boxes, how far back do you 333 00:13:22,120 --> 00:13:24,120 want to look, latest time, earliest time, 334 00:13:24,120 --> 00:13:26,369 and your cron schedule, and then you 335 00:13:26,369 --> 00:13:27,779 really don't have to touch anything else, 336 00:13:27,779 --> 00:13:31,510 except this 'add adaptive response'. I'm 337 00:13:31,510 --> 00:13:33,140 going to come and modify this in a 338 00:13:33,140 --> 00:13:35,700 minute. There is, when we talk about RBA, 339 00:13:35,700 --> 00:13:37,780 I'm going to put a risk analysis. 
For the 340 00:13:37,780 --> 00:13:40,090 sake of keeping this simple, I am only 341 00:13:40,090 --> 00:13:41,459 going to do 342 00:13:41,459 --> 00:13:43,600 notables for now. So I'm going to come in 343 00:13:43,600 --> 00:13:45,070 here and I'm going to click a notable. 344 00:13:45,070 --> 00:13:47,220 A notable is an alert that goes to 345 00:13:47,220 --> 00:13:48,779 your triage system. 346 00:13:48,779 --> 00:13:52,260 Gonna go...'YouTube 347 00:13:52,260 --> 00:13:55,440 notable'. Give it a description. 348 00:13:55,440 --> 00:13:57,899 I can actually use... 349 00:13:59,820 --> 00:14:01,980 variable substitution, so I'm going to do 350 00:14:01,980 --> 00:14:05,830 'Alert for $src_Ip'. 351 00:14:05,830 --> 00:14:07,618 I need to make sure that field comes 352 00:14:07,618 --> 00:14:10,860 back, and this does have a source IP, so I 353 00:14:10,860 --> 00:14:12,720 can use it, and you just call it like you 354 00:14:12,720 --> 00:14:15,180 do in with the dollar sign on both sides 355 00:14:15,180 --> 00:14:17,339 of a variable, and that'll be dynamic. And 356 00:14:17,339 --> 00:14:19,680 so my description will come back with 357 00:14:19,680 --> 00:14:22,680 this. And just because I 358 00:14:22,680 --> 00:14:24,679 want to, what if I...yeah, we'll just 359 00:14:24,679 --> 00:14:26,220 leave it at that. 360 00:14:26,220 --> 00:14:29,160 YouTube notable security domain. There 361 00:14:29,160 --> 00:14:31,430 are a bunch of domains. This is dealing 362 00:14:31,430 --> 00:14:33,600 with access areas, that would be 363 00:14:33,600 --> 00:14:35,880 authentication, endpoint, a lot of your 364 00:14:35,880 --> 00:14:39,420 host logs, network logs, threat, identity, 365 00:14:39,420 --> 00:14:41,459 and audit. And so those are the six areas 366 00:14:41,459 --> 00:14:43,880 Splunk has as security domains. We'll 367 00:14:43,880 --> 00:14:47,579 just leave it as a... we'll put as a network. 
368 00:14:47,579 --> 00:14:49,680 In the network domain, I'm going to put 369 00:14:49,680 --> 00:14:52,579 the severity 370 00:14:53,899 --> 00:14:56,300 as low. 371 00:14:56,300 --> 00:14:59,430 And default owner, I can put in these, 372 00:14:59,430 --> 00:15:01,560 I can leave it unassigned. 373 00:15:01,560 --> 00:15:03,700 I'm going to put it as unassigned to start with. 374 00:15:03,700 --> 00:15:05,100 Again, you don't have to. 375 00:15:05,100 --> 00:15:09,120 Default status, I'm going to put it as unassigned. 376 00:15:09,120 --> 00:15:11,379 And I could put a drill down search in 377 00:15:11,379 --> 00:15:15,079 there, and let's do that. 378 00:15:15,480 --> 00:15:17,880 We're going to take this very same query. 379 00:15:17,880 --> 00:15:19,930 Just to keep things really simple, one of 380 00:15:19,930 --> 00:15:23,519 the very first drill downs I want to put in there 381 00:15:23,519 --> 00:15:25,920 is the actual query 382 00:15:25,920 --> 00:15:28,680 that created this log. 383 00:15:28,680 --> 00:15:30,899 But in this case, I'm not going to put 384 00:15:30,899 --> 00:15:32,800 head 1, I'm going to put...I'm going to 385 00:15:32,800 --> 00:15:34,380 take the head out. 386 00:15:34,380 --> 00:15:36,320 Oh, it looks like I've lost the 128 on 387 00:15:36,320 --> 00:15:38,940 there. 128. 388 00:15:38,940 --> 00:15:41,459 Make sure 128 is up here. 389 00:15:41,459 --> 00:15:44,399 Yeah, it is. Okay, and I can choose... 390 00:15:44,399 --> 00:15:46,500 the drill down search will be 391 00:15:46,500 --> 00:15:49,160 'See... 392 00:15:49,260 --> 00:15:53,880 what caused alert'. 393 00:15:55,079 --> 00:15:56,880 There are other ways of doing this I'll 394 00:15:56,880 --> 00:15:58,019 show, but I'm just going to 395 00:15:58,019 --> 00:15:59,860 create a few add drill down searches. 
396 00:15:59,860 --> 00:16:02,459 And here, we're going to just do 397 00:16:04,560 --> 00:16:07,560 'why does 398 00:16:07,560 --> 00:16:10,399 this 399 00:16:10,459 --> 00:16:14,000 drilldown exist'. 400 00:16:14,880 --> 00:16:17,579 I just want to show I can go search anything. 401 00:16:17,579 --> 00:16:21,199 'Index equals internal'. 402 00:16:21,199 --> 00:16:22,800 Why would you be looking at your 403 00:16:22,800 --> 00:16:26,279 internal logs? It doesn't really matter. 404 00:16:28,260 --> 00:16:30,040 Well, actually, let's just do this. 405 00:16:30,040 --> 00:16:33,370 I'm going to put in '$src_ip$'. 406 00:16:33,370 --> 00:16:35,319 So I'm basically looking in my internal 407 00:16:35,319 --> 00:16:37,139 logs, and I'm going to see if I find that 408 00:16:37,139 --> 00:16:40,039 IP address popping up. It's just kind 409 00:16:40,039 --> 00:16:41,820 of an interesting way you can add 410 00:16:41,820 --> 00:16:45,660 additional searches to your information. 411 00:16:46,500 --> 00:16:48,360 So I'm going to be searching my internal 412 00:16:48,360 --> 00:16:50,459 logs for the source IP. 413 00:16:50,459 --> 00:16:53,160 And I hope you saw this earliest offset, 414 00:16:53,160 --> 00:16:56,099 latest offset. You can change this, or you 415 00:16:56,099 --> 00:16:57,759 can you can let it just go by its 416 00:16:57,759 --> 00:16:59,920 default. Or you can say, for here I'm 417 00:16:59,920 --> 00:17:01,139 going to go 418 00:17:01,139 --> 00:17:06,480 plus, this is a earliest, for example, one hour 419 00:17:06,480 --> 00:17:10,520 and I'm going to leave the other one as zero. 420 00:17:10,559 --> 00:17:12,456 Does that make sense? So I hope 421 00:17:12,456 --> 00:17:14,640 this helps. I can change my time. 422 00:17:14,640 --> 00:17:16,439 It's basically going to look in this 423 00:17:16,439 --> 00:17:22,220 window one hour back, based off of 424 00:17:25,079 --> 00:17:27,780 the time this event occurred. 
425 00:17:27,780 --> 00:17:29,140 So this might actually look a little bit 426 00:17:29,140 --> 00:17:30,280 in the future, this is gonna look a little bit 427 00:17:30,280 --> 00:17:31,100 in the future. 428 00:17:31,100 --> 00:17:32,316 It's going to use time in the back. 429 00:17:32,316 --> 00:17:35,299 So let's go... 430 00:17:35,960 --> 00:17:37,440 we're going to go one hour.... 431 00:17:37,440 --> 00:17:40,220 this is going to go one hour in the 432 00:17:40,220 --> 00:17:43,320 future and one hour in the past. 433 00:17:43,320 --> 00:17:45,640 Sounds good. I'm going to leave my 434 00:17:45,640 --> 00:17:48,080 investigation profile alone. And these 435 00:17:48,080 --> 00:17:50,690 are...extractions, and what it's 436 00:17:50,690 --> 00:17:52,440 going to do is it's going to 437 00:17:52,440 --> 00:17:55,919 identify identities, these are users 438 00:17:55,919 --> 00:17:57,240 and stuff like that on your network. 439 00:17:57,240 --> 00:18:00,240 Assets would be like IPs, and machines, 440 00:18:00,240 --> 00:18:02,840 and files, and URLs that it might have 441 00:18:02,840 --> 00:18:06,020 found. I'm going to...we got assets here. 442 00:18:06,020 --> 00:18:08,760 Source dest. 443 00:18:08,760 --> 00:18:10,390 Does my log, do my logs contain 444 00:18:10,390 --> 00:18:11,760 source and dest? 445 00:18:11,760 --> 00:18:14,940 Well, let's go look. Had one, do I actually 446 00:18:14,940 --> 00:18:18,200 have a source and a dest here? 447 00:18:18,299 --> 00:18:20,589 I have a source IP, but no source. 448 00:18:20,589 --> 00:18:23,270 So I don't have the field it's looking for to 449 00:18:23,270 --> 00:18:25,240 be able to identify it. So what I need to 450 00:18:25,240 --> 00:18:27,960 do is I need to come in here, and I'm going to go 451 00:18:27,960 --> 00:18:30,780 '$src_ip$', 452 00:18:30,780 --> 00:18:33,539 except it's on identity. 
453 00:18:33,539 --> 00:18:35,760 The identity...it's an asset so I'm going, 454 00:18:35,760 --> 00:18:36,880 to come in here and I'm going to go 455 00:18:36,880 --> 00:18:39,679 'source IP'. 456 00:18:40,400 --> 00:18:43,120 And just because we might 457 00:18:43,120 --> 00:18:46,010 want to identify the other 458 00:18:46,010 --> 00:18:47,061 machine in question. 459 00:18:47,061 --> 00:18:49,176 We're going to put dest IP in there as well. 460 00:18:49,176 --> 00:18:50,792 So I'm going to have my source IP 461 00:18:50,792 --> 00:18:52,260 and my destination IP. 462 00:18:52,260 --> 00:18:53,959 They're going to be assets that are 463 00:18:53,959 --> 00:18:56,100 extracted. And that's all I'm going to do. 464 00:18:56,100 --> 00:18:57,539 I just want to make sure that 465 00:18:57,539 --> 00:18:59,850 anything that might be identifiable in 466 00:18:59,850 --> 00:19:01,359 these queries...not these queries, 467 00:19:01,359 --> 00:19:03,733 the query up here. Let's call them out. 468 00:19:03,733 --> 00:19:05,630 And I hope all this will make more sense as 469 00:19:05,630 --> 00:19:07,380 you actually see the stuff come back. 470 00:19:07,380 --> 00:19:09,360 There's just a lot of capabilities here. 471 00:19:09,360 --> 00:19:12,760 I can write steps if I want to, I can set 472 00:19:12,760 --> 00:19:14,720 things up to, for example, send an 473 00:19:14,720 --> 00:19:17,640 email, stream capture if you have 474 00:19:17,640 --> 00:19:20,230 Splunk Stream, nbstat and it's... 475 00:19:20,230 --> 00:19:21,600 You can make your system do a lot of 476 00:19:21,600 --> 00:19:23,720 things. Like, I could have Splunk go ping 477 00:19:23,720 --> 00:19:26,220 an IP address. You know what? 478 00:19:26,220 --> 00:19:28,350 In a little bit, I'll actually show me 479 00:19:28,350 --> 00:19:30,140 doing that. I can have it do a risk 480 00:19:30,140 --> 00:19:32,290 analysis, run a scripts, send a UBA, send a 481 00:19:32,290 --> 00:19:34,110 Splunk mobile. 
Splunk Mobile is really 482 00:19:34,110 --> 00:19:36,670 cool. Now it's being sent to my phone. Add 483 00:19:36,670 --> 00:19:38,760 threat intelligence from it, web hooks, 484 00:19:38,760 --> 00:19:40,860 whatever. You have lots of capabilities; 485 00:19:40,860 --> 00:19:43,569 you don't need to do it. The minimum you 486 00:19:43,569 --> 00:19:45,120 need for a notable: 487 00:19:45,120 --> 00:19:48,059 title, description, 488 00:19:48,059 --> 00:19:50,100 you don't even need these drilldowns, 489 00:19:50,100 --> 00:19:52,320 you can let this be set as default, 490 00:19:52,320 --> 00:19:54,280 probably should pick a security domain, 491 00:19:54,280 --> 00:19:57,530 and literally, that's it. Make sure...it's a 492 00:19:57,530 --> 00:19:59,390 lot more helpful if you can identify 493 00:19:59,390 --> 00:20:01,140 your stuff coming back as identities and 494 00:20:01,140 --> 00:20:03,059 sources. And I'm going to show you that 495 00:20:03,059 --> 00:20:05,720 in the next video with workbenches and 496 00:20:05,720 --> 00:20:07,799 stuff like that, but for the sake of this, 497 00:20:07,799 --> 00:20:09,299 don't worry about it. 498 00:20:09,299 --> 00:20:10,799 Just know that it's good if you 499 00:20:10,799 --> 00:20:12,600 can call it out, but if you don't, 500 00:20:12,600 --> 00:20:14,580 it's not like the query will break. 501 00:20:14,580 --> 00:20:17,539 I'm going to hit save, 502 00:20:18,299 --> 00:20:20,570 and I should have a correlation search done. 503 00:20:20,570 --> 00:20:22,070 Now I'm going to have to wait. 504 00:20:22,070 --> 00:20:24,780 I probably just missed my window. It's 505 00:20:24,780 --> 00:20:28,500 supposed to be kicking off five minutes after the hour, 506 00:20:28,500 --> 00:20:30,840 so I can almost guarantee that if I come 507 00:20:30,840 --> 00:20:35,400 to incident review, I will not find an alert 508 00:20:35,400 --> 00:20:38,640 called 'YouTube notable'.
509 00:20:38,640 --> 00:20:40,513 I'm gonna have to wait 'til five more 510 00:20:40,513 --> 00:20:42,920 minutes go by, but let's go ahead and 511 00:20:42,920 --> 00:20:44,690 check that. So I can come down, I can 512 00:20:44,690 --> 00:20:47,460 refresh the page here, or I can refresh 513 00:20:47,460 --> 00:20:50,300 the page here. But either way, that is not 514 00:20:50,300 --> 00:20:52,380 the purpose of this video, to look at 515 00:20:52,380 --> 00:20:54,349 the incidents coming in. Mine was to talk 516 00:20:54,349 --> 00:20:56,120 about correlation searches and how to 517 00:20:56,120 --> 00:20:58,320 make my own. I have set up a correlation 518 00:20:58,320 --> 00:21:01,250 search, and so I've accomplished my task. 519 00:21:01,250 --> 00:21:03,120 I'm gonna come see it here 520 00:21:03,120 --> 00:21:06,960 with a configure content. 521 00:21:06,960 --> 00:21:10,049 Configure content, content management. 522 00:21:10,049 --> 00:21:12,942 My new correlation search is in here. 523 00:21:12,942 --> 00:21:16,850 We can see that when I go 'all correlation search'... 524 00:21:16,850 --> 00:21:18,651 And when you create them, by default, 525 00:21:18,651 --> 00:21:20,700 they are enabled. 526 00:21:20,700 --> 00:21:24,000 So if I come in here and I enable, 527 00:21:24,000 --> 00:21:26,806 I can see 'YouTube correlation search' for Lame Creations. 528 00:21:26,806 --> 00:21:29,700 If I want to make any changes to it, 529 00:21:29,700 --> 00:21:32,049 I just hit search. Now, that's interesting 530 00:21:32,049 --> 00:21:35,840 that it doesn't say that it's actually scheduled. 531 00:21:40,740 --> 00:21:42,780 Alright, well, probably because it 532 00:21:42,780 --> 00:21:44,940 hasn't run the very first time. Once it 533 00:21:44,940 --> 00:21:47,039 runs, I should see 534 00:21:47,039 --> 00:21:49,360 here the next schedule time.
535 00:21:49,360 --> 00:21:50,579 But it's really easy, 536 00:21:50,579 --> 00:21:53,900 just keep it under the enabled 537 00:21:54,539 --> 00:21:58,140 and correlation searches. 538 00:21:58,140 --> 00:22:00,496 So...yep, there it is. 539 00:22:00,496 --> 00:22:02,814 Now I've got a time for the next scheduled time. 540 00:22:02,814 --> 00:22:04,484 stored in the Enterprise Security app. 541 00:22:04,484 --> 00:22:05,668 What have we covered? 542 00:22:05,668 --> 00:22:07,539 We've talked about correlation searches, 543 00:22:07,539 --> 00:22:09,179 what they are, they're safe 544 00:22:09,179 --> 00:22:11,640 searches that can be used to create 545 00:22:11,640 --> 00:22:15,430 notables. Notables fill out tickets that 546 00:22:15,430 --> 00:22:17,760 will go into a ticket triaging 547 00:22:17,760 --> 00:22:19,620 system, which we will cover in the next 548 00:22:19,620 --> 00:22:21,520 video in this playlist. Please look at 549 00:22:21,520 --> 00:22:23,280 the link below, notice that this is a 550 00:22:23,280 --> 00:22:25,140 playlist. Go ahead and join the playlist 551 00:22:25,140 --> 00:22:27,299 and watch the videos. This is meant to be 552 00:22:27,299 --> 00:22:29,360 a comprehensive training to help you 553 00:22:29,360 --> 00:22:31,620 understand enterprise security. 554 00:22:32,220 --> 00:22:34,830 Click that link. We have now....I've 555 00:22:34,830 --> 00:22:36,480 shown you how to see the correlation 556 00:22:36,480 --> 00:22:38,159 searches that come out of the box, and I've 557 00:22:38,159 --> 00:22:40,080 shown you how to create your own from 558 00:22:40,080 --> 00:22:42,249 scratch.
I hope this has been helpful, I 559 00:22:42,249 --> 00:22:44,299 hope this helps you move from being a 560 00:22:44,299 --> 00:22:47,490 lame analyst to a Splunk Ninja, that 561 00:22:47,490 --> 00:22:49,140 you'll keep following, particularly this 562 00:22:49,140 --> 00:22:51,120 playlist, watch the videos in it, and that 563 00:22:51,120 --> 00:22:51,749 they're helpful. 564 00:22:51,749 --> 00:22:55,000 Anyway, hope to see you around.