Alright, welcome to my Enterprise Security video playlist. This time we're going to be covering correlation searches. This is a fancy word for a saved search that creates an alert. That's really what it comes down to. They call them notables; there's a lot of terminology involved, but the ultimate concept is a correlation search is a search that fires off at predefined periods of time, maybe every five minutes, every hour, searches back across your logs for certain behaviors, and if it sees it, it creates an alert. You can make it create a notable. Technically, it doesn't have to create a notable, and I'll explain how that works, but it's really just a saved search.
So let's go break right into Enterprise Security, and let's talk about that. So I come into Enterprise Security. We're going to show what already comes out of the box. So if I go 'configure', I'm in my Enterprise Security and I come into 'content', and I go to 'content management'. These are all the knowledge objects that come with Enterprise Security, and I'm going to flip this to a correlation search. I click that, and we can see that it's going to come back with lots and lots of results, 58 pages plus of them and multiple to a page. You can read this, so I'm just going to go into the very first one. And this is 'abnormally high number of endpoint changes by a user'. If I go and open this up a little bit...
'Detects an abnormally high number of endpoint changes by user account as it relates to restarts, audits, file system, user, registry, notifications.' If I go into this, I'm actually going to be able to see the query. I'm not going to go explain it, because I can already tell you it's probably going to be written with lots of data models and macros, but out of the box, you can see: here's the query. And it's basically going to look at your data model. You'll hear me talk about data models.
I've discussed data models, but this is going to be the Endpoint data model, and it's going to be looking at file systems for changes by the user; it's going to do a bunch of other things that ultimately come back and say, if you meet a certain criteria... and you can see that it's actually using the Machine Learning Toolkit, so down here it's actually building a threshold saying, what is the normal amount of changes, and is it jumping out of that normal level. It's really cool; they put some really cool analytics out there for you. You can just use what they've got. What I love is... I hear, oh, well, aren't correlation searches attached to frameworks now? Well, you can see the very first ones. Sometimes they are. But here, these are frameworks.
I've heard this in my own work: oh, well, they're all mapped to MITRE. Well, are they? I'll just grab the very first one, and there's no MITRE technique mapped. What should it be? Well, there's a lot of things that could cause a MITRE technique to... uh, if there's endpoint changes, it could be many different types of tactic. Then I'd have it mapped. You could come in here and you could map it; we'll discuss that later, but the point is, we come down here, make that go away, that's all... we can see that it's looking back 1,450 minutes, and the latest time is zero. This runs at five after the hour; that's how I read that, five after the hour.
If the results are greater than zero, it groups by user and change type, and we see that it does not create a notable; it actually just provides a risk analysis. And we'll discuss risk analysis when we talk about RBA. But the point is, you can make it do a bunch of adaptive responses. My job here is not to help you understand every correlation search that comes out of the box; I'm here to discuss the part that most people don't know how to do: create your own. So I've shown you that you can go look through... there's the documentation on Splunk, says 1400 plus. I don't know how they define what a correlation search is. I'm going to tell you that it's a lot. There's a lot of them. And by default, Enterprise Security is smart.
They do not come enabled. If I look at the enabled correlation searches, this is mine that I was using as I started to help understand Enterprise Security, and these two were turned on, and this is for the risk-based approach. Other than that, there are no correlation searches that come out of the box. Why? Well, one, they don't want to turn something on that doesn't fit your data set; two, often you have to tweak them. The correlation search is great, but it's not always going to be perfect for your environment, and so as a general rule, they're there as guidance. Use them when they make sense: turn one on, test it, see how it works. If it doesn't, modify it, and typically you'll just clone the correlation search and build your own.
Anyway, enough talking about that; let's talk about actually building my own correlation search. So I'm in 'configure content' and I went to 'content management'. If I do 'create new content', that's how I'm going to build one. And so we're going to create new content; we're going to make a correlation search. This is the way that I do correlation searches. That doesn't mean it's the way that it has to be done, but it's the way it works for me. I'm going to call this... I would hopefully have a much better name for this, but I'm going to do 'YouTube Correlation Search'. Horrible name, because someone who comes across this will have no idea what it's for, but for me, when I need to purge stuff from my system, it's really easy and it stands out.
So I'm going to put it that way. Then here in my description, I'm going to go 'Grab one event from network logs'. I'm not actually going to build something that I'm looking for. That's not the point of this video. I'm just showing how to build one, and I want them to always fire, so I'm going to fudge the numbers so that I always get what I want. And so the first thing I do is I don't try to build a search through here. You can use a guided mode. Guided's cool; it'll allow you to pick data models, you can pick fields from it, so if I enable the guided mode, you'll see the data, it'll say, alright, what data model do you want to look at? I might come down to 'network traffic', and what data set do I want to use... 'all traffic'. Do I want to use 'summaries only'?
I'll discuss summaries only later; this is not the place for it. Time range. And there is your basic query. I can run the search and see how it looks. Then I'm going to hit 'filter', and filter would be like All.Traffic... AllTraffic.destIP... oh, it's a boolean. Where... and I actually don't know how to make this work. All_Traffic... I'd have to go look this up. Well, that's not very helpful there. The point is, I'm not actually going through the guided search tour. I'm going to stay right here with a manual query where I can write it. It does have guided; again, you've got to understand exactly what you're pulling. Guided is nice if you, you know, follow the docs.
I'm not here for following the docs; I'm here to take a query. This is my home network. I'm going to look at the Corelight logs. I'm going to look at my Corelight conn logs. I'm going to say, where source IP is 192.168.0.*. That is only so I make sure that I'm looking at a specific subnet section of my network. This is primarily my network designed for doing Splunk videos, and so this isn't my... this is part of my home network, but it's a subnet on my network that I use for testing, pen testing, setup of systems that I set up and tear down, and so I just want to know what they're doing. And so I wanted the source IP. Maybe you don't want the source IP.
All I really cared about, though, is I just wanted this, because ultimately, later down, I'm going to do inventory, and I'm going to have a very simple inventory of that subnet, and so I only want IPs where at least one piece of the data ties to my inventory. And so, as you can see, this one here has nothing to do with my network, but this one does. And I'm going to do a head 1, because I don't want lots and lots of results. Basically, I want a query and I'm always going to return one result... and that's what I built. This isn't bad. This isn't actually a known bad; I just wanted data to come back, so then I can put other stuff on it. I'm doing this as a demo for you guys to understand how to build a query.
You would want to build a query that actually is looking for something malicious. Right now, I just want a query to return a result, so that when I do my next video about triage and the triage system, there are actually tickets coming in. If I write a query that's looking for bad, well, that bad better be occurring on my network or it's not going to fire. And so it's a lot harder to troubleshoot if the thing is working, if you're building queries right, if you build something that you hope to not actually see on your network. So I actually hope to see Corelight conn logs. I sure hope so. That means my network has traffic. Anyway, I'm just going to put the head 1, because I only want it to create one alert.
If I let it come back, every event that comes back in here would be a notable alert. I don't want my triage system getting inundated. So I'm just going to do this head 1. Now I'm going to map it. I'm going to go to MITRE, and I'm going to put in some techniques. So I'm going to go 'T1143'. I actually can't remember what all these mean off the top of my head. You can go look them up. I'm going to say this, and this has no basis whatsoever, but again, these videos are going to build on themselves. And so I'm building these MITRE attacks so when I go to the RBA section of this video playlist, you'll see how it maps all the different techniques together.
And so I'm going to put this down here, and actually, because I want this to work on my system, I'm going to actually do... I want it always to be 0.128; that way I'm only going to get alerts that are relating to this system. That means my risk-based approach will cross the threshold. That actually makes a lot more sense for me. I'll explain that when we actually get to RBA, but basically, it's going to give me an alert every time 0.128 is the source of network traffic. And that should fire off quite frequently. Ignore the picture up in the top. We're just going to move on. Head 1. My videos are done rendering. Anyway, so I'm going to map it to these TTPs.
Again, this is all for demo purposes, so I just picked some TTPs, and I can come down here and I can put a confidence score, an impact score, context, analytics; we're just gonna leave that alone for now. I can create my own framework. And now here it's going to say, how far back do I want to look? Do I want to look back 24 hours? I could, but I know how often my logs are firing. I'm going to look back one hour. Doesn't really matter, because I'm just grabbing head 1. And I probably get hundreds of events every... probably thousands of events every hour on this particular subnet. And so it's not going to be a problem getting data. I'm going to look back one hour to now. And how often do I want it to run? You know what?
I'm going to let it run every five minutes. And that's going to be important so that I actually have events. And that'll work. I'm going to come down here, and I'm going to say, do I want it to run as real time or continuous? We'll just leave it at its default. What's my scheduling window? Again, these are... I'm not going over these; this is just basically how you want to run your times. I'm going to run this every five minutes. Schedule priority is in case there's conflicts. Hopefully with your Enterprise Security, you actually do not overload your system so that these become a big deal. Trigger conditions: number of results greater than zero. That's always going to be the case, because I'm getting back one.
But if I was doing this, if I want to do thresholds, I could make it... the thing has to occur at least 10 times, or 15 times, or whatever. Then window duration, fields to group by... that's it. That's all I want to deal with. Really, the only places I played around with this is I wrote a query in the most basic format to get your correlation searches going. Pick a search. I would tie it to an annotation, but you don't have to; not required. You come down here, pick your time window, these three boxes: how far back do you want to look, latest time, earliest time, and your cron schedule, and then you really don't have to touch anything else, except this 'add adaptive response'. I'm going to come and modify this in a minute. There is, when we talk about RBA, I'm going to put a risk analysis.
For the
Dialogue: 0,0:13:37.78,0:13:40.09,Default,,0000,0000,0000,,sake of keeping this simple, I am only
Dialogue: 0,0:13:40.09,0:13:41.46,Default,,0000,0000,0000,,going to do
Dialogue: 0,0:13:41.46,0:13:43.60,Default,,0000,0000,0000,,notables for now. So I'm going to come in
Dialogue: 0,0:13:43.60,0:13:45.07,Default,,0000,0000,0000,,here and I'm going to click a notable.
Dialogue: 0,0:13:45.07,0:13:47.22,Default,,0000,0000,0000,,A notable is an alert that goes to
Dialogue: 0,0:13:47.22,0:13:48.78,Default,,0000,0000,0000,,your triage system.
Dialogue: 0,0:13:48.78,0:13:52.26,Default,,0000,0000,0000,,Gonna go...'YouTube
Dialogue: 0,0:13:52.26,0:13:55.44,Default,,0000,0000,0000,,notable'. Give it a description.
Dialogue: 0,0:13:55.44,0:13:57.90,Default,,0000,0000,0000,,I can actually use...
Dialogue: 0,0:13:59.82,0:14:01.98,Default,,0000,0000,0000,,variable substitution, so I'm going to do
Dialogue: 0,0:14:01.98,0:14:05.83,Default,,0000,0000,0000,,'Alert for $src_ip$'.
Dialogue: 0,0:14:05.83,0:14:07.62,Default,,0000,0000,0000,,I need to make sure that field comes
Dialogue: 0,0:14:07.62,0:14:10.86,Default,,0000,0000,0000,,back, and this does have a source IP, so I
Dialogue: 0,0:14:10.86,0:14:12.72,Default,,0000,0000,0000,,can use it, and you just call it like you
Dialogue: 0,0:14:12.72,0:14:15.18,Default,,0000,0000,0000,,do with the dollar sign on both sides
Dialogue: 0,0:14:15.18,0:14:17.34,Default,,0000,0000,0000,,of a variable, and that'll be dynamic. And
Dialogue: 0,0:14:17.34,0:14:19.68,Default,,0000,0000,0000,,so my description will come back with
Dialogue: 0,0:14:19.68,0:14:22.68,Default,,0000,0000,0000,,this. And just because I
Dialogue: 0,0:14:22.68,0:14:24.68,Default,,0000,0000,0000,,want to, what if I...yeah, we'll just
Dialogue: 0,0:14:24.68,0:14:26.22,Default,,0000,0000,0000,,leave it at that.
Dialogue: 0,0:14:26.22,0:14:29.16,Default,,0000,0000,0000,,YouTube notable security domain.
There
Dialogue: 0,0:14:29.16,0:14:31.43,Default,,0000,0000,0000,,are a bunch of domains. This is dealing
Dialogue: 0,0:14:31.43,0:14:33.60,Default,,0000,0000,0000,,with access areas, that would be
Dialogue: 0,0:14:33.60,0:14:35.88,Default,,0000,0000,0000,,authentication, endpoint, a lot of your
Dialogue: 0,0:14:35.88,0:14:39.42,Default,,0000,0000,0000,,host logs, network logs, threat, identity,
Dialogue: 0,0:14:39.42,0:14:41.46,Default,,0000,0000,0000,,and audit. And so those are the six areas
Dialogue: 0,0:14:41.46,0:14:43.88,Default,,0000,0000,0000,,Splunk has as security domains. We'll
Dialogue: 0,0:14:43.88,0:14:47.58,Default,,0000,0000,0000,,just leave it as a...\Nwe'll put it as network.
Dialogue: 0,0:14:47.58,0:14:49.68,Default,,0000,0000,0000,,In the network domain, I'm going to put
Dialogue: 0,0:14:49.68,0:14:52.58,Default,,0000,0000,0000,,the severity
Dialogue: 0,0:14:53.90,0:14:56.30,Default,,0000,0000,0000,,as low.
Dialogue: 0,0:14:56.30,0:14:59.43,Default,,0000,0000,0000,,And default owner, I can put in these,
Dialogue: 0,0:14:59.43,0:15:01.56,Default,,0000,0000,0000,,I can leave it unassigned.
Dialogue: 0,0:15:01.56,0:15:03.70,Default,,0000,0000,0000,,I'm going to put it as \Nunassigned to start with.
Dialogue: 0,0:15:03.70,0:15:05.10,Default,,0000,0000,0000,,Again, you don't have to.
Dialogue: 0,0:15:05.10,0:15:09.12,Default,,0000,0000,0000,,Default status, I'm going to \Nput it as unassigned.
Dialogue: 0,0:15:09.12,0:15:11.38,Default,,0000,0000,0000,,And I could put a drill down search in
Dialogue: 0,0:15:11.38,0:15:15.08,Default,,0000,0000,0000,,there, and let's do that.
Dialogue: 0,0:15:15.48,0:15:17.88,Default,,0000,0000,0000,,We're going to take this very same query.
Dialogue: 0,0:15:17.88,0:15:19.93,Default,,0000,0000,0000,,Just to keep things really simple, one of
Dialogue: 0,0:15:19.93,0:15:23.52,Default,,0000,0000,0000,,the very first drill downs \NI want to put in there
Dialogue: 0,0:15:23.52,0:15:25.92,Default,,0000,0000,0000,,is the actual query
Dialogue: 0,0:15:25.92,0:15:28.68,Default,,0000,0000,0000,,that created this log.
Dialogue: 0,0:15:28.68,0:15:30.90,Default,,0000,0000,0000,,But in this case, I'm not going to put
Dialogue: 0,0:15:30.90,0:15:32.80,Default,,0000,0000,0000,,head 1, I'm going to put...I'm going to
Dialogue: 0,0:15:32.80,0:15:34.38,Default,,0000,0000,0000,,take the head out.
Dialogue: 0,0:15:34.38,0:15:36.32,Default,,0000,0000,0000,,Oh, it looks like I've lost the 128 on
Dialogue: 0,0:15:36.32,0:15:38.94,Default,,0000,0000,0000,,there. 128.
Dialogue: 0,0:15:38.94,0:15:41.46,Default,,0000,0000,0000,,Make sure 128 is up here.
Dialogue: 0,0:15:41.46,0:15:44.40,Default,,0000,0000,0000,,Yeah, it is. Okay, and I can choose...
Dialogue: 0,0:15:44.40,0:15:46.50,Default,,0000,0000,0000,,the drill down search will be
Dialogue: 0,0:15:46.50,0:15:49.16,Default,,0000,0000,0000,,'See...
Dialogue: 0,0:15:49.26,0:15:53.88,Default,,0000,0000,0000,,what caused alert'.
Dialogue: 0,0:15:55.08,0:15:56.88,Default,,0000,0000,0000,,There are other ways of doing this I'll
Dialogue: 0,0:15:56.88,0:15:58.02,Default,,0000,0000,0000,,show, but I'm just going to
Dialogue: 0,0:15:58.02,0:15:59.86,Default,,0000,0000,0000,,create a few add drill down searches.
Dialogue: 0,0:15:59.86,0:16:02.46,Default,,0000,0000,0000,,And here, we're going to just do
Dialogue: 0,0:16:04.56,0:16:07.56,Default,,0000,0000,0000,,'why does
Dialogue: 0,0:16:07.56,0:16:10.40,Default,,0000,0000,0000,,this
Dialogue: 0,0:16:10.46,0:16:14.00,Default,,0000,0000,0000,,drilldown exist'.
Dialogue: 0,0:16:14.88,0:16:17.58,Default,,0000,0000,0000,,I just want to show \NI can go search anything.
Dialogue: 0,0:16:17.58,0:16:21.20,Default,,0000,0000,0000,,'Index equals internal'.
Dialogue: 0,0:16:21.20,0:16:22.80,Default,,0000,0000,0000,,Why would you be looking at your
Dialogue: 0,0:16:22.80,0:16:26.28,Default,,0000,0000,0000,,internal logs? It doesn't really matter.
Dialogue: 0,0:16:28.26,0:16:30.04,Default,,0000,0000,0000,,Well, actually, let's just do this.
Dialogue: 0,0:16:30.04,0:16:33.37,Default,,0000,0000,0000,,I'm going to put in '$src_ip$'.
Dialogue: 0,0:16:33.37,0:16:35.32,Default,,0000,0000,0000,,So I'm basically looking in my internal
Dialogue: 0,0:16:35.32,0:16:37.14,Default,,0000,0000,0000,,logs, and I'm going to see if I find that
Dialogue: 0,0:16:37.14,0:16:40.04,Default,,0000,0000,0000,,IP address popping up. It's just kind
Dialogue: 0,0:16:40.04,0:16:41.82,Default,,0000,0000,0000,,of an interesting way you can add
Dialogue: 0,0:16:41.82,0:16:45.66,Default,,0000,0000,0000,,additional searches to your information.
Dialogue: 0,0:16:46.50,0:16:48.36,Default,,0000,0000,0000,,So I'm going to be searching my internal
Dialogue: 0,0:16:48.36,0:16:50.46,Default,,0000,0000,0000,,logs for the source IP.
Dialogue: 0,0:16:50.46,0:16:53.16,Default,,0000,0000,0000,,And I hope you saw this earliest offset,
Dialogue: 0,0:16:53.16,0:16:56.10,Default,,0000,0000,0000,,latest offset. You can change this, or you
Dialogue: 0,0:16:56.10,0:16:57.76,Default,,0000,0000,0000,,can let it just go by its
Dialogue: 0,0:16:57.76,0:16:59.92,Default,,0000,0000,0000,,default. Or you can say, for here I'm
Dialogue: 0,0:16:59.92,0:17:01.14,Default,,0000,0000,0000,,going to go
Dialogue: 0,0:17:01.14,0:17:06.48,Default,,0000,0000,0000,,plus, this is an earliest, \Nfor example, one hour
Dialogue: 0,0:17:06.48,0:17:10.52,Default,,0000,0000,0000,,and I'm going to leave \Nthe other one as zero.
Dialogue: 0,0:17:10.56,0:17:12.46,Default,,0000,0000,0000,,Does that make sense? So I hope
Dialogue: 0,0:17:12.46,0:17:14.64,Default,,0000,0000,0000,,this helps. I can change my time.
Dialogue: 0,0:17:14.64,0:17:16.44,Default,,0000,0000,0000,,It's basically going to look in this
Dialogue: 0,0:17:16.44,0:17:22.22,Default,,0000,0000,0000,,window one hour back, based off of
Dialogue: 0,0:17:25.08,0:17:27.78,Default,,0000,0000,0000,,the time this event occurred.
Dialogue: 0,0:17:27.78,0:17:29.14,Default,,0000,0000,0000,,So this might actually look a little bit
Dialogue: 0,0:17:29.14,0:17:30.28,Default,,0000,0000,0000,,in the future, this is \Ngonna look a little bit
Dialogue: 0,0:17:30.28,0:17:31.10,Default,,0000,0000,0000,,in the future.
Dialogue: 0,0:17:31.10,0:17:32.32,Default,,0000,0000,0000,,It's going to use time in the back.
Dialogue: 0,0:17:32.32,0:17:35.30,Default,,0000,0000,0000,,So let's go...
Dialogue: 0,0:17:35.96,0:17:37.44,Default,,0000,0000,0000,,we're going to go one hour...
Dialogue: 0,0:17:37.44,0:17:40.22,Default,,0000,0000,0000,,this is going to go one hour in the
Dialogue: 0,0:17:40.22,0:17:43.32,Default,,0000,0000,0000,,future and one hour in the past.
Dialogue: 0,0:17:43.32,0:17:45.64,Default,,0000,0000,0000,,Sounds good. I'm going to leave my
Dialogue: 0,0:17:45.64,0:17:48.08,Default,,0000,0000,0000,,investigation profile alone. And these
Dialogue: 0,0:17:48.08,0:17:50.69,Default,,0000,0000,0000,,are...extractions, and what it's
Dialogue: 0,0:17:50.69,0:17:52.44,Default,,0000,0000,0000,,going to do is it's going to
Dialogue: 0,0:17:52.44,0:17:55.92,Default,,0000,0000,0000,,identify identities, these are users
Dialogue: 0,0:17:55.92,0:17:57.24,Default,,0000,0000,0000,,and stuff like that on your network.
Dialogue: 0,0:17:57.24,0:18:00.24,Default,,0000,0000,0000,,Assets would be like IPs, and machines,
Dialogue: 0,0:18:00.24,0:18:02.84,Default,,0000,0000,0000,,and files, and URLs that it might have
Dialogue: 0,0:18:02.84,0:18:06.02,Default,,0000,0000,0000,,found. I'm going to...we got assets here.
Dialogue: 0,0:18:06.02,0:18:08.76,Default,,0000,0000,0000,,Source dest.
Dialogue: 0,0:18:08.76,0:18:10.39,Default,,0000,0000,0000,,Does my log, do my logs contain
Dialogue: 0,0:18:10.39,0:18:11.76,Default,,0000,0000,0000,,source and dest?
Dialogue: 0,0:18:11.76,0:18:14.94,Default,,0000,0000,0000,,Well, let's go look. Head 1, do I actually
Dialogue: 0,0:18:14.94,0:18:18.20,Default,,0000,0000,0000,,have a source and a dest here?
Dialogue: 0,0:18:18.30,0:18:20.59,Default,,0000,0000,0000,,I have a source IP, but no source.
Dialogue: 0,0:18:20.59,0:18:23.27,Default,,0000,0000,0000,,So I don't have the \Nfield it's looking for to
Dialogue: 0,0:18:23.27,0:18:25.24,Default,,0000,0000,0000,,be able to identify it. So what I need to
Dialogue: 0,0:18:25.24,0:18:27.96,Default,,0000,0000,0000,,do is I need to come in here, \Nand I'm going to go
Dialogue: 0,0:18:27.96,0:18:30.78,Default,,0000,0000,0000,,'$src_ip$',
Dialogue: 0,0:18:30.78,0:18:33.54,Default,,0000,0000,0000,,except it's on identity.
Dialogue: 0,0:18:33.54,0:18:35.76,Default,,0000,0000,0000,,The identity...it's an asset, so I'm going
Dialogue: 0,0:18:35.76,0:18:36.88,Default,,0000,0000,0000,,to come in here and I'm going to go
Dialogue: 0,0:18:36.88,0:18:39.68,Default,,0000,0000,0000,,'source IP'.
Dialogue: 0,0:18:40.40,0:18:43.12,Default,,0000,0000,0000,,And just because we might
Dialogue: 0,0:18:43.12,0:18:46.01,Default,,0000,0000,0000,,want to identify the other
Dialogue: 0,0:18:46.01,0:18:47.06,Default,,0000,0000,0000,,machine in question.
Dialogue: 0,0:18:47.06,0:18:49.18,Default,,0000,0000,0000,,We're going to put dest \NIP in there as well.
Dialogue: 0,0:18:49.18,0:18:50.79,Default,,0000,0000,0000,,So I'm going to have my source IP
Dialogue: 0,0:18:50.79,0:18:52.26,Default,,0000,0000,0000,,and my destination IP.
Dialogue: 0,0:18:52.26,0:18:53.96,Default,,0000,0000,0000,,They're going to be assets that are
Dialogue: 0,0:18:53.96,0:18:56.10,Default,,0000,0000,0000,,extracted. And that's all I'm going to do.
Dialogue: 0,0:18:56.10,0:18:57.54,Default,,0000,0000,0000,,I just want to make sure that
Dialogue: 0,0:18:57.54,0:18:59.85,Default,,0000,0000,0000,,anything that might be identifiable in
Dialogue: 0,0:18:59.85,0:19:01.36,Default,,0000,0000,0000,,these queries...not these queries,
Dialogue: 0,0:19:01.36,0:19:03.73,Default,,0000,0000,0000,,the query up here. Let's call them out.
Dialogue: 0,0:19:03.73,0:19:05.63,Default,,0000,0000,0000,,And I hope all this \Nwill make more sense as
Dialogue: 0,0:19:05.63,0:19:07.38,Default,,0000,0000,0000,,you actually see the stuff come back.
Dialogue: 0,0:19:07.38,0:19:09.36,Default,,0000,0000,0000,,There's just a lot of capabilities here.
Dialogue: 0,0:19:09.36,0:19:12.76,Default,,0000,0000,0000,,I can write steps if I want to, I can set
Dialogue: 0,0:19:12.76,0:19:14.72,Default,,0000,0000,0000,,things up to, for example, send an
Dialogue: 0,0:19:14.72,0:19:17.64,Default,,0000,0000,0000,,email, stream capture if you have
Dialogue: 0,0:19:17.64,0:19:20.23,Default,,0000,0000,0000,,Splunk Stream, nbtstat and it's...
Dialogue: 0,0:19:20.23,0:19:21.60,Default,,0000,0000,0000,,You can make your system do a lot of
Dialogue: 0,0:19:21.60,0:19:23.72,Default,,0000,0000,0000,,things. Like, I could have Splunk go ping
Dialogue: 0,0:19:23.72,0:19:26.22,Default,,0000,0000,0000,,an IP address. You know what?
Dialogue: 0,0:19:26.22,0:19:28.35,Default,,0000,0000,0000,,In a little bit, I'll actually show me
Dialogue: 0,0:19:28.35,0:19:30.14,Default,,0000,0000,0000,,doing that. I can have it do a risk
Dialogue: 0,0:19:30.14,0:19:32.29,Default,,0000,0000,0000,,analysis, run a script,\Nsend a UBA, send a
Dialogue: 0,0:19:32.29,0:19:34.11,Default,,0000,0000,0000,,Splunk mobile. Splunk mobile is really
Dialogue: 0,0:19:34.11,0:19:36.67,Default,,0000,0000,0000,,cool. Now it's being sent to my phone.
Add
Dialogue: 0,0:19:36.67,0:19:38.76,Default,,0000,0000,0000,,threat intelligence from it, web hooks,
Dialogue: 0,0:19:38.76,0:19:40.86,Default,,0000,0000,0000,,whatever. You have lots of capabilities,
Dialogue: 0,0:19:40.86,0:19:43.57,Default,,0000,0000,0000,,don't need to do it. The minimum you
Dialogue: 0,0:19:43.57,0:19:45.12,Default,,0000,0000,0000,,need for a notable:
Dialogue: 0,0:19:45.12,0:19:48.06,Default,,0000,0000,0000,,title, description,
Dialogue: 0,0:19:48.06,0:19:50.10,Default,,0000,0000,0000,,you don't even need these drilldowns,
Dialogue: 0,0:19:50.10,0:19:52.32,Default,,0000,0000,0000,,you can let this be set as default,
Dialogue: 0,0:19:52.32,0:19:54.28,Default,,0000,0000,0000,,probably should pick a security domain,
Dialogue: 0,0:19:54.28,0:19:57.53,Default,,0000,0000,0000,,and literally, that's it. \NMake sure...it's a
Dialogue: 0,0:19:57.53,0:19:59.39,Default,,0000,0000,0000,,lot more helpful if you can identify
Dialogue: 0,0:19:59.39,0:20:01.14,Default,,0000,0000,0000,,your stuff coming back as identities and
Dialogue: 0,0:20:01.14,0:20:03.06,Default,,0000,0000,0000,,sources. And I'm going to show you that
Dialogue: 0,0:20:03.06,0:20:05.72,Default,,0000,0000,0000,,in the next video with workbenches and
Dialogue: 0,0:20:05.72,0:20:07.80,Default,,0000,0000,0000,,stuff like that, but for the sake of this,
Dialogue: 0,0:20:07.80,0:20:09.30,Default,,0000,0000,0000,,don't worry about it.
Dialogue: 0,0:20:09.30,0:20:10.80,Default,,0000,0000,0000,,Just know that it's good if you
Dialogue: 0,0:20:10.80,0:20:12.60,Default,,0000,0000,0000,,can call it out, but if you don't,
Dialogue: 0,0:20:12.60,0:20:14.58,Default,,0000,0000,0000,,it's not like the query will break.
Dialogue: 0,0:20:14.58,0:20:17.54,Default,,0000,0000,0000,,I'm going to hit save,
Dialogue: 0,0:20:18.30,0:20:20.57,Default,,0000,0000,0000,,and I should have a \Ncorrelation search done.
Dialogue: 0,0:20:20.57,0:20:22.07,Default,,0000,0000,0000,,Now I'm going to have to wait.
Dialogue: 0,0:20:22.07,0:20:24.78,Default,,0000,0000,0000,,I probably just missed my window. It's
Dialogue: 0,0:20:24.78,0:20:28.50,Default,,0000,0000,0000,,supposed to be kicking off \Nfive minutes after the hour,
Dialogue: 0,0:20:28.50,0:20:30.84,Default,,0000,0000,0000,,so I can almost guarantee that if I come
Dialogue: 0,0:20:30.84,0:20:35.40,Default,,0000,0000,0000,,to incident review, \NI will not find an alert
Dialogue: 0,0:20:35.40,0:20:38.64,Default,,0000,0000,0000,,called 'YouTube notable'.
Dialogue: 0,0:20:38.64,0:20:40.51,Default,,0000,0000,0000,,I'm gonna have to wait 'til five more
Dialogue: 0,0:20:40.51,0:20:42.92,Default,,0000,0000,0000,,minutes go by, but let's go ahead and
Dialogue: 0,0:20:42.92,0:20:44.69,Default,,0000,0000,0000,,check that. So I can come down, I can
Dialogue: 0,0:20:44.69,0:20:47.46,Default,,0000,0000,0000,,refresh the page here, or I can refresh
Dialogue: 0,0:20:47.46,0:20:50.30,Default,,0000,0000,0000,,the page here. But either way, the purpose
Dialogue: 0,0:20:50.30,0:20:52.38,Default,,0000,0000,0000,,of this video is not to look at
Dialogue: 0,0:20:52.38,0:20:54.35,Default,,0000,0000,0000,,the incidents coming in. Mine was to talk
Dialogue: 0,0:20:54.35,0:20:56.12,Default,,0000,0000,0000,,about correlation searches and how to
Dialogue: 0,0:20:56.12,0:20:58.32,Default,,0000,0000,0000,,make my own. I have set up a correlation
Dialogue: 0,0:20:58.32,0:21:01.25,Default,,0000,0000,0000,,search, and so I've accomplished my task.
Dialogue: 0,0:21:01.25,0:21:03.12,Default,,0000,0000,0000,,I'm gonna come see it here
Dialogue: 0,0:21:03.12,0:21:06.96,Default,,0000,0000,0000,,with a configure content.
Dialogue: 0,0:21:06.96,0:21:10.05,Default,,0000,0000,0000,,Configure content, content management.
Dialogue: 0,0:21:10.05,0:21:12.94,Default,,0000,0000,0000,,My new correlation search is in here.
Dialogue: 0,0:21:12.94,0:21:16.85,Default,,0000,0000,0000,,We can see that when I go \N'all correlation search'...
Dialogue: 0,0:21:16.85,0:21:18.65,Default,,0000,0000,0000,,And when you create them, by default,
Dialogue: 0,0:21:18.65,0:21:20.70,Default,,0000,0000,0000,,they are enabled.
Dialogue: 0,0:21:20.70,0:21:24.00,Default,,0000,0000,0000,,So if I come in here and I enable,
Dialogue: 0,0:21:24.00,0:21:26.81,Default,,0000,0000,0000,,I can see 'YouTube correlation search'\Nfor Lame Creations.
Dialogue: 0,0:21:26.81,0:21:29.70,Default,,0000,0000,0000,,If I want to make any changes to it,
Dialogue: 0,0:21:29.70,0:21:32.05,Default,,0000,0000,0000,,I just hit search. Now, that's interesting
Dialogue: 0,0:21:32.05,0:21:35.84,Default,,0000,0000,0000,,that it doesn't say that \Nit's actually scheduled.
Dialogue: 0,0:21:40.74,0:21:42.78,Default,,0000,0000,0000,,Alright, well, probably because it
Dialogue: 0,0:21:42.78,0:21:44.94,Default,,0000,0000,0000,,hasn't run the very first time. Once it
Dialogue: 0,0:21:44.94,0:21:47.04,Default,,0000,0000,0000,,runs, I should see
Dialogue: 0,0:21:47.04,0:21:49.36,Default,,0000,0000,0000,,here the next scheduled time.
Dialogue: 0,0:21:49.36,0:21:50.58,Default,,0000,0000,0000,,But it's really easy,
Dialogue: 0,0:21:50.58,0:21:53.90,Default,,0000,0000,0000,,just keep it under the enabled
Dialogue: 0,0:21:54.54,0:21:58.14,Default,,0000,0000,0000,,and correlation searches.
Dialogue: 0,0:21:58.14,0:22:00.50,Default,,0000,0000,0000,,So...yep, there it is.
Dialogue: 0,0:22:00.50,0:22:02.81,Default,,0000,0000,0000,,Now I've got a time for \Nthe next scheduled time.
Dialogue: 0,0:22:02.81,0:22:04.48,Default,,0000,0000,0000,,stored in the Enterprise Security app.
Dialogue: 0,0:22:04.48,0:22:05.67,Default,,0000,0000,0000,,What have we covered?
Dialogue: 0,0:22:05.67,0:22:07.54,Default,,0000,0000,0000,,We've talked about correlation searches,
Dialogue: 0,0:22:07.54,0:22:09.18,Default,,0000,0000,0000,,what they are, they're saved
Dialogue: 0,0:22:09.18,0:22:11.64,Default,,0000,0000,0000,,searches that can be used to create
Dialogue: 0,0:22:11.64,0:22:15.43,Default,,0000,0000,0000,,notables. Notables fill out tickets that
Dialogue: 0,0:22:15.43,0:22:17.76,Default,,0000,0000,0000,,will go into a ticket triaging
Dialogue: 0,0:22:17.76,0:22:19.62,Default,,0000,0000,0000,,system, which we will cover in the next
Dialogue: 0,0:22:19.62,0:22:21.52,Default,,0000,0000,0000,,video in this playlist. Please look at
Dialogue: 0,0:22:21.52,0:22:23.28,Default,,0000,0000,0000,,the link below, notice that this is a
Dialogue: 0,0:22:23.28,0:22:25.14,Default,,0000,0000,0000,,playlist. Go ahead and join the playlist
Dialogue: 0,0:22:25.14,0:22:27.30,Default,,0000,0000,0000,,and watch the videos. This is meant to be
Dialogue: 0,0:22:27.30,0:22:29.36,Default,,0000,0000,0000,,a comprehensive training to help you
Dialogue: 0,0:22:29.36,0:22:31.62,Default,,0000,0000,0000,,understand enterprise security.
Dialogue: 0,0:22:32.22,0:22:34.83,Default,,0000,0000,0000,,Click that link. We have now...I've
Dialogue: 0,0:22:34.83,0:22:36.48,Default,,0000,0000,0000,,shown you how to see the correlation
Dialogue: 0,0:22:36.48,0:22:38.16,Default,,0000,0000,0000,,searches that come out of the box, and I've
Dialogue: 0,0:22:38.16,0:22:40.08,Default,,0000,0000,0000,,shown you how to create your own from
Dialogue: 0,0:22:40.08,0:22:42.25,Default,,0000,0000,0000,,scratch.
I hope this has been helpful, I
Dialogue: 0,0:22:42.25,0:22:44.30,Default,,0000,0000,0000,,hope this helps you move from being a
Dialogue: 0,0:22:44.30,0:22:47.49,Default,,0000,0000,0000,,lame analyst to a Splunk Ninja, that
Dialogue: 0,0:22:47.49,0:22:49.14,Default,,0000,0000,0000,,you'll keep following, particularly this
Dialogue: 0,0:22:49.14,0:22:51.12,Default,,0000,0000,0000,,playlist, watch the videos in it, and that
Dialogue: 0,0:22:51.12,0:22:51.75,Default,,0000,0000,0000,,they're helpful.
Dialogue: 0,0:22:51.75,0:22:55.00,Default,,0000,0000,0000,,Anyway, hope to see you around.