WEBVTT 00:00:00.000 --> 00:00:10.800 [Music] 00:00:10.800 --> 00:00:14.700 Alright, welcome to my enterprise security 00:00:14.700 --> 00:00:16.950 video playlist. This time we're going to 00:00:16.950 --> 00:00:19.800 be covering correlation searches. This is 00:00:19.800 --> 00:00:22.610 a fancy word for a saved search that 00:00:22.610 --> 00:00:25.600 creates an alert. That's really what it 00:00:25.600 --> 00:00:29.220 comes down to. They call them notables— 00:00:29.220 --> 00:00:31.059 there's a lot of terminology involved— 00:00:31.059 --> 00:00:33.119 but the ultimate concept is a 00:00:33.119 --> 00:00:35.820 correlation search is a search that 00:00:35.820 --> 00:00:38.820 fires off at predefined periods of time, 00:00:38.820 --> 00:00:40.740 maybe every five minutes, every hour, 00:00:40.740 --> 00:00:42.719 searches back across your logs for 00:00:42.719 --> 00:00:45.360 certain behaviors, and if it sees it, it 00:00:45.360 --> 00:00:48.300 creates a...it creates an alert. You can 00:00:48.300 --> 00:00:50.510 make it create a notable. Technically, it 00:00:50.510 --> 00:00:52.050 doesn't have to create a notable, and 00:00:52.050 --> 00:00:54.660 I'll explain how that works, but it's 00:00:54.660 --> 00:00:56.820 really just a saved search. So let's go 00:00:56.820 --> 00:00:58.159 break right into enterprise security, and 00:00:58.159 --> 00:00:59.820 let's talk about that. 00:00:59.820 --> 00:01:01.920 So I come into enterprise security. We're 00:01:01.920 --> 00:01:04.500 going to show what already comes 00:01:04.500 --> 00:01:07.040 out of the box. So if I go 'configure', I'm 00:01:07.040 --> 00:01:09.780 in my Enterprise security and I come into... 00:01:09.780 --> 00:01:13.510 'content', and I go to 'content management', 00:01:13.510 --> 00:01:15.900 these are all the knowledge objects that 00:01:15.900 --> 00:01:19.043 come with enterprise security, and I'm 00:01:19.043 --> 00:01:22.870 going to flip this to a correlation search. 
00:01:25.400 --> 00:01:27.799 I click that... 00:01:27.799 --> 00:01:29.800 we can see that it's going to come back 00:01:29.800 --> 00:01:33.439 with lots and lots of results, 58 pages 00:01:33.439 --> 00:01:38.759 plus of them and multiple to a page. You 00:01:38.759 --> 00:01:40.959 can read this, so I'm just going to go 00:01:40.959 --> 00:01:43.920 into the very first one. And this is 00:01:43.920 --> 00:01:46.439 'abnormally high number of endpoint 00:01:46.439 --> 00:01:49.500 changes by a user'. If I go and open this 00:01:49.500 --> 00:01:51.780 up a little bit... 00:01:51.780 --> 00:01:53.759 'detects an abnormally high number of 00:01:53.759 --> 00:01:55.430 endpoint changes by user account as it 00:01:55.430 --> 00:01:58.020 relate to restarts, audits, file system, 00:01:58.020 --> 00:01:59.742 user, registry, notifications". 00:01:59.742 --> 00:02:01.460 If I go into this... 00:02:02.280 --> 00:02:04.500 I'm actually going to be able to see 00:02:04.500 --> 00:02:07.020 the query. I'm not going to go explain it 00:02:07.020 --> 00:02:08.220 because I can already tell you, it's 00:02:08.220 --> 00:02:09.479 probably going to be written with lots 00:02:09.479 --> 00:02:13.089 of data models and macros, but out of the 00:02:13.089 --> 00:02:15.387 box, you can see: here's the query. And 00:02:15.387 --> 00:02:16.830 it's basically...it's going to look at 00:02:16.830 --> 00:02:18.950 your data model. You'll hear me talk 00:02:18.950 --> 00:02:21.459 about data models. 
I've discussed data 00:02:21.459 --> 00:02:22.910 model, but this is going to be the 00:02:22.910 --> 00:02:24.710 endpoint data model, and it's going to be 00:02:24.710 --> 00:02:27.800 looking at file systems for changes by the 00:02:27.800 --> 00:02:29.270 user, it's going to do a bunch of other 00:02:29.270 --> 00:02:30.290 things that ultimately it's going to 00:02:30.290 --> 00:02:32.510 come back and say...if you meet a certain 00:02:32.510 --> 00:02:34.870 criteria, and you can see that it's 00:02:34.870 --> 00:02:36.360 actually using the machine learning 00:02:36.360 --> 00:02:38.640 toolkit, so down here it's actually 00:02:38.640 --> 00:02:41.280 building a threshold saying, what is the 00:02:41.280 --> 00:02:43.830 normal amount of use of changes, and is 00:02:43.830 --> 00:02:46.270 it jumping out of that normal level. 00:02:46.270 --> 00:02:49.600 It's really cool, put some really cool 00:02:49.600 --> 00:02:52.200 analytics out there for you. You can just 00:02:52.200 --> 00:02:55.450 use what they've got. What I love is I 00:02:55.450 --> 00:02:57.330 don't want to...I hear, oh 00:02:57.330 --> 00:02:59.660 well aren't correlation searches 00:02:59.660 --> 00:03:03.480 attached to now frameworks? Well, you can 00:03:03.480 --> 00:03:04.920 see the very first ones. Sometimes they 00:03:04.920 --> 00:03:07.379 are. But here, these are frameworks. I've 00:03:07.379 --> 00:03:09.480 heard this in my own work, oh, well they're 00:03:09.480 --> 00:03:12.120 all mapped to the MITRE. Well, 00:03:12.120 --> 00:03:14.480 are they? I'll just grab the very first 00:03:14.480 --> 00:03:17.160 one, and...there's no MITRE technique 00:03:17.160 --> 00:03:20.050 mapped. What should it be? Well, there's a 00:03:20.050 --> 00:03:23.170 lot of things that could cause a MITRE 00:03:23.170 --> 00:03:25.860 technique to...uh...if there's endpoint 00:03:25.860 --> 00:03:27.450 changes, it could be many different types 00:03:27.450 --> 00:03:29.649 of tactics. 
Then I'll have it mapped. You 00:03:29.649 --> 00:03:31.200 could come in here and you could map it, 00:03:31.200 --> 00:03:33.529 we'll discuss that later, but point is, we 00:03:33.529 --> 00:03:35.640 come down here... 00:03:35.640 --> 00:03:37.560 make that go away, that's all... 00:03:37.560 --> 00:03:40.260 we can see that it's looking back 1,450 00:03:40.260 --> 00:03:43.739 minutes, and the latest time is zero. This 00:03:43.739 --> 00:03:48.000 runs at five after the hour, that's how I 00:03:48.000 --> 00:03:51.119 read that, five after the hour. 00:03:51.119 --> 00:03:52.980 It's...if the results are greater than 00:03:52.980 --> 00:03:56.540 zero, it groups by user and change type, 00:03:56.540 --> 00:03:59.879 and we see that it creates...it does not 00:03:59.879 --> 00:04:01.560 create a notable, it actually just 00:04:01.560 --> 00:04:03.959 provides a risk analysis. And we'll 00:04:03.959 --> 00:04:06.080 discuss risk analysis when we talk about 00:04:06.080 --> 00:04:08.570 RBA. But the point is, you can make it do 00:04:08.570 --> 00:04:10.319 a bunch of adaptive responses. 00:04:10.319 --> 00:04:12.079 My job here is not to help you 00:04:12.079 --> 00:04:13.500 understand every correlation search that 00:04:13.500 --> 00:04:15.599 comes out of the box, I'm here to discuss 00:04:15.599 --> 00:04:17.280 the part that most people don't know how 00:04:17.280 --> 00:04:20.120 to do: create your own. So I've shown you 00:04:20.120 --> 00:04:23.400 that you can go look through...there's 00:04:23.400 --> 00:04:26.400 the documentation on Splunk, says 1400 00:04:26.400 --> 00:04:29.040 plus, I don't know how they define what a 00:04:29.040 --> 00:04:31.290 correlation search is. I'm going to tell 00:04:31.290 --> 00:04:34.679 you that it's a lot. There's a 00:04:34.679 --> 00:04:37.759 lot of them. And by default, 00:04:37.759 --> 00:04:40.930 enterprise security is smart. They do 00:04:40.930 --> 00:04:43.320 not come enabled. 
If I look at the 00:04:43.320 --> 00:04:46.199 enabled correlation searches, 00:04:46.199 --> 00:04:48.590 this is mine that I was using as I 00:04:48.590 --> 00:04:49.699 started to help understand 00:04:49.699 --> 00:04:50.986 enterprise security, 00:04:50.986 --> 00:04:52.800 and these two were turned on 00:04:52.800 --> 00:04:55.020 and this is for risk-based approach. 00:04:55.020 --> 00:04:57.660 Other than that, there are no correlation 00:04:57.660 --> 00:04:59.759 searches that come out of the box. Why? 00:04:59.759 --> 00:05:01.500 Well, one, they don't want to turn 00:05:01.500 --> 00:05:03.060 something on that doesn't fit your data 00:05:03.060 --> 00:05:06.000 set; two, often you have to tweak them, the 00:05:06.000 --> 00:05:07.580 correlation search is great, but it's not 00:05:07.580 --> 00:05:08.810 always going to be perfect for your 00:05:08.810 --> 00:05:10.700 environment, and so as a general rule, 00:05:10.700 --> 00:05:12.479 they're there as a guidance. Use them 00:05:12.479 --> 00:05:14.780 when they make sense, turn one on, test it, 00:05:14.780 --> 00:05:17.160 see how it works. If it doesn't, modify it, 00:05:17.160 --> 00:05:19.019 and typically you'll just clone the 00:05:19.019 --> 00:05:21.120 correlation search and build your own. 00:05:21.120 --> 00:05:23.080 Anyway, enough talking about that, let's 00:05:23.080 --> 00:05:24.840 talk about actually building my own 00:05:24.840 --> 00:05:27.539 correlation search. So I'm in 'configure 00:05:27.539 --> 00:05:30.130 content' and I went to 'content management'. 00:05:30.130 --> 00:05:32.260 If I do 'create new content', that's how 00:05:32.260 --> 00:05:34.700 I'm going to build one. And so we're 00:05:34.700 --> 00:05:36.130 going to create a new content, 00:05:36.130 --> 00:05:38.949 we're going to make a correlation search. 00:05:38.949 --> 00:05:43.111 This is the way that I do correlation searches. 
00:05:43.111 --> 00:05:44.160 That doesn't mean it's the way 00:05:44.160 --> 00:05:46.132 that it has to be done, but it's the way it works for me. 00:05:46.132 --> 00:05:47.520 I'm going to call this, I 00:05:47.520 --> 00:05:49.420 would hopefully have a much better name 00:05:49.420 --> 00:05:52.460 for this, but I'm going to do 'YouTube 00:05:52.460 --> 00:05:56.460 Correlation Search'. 00:06:00.740 --> 00:06:02.790 Horrible name, because someone who comes 00:06:02.790 --> 00:06:04.993 across this will have no idea what it's 00:06:04.993 --> 00:06:06.539 for, but for me, when I need to purge 00:06:06.539 --> 00:06:08.460 stuff from my system, it's really easy 00:06:08.460 --> 00:06:09.710 and it stands out. So I'm going to put it 00:06:09.710 --> 00:06:12.000 that way. Then here in my description, I'm 00:06:12.000 --> 00:06:14.820 going to go... 00:06:14.820 --> 00:06:19.189 'Grab one event from network logs'. 00:06:20.580 --> 00:06:22.139 I'm not actually going to build 00:06:22.139 --> 00:06:23.730 something that I'm looking for. 00:06:23.730 --> 00:06:25.410 That's not the point of this video. 00:06:25.410 --> 00:06:27.540 I'm just showing how to build one, and I want 00:06:27.540 --> 00:06:30.840 them to always fire, so I'm going to 00:06:30.840 --> 00:06:32.900 fudge the numbers so that I always 00:06:32.900 --> 00:06:35.270 get what I want. And so the first thing I 00:06:35.270 --> 00:06:36.720 do is I don't try to build a search 00:06:36.720 --> 00:06:38.520 through here. You can use a guided. 00:06:38.520 --> 00:06:41.020 Guided's cool, it'll allow you it'll pick 00:06:41.020 --> 00:06:43.139 data models, you can pick fields from it, 00:06:43.139 --> 00:06:45.510 so if I enable the guided mode, you'll 00:06:45.510 --> 00:06:47.460 see the data, it'll say alright, what 00:06:47.460 --> 00:06:49.520 data model do you want to look at? 00:06:49.520 --> 00:06:52.460 I might come down to 'network traffic'... 
00:06:52.460 --> 00:06:55.325 and what data set do I want to use... 00:06:55.325 --> 00:06:58.782 'all traffic'. Do I want to use 'summaries only'? 00:06:58.782 --> 00:07:01.080 I'll discuss summaries only later 00:07:01.080 --> 00:07:04.199 this is not the place for it. Time range. 00:07:04.199 --> 00:07:07.560 And there is your basic query. I can run 00:07:07.560 --> 00:07:10.179 the search and see how it looks. 00:07:10.179 --> 00:07:12.979 Then I'm going to hit 00:07:13.700 --> 00:07:18.539 'filter', and filter would be like 00:07:18.539 --> 00:07:22.400 All.Traffic... 00:07:23.460 --> 00:07:28.740 AllTraffic.destIP... 00:07:28.740 --> 00:07:30.720 oh. 00:07:30.720 --> 00:07:34.099 it's a boolean. Where... 00:07:34.560 --> 00:07:36.530 and I actually don't know how to make 00:07:36.530 --> 00:07:40.220 this work. All_Traffic... 00:07:42.630 --> 00:07:44.659 I'd have to go look this up. Well that's 00:07:44.659 --> 00:07:46.380 not very good...helpful there. The point is, 00:07:46.380 --> 00:07:47.510 I'm not actually going through the 00:07:47.510 --> 00:07:49.560 guided search tour. I'm going to stay 00:07:49.560 --> 00:07:51.590 right here with a manual query where I 00:07:51.590 --> 00:07:54.120 can write it. It does have guided, again, 00:07:54.120 --> 00:07:55.500 you got to understand exactly what 00:07:55.500 --> 00:07:57.270 you're pulling. Guided is nice if you 00:07:57.270 --> 00:07:59.780 know, follow the docs. I'm not here for 00:07:59.780 --> 00:08:01.919 following the docs, I'm here to take a 00:08:01.919 --> 00:08:04.129 query. This is my home network. I'm going 00:08:04.129 --> 00:08:05.520 to look at the Corelight logs. I'm going 00:08:05.520 --> 00:08:07.360 to look at my Corelight conn logs. I'm 00:08:07.360 --> 00:08:10.160 going to say...where source IP is 00:08:10.160 --> 00:08:13.259 192.168.0.*. 
That is only so I make 00:08:13.259 --> 00:08:15.180 sure that I'm looking at a specific 00:08:15.180 --> 00:08:17.639 subnet section of my network. This is 00:08:17.639 --> 00:08:20.520 primarily my network designed for doing 00:08:20.520 --> 00:08:23.819 Splunk videos, and so this isn't my... 00:08:23.819 --> 00:08:25.379 this is part of my home network, but it's 00:08:25.379 --> 00:08:28.139 a subnet on my network that I use for 00:08:28.139 --> 00:08:31.490 testing, pen testing, setup of systems 00:08:31.490 --> 00:08:33.300 that I tear up and pick up and tear down, 00:08:33.300 --> 00:08:35.169 and so I just want to know what they're 00:08:35.169 --> 00:08:37.260 doing. And so I wanted the source IP 00:08:37.260 --> 00:08:38.868 Maybe you don't want the source IP. 00:08:38.868 --> 00:08:40.310 All I really cared about though, is I just 00:08:40.310 --> 00:08:42.289 wanted this, because ultimately, later 00:08:42.289 --> 00:08:44.229 down, I'm going to do inventory, and I'm 00:08:44.229 --> 00:08:46.090 going to have a very simple inventory of 00:08:46.090 --> 00:08:48.290 that subnet, and so I only want IPs that 00:08:48.290 --> 00:08:50.700 at least one piece of the data 00:08:50.700 --> 00:08:53.469 ties to my inventory. And so, as you can 00:08:53.469 --> 00:08:55.550 see, this here has nothing to do with my 00:08:55.550 --> 00:08:58.190 network, but this one does. And I'm going 00:08:58.190 --> 00:09:00.250 to do a head 1, because I don't 00:09:00.250 --> 00:09:02.760 want lots and lots of results. 00:09:02.760 --> 00:09:05.459 Basically, I want a query 00:09:05.459 --> 00:09:07.140 and I'm always going to return one 00:09:07.140 --> 00:09:09.800 result...and that's what I built. 00:09:09.800 --> 00:09:12.000 This isn't bad. This isn't actually a 00:09:12.000 --> 00:09:13.980 known bad, I just wanted data to come 00:09:13.980 --> 00:09:16.200 back, so then I can put other stuff on it. 
00:09:16.200 --> 00:09:18.660 I'm doing this as a demo for you guys to 00:09:18.660 --> 00:09:21.300 understand how 00:09:21.300 --> 00:09:23.409 to build a query. You would want to build 00:09:23.409 --> 00:09:25.140 a query that actually is looking for 00:09:25.140 --> 00:09:27.300 something malicious. Right now, I just 00:09:27.300 --> 00:09:30.120 want a query to return a result, so that 00:09:30.120 --> 00:09:32.120 I can...when I do my next video about 00:09:32.120 --> 00:09:34.940 triage and the triage system, there are 00:09:34.940 --> 00:09:37.450 actually tickets coming in. If I write a 00:09:37.450 --> 00:09:39.330 query that's looking for bad, well, that 00:09:39.330 --> 00:09:41.100 bad better be occurring on my network or 00:09:41.100 --> 00:09:43.019 it's not going to fire. And so it's a lot 00:09:43.019 --> 00:09:44.289 harder to troubleshoot if the thing is 00:09:44.289 --> 00:09:45.899 working if you're building queries right, 00:09:45.899 --> 00:09:48.202 If you build something that isn't... 00:09:48.202 --> 00:09:50.330 you hope to not actually see on your network. 00:09:50.330 --> 00:09:52.660 So I actually hope to see Corelight conn logs. 00:09:52.660 --> 00:09:54.370 I sure hope so. That means my 00:09:54.370 --> 00:09:56.400 network has traffic. Anyway, and I'm just 00:09:56.400 --> 00:09:57.699 going to put the head 1, because I only 00:09:57.699 --> 00:10:00.200 want it to create one alert. If I let it 00:10:00.200 --> 00:10:02.090 come back, it's every event that comes 00:10:02.090 --> 00:10:04.650 back in here would be a notable alert. 00:10:04.650 --> 00:10:07.842 I don't want my triage system getting inundated. 00:10:07.842 --> 00:10:09.959 So I'm just going to do this head 1. 00:10:09.959 --> 00:10:11.940 Now I'm going to map it. I'm going to go 00:10:11.940 --> 00:10:15.000 to MITRE, and I'm going to 00:10:15.000 --> 00:10:17.640 put in some 00:10:17.640 --> 00:10:20.279 techniques. So I'm going to go 'T1143'. 
I 00:10:20.279 --> 00:10:21.600 actually can't remember what all these 00:10:21.600 --> 00:10:23.459 mean off the top of my head. You can go 00:10:23.459 --> 00:10:26.289 look them up. I'm going to say this, and 00:10:26.289 --> 00:10:28.800 this has no basis whatsoever, but 00:10:28.800 --> 00:10:30.669 again, these videos are 00:10:30.669 --> 00:10:32.700 going to build on themselves. And so I'm 00:10:32.700 --> 00:10:34.840 building these MITRE ATT&CK techniques so when I 00:10:34.840 --> 00:10:37.440 go to the RBA section of this video 00:10:37.440 --> 00:10:40.430 playlist, you'll see how it maps all the 00:10:40.430 --> 00:10:42.420 different techniques together. And so I'm 00:10:42.420 --> 00:10:45.360 going to put this down here, 00:10:45.360 --> 00:10:49.019 and actually, because I want this to work on 00:10:49.019 --> 00:10:50.840 my system, I'm going to actually do... 00:10:50.840 --> 00:10:53.579 I want it always to be 0.128, 00:10:53.579 --> 00:10:57.240 that way I'm only going to get alerts 00:10:57.240 --> 00:10:59.190 that are relating to this system. 00:10:59.190 --> 00:11:01.820 That means my risk-based approach will cross 00:11:01.820 --> 00:11:03.779 the threshold. That actually makes a lot 00:11:03.779 --> 00:11:06.230 more sense for me. I'll explain that when 00:11:06.230 --> 00:11:08.640 we actually get to RBA, but basically, I'm 00:11:08.640 --> 00:11:12.029 going to give me... give me an alert every time 00:11:12.029 --> 00:11:15.420 0.128 is the source of network traffic. 00:11:15.420 --> 00:11:17.920 And that should fire off quite frequently. 00:11:19.320 --> 00:11:21.480 Ignore the picture up in the top. 00:11:21.480 --> 00:11:23.940 We're just going to move on. Head 1. 00:11:23.940 --> 00:11:26.330 My videos are done rendering. Anyway, so I'm going 00:11:26.330 --> 00:11:29.379 to map it to these TTPs. 
Again, this is 00:11:29.379 --> 00:11:31.380 all for demo purposes, so I just pick 00:11:31.380 --> 00:11:35.580 some TTPs, and I can come down here and 00:11:35.580 --> 00:11:38.659 I can put a confidence score, an impact score, 00:11:38.659 --> 00:11:40.520 context, analytics, we're just gonna 00:11:40.520 --> 00:11:41.760 leave that alone for now. 00:11:41.760 --> 00:11:43.615 I can create my own framework 00:11:43.615 --> 00:11:45.070 And now here it's going to say 00:11:45.070 --> 00:11:47.059 how far back do I want to look? Do I 00:11:47.059 --> 00:11:48.138 want to look back 24 hours? 00:11:48.138 --> 00:11:49.690 I could, but I know how often 00:11:49.690 --> 00:11:51.140 my logs are firing. I'm going 00:11:51.140 --> 00:11:53.160 to look back one hour. Doesn't really 00:11:53.160 --> 00:11:55.319 matter, because I'm just grabbing head 1. 00:11:55.319 --> 00:11:59.149 And...I have...I probably get 00:11:59.149 --> 00:12:01.590 hundreds of events every...probably 00:12:01.590 --> 00:12:03.600 thousands of events every hour 00:12:03.600 --> 00:12:06.210 on this particular subnet. And so it's 00:12:06.210 --> 00:12:07.500 not going to be a problem getting data. 00:12:07.500 --> 00:12:09.270 I'm going to go look back one hour to 00:12:09.270 --> 00:12:11.579 now. And how often do I want it to run? 00:12:11.579 --> 00:12:13.260 You know what? I'm going to let it run 00:12:13.260 --> 00:12:16.090 every five minutes. And that's going to 00:12:16.090 --> 00:12:17.760 be important so that I actually have 00:12:17.760 --> 00:12:20.911 events. And that'll work. 00:12:20.911 --> 00:12:23.459 I'm going to come down here, and I'm going to say do I 00:12:23.459 --> 00:12:25.380 want it to run as real time or 00:12:25.380 --> 00:12:28.560 continuous. We'll just leave it at its default. 00:12:28.560 --> 00:12:30.899 What's my scheduling window? 
Again, 00:12:30.899 --> 00:12:33.330 these are...I'm not going over these, this 00:12:33.330 --> 00:12:36.060 is just basically how you want to run 00:12:36.060 --> 00:12:37.590 your times. I'm going to run this 00:12:37.590 --> 00:12:39.420 every five minutes. Schedule priorities 00:12:39.420 --> 00:12:41.459 in case there's conflicts. Hopefully with 00:12:41.459 --> 00:12:43.260 your enterprise security, you actually do 00:12:43.260 --> 00:12:45.839 not overload your system so these become 00:12:45.839 --> 00:12:47.040 a big deal. 00:12:47.040 --> 00:12:48.660 Trigger conditions, number of results 00:12:48.660 --> 00:12:50.269 greater than zero, that's always going to 00:12:50.269 --> 00:12:51.660 be the case because I'm getting back one. 00:12:51.660 --> 00:12:53.820 But if I was doing this, if I want to do 00:12:53.820 --> 00:12:55.920 thresholds I could make it...the thing has 00:12:55.920 --> 00:12:58.440 to occur at least 10 times, or 15 times, 00:12:58.440 --> 00:13:01.320 or whatever. Then window duration, 00:13:01.320 --> 00:13:03.999 fields to group by...that's it. That's all 00:13:03.999 --> 00:13:06.540 I want to deal with. Really, the only 00:13:06.540 --> 00:13:08.519 places I played around with this is I wrote 00:13:08.519 --> 00:13:10.840 a query in the most basic format to get 00:13:10.840 --> 00:13:13.070 your correlation searches going. Pick a 00:13:13.070 --> 00:13:15.839 search. I would tie it to an annotation, 00:13:15.839 --> 00:13:18.278 but you don't have to, not required. 00:13:18.278 --> 00:13:20.243 You come down, here pick your time window, 00:13:20.243 --> 00:13:22.120 these three boxes, how far back do you 00:13:22.120 --> 00:13:24.120 want to look, latest time, earliest time, 00:13:24.120 --> 00:13:26.369 and your cron schedule, and then you 00:13:26.369 --> 00:13:27.779 really don't have to touch anything else, 00:13:27.779 --> 00:13:31.510 except this 'add adaptive response'. 
I'm 00:13:31.510 --> 00:13:33.140 going to come and modify this in a 00:13:33.140 --> 00:13:35.700 minute. There is, when we talk about RBA, 00:13:35.700 --> 00:13:37.780 I'm going to put a risk analysis. For the 00:13:37.780 --> 00:13:40.090 sake of keeping this simple, I am only 00:13:40.090 --> 00:13:41.459 going to do 00:13:41.459 --> 00:13:43.600 notables for now. So I'm going to come in 00:13:43.600 --> 00:13:45.070 here and I'm going to click a notable. 00:13:45.070 --> 00:13:47.220 A notable is an alert that goes to 00:13:47.220 --> 00:13:48.779 your triage system. 00:13:48.779 --> 00:13:52.260 Gonna go...'YouTube 00:13:52.260 --> 00:13:55.440 notable'. Give it a description. 00:13:55.440 --> 00:13:57.899 I can actually use... 00:13:59.820 --> 00:14:01.980 variable substitution, so I'm going to do 00:14:01.980 --> 00:14:05.830 'Alert for $src_ip$'. 00:14:05.830 --> 00:14:07.618 I need to make sure that field comes 00:14:07.618 --> 00:14:10.860 back, and this does have a source IP, so I 00:14:10.860 --> 00:14:12.720 can use it, and you just call it like you 00:14:12.720 --> 00:14:15.180 do with the dollar sign on both sides 00:14:15.180 --> 00:14:17.339 of a variable, and that'll be dynamic. And 00:14:17.339 --> 00:14:19.680 so my description will come back with 00:14:19.680 --> 00:14:22.680 this. And just because I 00:14:22.680 --> 00:14:24.679 want to, what if I...yeah, we'll just 00:14:24.679 --> 00:14:26.220 leave it at that. 00:14:26.220 --> 00:14:29.160 YouTube notable security domain. There 00:14:29.160 --> 00:14:31.430 are a bunch of domains. This is dealing 00:14:31.430 --> 00:14:33.600 with access areas, that would be 00:14:33.600 --> 00:14:35.880 authentication, endpoint, a lot of your 00:14:35.880 --> 00:14:39.420 host logs, network logs, threat, identity, 00:14:39.420 --> 00:14:41.459 and audit. And so those are the six areas 00:14:41.459 --> 00:14:43.880 Splunk has as security domains. We'll 00:14:43.880 --> 00:14:47.579 just leave it as a... 
we'll put as a network. 00:14:47.579 --> 00:14:49.680 In the network domain, I'm going to put 00:14:49.680 --> 00:14:52.579 the severity 00:14:53.899 --> 00:14:56.300 as low. 00:14:56.300 --> 00:14:59.430 And default owner, I can put in these, 00:14:59.430 --> 00:15:01.560 I can leave it unassigned. 00:15:01.560 --> 00:15:03.700 I'm going to put it as unassigned to start with. 00:15:03.700 --> 00:15:05.100 Again, you don't have to. 00:15:05.100 --> 00:15:09.120 Default status, I'm going to put it as unassigned. 00:15:09.120 --> 00:15:11.379 And I could put a drill down search in 00:15:11.379 --> 00:15:15.079 there, and let's do that. 00:15:15.480 --> 00:15:17.880 We're going to take this very same query. 00:15:17.880 --> 00:15:19.930 Just to keep things really simple, one of 00:15:19.930 --> 00:15:23.519 the very first drill downs I want to put in there 00:15:23.519 --> 00:15:25.920 is the actual query 00:15:25.920 --> 00:15:28.680 that created this log. 00:15:28.680 --> 00:15:30.899 But in this case, I'm not going to put 00:15:30.899 --> 00:15:32.800 head 1, I'm going to put...I'm going to 00:15:32.800 --> 00:15:34.380 take the head out. 00:15:34.380 --> 00:15:36.320 Oh, it looks like I've lost the 128 on 00:15:36.320 --> 00:15:38.940 there. 128. 00:15:38.940 --> 00:15:41.459 Make sure 128 is up here. 00:15:41.459 --> 00:15:44.399 Yeah, it is. Okay, and I can choose... 00:15:44.399 --> 00:15:46.500 the drill down search will be 00:15:46.500 --> 00:15:49.160 'See... 00:15:49.260 --> 00:15:53.880 what caused alert'. 00:15:55.079 --> 00:15:56.880 There are other ways of doing this I'll 00:15:56.880 --> 00:15:58.019 show, but I'm just going to 00:15:58.019 --> 00:15:59.860 create a few add drill down searches. 00:15:59.860 --> 00:16:02.459 And here, we're going to just do 00:16:04.560 --> 00:16:07.560 'why does 00:16:07.560 --> 00:16:10.399 this 00:16:10.459 --> 00:16:14.000 drilldown exist'. 00:16:14.880 --> 00:16:17.579 I just want to show I can go search anything. 
00:16:17.579 --> 00:16:21.199 'Index equals internal'. 00:16:21.199 --> 00:16:22.800 Why would you be looking at your 00:16:22.800 --> 00:16:26.279 internal logs? It doesn't really matter. 00:16:28.260 --> 00:16:30.040 Well, actually, let's just do this. 00:16:30.040 --> 00:16:33.370 I'm going to put in '$src_ip$'. 00:16:33.370 --> 00:16:35.319 So I'm basically looking in my internal 00:16:35.319 --> 00:16:37.139 logs, and I'm going to see if I find that 00:16:37.139 --> 00:16:40.039 IP address popping up. It's just kind 00:16:40.039 --> 00:16:41.820 of an interesting way you can add 00:16:41.820 --> 00:16:45.660 additional searches to your information. 00:16:46.500 --> 00:16:48.360 So I'm going to be searching my internal 00:16:48.360 --> 00:16:50.459 logs for the source IP. 00:16:50.459 --> 00:16:53.160 And I hope you saw this earliest offset, 00:16:53.160 --> 00:16:56.099 latest offset. You can change this, or you 00:16:56.099 --> 00:16:57.759 can you can let it just go by its 00:16:57.759 --> 00:16:59.920 default. Or you can say, for here I'm 00:16:59.920 --> 00:17:01.139 going to go 00:17:01.139 --> 00:17:06.480 plus, this is a earliest, for example, one hour 00:17:06.480 --> 00:17:10.520 and I'm going to leave the other one as zero. 00:17:10.559 --> 00:17:12.456 Does that make sense? So I hope 00:17:12.456 --> 00:17:14.640 this helps. I can change my time. 00:17:14.640 --> 00:17:16.439 It's basically going to look in this 00:17:16.439 --> 00:17:22.220 window one hour back, based off of 00:17:25.079 --> 00:17:27.780 the time this event occurred. 00:17:27.780 --> 00:17:29.140 So this might actually look a little bit 00:17:29.140 --> 00:17:30.280 in the future, this is gonna look a little bit 00:17:30.280 --> 00:17:31.100 in the future. 00:17:31.100 --> 00:17:32.316 It's going to use time in the back. 00:17:32.316 --> 00:17:35.299 So let's go... 00:17:35.960 --> 00:17:37.440 we're going to go one hour.... 
00:17:37.440 --> 00:17:40.220 this is going to go one hour in the 00:17:40.220 --> 00:17:43.320 future and one hour in the past. 00:17:43.320 --> 00:17:45.640 Sounds good. I'm going to leave my 00:17:45.640 --> 00:17:48.080 investigation profile alone. And these 00:17:48.080 --> 00:17:50.690 are...extractions, and what it's 00:17:50.690 --> 00:17:52.440 going to do is it's going to 00:17:52.440 --> 00:17:55.919 identify identities, these are users 00:17:55.919 --> 00:17:57.240 and stuff like that on your network. 00:17:57.240 --> 00:18:00.240 Assets would be like IPs, and machines, 00:18:00.240 --> 00:18:02.840 and files, and URLs that it might have 00:18:02.840 --> 00:18:06.020 found. I'm going to...we got assets here. 00:18:06.020 --> 00:18:08.760 Source dest. 00:18:08.760 --> 00:18:10.390 Does my log, do my logs contain 00:18:10.390 --> 00:18:11.760 source and dest? 00:18:11.760 --> 00:18:14.940 Well, let's go look. Had one, do I actually 00:18:14.940 --> 00:18:18.200 have a source and a dest here? 00:18:18.299 --> 00:18:20.589 I have a source IP, but no source. 00:18:20.589 --> 00:18:23.270 So I don't have the field it's looking for to 00:18:23.270 --> 00:18:25.240 be able to identify it. So what I need to 00:18:25.240 --> 00:18:27.960 do is I need to come in here, and I'm going to go 00:18:27.960 --> 00:18:30.780 '$src_ip$', 00:18:30.780 --> 00:18:33.539 except it's on identity. 00:18:33.539 --> 00:18:35.760 The identity...it's an asset so I'm going, 00:18:35.760 --> 00:18:36.880 to come in here and I'm going to go 00:18:36.880 --> 00:18:39.679 'source IP'. 00:18:40.400 --> 00:18:43.120 And just because we might 00:18:43.120 --> 00:18:46.010 want to identify the other 00:18:46.010 --> 00:18:47.061 machine in question. 00:18:47.061 --> 00:18:49.176 We're going to put dest IP in there as well. 00:18:49.176 --> 00:18:50.792 So I'm going to have my source IP 00:18:50.792 --> 00:18:52.260 and my destination IP. 
00:18:52.260 --> 00:18:53.959 They're going to be assets that are 00:18:53.959 --> 00:18:56.100 extracted. And that's all I'm going to do. 00:18:56.100 --> 00:18:57.539 I just want to make sure that 00:18:57.539 --> 00:18:59.850 anything that might be identifiable in 00:18:59.850 --> 00:19:01.359 these queries...not these queries, 00:19:01.359 --> 00:19:03.733 the query up here. Let's call them out. 00:19:03.733 --> 00:19:05.630 And I hope all this will make more sense as 00:19:05.630 --> 00:19:07.380 you actually see the stuff come back. 00:19:07.380 --> 00:19:09.360 There's just a lot of capabilities here. 00:19:09.360 --> 00:19:12.760 I can write steps if I want to, I can set 00:19:12.760 --> 00:19:14.720 things up to, for example, send an 00:19:14.720 --> 00:19:17.640 email, stream capture if you have 00:19:17.640 --> 00:19:20.230 Splunk Stream, nbtstat and it's... 00:19:20.230 --> 00:19:21.600 You can make your system do a lot of 00:19:21.600 --> 00:19:23.720 things. Like, I could have Splunk go ping 00:19:23.720 --> 00:19:26.220 an IP address. You know what? 00:19:26.220 --> 00:19:28.350 In a little bit, I'll actually show me 00:19:28.350 --> 00:19:30.140 doing that. I can have it do a risk 00:19:30.140 --> 00:19:32.290 analysis, run a script, send a UBA, send a 00:19:32.290 --> 00:19:34.110 Splunk mobile. Splunk mobile is really 00:19:34.110 --> 00:19:36.670 cool. Now it's being sent to my phone. Add 00:19:36.670 --> 00:19:38.760 threat intelligence from it, web hooks, 00:19:38.760 --> 00:19:40.860 whatever. You have a lots of capabilities, 00:19:40.860 --> 00:19:43.569 don't need to do it. 
The minimum you 00:19:43.569 --> 00:19:45.120 need for a notable: 00:19:45.120 --> 00:19:48.059 title, description, 00:19:48.059 --> 00:19:50.100 you don't even need these drilldowns, 00:19:50.100 --> 00:19:52.320 you can let this be set as default, 00:19:52.320 --> 00:19:54.280 probably should pick a security domain, 00:19:54.280 --> 00:19:57.530 and literally, that's it. Make sure...it's a 00:19:57.530 --> 00:19:59.390 lot more helpful if you can identify 00:19:59.390 --> 00:20:01.140 your stuff coming back as identities and 00:20:01.140 --> 00:20:03.059 sources. And I'm going to show you that 00:20:03.059 --> 00:20:05.720 in the next video with workbenches and 00:20:05.720 --> 00:20:07.799 stuff like that, but for the sake of this, 00:20:07.799 --> 00:20:09.299 don't worry about it. 00:20:09.299 --> 00:20:10.799 Just know that it's good if you 00:20:10.799 --> 00:20:12.600 can call it out, but if you don't, 00:20:12.600 --> 00:20:14.580 it's not like the query will break. 00:20:14.580 --> 00:20:17.539 I'm going to hit save, 00:20:18.299 --> 00:20:20.570 and I should have a correlation search done. 00:20:20.570 --> 00:20:22.070 Now I'm going to have to wait. 00:20:22.070 --> 00:20:24.780 I probably just missed my window. It's 00:20:24.780 --> 00:20:28.500 supposed to be kicking off five minutes after the hour, 00:20:28.500 --> 00:20:30.840 so I can almost guarantee that if I come 00:20:30.840 --> 00:20:35.400 to incident review, I will not find an alert 00:20:35.400 --> 00:20:38.640 called 'YouTube notable'. 00:20:38.640 --> 00:20:40.513 I'm gonna have to wait 'til five more 00:20:40.513 --> 00:20:42.920 minutes go by, but let's go ahead and 00:20:42.920 --> 00:20:44.690 check that. So I can come down, I can 00:20:44.690 --> 00:20:47.460 refresh the page here, or I can refresh 00:20:47.460 --> 00:20:50.300 the page here. 
But either way, the purpose of this video is not 00:20:50.300 --> 00:20:52.380 to look at 00:20:52.380 --> 00:20:54.349 the incidents coming in. Mine was to talk 00:20:54.349 --> 00:20:56.120 about correlation searches and how to 00:20:56.120 --> 00:20:58.320 make my own. I have set up a correlation 00:20:58.320 --> 00:21:01.250 search, and so I've accomplished my task. 00:21:01.250 --> 00:21:03.120 I'm gonna come see it here 00:21:03.120 --> 00:21:06.960 with 'configure', 'content'. 00:21:06.960 --> 00:21:10.049 Configure, content, content management. 00:21:10.049 --> 00:21:12.942 My new correlation search is in here. 00:21:12.942 --> 00:21:16.850 We can see that when I go 'all correlation search'... 00:21:16.850 --> 00:21:18.651 And when you create them, by default, 00:21:18.651 --> 00:21:20.700 they are enabled. 00:21:20.700 --> 00:21:24.000 So if I come in here and I enable, 00:21:24.000 --> 00:21:26.806 I can see 'YouTube correlation search' for Lame Creations. 00:21:26.806 --> 00:21:29.700 If I want to make any changes to it, 00:21:29.700 --> 00:21:32.049 I just hit search. Now, that's interesting 00:21:32.049 --> 00:21:35.840 that it doesn't say that it's actually scheduled. 00:21:40.740 --> 00:21:42.780 Alright, well, probably because it 00:21:42.780 --> 00:21:44.940 hasn't run the very first time. Once it 00:21:44.940 --> 00:21:47.039 runs, I should see 00:21:47.039 --> 00:21:49.360 here the next schedule time. 00:21:49.360 --> 00:21:50.579 But it's really easy, 00:21:50.579 --> 00:21:53.900 just keep it under the enabled 00:21:54.539 --> 00:21:58.140 and correlation searches. 00:21:58.140 --> 00:22:00.496 So...yep, there it is. 00:22:00.496 --> 00:22:02.814 Now I've got a time for the next scheduled time. 00:22:02.814 --> 00:22:04.484 stored in the Enterprise Security app. 00:22:04.484 --> 00:22:05.668 What have we covered? 
00:22:05.668 --> 00:22:07.539 We've talked about correlation searches, 00:22:07.539 --> 00:22:09.179 what they are, they're safe 00:22:09.179 --> 00:22:11.640 searches that can be used to create 00:22:11.640 --> 00:22:15.430 notables. Notables fill out tickets that 00:22:15.430 --> 00:22:17.760 will go into a ticket triaging 00:22:17.760 --> 00:22:19.620 system, which we will cover in the next 00:22:19.620 --> 00:22:21.520 video in this playlist. Please look at 00:22:21.520 --> 00:22:23.280 the link below, notice that this is a 00:22:23.280 --> 00:22:25.140 playlist. Go ahead and join the playlist 00:22:25.140 --> 00:22:27.299 and watch the videos. This is meant to be 00:22:27.299 --> 00:22:29.360 a comprehensive training to help you 00:22:29.360 --> 00:22:31.620 understand enterprise security. 00:22:32.220 --> 00:22:34.830 Click that link. We have now...I've 00:22:34.830 --> 00:22:36.480 shown you how to see the correlation 00:22:36.480 --> 00:22:38.159 searches that come out of the box, and I've 00:22:38.159 --> 00:22:40.080 shown you how to create your own from 00:22:40.080 --> 00:22:42.249 scratch. I hope this has been helpful, I 00:22:42.249 --> 00:22:44.299 hope this helps you move from being a 00:22:44.299 --> 00:22:47.490 lame analyst to a Splunk Ninja, that 00:22:47.490 --> 00:22:49.140 you'll keep following, particularly this 00:22:49.140 --> 00:22:51.120 playlist, watch the videos in it, and that 00:22:51.120 --> 00:22:51.749 they're helpful. 00:22:51.749 --> 00:22:55.000 Anyway, hope to see you around.