Splunk Enterprise Security Free Training | Correlation Searches

Rollback to version 1

0:02 - 0:04

foreign
0:04 - 0:11

[Music]
0:11 - 0:15

welcome to my Enterprise security uh
0:15 - 0:17

video playlist this time we're going to
0:17 - 0:20

be covering correlation searches this is
0:20 - 0:23

a fancy word for a safe search that
0:23 - 0:26

creates an alert that's really what it
0:26 - 0:29

comes down to they call them notables
0:29 - 0:31

there's a lot of terminology involved
0:31 - 0:33

but the ultimate concept is a
0:33 - 0:36

correlation search is a search that
0:36 - 0:39

fires off at predefined periods of time
0:39 - 0:40

maybe every five minutes every hour
0:40 - 0:43

searches back across your logs for
0:43 - 0:45

certain behaviors and if it sees it it
0:45 - 0:48

creates a it creates an alert you can
0:48 - 0:51

make it create a notable technically it
0:51 - 0:52

doesn't have to create a notable and
0:52 - 0:55

I'll explain how that works but it's
0:55 - 0:57

really just just save search so let's go
0:57 - 0:58

break right into Enterprise security and
0:58 - 1:00

let's talk about that
1:00 - 1:02

so I come into Enterprise security we're
1:02 - 1:04

going to show what is already outcomes
1:04 - 1:07

out of the box so if I go configure I'm
1:07 - 1:09

in my Enterprise security and I come
1:09 - 1:10

into
1:10 - 1:13

content and I go to content management
1:13 - 1:16

these are all the knowledge objects that
1:16 - 1:19

come with Enterprise security and I'm
1:19 - 1:22

going to flip this to a correlation
1:22 - 1:24

search
1:25 - 1:28

I click that
1:28 - 1:30

we can see that it's going to come back
1:30 - 1:33

with lots and lots of results 58 Pages
1:33 - 1:39

plus of them and multiple to a page you
1:39 - 1:41

can read this so I I'm just going to go
1:41 - 1:44

to the very first one and this is
1:44 - 1:46

abnormally High number of endpoint
1:46 - 1:50

changes by a user if I go and open this
1:50 - 1:52

up a little bit
1:52 - 1:54

detection abnormally hard number of
1:54 - 1:56

endpoint change by user account as it
1:56 - 1:58

relate to restart audits file system
1:58 - 2:01

user registry notifications if I go into
2:01 - 2:02

this
2:02 - 2:04

I'm actually going to be able to see
2:04 - 2:07

the query I'm not going to go explain it
2:07 - 2:08

because I can already tell you it's
2:08 - 2:09

probably going to be written with lots
2:09 - 2:13

of data models and macros but out of the
2:13 - 2:16

box you can see here's the query and
2:16 - 2:17

it's basically it's going to look at
2:17 - 2:19

your data model you'll hear me talk
2:19 - 2:22

about data models I've discussed data
2:22 - 2:23

model but this is going to be the
2:23 - 2:25

endpoint data model and it's going to
2:25 - 2:28

look at file systems for changes by the
2:28 - 2:29

user it's going to do a bunch of other
2:29 - 2:30

things that ultimately it's going to
2:30 - 2:33

come back and say if you meet a certain
2:33 - 2:35

criteria and you can see that it's
2:35 - 2:36

actually using the machine learning
2:36 - 2:39

toolkit so down here it's actually
2:39 - 2:41

building a threshold saying what is the
2:41 - 2:44

normal amount of use of changes and is
2:44 - 2:46

it jumping out of that at normal level
2:46 - 2:49

it's really cool put some really cool uh
2:49 - 2:52

analytics out there for you you can just
2:52 - 2:56

use what they've got what I love is I
2:56 - 2:57

don't want to I don't want to I hear oh
2:57 - 3:00

well aren't correlation searches
3:00 - 3:03

attached to now Frameworks well you can
3:03 - 3:05

see the very first ones sometimes they
3:05 - 3:07

are but here these are Frameworks I've
3:07 - 3:09

heard this in my own work well they're
3:09 - 3:12

all mapped to the miter well
3:12 - 3:15

are they I'll just grab the very first
3:15 - 3:17

one and there's no miter technique
3:17 - 3:20

mapped what should it be well there's a
3:20 - 3:23

lot of things that could cause a miter
3:23 - 3:26

technique to uh if there's endpoint
3:26 - 3:27

changes it could be many different types
3:27 - 3:30

of tact then I'll have a mapped you
3:30 - 3:31

could come in here and you could map it
3:31 - 3:34

we'll discuss that later but point is we
3:34 - 3:36

come down here uh
3:36 - 3:38

make that go away that's all
3:38 - 3:40

we can see that it's looking back 1450
3:40 - 3:44

minutes and the latest time is zero this
3:44 - 3:48

runs at five after the hour that's how I
3:48 - 3:51

read that five after the hour
3:51 - 3:53

um it's if the results are greater than
3:53 - 3:57

zero it groups by user and change type
3:57 - 4:00

and we see that it creates it does not
4:00 - 4:02

create a notable it actually just
4:02 - 4:04

provides a risk analysis and we'll
4:04 - 4:06

discuss risk analysis when we talk about
4:06 - 4:09

RBA but the point is you can make it do
4:09 - 4:10

a bunch of adaptive responses
4:10 - 4:12

I my job here is not to help you
4:12 - 4:14

understand every correlation search
4:14 - 4:16

comes out of the box I'm here to discuss
4:16 - 4:17

the part that most people don't know how
4:17 - 4:20

to do create your own so I've shown you
4:20 - 4:23

that you can go look through there's
4:23 - 4:26

uh the documentation on Splunk says 1400
4:26 - 4:29

plus I don't know how they Define what a
4:29 - 4:31

correlation search is I'm going to tell
4:31 - 4:35

you that it's it's it's a lot there's a
4:35 - 4:38

lot of them and by default
4:38 - 4:41

uh Enterprise security is smart they do
4:41 - 4:43

not come enabled if I look at the
4:43 - 4:46

enabled correlation searches
4:46 - 4:49

this is mine that I was using as I
4:49 - 4:50

started to help understand Enterprise
4:50 - 4:53

security and these two were turned on
4:53 - 4:55

and this is for risk-based approach
4:55 - 4:58

other than that there are no correlation
4:58 - 5:00

searches that come out of the box why
5:00 - 5:02

well one they don't want to turn
5:02 - 5:03

something on that doesn't fit your data
5:03 - 5:06

set to often you have to tweak them the
5:06 - 5:08

correlation search is great but it's not
5:08 - 5:09

always going to be perfect for your
5:09 - 5:11

environment and so as a general rule
5:11 - 5:12

they're there as a guidance use them
5:12 - 5:15

when they make sense turn one on test it
5:15 - 5:17

see how it works if it doesn't modify it
5:17 - 5:19

and typically you'll just clone the
5:19 - 5:21

correlation search and build your own
5:21 - 5:23

anyway enough talking about that let's
5:23 - 5:25

talk about actually building my own
5:25 - 5:28

correlation search so I'm in configure
5:28 - 5:30

content and I went to content management
5:30 - 5:32

if I do create new content that's how
5:32 - 5:35

I'm going to build one and so we're
5:35 - 5:36

going to create a new content we're
5:36 - 5:39

going to make a correlation search
5:39 - 5:42

this is the way that I do correlation
5:42 - 5:44

searches that doesn't mean it's the way
5:44 - 5:45

that has to be done but it's the way it
5:45 - 5:48

works for me I'm going to call this I
5:48 - 5:50

would hopefully have a much better name
5:50 - 5:52

for this but I'm going to do YouTube
5:52 - 5:56

correlation search
6:01 - 6:03

horrible name because someone who comes
6:03 - 6:05

across this will have no idea what it's
6:05 - 6:07

for but for me when I need to purchase
6:07 - 6:08

stuff from my system it's really easy
6:08 - 6:10

and it stands out so I'm going to put it
6:10 - 6:12

that way then here in my description I'm
6:12 - 6:14

going to go
6:14 - 6:15

um
6:15 - 6:20

grab one event from Network logs
6:21 - 6:22

I'm not actually going to build
6:22 - 6:24

something that I'm looking for that
6:24 - 6:26

that's not the point of this video I'm
6:26 - 6:28

just showing how to build one and I want
6:28 - 6:31

them to always fire so I'm going to
6:31 - 6:33

uh fudge the numbers so that I always
6:33 - 6:35

get what I want and so the first thing I
6:35 - 6:37

do is I don't try to build a search
6:37 - 6:39

through here you can use a guided
6:39 - 6:41

guidance cool it'll allow you it'll pick
6:41 - 6:43

data models you can pick fields from it
6:43 - 6:46

so if I enable the guided mode you'll
6:46 - 6:47

see the data it'll say all right what
6:47 - 6:50

data model do you want to look at I
6:50 - 6:52

might come down to network traffic
6:52 - 6:56

and what data set do I want to use all
6:56 - 6:58

traffic do I want to use summaries only
6:58 - 7:01

I'll discuss summaries only when later
7:01 - 7:04

this is not the place for it time range
7:04 - 7:08

and there is your basic query I can run
7:08 - 7:10

the search and see how it looks
7:10 - 7:13

um then I'm going to hit
7:13 - 7:19

filter and filter would be like
7:19 - 7:22

all DOT traffic
7:23 - 7:29

all traffic dot best IP
7:29 - 7:31

oh
7:31 - 7:34

it's a Boolean where
7:35 - 7:37

and I actually don't know how to make
7:37 - 7:40

this work all traffic Dot
7:43 - 7:45

I'd have to go look this up well that's
7:45 - 7:46

not very good helpful there the point is
7:46 - 7:48

I'm not actually going through the
7:48 - 7:50

guided search tour I'm going to stay
7:50 - 7:52

right here with a manual query where I
7:52 - 7:54

can write it it does have guided again
7:54 - 7:56

you got to understand exactly what
7:56 - 7:57

you're polling guided is nice if you
7:57 - 8:00

know follow the docs I'm not here for
8:00 - 8:02

following the docs I'm here to take a
8:02 - 8:04

query this is my home network I'm going
8:04 - 8:06

to look at the correlate logs I'm going
8:06 - 8:08

to look at my core light con logs I'm
8:08 - 8:10

going to say where Source IP is
8:10 - 8:13

192.1680.star that is only so I make
8:13 - 8:15

sure that I'm looking at a specific
8:15 - 8:18

subnet section of my network this is
8:18 - 8:21

primarily my network designed for doing
8:21 - 8:24

Splunk videos and so this isn't my whole
8:24 - 8:25

this is part of my home network but it's
8:25 - 8:28

a subnet on my network that I use for
8:28 - 8:32

testing pen testing setup of systems
8:32 - 8:33

that I tear up and pick up and tear down
8:33 - 8:35

and so I just want to know what they're
8:35 - 8:37

doing and so I wanted the source IP
8:37 - 8:39

maybe you don't want the source AP all I
8:39 - 8:40

really cared about though is I just
8:40 - 8:42

wanted this because ultimately later
8:42 - 8:44

down I'm going to do inventory and I'm
8:44 - 8:46

going to have a very simple inventory of
8:46 - 8:49

that subnet and so I only want IPS that
8:49 - 8:51

at least at least one piece of the data
8:51 - 8:54

ties to my inventory and so as you can
8:54 - 8:56

see this here has nothing to do with my
8:56 - 8:58

network but this one does and I'm going
8:58 - 9:01

to do a headwind one because I don't
9:01 - 9:03

want lots and lots of results
9:03 - 9:05

basically I want to query
9:05 - 9:07

and I'm always going to return one
9:07 - 9:10

result as long and that's what I built
9:10 - 9:12

this isn't bad this isn't actually a
9:12 - 9:14

known bad I just wanted data to come
9:14 - 9:16

back so then I can put other stuff on it
9:16 - 9:19

I'm doing this as a demo for you guys to
9:19 - 9:21

understand how
9:21 - 9:24

to build a query you would want to build
9:24 - 9:25

a query that actually is looking for
9:25 - 9:27

something malicious right now I just
9:27 - 9:30

want a query to return a result so that
9:30 - 9:32

I can when I do my next video about
9:32 - 9:35

triage and the triage system there are
9:35 - 9:38

actually tickets coming in if I write a
9:38 - 9:39

query that's looking for bad well that
9:39 - 9:41

bad better be occurring on my network or
9:41 - 9:43

it's not going to fire and so it's a lot
9:43 - 9:44

harder to troubleshoot if the thing is
9:44 - 9:46

working if you're building queries right
9:46 - 9:49

if you build something that isn't you
9:49 - 9:50

hope to not actually see on your network
9:50 - 9:52

so I actually hope to see correlatecon
9:52 - 9:54

logs I sure hope so that means my
9:54 - 9:57

network has traffic anyway and I'm just
9:57 - 9:58

going to put the head 1 because I only
9:58 - 10:00

wanted to create one alert if I let it
10:00 - 10:02

come back it's every event that comes
10:02 - 10:05

back in here would be a notable alert I
10:05 - 10:07

don't want my triage system getting
10:07 - 10:09

inundated so I'm just going to do this
10:09 - 10:10

head one
10:10 - 10:12

now I'm going to map it I'm going to go
10:12 - 10:15

to miter and I'm going to
10:15 - 10:18

put in some
10:18 - 10:20

tickets so I'm going to go t1143 I
10:20 - 10:22

actually can't remember what all these
10:22 - 10:23

mean off the top of my head you can go
10:23 - 10:27

look them up I'm going to say this and
10:27 - 10:29

this has note no bases whatsoever but
10:29 - 10:31

again it's this is this these videos are
10:31 - 10:33

going to build on themselves and so I'm
10:33 - 10:35

building these minor attacks so when I
10:35 - 10:37

go to the RBA section of this video
10:37 - 10:41

playlist you'll see how it maps all the
10:41 - 10:42

different techniques together and so I'm
10:42 - 10:45

going to put this down here and and
10:45 - 10:49

actually because I want this to work on
10:49 - 10:51

um my system I'm going to actually do I
10:51 - 10:54

want it always to be 0.128.
10:54 - 10:57

that way I'm only going to get alerts
10:57 - 11:00

that are relating to this system that
11:00 - 11:02

means my risk-based Approach will cross
11:02 - 11:04

the threshold that actually makes a lot
11:04 - 11:06

more sense for me I'll explain that when
11:06 - 11:09

we actually get to RBA but basically I'm
11:09 - 11:11

going to give me give me an alert every
11:11 - 11:12

time
11:12 - 11:15

0.128 is the source of network traffic
11:15 - 11:17

and that should fire off quite
11:17 - 11:19

frequently
11:19 - 11:19

um
11:19 - 11:21

ignore the picture up in the top we're
11:21 - 11:24

just going to move on had one my videos
11:24 - 11:27

are done rendering anyway so I'm going
11:27 - 11:30

to map it to these ttps again this is
11:30 - 11:31

all for demo purposes so I just pick
11:31 - 11:36

some tptps and I can come down here and
11:36 - 11:38

I can put a confidence score an impact
11:38 - 11:39

score
11:39 - 11:41

contacts analytics we're just gonna
11:41 - 11:43

leave that alone for now I can create my
11:43 - 11:45

own framework and now here it's going to
11:45 - 11:47

say how far back do I want to look do I
11:47 - 11:49

look back 24 hours I could but I know
11:49 - 11:51

how often my logs are firing I'm going
11:51 - 11:53

to look back one hour doesn't really
11:53 - 11:54

matter because I'm just grabbing head
11:54 - 11:56

one
11:56 - 11:59

and I'm I have you I probably get I get
11:59 - 12:02

hundreds of events every probably
12:02 - 12:04

thousands of events every hour
12:04 - 12:06

on this particular subnet and so I it's
12:06 - 12:08

not going to be a problem getting data
12:08 - 12:09

I'm going to go look back one hour to
12:09 - 12:12

now and how often do I want it to run
12:12 - 12:13

you know what I'm going to let it run
12:13 - 12:16

every five minutes and that's going to
12:16 - 12:18

be important so that I actually have
12:18 - 12:22

events and that'll work I'm going to
12:22 - 12:23

come down here and I'm going to say do I
12:23 - 12:25

want it to run as real time or
12:25 - 12:27

continuous we'll just leave it at its
12:27 - 12:29

default
12:29 - 12:31

uh what's my scheduling window again
12:31 - 12:33

these are I'm not going over these this
12:33 - 12:36

is just basically how oft how you want
12:36 - 12:38

to run your times I'm going to run this
12:38 - 12:39

every five minutes schedule priorities
12:39 - 12:41

in case there's conflicts hopefully with
12:41 - 12:43

your Enterprise security you actually do
12:43 - 12:46

not overload your system so these become
12:46 - 12:47

a big deal
12:47 - 12:49

trigger conditions number of results
12:49 - 12:50

greater than zero that's always going to
12:50 - 12:52

be the case because I'm getting back one
12:52 - 12:54

but if I was doing this if I want to do
12:54 - 12:56

thresholds I could make it the thing has
12:56 - 12:58

to occur at least 10 times or 15 times
12:58 - 13:01

or whatever then Windows durations
13:01 - 13:04

filled to group by that's it that's all
13:04 - 13:07

I want to deal with I really the only
13:07 - 13:09

places I put around with this is I wrote
13:09 - 13:11

a query in the most basic format to get
13:11 - 13:13

your correlation searches going pick a
13:13 - 13:16

search I would tie it to an annotation
13:16 - 13:19

but you don't have to not required you
13:19 - 13:20

come down here pick your time window
13:20 - 13:22

these three boxes how far back do you
13:22 - 13:24

want to look latest time earliest time
13:24 - 13:26

and your cron schedule and then you
13:26 - 13:28

really don't have to touch anything else
13:28 - 13:32

except this add adaptive response I'm
13:32 - 13:33

going to come and modify this in a
13:33 - 13:36

minute there is when we talk about RBA
13:36 - 13:38

I'm going to put a risk analysis for the
13:38 - 13:40

sake of keeping this simple I am only
13:40 - 13:41

going to do
13:41 - 13:44

notables for now so I'm going to come in
13:44 - 13:45

here and I'm going to click a notable
13:45 - 13:47

and notable is an alert that goes to
13:47 - 13:49

your triage system
13:49 - 13:52

gonna go YouTube
13:52 - 13:55

notable give a description
13:55 - 13:58

I can actually use
13:58 - 14:00

um foreign
14:00 - 14:02

variable substitution so I'm going to do
14:02 - 14:06

alert for dollar sign Source IP
14:06 - 14:08

I need to make sure that field comes
14:08 - 14:11

back and this does have a source IP so I
14:11 - 14:13

can use it and you just call it like you
14:13 - 14:15

do in with the dollar sign on both sides
14:15 - 14:17

of a variable and that'll be dynamic and
14:17 - 14:20

so my description will come back with
14:20 - 14:23

this and just because I
14:23 - 14:25

want to what if I do yeah we'll just
14:25 - 14:26

leave it at that
14:26 - 14:29

YouTube notable security domain there
14:29 - 14:32

are a bunch of domains this is dealing
14:32 - 14:34

with access areas that would be
14:34 - 14:36

authentication endpoint a lot of your
14:36 - 14:39

host logs Network logs threat identity
14:39 - 14:41

and audit and so those are the six areas
14:41 - 14:44

splunkcast as security domains we'll
14:44 - 14:47

just leave it as a we'll put as a
14:47 - 14:48

network
14:48 - 14:50

in the network domain I'm going to put
14:50 - 14:53

the severity
14:54 - 14:56

as low
14:56 - 15:00

and default owner I can put in these I
15:00 - 15:02

can leave it unassigned
15:02 - 15:03

I'm going to put it as unassigned to
15:03 - 15:05

start with again you don't have to
15:05 - 15:07

default status I'm going to put it as
15:07 - 15:09

unassigned
15:09 - 15:12

and I could put a drill down search in
15:12 - 15:15

there and let's do that
15:15 - 15:18

we're going to take this very same query
15:18 - 15:20

just to keep things really simple one of
15:20 - 15:22

the very first drill Downs I want to put
15:22 - 15:24

in there
15:24 - 15:26

is the actual query
15:26 - 15:29

that created this log
15:29 - 15:31

but in this case I'm not going to put
15:31 - 15:33

head 1 I'm going to put I'm going to
15:33 - 15:34

take the head out
15:34 - 15:36

oh it looks like I've lost the 128 on
15:36 - 15:39

there 128.
15:39 - 15:41

make sure 128 is up here
15:41 - 15:45

yeah it is okay and I can choose the
15:45 - 15:46

drill down search will be
15:46 - 15:49

C
15:49 - 15:54

what caused alert
15:55 - 15:57

there are other ways of doing this I'll
15:57 - 15:58

show but I'm just I'm just going to
15:58 - 16:00

create a few ad drill down searches and
16:00 - 16:02

here we're going to just do
16:02 - 16:05

um
16:05 - 16:08

Y is
16:08 - 16:10

this
16:10 - 16:14

drill down exist
16:15 - 16:16

I just want to show I can go search
16:16 - 16:18

anything
16:18 - 16:21

index equals internal
16:21 - 16:23

why would you be looking at your
16:23 - 16:26

internal logs it doesn't really matter
16:26 - 16:28

um
16:28 - 16:30

well actually let's just do this I'm
16:30 - 16:33

going to put in dollar sign Source IP
16:33 - 16:35

so I'm basically looking in my internal
16:35 - 16:37

logs and I'm going to see if I find that
16:37 - 16:40

IP address popping up it it's just kind
16:40 - 16:42

of an interesting way you can add
16:42 - 16:46

additional searches to your information
16:46 - 16:46

um
16:46 - 16:48

so I'm going to be searching my internal
16:48 - 16:50

logs for the source IP
16:50 - 16:53

and I hope you saw this earliest offset
16:53 - 16:56

latest Offset you can change this or you
16:56 - 16:58

can you can let it just go by its
16:58 - 17:00

default or you can say for here I'm
17:00 - 17:01

going to go
17:01 - 17:05

plus this is a earliest for example one
17:05 - 17:06

hour
17:06 - 17:08

and I'm going to leave the other one as
17:08 - 17:11

zero
17:11 - 17:12

does that make sense so I hope this
17:12 - 17:15

makes this helps I can change my time
17:15 - 17:17

it's basically going to look in this
17:17 - 17:22

window one hour back of based off of
17:23 - 17:25

um
17:25 - 17:28

the the time this event occurred
17:28 - 17:29

so this might actually look a little bit
17:29 - 17:30

in the future this can look a little bit
17:30 - 17:32

in the future it's going to use time in
17:32 - 17:35

the back so let's go
17:36 - 17:38

we're going to go one hour one way this
17:38 - 17:40

is going to go one hour and in the
17:40 - 17:43

future and one hour in the past
17:43 - 17:46

sounds good I'm going to leave my
17:46 - 17:48

investigation profile alone and these
17:48 - 17:51

are I uh extractions and these what it's
17:51 - 17:52

going to do is it's going to it's going
17:52 - 17:56

to identify identities these are users
17:56 - 17:57

and stuff like that on your network
17:57 - 18:00

assets would be like IPS and machines
18:00 - 18:03

and files and URLs that it might have
18:03 - 18:06

found I'm going to we got assets here
18:06 - 18:09

Source test
18:09 - 18:10

um does my lock do my logs contain
18:10 - 18:12

source and test
18:12 - 18:15

well let's go look had one do I actually
18:15 - 18:18

have a source and a desk here
18:18 - 18:21

I have a source IP but no source so I
18:21 - 18:23

don't have the field it's looking for to
18:23 - 18:25

be able to identify it so what I need to
18:25 - 18:27

do is I need to come in here and I'm
18:27 - 18:28

going to go
18:28 - 18:31

source IP
18:31 - 18:34

except it's on identity
18:34 - 18:36

the identity it's an asset so I'm going
18:36 - 18:37

to come in here and I'm going to go
18:37 - 18:40

Source IP
18:40 - 18:44

and just because it's we might we might
18:44 - 18:46

want to identify the uh the other
18:46 - 18:48

machine in question we're going to put
18:48 - 18:50

desktop in there as well so I'm going to
18:50 - 18:52

have my source IP and my destination IP
18:52 - 18:54

they're going to be assets that are
18:54 - 18:56

extracted and that's all I'm going to do
18:56 - 18:58

I just want to make sure that the
18:58 - 19:00

anything that might be identifiable in
19:00 - 19:02

these queries not these queries the
19:02 - 19:04

query up here let's call them out and I
19:04 - 19:06

hope all this will make more sense as
19:06 - 19:07

you actually see the stuff come back
19:07 - 19:09

there's just a lot of capabilities here
19:09 - 19:13

I can write steps if I want to I can set
19:13 - 19:15

things up to uh for example send an
19:15 - 19:18

email stream capture if you have uh
19:18 - 19:20

Splunk stream nbstat and it's look up
19:20 - 19:22

you can make your system do a lot of
19:22 - 19:24

things like I could have Splunk go ping
19:24 - 19:26

an IP address you know what
19:26 - 19:28

um in a little bit I'll actually show me
19:28 - 19:30

doing that I can have it do a risk
19:30 - 19:32

analysis run a scripts and a uba send a
19:32 - 19:34

split mobile Splunk mobile is really
19:34 - 19:37

cool now it's being sent to my phone add
19:37 - 19:39

thread intelligence from it web hooks
19:39 - 19:41

whatever you have a lots of capabilities
19:41 - 19:44

don't need to do it the the minimum you
19:44 - 19:45

need for a notable
19:45 - 19:48

title description
19:48 - 19:50

you don't even need these drill Downs
19:50 - 19:52

you can let this be set as default
19:52 - 19:54

probably should pick a security domain
19:54 - 19:58

and literally that's it make sure it's a
19:58 - 20:00

lot more helpful if you can identify
20:00 - 20:01

your stuff coming back as identities and
20:01 - 20:03

sources and I'm going to show you that
20:03 - 20:06

in the next video with workbenches and
20:06 - 20:08

stuff like that but for the sake of this
20:08 - 20:09

don't worry about it
20:09 - 20:11

um just know that it's it's good if you
20:11 - 20:13

can call it out but if you don't you're
20:13 - 20:15

it's not like the query will break
20:15 - 20:18

I'm going to hit save
20:18 - 20:20

and I should have a correlation search
20:20 - 20:22

done now I'm going to have to wait I
20:22 - 20:25

probably just missed my window it's
20:25 - 20:26

supposed to be kicking off five minutes
20:26 - 20:28

after the hour
20:28 - 20:31

so I can almost guarantee that if I come
20:31 - 20:34

to incident review I will not find an
20:34 - 20:35

alert
20:35 - 20:39

called YouTube notable
20:39 - 20:41

I'm gonna have to wait till five more
20:41 - 20:43

minutes to go by but let's go ahead and
20:43 - 20:45

check that so I can come down I can
20:45 - 20:47

refresh the page here or I can refresh
20:47 - 20:50

the page here but either way that is not
20:50 - 20:52

the purpose of this video is to look at
20:52 - 20:54

the incidents coming in mine was to talk
20:54 - 20:56

about correlation searches and how to
20:56 - 20:58

make my own I have set up a correlation
20:58 - 21:01

search and so I've accomplished my task
21:01 - 21:03

I'm gonna I'm gonna come see it here
21:03 - 21:05

with a configure
21:05 - 21:07

content
21:07 - 21:11

configure content content management my
21:11 - 21:14

new correlation search is in here we can
21:14 - 21:16

see that when I go all
21:16 - 21:18

correlation search and when you create
21:18 - 21:21

them by default they are enabled
21:21 - 21:24

so if I come in here and I enable
21:24 - 21:26

I can see YouTube correlation search for
21:26 - 21:27

line Creations if I want to make any
21:27 - 21:30

changes to it
21:30 - 21:32

I just hit search now that's interesting
21:32 - 21:33

that it doesn't say that it's actually
21:33 - 21:36

scheduled
21:41 - 21:43

all right well probably because it
21:43 - 21:45

hasn't run the very first time once it
21:45 - 21:47

runs I should see
21:47 - 21:50

here the next schedule time but it's
21:50 - 21:51

really easy just keep it under the
21:51 - 21:54

enabled
21:55 - 21:58

and correlation searches
21:58 - 21:59

so
21:59 - 22:02

yep there it is now I've got a time for
22:02 - 22:03

the next scheduled time stored in the
22:03 - 22:05

Enterprise Security app what have we
22:05 - 22:07

covered we've talked about correlation
22:07 - 22:09

searches what they are they're saved
22:09 - 22:12

searches that can be used to create
22:12 - 22:16

notables notables fill out tickets that
22:16 - 22:18

you will go into a ticket triaging
22:18 - 22:20

system which we will cover in the next
22:20 - 22:22

video in this playlist please look at
22:22 - 22:23

the link below notice that this is a
22:23 - 22:25

playlist go ahead and join the playlist
22:25 - 22:27

and watch the videos this is meant to be
22:27 - 22:30

a comprehensive training to help you
22:30 - 22:32

understand Enterprise security
22:32 - 22:32

um
22:32 - 22:35

click that link we have now create I've
22:35 - 22:36

shown you how to see the correlation
22:36 - 22:38

search that come out of the box and I've
22:38 - 22:40

shown you how to create your own from
22:40 - 22:42

scratch I hope this has been helpful I
22:42 - 22:44

hope this helps you move from being a
22:44 - 22:48

lame analyst to a Splunk ninja that
22:48 - 22:49

you'll keep following particularly this
22:49 - 22:51

playlist watch the videos in it and that
22:51 - 22:53

they're helpful anyway hope to see you
22:53 - 22:55

around

Title:: Splunk Enterprise Security Free Training | Correlation Searches
Description:: more » « less
Video Language:: English
Duration:: 22:55

	OEVIDEOS edited English subtitles for Splunk Enterprise Security Free Training \| Correlation Searches
	OEVIDEOS edited English subtitles for Splunk Enterprise Security Free Training \| Correlation Searches
	OEVIDEOS edited English subtitles for Splunk Enterprise Security Free Training \| Correlation Searches

English subtitles

Revisions Compare revisions

Revision 3 Edited

OEVIDEOS
Revision 2 Edited

OEVIDEOS
Revision 1 Uploaded

OEVIDEOS

	Revision Number	Author	Created
	3	OEVIDEOS
	2	OEVIDEOS
	1	OEVIDEOS

Splunk Enterprise Security Free Training | Correlation Searches

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)