Splunk Enterprise Security Training | Splunk Security Training | Intellipaat

Captions
Let us start with Splunk Security. "Splunk Cloud" is a simple keyword which you can type, and you can go in here and take it from the Splunk website, where you just register yourself. I'm just taking a quick run through here. You have your Splunk Cloud, Learn, Security, all these things. I have one doubt also: can it be possible to have it as an application instead of on the cloud as well? Both are possible. If you want to have it on a cloud, the reason we put it up on a cloud is mainly to showcase it on a quick note. So Splunk deployment goes in two ways: one is on-premise, another is on a cloud. When we talk about on the cloud, it is especially a SaaS mode, software as a service, or security software as a service. This plan gives you a particular public IP address, like an AWS instance, if you have ever used one. You guys might have used Azure or Google Cloud or AWS instances, where they give you a dedicated IP address, where you can open a certain number of ports and then have that port pointed to your respective local systems or any other systems; maybe it is on another cloud or on the same cloud, but it should be available on the public domain. So a public IP address is a requirement. Now all your traffic, traffic in the sense of logs, is to be diverted to this. So what are the things we are doing in Splunk Cloud, and on-premise, will it be the same or will it be different? I am coming to the same point. The thing is, on the cloud it is ready-made: Splunk would have already installed the base Splunk Security system and it is ready for you to use, and you just need to configure the ports so that your Splunk Cloud can accept the logs from the standalone systems. So that is the thing which is available,
but on-premise, when you take it on-premise, you need to install it. Splunk is available; you go to the Splunk website, you have here something for it, I have kept it here anyway. Installing on Windows or Linux, or there is also one for Mac, but Mac is not widely used for Splunk Security. Either you can use it on Windows or on Unix; people, typically security organizations, install Splunk Security on Linux because that is easy to troubleshoot, easy to configure, etc., where you can get to the back end of the system and then configure it yourself. So this is on-premise. Now in case of on-premise, what happens is the network topology changes. If you have it on a cloud it is kind of public; if you have it on-premise then your network topology changes. At that time you may have multiple offices: an office in India, maybe in Bangalore, another office maybe in Washington DC, another office in London, another office anywhere else. You have a distributed network; in a corporate environment you will have security devices such as firewalls or intrusion prevention devices or gateway antiviruses, and such security devices will be part of different LAN segments. So at that time what happens is you might be connected over MPLS connectivity, which is common for larger organizations, or you may want to connect over a point-to-point network, or maybe over the Internet, where you can create a particular hub-and-spoke VPN topology. So at that time you need to take care of your networking part so that all those security devices at various places of the world can send the logs to your Splunk
on-premise setup, which may be in one of these locations. The app will be free; we can use it for 30 days, the Enterprise Security app? Absolutely right. You see here you have security incident and event management. You can see through this and you can download that particular solution: here security, and here analysis and response, investigation, all these things. Actually, if I say this, I can download the trial version and you people can do it; you can register yourself and then do that, or you can get the sandbox, which is not allowed for your practice. To get the sandbox you have to obtain your login, that's it. You see here, you will start the trial; this trial especially is a cloud one. There is another also: we can install an add-on; the whole thing has a standalone application, and then you can start using it. The installation procedure is quite quick and I can show you that. Other products of Splunk are also there; you can see security, IT operations, IoT. You see these are all the main categories of Splunk, where our concentration is security, like the Enterprise Security app. Yes, the simple solution is Enterprise Security. Sandbox, in the sense it is a playing box you can use in your own way; this is the sandbox which I have. So I'm trying to save time in the middle; what I am doing is Splunk Security. When I click on free sandbox, well, again this is after the registration procedure; registration itself is three or four steps where you have to give your email ID, the details, personal details, and you have to give all the things you want to create your login, nothing other than that. So after user account registration you will land on this particular page by login. Let us go through this screen. So I will install a Splunk instance
in Windows 7 or whatever, maybe, and on top of that I will install the security app, Enterprise Security for Splunk; so will it be okay, or does it require a licensed version? See, for the installation, there is a trial version and there is a licensed version. What you can make use of is the trial version only, but for full-fledged utilization of Splunk Security you need the Enterprise version, with various features and everything. You also get a seven-day trial; after seven days it will ask for activation or something like that; if you want to activate you can activate, otherwise you have to do a fresh download and try using it. Then that means I can use the licensed version free trial and the security app? Exactly right. Right now what I am trying to explain to you guys is: use this cloud thing, first of all get used to the Splunk system. You can see here the menu, what is there on the top of the screen: one is Home, next is Security Posture, next is Incident Review, next is Investigations, Glass Tables, Security Intelligence, Security Domains, Audit, Search and Configure. You have here a complete security stack, or security audit stack, I could say. I will explain each of the tabs now. Home screen is a typical home screen where you have all the various panes stacked in a particular screen; these tabs themselves are replicated here. Security Posture: what does posture mean in general English? Posture means the look and the appearance, how you appear; that is a posture. So now the posture of your entire network security, an overview of your entire organization's security, is shown in this particular posture tab, which covers a bird's-eye view of the security infrastructure. Next is Incident Review.
There is a difference: there are two things when we consider security incident and event management, two words, one is incident and another is event. Let me explain this particular concept. What is an event? An event is about something happening on a particular system which is getting reported into Splunk. Such as, if I have 100 security devices reporting to Splunk Security, then each device reports to Splunk about the happenings on it; those happenings are recorded in logs of each of those systems, which get reported by means of forwarding those events into Splunk. Those are called events; that is a simple happening without any intelligence. Now what is an incident? An incident is a correlation or combination of multiple events, and it is also a collection or sequence of events. So am I clear here? An incident is a set of events in a sequential order; that means an incident is something that has happened and that requires attention and a response to it. So in the incident review, a set of events happened, and because of that a particular incident occurred; Splunk records it in the same manner. Next is Investigations. What is investigations? Investigations is the third step of machine learning: the very first step of machine learning was the historical analysis, next was the review, and then the diagnosis. Now the investigation is about diagnosis, which does the detailed analytics of any incident or event that happened: why it happened, who created it, who it was destined to, all such kind of details, what kind of protocol; everything comes in investigations, where you can deep dive into an event or incident. That is investigations. Next, Glass Tables: these are all a certain kind of showcasing of the mechanism, like how an incident happened and the event happened, and the investigation; these are all the know-how, and this is what we found after investigations, so that's on the glass table.
Next is Security Intelligence. In case of security intelligence, what I have: the first one is Risk Analysis for my network, next is Protocol Intelligence, next is Threat Intelligence, next is User Intelligence, and next is Web Intelligence. As I told earlier, all these models we are going to study are based on threat models. Is any of you aware of what a threat model is? Various different models are there, such as the STRIDE model, the PASTA model, the Trike model. So this security intelligence page is inspired by such kind of threat models, where it gives you an internal risk analysis and then the mitigating measures, where protocol intelligence is there, threat intelligence is there, user intelligence is there, and web intelligence. So for protocol intelligence: how many protocols are in transaction on my network and what is their behavior, whether they are compliant to the respective standards. Any protocol or all the protocols on the Internet have to comply to the RFC standard; RFC is Request for Comments. If you want to learn about any protocol, visit the RFC pages, because there is an IEEE standard defined under the OSI model where it is quite clearly and in detail depicted how a protocol should look and how a protocol should behave. Next, threat intelligence, such as what is the threat diaspora which is impacting my network. So that's about threat intelligence: how many ransomware attacks were tried, how many succeeded, how many did not succeed, how many were caught and how they were caught, how many viruses, how many worms, and what are those; all such kind of details you see in threat intelligence, where threat intelligence poses as a precautionary measure for your future events; that is the benefit of threat intel. Next is user intelligence. User intelligence is about the user behavior on your network. On your network there may be
a thousand users, a hundred users, or maybe millions of users. Splunk will keep flagging, stating that, all right, so-and-so is not behaving great: he is attracting more and more threats, his system is attracting more and more threats, and he is trying more and more violations. That is what it is. So raising such kind of flags is in user intelligence, and it takes the help of systems such as Identity Management or the like. Next is Web Intelligence. As I told you, the most transacted protocol is HTTP, so in case of HTTP a lot of attacks such as cross-site scripting or DDoS or any such kind of stealth attacks happen; this particular web intelligence captures everything on the web. So the next one is Security Domains. In case of security domains we configure the access list, that is who can use, who can log in to the Splunk system, such as endpoint, network, identity, and all such kind of things. Next is Audit. This is a detailed audit; it's a complete security audit tool, meaning you don't need to do any manual job; Splunk will gather all those intelligences and then present the respective audits, such as incident review audit (this is also called root cause analysis), suppression audit, adaptive response action center, per-panel filter audit, like you can create your own customized filters out there for the audit, and various such kind of audits. Next, you can search for a respective dashboard or reports or predictive analytics or data sets. Then comes system basic configuration, where it gives you what all the things you can configure on the Splunk system. So this is a high-level overview, and you could see here there is a topmost bar which is like the notification bar, how you have it on your LinkedIn or Facebook, so that
those things that require immediate attention can be flagged here; for that purpose there is a notification bar. You see here Extreme Search; all those quick tools are mentioned here. Same way there are quick messages which are critical, the most critical at this moment on Splunk; those events are recorded here as a message. And Settings, which are typical settings on Splunk where you can configure the devices etc., and then the scheduled tasks, whether a particular scheduled task is done or why not, and the quick-access tools. It takes time because it is quite a rich screen, so it has a lot of things on it. One by one: this is a widget-based system where you see the numbers at the topmost section of the screen being populated. These are based on whatever data the Splunk Cloud has currently got. Don't think that it is my data; I have not configured this, because Splunk, for their demonstration purposes, have configured some systems in their respective cloud, and it's showcasing this, which is good for our study anyhow. So access notables, total count 350; endpoint notables... Oh God, it got clicked; go back to Security Posture, because when I click on them it takes me to the detailed incident. Okay, we are back on this. Endpoint notables, like what are all the systems; network notables, identity notables, audit notables, threat notables. It is covering every menu item which you saw on the top, with the statistics. Next is notable events by urgency; you can see there the types of events, starting from the informational events till the critical. So Splunk has right now three things categorized: one is low, another medium, another critical. Right now there are a lot of medium events which are being recorded on this Splunk system, and there are some criticals. Next, notable events over time; this
is your timestamp, a time scale or timeline on this Splunk system, where you see by access, by audit, by endpoint, network and threat; you have color coding where you can see for yourself. You can go through this; it shows the timestamp, and there is a peak time between 4 a.m. and 8 a.m. where a lot of things happen. Where you see the peak, 156 active events occurred during that time, endpoint events 35, as well as audit events numbering 40. Next, top notable events; here you get your threat intelligence: hosts with multiple infections are 169; excessive failed logins, that means there is a lot of brute force happening on your network, brute force in the sense somebody is trying to enter into the systems by making login attempts which are failing, which is being recorded on your end devices, which send it to Splunk. Next, threat activity detected; threat activity detected is 58, and so on and so forth. There are many; if you want to go on the screen you can go here itself; there is a pagination. Now you see here something: this is for a detailed search of more and more events, and you can export this, because you may want to escalate it to the top level of your organization. Say for example, if a SOC operator is operating this Splunk on a day-to-day basis, he can download it and escalate it to his next-level manager: okay, this is my Splunk report for this particular day or week or whatever number of days. Next, inspect more and refresh. It was refreshed four minutes ago and I refresh now, and it is the same state. And there is something else here: the top notable event sources. Yes, I just want to try based on what you've been explaining right now: the screen we're looking at is the Security Posture screen,
and the notable event source gives us the specific location where those events originated from, maybe the source, like IP addresses? Yes, yes, carry on. Oh I see, like the specific IP address; I don't know if those are what we call port numbers, it is just an ID. Yeah, so it gives you an IP address, and then I see a correlation count; that also means the number of times that event has originated from that particular IP address. Then security domain count, it's like the detail of the security posture of a particular event from a particular source. Yes, yes, it's correct, but let me make it more correct. So here when I talk about the source: source, don't think it is a firewall. I explained to you guys about the deployment model of Splunk; Splunk is not implemented like a firewall, Splunk is implemented as a standalone device that accepts the set of events from firewall kind of devices. That means these are the events forwarded from the connected devices, such as if 10 firewalls are connected and they are forwarding the logs to Splunk. I have a firewall on my network which is carrying IP address 192.168.56.102, so that firewall has generated 23 counts of events; that has given me so many events, and security domain count and correlation search count here. If we go deep, right now I'm going to click on this; it's going to take me to the next screen, Incident Review. Now if I know this incident, what I can see here: search source, the source here. Now you see here a set of events; that means this firewall or this security device has detected so many threat activities of urgency level critical, and currently these are in the new state, meaning each event has to undergo a particular life cycle; new means a new event occurred and somebody needs to acknowledge
that event. Now if I address it here, instead of new it becomes acknowledged, and then it can go out of this list. So now I will expand it here; now let us see what it is. This is the detail of that particular event which was forwarded to me by a device of 192.168.56.102, and here you have what is the attack destination and what is the source of the attack; all these attack details are here, source is this. Now I have a risk score of 2; when I go into risk management it will be more detailed; anyway I am not taking it so deep right now, but I am going to explain simply the threat activity. You see here the description: threat activity was discovered in the destination field based on the threat intelligence available in the IP intel collection. That means Splunk has already collected some amount of threat intelligence, and based on that it is categorizing this with this description. Now what is the type of the event: you have here the type and place etc.; more details are here. So this is a threat activity which was detected at this respective time and is of this nature; you have here more and more details, event ID, event type notable, and all those things. Now you have actions here, the correlation search, the related investigation; currently not investigated. There is a correlation search where it gives you threat source and destination matches, threat gen. And history: view all review activity for this notable event. And what is the next step? Since it is not investigated you would not have the next step, what to do; there is no prescriptive analytics done on this event, because it is waiting for the user to respond on this event. Right now I would say action: what should I do? If I take an action then I could see the prescriptive analytics on
the respective event. Now in the action I can say add this to threat intel, or add the event to the investigation and take it further for investigation, or create a notable event, because this kind of event I want to create and keep in notable events (where did we see notable events? in one of those tabs, especially in the events tab), or I can build an event type or extract the fields for further detailing of it, or run adaptive response actions, or share the notable event, or suppress the notable event, meaning this may be a noisy event which may not make sense; at that time I want to suppress it. Or I can re-image the workstation; this is like reinstalling that respective system, but for this there is a certain other requirement; in future classes we will come to know about those things, anyway, but re-imaging a workstation is possible. So this is what the Security Posture screen is about. Yes, so as you told, the data sources are already reflected in the top notable event sources; how to add these data sources to the Splunk instance? So we have to configure the data sources, such as log forwarders, and those logs get forwarded into Splunk. For syslog it is a different type of configuration. We have especially adding the data sources, where we have to configure a data source; right now we do not have it here because we are looking into the cloud system. This is like an AWS-like publicly available domain name, so on the respective ports, some port number like 8000, that is the standard port, on that port we have to get the data sources received from various different systems; maybe it is a firewall simulation or any other security device simulation. I'm beginning to get a scope and a grasp of what this Splunk Security framework is all about, so my
question is, out in the field, in the work environment, when we say you're working on the Enterprise Security or the SIEM framework, is this it? Are we going to use this Splunk app? This particular training is concentrated on Splunk, but there are many other SIEM tools, such as QRadar, ArcSight, and such kind of tools, and in open source there is something called OSSIM. Now I'm just talking in terms of Splunk. Because for example, let me go back: what we do with Splunk, like power users and stuff like that, we would learn how to ingest it, like universal forwarders or those search tokens; if you go to Splunk, bring in the data to explore and then configure and index the data, so that's at the power user and architect level of Splunk. But my question is, let me just put it this way: let me say I come to you and I'm like, okay, I'm looking for a job to do Splunk Enterprise Security; my question is this: what we'll be doing, is this the app you use for Enterprise Security? Yes, we do use this; this is the app to use for it. You see here the name: Enterprise Security. Splunk's product name is Enterprise Security; Splunk Enterprise Security is the name of Splunk's SIEM product. Security incident and event management is a common terminology; there are multiple vendors, and Splunk also is one vendor of such kind of technology, in the form of a product; Splunk's product name is Splunk Enterprise Security. Okay, thank you. So will we be working with data that has already been forwarded, or do we have to import that and then try to do it all? It is not importing; Splunk works on all live data. All those various devices which have been deployed on your network will start forwarding the data into Splunk.
That's how it works; Splunk is a kind of center of gravity for all event collection. We will be looking into the deployment model of Splunk, and we are going to go through the remaining screens on the Splunk web console, and also what are the various different product lines that Splunk gives. So let me start with the product lines that Splunk has, where you can download: the download.html page on Splunk's website. You get all these various different versions of Splunk here: Splunk Enterprise, Splunk Cloud, Splunk Light and Splunk Free. So Enterprise has mostly all the enterprise product lines, such as security or machine learning or anything of that sort; that's what Splunk Cloud is like, both security and non-security product lines. Same way there is something called Splunk Light, which is to store the data or alerts and reports etc. on your desktop or any such kind of smaller-capacity system, which may not have high storage, but it's for a small implementation. And Free is the free Splunk Enterprise platform for log redirection; it would not have much of the correlation and all those capabilities, it will only have basic-level features. You can see here there is something called a comparison chart, which we can take a quick look at for the feature differences between all these products. Features are so many. The maximum daily indexing volume, that means how much of the data Splunk can accumulate on a daily basis. In case of the free version it's just limited to 500 MB, meaning you can redirect the logs up to a quantity of 400 MB per day; Splunk Light up to 20 GB; and Splunk Enterprise (not necessarily only security, other
products also) unlimited, and Splunk Cloud also unlimited; these are all premium products. Next, maximum users: Splunk Free is for only one user, himself as an operator, himself as an administrator and all those things, multiple roles in a single user; Splunk Light will give up to five users; Splunk Enterprise an unlimited number of users; Splunk Cloud also unlimited. My query is: is this a per-day data indexing licensing model? So for Enterprise Security, does it depend upon how many security devices and logs and the type of... Right, these are all four different types of packages that you can avail from Splunk: one is Free, that is for one user, for any very small deployment; second is Splunk Light, which is for a medium kind of deployment where you will be having five user roles; and Splunk Enterprise and Splunk Cloud are unlimited, where the number of devices, somewhere here it will come, single sign-on alone. So the price per device, the number of security devices forwarding to it, they do calculate based on that. So here in case of Splunk Enterprise and Splunk Cloud they give you unlimited; however, they are calculating the scalability depending on the amount of data that is pumped into Splunk. For the first three models the storage is all yours, what you buy, and in case of Splunk Cloud, because it's a premium license, you will get the storage and they will dynamically allocate it; it's like an AWS cloud, nothing else; it's an elastic cloud model. So when you are able to exhaust the initial allocation it will automatically scale it up. Then universal data collection, indexing: all these features are available. But Splunkbase apps, these are all available
for all the others; however, only for AWS in case of Light. Splunk premium solutions, these are available only in the paid version, that is either Enterprise or Cloud: high availability, Splunk premium solutions, disaster recovery, clustering, distributed search, performance acceleration, all these things, and access control, single sign-on, these two. Because the difference between the third and fourth, that is Splunk Enterprise and Splunk Cloud, is that on the cloud itself you should have your LDAP set up, or Active Directory or any such kind of directory servers set up in your cloud itself, and then you can join Splunk to that particular system which is on the cloud; it does require a public IP address or public domain name to be joined to the domain. Then developer environment: they give this API, SDK. Why do they do this? Mainly, Splunk can be integrated northbound with some other tool; maybe you have a ticketing tool, Remedyforce or any such kind of ticketing tool, or IBM Tivoli TSRM, such kind of tools where Splunk's incidents and events can get logged as tickets. So Splunk will redirect the ticket information that can get generated as a ticket on a ticketing system; so there is a northbound integration, and for that purpose they give you the APIs and SDKs. Then dynamic data, only in Splunk Cloud. In case of support: in case of the free edition there is no support, it's community support, like the way you can ask anybody and everybody on open source stuff; it is not official support by Splunk. In the remaining models there is a support plan. However, now Splunk Enterprise is a free download, Splunk Free is a free download; it is like this, Free and Enterprise, but in case of Enterprise there is a requirement of a key and all those things. So these are the various models available.
chin like now we are using this prank Enterprise 5 20 GB of license so if you want to integrate I mean you're on board Splunk security this we need any separate license or we can yes is a separate one okay so if you want to learn what security means we have to get that particular license enabled from Splunk so see various other things like you know you have it here it's plug for security phantom and enterprise security this is what you need to get forever in compromised or that's on-premise deployment itself this one fine so now we will move on to the deployment model so the flunk can be deployed in you know signifier article model our multi-layer article model so when I talk of single hierarchical model it is about Splunk index law as a single okay let's just deep dive into this there are some diagrams and show you how it is getting deployed okay so this is one simple way of deploying where okay so this is your Splunk line currents basically you know how house plunk works let us see little bit in depth slunk uses syslog D server okay syslog BD much so that is typically any UNIX or Linux systems use for you know keeping track of and recording the system locks where if you are aware on Windows Windows events how we windows event servers work similarly for recording all the system related events in various different you know the under various different facility and severity the syslog D also is a daemon that start that talks starting from the kernel of the system that is most internal part of the operating system till the shell of the system including the services and kernel modules and shell programs or scripts or anything of that sort right so where each of the system can each of the application of the system can also log their respective logs using syslog be it so syslog is a demon demon by nature it it you know runs in the background it's not demin it is demon okay right so that by nature it runs in the background and keeps listening on a particular port okay so 
syslog typically categorizes the logs under two parameters: one is for the severity, another for the facility. So okay, just let me pull out all those things for your benefit. Okay, so syslog, right: facility code, keyword and description, okay, and next comes severity level, that is the severity of the respective event. Say for example if I have a sample syslog, okay, there is a facility; the facility is to identify what kind of a service it is on the operating system, because Splunk also runs on an operating system, like the way routers, switches, all those things run on a respective operating system, right. So they need to keep track of their historical events that had happened on the system; that's the reason they use a logging mechanism, right. So facility code zero, if it is, then it is a kernel message, right; so that kernel message is, you know, something that is quite internal to the system but that gets recorded. Next is the user, that means user-level messages; next is the mail system; next is system daemons, like syslogd is a daemon, there must be lots of daemon services which are running on the system; next is authentication/authorization related messages, like who logged in, who logged out, what is happening in the logged-in session and all such kinds of things; next is syslog, these are the internal messages to the syslog service itself; next is the line printer subsystem. This, I hope, not many people are using now, because we are using in most of the cases network printers, right, but if you see there on that respective system where the printer could be attached, in a simple user network there is something called spooling, right; the printer typically works based on the spooling of the jobs, so if a job is spooled to the printer it requires some kind of messages, that is the LPR type of message. And next is the network news subsystem; that's like any news type, those types means there are NNTP servers, right, news network transmission protocol servers and all such kinds of
such services could run as network news. And UUCP, of course it is being used; UUCP used to be used during UNIX times mostly, and the initial days of the internet mostly. Next is cron; cron, it is like, you know, you might have heard of crontab. It is to schedule the job to automatically get executed at a particular time or at a particular frequency, so the cron jobs are all recorded, like whenever the tasks are scheduled, tasks are run, in the syslog file a cron type of a message gets recorded. Next is authentication privilege, that is authpriv; so who is allowed to log in, who is prohibited from login, who has made failed login attempts, all these things come under this. Similar to that, you now see why you are seeing so many: FTP, UUCP, NNTP are there because syslog is quite old, okay. So during those days these were all like standalone, independent, important services, but no longer they are, because NTP is replaced with... NTP is a network time protocol, okay, NNTP is also kind of replaced, UUCP is also kind of replaced; that's the reason you don't see much importance to these these days. But security, console, etcetera etcetera, see these are all quite important ones, like daemon, kernel, user, these are all system related, some of them are network related and some of them are respective services related, okay. So facility code, you see here 0 to 23, there are different codes. And severity level: severity in the sense, like what grabs the attention, that is severity, right, and what requires the attention and at what level and in what order. Now if you see, in a syslog file if you see something like emerg, then it is an emergency issue, a panic condition in the system that needs immediate mitigation attention. So starting from emerg to debug, eight different severities are there; it is as good as how you have in case of tickets, right, so a ticketing system, how it has... in case of a ticketing system it will have severity one, two, three, four, five
like that, right, important, critical, etc. also. So similarly here it starts with emergency, then alert, then critical, then error messages and warning messages, then notice, informational and debug, okay. So if a service is recording any message starting from zero to four, 0 to 3 I could say, not necessarily four, 0 to 3, then the service cannot run, the service will be stopped; if it is warning, yes, it may run but not properly; if it is notice, informational and debug, no issues, it is just for, you know, the informational purpose. So this is how the syslog is. If you want to see a syslog message you can visit this particular RFC which will give you a sample syslog also; research it, it should be fine. Okay, a sample, sample; I'm just trying to see if... that is for the purpose, for the sake of simplicity, syslog message, okay, and take this, let me have those. Okay, you see here, this is a sample syslog, where each syslog parameter is, you know, delimited using the delimiter of a colon. Can you identify that? Yeah, so we have the date, and after that there is a colon, at which time it has happened, there is a colon; sorry, which date, the date and time together, then a colon, sorry, okay. So date and time, and then you see here something called... you see here 48 and then there is an ID, user error, right, so and then all these things, then you see what is the type of the message. The type of the message is partition health measures: /var did not suffice, still using 96% space. Then block requests: if you see block requests, what had happened here, it says no allow rule matching for requests with this particular URL, that means blocking the user from using this, right. You see here the following columns are given: column 1, column 2, 3, 4, 5, 6; it's explained clearly. So request aggregation events, and in certain cases you may also find... when we go back and try for a simpler one, log sample, okay, say let us say login, okay, you see here login successful; this is what, when, and where it has happened, PAM, right, pluggable
authentication modules from UNIX, that is a service on a UNIX system; if you use su, that is the switch user command, then you will be getting this kind of a message in your log, typically where it will be, on a UNIX system or a Linux system, /var/log/messages, that is the path where these things go, okay. So now moving on to how Splunk uses this. Okay, so now to understand how Splunk uses that, let us go to one more small topic in the middle, that is syslog redirection, okay. Does everybody use this thing? So a simple... for a Linux system, this is what I wanted to showcase as well. So there is a system, or Linux computers, multiple Linux computers; each UNIX or Linux system will have its own syslog service running. So in that, if you could type a simple command such as syslog -r and the remote host, that remote host can be the Splunk box, the IP address of the Splunk box, so then that respective Linux system will start forwarding all those logs; it will not record them any longer locally, it will start forwarding the log messages to that respective IP address. So Splunk needs it to be done that way: on any of those systems on which you have to enable the log forwarding, you enable log forwarding to this Splunk IP address, so that Splunk listens and captures on behalf of all those systems; it will start recording those things. So if you see here the respective diagram, you have here network devices, you have here Linux computers, all these are redirecting it into this particular box; this is another Linux computer, right. So here these are systems; of course this Linux computer also will have its own applications running, right, even those are all logged, and all the remote systems' logs are also getting forwarded into this, and these are all recorded in this particular thing itself, and then it can go ahead, whatever you want to
do the next part, forget about it, that is not our attention at this moment, right. So similarly, in this deployment model you are seeing here what are all the various different kinds of systems that could forward the logs to Splunk: Solaris, any router, maybe Cisco, Juniper or whatever routers, because on all the routers that are available in the market you get a feature of log forwarding, and AIX systems, and switches; of course all the makes and models of switches also can forward the log to a remote host, and Linux systems, right. So but in case of Windows, what do you do in case of Windows-based security devices or anything of that sort? Then you have to configure that Windows event viewer, the Windows event viewer forwarding, right. Now let's go back to these models of deployment. This is one more: Splunk with the direct network inputs. You see this again, same, because Cisco typically uses UDP because it doesn't care whether... right, so you have all these things; however syslog records it, and then all these things are stored in the Splunk database, correct. What are the things you see here: Splunk installed on an existing aggregation host uses simple syslogd; Splunk with the direct network inputs, right, it takes it into Splunk directly and stores it in the database, right. Next, if it is Splunk installed on a host receiving batch data, it moves like, for example, you are accumulating all the logs here and in a batch you are going to redirect them there, like using the remote system copy, like, you know, rcp or any such kind of protocol, copying the logs all together and putting them offline and archiving, and then Splunk analyzing it; that is another model. Next is a Splunk indexing model where there is a middle box here; they have shown it as Solaris, it may be Linux also, right, it may be AIX also; it needs to be one kind of an operating system where all your network hosts are forwarding their respective logs into a particular common box, and that common box forwards it
into Splunk; this is another model, right. Then Splunk is installed on all servers, where, say, you have the single-user Splunk installed on all these things and then get all these logs forwarded from Splunk, through Splunk, into your Splunk Cloud or Splunk security, Enterprise Security. So these are the various different types; like, you have options. The simplest one is simple log forwarding, that is the directive... a position to make an urgent call about laughter last bubble Berkeley for approval... um, yeah, this is like, ah, you have a Windows system, you have a Linux system or you have any other systems where you install Splunk standalone, okay. Okay, install Splunk standalone: Splunk will locally take over the job of the locally available log recorder; either it may be, in case of the UNIX or any boxes, it may be syslog, Splunk standalone will replace that syslog locally, and if it is Windows it will replace the event server locally, and Splunk will redirect to the Splunk Cloud or Splunk security, or another Splunk. It is Splunk to Splunk; imagine on this box there is Splunk and here there is Splunk, Splunk to Splunk. Top level, is it like an agent installation? It is not agent; it communicates like agent-manager, right. But is Splunk single user or multi user? So which one will be good, or in all, which one will be a better one? Okay, so in case of the better one, in the sense, the better one would be the simple syslog forwarding, if on your system syslog is available; if on your system syslog is not available, such as Windows systems, Windows servers, at that time you have to use this means itself. The answer is a combination would be better for you; again it depends on the heterogeneity that you have in your network, what are all the different types of systems that you have. If you have an all-Windows network then you have to stick to this model, the last model, because the syslogd server is not there; then you have to have simple Splunk installed on all your Windows servers, so that
those Splunk applications will take over the job of event recording on your Windows server and forward it to Splunk. Which bits, components, do we need to install in this Solaris server, like forwarders? Exactly, well, so in case of Solaris and all those things you can do a simple syslog forwarding also, okay, because when you install another application, of course, you have to take care of the respective system's load also, load and performance also, right. So for example if you are running some critical email server on your Linux box which is already having sufficient load of email exchanges, then additionally installing a Splunk forwarder application or a Splunk single-user application, right, then it may add up to, you know, it may be a little bit expensive operation, right; that's the reason if there is a syslog redirect available, start using that straightaway. Deployment with multiple Splunk indexers: so this is for high... you know, the large enterprise setups where you have multiple offices, right, and you have multiple different Splunk server deployment models. It is like within Splunk itself it's multiple things; one is with the data balancing, this is the load balancing model where you have multiple Splunk installations, Splunk server installations, and on, you know, the load sharing basis the logs are being forwarded, where, you know, all these things, it is a duplicate, see, ultimately, and each Splunk instance will talk to the other Splunk instance and it will do it on a load sharing basis, right. How this communication will happen: Splunk provides you something called clustering models, right, which yesterday in the configuration screen we might have seen, I think, right; anyway we can see that now. After this, there itself, let me try it. So this is a cluster monitoring, right... could even, plus, configure, yeah, sorry, sorry, sorry, here it was actually. So I can have these server settings that will control this. Okay, let us see, okay, maybe it's
a trial version; I don't see that. I wish I should have here, in the server settings here itself, I should have that cluster setting, okay. Even otherwise we can get it here in the server settings, where I can have this. Oh, this is where one Splunk instance talks to another Splunk instance on a load sharing model; it has internal cluster services, based on that it will do the data balancing, right. So I'll just get that chatted with the organizer and have a couple of Splunk setups done and show you on that in the next classes. So in that... that is for all the cases, yes, of course; but however, you know, the question was how Splunk can speak to each other, multiple Splunks. Yeah, so you can have, you know, the cluster done in a data balancing model. And next is data routing: in case of data routing there will be data routes to configure, where this is again a multiple Splunk where we could configure the respective, maybe it is different different operating systems, that could route the data into this Splunk, and service providers and other systems too. So next is Splunk index and search tiers; it's for the scalability, such as it's a large enterprise network where you have multiple Splunks serving multiple locations, configured where you can isolate the Splunk installation for a particular purpose itself, such as one is for collecting all the logs and then forwarding them, and then certain things only to do the respective operations; you can segregate the operations, the functionalities to be done in each of the Splunk instances in a hierarchical model. Say, imagine this is from one data center, this is from another data center, both of them are redirecting to a common Splunk which has, you know, the recording of the events from Splunks itself, other Splunk servers itself, and then it could use a SAN or NAS box for external storage or archiving the respective Splunk. So this is typically used in the large enterprises' case
where there may be millions of events per second that could get recorded. Give me, what is a NAS and a MAX box? These are storage boxes; so NAS, network attached storage, is where, when Splunk is giving a few millions of events per second, right, then you require a large storage, the additional storage, right. This is how it is in case of all your web servers, again servers where there will be external storage which will be attached to those respective servers; this is a large-scope environment. So that we need to set up ourselves, or Splunk will provide their storage, or Splunk cannot provide, or is it a large cloud? Yes, of course, because it's Amazon service, right, AWS; early at that you can go for such kind of deployment, you can ask Splunk to provide such kind of deployment, or you can buy your own respective additional storage, you know, the storages on AWS. All right, we will get... let's go. I'm going to configure. So we have here multiple different kinds of events getting recorded at a particular time, and how many of them; so let's see that there has been a burst of hosts with multiple infections, at a number of like 38 numbers of attacks would have happened. Let's see, let's deep dive, so incident review. So when we look at this particular incident that gets populated, okay, so there are these many hosts which are, you know, infected together, where you can look at it: what is the time, what is the type of the event, host with multiple infections, in the bracket that you see is the host name or IP address, right. So this is under the security domain of endpoint, and endpoint means it must be the end-user network where that might have happened. What is the urgency level? It is medium. So now if we have to take a look at the event, how the events are getting recorded within Splunk: again it is deciphering or it is normalizing the syslog message and putting it across here, right. If you see here, first one, two, three, four and five columns, sorry, four columns are
about what syslog has given; the next three columns are what Splunk decides, like Splunk would give it the status; it will give the status flag, it will assign the owner flag and it will assign the actions flag, right. So for example, an event has occurred on the network, by the host by the name host 013, at the particular date and time of this, and the particular host belongs to the endpoint domain, and the type of the event, the urgency of the event, is medium. So this is what the event was, communicated from host 013 to Splunk. Right now this is a fresh event that is not yet... nobody has attempted this event; that's the reason Splunk has kept it as new. Oh, next is owner; so currently, since the status of this particular event is new, right, it is not assigned to anybody, it is unassigned. So the next tab says the action, what has to be taken. So now this event can also be assigned to somebody, right; we can edit this particular tag and we can mention whatever is the value and then say save. Once we do that then we can also edit this particular thing and we can make it as assigned to somebody; so if we have users then we can assign this event to somebody, and then we can take this particular event under the respective actions; we can configure the respective actions such as add event for investigation, further investigation, or create notable event, build the event type, extract the fields and all those things. But however, it starts doing... okay, I want to investigate more: what would be the values of this "has an owner"? What will be the values for this "has an owner": if the users are created on the system, right, okay, you can expect a user to do this, like, say in case of multi-operator. So it's like assigning it to someone in the team, that's what you think? Yeah, it is like that, exactly, the same way. Okay, so that is it; it is assigned to them what they need to work on; that's how it is, okay. So I would do as add event for further
investigation; then I can create the respective investigation, right. You see here: you are adding the following events, this is the event with host 013, for investigation; there are no investigations to add currently, okay. I can create the investigation of my own: test investigation. Then I can say new, or in progress, or pending, resolved, closed; what you saw there, right, that currently it is in new, right; I can say in progress, and I can say "test investigation for that research", then I can say start the investigation, save, and it is taking me to the start of the investigation. I have it figuring out here, correct; see here, now this is the workbench view. In the workbench view I can see what are all the investigations that are pending for investigation, so I can say explore this and see more details of this, correct. So this says this is an IDS event, correct; you see here that the model is given on one side. Give me a second, let me hide this box. So I have here the type of the event visible out here, with a particular risk score assigned at 160, and the risk object is this particular host name, and the risk type is system, you know, the account type is system, and the risk modifier over the time, like, you know, how this particular risk has been modified over the period of time: you see here at a particular time it was 80, that means twice, once 80, again 80, so the risk score became 80 plus 80, right. So next, what is the type of this particular alert? So the type of this particular event is IDS alert; IDS means intrusion detection system alert, okay. So what type of the alert it was giving: the source IP, the alert triggered with the host name, and was given a signature ID with the McAfee... yeah, intrusion detection event, it is actually correct, yes. Okay, so where it has happened, on which system it was caught: host 01, mostly 01, that's the destination of the attack, yes. What is the source of the attack? The source of that attack is xxx, from
the IP 30... 2 500 3 2 1 2 4 1 2 4, right. So how, what is the type of the intrusion: it's a host type, not a network type of event; it is not a network type of event, it is a host type of event. That means it happened on this... it is showing, you know, when you have the type of host in the IDS type, it says that the HIPS or HIDS has detected this particular event, and what is that particular signature that has matched: the signature is Common Standard Protection: prevention of modification of McAfee files and settings. What does it mean? Can anyone... any attempts, when I see this kind of a signature triggering, what may be the action, the activity that would have been attempted? Maybe any virus will occur? No. Modification of... modifying the files, it is detected. Okay, so why would somebody do this, right? So if a spyware or a ransomware or anything attacks your system, the very first thing is it will try to disable all the preventive measures that are on your system; to do that it needs to change the simple setting file where prevention is yes; it has to try to make that as prevention no, correct? Yes, it matches the signature, yes. So that means an attack has happened; that attack tried to change the McAfee files and settings, means it tried to modify the file of the McAfee configuration, means any software that you use on your system, that will come with the config files, correct, a set of config files; changing a config file means what, changing the status of the application. Now if an outbreak is attempted on your system, that outbreak, the attacker who does this, who causes this outbreak, he is trying to modify the settings of your application by means of modifying the configuration file of that respective application. Now that event got caught because you already had advanced signatures available on your host intrusion detection system, right; it did not allow that attacker to do that particular activity. So
this event means that the category is HIPS file and the severity is low. Why it is low: it's low mainly because the attempt was blocked. If the attempt had succeeded, just detected, but McAfee HIPS could not do anything, in that case that severity would have gone slightly higher, why, because it needs the attention of the administrator to do something else; do-over cannot, correct. So this is one of them. Now we have done this context investigation; next we can go to endpoint data: changes made to the registry are investigated and the identified data source is the change analysis data model, okay. So network data: there is no data set yet here, but here, okay, it's gone. Now network data, you see here, let me explain it, let me expand it, okay. This event was generated because of some kind of activity using some kind of protocol; see what the user did to cause this event, where did the user download this particular attack. I'm making it more secure access, or else, yes, he accessed test web com, justfab.com here, right, which is a source for the infection, in this room, correct. So he tried downloading or something of that sort; he might have simply clicked it, means this particular event is some kind of a spyware or adware, right. So a single URL came and the user just clicked it and it took him there and then started, you know, throwing various... it created automated loading of multiple: b.txt, user1.jpg, b.txt again, usercontent5.jpg, all these various different files; this must be an adware or a spyware, chances are there. And what did it do, what did it do in that order, you can see there: what is it, it did first a GET; HTTP GET means the user requested this file, and then there is something called stealing of information which was attempted, right; POST means try to login, yes, I got the access, and then tried to post some data onto that particular server; this is like it may be stealing of login information from your desktop, that kind of an event it is. See me again, in which is here, it
is no user, LDAP user, for user 5, all these things. When you saw in the previous screen there were 168 number of such kind of user events there, correct. So this is what it is, and whenever you see a POST request it means it must be login information; login information might have been given to the source of attack or onward server; that's what is the case right here. You see something like GET and POST together, two of the requests meant together; it means when accessing a .jpeg kind of a file there were two such kinds of events together, okay. So these are all like, you know, the packet size and everything, all those things, and totally if you see here there are, if you go to the next, right, so many of them, so many; you see here different different types of events, you can see here. Can we get this information in real time? What it is, to do is simulate an attack; really, how to have an attack simulated: you have to have HIPS installed first of all on your desktop, and then that desktop redirects all its logs to this particular Splunk server, because Splunk is compatible with any and every type of log forwarding, well. So next is: if you have any other forensic information then you can go ahead and add in content; here it is like now you got the event, understood on the Splunk, okay. So once you know the event, what do you do: now you know the event, now you know the respective host on which it had happened, and what are the various different files also, correct. Now adding artifacts comes into the picture, that means you can add the content or add an artifact for further investigation, because now Splunk has alerted you that on the host host 13 some issue has happened. Now you will go, as a security administrator what you will do: you will go and log on to that respective system and try to find out what really happened on that system; this is the reactive measure that you take, and do the respective root cause analysis of why it
has happened and all those things, or you go to the respective... okay, let us take an exact example. So the exact example may be in that particular host 13 there may be a folder by the name McAfee and there Windows System32 and etcetera etcetera, right. So in that McAfee folder you may see some configuration files; you may want to check all those things and collect those respective artifacts, whether they are proper or not proper; you collect that and then come back and add it to the investigation. So you can correlate this particular investigation activity to a typical police investigation activity: so how would they do in case of that, they first go and register a particular case and then they do the investigation; while doing the investigation they collect the fact files, right, okay, I saw the place, this is what it looks like, I prepare a report out of it and then submit that. The same way, if there are any clues I collect those clues, if there are any evidences on the spot of the incident then I collect all those evidences and then make it a case file and then submit it. So similar to that the artifact is also here. So artifact, I can say asset or identity, right; I can mention, and I can mention the description of the artifact; I can expand this particular artifact to add multiple other artifacts, like as many evidences I am getting, under a single listing I can add that, or I can add multiple artifacts one by one; these are all various different artifacts related to this respective event, then I can submit it also, right. So the same way I can do here adding the content: so go to the additional content, or add a single... so I can add the content here, what you see here, there, for our better understanding, right. So now I have done this particular investigation. Sorry, one question to know: yeah, so as you told, actually we can get our samples, right, through... so from Splunk itself we will get access for that device, or else we have that... from that perspective we have to collect the
sample and upload it into Splunk? Splunk is a repository; Splunk is not a tool... it is not that, I don't want to say a tool, where it will take you to the system and then get it. So if the system sends it, Splunk will keep it; if the system doesn't send it, Splunk has no way of collecting it. And that is in real time, real time; if you don't have access we need to request those files, right, whoever is not in my office, ask that respective... It is like, you know, an incident has happened and you are contacting the owner of that respective asset, correct; this host, host 13, is owned by some other user; you will send an email, you know, "I saw some kind of event happen on your system, please go here and here and here, you get me this information." Wow, that is one way, okay, by requesting and getting it. Or else, good, so typically all these security product lines, McAfee or Symantec or such kinds of product lines, they have their policy enforcers, right; McAfee has something called McAfee ePolicy Orchestrator, which will control all the hosts in the network; Symantec has something called Symantec Endpoint Protection; like this, Sophos and all those people have their own managers, like Trend Micro manager is there. So all these security companies, they have their own managers, correct. You can, without disturbing or without informing the end-user and asking him to do it, instead of that you can escalate a ticket, or I talk to the, what you say, these policy orchestration managers who handle this McAfee ePO or Symantec SEP or such kinds of things, and ask them, in your network, to get the artifact, okay, clear. Identities, assets, all these things could be added here; this is an asset, naturally, right, so host 13 is that asset. Next, here are various different things: I can edit the entry and change all those things, without... simple cosmetic changes, correct. You see here what happened under this, we have more details here: event ID, risk score, untrust, PCI domain, required CV, all these things; these are
all the remaining cosmetic related to the residence between direct host with multiple instructions there have been multiple infections on this coast okay now we get it done right I can now see the summary of this I have here status new unassigned now this has become like I have done this thing and it has become like notable event and created by me correct this is my investigation artifact I have created the artifact here I can see timeline of this particularly and for more details I can list view or flight of view slide we will show you more details like this only thing figure and status is new one design all these disabilities now I can add an action I did this entry say it save the title adding and all those six cosmetic changes to this next is a details of this event here it is field is critical is not true hi not true all these things various hundreds of you know attributes related to that respect acuity it I can see any number of such kind of things what are all the things happened on the system everything is here correct so ListView it will show you multiple things open incident in a different grid I can be here you all those incidents will come again operated by the time let us go and finish our investigation here now I can edit this which is investigation Sai in aggress it is right I can say pending change the status you can say steel you this is a in investigation lifecycle select identity I said or identity identity they say user PPS then type a label is user details and I can say correlate other artifacts expand data first there it would come if it is not that I can see a tactic so I have one is usual type of active an artifact another is asset type of right so then I can go to time ban and see here I have all these events correct and then I can do a date and say this all ended clear and now I see the summary here see two different investigation artifacts are added here one is a host 13 or different test artifact it's a notable event type it's a no suit 
type because it's a use identity here now after doing this it's a refresh of this and I can go back to investigations right I have test investigation here which is in the status of result we have done an investigation where we have taken a precautions yeah this is investigation it's not mitigation under sedation here medicals next action is next okay now very first thing what do you do well yeah correct investigation while doing investigation you will collect all the data related to the incident correct right so next is you can select all these things and ah we can create a new investigation or anything of that sort so you see here there was another investigation which was earlier added right this is this was another investigation where blue force access behavior detected suspicious access attempts from Windows 2012 server in primary data center let us see what it is means all these users um client and admin and these are the various different hosts right again filter by a self only or I can filter by user zone both are possible now what had happened here sorry I can explore this and see what can happen here these are all the things which are happened here you see here recent risk model so CEO number of failed login attempts risk score 60 access brute-force access behavior detected detects excessive number of a la minute of risk increased 80 so like this it carries on okay you so I just collapse this and go to this part of the screen you here it is coming you that's digital display problem you this is a description of a tension so there are a whole source and is a destination you it is not much related to the user you they just have added a moment Oh extra data here do not added anything extra that would attack you are not a higher user related it is not oh they were just added it for that they split actors but when we go to a sex with so if your contacts per means it will be was a distinction on the big yes say it's like you know typically it won't show you only 
based on the user it show you it um client logged on to Acme 0:04 then there may be some haunted she may not be this game may not be the user of this particular asset yeah yes this is guy is using this at Mozilla therefore and is there is the user of that see here what happened here excessive number of failed login attempts alerts with post with multiple infections discovered detail extensive number of wind login attempts detects authentication request and transmit the password over the network has a clear text that so this is one of the violations right the rule violation or it's a kind of a vulnerability and discourse autonomous activity such as detection of clearing of log files attackers oftentimes clear the log files because they don't want you to have the traces of what they did so these are all the things under this and we can go to summary you can see here multiple investigation artifacts are created and you can see each of them expat dead here yeah so then let's go back to investigations okay so all investigations these two are that investigation says I'm doing is this just land to me correct my name is here elaborated one person okay so let's go back to incident review this is what it is now I can take a mitigative action also show you and to create notable event I have already done the add event to investigation investigation completed and create a notable event they say how to do all those things then it becomes something has been done you see here facilities and owner and status status can say pending or resolved also right I can do this result let's name the gas Multi fractions multiple infections and series you see here status as the result correct so I can add it is designed not necessarily know I'll still do that okay Boehner is on a night but the current leader status of this is resolved I can change extract fields will type after this okay run adaptive response actions again create a response action stream capture nest lookup and beast and these 
are all various different type of actions that I can take on this I can do say for example risk analysis I can design the risk score to this I can change this risk object field application of the risk of 10 put asks for Andrus carbonate is application system system is the yeah risk score is it depends on you know in any network first of all what you need to do is you have to identify what is important alert for you what is important what attack is of high risk for you correct so in some organizations they may say that you know I anywhere is that anyway this or any login attempt failure is quite important and that's of high risk right so who must be running online financial servers right we Witcher the banking net banking or any such kind of applications at that time for them it becomes even a friend login attempt is also quite important event but in case of let us say about user domain simple user domain login attempts ok people might be trying to login but it is not that important because these are all Windows users so based on that kind of activity you run something called the event risk assessment Network risk assessment okay and when you do that assessment for each of the activity you have to assign a particular score the highest score is the highest threat lowest score is the lowest threat for you this is risk assessment activity and risk score as I am net activity here yeah
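The risk-scoring idea described above (each detected activity gets an organisation-specific score, and the scores attributed to a host or user accumulate until they are worth a notable) is shown below as an added Python example. It is not code from the video or from Splunk Enterprise Security; the rule names, the two weight tables, the 24-hour window and the sample events are all constructed assumptions that only illustrate how a banking environment and an ordinary office domain would weight the same events differently.

```python
"""Toy risk aggregator in the spirit of ES risk analysis (added example).

Constructed example: rule names, weights, window and events are assumptions,
not Splunk ES defaults.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RiskEvent:
    when: datetime
    rule: str          # correlation rule that fired (assumed names)
    risk_object: str   # host or user the event is attributed to
    object_type: str   # "system" or "user", as in the risk object type


# Assumed per-organisation weights. A banking network treats failed logins as
# high risk; a plain office user domain does not, but log clearing and
# clear-text passwords are serious everywhere.
BANKING_WEIGHTS = {
    "excessive_failed_logins": 80,
    "brute_force_access": 80,
    "cleartext_password_auth": 60,
    "log_clearing": 90,
}
OFFICE_WEIGHTS = {
    "excessive_failed_logins": 20,
    "brute_force_access": 50,
    "cleartext_password_auth": 60,
    "log_clearing": 90,
}


def score_event(event, weights, default=10):
    """Look up the score for one event; unknown rules get a small default."""
    return weights.get(event.rule, default)


def aggregate_risk(events, weights, window=timedelta(hours=24)):
    """Return {risk_object: total score}, counting only events that fall
    within `window` of that object's most recent event."""
    by_object = defaultdict(list)
    for event in events:
        by_object[event.risk_object].append(event)
    totals = {}
    for obj, evs in by_object.items():
        latest = max(e.when for e in evs)
        totals[obj] = sum(
            score_event(e, weights) for e in evs if latest - e.when <= window
        )
    return totals


def risk_notables(events, weights, threshold, window=timedelta(hours=24)):
    """Risk objects whose accumulated score reaches the threshold, sorted."""
    totals = aggregate_risk(events, weights, window)
    return sorted((obj, s) for obj, s in totals.items() if s >= threshold)


# Constructed sample events (not real data). host13 is the host from the
# investigation above; the user "client" has one stale event outside the window.
T0 = datetime(2020, 7, 16, 9, 0)
SAMPLE_EVENTS = [
    RiskEvent(T0, "excessive_failed_logins", "host13", "system"),
    RiskEvent(T0 + timedelta(minutes=5), "excessive_failed_logins", "host13", "system"),
    RiskEvent(T0 + timedelta(minutes=7), "brute_force_access", "host13", "system"),
    RiskEvent(T0 + timedelta(minutes=30), "log_clearing", "host13", "system"),
    RiskEvent(T0, "excessive_failed_logins", "client", "user"),
    RiskEvent(T0 - timedelta(days=3), "log_clearing", "client", "user"),  # too old
    RiskEvent(T0 + timedelta(hours=1), "cleartext_password_auth", "acme-0004", "system"),
]


if __name__ == "__main__":
    for name, weights in (("banking", BANKING_WEIGHTS), ("office", OFFICE_WEIGHTS)):
        print(name, aggregate_risk(SAMPLE_EVENTS, weights))
        print(name, "notables at 75:", risk_notables(SAMPLE_EVENTS, weights, 75))
```

With the same seven events, the banking weights raise both host13 and the user "client" above a threshold of 75, while the office weights raise only host13, whose score is driven by the log-clearing event rather than the failed logins; the three-day-old event on "client" is ignored because it falls outside the window measured from that object's latest event.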
Info
Channel: Intellipaat
Views: 20,633
Keywords: splunk enterprise security training, splunk security training, splunk siem training, splunk siem tutorial, splunk siem, security information and event management, what is splunk siem, splunk siem course, splunk enterprise, splunk enterprise security, splunk, siem, splunk security, siem security, splunk training, intellipaat splunk siem
Id: 9D00ysP5Hbg
Length: 115min 57sec (6957 seconds)
Published: Thu Jul 16 2020