Hands-On Security Breakout Session: ES Guided Tour
TRANSCRIPT
![Page 1: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/1.jpg)
Copyright © 2015 Splunk Inc.
Hands-On Security
ES Guided Tour
Denver, August 2015
![Page 2: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/2.jpg)
Name: Hyatt Meeting
Access Code: Splunk2015
![Page 3: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/3.jpg)
3
Safe Harbor Statement
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
![Page 4: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/4.jpg)
4
Agenda
What is the Splunk App for Enterprise Security?
Guided Tour
– General Overview
– Common Information Model
– Incident Response Exercise
– Creating a Correlation Search
Questions?
![Page 5: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/5.jpg)
5
These won’t work…
![Page 6: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/6.jpg)
*** This is a hands-on session ***
Please use your individual URLs and creds.
Want a walkthrough document?
Email [email protected]
![Page 7: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/7.jpg)
7
Thank you!
David Veuve
![Page 8: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/8.jpg)
Machine data contains a definitive record of all Human <-> Machine and Machine <-> Machine interaction.
Splunk is a very effective platform to collect, store, and analyze all of that data.
![Page 9: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/9.jpg)
Platform for Machine Data: a rich ecosystem of apps across data sources, use cases and consumption models. (Diagram labels: Mainframe Data, VMware, Exchange, PCI, Security, DB Connect, Mobile, Forwarders, Syslog / TCP / Other, Sensors & Control Systems, Stream; Splunk Solutions > Easy to Adopt.)
9
![Page 10: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/10.jpg)
Rapid Ascent in the Gartner MQ for SIEM
10
(Chart: Magic Quadrant positions for 2011, 2012 and 2013)
![Page 11: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/11.jpg)
2015: The only one that moved along the “vision” axis!
![Page 12: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/12.jpg)
12
ES Fast Facts
• Version 3.3 of the product is shipping now
• We release at least twice a year and add lots of new content
• Content ideas come from industry experts, market analysis, focus groups, internal brainstorming, but most importantly YOU
• All of the great things about Splunk carry through into ES – this makes it flexible, scalable, fast, and customizable. It leverages everything cool about Splunk.
• ES has its own development team, dedicated support, services practice, and training courses
![Page 13: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/13.jpg)
ES Guided Tour
![Page 14: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/14.jpg)
14
Log in with your credentials. Use any modern web browser (works better with non-IE).
![Page 15: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/15.jpg)
15
Click on Security Posture
Launch page for all major sections of the ES app
ES Content dropdowns; Splunk app context
![Page 16: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/16.jpg)
Security Posture
![Page 17: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/17.jpg)
17
Key Security Indicators (sparklines, editable)
Notable Event info
![Page 18: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/18.jpg)
Common Information Model
![Page 19: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/19.jpg)
19
Bring up a new tab to http://splunkbase.com and search for “common information model”. Click the first link that comes up.
Search
![Page 20: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/20.jpg)
20
Type “Fireeye Add On” into this search box and press enter.
Search
![Page 21: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/21.jpg)
21
Click
![Page 22: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/22.jpg)
22
CIM Compliant!
![Page 23: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/23.jpg)
23
Navigate to Security Domains -> Endpoint -> Malware Center
Click
![Page 24: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/24.jpg)
24
Click on “Mal/Packer” bar
Various ways to filter data
KSIs and the rest of the dashboard are malware-specific
![Page 25: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/25.jpg)
25
Raw data coming from Sophos
Various ways to filter data
Click back button
Click
![Page 26: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/26.jpg)
26
Click on “Hacktool.Rootkit” bar
Click
![Page 27: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/27.jpg)
27
Raw data coming from SEP/SAV
Same dashboard, different data source
![Page 28: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/28.jpg)
28
Click on Search -> Pivot
Click
![Page 29: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/29.jpg)
29
29 security-relevant data models from CIM (20 shown)
Click on Malware
Click
![Page 30: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/30.jpg)
30
Click “>” next to Malware Attacks
Click
![Page 31: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/31.jpg)
31
CIM attributes related to malware
Click Malware Attacks to pivot
Click
![Page 32: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/32.jpg)
32
Filter Timeframe to Last 60 Minutes
Change
Total count of attacks
Change to over Time (area)
Click
![Page 33: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/33.jpg)
33
The time range we selected
Split out by signature (Add Color)
Click
![Page 34: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/34.jpg)
34
Scroll to signature
Click
![Page 35: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/35.jpg)
35
Can save as a report or dashboard panel
![Page 36: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/36.jpg)
36
Review security domains available
Click
![Page 37: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/37.jpg)
37
“Access” domain
Click Back
Click
![Page 38: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/38.jpg)
38
“Endpoint” domain
Click Back
Click
![Page 39: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/39.jpg)
39
“Network” domain
Click Back
Click
![Page 40: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/40.jpg)
40
“Identity” domain
Click Back
Click
![Page 41: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/41.jpg)
41
Searches that rely on this data model
How much of ES can I use?
What else could I onboard?
(more) searches that rely on this data model
Instructor Only
![Page 42: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/42.jpg)
Risk Analysis
![Page 43: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/43.jpg)
43
Click “Risk Analysis”
Click
![Page 44: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/44.jpg)
44
Filterable
KSIs specific to Risk
Risk assigned to system, user or other
Sort by object type, scroll
![Page 45: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/45.jpg)
45
Page through to see other objects
Recent risk assignment and sources, sorted
![Page 46: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/46.jpg)
46
Can assign ad-hoc risk to an object
![Page 47: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/47.jpg)
Threat Activity
![Page 48: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/48.jpg)
48
Click “Threat Activity”
![Page 49: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/49.jpg)
49
Filterable, down to IoC
KSIs specific to Threat
Category of IoCs
Most active threat source
Scroll down…
![Page 50: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/50.jpg)
50
Specifics about recent threat matches
![Page 51: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/51.jpg)
51
Configure -> Data Enrichment -> Threat Intelligence Downloads
Click
![Page 52: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/52.jpg)
52
Open-source and commercial threat sources
TAXII support
Click “sans”
![Page 53: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/53.jpg)
53
URL to retrieve data from
Weight used for “risk”
How often (12h)
How to parse
Click back button
Click
![Page 54: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/54.jpg)
54
Click “Threat Artifacts”
Click
![Page 55: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/55.jpg)
55
Artifact Categories – click different tabs…
STIX feed
Custom feed
![Page 56: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/56.jpg)
56
Click “Threat Intelligence Audit”
Click
![Page 57: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/57.jpg)
57
Status of downloads
Date of last update
Details on download
![Page 58: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/58.jpg)
58
Review the Advanced Threat content
Click
![Page 59: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/59.jpg)
Reports
![Page 60: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/60.jpg)
60
Click “Reports”
Click
![Page 61: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/61.jpg)
61
Over 330 reports to use or customize
Filter (try “malware”)
![Page 62: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/62.jpg)
Incident Response Workflow
![Page 63: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/63.jpg)
63
Click “Security Posture”
Click
![Page 64: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/64.jpg)
64
Click “Threat Activity Seen from Endpoint – Zeus Demo” – you may have to go to page 2 or 3 to see this event.
Click
![Page 65: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/65.jpg)
65
Throttling is turned off for the purposes of this exercise
![Page 66: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/66.jpg)
66
Check the checkbox next to the event matching your timerange
Click
Click “edit all selected” after you’ve selected the event
Click
![Page 67: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/67.jpg)
67
Fill out Status: In Progress. Urgency: High. Owner: <your persona>. Comment: <whatever you want>.
Populate
Click
![Page 68: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/68.jpg)
68
Event updated
Click “>”
![Page 69: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/69.jpg)
69
Recent activity on event
Ownership
Data from asset framework
![Page 70: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/70.jpg)
70
Drill down on “115.29.46.99” and select Domain Dossier
Click
Click
Pivot off of everything. Go internal or external. Customize.
![Page 71: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/71.jpg)
71
Oh look! China!
Click back to Incident Review
Click
![Page 72: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/72.jpg)
72
Drill down on “115.29.46.99” and select “Web Search as destination”
Click
Click
![Page 73: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/73.jpg)
73
Lots of data
Malicious IP, TCP instead of HTTPS…
Only one internal address, that’s good…
Change to 24 hours
Change
Click back to Incident Review
Click
![Page 74: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/74.jpg)
74
Drill down on “cgilbert-DC3A297.buttercupgames.com” and select Asset Investigator
Click
Click
![Page 75: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/75.jpg)
75
Data from asset framework
Configurable Swimlanes
Darker = more events
All happened at ~same time
Change to “Today” if needed
Change
![Page 76: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/76.jpg)
76
Select “Exec File Activity” vertical bar
Select
![Page 77: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/77.jpg)
77
“calc.exe” running out of the user profile? Hmmm….
Drill into the raw events
Click
![Page 78: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/78.jpg)
78
Raw events from Microsoft Sysmon
Splunk automatic field extraction
Type “calc” at end of search and hit enter
Add “calc” to search
![Page 79: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/79.jpg)
79
Raw term search highlighting
Click “>” to see event field mapping
Click
![Page 80: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/80.jpg)
80
Parent/child relationship. Calc.exe was dropped by PDF Reader.
Looks like Chris Gilbert was reading his email and opened an attachment.
Scroll to other event
![Page 81: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/81.jpg)
81
Click “>” to see event field mapping
Click
![Page 82: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/82.jpg)
82
Parent/child relationship. svchost.exe was dropped by calc.exe.
Click on Image name
Click
![Page 83: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/83.jpg)
83
Click “New search”
Click
![Page 84: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/84.jpg)
84
New search for unique pattern in the data…
Click “DestinationIp”
Click
![Page 85: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/85.jpg)
85
There’s our malicious IP!
We now know that something calling itself “svchost.exe”, dropped by something calling itself “calc.exe”, which was in turn dropped by our PDF reader upon opening a weaponized PDF, is communicating with a “known bad” IP address.
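The parent/child trace the slides do by hand, as an added example (not from the slides, the ES app or the demo data): Python over constructed Sysmon-style events, starting from the network connection to the known-bad IP and walking ParentProcessGuid back to the PDF reader, flagging links that run from a user profile or masquerade as a System32 binary. The GUIDs, paths, the benign second process tree and the flagging rules are assumptions.

```python
"""Trace a Sysmon process chain from a threat-listed network connection back to
its root, the way the slides walk svchost.exe -> calc.exe -> PDF reader by hand.

The events below are constructed for this example (not the demo data); field
names follow Sysmon's own (EventID, Image, ParentImage, ProcessGuid,
ParentProcessGuid, DestinationIp). GUIDs and paths are made up.
"""

# Constructed Sysmon-style events: EventID 1 = process create, EventID 3 = network connect.
SYSMON_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A-1}", "ParentProcessGuid": "{A-0}",
     "Image": "C:\\Program Files\\Outlook\\outlook.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "ProcessGuid": "{A-2}", "ParentProcessGuid": "{A-1}",
     "Image": "C:\\Program Files\\PDF Reader\\pdfreader.exe",
     "ParentImage": "C:\\Program Files\\Outlook\\outlook.exe"},
    {"EventID": 1, "ProcessGuid": "{A-3}", "ParentProcessGuid": "{A-2}",
     "Image": "C:\\Users\\cgilbert\\AppData\\Local\\Temp\\calc.exe",
     "ParentImage": "C:\\Program Files\\PDF Reader\\pdfreader.exe"},
    {"EventID": 1, "ProcessGuid": "{A-4}", "ParentProcessGuid": "{A-3}",
     "Image": "C:\\Users\\cgilbert\\AppData\\Local\\Temp\\svchost.exe",
     "ParentImage": "C:\\Users\\cgilbert\\AppData\\Local\\Temp\\calc.exe"},
    # A genuine svchost.exe under System32 talking to an internal host: must not be flagged.
    {"EventID": 1, "ProcessGuid": "{B-1}", "ParentProcessGuid": "{B-0}",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"EventID": 3, "ProcessGuid": "{A-4}",
     "Image": "C:\\Users\\cgilbert\\AppData\\Local\\Temp\\svchost.exe",
     "DestinationIp": "115.29.46.99", "DestinationPort": 443, "Protocol": "tcp"},
    {"EventID": 3, "ProcessGuid": "{B-1}",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445, "Protocol": "tcp"},
]

# The "known bad" address from the exercise stands in for the ES threat-intel lookup.
THREAT_IPS = {"115.29.46.99"}

# Names that normally live in System32; seeing them elsewhere is a masquerading hint.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}


def build_process_table(events):
    """Index process-create events by ProcessGuid so parents can be looked up."""
    return {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}


def ancestry(proc_table, guid):
    """Image paths from the given process up to its earliest known ancestor (child first).
    The seen-set guards against cyclic or reused GUIDs in malformed data."""
    chain, seen = [], set()
    while guid in proc_table and guid not in seen:
        seen.add(guid)
        chain.append(proc_table[guid]["Image"])
        guid = proc_table[guid]["ParentProcessGuid"]
    return chain


def is_suspicious_image(image):
    """True for binaries running out of a user profile, or system-named binaries
    that are not under System32 (the calc.exe / svchost.exe pattern from the slides)."""
    lower = image.lower()
    name = lower.rsplit("\\", 1)[-1]
    if lower.startswith("c:\\users\\"):
        return True
    return name in SYSTEM_BINARY_NAMES and not lower.startswith("c:\\windows\\system32\\")


def find_threat_chains(events, threat_ips):
    """For each network connection to a threat-listed IP, return the connecting
    process's full parent chain and which links in it look suspicious."""
    table = build_process_table(events)
    findings = []
    for e in events:
        if e["EventID"] != 3 or e["DestinationIp"] not in threat_ips:
            continue
        # Fall back to the connecting image alone if its create event was never seen.
        chain = ancestry(table, e["ProcessGuid"]) or [e["Image"]]
        findings.append({
            "dest": e["DestinationIp"],
            "chain": chain,
            "suspicious": [img for img in chain if is_suspicious_image(img)],
        })
    return findings


def demo_findings():
    """Run the chain trace over the constructed events."""
    return find_threat_chains(SYSMON_EVENTS, THREAT_IPS)


if __name__ == "__main__":
    for f in demo_findings():
        print(f["dest"], "<-", " <- ".join(p.rsplit("\\", 1)[-1] for p in f["chain"]))
        print("  suspicious:", f["suspicious"])
```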
Scroll down…
![Page 86: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/86.jpg)
86
Click “threat_intel_source”
There’s the threat source it maps to
We could take this further by investigating email logs, wire data from Chris’s laptop, or access logs to determine how this PDF got stolen, but in the interest of time let’s update our event…
Click back to Incident Review
Click
![Page 87: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/87.jpg)
87
Select event and “Edit all selected”
Click
Click
![Page 88: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/88.jpg)
88
Fill out Status: Pending. Urgency: Low. Owner: <your persona>. Comment: <whatever you want>.
Populate
Click
![Page 89: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/89.jpg)
89
Event updated
Click “>”
![Page 90: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/90.jpg)
90
Click down arrow
Click
![Page 91: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/91.jpg)
91
Scroll and choose “Reimage Workstation…”
Click
![Page 92: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/92.jpg)
92
Hit the green button…
Click
Totally fake! But also totally possible.
Click back to Incident Review
Click
![Page 93: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/93.jpg)
93
Click “Incident Review Audit”
![Page 94: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/94.jpg)
94
Recent review activity appears in the panels
Click a reviewer name
![Page 95: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/95.jpg)
95
Detailed review activity scoped to the reviewer you clicked on.
![Page 96: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/96.jpg)
Creating a Correlation Search
![Page 97: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/97.jpg)
97
Select “Zeus Demo”
Click
![Page 98: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/98.jpg)
98
Select More -> Reports
Select
![Page 99: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/99.jpg)
99
Click “Open in Search” for the “Successful Portal Brute Force” report
Click
![Page 100: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/100.jpg)
100
Returns data if we see a lot of logon attempts, followed by access to portal admin pages, from a single IP that is on a known threat list
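The same three-part correlation (many logon attempts, then an admin page hit, from one threat-listed source) as an added example in Python over constructed web access log lines; this is not the report's own SPL, and the threshold, the /portal/ paths and the threat list are assumptions.

```python
"""Offline re-creation of the logic behind the 'Successful Portal Brute Force'
report: many logon attempts, then an admin page hit, from one source IP that is
on a threat list. Example code for this walkthrough, not the report's SPL.
The log lines, threat list, attempt threshold and /portal/ paths are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed web access log (combined-log style). 203.0.113.7 brute-forces the
# login and then reaches an admin page; 10.1.1.50 fails twice and reaches admin.
ACCESS_LOG = """\
10.1.1.50 - - [21/Sep/2015:10:00:01 +0000] "POST /portal/login HTTP/1.1" 401 512
10.1.1.50 - - [21/Sep/2015:10:00:02 +0000] "POST /portal/login HTTP/1.1" 401 512
10.1.1.50 - - [21/Sep/2015:10:00:05 +0000] "GET /portal/admin/users HTTP/1.1" 200 2048
203.0.113.7 - - [21/Sep/2015:10:01:00 +0000] "POST /portal/login HTTP/1.1" 401 512
203.0.113.7 - - [21/Sep/2015:10:01:01 +0000] "POST /portal/login HTTP/1.1" 401 512
203.0.113.7 - - [21/Sep/2015:10:01:02 +0000] "POST /portal/login HTTP/1.1" 401 512
203.0.113.7 - - [21/Sep/2015:10:01:03 +0000] "POST /portal/login HTTP/1.1" 401 512
203.0.113.7 - - [21/Sep/2015:10:01:04 +0000] "POST /portal/login HTTP/1.1" 401 512
203.0.113.7 - - [21/Sep/2015:10:01:09 +0000] "POST /portal/login HTTP/1.1" 302 0
203.0.113.7 - - [21/Sep/2015:10:01:10 +0000] "GET /portal/admin/users HTTP/1.1" 200 2048
this line is deliberately malformed and must be skipped
"""

THREAT_IPS = {"203.0.113.7"}      # stand-in for the ES threat-intel lookup
LOGIN_ATTEMPT_THRESHOLD = 5       # assumed meaning of "a lot of logon attempts"
LOGIN_PATH = "/portal/login"
ADMIN_PREFIX = "/portal/admin/"

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)


def parse_access_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "src": m["src"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events


def correlate(events, threat_ips, threshold=LOGIN_ATTEMPT_THRESHOLD):
    """Per source IP, count login POSTs seen before the first successful admin
    page hit. Fire only when the count reached the threshold *before* that hit
    (order matters: admin access first, then failures, is a different story)
    and the source is on the threat list."""
    attempts = defaultdict(int)
    hits = {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        src = e["src"]
        if e["method"] == "POST" and e["path"] == LOGIN_PATH:
            attempts[src] += 1
        elif (e["path"].startswith(ADMIN_PREFIX) and e["status"] == 200
              and src not in hits and attempts[src] >= threshold):
            hits[src] = {"attempts": attempts[src],
                         "first_admin_hit": e["time"].isoformat(),
                         "admin_path": e["path"]}
    return {src: h for src, h in hits.items() if src in threat_ips}


def run_demo(threat_ips=THREAT_IPS):
    """Parse the constructed log and return the correlation matches."""
    return correlate(parse_access_log(ACCESS_LOG), threat_ips)


if __name__ == "__main__":
    for src, detail in run_demo().items():
        print(f"{src}: {detail['attempts']} logon attempts, then {detail['admin_path']} "
              f"at {detail['first_admin_hit']}")
```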
![Page 101: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/101.jpg)
101
We COULD select this text, copy it, and use it in a correlation search…but let’s make it easy.
Select
![Page 102: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/102.jpg)
102
Go back to the Enterprise Security app
Click
![Page 103: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/103.jpg)
103
Select “Custom Searches” under Configure -> General
Select
![Page 104: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/104.jpg)
104
~200 correlation searches, KSIs, swimlanes, etc.
Click “new”
Select
![Page 105: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/105.jpg)
105
Click “Correlation Search”
Select
![Page 106: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/106.jpg)
106
We’re going to fill out this form…but sit tight.
![Page 107: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/107.jpg)
107
Second half of the form, after scrolling down
How to assign risk
Other actions of interest (like Stream Capture)
![Page 108: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/108.jpg)
108
Click the link!
Click
Then click save…
Click
![Page 109: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/109.jpg)
109
Return to Incident Review
Click
![Page 110: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/110.jpg)
110
Search for events owned by you (remove All)
Search
Note custom description
![Page 111: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/111.jpg)
Q & A
(next slides please…)
![Page 112: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/112.jpg)
The 6th Annual Splunk Worldwide Users’ Conference
September 21-24, 2015, The MGM Grand Hotel, Las Vegas
• 50+ Customer Speakers
• 50+ Splunk Speakers
• 35+ Apps in Splunk Apps Showcase
• 65 Technology Partners
• 4,000+ IT & Business Professionals
• 2 Keynote Sessions
• 3 days of technical content (150+ Sessions)
• 3 days of Splunk University
– Get Splunk Certified
– Get CPE credits for CISSP, CAP, SSCP, etc.
– Save thousands on Splunk education!
112
Register at: conf.splunk.com
![Page 113: Hands-On Security Breakout Session- ES Guided Tour](https://reader030.vdocuments.mx/reader030/viewer/2022033021/55d381b5bb61eb44048b466d/html5/thumbnails/113.jpg)
113
We Want to Hear your Feedback!
After the Breakout Sessions conclude
Text Splunk to 878787
And be entered for a chance to win a $100 AMEX gift card!