All right, so in my last lecture we got our OPNsense data into Splunk, as you can see, the beauty before your eyes. And now we're going to do the same for Suricata. So in order to make this work, we need to download the TA for Suricata. So if you just go to this link here, or you Google Splunk TA for Suricata, you get to this page. You'll see it says the app has been archived. You know, it's old, doesn't matter, it still works. So don't let that scare you away. So we're going to do this: we're going to click login to download. We're just going to log in with our Splunk creds. All right, let's grab it. Agree to download, yes.

All right, so the download is done. Let's go ahead and copy it over to our appliance. Fire up the good old command prompt, cd Downloads, and there it is right there, right? So what we can do is, we have SCP built into Windows 10 by default. It ships with Windows 10, which is really convenient for us, because now we can use SCP to basically send this file over. So we're going to put the file name in there. I'm going to log in as root, and we're going to put it in root's home directory.

We're going to connect, yes, and we'll put in the password for root on our OPNsense appliance, and it's been copied. Now we can SSH in as well, and we can press 8 to go into a shell. You see, we are in root's home directory, and if we do an ls you can see we now have this file right there, right? So what we're going to do is we're going to send it to the right directory so we can extract the zip. We put in the file name, which is splunk-ta-for-suricata, and we're going to send it to /opt/splunkforwarder/etc/apps. And that's exactly where we wanted it to be. So let's go ahead and go to that directory, etc/apps. All right, so we're there. And you can see we've got the folder there, TA dash Suricata. OK, so that is our Suricata Splunk app, and we just need to do some configuration now. So we're going to configure the outputs configuration file. You see, it doesn't exist, so we're going to create it. How do we know it doesn't exist? Because when I hit Tab, I don't see it. It is just a dot. So we're going to create outputs.conf in here. I'm going to type tcpout.

In there, defaultGroup equals cyber range. And then we'll do tcpout, colon, the name of that group, cyber range, server, and this is going to be our Splunk indexer. Escape, :wq. Let's make sure the file is there as we think it is. I'd like to verify it is; we should be able to cat it out. Yeah, so that looks pretty good. All right, now what we're going to do is we're going to back up the current inputs.conf and create a new one. And this is going to basically give us the magic we need to ship Suricata into Splunk. So let's go ahead and move the existing inputs file in the Suricata app. That's what we're doing here: we're going into the Suricata app, the one we just sent to this box, and we're going to save it as inputs.conf.bak. All right, what we're going to do is open the original inputs.conf. We're going to monitor a couple of things. First, we want to monitor the eve log, so if we do monitor, two slashes, forward slash, the next slash represents the slash for the directory. So this is /var.

In that directory there's a log folder, a suricata folder, and then there is an eve.json file. That's what we want to monitor, under the source type suricata. Host will be the hostname of our firewall, and index will be suricata. And we also want to monitor the OPNsense logs, all the log files in that folder. And the source type here, we'll name it, sourcetype equals opnsense, and the index equals network. That looks good. Now what we can do is restart the universal forwarder. And then once it restarts, we're going to go back into Splunk to make sure it's actually working. All right, very, very cool, let's flip back over, and index equals suricata. This is a good sign, guys, we've got Suricata here, and just for a sanity check, let's make sure that it's being parsed. Look at that. That is beautiful. We've got the alert signatures, we've got the signature severities, all this is so good. You see the source type here, suricata. Let's see if we have the OPNsense logs: index equals network, source type equals opnsense. Oh, yes, yes, yes, yes, yes. And we have OPNsense logs. So this isn't processed nicely, because we don't have a technical add-on. We don't have a TA.

But I bet if we go to the OPNsense app, we're going to see some awesomeness. Let's just double check this out here. Oh yeah, look at these dashboards, look at how beautiful it is. I mean, guys, this is what you want to see in your lab. This is our cyber range, where we can learn, we can hack, we can attack, we can run red team exercises and penetration tests, and then we can build the defenses and detections. And this is how you learn, guys, and it's just going to get even better. You'll see the upcoming lectures that I have in store for you guys, and this is going to be insane. You look at this, I'm getting my traffic destinations, top sources. You know, I'm looking at everything I need to dig into those spots. Right. So this, that's what we want. Guys, in the next lecture, we are going to jump into Duchamp. I'm going to show you how you can put those web application logs into Splunk. That way we can see SQL injection, XML external entity attacks, and all that goodness, cross-site scripting. We're going to see all that stuff in Splunk. So I'll see you guys in the next lecture. Bye.
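The outputs.conf and inputs.conf the lecture types by hand, written out as an added shell helper (not the lecturer's files or anything shipped with the Splunk TA for Suricata). It assumes the config directory inside the TA is passed in as a parameter, that the indexer listens on 9997 (Splunk's default receiving port, not stated in the lecture), and that the OPNsense system logs live under /var/log/*.log (a placeholder path; the lecture only says "the log files in that folder").

```shell
#!/bin/sh
# Added example: builds the forwarder configuration from the lecture.
# Usage: write_forwarder_configs CONF_DIR INDEXER_HOST FIREWALL_HOSTNAME
#   CONF_DIR          directory inside the Suricata TA where the lecture
#                     creates outputs.conf and inputs.conf (assumption)
#   INDEXER_HOST      the Splunk indexer the forwarder ships to
#   FIREWALL_HOSTNAME value for the "host" field on Suricata events
write_forwarder_configs() {
    conf_dir="$1"; indexer="$2"; fw_host="$3"
    mkdir -p "$conf_dir"

    # outputs.conf: tcpout group "cyber range" pointing at the indexer.
    # Port 9997 is Splunk's default receiving port (assumption, not in lecture).
    cat > "$conf_dir/outputs.conf" <<EOF
[tcpout]
defaultGroup = cyber_range

[tcpout:cyber_range]
server = ${indexer}:9997
EOF

    # Back up the TA's existing inputs.conf before replacing it, as the
    # lecture does with inputs.conf.bak.
    if [ -f "$conf_dir/inputs.conf" ]; then
        mv "$conf_dir/inputs.conf" "$conf_dir/inputs.conf.bak"
    fi

    # inputs.conf: Suricata's eve.json into index "suricata", and the
    # OPNsense log folder into index "network". The /var/log/*.log
    # pattern is a placeholder for whatever folder you actually monitor.
    cat > "$conf_dir/inputs.conf" <<EOF
[monitor:///var/log/suricata/eve.json]
sourcetype = suricata
host = ${fw_host}
index = suricata

[monitor:///var/log/*.log]
sourcetype = opnsense
index = network
EOF
    # After writing both files, restart the forwarder so they take effect:
    #   /opt/splunkforwarder/bin/splunk restart
}
```

The sanity check from the lecture still applies afterwards: cat both files, restart the forwarder, then search index=suricata and index=network sourcetype=opnsense on the indexer.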