1
00:00:07,660 --> 00:00:14,370
All right, so in the last lecture, we got the Juice Shop logs ingested into Splunk, and now we're

2
00:00:14,370 --> 00:00:17,290
just going to install the apps and then we'll be done.

3
00:00:17,310 --> 00:00:22,340
And these are apps that are really going to take you through hunting and, you know, incident response,

4
00:00:22,380 --> 00:00:25,390
all that stuff, to the next level.

5
00:00:25,530 --> 00:00:30,480
And so I'm just going to click on Apps and More Apps.

6
00:00:33,960 --> 00:00:38,850
Let's start with the Sysmon app.

7
00:00:38,850 --> 00:00:41,360
We'll install this one.

8
00:00:44,610 --> 00:00:48,960
And these are your Splunk.com credentials that you put here.

9
00:00:52,390 --> 00:00:59,070
All right, we will restart later because we have a few to install. We'll also install the Splunk Add-

10
00:00:59,080 --> 00:01:00,700
on for Microsoft Sysmon.

11
00:01:03,310 --> 00:01:04,750
Click Login and Install.

12
00:01:07,370 --> 00:01:11,300
Restart later. Now that we've got this one here,

13
00:01:11,330 --> 00:01:14,150
let's get the PowerShell logs parsed.

14
00:01:17,830 --> 00:01:21,700
Hurricane Labs Add-on for Windows PowerShell Transcription Logging.

15
00:01:27,870 --> 00:01:29,820
All right, and then we need some Windows apps.

16
00:01:32,700 --> 00:01:34,740
So, Splunk Add-on for Microsoft Windows.

17
00:01:40,810 --> 00:01:42,940
We want the Microsoft Defender ATP.

18
00:01:50,930 --> 00:01:57,470
We want the Defender TA from Microsoft Defender.

19
00:01:59,420 --> 00:02:03,740
This one is Windows Defender, built into every version of Windows.

20
00:02:04,070 --> 00:02:11,060
This is Microsoft Defender for Endpoint, which is a premium EDR, endpoint detection and response

21
00:02:11,240 --> 00:02:17,290
tool, kind of like Carbon Black, CrowdStrike Falcon, a counter-attack by Gosha Care.
22
00:02:18,200 --> 00:02:23,060
You know, it's top of the line, and we're actually going to try to get this installed in the next lecture.

23
00:02:23,510 --> 00:02:29,660
But for this one, we're just going to install the TA for Microsoft Windows Defender here so that our

24
00:02:29,660 --> 00:02:32,360
Defender logs are parsed properly.

25
00:02:34,950 --> 00:02:38,270
I believe we already installed the CIM.

26
00:02:39,680 --> 00:02:41,040
We did. OK, that's good.

27
00:02:41,750 --> 00:02:45,410
And then the last thing we want is the Security Essentials.

28
00:02:51,140 --> 00:02:52,310
You're really going to like this app.

29
00:02:52,390 --> 00:02:54,140
Security Essentials is really, really cool.

30
00:02:55,470 --> 00:02:55,740
Right.

31
00:02:55,740 --> 00:03:01,010
So let's go ahead and restart everything, and then we'll come back once we're able to get back into the

32
00:03:01,010 --> 00:03:01,380
portal.

33
00:03:02,420 --> 00:03:02,830
All right.

34
00:03:02,840 --> 00:03:07,250
So we're back after about five minutes. That was like five long minutes,

35
00:03:09,020 --> 00:03:13,950
because I was just staring at the screen. So now go to Splunk Enterprise.

36
00:03:14,540 --> 00:03:15,740
You're going to see something pretty cool.

37
00:03:16,440 --> 00:03:17,320
Look at all these apps.

38
00:03:18,290 --> 00:03:18,800
Pretty cool, right?

39
00:03:20,650 --> 00:03:22,510
So one of my favorites is

40
00:03:24,000 --> 00:03:25,600
this one, Security Essentials.

41
00:03:26,670 --> 00:03:31,110
So this is an app, there's a lot of places you can go with it, and we're not going to get into the details

42
00:03:31,110 --> 00:03:31,610
over here.

43
00:03:32,240 --> 00:03:34,500
There are tons of free tutorials online about how to use it.

44
00:03:35,220 --> 00:03:36,210
But I just want to show you something.

45
00:03:36,220 --> 00:03:40,200
If you go to Find Content and then click on Advanced Detection Content.
46
00:03:42,530 --> 00:03:44,300
You can click on the Advanced Threat Detection.

47
00:03:47,780 --> 00:03:52,980
You can see the security journey, but this is a really fun thing right here.

48
00:03:53,990 --> 00:03:56,480
You've got all these kind of canned searches.

49
00:03:57,000 --> 00:04:01,340
So if you want to look at, you know, basic Tor traffic, you know, or you want to detect pass-the-

50
00:04:01,340 --> 00:04:05,030
hash attacks or, you know, event log clearing events.

51
00:04:05,060 --> 00:04:10,370
I mean, there's so many in here, and you can just go through all the, like, MITRE tabs, right?

52
00:04:11,850 --> 00:04:15,420
This is all the stuff you can detect just by clicking through these different portals.

53
00:04:18,590 --> 00:04:23,450
So let's say, like, I want to look at Windows event log clearing events. First, you can see we are

54
00:04:23,450 --> 00:04:25,940
operating on the live data, not the demo data.

55
00:04:27,140 --> 00:04:29,710
And then it tells you what this does, right?

56
00:04:30,340 --> 00:04:32,720
You're looking to see if the Windows audit logs were tampered with.

57
00:04:33,600 --> 00:04:34,340
Scroll down.

58
00:04:35,300 --> 00:04:37,060
It maps everything against the MITRE ATT&CK.

59
00:04:37,190 --> 00:04:38,510
You can click here for details.

60
00:04:39,710 --> 00:04:43,660
And if you scroll down even more, you get even more goodness.

61
00:04:43,670 --> 00:04:45,770
So it's telling you you have all the prerequisites, right?

62
00:04:46,430 --> 00:04:51,080
We have the Windows security logs, we have system logs, and we have these audit log events.

63
00:04:51,240 --> 00:04:53,300
That's because of the work we did in earlier lectures.

64
00:04:53,690 --> 00:04:54,670
All this is built out.

65
00:04:55,280 --> 00:04:56,690
So now this query runs.

66
00:04:58,130 --> 00:04:59,210
And we can see

67
00:05:00,310 --> 00:05:03,730
pretty much what it does. It detected, on the Windows domain controller,
68
00:05:04,470 --> 00:05:06,400
there was this one 1100 event.

69
00:05:07,300 --> 00:05:11,860
So, you know, this is kind of interesting because, you know, our boxes haven't been exploited.

70
00:05:11,860 --> 00:05:13,240
We haven't run any attacks yet.

71
00:05:13,780 --> 00:05:16,900
And it's showing us a Windows event log cleared event.

72
00:05:18,020 --> 00:05:22,700
Which is perfectly normal in this case, so you always have to investigate everything to make sure

73
00:05:23,180 --> 00:05:25,650
you know whether it's actually legitimate or not.

74
00:05:26,180 --> 00:05:29,450
And by the way, some of these apps might not do everything you want them to do.

75
00:05:30,740 --> 00:05:31,930
It might require some tuning.

76
00:05:31,940 --> 00:05:35,720
So if we go back to the app list, I want to click on this app and show you something.

77
00:05:37,160 --> 00:05:41,030
We click on the Sysmon App for Splunk.

78
00:05:42,080 --> 00:05:47,490
You'll notice that the dashboards are broken, but I want you to see how you can fix it, right?

79
00:05:47,680 --> 00:05:48,970
It's not that difficult.

80
00:05:48,980 --> 00:05:51,470
It can be, but it's not impossible for you to do this.

81
00:05:52,550 --> 00:05:56,870
So you see here, it's saying, like, "waiting for data," but right now it's not showing you anything. If you

82
00:05:56,870 --> 00:06:02,510
click on Edit, you can edit the dashboard, looking at the source.

83
00:06:04,000 --> 00:06:08,140
And if you scroll down, for example, you can see the query

84
00:06:09,930 --> 00:06:14,850
has this thing right here. It says single backtick, sysmon, backtick. That's a macro.

85
00:06:15,600 --> 00:06:20,880
OK, so if you go to Settings, I believe it's Advanced Search,

86
00:06:23,080 --> 00:06:24,300
and then Search Macros.

87
00:06:25,720 --> 00:06:31,840
And we'll type in "sysmon," and if you look at the definition, notice that the sourcetype is incorrect.
88
00:06:33,230 --> 00:06:35,540
That's not the type that we configured for Sysmon.

89
00:06:36,710 --> 00:06:38,930
So what we need to do is click this macro and edit it.

90
00:06:43,670 --> 00:06:45,300
source equals sysmon.

91
00:06:46,130 --> 00:06:46,970
That's what it should be.

92
00:06:48,740 --> 00:06:53,290
We'll save it, and then we'll go back to the Sysmon app and see if it works.

93
00:06:58,060 --> 00:06:58,810
Click Submit.

94
00:07:02,120 --> 00:07:03,590
Now it no longer says "waiting for data."

95
00:07:04,240 --> 00:07:06,510
So we're making progress, right?

96
00:07:11,230 --> 00:07:18,340
So what you can do is you can go back to the Search & Reporting app and check the data summary.

97
00:07:20,200 --> 00:07:21,490
And you can look at the sourcetype.

98
00:07:21,550 --> 00:07:24,520
OK, so we see the sourcetype is actually sysmon, not source.

99
00:07:26,070 --> 00:07:33,090
There's no source called sysmon, so we should change it to sourcetype sysmon. That's

100
00:07:33,090 --> 00:07:35,730
the type. Click Save.

101
00:07:38,460 --> 00:07:39,370
Go back over here.

102
00:07:41,010 --> 00:07:46,000
Should get some data. Refresh the page so it pulls down the new data.

103
00:07:49,250 --> 00:07:51,680
And we can kind of investigate what's going on here.

104
00:07:53,300 --> 00:08:00,810
If we click on this little search button, you'll see it's actually using the wrong fields in the stats

105
00:08:00,840 --> 00:08:07,010
count because, you know, these apps aren't necessarily developed in concert with the app they're monitoring.

106
00:08:07,010 --> 00:08:07,240
Right.

107
00:08:07,250 --> 00:08:10,000
So Sysmon has its own development lifecycle.

108
00:08:10,540 --> 00:08:13,280
And the Sysmon Splunk app has its own development lifecycle.

109
00:08:13,700 --> 00:08:15,320
So sometimes the field names change.

110
00:08:15,320 --> 00:08:17,990
When that happens, you get this, right?
111
00:08:18,230 --> 00:08:22,100
But look, we can figure this out. It's looking for a field named event description.

112
00:08:22,100 --> 00:08:22,360
Right.

113
00:08:23,980 --> 00:08:25,950
Take this out and just run the macro by itself.

114
00:08:30,020 --> 00:08:31,980
You'll see there's no event description.

115
00:08:32,160 --> 00:08:36,990
Well, it's not showing up here because we need to change it over to Verbose.

116
00:08:41,580 --> 00:08:50,520
Yeah, so you don't see it. If we go to All Fields and we type "description," there's no field with any

117
00:08:52,560 --> 00:08:53,300
description.

118
00:08:53,660 --> 00:08:54,180
There it is.

119
00:08:55,320 --> 00:09:00,000
So it's actually called "description," not "event description," so you'd have to modify the app and

120
00:09:00,000 --> 00:09:04,470
change it to "description" in order for that part of the functionality to work.

121
00:09:06,250 --> 00:09:13,320
But you can see everything else is here: the computers, the messages. Everything is being ingested

122
00:09:13,320 --> 00:09:14,020
the way we want it to be.

123
00:09:16,630 --> 00:09:20,880
I just wanted to show you that, and in the next lecture, we're going to jump into

124
00:09:21,390 --> 00:09:23,630
Microsoft Defender for Endpoint.