Time
57 minutes
Difficulty
Beginner
CEU/CPE
1

Video Transcription

00:01
To navigate to this lab, go to www.cybrary.it.
00:05
Click Browse, then click the link for CYBRScore Labs,
00:09
and scroll through the labs until you find the Creating SIEM Reports with Splunk lab.
00:15
Ready?
00:16
Let's begin.
00:20
Hi, and welcome to Creating SIEM Reports with Splunk.
00:23
The objectives for this lab are to import syslog information into Splunk, import local registry information into Splunk,
00:30
and create multiple compliance reports in Splunk.
00:33
Scenario: your organization was told to stand up a SIEM and has no money in the budget. You decided to set up Splunk and create a few reports to test and determine the feasibility of using Splunk in your organization.
00:44
Go ahead and log into the Windows 7 machine using the username administrator and the password password.
00:55
From here, you'll go ahead and double-click on the Kiwi Syslog console. It might take a couple of minutes to open. It's usually pretty slow on this, but
01:03
once it does open, we're going to go ahead and verify that syslog is being received,
01:10
and you'll see the messages that have been received.
01:15
You should check for the IP addresses 192.168.0.2, which is the Windows 2012 server,
01:23
and 192.168.0.254, which is the pfSense firewall.
01:41
If you get an error message that says
01:42
the options switched, or whatever, you can go ahead and click Retry and it will usually reload.
01:48
Log into Splunk.
01:53
So go ahead and open Splunk Enterprise.
02:15
Once you get to the dashboard, go ahead and click Add Data
02:24
and click on the Monitor option.
02:32
So from here, we're going to go ahead and point Splunk to a directory where it can monitor and import log files on a continuous basis. Go ahead and click on Files & Directories,
02:45
and then you're going to navigate to the Syslogd\Logs directory and hit Select.
02:55
Go ahead and hit Next at the top of the screen, accept the default settings, and click Review.
03:16
Click Start Searching and go ahead and check out the dashboard that it gives you.
03:27
So now we're going to go ahead and import local log files into Splunk, so you're going to navigate back to the Add Data section, which is on the dashboard. Click Add Data
03:38
and then click on the Monitor option. We're going to use the local log files from the Windows system.
03:50
Select Local Event Logs and add them as a log source. Then you're going to add some specific logs to this: Analytic, Application, Forwarded Events, Internet Explorer, Key Management Service, Security, Setup, System, and Windows PowerShell.
04:09
Make sure that you specify which logs you need, depending on the organizational standards and the scope of the SIEM in real life.
04:36
Once you've accepted these logs, go ahead and accept all the defaults and click Start Searching,
04:42
and then we can go ahead and take a look at the results and note any differences between this scan and the previous one.
05:13
Now we're going to go ahead and build a Windows event report. In the toolbar at the top, click the App menu and select Search & Reporting,
05:23
and in the search bar type event, click on the magnifying glass to the right, and make sure that your output is right.
05:39
Next, under Selected Fields, click on sourcetype,
05:46
and then we're going to go up to the search bar and type in EventCode equals "10001". Don't forget your quotation marks.
06:26
Once we have our results, we're going to go up to Save As and click on Report,
06:30
and then give the report the title Restarts and click Save.
06:35
Now you can click view and go ahead and view the report.
06:47
From here, we'll add the report to the dashboard
06:51
so we'll go to the top right and click Add to Dashboard. You want to make sure that we're creating a new dashboard titled Windows Events.
07:00
Make sure the dashboard permissions are Shared in App, the panel title should be Windows Events, and the panel should be powered by the report itself.
07:08
Once all of this is done, hit Save,
07:29
then view the dashboard and your final report.
07:49
Next, we're going to go ahead and create a report from the events generated from the firewall. Open up the search area in Splunk.
08:01
We're going to go ahead and put the firewall IP address in the search bar, which is 192.168.0.254, then click the magnifying glass.
08:20
We want to search further, so after this IP we're going to go ahead and type match,block into the search bar and click search again.
08:33
Next, we're going to create a report. We're going to call it Firewall Blocks and add it to the dashboard.
08:46
Again, we'll make a new dashboard.
08:48
The dashboard will be named Firewall Blocks, permissions Shared in App, and then the panel title should be Firewall. Then we can click Save
09:16
and view the report in the dashboard.
09:22
Thanks for tuning in to this lab, and we'll see you in the next lesson.

Instructed By

Gabrielle Hempel
Instructor