Time
1 hour 59 minutes
Difficulty
Beginner
CEU/CPE
2

Video Transcription

00:00
In this video, we'll use our Splunk search skills to create alerts.
00:06
Splunk alerts are based on saved searches.
00:10
When the conditions you've specified are met, you can set an alert to trigger.
00:16
In this example, we've got a search that looks in an index called firewall for events where threat name equals SQL injection, and then organizes the results into a table with source IP, destination IP, and message.
00:31
We could save the search as an alert to run every hour and send an email if an event matches that search in the time frame.
00:39
In this other example,
00:42
we could have the search continuously run and trigger an alert when there have been more than five events that have triggered for this in the last 10 minutes.
00:53
These saved searches for alerts can be scheduled to run every hour, every day, or on certain days.
01:00
You can also schedule them using cron expressions.
01:03
If you're unfamiliar with cron expressions, I recommend using a site like crontab guru to help you schedule it.
01:11
This will give you a lot of flexibility for scheduling and help you to stagger your alerts.
01:17
It's a good idea to schedule alerts at different times to spread out the impact of running a search.
01:23
You can also do searches in real time, where they're continuously running.
01:27
Typically, it's better to do even a really frequent scheduled search rather than real-time searches.
01:36
You can set up various actions for an alert, including
01:40
multiple actions in response to
01:42
a triggered alert. You can, for example, send an email notification when an alert triggers.
01:49
You could also use webhooks to update a web resource,
01:53
write the results to a CSV file,
01:56
add alerts to a list of recently triggered alerts.
02:00
There are also a lot of actions that come with apps. For example, a popular ticketing tool called ServiceNow has an app that,
02:08
when you set it up, allows you to easily open a ticket.
02:13
Phantom, Splunk's new purchase,
02:15
is an automation and orchestration tool,
02:19
and it can take events and kick off more
02:22
complex actions in response to alerts.
02:25
To receive phone calls, text notifications
02:29
and push notifications, you could use one of Splunk's other recent acquisitions, VictorOps.
02:35
There are also
02:36
other good tools for this that integrate with Splunk, like PagerDuty.
02:40
With that, I think it's time to go in and create a practice alert.
02:46
I've got two machines I'll be working with in this video.
02:51
I have my Splunk search head hosted on this Linux machine, and I have a Windows machine with a universal forwarder installed.
02:59
The Windows machine will serve to generate new events for us to alert on.
03:04
I'm looking at the Search & Reporting app on my search head here, and I've searched for Windows event logs that have an ID of
03:14
4625, which is a code for an account failing to log on.
03:20
I further specified that I want events where the field for failure reason equals "unknown user name or bad password", and then I've run statistics
03:30
on the returned events, where I'm getting a count of events by computer name
03:36
and have included other values in the display.
03:40
Right now, I've got one event.
03:43
One event might be pretty reasonable in this environment,
03:46
but maybe I want to be alerted if there have been more than three of these in the last 60 minutes.
03:52
So I'm going to add a pipe here
03:54
and say where count is greater than three
04:00
and switch from verbose mode to smart mode, because I don't need the full event data. I just want what's going to show up
04:10
in this death?
04:12
I hope I might have left to go to lunch or didn't do last four hours.
04:16
Oh, I didn't leave it wrong.
04:18
If you remember, I said there's only one event there, so
04:23
something you could do to check and make sure your search is working is
04:28
change, or lower, the count you need. So I am getting
04:32
and, um,
04:34
results when I lower the count. So if I want to change that back up to three, I can save this as an alert.
04:45
So I'm just gonna go up here to Save As
04:49
and I'm gonna call this
04:53
authentication failures
04:56
and for description, I'll just say this is in progress. I want to see how this alert is doing.
05:00
I could set this to run every week, every hour, every day. I'm gonna put it on a cron schedule so I don't have to wait too long to get my results. To do that, I'm just going to say,
05:14
Looks like it's 54 right now, so I'm gonna give myself a few minutes for this to run
05:20
and say I want this to happen
05:24
every hour at the 59th minute
05:30
and this is gonna check the last 60 minutes.
05:34
The results of this
05:36
alert will expire in 24 hours, but that doesn't mean the data will disappear.
05:43
If I want to, I can go back and run this search again
05:46
and specify this time frame
05:48
of today during these hours, and then I can still get the results, but I would need to rerun the search to have those.
05:56
I want this alert to trigger when the number of results is greater than zero.
06:00
I've already specified in the search that I want the count to be higher than three.
06:06
And I only want one alert.
06:12
And then for alert actions, I'm gonna go ahead and say Add to Triggered Alerts with a severity of medium.
06:17
And I'm also gonna want to send an email.
06:24
Fill out
06:27
an email: send it from here, send it to here,
06:31
and leave that pretty normal.
06:35
And if you see this
06:38
name with the dollar signs around it, this is called a token, and it's gonna fill in the name of this alert in here.
06:46
So if I want to, I could add extra information like,
06:51
if this triggers
06:56
Bob.
06:58
Or, you know, whatever I want in there. There's gonna be a link to the alert and the results
07:03
in the body of the email. But I'm also gonna want to put the results inline, so it will show this that we had in the search back here in the body of the email, and also say attach a PDF of
07:16
the results.
07:19
And with that, I'm gonna save it.
07:24
I can view the alert if I want.
07:30
Perfect.
07:31
So I've got my two actions here. It's currently enabled.
07:38
And now I'm gonna hop over to my Windows machine and try and trigger some authentication failures.
07:46
So every user called her my knee
07:48
and
07:53
Oh, that didn't work.
07:55
I don't want it to work.
07:59
Just type it away.
08:01
That's a good password. Right?
08:03
But that's not her password.
08:05
So I'm just gonna keep trying to generate these events
08:11
so we can get a higher count here.
08:22
If I want to take a look at my alert, I can go to Settings, Searches, Reports, and Alerts.
08:31
And I think I called this authentication
08:37
failures. Yep. So this tells me the next scheduled time, which should be in a minute here.
08:43
There's currently no alerts for it.
08:48
And,
08:48
in a minute, we should see that count go up.
08:58
Great. So I've got an alert here. Now,
09:01
if I want to take a look at it, I go to View Recent.
09:07
Here's this alert. This is
09:11
when the results were created.
09:13
It ran really quickly, and the status is complete.
09:18
So if I click on this here,
09:22
I can see the results.
09:26
Perfect. So we've got
09:31
09:33
results here matching
09:37
the search, and this will run every hour
09:41
at, what did I have it set for? So it tells me the next time here, so it's gonna run again in just less than an hour.
09:52
The other thing I can do is go under Activity
09:54
and look at Triggered Alerts,
09:56
and it also shows up there as well.
10:00
So it gives the severity here,
10:03
and it gives you the results from here too, if I want to.
10:11
So with that, we've successfully created an alert,
10:16
and it's
10:18
time for a quiz.
10:22
When an alert triggers, Splunk can
10:26
blank.
10:28
There's a lot of options here, so I'm gonna help you out.
10:33
Splunk could send an email,
10:35
could run a script,
10:37
add the alert to triggered alerts,
10:39
save the results to the machine,
10:43
other app actions,
10:45
do an HTTP POST request,
10:48
and with that, we've completed this video.
10:54
In the next video, we'll be looking at reports and dashboards.
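The two alerts described in this video, written out as savedsearches.conf stanzas. This is an added example, not the course's own configuration or a Splunk-supplied file: the index names (`wineventlog`, `firewall`), the field names (`EventCode`, `Failure_Reason`, `ComputerName`, `user`, `threat_name`, `src_ip`, `dest_ip`, `message`), the email addresses, and the mapping of the UI severity "Medium" to the value 3 are assumptions; the Windows field names in particular depend on how the Windows add-on extracts event 4625.

```ini
# Added example (not from the course): savedsearches.conf stanzas for the alerts
# built in the video. Index names, field names and addresses are assumptions.

[authentication failures]
description = this is in progress

# Windows event ID 4625 (account failed to log on), limited to "unknown user
# name or bad password" failures, counted per computer, then filtered to
# computers with more than three failures in the search window.
# Failure_Reason, ComputerName and user are assumed add-on field names.
search = index=wineventlog EventCode=4625 Failure_Reason="Unknown user name or bad password." | stats count values(user) AS user by ComputerName | where count > 3

# Schedule: every hour at minute 59, searching the previous 60 minutes.
# Picking an off-minute rather than :00 staggers this search away from others.
enableSched = 1
cron_schedule = 59 * * * *
dispatch.earliest_time = -60m
dispatch.latest_time = now

# Trigger when the search returns more than zero rows (the count > 3 condition
# already lives in the search), once per run rather than once per row.
# Triggered results are kept for 24 hours; the underlying events are not affected.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.digest_mode = 1
alert.expires = 24h

# Action 1: Add to Triggered Alerts with severity Medium (3 is an assumed mapping).
alert.track = 1
alert.severity = 3

# Action 2: email with the $name$ token in the subject, the results inline
# in the body, and a PDF of the results attached. Addresses are placeholders.
action.email = 1
action.email.from = splunk@example.com
action.email.to = soc@example.com
action.email.subject = Splunk Alert: $name$
action.email.message.alert = If this triggers, Bob: alert $name$ fired; a link to the results follows.
action.email.sendresults = 1
action.email.inline = 1
action.email.sendpdf = 1

[sql injection attempts]
# The firewall example from the start of the video: hourly, emailing whenever
# any event matched in the last hour. threat_name and the IP/message fields
# are assumed names.
search = index=firewall threat_name="SQL Injection" | table src_ip dest_ip message
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -60m
dispatch.latest_time = now
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.digest_mode = 1
alert.track = 1
action.email = 1
action.email.to = soc@example.com
action.email.subject = Splunk Alert: $name$
action.email.inline = 1
```

Place the file at `$SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf` on the search head, restart or reload the app, and the alerts then appear under Settings, Searches, Reports, and Alerts exactly as the ones built in the UI do. Keeping the `count > 3` threshold inside the search rather than in `alert_threshold` means the triggered-alert results show only the computers over the limit, which is what the video's inline email table displays.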

Instructed By

Natasha Staples
Incident Response Security Engineer at Arrow Electronics
Instructor