5.4 Custom Properties Part 3


Time: 6 hours 28 minutes
Difficulty: Intermediate
CEU/CPE: 7
Video Transcription
In our last lesson, we were building up the regex in order to capture those custom properties. We had to take a short break. However, let's continue where we left off. I just mentioned you can actually modify it. You can come here, add the regex again. Then we expand this again so we can see more. There we go.

Now we're going to do source port right here. I'm going to call it pfSense Source Port. I'm going to show you how capture works right now. You have one parenthesis here and the other one here. That's what I was talking about that we can actually modify. If we come here, we actually added the wrong symbol. I apologize. We can do this, and actually we are going to do this as well. Marking this one, however, if we change Capture Group to Capture Group 2, you can see it now captures the source port, I apologize, and if you go to 3, it captures the destination port. You can see that you can actually use the same regex; you can just change a little value at the end as well, and it's a good option as well to do this.

In this case, for example, I can copy this. It's two centimeters source port, for pfSense. Save. Then you can literally come again, and it's going to be like a first value at the regex. I call it the pfSense Destination Port. Then here it comes to 3. Test, it's working, and you're going to make sure on the top it's highlighted. Itself highlighting, I don't have any search functions, as you can see. Then save, and now you can see that you're getting 1, 2, 3, 4 different values.
The other thing we got to search is the action itself, and in this case the action being block. Let's go back to the DSM. I apologize. The Custom Event Extract, expand it. I'm going to do pfSense Action. In this case we can type the whole thing, even though we're not going to use the whole thing, because technically we have to get up to here, and the less QRadar has to process the better, in my opinion. I can come up to here, for example, and stop this, and see how much it attacks, and that's pretty good. Let's remove two more just to be safe, around here. I like to leave the comma, and there is the last thing to the tag; that way, it doesn't keep searching for more information. You have found the comma, that said; it's not going to be like \w+, there's a lot of characters. No, stop at the comma; if there's a space, even better. Many software do have spaces when they're sending the syslogs, and I will use this space itself to determine where a variable ends.

Now we have it here. We're going to add that Capture Group right here, not there actually, wrote that by accident, period for some reason. Block, right, tested to detect them. I know it's on the top, always adapted, and it's safe, and now you should see the action, destination source port, source IP, and destination IP and the default domain. This basically is a wrap up for how to create custom properties.
Now obviously if you go back to "Return to Event List", right, then you come here, you can now see even now here. See it's still sisters, but if you come to "Edit Search", let's give it a second for it to load. It's taking a little bit longer than a second. There we go. Let's just keep it as is, as five minutes. Now here we're going to search for pfSense, and all of these variables we are going to add in here. Okay. We're going to grab all of them and put them in there, and then grab all of them and move them up. Except one thing I do want to have at the top is the Start Time. Let's hit "Search", and you can see now we've performed a search. Here we go, and here is itself how you can see the QRadar data formatted to pfSense. You can see, yes, it's an action block from this source IP to this destination IP, sorry. Destination port, source port, source IP.

Now if you don't like the order, you can always come back and hit "Search" right in here. You can then say, "Okay, I want to see the source IP first," source IP followed by the source port, let's say, followed by the destination IP, followed by destination port, and where do I want to see the action, the beginning or the end. Well, it's the first thing we want to see. Let's go with port and then search again. Here you go. Source IP, source port, destination IP, destination port, and name, log sources, etc. You can play around; once you do that, you can save the criteria. You can say this is pfSense. You can include it in a quick search to share with everyone in case somebody else wants to use it in real time, because you want to see it in real time, and you can set it as your default search. That way whenever you come into log searching, you see the pfSense log.

Now, one of the pros and cons is obviously that this is very specific for this, and obviously, if you have other log sources, then obviously you won't see the data or the IPs will not match. Therefore that's the option of a universal DSM that you can create. For now, this is the wrap up for today, and let's carry on.
What did we learn today? We created custom properties for our new log source pfSense in QRadar. It took a little bit of building using regexes, and if you're not familiar with them, I highly recommend the regex course or some regex tutorials in order to build these custom regexes in your own environment. In our next lesson, we're actually going to go over and use the custom DSM for pfSense. You will notice that this integration is more complete and better overall for event correlation. I hope to see you soon. Have a great day.
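Worked example, added here and not part of the course or of QRadar: a Python version of the two regex ideas in the lesson, run against a constructed pfSense-style filterlog line. One regex with four capture groups serves four properties (only the group number changes), and the action pattern is bounded by the comma so it stops instead of running on, with a greedy version alongside for comparison.

```python
import re

# Constructed sample in the style of a pfSense filterlog syslog line (not captured from a real firewall).
SAMPLE = ("<134>Jan 10 12:00:00 fw01 filterlog[12345]: 5,,,1000000103,em0,match,block,in,4,"
          "0x0,,64,12345,0,DF,6,tcp,60,192.0.2.10,198.51.100.20,51234,443,0,S,123456,,64240,,mss")

# One regex, several capture groups: the same expression can back several custom properties,
# only the "Capture Group" number changes (1 = src IP, 2 = dst IP, 3 = src port, 4 = dst port).
ADDR_PORT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}),(\d{1,3}(?:\.\d{1,3}){3}),(\d+),(\d+)")

# Bounded action pattern: the trailing comma ends the match at the action field.
ACTION_RE = re.compile(r"match,([^,]+),")

# Greedy pattern for comparison: without a stop character it swallows the rest of the line.
GREEDY_ACTION_RE = re.compile(r"match,(.*)")


def extract(line, pattern, group):
    """Return the text of one capture group, or None when the pattern does not match."""
    m = pattern.search(line)
    return m.group(group) if m else None


def pfsense_properties(line):
    """Mirror the five custom properties built in the lesson from a single log line."""
    return {
        "action": extract(line, ACTION_RE, 1),
        "src_ip": extract(line, ADDR_PORT_RE, 1),
        "dst_ip": extract(line, ADDR_PORT_RE, 2),
        "src_port": extract(line, ADDR_PORT_RE, 3),
        "dst_port": extract(line, ADDR_PORT_RE, 4),
    }


if __name__ == "__main__":
    print(pfsense_properties(SAMPLE))
    # Shows why the lesson stops at the comma: the greedy group keeps going.
    print(extract(SAMPLE, GREEDY_ACTION_RE, 1))
```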