1 00:00:07,830 --> 00:00:11,100 All right, so this is super, super exciting.
2 00:00:11,670 --> 00:00:17,220 Now, before we get into, you know, validating all of our data is getting into Splunk, we need to do
3 00:00:17,220 --> 00:00:17,840 a couple of things.
4 00:00:17,970 --> 00:00:22,800 Number one, take snapshots of everything right now. Just right-
5 00:00:22,800 --> 00:00:29,300 click on your VMs or go up to them, go to Snapshot and hit Take Snapshot.
6 00:00:30,060 --> 00:00:34,470 You want to do this for each of the tabs you have over here because you don't want to lose any data
7 00:00:34,470 --> 00:00:39,390 if something breaks, you want to have a pristine state to go back to and get your seatbelt passed.
8 00:00:39,930 --> 00:00:40,270 Right.
9 00:00:40,330 --> 00:00:44,990 I think we're going to make sure that we can get our data into Splunk.
10 00:00:45,390 --> 00:00:47,860 And so let's log into Splunk for the first time.
11 00:00:47,860 --> 00:00:53,790 We're logging into Splunk Enterprise with admin and the password you created in the last lecture,
12 00:00:54,660 --> 00:00:55,450 whatever that was.
13 00:00:55,890 --> 00:00:56,220 All right.
14 00:00:56,220 --> 00:00:58,230 So you're going to see the Search and Reporting app, right?
15 00:00:58,260 --> 00:01:03,080 This is the main app that you're using in Splunk when you're trying to do incident response and threat
16 00:01:03,090 --> 00:01:04,050 hunting and things like that.
17 00:01:04,470 --> 00:01:06,510 So I'm going to say never receiving a password.
18 00:01:06,900 --> 00:01:08,010 And I get it.
19 00:01:09,240 --> 00:01:10,230 Hoping to get more value from.
20 00:01:10,550 --> 00:01:11,220 Yeah, whatever.
21 00:01:11,400 --> 00:01:12,540 So if you go to Search and Reporting.
22 00:01:13,230 --> 00:01:14,070 So I've got to calm down.
23 00:01:14,070 --> 00:01:15,180 I'm so excited right now.
24 00:01:16,290 --> 00:01:21,150 But if you go to Search and Reporting, you'll see that you can look at a data summary after we get past
25 00:01:21,150 --> 00:01:21,630 this tour.
26 00:01:22,110 --> 00:01:25,830 Actually, you might want to go through the tour. If you've never used Splunk, go through the tour, don't
27 00:01:25,830 --> 00:01:26,250 skip it.
28 00:01:26,490 --> 00:01:28,470 But right now, I just want to show you something.
29 00:01:28,800 --> 00:01:30,300 If you go into the Data Summary right here.
30 00:01:31,350 --> 00:01:33,010 You'll see it says, waiting for results.
31 00:01:33,120 --> 00:01:34,770 You're probably wondering why, what gives?
32 00:01:35,130 --> 00:01:36,590 Like, why don't I see any data?
33 00:01:36,960 --> 00:01:40,140 That's because we need to configure the receiver.
34 00:01:40,660 --> 00:01:47,060 OK, so we need to configure a port on Splunk to receive the events from all of the instrumented endpoints.
35 00:01:47,490 --> 00:01:53,850 So if we go to Settings, Forwarding and receiving, right, then you go down here to Configure receiving,
36 00:01:54,450 --> 00:01:55,770 you'll probably notice there's nothing here.
37 00:01:56,310 --> 00:01:58,950 So we're going to go ahead and add a new receiver.
38 00:01:59,760 --> 00:02:01,560 So a new receiving port, like that.
39 00:02:02,100 --> 00:02:04,500 And we're going to put in 9997.
40 00:02:05,880 --> 00:02:09,160 It looks good, click Save. Now we've got our receiver and it's enabled.
41 00:02:09,600 --> 00:02:10,140 Very good.
42 00:02:11,250 --> 00:02:14,850 All right, Search and Reporting, loading, loading, loading.
43 00:02:15,540 --> 00:02:17,010 All right, we'll click Data Summary.
44 00:02:18,630 --> 00:02:21,430 And you can see PC1 has some data coming in.
45 00:02:22,470 --> 00:02:24,390 If you look, you see we have Application logs.
46 00:02:24,390 --> 00:02:26,350 We have the Security logs, we have Setup.
47 00:02:26,350 --> 00:02:29,400 We have everything we configured, you know, back in the earlier videos.
48 00:02:30,360 --> 00:02:30,690 Right.
49 00:02:30,730 --> 00:02:31,760 You can see our source types here.
50 00:02:32,430 --> 00:02:34,290 So, you know, this is really, really good.
51 00:02:34,630 --> 00:02:37,920 For example, you know, if we click on one of these, click on the Security logs.
52 00:02:44,270 --> 00:02:46,250 You'll see we've got our logs here, right?
53 00:02:46,270 --> 00:02:50,060 We can look at the ports on our network, we can look at the computer.
54 00:02:50,930 --> 00:02:57,290 Of course, right now the computer is only PC1 because PC2 over here is turned off.
55 00:02:57,950 --> 00:03:01,220 But we're going to fix all that and we're going to make sure that the DC is getting data in as well.
56 00:03:02,020 --> 00:03:04,950 But right now, what we need to do is get the other logs in.
57 00:03:05,330 --> 00:03:10,100 OK, so I want to make sure that we have the transcription logs and everything else properly configured.
58 00:03:11,800 --> 00:03:16,030 So if you go into that transcript folder that we created earlier, you notice it's empty, right?
59 00:03:17,980 --> 00:03:19,310 So let's go out and test what's going on.
60 00:03:19,660 --> 00:03:25,600 I type PowerShell, Ctrl+Shift+Enter to open an elevated prompt.
61 00:03:28,660 --> 00:03:29,680 Administrator.
62 00:03:33,310 --> 00:03:37,180 So we're going to leave that window in the background so you can see both, and we're going to type some
63 00:03:37,180 --> 00:03:38,650 PowerShell commands and show you something.
64 00:03:41,560 --> 00:03:45,580 I do, like, Invoke-WebRequest
65 00:03:49,090 --> 00:03:51,760 and I pull up, like, Google, right?
66 00:03:53,330 --> 00:03:54,710 Or if I do Get-Service.
67 00:03:56,700 --> 00:04:01,110 You should see transcription here, right, and you are very good. Now, I was going to say, if it didn't
68 00:04:01,110 --> 00:04:03,240 work, what you could do is the following.
69 00:04:04,200 --> 00:04:05,720 What you want to do is go into the Group
70 00:04:05,730 --> 00:04:07,590 Policy Editor, edit.
71 00:04:09,050 --> 00:04:10,550 And you want to do this as an admin,
72 00:04:13,640 --> 00:04:15,050 you run as administrator.
73 00:04:16,450 --> 00:04:17,340 Oh,
74 00:04:20,810 --> 00:04:22,910 God mode activated, man.
75 00:04:22,920 --> 00:04:24,650 Whenever I say God, I think of doing that.
76 00:04:24,650 --> 00:04:27,840 You guys ever play the game back in the day?
77 00:04:28,580 --> 00:04:28,970 All right.
78 00:04:29,480 --> 00:04:35,870 So if we go to Administrative Templates, Windows Components,
79 00:04:38,180 --> 00:04:44,930 Windows PowerShell. Notice that transcription is on, but if it is not working for you, what you could
80 00:04:44,930 --> 00:04:51,080 do is set the path here. You could say Transcript output directory and put in C:\.
81 00:04:52,070 --> 00:04:52,390 Right.
82 00:04:53,090 --> 00:04:54,800 Then you click Apply, you click
83 00:04:54,800 --> 00:04:55,280 OK.
84 00:04:56,000 --> 00:05:02,120 And the commands that you type here would be echoed in that transcription log, so we can actually take
85 00:05:02,120 --> 00:05:03,020 a look at that log.
86 00:05:03,020 --> 00:05:03,680 Double-click it.
87 00:05:05,270 --> 00:05:11,700 And you can see the exact command I typed, so obviously this is exactly what you want as a defender.
88 00:05:12,080 --> 00:05:14,920 I mean, look, this is exactly what I typed and there's the output.
89 00:05:15,530 --> 00:05:17,370 So we want to make sure we're getting this log.
90 00:05:17,390 --> 00:05:19,160 So how do we make sure we're logging everything we want?
91 00:05:19,160 --> 00:05:22,880 Because right now we don't have Sysmon inside, as you might have noticed, and we don't have Windows
92 00:05:22,880 --> 00:05:23,240 Defender.
93 00:05:23,250 --> 00:05:23,790 We don't have PowerShell.
94 00:05:23,810 --> 00:05:26,010 So it's the inputs.conf.
95 00:05:26,450 --> 00:05:30,000 So what we're going to do is I'm going to modify that file and show you how you can do it.
96 00:05:30,590 --> 00:05:32,570 And you can see the path where we're located.
97 00:05:33,200 --> 00:05:40,640 C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf.
98 00:05:41,150 --> 00:05:45,830 I know it's a mouthful, but you'll get used to this as you go through this course.
99 00:05:45,830 --> 00:05:47,510 But here you can see these are the inputs, right?
100 00:05:47,870 --> 00:05:50,750 This was the data, the data we saw in Splunk.
101 00:05:50,780 --> 00:05:54,830 So what we're going to do is we're going to first add those transcription logs and actually a bunch
102 00:05:54,830 --> 00:05:55,320 of different things.
103 00:05:55,320 --> 00:06:00,560 So I'm going to include everything I need to add inside of the resource section of this course so that
104 00:06:00,560 --> 00:06:01,910 you don't have to manually type out everything.
105 00:06:01,910 --> 00:06:05,660 Right, because there's a lot of data. I'm just going to copy and paste everything in and then we'll
106 00:06:05,660 --> 00:06:07,760 check back in Splunk to see if it's collecting.
107 00:06:08,300 --> 00:06:12,950 So here you can see we are monitoring the directory that contains our transcription logs. We're creating
108 00:06:12,950 --> 00:06:16,790 a new source type called PowerShell transcript and the PowerShell index.
109 00:06:17,190 --> 00:06:20,090 We are also logging all the PowerShell events.
110 00:06:21,180 --> 00:06:25,110 And we're setting that, and what source type here; we're doing the same for Sysmon.
111 00:06:26,650 --> 00:06:27,790 Source type Sysmon.
112 00:06:29,470 --> 00:06:31,450 So we got a double here, so let's take this one out.
113 00:06:31,460 --> 00:06:32,130 We don't need both
114 00:06:34,830 --> 00:06:37,630 and then we've got Windows Defender, right?
115 00:06:37,650 --> 00:06:38,730 So this should do it.
116 00:06:39,150 --> 00:06:40,260 I'm going to go ahead and save it.
117 00:06:43,270 --> 00:06:48,640 And then close it out and restart the universal forwarder service.
118 00:06:52,090 --> 00:06:53,620 services.msc.
119 00:06:54,780 --> 00:06:56,100 Run as admin.
120 00:07:04,410 --> 00:07:08,010 Again, I'm going to skip down to the S part of services.
121 00:07:09,580 --> 00:07:12,280 SplunkForwarder is running, let's go ahead and click Restart.
122 00:07:13,470 --> 00:07:17,130 And if this fails, it's probably because you have a typo somewhere inside of your inputs.conf,
123 00:07:18,090 --> 00:07:21,180 which means that I gave you a typo to copy and paste.
124 00:07:21,220 --> 00:07:24,870 So hopefully that doesn't happen. Until this starts up.
125 00:07:27,140 --> 00:07:29,900 All right, so it is running. Back over to the browser
126 00:07:32,660 --> 00:07:34,280 and let's go back.
127 00:07:35,990 --> 00:07:39,050 Take me back, baby, OK, take me back.
128 00:07:39,870 --> 00:07:42,420 OK, I'll stick to sidebar, I'll stop with the singing.
129 00:07:44,510 --> 00:07:47,830 Data Summary, and that's cool, look, our data is automatically coming in.
130 00:07:47,870 --> 00:07:48,630 That's pretty cool, right?
131 00:07:48,630 --> 00:07:48,650 It.
132 00:07:50,600 --> 00:07:52,310 And you can see some of the stuff is already coming in.
133 00:07:52,490 --> 00:07:54,320 Look, we've got Windows Defender.
134 00:07:58,610 --> 00:08:04,250 And some of the others actually start to come in as well as we run Sysmon. Look at what we
135 00:08:04,250 --> 00:08:08,570 can do in the next lecture, which is going to make sure that our DC and our OPNsense appliances
136 00:08:08,570 --> 00:08:09,730 are also sending data in as well.
137 00:08:10,040 --> 00:08:13,250 OK, so I'll see you guys in the next lecture. Bye.