How to Detect Cyber Threats

Written by grantcollins | Published 2022/02/26
Tech Story Tags: youtube-transcripts | cybersecurity | cyber-threats | cyber-attack | cybersecurity-skills | linux | software-engineering | data-security


In this article, we'll learn how cyber threats occur, how we can detect them, and how we can avoid them.

Watch the Video

https://www.youtube.com/watch?v=_Xw43NLo2kg&ab_channel=GrantCollins

00:00 All right, so I'm finally back with the cybersecurity home lab project, and in today's video it's going to be over a SIEM, or system information event management system. I've done a video here talking about what a SIEM does and how it works, and in today's video I'm going to be working with Splunk. Splunk is an industry-grade SIEM, and they offer a community edition. So what I'm going to be doing today is setting up this SIEM and using a universal forwarder to forward data from a Linux server over to the SIEM so that I can visualize and understand what's going on with the different systems connected to the SIEM. I really have no idea what I'm doing here, so it's going to be a lot of research. So, yeah, let me go ahead and give you an overview of what I have found so far.

00:44 All right, so transitioning over to my computer here, I have a couple of things that I'm running right now. So I'm gonna be separating myself from the virtualization that I've done on my other cybersecurity home lab computer, and I'm actually gonna be using Linode here. In front of me I have a couple of machines already set up. This includes my Splunk test environment as well as a basic Linux server, so I'm gonna be using Linode to power this project. I'm gonna be working with this guide here to go ahead and just basically set up the Splunk dashboard, and from there I can use the Splunk official documentation to understand what's going on with, uh, the universal forwarder, or to get data into the dashboard. Probably a lot more resources I'll be working with, but here is what I have so far. So let's go ahead and get started by setting up the Splunk dashboard.

01:38 All right, a couple hours later, here I am. In front of me I have the Splunk dashboard up and running. So as you can see here, I went ahead and set up the Splunk dashboard on my base Ubuntu server node, and from that I'm able to get into the Splunk Enterprise website by going through the IP address as well as the default port. I'll leave that link up in the description below. So now the next thing is to go ahead and get the data into the Splunk machine and understand what the heck is going on here.

02:08 All right, so while setting up the Splunk forwarder, I want to quickly mention the FlexiSpot desk, which has been sent to me by the FlexiSpot team. I already have a couple of FlexiSpot desks, and they were actually generous enough to send over one for my home office. Specifically, I received the FlexiSpot Glass Black EG8B for my home office, and so, as you know, I'm all about productivity with these standing desks. The FlexiSpot Glass Black is a perfect standing desk to meet my productivity needs. It comes with a motorized lifting system for ease of use. There are four different numbered modes you can use to set different height adjustments, whether you want to stand, sit, or something in between, but it also comes with the standard up and down arrows to meet your height needs. The glass finish looks great; it even comes with a little drawer supply for notepads and pencils. The FlexiSpot Glass Black desk is a perfect desk to boost your productivity, so if you're interested you can go ahead and use the link in the description below. And thanks again to the FlexiSpot team for sending one of these over.

03:10 Okay, so after getting lost for a long time, I finally used that YouTube video and I figured out something: the Splunk architecture processing components. So here they are. In Splunk we have three major components: forwarders, indexers, and search heads. Forwarders are used to forward or send data into the Splunk Enterprise machine. This is going to be the centralized device which is going to store all that information and populate that data so that it can be queried. After the data is forwarded, it's indexed, meaning it's stored. Indexers store the data so that it can be queried. Once the data is stored, you can go into the search heads. This is where you can actually look up the data, look for what is anomalous, whatever type of data that you're looking for, and you can use the search query language to set up and actively look for different types of data and populate dashboards from that. So now that we know the basic Splunk processing components, it's time to set up this universal forwarder.

04:04 Okay, so to actively set up the universal forwarder, you can actually download the Splunk universal forwarder on the official web page. I'm gonna be using a bare-bones Linux server, so I'm going to use the wget command to go ahead and install this forwarder onto my machine.

04:26 All right, so it's a couple hours later and I finally finished kind of my basic goal of getting data into Splunk so that I can go ahead and search for it. All right, so here in front of me, as you can see, I have my Linux machine which is running Splunk right now, as well as another Linux machine running the Splunk forwarder, sending data, specifically the syslogs, into my Splunk dashboard here. So if we close out of it here, you can go ahead and see the data coming in. Like I said before, we can go ahead and use the search query for specific data matching a pattern or a string. So in this case you can go ahead and use host, but you can go ahead and pipe things, and you can add other information such as using the table to go ahead and query for specific data. So here in front of me, as you can see, I went ahead and created a table with the source type and date hour, and as you can see, it just pops up here. The query language in Splunk is very powerful. I didn't really touch a lot on it, but definitely a lot to be learned on that front.

05:29 Because I'm interested in the security side of Splunk, I went ahead and tested some test use cases where you would actually look for indicators of compromise. What I tried doing was a basic test. I wanted to see if I, let's say, logged into a Linux machine and had the root username and password as nothing, or whatever information, would it be sent to the Splunk SIEM. So that's what I went ahead and did with a new PuTTY session, uh, you can see that the logs are sent to the dashboard. You know, let's say you had 5,000 different login attempts in two minutes and you didn't have rate limiting or some sort of control on that Linux machine. That could be a tell that someone is trying to break into that Linux server, for instance. So I just want to see, you know, other types of indicators of compromise or other types of activities that you could do on a Linux machine. So that was just a basic one that I just performed there.

06:25 Another very powerful feature that I figured out here, of course I knew this before but actually doing it, is you can go ahead and create new dashboards from the data that is sent to the SIEM. So for instance, you could visualize this data so that, you know, you could show in a dashboard how many attempts you have per day on that Linux server with SSH. Very basic stuff here. And what you can do is you can add new dashboards and you can create the different types of panel content. Now I didn't create any dashboards because I didn't have a sufficient amount of data, but using a quick YouTube search, as you can tell, you can make some pretty powerful graphs: line graphs, bar graphs, all types of different dashboards to visualize your data.

07:10 So that was it for what I did within this project: a very basic setup of setting up Splunk and getting a universal forwarder to send data into Splunk to search for that data. All right, so that is it for today's video. This actually wraps up the cybersecurity home lab project. So today's video was pretty basic, with setting up a SIEM and getting data inside it. Hopefully you have enjoyed this series, and finally it is time to wrap up. All right, so that is it for today's video. Until the next video, have a good day.
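As an added example that is not part of the video or of the article, the Python below implements the brute-force check the speaker describes at 05:29, run over constructed syslog-style sshd lines rather than a live Splunk index: it parses OpenSSH "Failed password" events, counts failures per source IP inside a sliding two-minute window, and raises an alert the first time a source crosses a threshold. Counting per source IP rather than per host is what lets you tell one attacker from a busy server. The threshold of 5, the window of 120 seconds, the host names, addresses and every sample line are assumptions chosen for the example, not values from the video; lines are assumed to arrive in time order, as they do from a single syslog file. The SPL search in the comment is the equivalent idea in Splunk's own language and assumes the forwarded data carries `sourcetype=syslog`.

```python
"""Detect SSH password brute-forcing in syslog-style sshd lines.

Added example, not from the video. The log lines, threshold and window
below are constructed assumptions for illustration.

Roughly equivalent Splunk search (assumes sourcetype=syslog is how the
forwarded auth logs arrive):
    index=* sourcetype=syslog "Failed password"
    | rex "from (?<src_ip>\\d+\\.\\d+\\.\\d+\\.\\d+)"
    | bin _time span=2m
    | stats count by src_ip, _time
    | where count > 100
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH failure line as written by syslog: "<Mon DD HH:MM:SS> <host> sshd[pid]: ..."
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample input (assumed hosts, users and addresses).
SAMPLE_LOG = """\
Feb 26 10:00:01 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 50122 ssh2
Feb 26 10:00:02 web01 sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
Feb 26 10:00:03 web01 sshd[2103]: Failed password for root from 203.0.113.7 port 50124 ssh2
Feb 26 10:00:04 web01 sshd[2104]: Accepted password for grant from 198.51.100.4 port 40011 ssh2
Feb 26 10:00:05 web01 sshd[2105]: Failed password for root from 203.0.113.7 port 50125 ssh2
Feb 26 10:00:06 web01 sshd[2106]: Failed password for root from 203.0.113.7 port 50126 ssh2
Feb 26 10:00:10 web01 sshd[2107]: Failed password for root from 192.0.2.9 port 6001 ssh2
Feb 26 10:00:20 web01 sshd[2108]: Failed password for root from 192.0.2.9 port 6002 ssh2
Feb 26 10:00:30 web01 sshd[2109]: Failed password for root from 192.0.2.9 port 6003 ssh2
Feb 26 10:00:40 web01 sshd[2110]: Failed password for root from 192.0.2.9 port 6004 ssh2
Feb 26 10:03:00 web01 sshd[2111]: Failed password for root from 192.0.2.9 port 6005 ssh2
Feb 26 10:03:05 web01 sshd[2112]: Failed password for grant from 198.51.100.4 port 40012 ssh2
"""


def parse_failed_login(line, year=2022):
    """Return (timestamp, host, user, ip) for a failed-password line, else None.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2022).
    """
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_seconds=120):
    """Flag source IPs with >= threshold failures inside any sliding window.

    Lines must be in time order. Returns {ip: timestamp of the failure that
    first crossed the threshold}; each IP is reported once.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    alerts = {}
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue  # successful logins and unrelated lines are ignored
        ts, _host, _user, ip = parsed
        q = recent[ip]
        q.append(ts)
        # Drop failures older than the window before judging this source.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


def alerts_for_sample():
    """Run the detector over the constructed sample log."""
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, when in alerts_for_sample().items():
        print(f"ALERT brute force from {ip}, threshold crossed at {when:%H:%M:%S}")
```

In the sample, 203.0.113.7 produces five failures in five seconds and is reported; 192.0.2.9 also produces five failures, but the fifth arrives after the first four have aged out of the window, so it stays below threshold. That second case is the one to think about when tuning: a slow, patient attacker needs a longer window or a lower threshold, at the cost of more noise from users who mistype a password.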




Written by grantcollins | An I.T. nerd who wants to think he is good at cybersecurity but really is just a script kiddie.
Published by HackerNoon on 2022/02/26