In this article, we'll learn more about how cyber threats occur, how we can detect them and how we can avoid them.

Watch the video: https://www.youtube.com/watch?v=_Xw43NLo2kg&ab_channel=GrantCollins

Transcript:

All right, so I'm finally back with the cybersecurity home lab project, and in today's video it's going to be over a SIEM, or system information event management system. I've done a video here talking about what a SIEM does and how it works, and in today's video I'm going to be working with Splunk. Splunk is an industry-grade SIEM, and they offer a community edition. So what I'm going to be doing today is setting up this SIEM and using a universal forwarder to forward data from a Linux server over to the SIEM so that I can visualize and understand what's going on with the different systems connected to the SIEM. I really have no idea what I'm doing here, so it's going to be a lot of research. So yeah, let me go ahead and give you an overview of what I have found so far.

All right, so transitioning over to my computer here, I have a couple of things that I'm running right now. So I'm gonna be separating myself from the virtualization that I've done on my other cybersecurity home lab computer, and I'm actually gonna be using Linode here. In front of me I have a couple of machines already set up; this includes my Splunk test environment as well as a basic Linux server. So I'm gonna be using Linode to power this project. I'm gonna be working with this guide here to go ahead and just basically set up the Splunk dashboard, and from there I can use the Splunk official documentation to understand what's going on with the universal forwarder to get data into the dashboard. Probably a lot more resources I'll be working with, but here is what I have so far, so let's go ahead and get started by setting up the Splunk dashboard.

All right, a couple hours later, here I am. In front of me I have the Splunk dashboard up and running. So as you can see here, I went ahead and set up the Splunk dashboard on my base Ubuntu server node, and from that I'm able to get into the Splunk Enterprise website by going through the IP address as well as the default port. I'll leave that link up in the description below. So now the next thing is to go ahead and get the data into the Splunk machine and understand what the heck is going on here.

All right, so while setting up the Splunk forwarder I want to quickly mention the FlexiSpot desk, which has been sent to me by the FlexiSpot team. I already have a couple of FlexiSpot desks and they were actually generous enough to send over one for my home office. Specifically, I received the FlexiSpot Glass Black EG8B for my home office, and so as you know I'm all about productivity with these standing desks. The FlexiSpot Glass Black is a perfect standing desk to meet my productivity needs. It comes with a motorized lifting system for ease of use. There are four different numbered modes you can use to set different height adjustments, whether you want to stand, sit, or something in between, but it also comes with the standard up and down arrows to meet your height needs. The glass finish looks great; it even comes with a little drawer supply for notepads and pencils. The FlexiSpot Glass Black desk is a perfect desk to boost your productivity, so if you're interested you can go ahead and use the link in the description below. And thanks again to the FlexiSpot team for sending one of these over.

Okay, so after getting lost for a long time, I finally used that YouTube video and I figured out something: the Splunk architecture processing components. So here they are. In Splunk we have three major components: forwarders, indexers, and search heads. Forwarders are used to forward or send data into the Splunk Enterprise machine. This is going to be the centralized device which is going to store all that information and populate that data so that it can be queried. After the data is forwarded it's indexed, meaning it's stored; indexers store the data so that it can be queried. Once the data is stored, you can go into the search heads. This is where you can actually look up the data, look for what is anomalous, whatever type of data that you're looking for, and you can use the search query language to set up and actively look for different types of data and populate dashboards from that. So now that we know the basic Splunk processing components, it's time to set up this universal forwarder.

Okay, so to actively set up the universal forwarder, you can actually download the Splunk universal forwarder on the official web page. I'm gonna be using a bare-bones Linux server, so I'm going to use the wget command to go ahead and install this forwarder onto my machine.

All right, so it's a couple hours later, and I finally finished kind of my basic goal of getting data into Splunk so that I can go ahead and search for it. All right, so here in front of me, as you can see, I have my Linux machine which is running Splunk right now, as well as another Linux machine running the Splunk forwarder, sending data, specifically the syslogs, into my Splunk dashboard here. So if we close out of it here you can go ahead and see the data coming in. Like I said before, we can go ahead and use the search query for specific data matching a pattern or a string. So in this case you can go ahead and use host, but you can go ahead and pipe things, and you can add other information such as using the table to go ahead and query for specific data. So here in front of me, as you can see, I went ahead and created a table with the source type and date hour, and as you can see it just pops up here. The query language in Splunk is very powerful. I didn't really touch a lot on it, but definitely a lot to be learned in that front.

Because I'm interested in the security side of Splunk, I went ahead and tested some test use cases where you would actually look for indicators of compromise. What I tried doing was a basic test: I wanted to see if I, let's say, logged into a Linux machine and had the root username and password as nothing, or whatever information, would it be sent to the Splunk SIEM. So that's what I went ahead and did with a new PuTTY session. You can see that the logs are sent to the dashboard. You know, let's say you had 5000 different login attempts in two minutes and you didn't have rate limiting or some sort of control on that Linux machine; that could be a tell that someone is trying to break into that Linux server, for instance. So I just want to see, you know, other types of indicators of compromise or other types of activities that you could do on a Linux machine. So that was just a basic one that I just performed there.

Another very powerful feature that I figured out here, of course I knew this before, but actually doing it, is you can go ahead and create new dashboards from the data that is sent to the SIEM. So for instance, you could visualize this data so that, you know, you could show in a dashboard how many attempts you have per day on that Linux server with SSH. Very basic stuff here. And what you can do is you can add new dashboards and you can create the different types of panel content. Now I didn't create any dashboards because I didn't have a sufficient amount of data, but using a quick YouTube search, as you can tell, you can make some pretty powerful graphs: line graphs, bar graphs, all types of different dashboards to visualize your data. So that was it for what I did within this project, a very basic setup of setting up Splunk and getting a universal forwarder to send data into Splunk to search for that data.

All right, so that is it for today's video. This actually wraps up the cybersecurity home lab project. So today's video was pretty basic with setting up a SIEM and getting data inside it. Hopefully you have enjoyed this series, and finally it is time to wrap up. All right, so that is it for today's video. Until the next video, have a good day.
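The brute-force indicator the speaker describes (a burst of failed SSH logins on the forwarded syslog within a two-minute window) as a small detector in Python. This is an added example, not code from the video; the sshd syslog lines, the host name "linux-forwarder", and the SPL query in the trailing comment are constructed assumptions about the log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format sshd writes to /var/log/auth.log;
# the host name and addresses are made up, the year is assumed to be 2021.
SAMPLE_SYSLOG = """\
Mar  4 10:00:01 linux-forwarder sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  4 10:00:02 linux-forwarder sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Mar  4 10:00:03 linux-forwarder sshd[1203]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  4 10:00:40 linux-forwarder sshd[1204]: Failed password for root from 203.0.113.5 port 51237 ssh2
Mar  4 10:01:30 linux-forwarder sshd[1205]: Accepted password for grant from 198.51.100.7 port 40000 ssh2
Mar  4 10:05:00 linux-forwarder sshd[1206]: Failed password for root from 198.51.100.7 port 40001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_failed_logins(text, year=2021):
    """Return (timestamp, user, ip) for each sshd 'Failed password' line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events

def flag_bruteforce(events, window_s=120, threshold=3):
    """Map each source IP whose failures in any sliding window of window_s
    seconds reach threshold to the largest such burst count."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_s:
                start += 1          # slide the window forward
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

# Rough SPL equivalent of flag_bruteforce, assuming the syslog sourcetype:
# sourcetype=syslog "Failed password" | rex "from (?<src_ip>\d+\.\d+\.\d+\.\d+)"
# | bin _time span=2m | stats count by _time src_ip | where count >= 100
```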