0:06
S… Speaker 2 (2026-04-13 10-02-48)
In this video,
0:07
S… Speaker 1 (2026-04-13 10-02-48)
we're going to walk through a short kind of hypothetical threat
0:11
S… Speaker 1 (2026-04-13 10-02-48)
hunt just to look at the threat hunting process in Splunk
0:16
S… Speaker 1 (2026-04-13 10-02-48)
from a more theoretical view,
0:18
S… Speaker 1 (2026-04-13 10-02-48)
including, you know,
0:19
S… Speaker 1 (2026-04-13 10-02-48)
what kind of queries you can do when pivoting and things like
0:23
S… Speaker 1 (2026-04-13 10-02-48)
that. So let's put everything together.
0:25
S… Speaker 3 (2026-04-13 10-02-48)
Remember,
0:26
S… Speaker 1 (2026-04-13 10-02-48)
threat hunting is a proactive activity.
0:30
S… Speaker 4 (2026-04-13 10-02-48)
You're not
0:31
S… Speaker 1 (2026-04-13 10-02-48)
necessarily waiting for an alert or a notification
0:35
S… Speaker 1 (2026-04-13 10-02-48)
before you start doing threat hunting.
0:38
S… Speaker 1 (2026-04-13 10-02-48)
Now, alerts and notifications,
0:40
S… Speaker 1 (2026-04-13 10-02-48)
those can serve as triggers for,
0:44
S… Speaker 1 (2026-04-13 10-02-48)
you know,
0:45
S… Speaker 1 (2026-04-13 10-02-48)
potentially starting a threat hunt depending on where you are with your current
0:49
S… Speaker 1 (2026-04-13 10-02-48)
process,
0:50
S… Speaker 1 (2026-04-13 10-02-48)
or they can be used as additional information and ongoing threat
0:54
S… Speaker 1 (2026-04-13 10-02-48)
hunt.
0:54
S… Speaker 1 (2026-04-13 10-02-48)
or they can help with hypothesis creation for a new threat hunt
0:59
S… Speaker 1 (2026-04-13 10-02-48)
or anything like that.
1:00
S… Speaker 1 (2026-04-13 10-02-48)
But threat hunting does not rely on those entirely.
1:04
S… Speaker 1 (2026-04-13 10-02-48)
Your threat hunts should always be hypothesis-driven.
1:09
S… Speaker 1 (2026-04-13 10-02-48)
Your queries should always be driven by the hypothesis
1:13
S… Speaker 1 (2026-04-13 10-02-48)
as well.
1:14
S… Speaker 1 (2026-04-13 10-02-48)
They should be in line with that specific hunt.
1:17
S… Speaker 1 (2026-04-13 10-02-48)
You shouldn't perform threat hunts by just throwing out random
1:21
S… Speaker 1 (2026-04-13 10-02-48)
queries and seeing what kind of results you get.
1:24
S… Speaker 1 (2026-04-13 10-02-48)
Most of the time.
1:25
S… Speaker 1 (2026-04-13 10-02-48)
Sometimes your threat hunt may be like that,
1:29
S… Speaker 1 (2026-04-13 10-02-48)
but that is extremely rare and that would be a very,
1:32
S… Speaker 1 (2026-04-13 10-02-48)
very broad hypothesis.
1:33
S… Speaker 1 (2026-04-13 10-02-48)
So 99% of the time you're not going to rely on random
1:38
S… Speaker 1 (2026-04-13 10-02-48)
queries.
1:38
S… Speaker 1 (2026-04-13 10-02-48)
They're going to be carefully crafted and they're going to be in line with the hypothesis.
1:44
S… Speaker 1 (2026-04-13 10-02-48)
When you're using or some of the reasons to use
1:48
S… Speaker 1 (2026-04-13 10-02-48)
Splunk in threat hunts or really just any sort of platform like
1:53
S… Speaker 3 (2026-04-13 10-02-48)
Splunk,
1:53
S… Speaker 1 (2026-04-13 10-02-48)
it gives you that visibility.
1:55
S… Speaker 1 (2026-04-13 10-02-48)
It gives you that centralized location for all of your logs.
1:59
S… Speaker 1 (2026-04-13 10-02-48)
It gives you the historical information going back really just
2:03
S… Speaker 1 (2026-04-13 10-02-48)
as far as your log retention goes.
2:05
S… Speaker 1 (2026-04-13 10-02-48)
And it gives you the ease of performing those hunts.
2:09
S… Speaker 1 (2026-04-13 10-02-48)
It also lets you easily pivot
2:13
S… Speaker 1 (2026-04-13 10-02-48)
to new areas of the search or of the hunt in
2:17
S… Speaker 1 (2026-04-13 10-02-48)
new directions based on the data you have.
2:19
S… Speaker 1 (2026-04-13 10-02-48)
It lets you aggregate all the data together,
2:22
S… Speaker 1 (2026-04-13 10-02-48)
and it lets you,
2:24
S… Speaker 1 (2026-04-13 10-02-48)
like we've seen in other videos in this course,
2:26
S… Speaker 1 (2026-04-13 10-02-48)
it lets you visualize the results of your queries to
2:31
S… Speaker 1 (2026-04-13 10-02-48)
more quickly be able to analyze and understand
2:35
S… Speaker 1 (2026-04-13 10-02-48)
the information that's in those logs.
2:38
S… Speaker 1 (2026-04-13 10-02-48)
One of the best ways to do that in Splunk during a threat hunt is with tables.
2:43
S… Speaker 1 (2026-04-13 10-02-48)
There are many other forms of visualizations in Splunk,
2:46
S… Speaker 1 (2026-04-13 10-02-48)
but for threat hunting,
2:48
S… Speaker 1 (2026-04-13 10-02-48)
one of the most useful ones are tables.
2:51
S… Speaker 1 (2026-04-13 10-02-48)
We've got all that information.
2:53
S… Speaker 1 (2026-04-13 10-02-48)
Let's take a look at a hypothetical scenario here.
2:56
S… Speaker 1 (2026-04-13 10-02-48)
So in this scenario,
2:57
S… Speaker 1 (2026-04-13 10-02-48)
in this threat hunt,
2:58
S… Speaker 1 (2026-04-13 10-02-48)
we're going to kind of walk through an attacker has been using PowerShell
3:03
S… Speaker 1 (2026-04-13 10-02-48)
to download some sort of malicious payload using
3:07
S… Speaker 1 (2026-04-13 10-02-48)
obfuscated or encoded commands.
3:10
S… Speaker 1 (2026-04-13 10-02-48)
So we're going to just kind of step through a few different
3:14
S… Speaker 1 (2026-04-13 10-02-48)
queries that can be used to start the hunt and then a few different ways that
3:18
S… Speaker 1 (2026-04-13 10-02-48)
we can pivot
3:20
S… Speaker 1 (2026-04-13 10-02-48)
with additional queries.
3:21
S… Speaker 1 (2026-04-13 10-02-48)
So let's take a look at those.
3:24
S… Speaker 1 (2026-04-13 10-02-48)
So.
3:25
S… Speaker 1 (2026-04-13 10-02-48)
When we're starting our hunt,
3:27
S… Speaker 1 (2026-04-13 10-02-48)
the actual hunting activity itself,
3:29
S… Speaker 1 (2026-04-13 10-02-48)
we're going to look at three different steps.
3:32
S… Speaker 1 (2026-04-13 10-02-48)
The first one is going to be figuring out which logs are
3:36
S… Speaker 1 (2026-04-13 10-02-48)
relevant to our specific threat hunt.
3:40
S… Speaker 2 (2026-04-13 10-02-48)
So in this case,
3:41
S… Speaker 1 (2026-04-13 10-02-48)
we're looking at commands that were executed via PowerShell
3:46
S… Speaker 1 (2026-04-13 10-02-48)
and looking at downloaded files specifically that
3:50
S… Speaker 1 (2026-04-13 10-02-48)
were done with some sort of encoded PowerShell command.
3:53
S… Speaker 2 (2026-04-13 10-02-48)
So in our case,
3:54
S… Speaker 1 (2026-04-13 10-02-48)
we're going to want information from the Windows event logs,
3:57
S… Speaker 1 (2026-04-13 10-02-48)
specifically PowerShell information.
3:59
S… Speaker 1 (2026-04-13 10-02-48)
We're going to potentially want information from the Sysmon logs,
4:03
S… Speaker 1 (2026-04-13 10-02-48)
including launched processes,
4:05
S… Speaker 1 (2026-04-13 10-02-48)
because that will give us more information than the native Windows
4:09
S… Speaker 1 (2026-04-13 10-02-48)
event logs.
4:10
S… Speaker 1 (2026-04-13 10-02-48)
And we could potentially even look at network data in this hunt,
4:14
S… Speaker 1 (2026-04-13 10-02-48)
depending on what direction we want to take it.
4:17
S… Speaker 1 (2026-04-13 10-02-48)
There's many different ways you can start this type of threat hunt.
4:22
S… Speaker 2 (2026-04-13 10-02-48)
So in this step,
4:23
S… Speaker 1 (2026-04-13 10-02-48)
we're going to,
4:24
S… Speaker 1 (2026-04-13 10-02-48)
in this case, we're going to take step two and we're going to execute,
4:28
S… Speaker 1 (2026-04-13 10-02-48)
we're going to craft and build our initial queries.
4:31
S… Speaker 1 (2026-04-13 10-02-48)
Remember,
4:32
S… Speaker 1 (2026-04-13 10-02-48)
and I keep saying this over and over,
4:34
S… Speaker 1 (2026-04-13 10-02-48)
use the correct index.
4:36
S… Speaker 1 (2026-04-13 10-02-48)
Make sure you're specifying the index or indexes that
4:40
S… Speaker 1 (2026-04-13 10-02-48)
you need or that the logs are in so that you get the correct
4:45
S… Speaker 1 (2026-04-13 10-02-48)
and appropriate information for your threat hunt.
4:48
S… Speaker 2 (2026-04-13 10-02-48)
So in this case,
4:49
S… Speaker 1 (2026-04-13 10-02-48)
we can do a query that starts off looking at the Sysmon
4:53
S… Speaker 1 (2026-04-13 10-02-48)
index.
4:54
S… Speaker 1 (2026-04-13 10-02-48)
We're looking specifically at event code 1,
4:57
S… Speaker 1 (2026-04-13 10-02-48)
which is a new process creation.
5:00
S… Speaker 1 (2026-04-13 10-02-48)
We are looking at that process to have PowerShell in the name
5:04
S… Speaker 1 (2026-04-13 10-02-48)
somewhere, so this would match PowerShell.exe because we
5:08
S… Speaker 1 (2026-04-13 10-02-48)
have the asterisk in there for that wildcard.
5:11
S… Speaker 1 (2026-04-13 10-02-48)
And we're also looking as part of the command line that was entered
5:15
S… Speaker 1 (2026-04-13 10-02-48)
in there for the letters enc for encoded.
5:19
S… Speaker 1 (2026-04-13 10-02-48)
We are looking for that somewhere in that command line.
5:23
S… Speaker 1 (2026-04-13 10-02-48)
Now, there's many different ways you can carry out this initial query.
5:27
S… Speaker 1 (2026-04-13 10-02-48)
This is just one potential way that it could be
5:31
S… Speaker 1 (2026-04-13 10-02-48)
done.
5:32
S… Speaker 1 (2026-04-13 10-02-48)
And then,
5:33
S… Speaker 1 (2026-04-13 10-02-48)
based on the results,
5:34
S… Speaker 1 (2026-04-13 10-02-48)
we take a look at those and figure out,
5:37
S… Speaker 1 (2026-04-13 10-02-48)
well, what comes next.
5:39
S… Speaker 1 (2026-04-13 10-02-48)
Maybe we did discover commands,
5:41
S… Speaker 1 (2026-04-13 10-02-48)
and then we need to then decode whatever the commands were
5:45
S… Speaker 1 (2026-04-13 10-02-48)
in that PowerShell.
5:47
S… Speaker 1 (2026-04-13 10-02-48)
Did we discover that malware was downloaded?
5:50
S… Speaker 1 (2026-04-13 10-02-48)
If it was,
5:51
S… Speaker 1 (2026-04-13 10-02-48)
was it run?
5:52
S… Speaker 1 (2026-04-13 10-02-48)
Do we have a hash available for that information if we have
5:56
S… Speaker 1 (2026-04-13 10-02-48)
the correct logging?
5:57
S… Speaker 1 (2026-04-13 10-02-48)
If we do have a hash available,
5:59
S… Speaker 1 (2026-04-13 10-02-48)
is this some sort of known malware?
6:01
S… Speaker 1 (2026-04-13 10-02-48)
Have other organizations seen it?
6:03
S… Speaker 1 (2026-04-13 10-02-48)
There's many next directions we can go here.
6:06
S… Speaker 1 (2026-04-13 10-02-48)
Pivot as necessary.
6:08
S… Speaker 1 (2026-04-13 10-02-48)
That's our third step in kind of our initial phase of our threat
6:12
S… Speaker 1 (2026-04-13 10-02-48)
hunt.
6:13
S… Speaker 1 (2026-04-13 10-02-48)
So I mentioned that was just one way we can start that query,
6:17
S… Speaker 1 (2026-04-13 10-02-48)
or start that hunt,
6:19
S… Speaker 1 (2026-04-13 10-02-48)
one query we can use to start that hunt.
6:21
S… Speaker 1 (2026-04-13 10-02-48)
So let's say that we did that query,
6:24
S… Speaker 1 (2026-04-13 10-02-48)
and we discovered an encoded command that was executed
6:28
S… Speaker 1 (2026-04-13 10-02-48)
with PowerShell.
6:29
S… Speaker 1 (2026-04-13 10-02-48)
We decode that,
6:30
S… Speaker 1 (2026-04-13 10-02-48)
and we see that the file of update.ps1
6:35
S… Speaker 1 (2026-04-13 10-02-48)
was downloaded.
6:36
S… Speaker 1 (2026-04-13 10-02-48)
Our next step should be to search and
6:40
S… Speaker 1 (2026-04-13 10-02-48)
see if it was executed.
6:42
S… Speaker 1 (2026-04-13 10-02-48)
So this is essentially the same query as before,
6:45
S… Speaker 1 (2026-04-13 10-02-48)
except this time we are looking in the command line to look for the file
6:49
S… Speaker 1 (2026-04-13 10-02-48)
name run via PowerShell of update.ps1,
6:53
S… Speaker 1 (2026-04-13 10-02-48)
the file that was downloaded.
6:55
S… Speaker 2 (2026-04-13 10-02-48)
Again,
6:56
S… Speaker 1 (2026-04-13 10-02-48)
there are many,
6:57
S… Speaker 1 (2026-04-13 10-02-48)
many different ways to kind of
7:01
S… Speaker 1 (2026-04-13 10-02-48)
build this query.
7:02
S… Speaker 1 (2026-04-13 10-02-48)
This is just one option.
7:03
S… Speaker 2 (2026-04-13 10-02-48)
Now,
7:04
S… Speaker 1 (2026-04-13 10-02-48)
say you don't have Sysmon, because you can see with the event code equals one,
7:09
S… Speaker 1 (2026-04-13 10-02-48)
that is also the name of the index.
7:12
S… Speaker 1 (2026-04-13 10-02-48)
Strong indication that we're using Sysmon event IDs
7:16
S… Speaker 1 (2026-04-13 10-02-48)
here because one equals process creation.
7:21
S… Speaker 1 (2026-04-13 10-02-48)
So say you don't have Sysmon,
7:23
S… Speaker 1 (2026-04-13 10-02-48)
you can use the Windows event log.
7:25
S… Speaker 1 (2026-04-13 10-02-48)
So we can change up a query and do the win event log index.
7:29
S… Speaker 1 (2026-04-13 10-02-48)
And these, again,
7:29
S… Speaker 1 (2026-04-13 10-02-48)
are hypothetical indexes.
7:31
S… Speaker 1 (2026-04-13 10-02-48)
Production environments will have completely different named indexes more than likely.
7:36
S… Speaker 1 (2026-04-13 10-02-48)
But we can look for event ID or event code,
7:38
S… Speaker 1 (2026-04-13 10-02-48)
as it's listed in the logs,
7:39
S… Speaker 1 (2026-04-13 10-02-48)
of 4688,
7:41
S… Speaker 1 (2026-04-13 10-02-48)
which is the Windows event ID for a new process being created.
7:45
S… Speaker 2 (2026-04-13 10-02-48)
Now,
7:46
S… Speaker 1 (2026-04-13 10-02-48)
this isn't going to give you nearly as much information as Sysmon will,
7:50
S… Speaker 1 (2026-04-13 10-02-48)
but it will still give you information about whether or not it was
7:54
S… Speaker 1 (2026-04-13 10-02-48)
actually created.
7:55
S… Speaker 1 (2026-04-13 10-02-48)
Get the rest of that query up on the screen.
7:58
S… Speaker 1 (2026-04-13 10-02-48)
We're looking here for the process name having PowerShell in it.
8:02
S… Speaker 1 (2026-04-13 10-02-48)
This is the equivalent to saying image equals in the Sysmon logs.
8:06
S… Speaker 1 (2026-04-13 10-02-48)
And then the command line,
8:07
S… Speaker 1 (2026-04-13 10-02-48)
except this time it's got an underscore in it,
8:09
S… Speaker 1 (2026-04-13 10-02-48)
we are looking to see if update.ps1 was executed.
8:14
S… Speaker 1 (2026-04-13 10-02-48)
Again, this is just one specific way we're
8:18
S… Speaker 1 (2026-04-13 10-02-48)
looking at this.
8:20
S… Speaker 1 (2026-04-13 10-02-48)
So let's say that if we do find evidence
8:24
S… Speaker 1 (2026-04-13 10-02-48)
that this update.ps1 was executed,
8:27
S… Speaker 1 (2026-04-13 10-02-48)
assuming we're looking at Sysmon logs,
8:29
S… Speaker 1 (2026-04-13 10-02-48)
then we probably have a file hash for it.
8:32
S… Speaker 1 (2026-04-13 10-02-48)
We can search other systems.
8:35
S… Speaker 1 (2026-04-13 10-02-48)
We can look at internet resources like VirusTotal
8:39
S… Speaker 1 (2026-04-13 10-02-48)
for that hash to see if other organizations or other individuals have
8:43
S… Speaker 1 (2026-04-13 10-02-48)
seen this.
8:44
S… Speaker 1 (2026-04-13 10-02-48)
Is this a known script so we can get more information potentially about what it
8:48
S… Speaker 1 (2026-04-13 10-02-48)
does?
8:48
S… Speaker 1 (2026-04-13 10-02-48)
Things like that.
8:50
S… Speaker 1 (2026-04-13 10-02-48)
So we can also kind of reformat this a little bit to
8:55
S… Speaker 1 (2026-04-13 10-02-48)
instead of just showing us the results,
8:59
S… Speaker 1 (2026-04-13 10-02-48)
we can format those results in a table.
9:01
S… Speaker 1 (2026-04-13 10-02-48)
So again,
9:02
S… Speaker 1 (2026-04-13 10-02-48)
we're still looking for update.ps1 being run.
9:06
S… Speaker 1 (2026-04-13 10-02-48)
In this case,
9:07
S… Speaker 1 (2026-04-13 10-02-48)
we have omitted the specific image we're looking for,
9:10
S… Speaker 1 (2026-04-13 10-02-48)
but we're formatting the results in a table.
9:13
S… Speaker 1 (2026-04-13 10-02-48)
So we're looking to see what computer was this file executed on?
9:17
S… Speaker 1 (2026-04-13 10-02-48)
What was the process
9:20
S… Speaker 1 (2026-04-13 10-02-48)
that actually executed it? What was the full command line that was used,
9:24
S… Speaker 1 (2026-04-13 10-02-48)
and what hashes were returned? Now, depending
9:28
S… Speaker 1 (2026-04-13 10-02-48)
again on how this search is carried out, this
9:32
S… Speaker 1 (2026-04-13 10-02-48)
one, depending on the image that was actually run, this
9:37
S… Speaker 1 (2026-04-13 10-02-48)
may give you the hashes of that image. So you may get, if PowerShell
9:41
S… Speaker 1 (2026-04-13 10-02-48)
was the process name, that is, a process that was launched,
9:45
S… Speaker 1 (2026-04-13 10-02-48)
then chances are you might get hashes of the PowerShell executable.
9:49
S… Speaker 1 (2026-04-13 10-02-48)
It just depends on what's in the logs and how you format
9:53
S… Speaker 1 (2026-04-13 10-02-48)
it.
9:54
S… Speaker 1 (2026-04-13 10-02-48)
Let's say we do have the hash information for
9:58
S… Speaker 1 (2026-04-13 10-02-48)
update.ps1.
10:00
S… Speaker 1 (2026-04-13 10-02-48)
The next query we can do is to see
10:04
S… Speaker 1 (2026-04-13 10-02-48)
if there were any other computers where that hash
10:08
S… Speaker 1 (2026-04-13 10-02-48)
or where a process was launched that matches that
10:12
S… Speaker 2 (2026-04-13 10-02-48)
hash.
10:13
S… Speaker 1 (2026-04-13 10-02-48)
So all of this in Splunk.
10:15
S… Speaker 1 (2026-04-13 10-02-48)
We're now doing another query for looking for new
10:19
S… Speaker 1 (2026-04-13 10-02-48)
processes that were created
10:21
S… Speaker 1 (2026-04-13 10-02-48)
that match the specific hash that we have for update
10:26
S… Speaker 1 (2026-04-13 10-02-48)
.ps1,
10:26
S… Speaker 1 (2026-04-13 10-02-48)
just the kind of hash in brackets.
10:28
S… Speaker 1 (2026-04-13 10-02-48)
The brackets are not really included.
10:30
S… Speaker 1 (2026-04-13 10-02-48)
That's just a placeholder for this example.
10:33
S… Speaker 1 (2026-04-13 10-02-48)
And then we format that information again into a table to see what computer,
10:38
S… Speaker 1 (2026-04-13 10-02-48)
because we're looking at any computer.
10:40
S… Speaker 1 (2026-04-13 10-02-48)
Because this file may have been downloaded onto multiple
10:44
S… Speaker 1 (2026-04-13 10-02-48)
machines, but it may have been downloaded under different file names.
10:49
S… Speaker 1 (2026-04-13 10-02-48)
This will catch any file name that matches that hash value
10:53
S… Speaker 1 (2026-04-13 10-02-48)
and will show us similar information about how
10:57
S… Speaker 1 (2026-04-13 10-02-48)
it was launched,
10:58
S… Speaker 1 (2026-04-13 10-02-48)
including just some visual verification about what hash value,
11:02
S… Speaker 1 (2026-04-13 10-02-48)
just the visual verification that it matches up.
11:06
S… Speaker 1 (2026-04-13 10-02-48)
And it will include the user information that launched the
11:10
S… Speaker 1 (2026-04-13 10-02-48)
process, assuming that information is available in the log.
11:14
S… Speaker 1 (2026-04-13 10-02-48)
So there's several,
11:15
S… Speaker 1 (2026-04-13 10-02-48)
several different ways you can take this hunt,
11:19
S… Speaker 1 (2026-04-13 10-02-48)
several directions you can take this hunt.
11:21
S… Speaker 1 (2026-04-13 10-02-48)
It all depends on the information you discover.
11:25
S… Speaker 1 (2026-04-13 10-02-48)
Number of best practices to keep in mind
11:29
S… Speaker 1 (2026-04-13 10-02-48)
when you are performing threat hunts in Splunk.
11:33
S… Speaker 1 (2026-04-13 10-02-48)
I've said it probably 10,
11:35
S… Speaker 1 (2026-04-13 10-02-48)
20 times so far.
11:36
S… Speaker 2 (2026-04-13 10-02-48)
I'll say it again.
11:37
S… Speaker 1 (2026-04-13 10-02-48)
Remember your indexes.
11:39
S… Speaker 1 (2026-04-13 10-02-48)
Indexes are critically important.
11:42
S… Speaker 1 (2026-04-13 10-02-48)
Said it many times why they're important.
11:45
S… Speaker 1 (2026-04-13 10-02-48)
If you don't include an index in your query,
11:48
S… Speaker 1 (2026-04-13 10-02-48)
Splunk will only look in the default index,
11:53
S… Speaker 1 (2026-04-13 10-02-48)
and chances are your production data is not in that index.
11:57
S… Speaker 1 (2026-04-13 10-02-48)
So remember to include the index.
11:59
S… Speaker 1 (2026-04-13 10-02-48)
Just by default,
12:01
S… Speaker 1 (2026-04-13 10-02-48)
start your query with index equals,
12:03
S… Speaker 1 (2026-04-13 10-02-48)
and then whatever the name of the index you're looking through is.
12:07
S… Speaker 1 (2026-04-13 10-02-48)
Make sure your time frame is correct on your search query.
12:10
S… Speaker 1 (2026-04-13 10-02-48)
Again, that can be very frustrating to know your query is correct,
12:15
S… Speaker 1 (2026-04-13 10-02-48)
know you have the right information,
12:16
S… Speaker 1 (2026-04-13 10-02-48)
know the information is in the log somewhere,
12:19
S… Speaker 2 (2026-04-13 10-02-48)
and spend,
12:20
S… Speaker 1 (2026-04-13 10-02-48)
you know, 20-30 minutes troubleshooting,
12:22
S… Speaker 1 (2026-04-13 10-02-48)
try to figure out how did you format your query incorrectly to discover you have the wrong
12:26
S… Speaker 1 (2026-04-13 10-02-48)
time frame selected.
12:28
S… Speaker 1 (2026-04-13 10-02-48)
Very frustrating.
12:30
S… Speaker 1 (2026-04-13 10-02-48)
Make sure if you know the source type that you're searching
12:34
S… Speaker 1 (2026-04-13 10-02-48)
for, make sure to include that in the query.
12:37
S… Speaker 1 (2026-04-13 10-02-48)
The purpose of including that and just kind of including
12:42
S… Speaker 1 (2026-04-13 10-02-48)
various bits of information if you know them in that query is just
12:46
S… Speaker 1 (2026-04-13 10-02-48)
to reduce the scope of the search.
12:48
S… Speaker 1 (2026-04-13 10-02-48)
This helps the searches perform faster and helps reduce the performance
12:53
S… Speaker 1 (2026-04-13 10-02-48)
overhead on your Splunk system as well.
12:56
S… Speaker 1 (2026-04-13 10-02-48)
This goes for any fields,
12:58
S… Speaker 1 (2026-04-13 10-02-48)
really.
12:59
S… Speaker 1 (2026-04-13 10-02-48)
Any fields that you might know the information for.
13:03
S… Speaker 1 (2026-04-13 10-02-48)
So, you know,
13:04
S… Speaker 2 (2026-04-13 10-02-48)
example of that,
13:04
S… Speaker 1 (2026-04-13 10-02-48)
if you're searching for PowerShell being executed as a process,
13:08
S… Speaker 1 (2026-04-13 10-02-48)
you would do image equals PowerShell.
13:11
S… Speaker 1 (2026-04-13 10-02-48)
Now, there's wildcards in this.
13:14
S… Speaker 1 (2026-04-13 10-02-48)
The general recommendation is to avoid wildcards
13:18
S… Speaker 1 (2026-04-13 10-02-48)
when you can.
13:19
S… Speaker 1 (2026-04-13 10-02-48)
Use them only when they're needed.
13:21
S… Speaker 1 (2026-04-13 10-02-48)
And there are legitimate times that you do need to use wildcards.
13:25
S… Speaker 1 (2026-04-13 10-02-48)
And the reason you want to narrow all of this down as much
13:29
S… Speaker 1 (2026-04-13 10-02-48)
as possible using specific fields or source
13:33
S… Speaker 1 (2026-04-13 10-02-48)
types and limiting your wildcard usage is for performance
13:37
S… Speaker 1 (2026-04-13 10-02-48)
reasons and just reducing the amount of time it takes to perform
13:42
S… Speaker 1 (2026-04-13 10-02-48)
a search,
13:43
S… Speaker 1 (2026-04-13 10-02-48)
the more information you're trying to search for.
13:46
S… Speaker 1 (2026-04-13 10-02-48)
So say you are looking for PowerShell being executed.
13:50
S… Speaker 1 (2026-04-13 10-02-48)
You could omit the field name of image equals there and
13:54
S… Speaker 1 (2026-04-13 10-02-48)
just search for PowerShell with the wildcards.
13:57
S… Speaker 2 (2026-04-13 10-02-48)
But you,
13:58
S… Speaker 2 (2026-04-13 10-02-48)
in that case,
13:59
S… Speaker 1 (2026-04-13 10-02-48)
are searching through every field in the logs in
14:03
S… Speaker 1 (2026-04-13 10-02-48)
that index, not just the image field.
14:06
S… Speaker 2 (2026-04-13 10-02-48)
Now,
14:06
S… Speaker 1 (2026-04-13 10-02-48)
with a couple of thousand logs in our lab environment,
14:10
S… Speaker 1 (2026-04-13 10-02-48)
you're not going to notice any kind of performance hit.
14:12
S… Speaker 1 (2026-04-13 10-02-48)
You're not going to notice that the search takes longer.
14:14
S… Speaker 1 (2026-04-13 10-02-48)
You're not going to notice anything like that.
14:16
S… Speaker 1 (2026-04-13 10-02-48)
But when you're searching through hundreds of thousands,
14:19
S… Speaker 1 (2026-04-13 10-02-48)
millions of events in an enterprise environment,
14:22
S… Speaker 1 (2026-04-13 10-02-48)
you will notice that your searches will take longer and your
14:26
S… Speaker 1 (2026-04-13 10-02-48)
Splunk server will have degraded performance because you are doing unnecessary
14:31
S… Speaker 1 (2026-04-13 10-02-48)
searches.
14:32
S… Speaker 1 (2026-04-13 10-02-48)
You are searching through unnecessary fields.
14:35
S… Speaker 1 (2026-04-13 10-02-48)
So try to narrow down your searches as much as
14:39
S… Speaker 1 (2026-04-13 10-02-48)
possible when you're executing these queries,
14:43
S… Speaker 1 (2026-04-13 10-02-48)
just to get better results from your system and
14:47
S… Speaker 1 (2026-04-13 10-02-48)
get better information out of your logs.
14:59
S… Speaker 1 (2026-04-13 10-02-48)
In this video, we're going to start exploring the ELK stack,
15:04
S… Speaker 1 (2026-04-13 10-02-48)
what it is and how it can be used in threat hunting.
15:07
S… Speaker 1 (2026-04-13 10-02-48)
So first of all,
15:09
S… Speaker 1 (2026-04-13 10-02-48)
what is ELK?
15:11
S… Speaker 1 (2026-04-13 10-02-48)
ELK consists of primarily three different
15:15
S… Speaker 1 (2026-04-13 10-02-48)
components that are working together to make up what's known as the ELK
15:19
S… Speaker 1 (2026-04-13 10-02-48)
stack, or sometimes also called the elastic stack.
15:23
S… Speaker 1 (2026-04-13 10-02-48)
The first component of it,
15:24
S… Speaker 2 (2026-04-13 10-02-48)
the E,
15:25
S… Speaker 1 (2026-04-13 10-02-48)
is Elasticsearch.
