2026-04-13 10-02-48
May 25, 2026 14:58
· 15:31
· English
· Whisper Turbo
· 4 speakers
0:06 Speaker 2: In this video,
0:07 Speaker 1: we're going to walk through a short kind of hypothetical threat
0:11 Speaker 1: hunt just to look at the threat hunting process in Splunk
0:16 Speaker 1: from a more theoretical view,
0:18 Speaker 1: including, you know,
0:19 Speaker 1: what kind of queries you can do when pivoting and things like
0:23 Speaker 1: that. So let's put everything together.
0:25 Speaker 3: Remember,
0:26 Speaker 1: threat hunting is a proactive activity.
0:30 Speaker 4: You're not
0:31 Speaker 1: necessarily waiting for an alert or a notification
0:35 Speaker 1: before you start doing threat hunting.
0:38 Speaker 1: Now, alerts and notifications,
0:40 Speaker 1: those can serve as triggers for,
0:44 Speaker 1: you know,
0:45 Speaker 1: potentially starting a threat hunt depending on where you are with your current
0:49 Speaker 1: process,
0:50 Speaker 1: or they can be used as additional information in an ongoing threat
0:54 Speaker 1: hunt,
0:54 Speaker 1: or they can help with hypothesis creation for a new threat hunt
0:59 Speaker 1: or anything like that.
1:00 Speaker 1: But threat hunting does not rely on those entirely.
1:04 Speaker 1: Your threat hunts should always be hypothesis-driven.
1:09 Speaker 1: Your queries should always be driven by the hypothesis
1:13 Speaker 1: as well.
1:14 Speaker 1: They should be in line with that specific hunt.
1:17 Speaker 1: You shouldn't perform threat hunts by just throwing out random
1:21 Speaker 1: queries and seeing what kind of results you get.
1:24 Speaker 1: Most of the time.
1:25 Speaker 1: Sometimes your threat hunt may be like that,
1:29 Speaker 1: but that is extremely rare and that would be a very,
1:32 Speaker 1: very broad hypothesis.
1:33 Speaker 1: So 99% of the time you're not going to rely on random
1:38 Speaker 1: queries.
1:38 Speaker 1: They're going to be carefully crafted and they're going to be in line with the hypothesis.
1:44 Speaker 1: When you're using, or some of the reasons to use
1:48 Speaker 1: Splunk in threat hunts or really just any sort of platform like
1:53 Speaker 3: Splunk,
1:53 Speaker 1: it gives you that visibility.
1:55 Speaker 1: It gives you that centralized location for all of your logs.
1:59 Speaker 1: It gives you the historical information going back really just
2:03 Speaker 1: as far as your log retention goes.
2:05 Speaker 1: And it gives you the ease of performing those hunts.
2:09 Speaker 1: It also lets you easily pivot
2:13 Speaker 1: to new areas of the search or of the hunt in
2:17 Speaker 1: new directions based on the data you have.
2:19 Speaker 1: It lets you aggregate all the data together,
2:22 Speaker 1: and it lets you,
2:24 Speaker 1: like we've seen in other videos in this course,
2:26 Speaker 1: it lets you visualize the results of your queries to
2:31 Speaker 1: more quickly be able to analyze and understand
2:35 Speaker 1: the information that's in those logs.
2:38 Speaker 1: One of the best ways to do that in Splunk during a threat hunt is with tables.
2:43 Speaker 1: There are many other forms of visualizations in Splunk,
2:46 Speaker 1: but for threat hunting,
2:48 Speaker 1: one of the most useful ones is tables.
2:51 Speaker 1: We've got all that information.
2:53 Speaker 1: Let's take a look at a hypothetical scenario here.
2:56 Speaker 1: So in this scenario,
2:57 Speaker 1: in this threat hunt,
2:58 Speaker 1: we're going to kind of walk through an attacker has been using PowerShell
3:03 Speaker 1: to download some sort of malicious payload using
3:07 Speaker 1: obfuscated or encoded commands.
3:10 Speaker 1: So we're going to just kind of step through a few different
3:14 Speaker 1: queries that can be used to start the hunt and then a few different ways that
3:18 Speaker 1: we can pivot
3:20 Speaker 1: with additional queries.
3:21 Speaker 1: So let's take a look at those.
3:24 Speaker 1: So.
3:25 Speaker 1: When we're starting our hunt,
3:27 Speaker 1: the actual hunting activity itself,
3:29 Speaker 1: we're going to look at three different steps.
3:32 Speaker 1: The first one is going to be figuring out which logs are
3:36 Speaker 1: relevant to our specific threat hunt.
3:40 Speaker 2: So in this case,
3:41 Speaker 1: we're looking at commands that were executed via PowerShell
3:46 Speaker 1: and looking at downloaded files specifically that
3:50 Speaker 1: were done with some sort of encoded PowerShell command.
3:53 Speaker 2: So in our case,
3:54 Speaker 1: we're going to want information from the Windows event logs,
3:57 Speaker 1: specifically PowerShell information.
3:59 Speaker 1: We're going to potentially want information from the Sysmon logs,
4:03 Speaker 1: including launched processes,
4:05 Speaker 1: because that will give us more information than the native Windows
4:09 Speaker 1: event logs.
4:10 Speaker 1: And we could potentially even look at network data in this hunt,
4:14 Speaker 1: depending on what direction we want to take it.
4:17 Speaker 1: There's many different ways you can start this type of threat hunt.
4:22 Speaker 2: So in this step,
4:23 Speaker 1: we're going to,
4:24 Speaker 1: in this case, we're going to take step two and we're going to execute,
4:28 Speaker 1: we're going to craft and build our initial queries.
4:31 Speaker 1: Remember,
4:32 Speaker 1: and I keep saying this over and over,
4:34 Speaker 1: use the correct index.
4:36 Speaker 1: Make sure you're specifying the index or indexes that
4:40 Speaker 1: you need or that the logs are in so that you get the correct
4:45 Speaker 1: and appropriate information for your threat hunt.
4:48 Speaker 2: So in this case,
4:49 Speaker 1: we can do a query that starts off looking at the Sysmon
4:53 Speaker 1: index.
4:54 Speaker 1: We're looking specifically at event code 1,
4:57 Speaker 1: which is a new process creation.
5:00 Speaker 1: We are looking at that process to have PowerShell in the name
5:04 Speaker 1: somewhere, so this would match PowerShell.exe because we
5:08 Speaker 1: have the asterisk in there for that wildcard.
5:11 Speaker 1: And we're also looking as part of the command line that was entered
5:15 Speaker 1: in there for the letters enc for encoded.
5:19 Speaker 1: We are looking for that somewhere in that command line.
5:23 Speaker 1: Now, there's many different ways you can carry out this initial query.
5:27 Speaker 1: This is just one potential way that it could be
5:31 Speaker 1: done.
5:32 Speaker 1: And then,
5:33 Speaker 1: based on the results,
5:34 Speaker 1: we take a look at those and figure out,
5:37 Speaker 1: well, what comes next.
5:39 Speaker 1: Maybe we did discover commands,
5:41 Speaker 1: and then we need to then decode whatever the commands were
5:45 Speaker 1: in that PowerShell.
5:47 Speaker 1: Did we discover that malware was downloaded?
5:50 Speaker 1: If it was,
5:51 Speaker 1: was it run?
5:52 Speaker 1: Do we have a hash available for that information if we have
5:56 Speaker 1: the correct logging?
5:57 Speaker 1: If we do have a hash available,
5:59 Speaker 1: is this some sort of known malware?
6:01 Speaker 1: Have other organizations seen it?
6:03 Speaker 1: There's many next directions we can go here.
6:06 Speaker 1: Pivot as necessary.
6:08 Speaker 1: That's our third step in kind of our initial phase of our threat
6:12 Speaker 1: hunt.
6:13 Speaker 1: So I mentioned that was just one way we can start that query,
6:17 Speaker 1: or start that hunt,
6:19 Speaker 1: one query we can use to start that hunt.
6:21 Speaker 1: So let's say that we did that query,
6:24 Speaker 1: and we discovered an encoded command that was executed
6:28 Speaker 1: with PowerShell.
6:29 Speaker 1: We decode that,
6:30 Speaker 1: and we see that the file of update.ps1
6:35 Speaker 1: was downloaded.
6:36 Speaker 1: Our next step should be to search and
6:40 Speaker 1: see if it was executed.
6:42 Speaker 1: So this is essentially the same query as before,
6:45 Speaker 1: except this time we are looking in the command line to look for the file
6:49 Speaker 1: name run via PowerShell of update.ps1,
6:53 Speaker 1: the file that was downloaded.
6:55 Speaker 2: Again,
6:56 Speaker 1: there are many,
6:57 Speaker 1: many different ways to kind of
7:01 Speaker 1: build this query.
7:02 Speaker 1: This is just one option.
7:03 Speaker 2: Now,
7:04 Speaker 1: say you don't have Sysmon, because you can see with the event code equals one,
7:09 Speaker 1: that is also the name of the index.
7:12 Speaker 1: Strong indication that we're using Sysmon event IDs
7:16 Speaker 1: here because one equals process creation.
7:21 Speaker 1: So say you don't have Sysmon,
7:23 Speaker 1: you can use the Windows event log.
7:25 Speaker 1: So we can change up a query and do the win event log index.
7:29 Speaker 1: And these, again,
7:29 Speaker 1: are hypothetical indexes.
7:31 Speaker 1: Production environments will have completely different named indexes more than likely.
7:36 Speaker 1: But we can look for event ID or event code,
7:38 Speaker 1: as it's listed in the logs,
7:39 Speaker 1: of 4688,
7:41 Speaker 1: which is the Windows event ID for a new process being created.
7:45 Speaker 2: Now,
7:46 Speaker 1: this isn't going to give you nearly as much information as Sysmon will,
7:50 Speaker 1: but it will still give you information about whether or not it was
7:54 Speaker 1: actually created.
7:55 Speaker 1: Get the rest of that query up on the screen.
7:58 Speaker 1: We're looking here for the process name having PowerShell in it.
8:02 Speaker 1: This is the equivalent to saying image equals in the Sysmon logs.
8:06 Speaker 1: And then the command line,
8:07 Speaker 1: except this time it's got an underscore in it,
8:09 Speaker 1: we are looking to see if update.ps1 was executed.
8:14 Speaker 1: Again, this is just one specific way we're
8:18 Speaker 1: looking at this.
8:20 Speaker 1: So let's say that if we do find evidence
8:24 Speaker 1: that this update.ps1 was executed,
8:27 Speaker 1: assuming we're looking at Sysmon logs,
8:29 Speaker 1: then we probably have a file hash for it.
8:32 Speaker 1: We can search other systems.
8:35 Speaker 1: We can look at internet resources like VirusTotal
8:39 Speaker 1: for that hash to see if other organizations or other individuals have
8:43 Speaker 1: seen this.
8:44 Speaker 1: Is this a known script so we can get more information potentially about what it
8:48 Speaker 1: does?
8:48 Speaker 1: Things like that.
8:50 Speaker 1: So we can also kind of reformat this a little bit to
8:55 Speaker 1: instead of just showing us the results,
8:59 Speaker 1: we can format those results in a table.
9:01 Speaker 1: So again,
9:02 Speaker 1: we're still looking for update.ps1 being run.
9:06 Speaker 1: In this case,
9:07 Speaker 1: we have omitted the specific image we're looking for,
9:10 Speaker 1: but we're formatting the results in a table.
9:13 Speaker 1: So we're looking to see what computer was this file executed on?
9:17 Speaker 1: What was the process
9:20 Speaker 1: that actually executed it? What was the full command line that was used
9:24 Speaker 1: and what hashes were returned? Now, depending
9:28 Speaker 1: again on how this search is carried out, this
9:32 Speaker 1: one, depending on the image that was actually run, this
9:37 Speaker 1: may give you the hashes of that image. So you may get, if PowerShell
9:41 Speaker 1: was the process name, or a process that was launched,
9:45 Speaker 1: then chances are you might get hashes of the PowerShell executable.
9:49 Speaker 1: It just depends on what's in the logs and how you format
9:53 Speaker 1: it.
9:54 Speaker 1: Let's say we do have the hash information for
9:58 Speaker 1: update.ps.
10:00 Speaker 1: The next query we can do is to see
10:04 Speaker 1: if there were any other computers where that hash
10:08 Speaker 1: or where a process was launched that matches that
10:12 Speaker 2: hash.
10:13 Speaker 1: So all of this in Splunk.
10:15 Speaker 1: We're now doing another query for looking for new
10:19 Speaker 1: processes that were created
10:21 Speaker 1: that match the specific hash that we have for update
10:26 Speaker 1: .ps1,
10:26 Speaker 1: just the kind of hash in brackets.
10:28 Speaker 1: The brackets are not really included.
10:30 Speaker 1: That's just a placeholder for this example.
10:33 Speaker 1: And then we format that information again into a table to see what computer,
10:38 Speaker 1: because we're looking at any computer.
10:40 Speaker 1: Because this file may have been downloaded onto multiple
10:44 Speaker 1: machines, but it may have been downloaded under different file names.
10:49 Speaker 1: This will catch any file name that matches that hash value
10:53 Speaker 1: and will show us similar information about how
10:57 Speaker 1: it was launched,
10:58 Speaker 1: including just some visual verification about what hash value,
11:02 Speaker 1: just the visual verification that it matches up.
11:06 Speaker 1: And it will include the user information that launched the
11:10 Speaker 1: process, assuming that information is available in the log.
11:14 Speaker 1: So there's several,
11:15 Speaker 1: several different ways you can take this hunt,
11:19 Speaker 1: several directions you can take this hunt.
11:21 Speaker 1: It all depends on the information you discover.
11:25 Speaker 1: Number of best practices to keep in mind
11:29 Speaker 1: when you are performing threat hunts in Splunk.
11:33 Speaker 1: I've said it probably 10,
11:35 Speaker 1: 20 times so far.
11:36 Speaker 2: I'll say it again.
11:37 Speaker 1: Remember your indexes.
11:39 Speaker 1: Indexes are critically important.
11:42 Speaker 1: Said it many times why they're important.
11:45 Speaker 1: If you don't include an index in your query,
11:48 Speaker 1: Splunk will only look in the default index,
11:53 Speaker 1: and chances are your production data is not in that index.
11:57 Speaker 1: So remember to include the index.
11:59 Speaker 1: Just by default,
12:01 Speaker 1: start your query with index equals,
12:03 Speaker 1: and then whatever the name of the index you're looking through is.
12:07 Speaker 1: Make sure your time frame is correct on your search query.
12:10 Speaker 1: Again, that can be very frustrating to know your query is correct,
12:15 Speaker 1: know you have the right information,
12:16 Speaker 1: know the information is in the log somewhere,
12:19 Speaker 2: and spend,
12:20 Speaker 1: you know, 20-30 minutes troubleshooting,
12:22 Speaker 1: trying to figure out how you formatted your query incorrectly, to discover you have the wrong
12:26 Speaker 1: time frame selected.
12:28 Speaker 1: Very frustrating.
12:30 Speaker 1: Make sure if you know the source type that you're searching
12:34 Speaker 1: for, make sure to include that in the query.
12:37 Speaker 1: The purpose of including that and just kind of including
12:42 Speaker 1: various bits of information if you know them in that query is just
12:46 Speaker 1: to reduce the scope of the search.
12:48 Speaker 1: This helps the searches perform faster and helps reduce the performance
12:53 Speaker 1: overhead on your Splunk system as well.
12:56 Speaker 1: This goes for any fields,
12:58 Speaker 1: really.
12:59 Speaker 1: Any fields that you might know the information for.
13:03 Speaker 1: So, you know,
13:04 Speaker 2: example of that,
13:04 Speaker 1: if you're searching for PowerShell being executed as a process,
13:08 Speaker 1: you would do image equals PowerShell.
13:11 Speaker 1: Now, there's wildcards in this.
13:14 Speaker 1: The general recommendation is to avoid wildcards
13:18 Speaker 1: when you can.
13:19 Speaker 1: Use them only when they're needed.
13:21 Speaker 1: And there are legitimate times that you do need to use wildcards.
13:25 Speaker 1: And the reason you want to narrow all of this down as much
13:29 Speaker 1: as possible using specific fields or source
13:33 Speaker 1: types and limiting your wildcard usage is for performance
13:37 Speaker 1: reasons and just reducing the amount of time it takes to perform
13:42 Speaker 1: a search,
13:43 Speaker 1: the more information you're trying to search for.
13:46 Speaker 1: So say you are looking for PowerShell being executed.
13:50 Speaker 1: You could omit the field name of image equals there and
13:54 Speaker 1: just search for PowerShell with the wildcards.
13:57 Speaker 2: But you,
13:58 Speaker 2: in that case,
13:59 Speaker 1: are searching through every field in the logs in
14:03 Speaker 1: that index, not just the image field.
14:06 Speaker 2: Now,
14:06 Speaker 1: with a couple of thousand logs in our lab environment,
14:10 Speaker 1: you're not going to notice any kind of performance hit.
14:12 Speaker 1: You're not going to notice that the search takes longer.
14:14 Speaker 1: You're not going to notice anything like that.
14:16 Speaker 1: But when you're searching through hundreds of thousands,
14:19 Speaker 1: millions of events in an enterprise environment,
14:22 Speaker 1: you will notice that your searches will take longer and your
14:26 Speaker 1: Splunk server will have degraded performance because you are doing unnecessary
14:31 Speaker 1: searches.
14:32 Speaker 1: You are searching through unnecessary fields.
14:35 Speaker 1: So try to narrow down your searches as much as
14:39 Speaker 1: possible when you're executing these queries,
14:43 Speaker 1: just to get better results from your system and
14:47 Speaker 1: get better information out of your logs.
14:59 Speaker 1: In this video, we're going to start exploring the ELK stack,
15:04 Speaker 1: what it is and how it can be used in threat hunting.
15:07 Speaker 1: So first of all,
15:09 Speaker 1: what is ELK?
15:11 Speaker 1: ELK consists of primarily three different
15:15 Speaker 1: components that are working together to make up what's known as the ELK
15:19 Speaker 1: stack, or sometimes also called the Elastic Stack.
15:23 Speaker 1: The first component of it,
15:24 Speaker 2: the E,
15:25 Speaker 1: is Elasticsearch.
This transcript was generated by AI (automatic speech recognition). It may contain errors; check the original audio for critical use.