(English (Auto-Generated) ) Tutorial - QRadar CE SIEM - Installation and Configuration (Complete Steps) (DownSub - Com)

The document provides steps to install and configure IBM QRadar SIEM. It begins by downloading the QRadar Community Edition from the IBM website. It then extracts the downloaded file and imports the virtual machine file into VMware Workstation. It powers on the virtual machine, changes the password, and runs the setup file to complete the QRadar installation.

Uploaded by Lionel Lopez

In this session I'm going to show you the steps to install and configure the IBM QRadar SIEM, the security information and event management system. So without further ado, let's get started.

Let's visit this website, developer.ibm.com/qradar/ce. This is the link, and here we can find the link to download QRadar Community Edition version 7.3.3, which is the latest edition at the moment. And what is QRadar Community Edition? It is a fully featured free version of the famous QRadar that is low in memory, low in EPS, and also includes a perpetual license. This version is specifically released for the public to encourage users, students, security professionals and application developers to learn and experience the latest features of QRadar 7.3.3. There's no expiration or time limit, and this version is limited to 50 events per second and 5,000 network flows a minute.

So it's good enough for us to experience what I would call the open source or community edition of a SIEM, security information and event management, like the other tools such as AlienVault OSSIM or Wazuh or any other similar tools.

Step number one: we need to download QRadar Community Edition. In this case I'm going to download it with what we call an internet download manager, so it's going to take a while; but to speed up this video tutorial I have previously prepared the downloaded QRadar Community Edition. So let's have a look: I have a folder called QRadar, and I have downloaded QRadarCE733GA_v_0.tar. This is the compressed format, so what I need to do, provided that I've already downloaded it from the website I've shown you, is to right-click and extract this archive with 7-Zip (I'm using 7-Zip). Extract, and in the same directory it will automatically create a new directory or folder to hold the extracted files. It's going to take a while to extract all the files from the tar archive.

Okay, so I would expect that we have the files extracted. Let's have a look at the folder. Notice that there's a folder called QRadarCE733GA, and when you double-click it you will see the same as what I have here: we have several files, like the OVF file, which stands for Open Virtualization Format, where you can actually package all the files of the VM in a single folder. This is a default file format used by many virtualization products such as VMware, VirtualBox and others.

Notice that we have several files, and the next thing to do is to right-click on the OVF file, the Open Virtualization Format, and select Open With. You can select whether you want to open it with, for example, VirtualBox Manager, VMware Player or even VMware Workstation. In my case I am running VMware Workstation version 15, so I'm going to use this as my default program to open the OVF file. Let's click this one, and in a few seconds you'll see the Import Virtual Machine dialog. When you right-click and open with VMware, it will pop up with the prompts you need: enter the new virtual machine name, so you'll be able to import this VM. I will put "QCE Jan 2020". After that I could just create a folder somewhere here in my VM directory, so I'll put this into "QCE Jan", which I've created. Of course you can delete this and create whatever new folder you want to use; you can just go to any folder that you want to be used to hold the extracted files. So let's keep putting "QCE Jan 2020" for this one, just to make sure that it will be used to hold the extracted files, and select Import. It's going to take a while to import this virtual machine, so I'm going to pause the video for a while until the import process is completed. Okay, hang on for a while.

Back to the VM. The importing process took about ten minutes and now I am at this screen. Let's do a quick review of the virtual machine settings; what you need to check is the default settings used by the VM. According to the website we need to make sure that we meet the requirements, such as memory of 8 GB or 10 GB and application disk space of 250 GB. Okay, let me repeat: the memory minimum requirement is 8 GB, or 10 GB for best performance; disk space 250 GB; CPU 2 cores minimum, or 6 cores recommended to speed up processing; and then one network adapter with access to the Internet, static public and private IP addresses are required for QRadar Community Edition, and the assigned hostname must be a fully qualified domain name.

After reviewing the minimum requirements we of course need to make some slight changes, on the memory for instance. Let's increase the memory to 8 GB as per the recommended requirements, and then for the processor let's increase it to 4 processors, because by default it was set to number of processors 2 and number of cores per processor 1. Then you might also want to enable Virtualize Intel VT-x/EPT or AMD-V/RVI, which would also help you increase the performance of your VM.

The next thing to do, once we are done with the changes on the virtual machine settings, is to power on this virtual machine. It's quick: you just need to press Enter and select the first option.

Okay, and we got into the login prompt. By default you can use the login that was previously set, and it will automatically ask you to change the password. So just use root at the default localhost login, and now you will see that you are required to change your password immediately (enforced for root). You can put a new password; the new password should be complex, so you can put something like... okay, you can put any password you like.
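The requirements read out above (8 GB memory minimum, 2 cores minimum, 250 GB of disk, and a fully qualified hostname rather than the default localhost) are easy to get wrong on an imported OVA, so here is a small pre-flight check to run inside the VM once you are logged in as root. This is an added example, not IBM's code or the tutorial's; it relies on standard CentOS 7 tools (/proc/meminfo, nproc, df, hostname -f), and the "disk" figure is the sum of the local filesystem sizes, which is an approximation of the 250 GB the website asks for.

```shell
#!/bin/sh
# Added pre-flight check for a QRadar CE 7.3.3 VM (example, not IBM's code).
# Thresholds are the ones from the tutorial: 8 GB RAM minimum (10 GB
# recommended), 2 cores minimum (6 recommended), 250 GB disk, and a fully
# qualified hostname.  Run inside the VM as root:   sh preflight.sh run

MIN_MEM_GB=8;  REC_MEM_GB=10
MIN_CPU=2;     REC_CPU=6
MIN_DISK_GB=250

# meets_min VALUE MIN -> exit 0 when VALUE >= MIN (integer compare)
meets_min() {
    [ "$1" -ge "$2" ]
}

# is_fqdn NAME -> exit 0 when NAME contains a dot, has no spaces and is not
# the "localhost" name the appliance boots with
is_fqdn() {
    case "$1" in
        ""|localhost|localhost.*|*" "*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# grade VALUE MIN REC LABEL -> prints FAIL (below minimum, exit 1),
# WARN (below recommended) or OK
grade() {
    if ! meets_min "$1" "$2"; then
        printf 'FAIL  %s: %s (minimum %s)\n' "$4" "$1" "$2"
        return 1
    elif ! meets_min "$1" "$3"; then
        printf 'WARN  %s: %s (recommended %s)\n' "$4" "$1" "$3"
    else
        printf 'OK    %s: %s\n' "$4" "$1"
    fi
}

main() {
    rc=0
    mem_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
    mem_gb=$(( (mem_kb + 524288) / 1048576 ))      # round to nearest GB
    cpus=$(nproc)
    # sum of local filesystem sizes in GB (tmpfs/devtmpfs excluded)
    disk_gb=$(df -BG -x tmpfs -x devtmpfs --output=size 2>/dev/null \
              | awk 'NR>1 {sub("G","",$1); s+=$1} END {print s+0}')
    host=$(hostname -f 2>/dev/null || hostname)

    grade "$mem_gb"  "$MIN_MEM_GB"  "$REC_MEM_GB"  "memory GB"    || rc=1
    grade "$cpus"    "$MIN_CPU"     "$REC_CPU"     "CPU cores"    || rc=1
    grade "$disk_gb" "$MIN_DISK_GB" "$MIN_DISK_GB" "local disk GB" || rc=1
    if is_fqdn "$host"; then
        printf 'OK    hostname: %s\n' "$host"
    else
        printf 'FAIL  hostname: %s is not a fully qualified domain name\n' "$host"
        rc=1
    fi
    return $rc
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it before ./setup; a FAIL on the hostname line means the VM still answers to localhost, which is the one requirement that is not fixed by the VMware settings dialog.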


The next thing to do is to actually run the setup. To run the setup you can just type ls to see what is inside. To make it easier for you to see the progress, I would personally recommend you use a terminal tool to connect to this host, so I'm going to check the IP address. The command is not ifconfig; we normally use ifconfig, but the command is not that one, because for CentOS version 7, the latest version of the CentOS Linux operating system, we need to use the ip address command, or just type ip a, which also works. Notice that I have the internet address of 192.168.0.0, the default IP address; remember that.

I forgot to mention that when you go to the settings you can check the network adapter. By default I'm using bridged; it was the default setting that was set by the configuration file that you extracted, the Open Virtualization Format. So we got this setting, the network adapter was set to bridged, meaning that your virtual machine will connect directly to the physical network; so if you have wireless, you'll get the IP address from your wireless access point. So that's my IP, 1.2; it could be 1.10 or something like that, right.

Now let me open Explorer and show you how to use the tool called PuTTY; run it as admin. Because you know the IP address and you know the password, you just type 192.168.1.2 and Open, and just select Yes; you'll see the terminal window, so your PuTTY session is running. The next step is to make some changes, like for example the appearance. This is not really important, but if you'd like a better font and size, later on when you want to type something it will be much clearer. Let's log in to this QCE, the QRadar Community Edition, by typing root and of course the password that you previously set. Now that you're inside the VM, the QRadar Community Edition, the next thing to do is to look at the files by typing ls.

Now we found a setup file; let's have a look at it. The setup is actually a hard link pointing to /opt/ibm/cloud... something. So let's run the setup: just type ./setup. This is actually the second step, or it's supposed to be the third step: once you have downloaded the OVA, the ready-made virtual machine, the next step is to extract and import the OVF or OVA file, the virtual machine file; and then, once you have successfully logged on and of course changed the password, the third step is to run the setup. This setup will install QRadar completely. Just run the QRadar setup; it'll prompt you with this, and it says blah blah blah, please press Enter to accept these terms. Press Enter; you have to scroll down to read everything, you can use Page Down, then press Q to quit and press Enter to accept again. It will automatically run this one and be about to install QRadar Community Edition; to continue, press yes or Y to proceed, and that's it. All you need to do is just sit back and relax and wait for the installation to finish. So hang on for a while; I'm going to get back to you once the installation is done.

Let's get back to our installation.

Here we are prompted with "installation completed successfully", and you need to enter a password for the admin user. This is used to log in to the QRadar user interface. So all you need to do is set the admin password: the username will be admin and the password will be the new password that you are setting up now. Confirm the password, and if both passwords match it will tell you the admin password has been changed.

The next step is to check the services. One of the services is Tomcat; QRadar is utilizing Tomcat, so let's check the status to see if Tomcat is already running correctly. What you need to do is just type systemctl status tomcat, and it looks nice: Tomcat is running correctly, you can see "active (running)".

Now you can launch the user interface. I'm going to use a different browser, perhaps Firefox, to launch my QRadar user interface: just type 192.168.1.2, which is the IP address; if you forgot it, you just need to type ip a and this is our IP. I forgot to put the https, because the default one was https. You will see the prompt "Warning: Potential Security Risk Ahead", so just select Advanced, scroll down and select Accept the Risk and Continue, and this is what you will see: IBM QRadar Security Intelligence Community Edition. Try to log in using admin and the password you set up in the previous screen; you can save the password for easy access. Scroll down and read the license agreement, select Accept, and just wait for a while; you will see the applications loading. Meanwhile let's check several things here. We don't have anything here yet; this is the main screen of your IBM QRadar Security Intelligence Community Edition. Of course you can adjust the screen to your preference.

Now the next step, once we're done with the installation: I believe we need to do the installation of the DSM. With that, let me get back to you; just give me a minute.

Our next step, once we're done with our download and install and of course the pre-configured settings applied by the script, is to add the data sources. For this we will need to add the Device Support Module, or DSM, that receives events for parsing and normalizing to a standard taxonomy format. Just for your info, not too many DSM modules (device support modules) are installed in our community edition, so you can check the pre-installed DSMs in the documentation. What you need to do is find the list and install the required DSMs by looking at the list, and this is what I'm going to do. I'll be opening "Getting events from sources that are not supported by the default installation". First we need to mount the QRadar Community Edition media, so just copy this, and I'm going back to my console connected from PuTTY. Right-click to paste, and you see sudo mount -o loop followed by the IBM .iso file (just press Tab to autocomplete it), and then we need to mount this to /media/cdrom. Okay, /media/cdrom is already mounted now.

Next we need to go to the media; just copy this. By the way, you can download this QRadar Community Edition installation guide, or the overview, from the same website, which is this one; you can just click on "Get DSM configuration guide" and you can get a lot of documentation PDFs that you can download to help you complete your QRadar. So I'm going to copy and paste this, and you can just type ls to see the DSMs; a lot of DSMs, like Oracle, are listed. Let me check if I can install the Microsoft Windows Event DSM, since this is what I need. Sorry, it's supposed to be this one: DSM-Microsoft... Microsoft Windows. To install it you need to run yum -y install and the RPM name, so let's just type yum -y install DSM-Microsoft, then Windows; just press Tab to autocomplete it, and I think that's it. You just need to install it. Okay, it says a plugin message, blah blah, "this system is not registered with an entitlement server". So let's look at ls just to show you something: ls DSM*, so we got Microsoft from here: Microsoft Azure, DHCP Server, Operations Manager, Microsoft Windows. This is actually the correct one. One thing: let's just try again, yum -y install, and it says something about the installed package; never mind.

This is just to show you how to install any supported module. You can also check for Nessus, for example: ls DSM-Nessus*, oops, we got no Nessus; or maybe Snort: we got so close, but no Snort. Anyway this is optional. If you want to get in touch with the DSMs, please do some reading of the guide. Once we're done with this one, then we can connect and configure some other things here.
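The two stumbles above (typing the RPM name by hand, and finding out only after a failed yum that there is no Nessus or Snort DSM on the media) are what a short lookup script avoids. This is an added example, not IBM's code or the tutorial's: it lists the DSM-*.rpm files on the mounted media that match a name, installs them with the same yum -y install the tutorial uses, and reports the ones that are simply not there. DSM_DIR defaults to /media/cdrom, the mount point from the tutorial, and is an assumption; override it if the RPMs live in a subdirectory of the media.

```shell
#!/bin/sh
# Added example (not IBM's code): find DSM RPMs on the mounted QRadar CE
# media and install the ones that are present, reporting the ones that
# are not, instead of guessing RPM names at the prompt.
#   usage:  DSM_DIR=/media/cdrom sh dsm.sh run MicrosoftWindows Nessus Snort
DSM_DIR="${DSM_DIR:-/media/cdrom}"     # assumed location of the DSM-*.rpm files

# find_dsm_rpms DIR NAME -> prints matching DSM RPM paths, one per line.
# NAME is a substring after the "DSM-" prefix: "Microsoft" lists every
# Microsoft DSM, "MicrosoftWindows" narrows it to the Windows one.
find_dsm_rpms() {
    dir=$1; name=$2
    for f in "$dir"/DSM-*"$name"*.rpm; do
        [ -e "$f" ] && printf '%s\n' "$f"    # skip the unexpanded pattern
    done
    return 0
}

# count_dsm_rpms DIR NAME -> number of matching RPMs
count_dsm_rpms() {
    find_dsm_rpms "$1" "$2" | wc -l | tr -d ' '
}

# install_dsm NAME -> yum -y install every match; exit 1 when nothing matches
install_dsm() {
    n=$(count_dsm_rpms "$DSM_DIR" "$1")
    if [ "$n" -eq 0 ]; then
        echo "no DSM matching '$1' on $DSM_DIR; check the DSM configuration guide"
        return 1
    fi
    find_dsm_rpms "$DSM_DIR" "$1" | while read -r rpm; do
        echo "installing $rpm"
        yum -y install "$rpm"
    done
}

if [ "${1:-}" = "run" ]; then
    shift
    rc=0
    for name in "$@"; do install_dsm "$name" || rc=1; done
    exit $rc
fi
```

The exit status tells you whether every requested DSM was found, which is the check you want before moving on to WinCollect: a log source whose DSM is missing will still accept events, but they arrive unparsed.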

The next thing to do is to install WinCollect. WinCollect is an agent that will be installed on the Windows machine, so therefore we need to do it in two different locations. The first thing to do is to install the WinCollect server component on the appliance, on this particular QRadar console. So we can go to Admin and check whether WinCollect has already been installed or not: go to System Configuration, Data Sources, I think; go to Data Sources, and we don't see any WinCollect here. So what we need to do to add a data source is by adding WinCollect. For that I'll be using WinSCP, because you can use WinSCP to quickly copy and paste files from and to the next machine over SFTP (WinSCP, not FTP, sorry). I'm going to use this to assist me in copying the file or files from my Windows machine to my QRadar CE. I'll connect to 192.168.1.2, which is the QRadar, then just click OK. I forgot to mention: put the username and password, so 192.168.1.2, username root, and the password is the password that I set earlier. Click Yes to accept the key without adding the key. Now we are here.

If you want to go for the WinCollect installation, let's have a look at the WinCollect installation instructions here. We need to download WinCollect from the support site; you can just use Google to find the WinCollect agent SFS bundle installation. We need to create /media/updates, so let me create it: mkdir /media/updates (sorry, supposed to be here, this is mine), and I also need to create /store/tmp; oops, sorry, /store/tmp looks like it already exists. Now I need to copy the file; this is the latest version of the SFS file that I have downloaded. Again, let me show you: this is the file that I previously downloaded from the IBM website, so you need to copy this file; just drag and drop. Once the file is there, we can right-click and... oh sorry, let me just delete this; I need to go to /store/tmp and drag and drop this file. Actually you can go to any different directory or folder and copy the file; I'm just following the procedure. So just go to /store/tmp and let's type ls /store/tmp; we got the file. Next we need to use this command; let me see the example: mount -o loop the SFS file from /store/tmp onto /media/updates. Copied, and then go to /media/updates and install it: cd /media/updates, ls, and then type ./installer. This will actually install the server component of WinCollect. "Do you want to continue?" Yes. Remember that previously we did not see any WinCollect here on this Data Sources menu. It asks whether you want to restart the user interface or restart the event collection services, so I will just select number two. Thirteen packages to install; it's going to take a while to finish the installation.

But it's definitely much faster than the previous installation; the previous installation of QRadar itself took roughly 45 minutes. It says installing WinCollect agent something, version number 7.2.9-96. So again I would suggest that you use WinSCP to do the copy and paste from your Windows system to your QRadar VM, to the specific directory where the guide tells you to. I'm going to finish this installation and I'll get back to you soon.

It looks like the installation is done. By the way, during the installation of this SFS patch you'll see something like this, oops sorry; it actually pops up with a small message that I was not able to catch. So let me try to log on again to the QRadar, and because we do not use anything else with WinSCP I can just close it. Once we're done, let's check; you'll see something like this: earlier it said "connection terminated, you need to restore the connection". Don't worry, it's still our Tomcat restarting. You need to go to Admin; it's still restarting, so we can try to reconnect, but I think we need to wait for a while for Tomcat to finish restarting. Let me refresh; it's still not ready yet, so let's get back later. I think it's ready: it says that we need to press Enter to close the screen, "running the cleanup" blah blah, so you can now press Enter to close the screen, and let's refresh this page. Of course you can type systemctl status tomcat; it looks like it's running correctly, "active (running)". It's going to take a while to reconnect to the console, so you need to hang on for a while.

Meanwhile let me open up a client. This is an example of a client, or I would say the operating system, that will be used as the asset to be monitored, and therefore we need to install the agent. Let me just revert this machine to a snapshot. I'm going to uninstall the agent just to make it clean.
Okay, let's just go to the folder where we normally install the program. Here, let me see; it looks like the WinCollect agent was not installed, nothing yet, so this is a clean Windows, and I've already copied WinCollect over. In order to install WinCollect you will need to download it from the IBM website; you can easily use Google to search for it. So let's log in to the QRadar Security Intelligence console. The next step is just to make sure everything works fine; you have to wait for a while for the application to load correctly. Now let's go to Admin and verify that the WinCollect agent server component has been correctly installed. It is very important, because you'll need to make sure that your agent for the data sources has been correctly installed. Go to Data Sources, and now we can see WinCollect, so we can just go to WinCollect. You have to do this before you even install your WinCollect agent on your Windows machine that will be used as your asset to be monitored.

So if you go to WinCollect you need to do certain things here. Oops, I think we need to authorize the service first, so go to System Configuration, and let me see, it's under... let me see. We will need to find an option for us to actually enable the service; let me get back to it: it's under System Configuration, you see Authorized Services, here under User Management. So go to Admin, System Configuration, User Management, and under User Management you can find Authorized Services. This is where we can actually authorize the service, so you need to click Add Authorized Service, and you can put a service name, for example "WinCollect engine", and the user role will be like WinCollect; this user role will be used for the account that will start the collection. Security profile: Admin, set no expiry, and create the service. Once the service is created, take note of this authentication token, because you are going to use it later on. So let me just copy it; of course you can get back to this one later. Then we can go to Data Sources and WinCollect.

Next we need to specify our destination. Go to Destinations; this will be used by WinCollect. Add Destination, and in the WinCollect destination properties give it a name, like WinCollect example 1, anything. This is just the setting that will be used before you install, or while you're installing, your WinCollect. So we got this destination; of course you can use many different destinations that will forward the data from the client or from the agent to QRadar. Don't forget to select Deploy Changes, and you have to wait for a while on this one.

While waiting for this deployment to commence, let's get back to our VM and try to install this: right-click, Run as administrator. This is actually the WinCollect agent executable file; I'm running the 64-bit version of WinCollect. Oh yeah, it looks like I couldn't stop the WinCollect previously, so remove and then reinstall; it's okay for your experience. Okay, just close it. Next, accept the license; you can put any organisation you like. Then here is where you need to select whether you want to install the WinCollect agent to be managed by a QRadar console, or standalone, which will not be managed by the QRadar console. By default I'm going to use this "managed" option, which states that the WinCollect agent will be managed by the QRadar console. Click Next. You can put your host, for example win10gst for the desktop. Remember the authentication token that I copied from the Authorized Services? This is the time you will use that authentication token, so I copy it, Ctrl+V, and then input the configuration for the console, which is 192.168.1.2, the address of my QRadar manager or console. By default it will open, or use, port 8413, and if you want to check whether the port is open on QRadar it's very simple: you can go to the console and then type netstat -nlp and grep it for 8413. 8413: see, it's listening.
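Those two checks on the console side, Tomcat showing "active (running)" and something listening on 8413, are the ones to repeat whenever an agent will not register, so here they are as a script. This is an added example, not IBM's or the tutorial's code; the parsing functions take the command output as text so they can be exercised offline, and the only assumptions are the service name (tomcat) and the port (8413) that the tutorial itself uses.

```shell
#!/bin/sh
# Added example (not IBM's code): confirm the QRadar console is ready for a
# WinCollect agent, i.e. tomcat is active and the console listens on TCP 8413,
# the default port the agent installer proposes.
#   run on the console as root:   sh console_ready.sh run

# listening_on NETSTAT_OUTPUT PORT -> exit 0 if a LISTEN line binds PORT.
# Works on `netstat -nlp` and `ss -nltp` output, where the local address is
# column 4 (0.0.0.0:8413, :::8413 or *:8413).
listening_on() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /LISTEN/ {
            n = split($4, a, ":")        # last field after ":" is the port
            if (a[n] == port) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# service_is_active STATUS_OUTPUT -> exit 0 if `systemctl status` shows
# "active (running)"; a restarting Tomcat shows "activating" and fails
service_is_active() {
    printf '%s\n' "$1" | grep -q 'Active: active (running)'
}

main() {
    rc=0
    if service_is_active "$(systemctl status tomcat 2>&1)"; then
        echo "OK    tomcat is active (running)"
    else
        echo "FAIL  tomcat is not running; wait for the restart or check 'systemctl status tomcat'"
        rc=1
    fi
    if listening_on "$(netstat -nlp 2>/dev/null)" 8413; then
        echo "OK    console is listening on 8413"
    else
        echo "FAIL  nothing listens on 8413; the WinCollect agent cannot register"
        rc=1
    fi
    return $rc
}

if [ "${1:-}" = "run" ]; then main; fi
```

A FAIL on the 8413 line right after the WinCollect server component was installed usually just means the event collection services are still restarting; rerun it after the console comes back.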

Okay, now let's get back to this one, click Next, and this is where you can create the log source. Remember the identifier we had to configure earlier in the source or destination? Let me get back to it: I'm in Data Sources, then WinCollect, and go to Destinations; this is where you can actually enable or add many destinations. So the name is WinCollect test and the hostname is WinCollect 1. Okay, let's get back to this one. So in WinCollect let me write down WinCollect; remember that the name must be the same, and the destination is WinCollect 1. You can tick any event logs that you want to be forwarded; by default I'm using Security, System and Application. Click Next and Next, and there's a syslog status server; we don't use this, so just leave it blank and click Next. It's going to take a while to install the agent.

Okay, we're done, and let's check the services by typing services and pressing Enter; you can check the WinCollect service, and if you look at this one, by default the WinCollect service is running. So this is your client.

Now, to test, you can open MMC and we will need to enable certain things here, like for example audit. So Add/Remove Snap-in, choose Group Policy and click Finish; then you can expand this, go to Windows Settings, Security Settings, and go to Local Policies. Here we will need to enable the audit policy: for example Audit logon events, success and failure; Audit account management, success and failure; Audit account logon events, success and failure; Audit object access, success and failure (it depends on your preference); maybe Audit privilege use, success and failure; Audit system events, success and failure. Okay, so you can close this one and then run the command gpupdate /force (sorry, supposed to be gpupdate /force) to update the policy.

Let's get back to our QRadar admin console. We will need to go to Offenses, for example, just to see if we can configure certain rules that will be triggered. Actually you don't need to go to Offenses, but if you want to fine-tune the rules to get an immediate effect you can go to the rules and modify them. For the meantime, let's just go to Log Activity, and let me try to log off and log on to this one: right-click, Sign out.

sign up and before that that's tried to

go to the admin just to verify whether

our wind collect agent has been

configured correctly I mean installed

and configured correctly and detected by

our curator so you go to the agent yep

looks like the agent is not there yet

what happened let me see

she

under user management see what our

services can check again

let me lock on so this windows and if

you want you can reinstall your in

correct but anyway let me just restart

my agent

yeah so sometimes it will take a while

to actually see the agent being

monitored here under the winter lack you

should actually see that the agent has

been correctly installed so if you don't

see this you might want to repeat the

steps okay so hang on for a while

let me get back to you on the wind

collect agents problem so the problem


exists because of this I uninstalled and

rinsed all the even crack agents so I

was wrongly putting the lost source and

inquire as wind collect destination

supposed to be a reverse one o'clock so

lock source identifier should be this

one let me yeah so when you go to the

link leg and the identifier should be de

the hostname okay while the destination

is the wind collect dust

so that's locked source identifier will

collect one and the station in correct

destination okay and next and next and

finish and can check again

in connect it is started okay so in

collect should be started running

automatically you can of course restart

this if you like and if there's no issue

you should actually be able to see the

wind current agent being registered

being managed by the console

okay so while the service is being

restarted let me check

by selecting the agent hopefully nothing

goes wrong see ya so sorry apologize for

the mistake yeah

so now we have the pinnacle of agent

being monitored by this curator console

so notice that the status is unavailable

[Music]
but everything update is true okay so

just close it for a while let's get back

to this one and wait until the pin click

is started or we started directly and

then let's revisit the wind collect

agent status on our curator

Okay, it's done. Hmm, looks like there's an error, but let's just revisit this; we need to deploy changes. If you want you can also restart this machine just to make sure it's correctly being configured by Windows. Okay, so just leave it running, and so let me log on for a while and see the status of our agent.

So here WinCollect agent running on the host Winton DST, and the status is running and it is enabled, and the automatic updates is also enabled. We're done with this one, with the installation of the agent, and by default this agent will be monitored, and you can even look at the log sources by selecting Log Sources, okay.

Now, nothing much here, yeah. So let's open up the Log Activity and let's generate some logs. Nothing, nothing here, yeah, only the warning message and something, yeah.

So let's try to log in; let's log in to this one using a different password, for example wrong password one, so because we have enabled the audit earlier it will effectively generate a log. Okay, so can see: "system notification local", trying to log on incorrectly. If you want you can go to the WinCollect agent again and check the log related to the agent, see if the log is being collected. Even the... yeah, so remind me later, maybe can go to this "show events", yeah, because event matches, and you go to the Log Activity; if it is, I should be able to see some logs in.

Let me check again if we have successfully enabled audit. So to MMC, see at the Group Policy; a little bit slow here. Go to the MMC, add the Group Policy snap-in, expand Local Computer Policy, Windows Settings; you can go to the Security Settings and Local Policies and then go to the Audit Policies, that is correctly set successfully there, this one. Yeah, so let's have a look like this: so we have enabled this, this, this, this, this and this; this one are not enabled, okay. Should be okay, yeah, it should be correct. Yeah, I've got some; let's just go to the last hour. It looks like it's running but it doesn't actually show me something related to the, yeah, logon. Anyway,

let's check, let's go to the Offenses and then let's create a very simple rule. Before that let me check what is the IP address of this, and this is 1.8, okay, 1.8. We go to the Rules and let's just create a very simple rule, or maybe just modify any rule, like for example port scan, and I'll customize this, for "port scan detected", double click, and yeah, let me test one rule, see if it works correctly. So let me remove the remaining one, okay.

So on events, okay: "potential port scan detected, an event or flow which are detected by global", yeah. Then you can go to the "when the local network is one of the following networks", and double click, and double click on that, and then you change the following network, so for example "all", because we're monitoring all of the networks; just go to All, edit, add, and then click Submit, and on the following network also set to All, submit. And yeah, so by default it will be set to the recon group; next.

And this is where you can actually, yeah, so you can select rule actions, or "ensure the detected event or flow is part of an offense", so it will be shown in the Offenses tab. More offenses: can put any annotation, for example "test annotation", and under the rule response you can also modify the severity, credibility and relevance. For the meantime I do not change any to anything yet; I do not change severity, credibility and relevance. And you can put "ensure that the detected event is part of the offense", and you can put, like you know, just for testing, "set or replace the name of associated offense", okay. So this will actually, it should be selected as part of this; "dispatch new event", yeah, this one is also that one, yeah, just sample. And don't forget to select "enable this rule", right, and next.

Okay, we're done with this; you can review, and by default it's set. Now you can go to the admin and, yeah, let's try to look at the Log Activity events and let's try to do a very simple scan on our target: nmap 192.168.1.8, and see if we can actually detect the event.

Yes, offense created, and we got this "potential port scan detected", so okay. So you can even add a metric and then modify the parameter "associated with offense", okay, and add a filter, and you can see the events; you can clear the events just to see, I've seen the log created earlier, yes, yes, this "notification local" blah blah blah. And let's look at the Offenses, see we can actually get this in our offenses. Yeah, it is shown as "potential local port scan detected", the offense source is 1.6 which is my IP, yeah this is my IP, and the target is shown as destination IP, which is 2, and it has multiple ones. Yeah, so anyway we have successfully tested the offenses and, yeah, the logs, yeah.

And let's try again on the non-successful login. Oh, oops, right, sign out. Try to incorrectly put the password several times and see we can get the events created.

Hmm, okay, I need to check the... oh, let me see why it did not record that; let me just get back to WinCollect. Let's go to this destination thing; we need to check the data sources, let me see. So under the Log Sources, double-click and let's have a look in this one, yeah. Okay, so let me check: the region, just correct; source type, Windows Event Log, which is correct; log source identifier, correct, okay; event, nothing much. So we log this Security log type, no filtering, event type: informational, warning, all; nothing much here. Looks like our log source has been correctly configured, yeah. So anyway let's check again, go to "show events", okay, then go to the Log Activity again. Okay, I'm trying to find out why it did not trigger, yeah, so let me get back to you on this.

Do the troubleshooting on the Log Activity, or the Windows events which were not shown in this Log Activity. So let's go to the admin, go to the Log Sources, and I think we need to configure something. We take and go to the Edit, select, and then scroll down. Okay, so everything looks fine until here. So here WinCollect agent is this one, correct, and target internal destination, yeah, initially it was none, now it's "Event Collector 0 localhost TCP", and target destination is the WinCollect destination which was actually configured earlier in the previous steps, and looks okay. And okay, close it and then let's see if we can get the logs. So shown here, check for the "no changes to deploy". Let's try to log on incorrectly, put a different password or wrong password, and see if we can catch this.

Okay, let me enable this to... let us edit this again. Okay, so try to deploy the changes; not too much there. Looks like nothing here; let me restart my Windows, see we can actually test the logs or the events being forwarded. Two, three, okay, see this, yeah, now we got this incorrect message and showing me something, yeah, yeah, success audit, yeah, I've seen this, yeah, I saw this, the offense created; can go to the offenses, a lot of events, yeah. This one, success audit, yeah, but this is what I'm looking for, so we're done with this, yeah. So yeah, so we can see the offenses being shown here, yeah, and oh, how come there's no offenses here? Okay, then, if you really have any problem with the offenses not being shown here, yeah, what you can do is you can go to this: yeah, here there's an IBM community discussion about offenses not being created; yeah, you can expand the post and these are the steps, okay. So I did some... if we go to YouTube, earlier you can search for "WinCollect QRadar" and there is several information about installing WinCollect, yeah, so you can try to check from this or some of these videos, okay. I was opening this earlier here and it did give me something, but not really that much, yeah. So anyway, once you can see all of this, which are expected, then we're done with our installation and configuration. Okay, so I hope that this tutorial will be useful for you, and if you have any questions, let me know.
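The checks the video does by clicking through the MMC audit policy, the Log Activity tab and the WinCollect agent page can also be run on the Windows host itself, which separates "Windows never wrote the event" from "QRadar never received it". The snippet below is an added example, not part of the video; it assumes an elevated PowerShell prompt and that the WinCollect agent's Windows service is named WinCollect.

```powershell
# Added example, not from the video. Assumes an elevated prompt and a
# WinCollect service named 'WinCollect' (assumption; adjust if yours differs).

# 1. Is failed-logon auditing on? This is the Local Policies > Audit Policy
#    setting the video verifies in the MMC Group Policy snap-in.
auditpol /get /category:"Logon/Logoff" | Select-String -Pattern '^\s+Logon\s'

# 2. Has Windows actually written failed-logon events (Security log,
#    Event ID 4625) in the last 15 minutes? If the count is 0, the wrong
#    password attempts produced nothing for WinCollect to forward, so the
#    problem is on the Windows side rather than in the QRadar log source.
$since  = (Get-Date).AddMinutes(-15)
$failed = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
              -ErrorAction SilentlyContinue)
"Failed logons since $($since.ToString('HH:mm')): $($failed.Count)"
$failed | Select-Object -First 5 TimeCreated,
    @{ n = 'TargetUser'; e = { ([xml]$_.ToXml()).Event.EventData.Data |
                               Where-Object Name -eq 'TargetUserName' |
                               Select-Object -ExpandProperty '#text' } }

# 3. Is the agent service running? If it is stopped, nothing is forwarded
#    no matter how the log source identifier and destination are set in QRadar.
Get-Service -Name 'WinCollect' -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

If step 2 shows events but the QRadar Log Activity stays empty, the fault is in the log source identifier or WinCollect destination, exactly the mix-up the video corrects above.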
