Splunk® Enterprise Security

Splunk Enterprise Security Tutorials


Part 4: Schedule the correlation search

Decide how often you want the search to run, and how often you want response actions to be triggered in response to search matches. You can adjust the schedule window and throttling to make sure that duplicate events are not created, which could result in duplicate actions being taken by analysts or the automated response actions that you set up.

Configure a time range for the correlation search

Set a time range for the search. The time range depends on the use case for your search. Excessive failed logins are important if they happen in an hour, but the same pattern of failed logins is not important if they happen across a period of one or two days. Add an offset to the start and end time fields if the data model that the search runs against has a lot of data.

This correlation search runs over a one-hour time range of data, offset by five minutes so that late-arriving events have time to be indexed before the search looks at them.

  1. In the Start time field, type rt-65m@m to express the earliest time period in relative time.
  2. In the End time field, type rt-5m@m to express the latest time period in relative time.

Configure a schedule for the correlation search

Correlation searches can run with a real-time or continuous schedule. Use a continuous schedule to prioritize data completion, as searches with a continuous schedule are never skipped. Use a real-time schedule to prioritize current data and performance, as searches with a real-time schedule are skipped if the search cannot be run at the scheduled time.

As excessive failed logins matter most when you hear about them quickly, select a real-time schedule for the search. Set a cron schedule to run the search every five minutes.

  1. In the Cron Schedule field, type */5 * * * *.
  2. In the Scheduling list, select Real-time Schedule.

Set up throttling to limit the number of alerts

Set up throttling to limit the number of alerts generated by your correlation search. By default, each result returned by the correlation search generates an alert. Typically, you only want one alert of a certain type. You can set up throttling to prevent a correlation search from creating more than one alert of a certain type.

  1. Type a Window Duration of 86300s to throttle alerts to 1 per day.
  2. Type app and src as Fields to group by. Choose the same fields here that the search splits its aggregates by, so that throttling collapses matches at the same granularity as the search results.

This means that no matter how many Excessive Failed Logins correlation search matches occur in one day that share the same app and src field values, only one alert is created.
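As an added illustration (not part of the Splunk documentation or product), the following Python models how the settings above interact: a search over rt-65m@m to rt-5m@m run every five minutes re-evaluates each event in 12 consecutive runs, which is exactly the duplication that throttling on app and src absorbs. The relative-time parser handles only the rt-<N>m@m form used here, and the throttle semantics (suppress a group for the window after its first alert) are an assumption made for the model, not Splunk's internal implementation.

```python
import re
from datetime import datetime, timedelta

_REL = re.compile(r"^rt(?:-(\d+)m)?@m$")  # only the rt-<N>m@m form used in this tutorial

def relative_minute(now, modifier):
    """Resolve 'rt-65m@m' against now: subtract N minutes, then snap (@m) to the minute."""
    m = _REL.match(modifier)
    if not m:
        raise ValueError(f"unsupported modifier: {modifier}")
    return (now - timedelta(minutes=int(m.group(1) or 0))).replace(second=0, microsecond=0)

def search_windows(first_run, runs, every_min=5, earliest="rt-65m@m", latest="rt-5m@m"):
    """[(earliest, latest)] for consecutive runs of a '*/5 * * * *' schedule."""
    return [(relative_minute(first_run + timedelta(minutes=every_min * i), earliest),
             relative_minute(first_run + timedelta(minutes=every_min * i), latest))
            for i in range(runs)]

def runs_seeing_event(event_time, windows):
    """How many scheduled runs include the event (earliest inclusive, latest exclusive)."""
    return sum(1 for lo, hi in windows if lo <= event_time < hi)

def throttle(matches, fields=("app", "src"), window_s=86300):
    """Assumed semantics: one alert per (app, src) group per window; later matches are suppressed."""
    last_alert, alerts = {}, []
    for r in sorted(matches, key=lambda r: r["_time"]):
        key = tuple(r[f] for f in fields)
        prev = last_alert.get(key)
        if prev is None or (r["_time"] - prev).total_seconds() >= window_s:
            last_alert[key] = r["_time"]
            alerts.append(r)
    return alerts

# Constructed sample data (not real search results): the first scheduled run is at 10:00.
FIRST_RUN = datetime(2017, 2, 3, 10, 0)
WINDOWS = search_windows(FIRST_RUN, runs=14)
EVENT = datetime(2017, 2, 3, 9, 57)
T0 = datetime(2017, 2, 3, 9, 0)
MATCHES = [
    {"_time": T0, "app": "ssh", "src": "10.0.0.5"},
    {"_time": T0 + timedelta(minutes=5), "app": "ssh", "src": "10.0.0.5"},   # same group: suppressed
    {"_time": T0 + timedelta(minutes=5), "app": "ssh", "src": "10.0.0.9"},   # different src: own alert
    {"_time": T0 + timedelta(minutes=10), "app": "ssh", "src": "10.0.0.5"},  # same group: suppressed
    {"_time": T0 + timedelta(seconds=86400), "app": "ssh", "src": "10.0.0.5"},  # 86400 >= 86300: new alert
]
if __name__ == "__main__":
    print("runs that re-evaluate the 09:57 event:", runs_seeing_event(EVENT, WINDOWS))  # 12
    for a in throttle(MATCHES):
        print("alert:", a["_time"].isoformat(), a["app"], a["src"])  # 3 alerts
```

Note that 86300s is slightly less than a day, so a group that recurs exactly 24 hours later is alerted again rather than suppressed.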

Next Step

Part 5: Choose available adaptive response actions for the correlation search.

Last modified on 03 February, 2017

This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0, 4.5.1, 4.5.2, 4.5.3

