Splunk® Enterprise Security

Installation and Upgrade Manual

Configure correlation searches

A correlation search is a recurring search that scans multiple data sources for defined patterns and alerts when a pattern is found. The correlation searches in the Splunk App for Enterprise Security are configured to find specific security-related patterns across many sources.

Enable the correlation searches

The Splunk App for Enterprise Security comes with over 50 pre-configured correlation searches. The searches correspond to the security domains available in the Enterprise Security app. All pre-configured correlation searches are disabled by default.

  1. Use the Custom Searches page to find and review the Description field of the correlation search for the intended use case.
  2. Enable the correlation searches that correspond to the security domain, data sources, and defined use case for the Enterprise Security installation.
  3. Use the Incident Review dashboard to review the notable events.
  4. Configure notable event throttling or suppression as needed.
  5. Use the Risk Analysis dashboard to review the current risk scores.

The Custom Searches page

The Custom Searches page is a status page used to display and configure all correlation, key indicator, and entity investigator searches.

Actions

Browse to Configure > General > Custom Searches. Use the Actions column on the Custom Searches page to:

  • Enable or disable a correlation search.
  • Change the default search type of a correlation search between scheduled and real-time.

Important: The Splunk App for Enterprise Security uses indexed real-time searches by default. The use of indexed real-time is a global configuration change, and applies to all apps and searches run from the search head hosting the Enterprise Security app. For more information about real-time searches, see "About real-time searches and reports" in the Splunk Enterprise Search Manual.

Edit Correlation Search page

The page allows you to set or change the advanced options for a correlation search.

  • Browse to Configure > General > Custom Searches and select a correlation search name to view the Edit Correlation Search page.

Note: Technically, you can also edit the searches from the Settings menu, but editing the search this way could break the correlation search or you might not be able to edit other necessary, related settings. Correlation searches are more complex than regular searches in Splunk.

Default fields

Every pre-configured correlation search has these fields defined:

  • Search Name: A brief descriptor of the search.
  • Application Context: The name of the app that contains the search.
  • Description: A sentence that describes what type of issue the correlation search is intended to detect.
  • Search: The correlation search string to run. The search is greyed out if it supports guided mode:
      • Edit search in guided mode: See "Edit search in guided mode" in this topic.
      • Edit search manually: Allows the contents of a guided-mode-supported search field to be edited or copied directly.

Time Range

  • Start Time: The earliest time for the search, expressed in relative time.
  • End Time: The latest time for the search, expressed in relative time. Use relative time modifiers in the start and end times. For examples of time modifiers, see "Specify time modifiers in your search" in the Splunk Enterprise Search Manual.
  • Cron Schedule: Edit or change the schedule frequency using standard cron notation. For more information, see the "Crontab" page on Wikipedia (http://en.wikipedia.org/wiki/Cron#crontab_syntax).

Throttling

When the correlation search matches an event, an alert triggers. By default, each result returned by the correlation search generates its own alert. In a typical alerting scenario, only one alert of any type is wanted. Use the throttling option to prevent the creation of additional alerts. Throttling applies to every correlation search alert type (email, notable events, risk assignments, and so on) and occurs before notable event suppression.

  • Window duration: A relative time range defined in seconds. During that time, any additional event that matches any of the Fields to group by does not create a new alert. After the time range has passed, the next matching event creates a new alert and applies the throttle conditions again.
  • Fields to group by: A search field used to match similar events. During the Window duration, any additional matches for the correlation search are compared to the field defined in Fields to group by. If the field matches, a new alert is not created. You can define multiple fields. The fields available depend on the search fields returned by the correlation search.

Notable Event

A notable event is an alert type that creates an event when a search condition is met. When a notable event is created, it is indexed on disk, like other events indexed by Splunk Enterprise. The notable event object is tracked, managed, and updated using the Incident Review dashboard in the Enterprise Security app. Notable event creation is enabled independently of other alerting options, such as Risk Scoring and Actions.

  • Create notable event: The checkbox enables notable event creation for the correlation search.

If Create notable event is enabled, additional fields are available:

  • Title: Sets the notable event Title as it appears on the Incident Review dashboard. For more information, see "Incident Review Dashboard" in the Enterprise Security User Manual.
  • Description: Sets the Description field in a notable event. This field supports a plain text URL as a link.
  • Security Domain: Sets the Security Domain field in a notable event.
  • Severity: Sets the severity of a notable event. This is used in the Urgency calculation.
  • Default Owner: Sets the Owner of a notable event. The default is unassigned.
  • Default Status: Sets the Status of a notable event. The default is New.
  • Drill-down name: Sets the name for the Contributing Events link in a notable event.
  • Drill-down search: Sets the drill-down search for the Contributing Events link in a notable event.
  • Drill-down earliest offset: Sets the earliest time to look for related events when using the Contributing Events link in a notable event, for example 1h, 2h, 1d.
  • Drill-down latest offset: Sets the latest time to look for related events when using the Contributing Events link in a notable event, for example 1m, 5m, 30m.

Default statuses

By default, the correlation searches included in the Enterprise Security app assign a notable event a status of New, and the default owner is Unassigned. The initial urgency is determined by priority and severity levels. See "Configure notable events" in this manual.

Risk Scoring

A risk modifier is an alert type that creates an event when a search condition is met. When a risk modifier is created, it is indexed on disk, like other events indexed by Splunk Enterprise. The risk event object is tracked using the Risk Analysis dashboard in the Enterprise Security app. A risk modifier alert type is enabled independently of other alerting options, such as Notable Event creation and Actions.

  • Create risk modifier: The checkbox enables risk object scoring for the correlation search.

If Create risk modifier is enabled, additional fields are required:

  • Score: Sets the default score assignment for an event.
  • Risk Object field: Sets the search field the risk score is applied to.
  • Risk Object type: Sets the type of object the risk score is applied to.
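The throttle and risk scoring described above, modelled as an added Python example (not Splunk's code) so their interaction is visible: one alert per Fields-to-group-by key fires per Window duration, and because the throttle runs before every alert type, a throttled result produces neither a notable event nor a risk modifier. The search results, IP addresses and score are constructed sample data.

```python
# Constructed results from successive runs of a hypothetical brute-force
# correlation search: (epoch seconds, fields returned by the search).
SAMPLE_RESULTS = [
    (0, {"src": "10.0.0.5", "dest": "10.0.0.9"}),
    (60, {"src": "10.0.0.5", "dest": "10.0.0.9"}),    # same key, inside window
    (120, {"src": "10.0.0.7", "dest": "10.0.0.9"}),   # new src
    (200, {"src": "10.0.0.5", "dest": "10.0.0.2"}),   # same src, new dest
    (3700, {"src": "10.0.0.5", "dest": "10.0.0.9"}),  # window from t=0 expired
]


class Throttle:
    """Window duration (seconds) combined with Fields to group by."""

    def __init__(self, window_seconds, group_by):
        self.window = window_seconds
        self.group_by = tuple(group_by)
        self.armed_at = {}  # group-by key -> time of the alert that armed it

    def allow(self, ts, result):
        key = tuple(result.get(f) for f in self.group_by)
        last = self.armed_at.get(key)
        if last is not None and ts - last < self.window:
            return False  # still inside the window for this key: no new alert
        self.armed_at[key] = ts  # the alert fires and re-arms the window
        return True


def run_correlation_alerts(results, window_seconds, group_by,
                           risk_score, risk_object_field):
    """Apply the throttle once, then emit a notable event and a risk
    modifier for every result that passes. Returns (notables, risk)."""
    throttle = Throttle(window_seconds, group_by)
    notables, risk = [], {}
    for ts, result in results:
        if not throttle.allow(ts, result):
            continue
        notables.append({"_time": ts, "status": "New",
                         "owner": "unassigned", **result})
        obj = result[risk_object_field]
        risk[obj] = risk.get(obj, 0) + risk_score  # score accumulates per object
    return notables, risk


if __name__ == "__main__":
    for group_by in (["src"], ["src", "dest"]):
        notables, risk = run_correlation_alerts(
            SAMPLE_RESULTS, 3600, group_by, 20, "src")
        print(group_by, len(notables), "notable events", risk)
```

Grouping by src alone suppresses the t=200 result (same source, new destination) while grouping by src and dest lets it through, which is the difference an analyst sees as one notable versus two for the same attacker.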

Actions

Actions are other alert types that can be triggered by a correlation search. The Action alert types are enabled independently of other alerting options, such as Notable Event creation and Risk Scoring.

  • Include in RSS feed: The checkbox enables a correlation search alert to be posted on the Splunk Enterprise RSS feed. See "Create an RSS feed" in the Alerting Manual.
  • Send email: The checkbox enables a correlation search alert to send an email.
      • Email subject: The email subject defaults to "Splunk Alert: $name$", where $name$ is the correlation search Search Name.
      • Email address(es): Insert email addresses and/or distribution lists that should receive the alert. After inserting email addresses, use the Tab key to leave the field.
        The mail server must be configured in Splunk Enterprise. See "Configure email notification settings" in the Alerting Manual.
  • Run a script: The checkbox enables a correlation search alert to run a shell script. See "Configure scripted alerts" in the Alerting Manual.
  • Start a Stream Capture: The checkbox enables a correlation search alert to run a packet capture on all source and destination IP addresses in the event. See "Start a Stream Capture" in this manual.

Edit search in guided mode

Selecting to Edit search in guided mode begins the Guided Search Creation wizard. Use the Guided Search Creation pages to review the search elements in a pre-configured correlation search.

The Guided search creation allows an Enterprise Security administrator to review or change a correlation search using data models. Guided search creation offers options about data model selection, time range, filtering, split-by fields, and conditions in a defined order. Before the guided search creation completes, a search parsing check is done and an option to test the results before saving is provided.

  • Not all correlation searches support guided search creation. If an existing correlation search does not show the Edit search manually link, or its Search field is not greyed out, that search does not conform to the requirements for guided search creation.

Start a Stream Capture

A Stream capture is a packet capture job. To initiate a Stream Capture, the Splunk App for Stream and a forwarder with the Stream Add-on must be available. For a list of the prerequisites for performing Stream Captures, see "Splunk App for Stream integration" in this manual.

Selecting Start Stream capture opens two selection boxes to choose the protocol and time period of the capture session. The correlation search event result must include an IP or host address to create a Stream capture.

When this option is chosen, each notable event begins a packet capture on all IP addresses returned, for the selected protocols, over the time period chosen. The results of the capture session are viewed on the Protocol Intelligence dashboards. See "Protocol Intelligence dashboards" in the Enterprise Security User Manual.


This documentation applies to the following versions of Splunk® Enterprise Security: 3.3.0, 3.3.1, 3.3.2, 3.3.3