Splunk® Enterprise Security

Use Splunk Enterprise Security


Create new correlation searches

Correlation search overview

A correlation search is designed to:

  1. Search across multiple data sources. Data sources include events from any security domain, assets lists, identities lists, threat lists, and other data in Splunk Enterprise.
  2. Aggregate the results, applying context to the events.
  3. Notify on events that match the search conditions. When an event is found that matches the correlation, an alert is created. An alert can be any combination of a Notable event, a Risk score, or other action such as an email.

Correlation search examples

  • A single event, such as an access attempt from an expired account.
    The correlation of an identities list and an authentication attempt logged on a host or device.
  • Multiple similar events, such as a high number of hosts with a specific infection or a single host with a high number of infections.
    The correlation of an asset list and an event from an endpoint protection system.
  • A high number of authentication failures on a single host followed by a successful authentication.
    The correlation of an identities list and an authentication attempt logged on a host or device. A threshold setting is applied in the search to count the number of authentication attempts.
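The following search illustrates the third example above (many authentication failures from one source followed by a success). It is an added example written for this page, not one of the correlation searches shipped with the Enterprise Security app, and it assumes the CIM Authentication data model is populated and accelerated; the threshold of 6 failures and the output field names are chosen for illustration.

```spl
| tstats summariesonly=true
    count(eval('Authentication.action'="failure")) AS failure_count
    count(eval('Authentication.action'="success")) AS success_count
    dc(Authentication.user) AS user_count
    values(Authentication.user) AS user
  FROM datamodel=Authentication
  BY Authentication.src, Authentication.dest
| rename Authentication.* AS *
| where failure_count >= 6 AND success_count > 0
| table src, dest, user, user_count, failure_count, success_count
```

The search runs over the time range set on the correlation search schedule, counts failures and successes per source and destination pair within that window, and keeps only pairs that crossed the failure threshold and also recorded at least one success. Because `tstats` aggregates counts, it does not prove that the success came after the failures; if strict ordering matters, follow the aggregation with `streamstats` or a `transaction` over the raw events, at a higher search cost. Each row the search returns becomes one alert, so the notable event or risk score action is configured on the correlation search page rather than in the search string.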

New correlation search

You can create your own correlation searches to generate notable events, risk scores, or other alerts. A new correlation search can be written manually in the search language, or built with the Guided search creation wizard.

Create your search

Create a search that will find the intersection of events across various data sources. The pre-configured correlation searches in the Enterprise Security app will provide good examples of the search methodology and options available. Creating the search and honing the results will require testing.

The Enterprise Security app has a Search dashboard for testing search ideas. In addition, on the Custom Searches page you can create a new correlation search using the Guided Search Creation wizard.

Guided Search Creation

  1. Browse to Configure > General > Custom Searches and select the New button to show a list of search types.
  2. Choose Correlation Search to open the New correlation search page.
  3. Select the Edit search in guided mode link to begin the guided search creation.

The Guided search creation allows an Enterprise Security administrator to create a correlation search that utilizes data models. Guided search creation offers options about data model selection, time range, filtering, split-by fields, and conditions in a defined order. Before the guided search creation completes, a search parsing check is done and an option to test the results before saving is provided.

After the Guided search creation completes, the resulting search string is filled in automatically in the Search: field on the New correlation search page. See the Edit Correlation Search page topic in the Installation and Configuration manual for a list of the fields and their uses.


This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1, 3.2, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 3.3.3

