Create new correlation searches
Correlation search overview
A correlation search is designed to:
- Search across multiple data sources. Data sources include events from any security domain, assets lists, identities lists, threat lists, and other data in Splunk Enterprise.
- Aggregate the results, applying context to the events.
- Notify on events that match the search conditions. When an event is found that matches the correlation, an alert is created. An alert can be any combination of a Notable event, a Risk score, or other action such as an email.
Correlation search examples
- A single event, such as an access attempt from an expired account.
- The correlation of an identities list and an authentication attempt logged on a host or device.
- Multiple similar events, such as a high number of hosts with a specific infection or a single host with a high number of infections.
- The correlation of an asset list and an event from an endpoint protection system.
- A high number of authentication failures on a single host followed by a successful authentication.
- The correlation of an identities list and an authentication attempt logged on a host or device. A threshold setting is applied in the search to count the number of authentication attempts.
New correlation search
You can create your own correlation searches to generate notable events, risk scores, or other alerts. A new correlation search can be written manually in the search language, or built with the Guided search creation wizard.
Create your search
Create a search that will find the intersection of events across various data sources. The pre-configured correlation searches in the Enterprise Security app will provide good examples of the search methodology and options available. Creating the search and honing the results will require testing.
The Enterprise Security app has a Search dashboard for testing search ideas. In addition, on the Custom Searches page you can create a new correlation search using the Guided Search Creation wizard.
Guided Search Creation
- Browse to Configure > General > Custom Searches and select the New button to show a list of search types.
- Choose Correlation Search to open the New correlation search page.
- Select the Edit search in guided mode link to begin the guided search creation.
The Guided search creation allows an Enterprise Security administrator to create a correlation search that utilizes data models. Guided search creation offers options about data model selection, time range, filtering, split-by fields, and conditions in a defined order. Before the guided search creation completes, a search parsing check is done and an option to test the results before saving is provided.
After the Guided search creation completes, the generated search is automatically filled into the Search: field on the New correlation search page. See the Edit Correlation Search page topic in the Installation and Configuration manual for a list of the fields and their uses.
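The following search is an added example and is not one of the searches shipped with Enterprise Security. It implements the "high number of authentication failures on a single host followed by a successful authentication" case listed above, using the same building blocks the guided wizard assembles: a data model (the CIM Authentication model, assumed to be accelerated so that tstats summaries are available), a time bucket, a filter, split-by fields, and a threshold condition. The threshold of 10 failures within a 10-minute bucket is an assumed value to tune for your environment.

```spl
| tstats summariesonly=true count AS attempts
    from datamodel=Authentication.Authentication
    where (Authentication.action="failure" OR Authentication.action="success")
    by Authentication.src, Authentication.dest, Authentication.action, _time span=10m
| rename Authentication.* AS *
| eval failures=if(action="failure", attempts, 0)
| eval successes=if(action="success", attempts, 0)
| stats sum(failures) AS failures, sum(successes) AS successes by src, dest, _time
| where failures >= 10 AND successes >= 1
```

Each result row is one source/destination pair that produced at least 10 failures and at least one success within the same 10-minute bucket, which is what the correlation search would turn into a notable event or risk score. Because the bucketing does not enforce that the success came after the failures, expect some noise from a user who logs in and then mistypes a password repeatedly; when testing on the Search dashboard, compare the row count against the raw events for a few candidate hosts before saving the search.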
This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1, 3.2, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 3.3.3