Configure correlation searches
A correlation search is a recurring search that scans across multiple data sources for defined patterns, and will alert when the pattern is found. The Splunk App for Enterprise Security correlation searches are configured to find specific security-related patterns across many sources.
Enable the correlation searches
The Splunk App for Enterprise Security comes with over 50 pre-configured correlation searches. The searches correspond to the security domains available in the Enterprise Security app. All pre-configured correlation searches are disabled by default.
- Use the Custom Searches page to find and review the Description field in the correlation search for the intended correlation use-case.
- Enable the correlation searches that correspond to the security domain, data sources, and defined use-case for the Enterprise Security installation.
- Use the Incident Review dashboard to review the notable events.
- Configure notable event throttling or suppression as needed.
- Use the Risk Analysis dashboard to review the current risk scores.
The Custom Searches page
The Custom Searches page is a status page used to display and configure all correlation, key indicator, and entity investigator searches.
Browse to Configure > General > Custom Searches. Use the Actions column on the Custom Searches page to:
- Enable or disable a correlation search
- Change the default search type of a correlation search between scheduled and real-time.
Important: The Splunk App for Enterprise Security uses indexed real-time searches by default. The use of indexed real-time is a global configuration change, and applies to all apps and searches run from the search head hosting the Enterprise Security app. For more information about real-time searches, see "About real-time searches and reports" in the Splunk Enterprise Search Manual.
Edit Correlation Search page
The page allows you to set or change the advanced options for a correlation search.
- Browse to Configure > General > Custom Searches and select a correlation search name to view the Edit Correlation Search page.
Note: Technically, you can also edit the searches from the Settings menu, but editing the search this way could break the correlation search or you might not be able to edit other necessary, related settings. Correlation searches are more complex than regular searches in Splunk.
Every pre-configured correlation search will have these fields defined:
|Search Name||A brief descriptor of the search.|
|Application Context||The name of the app that contains the search.|
|Description||A sentence that describes what type of issue the correlation search is intended to detect.|
|Search||The correlation search string to run. The search will be greyed-out if it supports using guided mode:
|Start Time||The earliest time period for the search, expressed in relative time.|
|End Time||The latest time period for the search, expressed in relative time. Use "relative time modifiers" in the start and end times. For examples of time modifiers, see "Specify time modifiers in your search" in the Splunk Enterprise Search Manual.|
|Cron Schedule||Edit or change the schedule frequency using standard cron notation. For more information, see the "Crontab" page on wikipedia (http://en.wikipedia.org/wiki/Cron#crontab_syntax).|
When the correlation search matches an event, an alert triggers. By default, each result returned by the correlation search will generate its own alert. In a typical alerting scenario, only one alert of any type is desired. Use the throttling option to prevent the creation of additional alerts. Throttling applies to any correlation search alert type: email, notable events, risk assignments, etc. and occurs before "notable event suppression".
|Window duration||A relative time range defined in seconds. During that time, any additional event that matches any of the Fields to group by will not create a new alert. After the time range has passed, the next matching event will create a new alert and apply the throttle conditions again.|
|Fields to group by||A search field used to match similar events. During the Window duration, any additional matches for the correlation search will be compared to the field defined in Fields to group by. If the field matches, it will not allow a new alert to be created. You can define multiple fields. The fields available will depend upon the search fields returned in the correlation search.|
A notable event is an alert type that creates an event when a search condition is met. When a notable event is created, it is indexed on disk, like other events indexed by Splunk Enterprise. The notable event object is tracked, managed, and updated using the Incident Review dashboard in the Enterprise Security app. Notable event creation is enabled independently of other alerting options, such as Risk Scoring and Actions.
- Create notable event: The checkbox enables notable event creation for the correlation search.
If Create notable event is enabled, additional fields are available:
|Title||Sets the notable event Title as it appears on the Incident Review dashboard. For more information, see Incident Review Dashboard in the Enterprise Security User Manual.|
|Description||Sets the Description field in a notable event. This field supports a plain text URL as a link.|
|Security Domain||Sets the Security Domain field in a notable event.|
|Severity||Sets the severity of a notable event. This is used in the Urgency calculation.|
|Default Owner||Sets the Owner of a notable event. The default is unassigned.|
|Default Status||Sets the Status of a notable event. The default is New.|
|Drill-down name||Sets the name for the Contributing Events link in a notable event.|
|Drill-down search||Sets the drilldown search for the Contributing Events link in a notable event.|
|Drill-down earliest offset||Sets the earliest time to look for related events when using the Contributing Events link in a notable event. ex. 1h, 2h, 1d|
|Drill-down latest offset||Sets the latest time to look for related events when using the Contributing Events link in a notable event. ex. 1m, 5m, 30m|
By default, the correlation searches included in the Enterprise Security app assign a notable event a status of New, and the default owner is Unassigned. The initial urgency is determined by priority and severity levels. See "Configure notable events" in this manual.
A risk modifier is an alert type that creates an event when a search condition is met. When a risk modifier is created, it is indexed on disk, like other events indexed by Splunk Enterprise. The risk event object is tracked using the Risk Analysis dashboard in the Enterprise Security app. A risk modifier alert type is enabled independently of other alerting options, such as Notable Event creation and Actions.
- Create risk modifier: The checkbox enables risk object scoring for the correlation search.
If Create risk modifier is enabled, additional fields are required:
|Score||Sets the default score assignment for an event.|
|Risk Object field||Sets the search field the risk score is applied to.|
|Risk Object type||Sets the type of object the risk score is applied to.|
Actions are other alert types that can be triggered by a correlation search. The Action alert types are enabled independently of other alerting options, such as Notable Event creation and Risk Scoring.
|Include in RSS feed||The checkbox enables a correlation search alert to be posted on the Splunk Enterprise RSS feed. See "Create an RSS feed" in the Alerting Manual.|
|Send email||The checkbox enables a correlation search alert to send an email.
|Run a script||The checkbox enables a correlation search alert to run a shell script. See "Configure scripted alerts" in the Alerting Manual.|
|Start a Stream Capture||The checkbox enables a correlation search alert to run a packet capture on all source and destination IP addresses in the event. See "Start a Stream Capture" in this manual.|
Edit search in guided mode
Selecting to Edit search in guided mode begins the Guided Search Creation wizard. Use the Guided Search Creation pages to review the search elements in a pre-configured correlation search.
The Guided search creation allows an Enterprise Security administrator to review or change a correlation search using data models. Guided search creation offers options about data model selection, time range, filtering, split-by fields, and conditions in a defined order. Before the guided search creation completes, a search parsing check is done and an option to test the results before saving is provided.
- Not all correlation searches support guided search creation. If an existing correlation search does not have the link to Edit search manually, or does not appear greyed-out, that search doesn't conform to the requirements for guided search creation.
Start a Stream Capture
A Stream capture is a packet capture job. To initiate a Stream Capture, the Splunk App for Stream and a forwarder with the Stream Add-on must be available. For a list of the pre-requisites to perform Stream Captures, see "Splunk App for Stream integration" in this manual'.
Selecting Start Stream capture opens two selection boxes to choose the protocol and time period of the capture session. The correlation search event result must include an IP or host address to create a Stream capture.
When this option is chosen, each notable event begins a packet capture on all IP addresses returned for the selected protocols over the time period chosen. The results of the capture session are viewed on the Protocol Intelligence dashboards. See the "Protocol Intelligence dashboards" in the Enterprise Security User Manual.
Configure threat intelligence sources
Configure notable events
This documentation applies to the following versions of Splunk® Enterprise Security: 3.3.0, 3.3.1, 3.3.2, 3.3.3