Configure correlation searches
A correlation search is a recurring search that Splunk Enterprise Security runs to scan multiple data sources for defined patterns. When the search finds a pattern, it generates an alert. Splunk ES includes over 60 pre-configured correlation searches and categorizes them by the corresponding security domain.
Enable the correlation searches
By default, Enterprise Security installs with all correlation searches disabled. You must enable correlation searches to produce alerts.
- On the Content Management page, filter by Type: Correlation Search to view all correlation searches.
- Find and review the Description field in the correlation search for the intended correlation use-case.
- Enable the correlation searches that correspond to the security domain, data sources, and defined use-case for the Enterprise Security installation.
Once correlation searches are enabled, dashboards will display notable events and risk scores.
- Use the Incident Review dashboard to review the notable events.
- Configure notable event throttling or suppression as needed.
- Use the Risk Analysis dashboard to review the current risk scores.
The Content Management page
You can use the Content Management page to view and configure all correlation, key indicator, and entity investigator searches. To access the page, navigate to Configure > Content Management.
When viewing correlation searches on the Content Management page, you can use the Actions column to:
- Enable or disable a correlation search.
- Change the default search type of a correlation search from real-time to scheduled.
Caution: Splunk Enterprise Security uses indexed real-time searches by default. The use of indexed real-time is a global configuration change, and applies to all apps and searches run from the search head hosting Enterprise Security. For more information about real-time searches, see "About real-time searches and reports" in the Splunk Enterprise Search Manual.
Edit Correlation Search page
This page allows you to set or change the advanced options for a correlation search.
- Browse to Configure > Content Management and filter by Type: Correlation Search.
- Select a correlation search name to view the Edit Correlation Search page.
Note: It is possible to edit correlation searches from the Splunk Settings menu, but it is not recommended. Editing the search this way could break the correlation search or you might not be able to edit other related settings. Correlation searches are more complex than regular searches, and their configuration settings are spread across multiple .conf files.
Every pre-configured correlation search will have these fields defined:
| Field | Description |
|---|---|
| Search Name | A brief descriptor of the search. |
| Application Context | The name of the app that contains the search. |
| Description | A sentence that describes what type of issue the correlation search is intended to detect. |
| Search | The correlation search string to run. The search is grayed out if it supports guided mode. |
| Start Time | The earliest time period for the search, expressed in relative time. |
| End Time | The latest time period for the search, expressed in relative time. Use relative time modifiers in the start and end times. For examples of time modifiers, see "Specify time modifiers in your search" in the Splunk Enterprise Search Manual. |
| Cron Schedule | Edit or change the schedule frequency using standard cron notation. For more information, see the "Crontab" page on Wikipedia (http://en.wikipedia.org/wiki/Cron#crontab_syntax). |
Use throttling to limit the number of alerts generated by a correlation search.
When a correlation search matches an event, it triggers an alert. By default, each result returned by the correlation search will generate an alert. Typically, you may only want one alert of a certain type. You can use throttling to prevent a correlation search from creating more than one alert.
Throttling applies to any type of correlation search alert and occurs before notable event suppression. See Create and manage notable event suppressions for more on notable event suppression.
| Field | Description |
|---|---|
| Window duration | A relative time range defined in seconds. During this window, any additional event that matches any of the Fields to group by will not create a new alert. After the window ends, the next matching event will create a new alert and apply the throttle conditions again. |
| Fields to group by | A search field used to match similar events found during the throttle window. If a field listed here matches a generated alert, the correlation search will not create a new alert. You can define multiple fields, and available fields depend on the search fields that the correlation search returns. |
A notable event is an alert type that creates an event when a search condition is met. See Notable Events in this manual.
Create notable event: Select to enable creation of notable events for the correlation search.
If Create notable event is enabled, additional fields are available:
| Field | Description |
|---|---|
| Title | Sets the Title of the notable event on the Incident Review dashboard. For more information, see Incident Review in this manual. |
| Description | Sets the Description of the notable event. You can enter a URL in plain text to create a link. |
| Security Domain | Sets the Security Domain of the notable event. Select from the drop-down list. |
| Severity | Sets the severity of a notable event. This is used in the Urgency calculation. See Notable Event Urgency assignment in this manual for more. |
| Default Owner | Sets the Owner of a notable event. The default is unassigned. |
| Default Status | Sets the Status of a notable event. The default is New. |
| Drill-down name | Sets the name for the Contributing Events link in a notable event. |
| Drill-down search | Sets the drilldown search for the Contributing Events link in a notable event. |
| Drill-down earliest offset | Sets the earliest time to look for related events when using the Contributing Events link in a notable event. For example, 1h, 2h, 1d. |
| Drill-down latest offset | Sets the latest time to look for related events when using the Contributing Events link in a notable event. For example, 1m, 5m, 30m. |
A risk modifier is a type of alert that creates an event when a search condition is met. You can view the risk modifier events on the Risk Analysis dashboard in Enterprise Security. You can enable this type of alert independently of other alerting options, such as Notable Event creation and Actions.
Create risk modifier: The checkbox enables risk object scoring for the correlation search. If Create risk modifier is enabled, additional fields are required:
| Field | Description |
|---|---|
| Score | Sets the default score assignment for an event. |
| Risk Object field | Sets the search field the risk score is applied to. |
| Risk Object type | Sets the type of object the risk score is applied to. |
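As an added example (not code from the Splunk documentation or from Splunk itself), the following Python models the throttling rules described above and the risk modifier scoring described under Create risk modifier, run over constructed sample results. It assumes that throttling is keyed on the combined values of the Fields to group by and that the Risk Analysis dashboard totals the scores applied to each risk object.

```python
"""Model of ES correlation-search throttling and risk modifier scoring.
Constructed sample data; not Splunk code (assumptions noted in comments)."""
from collections import defaultdict

# Constructed correlation-search results (epoch seconds plus fields), not real data.
RESULTS = [
    {"_time": 1000, "src": "10.0.0.5", "dest": "10.0.1.9", "user": "alice"},
    {"_time": 1100, "src": "10.0.0.5", "dest": "10.0.1.9", "user": "alice"},  # inside window
    {"_time": 1200, "src": "10.0.0.7", "dest": "10.0.1.9", "user": "bob"},    # different group
    {"_time": 4700, "src": "10.0.0.5", "dest": "10.0.1.9", "user": "alice"},  # window has ended
]


def throttle(results, window_seconds, group_by):
    """Return the results that would still raise an alert.

    A result whose group-by field values match an alert raised less than
    window_seconds earlier is dropped. Once the window ends, the next match
    raises an alert again and opens a fresh window (the page's "apply the
    throttle conditions again"). Assumption: the key is the combination of
    all group-by field values, with a missing field treated as None.
    """
    window_opened = {}  # group key -> _time of the alert that opened the window
    alerts = []
    for r in sorted(results, key=lambda r: r["_time"]):
        key = tuple(r.get(f) for f in group_by)
        opened = window_opened.get(key)
        if opened is not None and r["_time"] - opened < window_seconds:
            continue  # throttled: same group, window still open
        window_opened[key] = r["_time"]
        alerts.append(r)
    return alerts


def risk_modifiers(alerts, score, risk_object_field, risk_object_type):
    """Create one risk modifier per surviving alert and total the scores per
    (risk object, type), which is the view the Risk Analysis dashboard gives."""
    totals = defaultdict(int)
    for a in alerts:
        totals[(a[risk_object_field], risk_object_type)] += score
    return dict(totals)


if __name__ == "__main__":
    kept = throttle(RESULTS, window_seconds=3600, group_by=["src", "dest"])
    print("alerts at:", [a["_time"] for a in kept])
    print("risk totals:", risk_modifiers(kept, 20, "src", "system"))
```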
Actions are other alert types that can be triggered by a correlation search. The Action alert types are enabled independently of other alerting options, such as Notable Event creation and Risk Scoring.
| Action | Description |
|---|---|
| Include in RSS feed | The checkbox enables a correlation search alert to be included in the Splunk Enterprise RSS feed. See "Create an RSS feed" in the Alerting Manual. |
| Send email | The checkbox enables a correlation search alert to send an email. |
| Run a script | The checkbox enables a correlation search alert to run a shell script. See "Configure scripted alerts" in the Alerting Manual. |
| Start a Stream Capture | The checkbox enables a correlation search alert to run a packet capture on all source and destination IP addresses in the event. See "Start a Stream Capture" in this topic. |
Edit search in guided mode
Selecting Edit search in guided mode starts the Guided Search Creation wizard. Use the Guided Search Creation pages to review the search elements of a pre-configured correlation search.
Guided search creation allows an Enterprise Security administrator to review or change a correlation search that is built on data models. It prompts for the data model selection, time range, filtering, split-by fields, and conditions in a defined order. Before guided search creation completes, the search is parsed and you are offered the option to test the results before saving.
Not all correlation searches support guided search creation. If an existing correlation search does not show the Edit search manually link, or its Search field is not greyed out, that search does not meet the requirements for guided search creation.
Modifying the attributes of a correlation search will not affect notable events that have already been generated.
Start a Stream Capture
Select Start Stream capture to start a packet capture job in response to a notable event. The job captures packets on all IP addresses returned for the selected protocols over the time period that you choose. You can view the results of the capture session on the Protocol Intelligence dashboards. See "Protocol Intelligence dashboards" in this manual.
For Stream capture to work, you must install the Splunk App for Stream and ensure that a forwarder with the Stream Add-on is available. For all prerequisites for performing Stream captures, see "Splunk App for Stream integration" in the Installation and Upgrade manual.
This documentation applies to the following versions of Splunk® Enterprise Security: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6