Splunk® Enterprise Security

Use Splunk Enterprise Security


Splunk Enterprise Security version 4.2.x is available only to Splunk Cloud subscribers.
This documentation does not apply to the most recent version of ES.

Create new correlation searches

Correlation search overview

A correlation search is designed to:

  1. Search across multiple data sources. Data sources include events from any security domain, assets lists, identities lists, threat lists, and other data in Splunk Enterprise.
  2. Aggregate the results, applying context to the events.
  3. Notify on events that match the search conditions. When a correlation search finds an event that matches the correlation, it creates an alert. An alert can be any combination of a Notable event, Risk score, or other action such as an email.

Correlation search examples

  • A single event, such as an access attempt from an expired account.
    The correlation of an identities list and an authentication attempt logged on a host or device.
  • Multiple similar events, such as a high number of hosts with a specific infection, or a single host with a high number of infections.
    The correlation of an asset list and an event from an endpoint protection system.
  • A high number of authentication failures on a single host followed by a successful authentication.
    The correlation of an identities list and an authentication attempt logged on a host or device. A threshold setting is applied in the search to count the number of authentication attempts.
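The third example above (many authentication failures from one source followed by a success, correlated with the identities list) written as it could be entered in the Search: field of the New correlation search page. This is an added example, not one of the preconfigured ES searches; it assumes CIM-compliant authentication events (tag=authentication with action, src, dest and user fields), a threshold of 10 failures, and the ES identity lookup identity_lookup_expanded with its identity, category and priority fields.

```spl
tag=authentication (action=failure OR action=success) user=* src=*
| eval fail_time=if(action="failure", _time, null()), success_time=if(action="success", _time, null())
| stats count(fail_time) as failures, min(fail_time) as first_failure, max(success_time) as last_success, values(dest) as dest by src, user
| where failures >= 10 AND isnotnull(last_success) AND last_success > first_failure
| lookup identity_lookup_expanded identity as user OUTPUTNEW category, priority
| eval first_failure=strftime(first_failure, "%Y-%m-%d %H:%M:%S"), last_success=strftime(last_success, "%Y-%m-%d %H:%M:%S")
| table src, user, dest, failures, first_failure, last_success, category, priority
```

The scheduled time range of the correlation search (for example the last 60 minutes) bounds the window in which the failures and the success must occur; the where clause keeps only source and user pairs whose success came after their first failure, and the lookup adds the identity's category and priority so the notable event carries that context.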

New correlation search

You can create your own correlation searches to generate notable events, risk scores, or other alerts. A new correlation search can be built manually using the Splunk search language, or with guidance using the Guided search creation wizard.

Create a search

Create a search that will find the intersection of events across various data sources.

Manual search creation

The preconfigured correlation searches in ES provide good examples of the search methodology and available options. Navigate to Configure > Content Management and sort on a Type of Correlation search to view pre-configured correlation searches. Test your search ideas using the Search dashboard. Correlation search names cannot be more than 80 characters.

Guided search creation

Guided search creation allows an Enterprise Security administrator to create a correlation search that uses data models. Guided search creation offers options about data model selection, time range, filtering, split-by fields, and conditions in a defined order. Before the guided search creation completes, it does a search parsing check and provides an option to test the results before saving.

  1. Browse to Configure > Content Management and select Create New Content to show a list of search types.
  2. Choose Correlation Search to open the New correlation search page.
  3. Select Edit search in guided mode to begin the guided search creation.

After the Guided search creation completes, the search results will populate the Search: field on the New correlation search page. See Edit Correlation Search page in this manual for a list of the fields and their uses.

Last modified on 04 October, 2016

This documentation applies to the following versions of Splunk® Enterprise Security: 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.2.0 Cloud only, 4.2.1 Cloud only, 4.2.2 Cloud only
