Create new correlation searches
Correlation search overview
A correlation search is designed to:
- Search across multiple data sources. Data sources include events from any security domain, assets lists, identities lists, threat lists, and other data in Splunk Enterprise.
- Aggregate the results, applying context to the events.
- Notify on events that match the search conditions. When a correlation search finds an event that matches the correlation, it creates an alert. An alert can be any combination of a Notable event, Risk score, or other action such as an email.
Correlation search examples
- A single event, such as an access attempt from an expired account.
- The correlation of an identities list and an authentication attempt logged on a host or device.
- Multiple similar events, such as a high number of hosts with a specific infection, or a single host with a high number of infections.
- The correlation of an asset list and an event from an endpoint protection system.
- A high number of authentication failures on a single host followed by a successful authentication.
- The correlation of an identities list and an authentication attempt logged on a host or device. A threshold setting is applied in the search to count the number of authentication attempts.
New correlation search
You can create your own correlation searches to generate notable events, risk scores, or other alerts. A new correlation search can be built manually using the Splunk search language, or with guidance using the Guided search creation wizard.
Create a search
Create a search that will find the intersection of events across various data sources.
Manual search creation
The preconfigured correlation searches in ES provide good examples of the search methodology and available options. Navigate to Configure > Content Management and sort on a Type of Correlation search to view pre-configured correlation searches. Test your search ideas using the Search dashboard. Correlation search names cannot be more than 80 characters.
Guided search creation
Guided search creation allows an Enterprise Security administrator to create a correlation search that uses data models. Guided search creation offers options about data model selection, time range, filtering, split-by fields, and conditions in a defined order. Before the guided search creation completes, it does a search parsing check and provides an option to test the results before saving.
- Browse to Configure > Content Management and select Create New Content to show a list of search types.
- Choose Correlation Search to open the New correlation search page.
- Select Edit search in guided mode to begin the guided search creation.
After the Guided search creation completes, the search results will populate the Search: field on the New correlation search page. See Edit Correlation Search page in this manual for a list of the fields and their uses.
Security Posture dashboard
Configure correlation searches
This documentation applies to the following versions of Splunk® Enterprise Security: 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.2.0 Cloud only, 4.2.1 Cloud only, 4.2.2 Cloud only