Configuring correlation searches
Enable correlation searches
Enable correlation searches to start running adaptive response actions and receiving notable events. Splunk Enterprise Security installs with all correlation searches disabled so that you can choose the searches that are most relevant to your security use cases.
- From the Splunk ES menu bar, select Configure > Content Management.
- Filter the Content Management page by a Type of Correlation Search to view only correlation searches.
- Review the names and descriptions of the correlation searches to determine which ones to enable to support your security use cases.
For example, if compromised accounts are a concern, consider enabling the Concurrent Login Attempts Detected and Brute Force Access Behavior Detected correlation searches.
- In the Actions column, click Enable to enable the searches that you want to enable.
After you enable correlation searches, dashboards will start to display notable events, risk scores, and other data.
Change correlation search scheduling
Change the default search type of a correlation search from real-time to scheduled. Splunk Enterprise Security uses indexed real-time searches by default.
- From the Content Management page, locate the correlation search you want to change.
- In the Actions column, click Change to scheduled.
Editing correlation searches
You can make changes to correlation searches to fit your environment. For example, modify the thresholds used in the search, change the response actions that result from a successful correlation, or change how often the search runs. Modifying a correlation search does not affect existing notable events.
- Click the name of a correlation search on the Content Management page to edit it.
Note: Do not edit correlation searches from the Splunk Settings menu. Editing the search this way can break the correlation search itself, or you might not be able to edit related settings. Correlation searches are more complex than regular searches, and their configuration settings are spread across multiple
Edit the correlation search in guided mode
You can edit some correlation searches in guided mode. Not all correlation searches support guided search editing. If a search appears grayed-out and has the option to Edit search manually or Edit search in guided mode, the search was built in guided mode and can be edited in guided mode. If a search can be edited in the search box and only has the option to Edit search in guided mode, editing the search in guided mode overwrites the existing search.
- Click Edit search in guided mode to open the guided search creation wizard.
- Review the search elements in the correlation search, making changes if you want.
- Save the search.
Throttle the number of response actions generated by a correlation search
Set up throttling to limit the number of response actions generated by a correlation search. When a correlation search matches an event, it triggers a response action.
By default, every result returned by the correlation search generates a response action. Typically, you may only want one alert of a certain type. You can use throttling to prevent a correlation search from creating more than one alert. Some response actions allow you to specify a maximum number of results in addition to throttling. See Set up adaptive response actions in Splunk Enterprise Security.
- Select Configure > Content Management.
- Click the title of the correlation search you want to edit.
- Type a Window duration. During this window, any additional event that matches any of the Fields to group by will not create a new alert. After the window ends, the next matching event will create a new alert and apply the throttle conditions again.
- Type the Fields to group by to specify which fields to use when matching similar events. If a field listed here matches a generated alert, the correlation search will not create a new alert. You can define multiple fields, and available fields depend on the search fields that the correlation search returns.
- Save the correlation search.
Throttling applies to any type of correlation search response action and occurs before notable event suppression. See Create and manage notable event suppressions for more on notable event suppression.
Obtain a list of correlation searches
To obtain a list of correlation searches enabled in Splunk Enterprise Security, use a REST search to extract the information that you want in a table.
For example, create a table with the app, security domain, name, and description of all correlation searches in your environment.
| rest splunk_server=local /services/alerts/correlationsearches | rename eai:acl.app as app, title as csearch_name | table app security_domain csearch_name description
As another example, create a table with the enabled correlation searches and the adaptive response actions associated with those searches in your environment.
| rest splunk_server=local count=0 /services/saved/searches search="name=\"*- Rule\"" | eval actions=split(actions, ",") | foreach action.*.enabled [eval actions=if('<<FIELD>>'=1,mvappend(actions,NULL,replace("<<FIELD>>","action\.(.*?)\..*","\1")),actions)] | table title,actions
Creating correlation searches
Export content as an app from Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0, 4.5.1, 4.5.2, 4.5.3