Splunk® Enterprise Security

Splunk Enterprise Security Tutorials

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Part 3: Create the correlation search in guided mode

After you define the title, app context, and description of the search, it is time to build it. The best way to build a correlation search with syntax that parses and works as expected is to use guided search creation mode.

Open the guided search creation wizard

From the correlation search editor, click Edit search in guided mode.

Select the data source for the search

Start your correlation search by choosing a data source.

  1. For the Source field, select the source for your data.
    • Select Data model if your data is stored in a data model. The data model defines which objects, or datasets, the correlation search can use as a data source.
    • Select Lookup if your data is stored in a lookup. If you select a lookup file for the Source, then select a lookup file by name.
    To recreate the Excessive Failed Logins search, select Data model.
  2. In the Data model list, select the data model that contains the security-relevant data for your search. Select the Authentication data model because it contains login-relevant data.
  3. In the Object list, select the Failed_Authentication object. The Excessive Failed Logins search is looking for failed logins, and that information is stored in this data model object.
  4. Under Other Options, select the Summaries-only check box to restrict the search to accelerated data only.
  5. Click Next to continue building the search.

Limit the search to a time range

Define the time range of events for the correlation search to scan. Set this time range based on the security use case. Excessive failed logins that occur during a one hour time span are more of a security issue than if they occur during a longer time span. For a different security use case, one hour might not be a long enough time span.

For Excessive Failed Logins, configure a one hour real-time search that runs at a 5 minute delay. The delay ensures data is available before the correlation search runs.

  1. Set the Preset time-range field to 1 hour window. This selection configures the next two fields for you, but does not include the offset.
  2. In Latest time, change the value of rt to rt-5m@m to specify an offset of 5 minutes.
  3. In Earliest time, change the value to rt-65m@m to ensure the search still runs over the full 60 minutes.
  4. Click Next.

For information on time ranges, see Specify time modifiers in your search in the Splunk Enterprise Search Manual.


Filter the data with a where clause

Filter the data that the correlation search examines for a match using a where clause. The search applies the filter before applying statistics.

The Excessive Failed Logins search by default does not include any where clause filters, but you can add one if you want to focus on failed logins for specific hosts, users, or authentication types.

On this screen, the search preview shows you the correlation search string so that you can see if the correlation search string parses. The search string appends filter commands as you type them, letting you see if the filter command you type is a valid where clause. You can run the search to see if it returns the preliminary results that you expect. If the where clause filters on a data model dataset such as Authentication.dest, enclose the data model dataset with single quotes. For example, a where clause that excludes authentication events where the destination is local host would look as follows: | where 'Authentication.dest'!="127.0.0.1".

  1. Leave the Filter field blank and click Next.

Analyze your data with statistical aggregates

Analyze your data with statistical aggregates. Each aggregate is a function that applies to a specific attribute in a data model or field in a lookup file. Use the aggregates to identify the statistics that are relevant to your use case.

For example, the Excessive Failed Logins correlation search uses four statistical aggregate functions to surface the important data points needed to define alerting thresholds. For this search, the aggregates identify the following:

  • Tags associated with the authentication attempts
  • Number of users involved
  • Number of destinations involved
  • Total count of attempts

To replicate this search, create the aggregates.

Create the tags aggregate

Identify the successes and failures in authentication attempts with tags.

  1. Click Add a new aggregate.
  2. Select the values function from the Function list.
  3. Select Authentication.tag from the Attribute list.
  4. Type tag in the Alias field.
  5. Click Next to return to the list of aggregates.

Create the user count aggregate

Identify the number of distinct users involved.

  1. Click Add a new aggregate.
  2. Select the dc function from the Function list.
  3. Select Authentication.user from the Attribute list.
  4. Type user_count in the Alias field.
  5. Click Next to return to the list of aggregates.

Create the destination count aggregate

Identify the number of distinct destinations involved.

  1. Click Add a new aggregate.
  2. Select the dc function from the Function list.
  3. Select Authentication.dest from the Attribute list.
  4. Type dest_count in the Alias field.
  5. Click Next to return to the list of aggregates.

Create a total count aggregate

Identify the overall count.

  1. Click Add a new aggregate.
  2. Select the count function from the Function list.
  3. Leave the attribute and alias fields empty.
  4. Click Next to return to the list of aggregates.
  5. Click Next again to continue.

Fields to split by

Identify the fields that you want to split the aggregate results by. Split-by fields define the fields that you want to group the aggregate results by. For example, you care more about excessive failed logins if the users were logging into the same application and from the same source. In order to get more specific notable events and to avoid over-alerting, define split-by fields for the aggregate search results.

  1. In the Split-by field, type Authentication.app to split the aggregates by application.
  2. In the Split-by field, type Authentication.src to split the aggregates by source.
  3. Click Next to set aliases for the split-by fields.

For more information on split-by fields, see Optional arguments in the Splunk Enterprise Search Reference.

Define aliases for split-by fields

Alias the split-by fields for readability.

  1. In the Alias field for the Authentication.app field, type app.
  2. In the Alias field for the Authentication.src field, type src.
  3. Click Next.

Define the correlation search match criteria for analysis

Identify the criteria that define a match for the correlation search. The correlation search performs an action when the search results match predefined conditions. Define the statistical function to use to look for a match.

For Excessive Failed Logins, when a specific user has six or more failed logins from the same source and attempting to log in to the same application, the correlation search identifies a match and takes action.

  1. In the Attribute list, select the aggregate function count. The Attribute list is pre-populated with the attributes used in the aggregates and with the fields used in the split-by.
  2. In the Operation list, select Greater than or equal to.
  3. In the Value field, type 6.
  4. Click Next.

Test the correlation search string

The guided mode wizard ensures that your search string parses and produces events. You can run the search to see if it returns the results that you expect.

  1. Open a new tab in your browser and navigate to the Splunk platform Search page.
  2. Run the correlation search to validate that it produces events that match your expectations.
    1. If your search does not parse, but parsed successfully on the filtering step, return to the correlation search guided editor aggregates and split-bys to identify errors.
    2. If your search parses but does not produce events that match your expectations, adjust the elements of your search as needed.
  3. After you validate your search string on the search page, return to the guided search editor and click Save to return to the correlation search editor.

Next Step

Part 4: Schedule the correlation search.

Last modified on 03 February, 2017
Part 2: Create a correlation search   Part 4: Schedule the correlation search

This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0, 4.5.1, 4.5.2, 4.5.3

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters