Part 4: Schedule the correlation search
Decide how often you want the search to run, and how often you want response actions to be triggered in response to search matches. You can adjust the schedule window and throttling to make sure that duplicate events are not created, since duplicate events could lead analysts, or the automated response actions that you set up, to act twice on the same activity.
Configure a time range for the correlation search
Set a time range for the search. The time range depends on the use case for your search. Excessive failed logins are important if they happen in an hour, but the same pattern of failed logins is not important if they happen across a period of one or two days. Add an offset to the start and end time fields if the data model that the search runs against has a lot of data.
This correlation search searches across a one-hour time range of data with a 5-minute offset.

- In the Start time field, type `rt-65m@m` to express the earliest time period in relative time.
- In the End time field, type `rt-5m@m` to express the latest time period in relative time.
Configure a schedule for the correlation search
Correlation searches can run with a real-time or continuous schedule. Use a continuous schedule to prioritize data completion, as searches with a continuous schedule are never skipped. Use a real-time schedule to prioritize current data and performance, as searches with a real-time schedule are skipped if the search cannot be run at the scheduled time.
As excessive failed logins matter most when you hear about them quickly, select a real-time schedule for the search. Set a cron schedule to run the search every five minutes.
- In the Cron Schedule field, type `*/5 * * * *`.
- In the Scheduling list, select Real-time Schedule.
Set up throttling to limit the number of alerts
Set up throttling to limit the number of alerts generated by your correlation search. By default, each result returned by the correlation search generates an alert. Typically, you only want one alert of a certain type. You can set up throttling to prevent a correlation search from creating more than one alert of a certain type.
- Type a Window Duration of 86300s to throttle alerts to 1 per day.
- Type app and src as Fields to group by. Select the same fields here that you split the aggregates by.
This means that no matter how many Excessive Failed Logins correlation search matches there are in one day that contain the same app and source field values, only one alert is created.
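To make the throttling behaviour described above concrete, here is an added example (not part of this documentation and not Splunk's own implementation) that models it in Python: a simplified throttle that suppresses any match whose `app` and `src` values already produced an alert less than the window duration ago. The sample matches and their timestamps are constructed for the illustration.

```python
from typing import Iterable, Sequence

# Constructed sample of correlation search matches (not real Splunk output).
# _time is seconds since an arbitrary epoch; app and src are the grouping fields.
SAMPLE_MATCHES = [
    {"_time": 0,     "app": "ssh", "src": "10.0.0.5", "count": 42},
    {"_time": 300,   "app": "ssh", "src": "10.0.0.5", "count": 57},  # same app+src, inside window
    {"_time": 600,   "app": "ssh", "src": "10.0.0.9", "count": 40},  # different src: separate group
    {"_time": 3600,  "app": "vpn", "src": "10.0.0.5", "count": 61},  # different app: separate group
    {"_time": 86200, "app": "ssh", "src": "10.0.0.5", "count": 44},  # still within 86300s of first alert
    {"_time": 86400, "app": "ssh", "src": "10.0.0.5", "count": 45},  # window expired: new alert
]


def throttle(matches: Iterable[dict], window_seconds: int, group_fields: Sequence[str]) -> list:
    """Return the matches that would become alerts under the modelled throttling.

    A match is suppressed if an alert for the same combination of group_fields
    values was already raised less than window_seconds earlier. Matches are
    processed in time order, as a scheduled search would see them. This is a
    simplified model of the behaviour described in the text, not ES code.
    """
    last_alert_at: dict = {}
    alerts = []
    for match in sorted(matches, key=lambda m: m["_time"]):
        key = tuple(match[field] for field in group_fields)
        previous = last_alert_at.get(key)
        if previous is not None and match["_time"] - previous < window_seconds:
            continue  # throttled: duplicate alert for this group within the window
        last_alert_at[key] = match["_time"]
        alerts.append(match)
    return alerts


def suppressed_count(matches: Sequence[dict], window_seconds: int, group_fields: Sequence[str]) -> int:
    """Number of matches that the throttle would drop."""
    return len(matches) - len(throttle(matches, window_seconds, group_fields))


if __name__ == "__main__":
    for alert in throttle(SAMPLE_MATCHES, 86300, ("app", "src")):
        print(f"alert at t={alert['_time']:>6}: app={alert['app']} src={alert['src']}")
    print("suppressed:", suppressed_count(SAMPLE_MATCHES, 86300, ("app", "src")))
```

Running it with no grouping fields at all shows the other extreme: one alert per window regardless of app or source.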
Next Step
Part 5: Choose available adaptive response actions for the correlation search.
This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0, 4.5.1, 4.5.2, 4.5.3