Part 4: Schedule the correlation search
Decide how often you want the search to run, and how often you want response actions to be triggered in response to search matches. You can adjust the schedule window and throttling to make sure that duplicate events are not created, which could result in duplicate actions being taken by analysts or the automated response actions that you set up.
Configure a schedule for the correlation search
Correlation searches can run with a real-time or continuous schedule.
- Use a real-time schedule to prioritize current data and performance. Searches with a real-time schedule are skipped if the search cannot be run at the scheduled time. Searches with a real-time schedule do not backfill gaps in data that occur if the search is skipped.
- Use a continuous schedule to prioritize data completion, as searches with a continuous schedule are never skipped.
As excessive failed logins matter most when you hear about them quickly, select a real-time schedule for the search. If you care more about identifying all excessive failed logins in your environment, you can select a continuous schedule for the search instead.
Set a cron schedule to run the search every five minutes.
- In the Cron Schedule field, type */5 * * * *.
- In the Scheduling list, select Real-time Schedule.
Set up throttling to limit the number of alerts
Set up throttling to limit the number of alerts generated by your correlation search. By default, each result returned by the correlation search generates an alert. Typically, you only want one alert of a certain type. You can set up throttling to prevent a correlation search from creating more than one alert of a certain type.
- Type a Window Duration of 1 and select day(s) from the drop-down list to throttle alerts to 1 per day.
- Type app and src as Fields to group by. Select the same fields here that the search splits its aggregates by.
This means that no matter how many Excessive Failed Logins correlation search matches occur in one day that contain the same app and src field values, only one alert is created for that combination.
Next Step
Part 5: Choose available adaptive response actions for the correlation search.
This documentation applies to the following versions of Splunk® Enterprise Security: 4.6.0 Cloud only