Splunk® Enterprise Security

Administer Splunk Enterprise Security

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Correlation search overview for Splunk Enterprise Security

A correlation search scans multiple data sources for defined patterns. When the search finds a pattern, it performs an adaptive response action.

Correlation searches can search many types of data sources, including events from any security domain (access, identity, endpoint, network), asset lists, identity lists, threat intelligence, and other data in Splunk platform. The searches then aggregate the results of an initial search with functions in SPL, and take action in response to events that match the search conditions with an adaptive response action.

Examples of correlation searches

  • Identify an access attempt from an expired account by correlating a list of identities and an attempt to authenticate into a host or device.
  • Identify a high number of hosts with a specific malware infection, or a single host with a high number of malware infections by correlating an asset list with events from an endpoint protection system.
  • Identify a pattern of high numbers of authentication failures on a single host, followed by a successful authentication by correlating a list of identities and attempts to authenticate into a host or device. Then, apply a threshold in the search to count the number of authentication attempts.

Correlation searches with special characters

Correlation searches that have special characters may display an error message "Search Does Not Exist" if on-premise customers use a reverse proxy. Using Nginx as a reverse proxy in Splunk Enterprise Security may encode special characters that can prevent correlation searches from being discovered by Splunk Enterprise Security. As a workaround, you may clone the correlation search and remove the special characters in the clone, then disable the original correlation search. Additionally, it is recommended to configure your reverse proxy to not encode special characters.

Last modified on 22 November, 2021
PREVIOUS
Manage investigations in Splunk Enterprise Security
  NEXT
Create correlation searches in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters