Splunk® Enterprise Security

Administer Splunk Enterprise Security

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

How Splunk Enterprise Security uses extreme search

Extreme search enhances the Splunk platform search language with a set of commands. For a list of extreme search commands, see Extreme search commands.

As implemented in Splunk Enterprise Security, you can use the extreme search commands to:

  • Build dynamic thresholds based on event data.
  • Provide context awareness by replacing event counts with natural language.

For example, in the Enterprise Security Malware Center dashboard, the Key Security Indicator Total Infections displays the total number of systems with malware infections over the last 48 hours.

ES32 XS example1.png

Splunk ES determines the displayed rate of change by comparing the current count of infections against the count of infected systems from the day before. There is no automatic determination of a normal daily range for infected systems in your environment. The threshold is entirely user-configured. Infections have increased by three, but the value has no context to indicate whether it is a notable increase.

The same indicator using extreme search displays the relevant information, but includes a depth of information that was not available with the default Total Infections indicator.

ES32 XS example2.png

Using extreme search, Splunk ES calculates the infection count and rate of new infections using a dynamically-updating model. The key security indicator uses contextual and easy-to-understand language. In this case, you know that the total malware infection count is not higher than it would be any other day, and the rate of change in infections is not alarming.

The use of context and concept in extreme search

The core ideas of context and concept are critical to the understanding of extreme search. These ideas are responsible for the data model used for dynamic thresholds by an extreme search command.

  1. Context: A context defines a relationship to a field or data in numerical terms. The data to be modeled must be represented by numerical values as the result of a search. Example contexts include total network throughput over the last 24 hours or network latency over the last 24 hours.
  2. Concept: A term that applies to data, representing a qualitative rather than quantitative description. Example concepts include the terms "extreme," "high," "medium," "low," and "minimal".

By combining context and concept, extreme search adds meaning and value to the data.

  • The total network throughput over the last 24 hours was Extreme, high, medium, low, or minimal.
  • The network latency over the last 24 hours was extreme, high, medium, low, or minimal.

The concept terms describe network activity in both examples, but have different meanings based on the context they are applied to. If your environment reports that total network throughput is minimal, it is a warning. If the environment reports that network latency is minimal, the network is operating normally.

Data models and extreme search

After you choose a context and concept to represent your data, Splunk ES creates a data model. Using the extreme search commands, the data model maps the context and event statistics by concept. Extreme search commands refer to this combined model as a context.

Saved searches update contexts, such as the dynamic threshold context. The saved search searches event data for statistics to update the context. For a list of the saved searches that update contexts, see Containers, contexts, and saved searches in this topic.

Configuring extreme search for Enterprise Security

The use of extreme search commands in Enterprise Security requires no additional configuration. The default installation of ES provides all contexts used by the extreme search commands and enables the saved searches that maintain them.

Correlation searches that use extreme search

All correlation searches in Enterprise Security are disabled by default. See Enable correlation searches in this manual.

Guided Search Creation is not available for correlation searches that use extreme search commands. These correlation searches use extreme search.

Search Name Context
Brute Force Access Behavior Detected failures_by_src_count_1h
Brute Force Access Behavior Detected Over One Day failures_by_src_count_1d
Abnormally High Number of Endpoint Changes By User change_count_by_user_by_change_type_1d
Host Sending Excessive Email recipients_by_src_1h
Substantial Increase in Intrusion Events count_by_signature_1h
Substantial Increase in Port Activity count_by_dest_port_1d
Unusual Volume of Network Activity count_30m
Abnormally High Number of HTTP Method Events By Src count_by_http_method_by_src_1d

Extreme search key security indicators

You can easily identify the key indicators that use extreme search by their use of semantic language instead of numerical values. The key security indicators on each dashboard are enabled by default.

Search Name Contexts
Access - Total Access Attempts authentication: count_1d, percentile
Malware - Total Infection Count malware: count_1d, percentile
Risk - Median Risk Score median_object_risk_by_object_type_1d, percentile
Risk - Median Risk Score By System median_object_risk_by_object_type_1d, percentile
Risk - Median Risk Score By User median_object_risk_by_object_type_1d, percentile
Risk - Median Risk Score By Other median_object_risk_by_object_type_1d, percentile
Risk - Aggregated Risk total_risk_by_object_type_1d, percentile
Risk - Aggregated System Risk total_risk_by_object_type_1d, percentile
Risk - Aggregated User Risk total_risk_by_object_type_1d, percentile
Risk - Aggregated Other Risk total_risk_by_object_type_1d, percentile

Containers, contexts, and saved searches

Enterprise Security stores contexts in objects called containers. A container is both an object in the file system and a logical configuration used to classify contexts. In Enterprise Security, the containers are files with the .context extension. A container can contain multiple contexts. You can view the saved searches that generate contexts on the Content Management view in Enterprise Security. See Create and manage saved searches in Splunk Enterprise Security for more information.

Note: Enterprise Security enables the dynamic context saved searches by default.

Container name Context name App location Dynamic context search name
authentication failures_by_src_count_1h SA-AccessProtection Access - Authentication Failures By Source - Context Gen
failures_by_src_count_1d Access - Authentication Failures By Source Per Day - Context Gen
count_1d Access - Authentication Volume Per Day - Context Gen
change_analysis change_count_by_user_by_change_type_1d SA-EndpointProtection Change - Total Change Count By User By Change Type Per Day - Context Gen
email destinations_by_src_1h SA-EndpointProtection Endpoint - Emails By Destination Count - Context Gen
recipients_by_src_1h Endpoint - Emails By Source - Context Gen
malware count_1d SA-NetworkProtection Endpoint - Malware Daily Count - Context Gen
ids_attacks count_by_signature_1h SA-NetworkProtection Network - Event Count By Signature Per Hour - Context Gen
network_traffic count_by_dest_port_1d SA-NetworkProtection Network - Port Activity By Destination Port - Context Gen
src_count_30m Network - Traffic Source Count Per 30m - Context Gen
count_30m Network - Traffic Volume Per 30m - Context Gen
web count_by_http_method_by_src_1d SA-NetworkProtection Web - Web Event Count By Src By HTTP Method Per 1d - Context Gen
risk median_object_risk_by_object_type_1d SA-ThreatIntelligence Risk - Median Object Risk Per Day - Context Gen
total_risk_by_object_type_1d Risk - Total Risk By Risk Object Type Per Day - Context Gen
default percentile SA-Utils ESS - Percentile - Context Gen
default height Splunk_SA_ExtremeSearch None.
trendchange None.
compatibility None.
Last modified on 17 September, 2019
PREVIOUS
Troubleshoot missing notable events in Splunk Enterprise Security
  NEXT
Extreme search example in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters