Splunk® Enterprise Security

Splunk Enterprise Security Tutorials


This documentation does not apply to the most recent version of Splunk Enterprise Security.

Part 2: Create a correlation search

After you plan the use case that the correlation search covers, create the search.

Create a search

To create a correlation search, start on the Content Management page.

  1. From Splunk Home, select Splunk Enterprise Security.
  2. Select Configure > Content Management.
  3. Select Create New Content > Correlation Search to open the correlation search editor.
  4. In the Search Name field, type Excessive Failed Logins - Tutorial. Correlation search names cannot be longer than 80 characters.
  5. In the Application Context drop-down list, select SA-AccessProtection as the app where you want the correlation search to be stored. Choose an app context that aligns with the type of search that you plan to build. If you have a custom app for your deployment, you can store the correlation search there.
  6. In the UI Dispatch Context drop-down list, select None. This is the app whose context is used to build links in email notifications and other adaptive response actions. If you do select an app here, it must be visible (not hidden) for those links to work.
  7. In the Description field, type a description of what the correlation search looks for, and the security use case addressed by the search. For example, Detects excessive number of failed login attempts (this is likely a brute force attack).
    This screen image shows the excessive failed logins tutorial search with the search name, application context, UI dispatch context, and description fields completed.

If you disable or remove the app where the search is stored, the correlation search is disabled with it. The app context determines only where the search definition is stored; it does not change how the search runs or which data it searches.

Next Step

Part 3: Create the correlation search in guided mode.

Last modified on 09 March, 2018

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6
