Splunk® Enterprise Security

Splunk Enterprise Security Tutorials


Part 5: Choose available adaptive response actions for the correlation search

After you write the correlation search and schedule how often it runs, choose the response actions the search should perform whenever it matches. Decide which actions are appropriate for your search and add them to it.

The Excessive Failed Logins search creates a notable event that alerts security analysts to a host with a large number of failed logins, and raises the risk score of that host by 60 so that analysts can see it is a host that people are repeatedly attempting, and failing, to log in to. The notable event's description and drill-down use $field$ tokens, which are filled from the fields the correlation search returns, so each token must match a field name the search actually produces (here src, app, count, user_count and dest_count).

Create a notable event for analysts to triage.

  1. Click Add New Response Action and select Notable to add a notable event.
  2. Type a Title of Excessive Failed Logins - Tutorial.
  3. Type a Description of The system $src$ has failed $app$ authentication $count$ times using $user_count$ username(s) against $dest_count$ target(s) in the last hour.
  4. Select a security domain of Access.
  5. Select a Severity of medium.
  6. For Default Owner and Default Status, keep the default option, leave as system default.
  7. Type a Drill-down name of View all login failures by system $src$ for the application $app$.
  8. Type a Drill-down search of

    | from datamodel:"Authentication"."Failed_Authentication" | search src="$src$" app="$app$"

    This search shows the contributing events for the notable event.
  9. Type a Drill-down earliest offset of $info_min_time$ to match the earliest time of the search.
  10. Type a Drill-down latest offset of $info_max_time$ to match the latest time of the search.
  11. (Optional) Add Next Steps for an analyst to take when triaging this notable event. For example, Review user activity on the Identity Investigator dashboard.
  12. (Optional) Add Recommended Actions for an analyst to run when triaging this notable event.

Create a second response action to increase the risk score of the system on which the failed logins occurred.

  1. Click Add New Response Action to add a risk score.
  2. Click Risk Analysis.
  3. Type a Risk Score of 60.
  4. Type a Risk Object Field of src.
  5. Select a Risk Object Type of System.
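As an added example, not code from the Splunk documentation or from Enterprise Security itself, the following Python script models the two response actions configured above as data, checks that every $field$ token in the notable event and the risk object field are fields the correlation search actually returns, and previews the rendered description and drill-down for one constructed result row. The set of search output fields, the sample row and the token substitution are assumptions made for the example; ES performs its own substitution and this script only approximates it.

```python
import re
from typing import Dict, List, Set

# Fields the tutorial's correlation search is assumed to return: stats by app
# and src with user_count, dest_count and count (inferred from the tokens on
# this page, not taken from the product; check against your own search).
SEARCH_OUTPUT_FIELDS: Set[str] = {"app", "src", "user_count", "dest_count", "count"}

# Tokens that ES fills from the search run's time range rather than from a
# result field, so the lint does not require them in the results (assumption).
METADATA_TOKENS: Set[str] = {"info_min_time", "info_max_time"}

# The Notable response action exactly as configured in the steps above.
NOTABLE: Dict[str, str] = {
    "title": "Excessive Failed Logins - Tutorial",
    "description": (
        "The system $src$ has failed $app$ authentication $count$ times using "
        "$user_count$ username(s) against $dest_count$ target(s) in the last hour."
    ),
    "drilldown_name": "View all login failures by system $src$ for the application $app$",
    "drilldown_search": (
        '| from datamodel:"Authentication"."Failed_Authentication" '
        '| search src="$src$" app="$app$"'
    ),
    "drilldown_earliest_offset": "$info_min_time$",
    "drilldown_latest_offset": "$info_max_time$",
}

# The Risk Analysis response action: a score of 60 on the src field as a system.
RISK_OBJECT_FIELD = "src"
RISK_SCORE = 60

TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")


def tokens_in(text: str) -> Set[str]:
    """Names referenced as $name$ in a notable field."""
    return set(TOKEN_RE.findall(text))


def lint(notable: Dict[str, str], risk_object_field: str,
         output_fields: Set[str]) -> List[str]:
    """List tokens and risk object fields the search would not provide."""
    problems = []
    for key, text in notable.items():
        for tok in sorted(tokens_in(text) - METADATA_TOKENS):
            if tok not in output_fields:
                problems.append(f"{key}: ${tok}$ is not a field of the search results")
    if risk_object_field not in output_fields:
        problems.append(
            f"risk object field {risk_object_field!r} is not a field of the search results"
        )
    return problems


def render(template: str, row: Dict[str, str]) -> str:
    """Fill $field$ tokens from one result row. Unknown tokens are left as-is
    so they stand out in the preview (an approximation of ES behaviour, not
    the product's own substitution code)."""
    return TOKEN_RE.sub(lambda m: row.get(m.group(1), m.group(0)), template)


# Constructed sample result row, shaped like one row of the stats output.
SAMPLE_ROW: Dict[str, str] = {
    "src": "10.0.0.5", "app": "sshd", "count": "12",
    "user_count": "3", "dest_count": "2",
}


def preview(notable: Dict[str, str], row: Dict[str, str]) -> Dict[str, str]:
    """Render every notable field for one row, as an analyst would see it."""
    return {key: render(text, row) for key, text in notable.items()}


if __name__ == "__main__":
    for problem in lint(NOTABLE, RISK_OBJECT_FIELD, SEARCH_OUTPUT_FIELDS):
        print("PROBLEM:", problem)
    for key, value in preview(NOTABLE, SAMPLE_ROW).items():
        print(f"{key}: {value}")
    print(f"risk: +{RISK_SCORE} on system {SAMPLE_ROW[RISK_OBJECT_FIELD]}")
```

Run the check before you save the search: a token that names a field the search does not produce reaches the analyst unfilled, and a risk object field that is absent from the results gives the risk modifier no object to score.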

Save the correlation search

  1. Click Save to save the correlation search.

Next Step

Additional resources for creating a correlation search.

Last modified on 18 December, 2017

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6
