Splunk® Enterprise Security

Splunk Enterprise Security Tutorials

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Acrobat logo Download topic as PDF

Part 4: Schedule the correlation search

Decide how often you want the search to run, and how often you want response actions to be triggered in response to search matches. You can adjust the schedule window and throttling to make sure that duplicate events are not created, which could result in duplicate actions being taken by analysts or the automated response actions that you set up.

Configure a schedule for the correlation search

Correlation searches can run with a real-time or continuous schedule.

  • Use a real-time schedule to prioritize current data and performance. Searches with a real-time schedule are skipped if the search cannot be run at the scheduled time. Searches with a real-time schedule do not backfill gaps in data that occur if the search is skipped.
  • Use a continuous schedule to prioritize data completion, as searches with a continuous schedule are never skipped.

As excessive failed logins matter most when you hear about them quickly, select a real-time schedule for the search. If you care more about identifying all excessive failed logins in your environment, you can select a continuous schedule for the search instead.

Set a cron schedule to run the search every five minutes.

  1. In the Cron Schedule field, type */5 * * * *.
  2. For Scheduling, select Real-time.

Optionally, you can set a schedule window and a schedule priority for the search. The schedule priority setting overrides the schedule window setting, so you do not need to set both.

When there are many scheduled reports set to run at the same time, specify a schedule window to allow the search scheduler to delay running this search in favor of higher-priority searches. When detecting excessive failed logins, time matters but there are other searches that are more important so you want to use the automatic setting to rely on the search scheduler.

  1. Type a Schedule Window of 0 to not use a schedule window. If you want, type auto to use the automatic schedule window set by the scheduler, or type a number that corresponds with the number of minutes that you want the schedule window to last. For example, type 15 to set a schedule window 15 minutes long.

If this search is more important to run and see results from than other searches, you can change the schedule priority to "Higher" or "Highest" instead of the default. Detecting excessive failed logins is a priority, but not higher than other potential security incidents.

  1. Select a Schedule Priority of Default.

Define trigger conditions for the alerts

You can choose to trigger an alert based on a number of factors associated with the search. By default, the trigger conditions are set to alert you when the number of results is greater than zero. For this search, leave the default value.

Set up throttling to limit the number of alerts

Set up throttling to limit the number of alerts generated by your correlation search. By default, each result returned by the correlation search generates an alert. Typically, you only want one alert of a certain type. You can set up throttling to prevent a correlation search from creating more than one alert of a certain type.

  1. Type a Window Duration of 1 and select day(s) from the drop-down list to throttle alerts to 1 per day.
  2. Type app and src as Fields to group by. You want to select the fields here that you split the aggregates by.

This means that no matter how many Excessive Failed Logins correlation search matches there are in one day that contain the same app and source field values, only one alert is created.

Next Step

Part 5: Choose available adaptive response actions for the correlation search.

Last modified on 22 November, 2021
Part 3: Create the correlation search in guided mode
Part 5: Choose available adaptive response actions for the correlation search

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters