Splunk® Enterprise Security

Splunk Enterprise Security Tutorials

Part 5: Choose available adaptive response actions for the correlation search

After you write the correlation search and determine how often the search runs and performs actions, choose which response actions the search should perform. Determine which response actions are appropriate for your search and add them to the search.

The Excessive Failed Logins search creates a notable event that alerts security analysts that a host has a large number of failed logins. It also modifies the risk score of the host by 60 so that analysts can identify it as a host that people are attempting (and failing) to log in to.

Create a notable event for analysts to triage.

  1. Click Add New Response Action and select Notable to add a notable event.
  2. Type a Title of Excessive Failed Logins - Tutorial.
  3. Type a Description of The system $src$ has failed $app$ authentication $count$ times using $user_count$ username(s) against $dest_count$ target(s) in the last hour.
  4. Select a security domain of Access.
  5. Select a Severity of medium.
  6. Leave the Default Owner and Default Status set to "leave as system default".
  7. Type a Drill-down name of View all login failures by system $src$ for the application $app$.
  8. Type a Drill-down search of

    | from datamodel:"Authentication"."Failed_Authentication" | search src="$src$" app="$app$"

    This search shows the contributing events for the notable event.
  9. Type a Drill-down earliest offset of $info_min_time$ to match the earliest time of the search.
  10. Type a Drill-down latest offset of $info_max_time$ to match the latest time of the search.
  11. (Optional) Add Investigation Profiles that apply to the notable event.
    For example, add an investigation profile that fits a use case of "Malware" to malware-related notable events.
  12. Add the src, dest, dvc, and orig_host fields in Asset Extraction to add the values of those fields to the investigation workbench as artifacts when the notable event is added to an investigation.
  13. Type the src_user and user fields in Identity Extraction to add the values of those fields to the investigation workbench as artifacts when the notable event is added to an investigation.
  14. (Optional) Add Next Steps for an analyst to take when triaging this notable event. For example, Review user activity on the Identity Investigator dashboard.
  15. (Optional) Add Recommended Actions for an analyst to run when triaging this notable event.

Create a second response action to increase the risk score of the system on which the failed logins occurred.

  1. Click Add New Response Action to add a risk score.
  2. Click Risk Analysis.
  3. Type a Risk Score of 60.
  4. Type a Risk Object Field of src.
  5. Select a Risk Object Type of System.
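
The following check is an added example, not part of the Splunk documentation. It extracts the `$field$` tokens from the notable settings typed above and reports any that a result row of the correlation search does not supply, along with an empty risk object field. The function names, the constructed sample row, and the assumption that `info_min_time` and `info_max_time` are present on the result are this example's own; leaving an unresolved token in place in `render` is a choice made here, not a description of how Splunk substitutes tokens.

```python
import re

# A token is a field name wrapped in dollar signs, e.g. $src$.
TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_.]*)\$")

# Settings as typed in the steps above.
NOTABLE = {
    "title": "Excessive Failed Logins - Tutorial",
    "description": ("The system $src$ has failed $app$ authentication $count$ "
                    "times using $user_count$ username(s) against $dest_count$ "
                    "target(s) in the last hour."),
    "drilldown_name": ("View all login failures by system $src$ "
                       "for the application $app$"),
    "drilldown_search": ('| from datamodel:"Authentication"."Failed_Authentication" '
                         '| search src="$src$" app="$app$"'),
    "drilldown_earliest": "$info_min_time$",
    "drilldown_latest": "$info_max_time$",
}
RISK_OBJECT_FIELD = "src"

# Constructed sample of one correlation search result row (not real data).
SAMPLE_ROW = {"src": "10.0.0.5", "app": "sshd", "count": "42",
              "user_count": "3", "dest_count": "2",
              "info_min_time": "1700000000", "info_max_time": "1700003600"}


def missing_fields(row, notable=NOTABLE, risk_field=RISK_OBJECT_FIELD):
    """Return {setting: [fields]} for tokens the row cannot fill."""
    problems = {}
    for setting, text in notable.items():
        absent = sorted({t for t in TOKEN_RE.findall(text)
                         if row.get(t) in (None, "")})
        if absent:
            problems[setting] = absent
    # The risk modifier needs a value in its object field to score anything.
    if row.get(risk_field) in (None, ""):
        problems["risk_object_field"] = [risk_field]
    return problems


def render(text, row):
    """Preview a setting with tokens filled in; unknown tokens stay visible."""
    return TOKEN_RE.sub(lambda m: str(row.get(m.group(1), m.group(0))), text)


if __name__ == "__main__":
    print(missing_fields(SAMPLE_ROW) or "all tokens resolve")
    print(render(NOTABLE["description"], SAMPLE_ROW))
```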

Save the correlation search

  1. Click Save to save the correlation search.

Next Step

Additional resources for creating a correlation search.

This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1
