Splunk® Enterprise Security

Splunk Enterprise Security Tutorials


Part 2: Create a correlation search

After you plan the use case that the correlation search covers, create the search.

Create a search

To create a correlation search, start on the Content Management page.

  1. From Splunk Home, select Splunk Enterprise Security.
  2. Select Configure > Content > Content Management.
  3. Select Create New Content > Correlation Search to open the correlation search editor.
  4. In the Search Name field, type Excessive Failed Logins - Tutorial. Correlation search names cannot be longer than 100 characters.
  5. In the App drop-down list, select SA-AccessProtection as the app where you want the correlation search to be stored. Choose an app context that aligns with the type of search that you plan to build. If you have a custom app for your deployment, you can store the correlation search there.
  6. In the UI Dispatch Context drop-down list, select None. This is the app used by links in email and other adaptive response actions. The app must be visible for links to work.
  7. In the Description field, type a description of what the correlation search looks for, and the security use case addressed by the search. For example, Detects excessive number of failed login attempts (this is likely a brute force attack).
    [Screen image: the Excessive Failed Logins - Tutorial search with the Search Name, App, UI Dispatch Context, and Description fields completed.]

If you disable or remove the app where the search is stored, the correlation search is disabled. The app context does not affect how the search runs or the data that it runs against.
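The same fields that the editor collects above are stored as a saved search, so the procedure can also be driven through the REST API. The following is an added example, not Splunk's or this tutorial's code: it validates the editor inputs (including the 100-character name limit from step 4) and assembles the path and form body for the saved-search endpoint. It assumes the `/servicesNS/nobody/<app>/saved/searches` endpoint, the `savedsearches.conf` keys `action.correlationsearch.enabled`, `action.correlationsearch.label`, `request.ui_dispatch_app` and `description`, and a constructed placeholder for the search string, which the tutorial writes in Part 3.

```python
"""Assemble the REST call that matches the correlation search editor fields.

Added example, not Splunk's or the tutorial's own code. Assumes the
saved-search REST endpoint /servicesNS/nobody/<app>/saved/searches and the
savedsearches.conf keys action.correlationsearch.enabled,
action.correlationsearch.label, request.ui_dispatch_app and description.
"""
from urllib.parse import urlencode

MAX_NAME_LENGTH = 100  # limit on correlation search names stated in step 4


class CorrelationSearchError(ValueError):
    """Raised when a field would be rejected by the correlation search editor."""


def build_correlation_search(name, app, description, search, ui_dispatch_app=None):
    """Return (path, body) for creating the correlation search over REST.

    name            -> Search Name (also used as the stanza name and label)
    app             -> App (stanza lands in <app>/local/savedsearches.conf)
    description     -> Description
    search          -> SPL; the tutorial writes it in guided mode in Part 3
    ui_dispatch_app -> UI Dispatch Context; None matches the drop-down
                       choice "None" (the key is then left unset)
    """
    if not name or len(name) > MAX_NAME_LENGTH:
        raise CorrelationSearchError(
            f"search name must be 1-{MAX_NAME_LENGTH} characters, got {len(name)}"
        )
    if not app or "/" in app:
        raise CorrelationSearchError("app must be a single app directory name")
    if not search.strip():
        raise CorrelationSearchError("search string cannot be empty")

    body = {
        "name": name,
        "search": search,
        "description": description,
        # Flags the saved search as an ES correlation search and sets its label.
        "action.correlationsearch.enabled": "1",
        "action.correlationsearch.label": name,
        # Create it disabled so it can be reviewed before it is scheduled.
        "disabled": "1",
    }
    if ui_dispatch_app is not None:
        # Links in email and other adaptive response actions are built against
        # this app, so it must be visible to whoever follows the link.
        body["request.ui_dispatch_app"] = ui_dispatch_app

    # The 'nobody' owner places the object at app level (assumption: this is
    # how content shared through Content Management is stored).
    path = f"/servicesNS/nobody/{app}/saved/searches"
    return path, body


def encode_body(body):
    """URL-encode the form body the way the Splunk REST API expects it."""
    return urlencode(body)


if __name__ == "__main__":
    # Values from the procedure above; the search string is a constructed
    # placeholder because the tutorial fills it in during Part 3.
    path, body = build_correlation_search(
        name="Excessive Failed Logins - Tutorial",
        app="SA-AccessProtection",
        description="Detects excessive number of failed login attempts "
                    "(this is likely a brute force attack).",
        search="<SPL written in guided mode in Part 3>",
    )
    print(path)
    print(encode_body(body))
```

Because the stanza is written into the chosen app, the note above applies here as well: removing or disabling `SA-AccessProtection` would disable a search created this way, whereas the app context has no effect on which data the search examines.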

Next Step

Part 3: Create the correlation search in guided mode.

Last modified on 25 January, 2019

This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only
