Part 2: Create a correlation search
After you plan the use case that the correlation search covers, create the search.
Create a search
To create a correlation search, start on the Content Management page.
- From Splunk Home, select Splunk Enterprise Security.
- Select Configure > Content > Content Management.
- Select Create New Content > Correlation Search to open the correlation search editor.
- In the Search Name field, type Excessive Failed Logins - Tutorial. Correlation search names cannot be longer than 100 characters.
Character count for correlation searches include the string prefix to the correlation search name, such as "Threat - "
- In the App drop-down list, select SA-AccessProtection as the app where you want the correlation search to be stored. Choose an app context that aligns with the type of search that you plan to build. If you have a custom app for your deployment, you can store the correlation search there.
- In the UI Dispatch Context drop-down list, select None. This is the app used by links in email and other adaptive response actions. The app must be visible for links to work.
- In the Description field, type a description of what the correlation search looks for, and the security use case addressed by the search. For example, Detects excessive number of failed login attempts (this is likely a brute force attack).
If you disable or remove the app where the search is stored, the correlation search is disabled. The app context does not affect how or the data on which the search runs.
Next Step
Part 1: Plan the use case for the correlation search | Part 3: Create the correlation search in guided mode |
This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2
Feedback submitted, thanks!