Part 5: Choose available adaptive response actions for the correlation search
After you write the correlation search and determine how often the search runs and performs actions, choose which response actions the search should perform. Determine which response actions are appropriate for your search and add them to the search.
The Excessive Failed Logins search creates a notable event alerting security analysts to the fact that a host has a large number of failed logins, and modifies the risk score of the host by 60 to ensure that analysts are able to identify that it is a host that people are attempting (and failing) to log in to.
Create a notable event for analysts to triage.
- Click Add New Response Action and select Notable to add a notable event.
- Type a Title of Excessive Failed Logins - Tutorial.
- Type a Description of The system $src$ has failed $app$ authentication $count$ times using $user_count$ username(s) against $dest_count$ target(s) in the last hour.
- Select a security domain of Access.
- Select a Severity of medium.
- Leave the Default Owner and Default Status as leave as system default.
- Type a Drill-down name of View all login failures by system $src$ for the application $app$.
- Type a Drill-down search of
This search shows the contributing events for the notable event.| from datamodel:"Authentication"."Failed_Authentication" | search src="$src$" app="$app$"
- Type a Drill-down earliest offset of $info_min_time$ to match the earliest time of the search.
- Type a Drill-down latest offset of $info_max_time$ to match the latest time of the search.
- (Optional) Add Investigation Profiles that apply to the notable event.
For example, add an investigation profile that fits a use case of "Malware" to malware-related notable events. - Add the
src
,dest
,dvc
, andorig_host
fields in Asset Extraction to add the values of those fields to the investigation workbench as artifacts when the notable event is added to an investigation. - Type the
src_user
anduser
fields in Identity Extraction to add the values of those fields to the investigation workbench as artifacts when the notable event is added to an investigation. - (Optional) Add Next Steps for an analyst to take when triaging this notable event. Use next steps if you want to recommend response actions that should be taken in a specific order. For example, "Ping a host to determine if it is active on the network. If the host is active, increase the risk score by 100, otherwise, increase the risk score by 50." You can only type plain text and links to response actions in the format of
[[action|ping]]
. - (Optional) Add Recommended Actions for an analyst to run when triaging this notable event.
Create a second response action to increase the risk score of the system on which the failed logins occurred.
- Click Add New Response Action to add a risk score.
- Click Risk Analysis.
- Type a Risk Score of 60.
- Type a Risk Object Field of src.
- Select a Risk Object Type of System.
Save the correlation search
- Click Save to save the correlation search.
Next Step
Part 4: Schedule the correlation search | Additional resources for creating a correlation search |
This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2
Feedback submitted, thanks!