Splunk® Enterprise Security

Splunk Enterprise Security Tutorials

Splunk Enterprise Security (ES) versions 6.0.0, 6.0.1, and 6.3.0 are no longer available for download from Splunkbase as of April 15, 2021. Please upgrade to the latest version of Splunk Enterprise Security to avoid any potential issues with Assets and Identity management.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Part 5: Choose available adaptive response actions for the correlation search

After you write the correlation search and determine how often the search runs and performs actions, choose which response actions the search should perform. Determine which response actions are appropriate for your search and add them to the search.

The Excessive Failed Logins search creates a notable event alerting security analysts to the fact that a host has a large number of failed logins, and modifies the risk score of the host by 60 to ensure that analysts are able to identify that it is a host that people are attempting (and failing) to log in to.

Create a notable event for analysts to triage.

  1. Click Add New Response Action and select Notable to add a notable event.
  2. Type a Title of Excessive Failed Logins - Tutorial.
  3. Type a Description of The system $src$ has failed $app$ authentication $count$ times using $user_count$ username(s) against $dest_count$ target(s) in the last hour.
  4. Select a security domain of Access.
  5. Select a Severity of medium.
  6. Leave the Default Owner and Default Status set to the "leave as system default" option.
  7. Type a Drill-down name of View all login failures by system $src$ for the application $app$.
  8. Type a Drill-down search of

    | from datamodel:"Authentication"."Failed_Authentication" | search src="$src$" app="$app$"

    This search shows the contributing events for the notable event.
  9. Type a Drill-down earliest offset of $info_min_time$ to match the earliest time of the search.
  10. Type a Drill-down latest offset of $info_max_time$ to match the latest time of the search.
  11. (Optional) Add Investigation Profiles that apply to the notable event.
    For example, add an investigation profile that fits a use case of "Malware" to malware-related notable events.
  12. Add the src, dest, dvc, and orig_host fields in Asset Extraction to add the values of those fields to the investigation workbench as artifacts when the notable event is added to an investigation.
  13. Type the src_user and user fields in Identity Extraction to add the values of those fields to the investigation workbench as artifacts when the notable event is added to an investigation.
  14. (Optional) Add Next Steps for an analyst to take when triaging this notable event. Use next steps if you want to recommend response actions that should be taken in a specific order. For example, "Ping a host to determine if it is active on the network. If the host is active, increase the risk score by 100, otherwise, increase the risk score by 50." You can only type plain text and links to response actions in the format of [[action|ping]].
  15. (Optional) Add Recommended Actions for an analyst to run when triaging this notable event.

Create a second response action to increase the risk score of the system on which the failed logins occurred.

  1. Click Add New Response Action to add a risk score.
  2. Click Risk Analysis.
  3. Type a Risk Score of 60.
  4. Type a Risk Object Field of src.
  5. Select a Risk Object Type of System.
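The following Python script is an added illustration and is not part of this tutorial or of Splunk Enterprise Security. It models what the two response actions above receive from the correlation search: it aggregates a constructed set of failed-authentication events per src and app the way the tutorial's search does (count, distinct users, distinct targets), substitutes the $src$, $app$, $count$, $user_count$, $dest_count$, $info_min_time$ and $info_max_time$ tokens into the notable event title, description and drill-down exactly as entered in the steps, and produces the risk modifier of 60 against src as a system object. The failure threshold (6), the sample events and the epoch time bounds are assumptions made for the example; the page does not state them. One practical point the script makes visible is that asset and identity extraction only yield artifacts for fields the search actually outputs, so a search that emits only src produces no identity artifact even though src_user and user are configured.

```python
import re
from collections import defaultdict

# Constructed sample of normalized failed-authentication events, standing in for
# rows of the Authentication.Failed_Authentication data model that the tutorial's
# correlation search reads. Not real log data.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "app": "sshd", "user": "root",  "dest": "srv-01"},
    {"src": "10.0.0.5", "app": "sshd", "user": "admin", "dest": "srv-01"},
    {"src": "10.0.0.5", "app": "sshd", "user": "root",  "dest": "srv-02"},
    {"src": "10.0.0.5", "app": "sshd", "user": "admin", "dest": "srv-01"},
    {"src": "10.0.0.5", "app": "sshd", "user": "guest", "dest": "srv-02"},
    {"src": "10.0.0.5", "app": "sshd", "user": "root",  "dest": "srv-01"},
    {"src": "10.0.0.5", "app": "sshd", "user": "root",  "dest": "srv-01"},
    {"src": "10.0.0.9", "app": "sshd", "user": "bob",   "dest": "srv-01"},
    {"src": "10.0.0.9", "app": "sshd", "user": "bob",   "dest": "srv-01"},
]

# Assumed threshold: this page does not state how many failures count as "excessive".
FAILED_LOGIN_THRESHOLD = 6

# Response-action settings as the tutorial steps enter them.
NOTABLE_TITLE = "Excessive Failed Logins - Tutorial"
NOTABLE_DESCRIPTION = (
    "The system $src$ has failed $app$ authentication $count$ times using "
    "$user_count$ username(s) against $dest_count$ target(s) in the last hour."
)
DRILLDOWN_NAME = "View all login failures by system $src$ for the application $app$"
DRILLDOWN_SEARCH = (
    '| from datamodel:"Authentication"."Failed_Authentication" '
    '| search src="$src$" app="$app$"'
)
ASSET_FIELDS = ("src", "dest", "dvc", "orig_host")
IDENTITY_FIELDS = ("src_user", "user")
RISK_SCORE = 60
RISK_OBJECT_FIELD = "src"
RISK_OBJECT_TYPE = "system"

TOKEN_RE = re.compile(r"\$(\w+)\$")


def aggregate_failures(events, threshold=FAILED_LOGIN_THRESHOLD):
    """Stand-in for `stats count, dc(user) as user_count, dc(dest) as dest_count by src, app
    | where count >= threshold`. Returns one result row per (src, app) over the threshold."""
    groups = defaultdict(lambda: {"count": 0, "users": set(), "dests": set()})
    for ev in events:
        g = groups[(ev["src"], ev["app"])]
        g["count"] += 1
        g["users"].add(ev["user"])
        g["dests"].add(ev["dest"])
    rows = []
    for (src, app), g in sorted(groups.items()):
        if g["count"] >= threshold:
            rows.append({"src": src, "app": app, "count": g["count"],
                         "user_count": len(g["users"]), "dest_count": len(g["dests"])})
    return rows


def substitute_tokens(template, fields):
    """Replace $field$ tokens with values from the result row. Unknown tokens are left
    literal, so a misspelled token shows up in the notable instead of silently vanishing."""
    return TOKEN_RE.sub(lambda m: str(fields.get(m.group(1), m.group(0))), template)


def build_notable(row, info_min_time, info_max_time):
    """Render the Notable response action for one result row. info_min_time and
    info_max_time are the search's own time bounds ($info_min_time$/$info_max_time$)."""
    fields = dict(row, info_min_time=info_min_time, info_max_time=info_max_time)
    return {
        "title": substitute_tokens(NOTABLE_TITLE, fields),
        "description": substitute_tokens(NOTABLE_DESCRIPTION, fields),
        "security_domain": "access",
        "severity": "medium",
        "drilldown_name": substitute_tokens(DRILLDOWN_NAME, fields),
        "drilldown_search": substitute_tokens(DRILLDOWN_SEARCH, fields),
        "drilldown_earliest": substitute_tokens("$info_min_time$", fields),
        "drilldown_latest": substitute_tokens("$info_max_time$", fields),
        # Extraction only sees fields present in the result row: this search emits
        # src but no dest/dvc/orig_host or src_user/user, so only src becomes an artifact.
        "assets": [row[f] for f in ASSET_FIELDS if f in row],
        "identities": [row[f] for f in IDENTITY_FIELDS if f in row],
    }


def build_risk_modifier(row):
    """Render the Risk Analysis response action: +60 against src as a system object."""
    return {"risk_object": row[RISK_OBJECT_FIELD],
            "risk_object_type": RISK_OBJECT_TYPE,
            "risk_score": RISK_SCORE}


def run_correlation_search(events, info_min_time="1637575200", info_max_time="1637578800"):
    """Run the search over events and return the response actions it would fire.
    The default epoch bounds are a constructed one-hour window on 2021-11-22 UTC."""
    return [{"notable": build_notable(row, info_min_time, info_max_time),
             "risk": build_risk_modifier(row)}
            for row in aggregate_failures(events)]


if __name__ == "__main__":
    for fired in run_correlation_search(SAMPLE_EVENTS):
        print(fired["notable"]["description"])
        print(fired["notable"]["drilldown_search"])
        print(fired["risk"])
```

Running the script fires one notable (for 10.0.0.5, with seven failures across three usernames and two targets) and one risk modifier; the host 10.0.0.9 stays below the assumed threshold and produces nothing. If you want dest or user artifacts extracted into the investigation workbench, the correlation search itself has to carry those fields through (for example with values(dest) or values(user)), not only their distinct counts.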

Save the correlation search

  1. Click Save to save the correlation search.

Next Step

Additional resources for creating a correlation search.

Last modified on 22 November, 2021

This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2

