Configure correlation searches in Splunk Enterprise Security
Configure correlation searches to enable or disable them, update the settings associated with how they run, change the search logic, and throttle their resulting adaptive response actions. See Correlation search overview for Splunk Enterprise Security to learn more about correlation searches.
Enable correlation searches
Enable correlation searches to start running adaptive response actions and receiving notable events. Splunk Enterprise Security installs with all correlation searches disabled so that you can choose the searches that are most relevant to your security use cases.
- From the Splunk ES menu bar, select Configure > Content > Content Management.
- Filter the Content Management page by a Type of Correlation Search to view only correlation searches.
- Review the names and descriptions of the correlation searches to determine which ones to enable to support your security use cases.
For example, if compromised accounts are a concern, consider enabling the Concurrent Login Attempts Detected and Brute Force Access Behavior Detected correlation searches.
- In the Actions column, click Enable to enable the searches that you want to enable.
Only enable correlation searches that you use. For example, don't enable Untriaged Notable Events in an unattended production environment.
After you enable correlation searches, dashboards start to display notable events, risk scores, and other data.
Change correlation search scheduling
Change the default search type of a correlation search from real-time to scheduled. Splunk Enterprise Security uses indexed real-time searches by default.
- From the Content Management page, locate the correlation search you want to change.
- In the Actions column, click Change to scheduled.
After changing a search to be scheduled, you can modify the schedule settings of the search.
- From the Content Management page, click the name of the correlation search you want to change.
- (Optional) Modify the search schedule.
Correlation searches can run with a real-time or continuous schedule. Use a real-time schedule to prioritize current data and performance. Searches with a real-time schedule are skipped if the search cannot be run at the scheduled time. Searches with a real-time schedule do not backfill gaps in data that occur if the search is skipped. Use a continuous schedule to prioritize data completion, as searches with a continuous schedule are never skipped.
- (Optional) Modify the cron schedule to control how frequently the search runs.
- (Optional) Specify a schedule window for the search. Type 0 to not use a schedule window, type auto to use the automatic schedule window set by the scheduler, or type a number that corresponds with the number of minutes that you want the schedule window to last.
When there are many scheduled reports set to run at the same time, specify a schedule window to allow the search scheduler to delay running this search in favor of higher-priority searches.
- (Optional) Specify a schedule priority for the search. Change the default to Higher or Highest depending on how important it is that this search runs, and that it runs at a specific time.
The schedule priority setting overrides the schedule window setting, so you do not need to set both.
If you manually convert a real-time search to a scheduled search, this does not automatically adjust the earliest or latest dispatch times. The time range default remains the same as the original real-time search, such as -5m@m ~ +5m@m which does discard events based on the extracted time being slightly in the future versus in the past. You will also need to evaluate the syntax of the converted search. This is because | datamodel is in use for real-time searches. However, if you are moving to a scheduled search, you can use | tstats for efficiency. If you use guided mode to convert the search, it can automatically switch the syntax from | datamodel to | tstats for you.
For information on search schedule priority, see the Splunk platform documentation.
- For tstats syntax, see Tstats in the Splunk Enterprise Search Reference .
- For Splunk Enterprise, see Prioritize concurrently scheduled reports in Splunk Web in the Splunk Enterprise Reporting Manual.
- For Splunk Cloud, see Prioritize concurrently scheduled reports in Splunk Web in the Splunk Cloud Reporting Manual.
Edit a correlation search
You can make changes to correlation searches to fit your environment. For example, modify the thresholds used in the search, change the response actions that result from a successful correlation, or change how often the search runs. Modifying a correlation search does not affect existing notable events.
- From the Content Management page, locate the correlation search you want to edit.
- Click the name of a correlation search on the Content Management page to edit it.
- Modify the parameters of the search, then click Save.
Edit the correlation search in guided mode
You can edit some correlation searches in guided mode. Not all correlation searches support guided search editing. If a search appears grayed-out and has the option to Edit search in guided mode, the search was built in guided mode and can be edited in guided mode. If a search can be edited in the search box, you cannot edit it in guided mode. Attempting to switch to guided mode overwrites your existing search with a new search.
- Click Edit search in guided mode to open the guided search creation wizard.
- Review the search elements in the correlation search, making changes if you want.
- Save the search.
Clone a correlation search
You can clone correlation searches, but you must revise the action.correlationsearch.label setting to see the newly cloned search in Content Management.
- Go to Settings > Searches, reports, and alerts.
- Use the filter box to search for the correlation search that you would like to clone.
- If you don't see any results, change the filters to Type: All and App: All.
- In the Actions column of the correlation search, from the Edit drop-down, select Clone.
- Click Clone Alert.
- Close the "Alert has been cloned" window by clicking the x.
- For the cloned correlation search, in the Actions column, from the Edit drop-down, select Advanced Edit.
- Change the action.correlationsearch.label of the cloned search to a unique and meaningful name that you will see in Content Management.
- Click Save.
- Your new correlation search with the unique name now appears in Content > Content Management within a few minutes.
Throttle the number of response actions generated by a correlation search
Set up throttling to limit the number of response actions generated by a correlation search. When a correlation search matches an event, it triggers a response action.
By default, every result returned by the correlation search generates a response action. Typically, you may only want one alert of a certain type. You can use throttling to prevent a correlation search from creating more than one alert within a set period. To change the types of results that generate a response action, define trigger conditions. Some response actions allow you to specify a maximum number of results in addition to throttling. See Set up adaptive response actions in Splunk Enterprise Security.
- Select Configure > Content > Content Management.
- Click the title of the correlation search you want to edit.
- Type a Window duration. During this window, any additional event that matches any of the Fields to group by will not create a new alert. After the window ends, the next matching event will create a new alert and apply the throttle conditions again.
- Type the Fields to group by to specify which fields to use when matching similar events. If a field listed here matches a generated alert, the correlation search will not create a new alert. You can define multiple fields. Available fields depend on the search fields that the correlation search returns.
- Save the correlation search.
Throttling applies to any type of correlation search response action and occurs before notable event suppression. See Create and manage notable event suppressions for more on notable event suppression.
If you have throttling set for an existing adaptive response action, such as a notable event alarm, editing the details of the alarm causes the throttling to be disregarded. The change to the alarm causes the throttle file, which notes how long to ignore events, to get removed. Therefore the throttling does not occur again until the next event is triggered.
Define trigger conditions for adaptive response actions generated by a correlation search
You can modify the conditions that control when an adaptive response action is generated by a correlation search. Throttling is different from defining trigger conditions and happens after search results meet the trigger conditions. When you define trigger conditions, the correlation search results are evaluated to check if they match the conditions. If the search results match the conditions, throttling rules control whether an adaptive response action is generated.
You can set up trigger conditions to generate response actions per-result, based on the number of results returned by the correlation search, based on the number of hosts, number of sources, or based on custom criteria. For custom criteria, type a custom search string to create a condition. Trigger conditions act as a secondary search against the results of the correlation search.
For information on trigger conditions and configuring those conditions for a search, see the Splunk platform documentation.
- For Splunk Enterprise, see Configure alert trigger conditions in the Splunk Enterprise Alerting Manual.
- For Splunk Cloud, see Configure alert trigger conditions in the Splunk Cloud Alerting Manual.
Create correlation searches in Splunk Enterprise Security
List correlation searches in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0