Part 1: Plan the use case for the correlation search
Create a correlation search to address a security use case or problem that you want to solve. If you want to know when vulnerability scanners scan your network, or a high number of devices are infected with the same strain of malware, you can create a correlation search to detect that behavior and alert you.
Correlation searches allow you to search across one or more types of data and identify patterns that could indicate suspicious or malicious activity in your environment.
When to use a correlation search
Use a correlation search to identify patterns in your data that can indicate a security risk.
- You want to know when high-risk users log in to machines infected with malware.
- Identify vulnerability scanning behavior in your network.
- Validate that your access control deprovisioning process is working as expected by monitoring inactive and expired account activity.
- Look for compromised accounts by identifying geographically impossible logins.
Define the use case for the search
Develop a use case that you want the search to address before you start creating the search. This tutorial walks you through creating the Excessive Failed Logins search, which is designed to detect brute force access attempts.
For example, a security analyst wants to know all the users that attempted to log in to an application and failed to type their passwords correctly at least six times. The Excessive Failed Logins correlation search included in Splunk Enterprise Security captures that use case and performs the following functions:
- Search the authentication source events from an application.
- Count the number of failures by user.
- Create an alert for more than six failures over a selected time period.
This search addresses the use case by searching authentication events, counting the number of access failures, and alerting if there are too many failures over a specific period of time.
As another example, a security analyst wants to know if more than ten computers on the network failed to update their virus signatures for a week. The High Number of Hosts Not Updating Malware Signatures correlation search included in Splunk Enterprise Security captures that use case and performs the following functions:
- Search the antivirus source events.
- Evaluate the date of the last antivirus signature file update on a host.
- Compare the last updated date to the time that the search is running.
- Collect events where the last updated date is more than seven days before the time that the search is running.
- Count the collected events.
- If there are more than 10 collected events, create an alert.
Find the data to fit the use case
After you determine the security use case that you want your correlation search to address, determine which data sources are relevant to the use case.
- Determine what data you need to address the use case.
- Determine which data models and data model objects contain that data in the Splunk App for CIM.
- Make sure that the data is in the data model.
In this case, the Excessive Failed Logins search looks for data related to logins, so it uses the Authentication data model as the data source. By using a data model rather than searching a specific source type directly, the correlation search can search a wide variety of data sources related to authentication, such as operating systems, applications, or RFID badge readers, without needing to be changed. Relying on data models in correlation searches allow you to write one search for multiple types of data.
Create a correlation search
Part 2: Create a correlation search
This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0 Cloud only, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0