Splunk® Enterprise Security

Splunk Enterprise Security Tutorials

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Part 2: Create a correlation search

After you plan the use case that the correlation search covers, create the search.

Create a search

To create a correlation search, start on the Content Management page.

  1. From Splunk Home, select Splunk Enterprise Security.
  2. Select Configure > Content > Content Management.
  3. Select Create New Content > Correlation Search to open the correlation search editor.
  4. In the Search Name field, type Excessive Failed Logins - Tutorial.

    Correlation search names cannot be longer than 83 characters. However, if you include a string prefix such as "Threat - " and a string suffix such as "-Rule" in the correlation search name, the maximum character count for the correlation search name is 99 characters.

    Splunk Enterprise Security only supports correlation searches whose names end with the string suffix "-Rule".

  5. In the App drop-down list, select SA-AccessProtection as the app where you want the correlation search to be stored. Choose an app context that aligns with the type of search that you plan to build. If you have a custom app for your deployment, you can store the correlation search there.
  6. In the UI Dispatch Context drop-down list, select None. This is the app used by links in email and other adaptive response actions. The app must be visible for links to work.
  7. In the Description field, type a description of what the correlation search looks for, and the security use case addressed by the search. For example, Detects excessive number of failed login attempts (this is likely a brute force attack).
    This screen image shows the excessive failed logins tutorial search with the search name, application context, UI dispatch context, and description fields completed.

    If you disable or remove the app where the search is stored, the correlation search is disabled. The app context does not affect how the search runs or the data on which it runs.
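    As an added illustration that is not part of this tutorial (Part 3 builds the search logic in guided mode), the following SPL shows one way the "Excessive Failed Logins" detection described above could be expressed over the Authentication data model; the grouping by source address and the threshold of 10 failures within the scheduled search window are assumptions, not values from this page.

```spl
| tstats summariesonly=true count
    from datamodel=Authentication.Authentication
    where Authentication.action="failure"
    by Authentication.src, Authentication.user
| rename Authentication.* as *
| stats sum(count) as failure_count, dc(user) as user_count, values(user) as users by src
| where failure_count >= 10
```

    Tune the threshold and the grouping field to your environment before enabling the search, since a low threshold on a busy source (a VPN concentrator, for example) produces notable events with little value.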

Next Step

Part 3: Create the correlation search in guided mode.

Last modified on 28 February, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2

