Splunk® Enterprise Security

Administer Splunk Enterprise Security

Correlation search overview for Splunk Enterprise Security

A correlation search scans multiple data sources for defined patterns. When the search finds a pattern, it performs an adaptive response action.

Correlation searches can search many types of data sources, including events from any security domain (access, identity, endpoint, network), asset lists, identity lists, threat intelligence, and other data in Splunk platform. The searches then aggregate the results of an initial search with functions in SPL, and take action in response to events that match the search conditions with an adaptive response action.

In Splunk Enterprise Security version 7.0.1 and higher, all available correlation searches are displayed on the Incident Review page whether they create notables or not. This might cause minor performance issues on the Incident Review page. Upgrade to Splunk Enterprise Security version 7.0.2 or higher for better performance.

Examples of correlation searches

  • Identify an access attempt from an expired account by correlating a list of identities and an attempt to authenticate into a host or device.
  • Identify a high number of hosts with a specific malware infection, or a single host with a high number of malware infections by correlating an asset list with events from an endpoint protection system.
  • Identify a pattern of high numbers of authentication failures on a single host, followed by a successful authentication by correlating a list of identities and attempts to authenticate into a host or device. Then, apply a threshold in the search to count the number of authentication attempts.

Correlation searches with special characters

Correlation searches that have special characters may display an error message "Search Does Not Exist" if on-premise customers use a reverse proxy. Using Nginx as a reverse proxy in Splunk Enterprise Security may encode special characters that can prevent correlation searches from being discovered by Splunk Enterprise Security. As a workaround, you may clone the correlation search and remove the special characters in the clone, then turn off the original correlation search. Additionally, it is recommended to configure your reverse proxy to not encode special characters.

Last modified on 31 July, 2023
Identify annotations based risk objects in Splunk Enterprise Security   Create correlation searches in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters