Splunk® App for PCI Compliance

Installation and Configuration Manual


Create new correlation searches

You can create your own correlation searches to generate notable events. These notable events are stored in the notable index and appear on the Incident Review dashboard.

Create a custom correlation search using the Content Management page. For this example, create a correlation search for Splunk_DA-ESS_PCICompliance.

  1. Select Configure > Content Management.
  2. Select Create new content > Correlation Search.
  3. Type a search name. Include a domain in the search name if you want.
  4. Set the Application Context as PCI Compliance.
  5. Create a search with the guided search wizard.
  6. Fill out the rest of the fields on the page.
  7. Click Save.

For assistance creating correlation searches, see Create a correlation search in Splunk Enterprise Security Tutorials.

Configure thresholds for correlation searches

Correlation searches use thresholds to set the number of security events of a specified type that must occur to trigger a notable event. You can configure the thresholds for these searches based on the typical number of events in your environment.

For example, the Malware Outbreak Detected correlation search triggers when the number of new infections within the last 24 hours exceeds the threshold, alerting you when an organization-wide issue is developing. This correlation search may need to be adjusted to reflect the size and load of your environment. A large enterprise might consider 10 new infections within a 24-hour period an outbreak, whereas a small company might consider only 3 new infections an outbreak. The threshold sets the number of infections that the correlation search considers noteworthy.

Threshold settings are best configured after developing a baseline of security events. Index two weeks of data before finalizing the baseline settings. Thresholds need to be adjusted over time as the network changes.
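The topic says to set thresholds from the typical number of events in your environment after indexing two weeks of data, but does not show how to turn a baseline into a number. The script below is an added example, not code from the Splunk App for PCI Compliance: it takes a constructed 14-day series of daily new-infection counts, sets the threshold just above the baseline's mean plus k standard deviations, and backtests the baseline against that threshold so you can see whether normal days would have fired. The mean + k·stddev rule, the default k = 3 and the sample counts are this example's assumptions, not the app's method.

```python
"""Derive a correlation-search threshold from a two-week baseline of daily counts.

Added example for the Splunk App for PCI Compliance threshold discussion; it is
not part of the app. The method (mean + k * population stddev, rounded up) is an
assumption chosen for illustration, and the daily counts are constructed data.
"""
import math
from statistics import mean, pstdev

# Constructed 14-day baseline: new malware infections per day at a small company.
BASELINE_DAILY_INFECTIONS = [0, 1, 0, 2, 1, 0, 0, 1, 1, 0, 2, 0, 1, 1]

# Constructed 14-day baseline for a larger environment with a higher normal rate.
ENTERPRISE_DAILY_INFECTIONS = [3, 5, 4, 6, 2, 5, 4, 3, 5, 6, 4, 5, 3, 4]


def suggest_threshold(daily_counts, k=3.0, floor=1):
    """Return an integer threshold: ceil(mean + k * stddev), never below `floor`.

    A day's count must *exceed* the threshold to trigger, matching the topic's
    wording for the Malware Outbreak Detected search.
    """
    if len(daily_counts) < 2:
        raise ValueError("need at least two days of baseline data")
    m = mean(daily_counts)
    sd = pstdev(daily_counts)  # population stddev: the baseline is the whole window
    return max(floor, math.ceil(m + k * sd))


def would_trigger(count, threshold):
    """True when a 24-hour count exceeds the configured threshold."""
    return count > threshold


def backtest(daily_counts, threshold):
    """Indexes of baseline days that would have fired; ideally few or none."""
    return [i for i, c in enumerate(daily_counts) if would_trigger(c, threshold)]


if __name__ == "__main__":
    for label, series in (("small company", BASELINE_DAILY_INFECTIONS),
                          ("enterprise", ENTERPRISE_DAILY_INFECTIONS)):
        t = suggest_threshold(series)
        print("%s: threshold=%d, baseline days that would fire=%s"
              % (label, t, backtest(series, t)))
```

Re-run the script against a fresh two-week window whenever the environment changes; the topic's point that thresholds drift over time is exactly what the backtest is meant to surface (if normal days start firing, the baseline is stale).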

Add governance to a correlation search

After you create a correlation search, map the correlation search to the relevant PCI DSS controls by adding governance to the search. This step requires file system access on the server. Splunk Cloud customers must work with Support to map a new correlation search to the relevant PCI DSS controls.

Perform these steps in the same directory as the correlationsearches.conf file where the search exists. For example, /Applications/splunk/etc/apps/Splunk_DA-ESS_PCICompliance/local.

  1. Create a governance.conf file.
  2. Copy the stanza for the custom correlation search from the correlationsearches.conf file and paste it into the governance.conf file.
    [PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted - Rule]
  3. Add a compliance control mapping by adding a governance and control line under the correlation search stanza.
    [PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted - Rule]
    compliance.0.governance = pci
    compliance.0.control = 1.3.3
  4. (Optional) Add additional compliance control mappings in pairs. The first line indicates the compliance or governance standard. The second line indicates the control mapping for the standard.
    [PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted - Rule]
    compliance.0.governance = pci
    compliance.0.control = 1.3.3
    compliance.1.governance = pci
    compliance.1.control = 1.3.2
  5. Save the file. The results take effect the next time the correlation search matches and creates a notable event.

Note: The governance settings are only applied to notable events created after the changes are made. Notable events created previously do not have the updated governance information.
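Because governance.conf is edited by hand and a mistake (a stanza name that does not match correlationsearches.conf, or a compliance.N pair with only one of its two lines) silently produces notable events without the expected PCI mapping, it helps to generate and check the file rather than type it. The script below is an added example and is not part of the Splunk App for PCI Compliance: it renders a governance stanza from (governance, control) pairs exactly in the shape the steps above describe, and validates a governance.conf against a correlationsearches.conf. The minimal .conf reader, the sample stanza contents and the checks it performs are this example's assumptions.

```python
"""Generate and validate governance.conf mappings for custom correlation searches.

Added example for the Splunk App for PCI Compliance; not the app's own code.
The .conf reader is a minimal stanza/key=value parser (an assumption; it does
not handle Splunk line continuations). Sample file contents are constructed.
"""
import re
from collections import OrderedDict

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")
PAIR_RE = re.compile(r"^compliance\.(\d+)\.(governance|control)$")


def parse_conf(text):
    """Parse INI-style .conf text into {stanza: {key: value}}, preserving key case."""
    stanzas = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, OrderedDict())
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def build_governance_stanza(search_name, mappings):
    """Render one governance.conf stanza from (governance, control) pairs, numbered from 0."""
    lines = ["[%s]" % search_name]
    for idx, (gov, ctrl) in enumerate(mappings):
        lines.append("compliance.%d.governance = %s" % (idx, gov))
        lines.append("compliance.%d.control = %s" % (idx, ctrl))
    return "\n".join(lines) + "\n"


def validate_governance(governance_text, correlation_text):
    """Return a list of problems; an empty list means the mapping file is consistent.

    Checks: each governance stanza names a search present in correlationsearches.conf,
    each compliance.N index has both a governance and a control line, indices are
    contiguous from 0, and no keys outside the compliance.N.* pattern appear.
    """
    problems = []
    searches = parse_conf(correlation_text)
    for stanza, keys in parse_conf(governance_text).items():
        if stanza not in searches:
            problems.append("%s: no matching stanza in correlationsearches.conf" % stanza)
        seen = {}
        for key in keys:
            m = PAIR_RE.match(key)
            if not m:
                problems.append("%s: unexpected key %r" % (stanza, key))
                continue
            seen.setdefault(int(m.group(1)), set()).add(m.group(2))
        for idx in sorted(seen):
            for field in sorted({"governance", "control"} - seen[idx]):
                problems.append("%s: compliance.%d.%s is missing" % (stanza, idx, field))
        if seen and sorted(seen) != list(range(len(seen))):
            problems.append("%s: compliance indices are not contiguous from 0" % stanza)
    return problems


# Constructed sample of a local correlationsearches.conf holding one custom search.
SAMPLE_CORRELATION_CONF = """\
[PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted - Rule]
rule_name = Unauthorized or Insecure Communication Permitted
severity = high
"""

# Governance stanza generated for that search, mapped to two PCI DSS controls.
SAMPLE_GOVERNANCE_CONF = build_governance_stanza(
    "PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted - Rule",
    [("pci", "1.3.3"), ("pci", "1.3.2")],
)

# Constructed broken file: unknown search name and a second pair missing its control line.
BROKEN_GOVERNANCE_CONF = """\
[PCI - 9.9.9 - Nonexistent Search - Rule]
compliance.0.governance = pci
compliance.0.control = 9.9.9
compliance.1.governance = pci
"""

if __name__ == "__main__":
    print(SAMPLE_GOVERNANCE_CONF)
    print("good file problems:", validate_governance(SAMPLE_GOVERNANCE_CONF, SAMPLE_CORRELATION_CONF))
    print("broken file problems:", validate_governance(BROKEN_GOVERNANCE_CONF, SAMPLE_CORRELATION_CONF))
```

Run the validator against the local correlationsearches.conf and governance.conf in the app directory before saving; since governance is only stamped onto notable events created after the change, a mapping error is otherwise noticed only once unmapped notables start appearing in Incident Review.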

Last modified on 11 April, 2017

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.3.0, 3.3.1, 3.3.2, 3.3.3
