Splunk® Security Analytics for AWS

User Manual


Scan your data sources for defined patterns in Splunk Security Analytics for AWS

A correlation search scans multiple data sources for defined patterns. When the search finds a pattern, it runs one or more adaptive response actions, such as creating a notable event.

With correlation searches enabled, dashboards start to display notable events, risk scores, and other data.

Disable correlation searches

Splunk Security Analytics for AWS installs with all appropriate correlation searches enabled. Disable a correlation search to stop it from running its adaptive response actions and from creating notable events in Incident Review.

  1. From the menu bar, select Detections.
    This takes you directly to the Content Management page with the following filters selected:
    • Type filter of Correlation Search
    • App filters for the apps and add-ons specific to Splunk Security Analytics for AWS:
      • SA-AccessProtection
      • DA-ESS-AccessProtection
      • SA-AuditAndDataProtection
      • SA-IdentityManagement
      • DA-ESS-NetworkProtection
      • SA-NetworkProtection
      • SA-ThreatIntelligence
      • DA-ESS_AmazonWebServices
    • Status filter of Enabled
  2. Review the names and descriptions of the correlation searches to determine which ones to keep enabled to support your security use cases.
    For example, if console logins from new countries are no longer a concern, consider disabling the ESCU - Detect AWS Console Login by User from New Country - Rule correlation search.
  3. In the Actions column, click Disable to disable the searches that you don't want to use.

Only enable correlation searches that you use, because every enabled search keeps running its adaptive response actions whether or not anyone acts on the results. For example, don't enable Untriaged Notable Events in an unattended production environment.
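The procedure above applies the same filter by hand that you can apply against the search head's REST API: find the saved searches in the listed apps that are flagged as correlation searches and enabled, then disable the ones outside your allow-list. The following script is an added example, not Splunk's own code or part of this manual. It assumes the search head's management port is reachable over HTTPS (8089 by default), that `SPLUNK_TOKEN` holds a bearer token allowed to edit those saved searches, and that correlation searches are the saved searches carrying `action.correlationsearch.enabled=1`, which is the Enterprise Security convention. The sample listing embedded in the script is constructed for illustration; the app each search lives in was chosen for the sample, not taken from the page.

```python
"""Added example: list enabled correlation searches in the Splunk Security
Analytics for AWS apps and disable the ones you do not use via the REST API.
Assumptions: management port reachable over HTTPS, bearer token in SPLUNK_TOKEN,
correlation searches identified by action.correlationsearch.enabled=1."""
import json
import os
import ssl
import urllib.request
from urllib.parse import quote

# The app filter the Detections page applies (copied from the procedure above).
SSA_AWS_APPS = frozenset({
    "SA-AccessProtection", "DA-ESS-AccessProtection", "SA-AuditAndDataProtection",
    "SA-IdentityManagement", "DA-ESS-NetworkProtection", "SA-NetworkProtection",
    "SA-ThreatIntelligence", "DA-ESS_AmazonWebServices",
})


def enabled_correlation_searches(listing, apps=SSA_AWS_APPS):
    """From the JSON body of GET /services/saved/searches?output_mode=json,
    return [(app, name)] for enabled correlation searches owned by `apps`."""
    found = []
    for entry in listing.get("entry", []):
        app = entry.get("acl", {}).get("app")
        content = entry.get("content", {})
        if app not in apps:
            continue
        if str(content.get("action.correlationsearch.enabled", "0")).lower() not in ("1", "true"):
            continue  # an ordinary saved search or report, not a correlation search
        if str(content.get("disabled", False)).lower() in ("1", "true"):
            continue  # already disabled, nothing to do
        found.append((app, entry["name"]))
    return found


def to_disable(listing, keep, apps=SSA_AWS_APPS):
    """Everything enabled that is not on the explicit allow-list `keep`."""
    return [(app, name) for app, name in enabled_correlation_searches(listing, apps)
            if name not in keep]


def disable_url(base, app, name):
    """POST (empty body) to this URL to disable one saved search in its app.
    Disabling the search also stops its adaptive response actions, which only
    run when the search runs."""
    return (f"{base}/servicesNS/nobody/{quote(app, safe='')}"
            f"/saved/searches/{quote(name, safe='')}/disable")


def _request(url, token, method="GET"):
    req = urllib.request.Request(url, data=b"" if method == "POST" else None,
                                 method=method, headers={"Authorization": f"Bearer {token}"})
    ctx = ssl.create_default_context()  # keep TLS verification on; fix the cert, don't skip it
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()


def fetch_listing(base, token):
    """Ask the server only for correlation searches; count=0 means no paging limit."""
    url = (f"{base}/services/saved/searches?output_mode=json&count=0"
           "&search=action.correlationsearch.enabled%3D1")
    return json.loads(_request(url, token))


# Constructed sample of the REST listing, trimmed to the fields read above.
SAMPLE_LISTING = {"entry": [
    {"name": "ESCU - Detect AWS Console Login by User from New Country - Rule",
     "acl": {"app": "DA-ESS_AmazonWebServices"},
     "content": {"action.correlationsearch.enabled": "1", "disabled": False}},
    {"name": "Untriaged Notable Events",  # app placement is an assumption of the sample
     "acl": {"app": "SA-ThreatIntelligence"},
     "content": {"action.correlationsearch.enabled": "1", "disabled": False}},
    {"name": "Threat - Sample Rule", "acl": {"app": "SA-NetworkProtection"},
     "content": {"action.correlationsearch.enabled": "1", "disabled": True}},
    {"name": "Network - Sample Report", "acl": {"app": "DA-ESS-NetworkProtection"},
     "content": {"action.correlationsearch.enabled": "0", "disabled": False}},
    {"name": "Errors in the last 24 hours", "acl": {"app": "search"},
     "content": {"disabled": False}},
]}

if __name__ == "__main__":
    base, token = os.environ.get("SPLUNK_BASE"), os.environ.get("SPLUNK_TOKEN")
    listing = fetch_listing(base, token) if base and token else SAMPLE_LISTING
    keep = {"ESCU - Detect AWS Console Login by User from New Country - Rule"}
    for app, name in to_disable(listing, keep):
        url = disable_url(base or "https://splunk.example:8089", app, name)
        if base and token and os.environ.get("SPLUNK_APPLY") == "1":
            _request(url, token, method="POST")
            print("disabled", app, name)
        else:
            print("would POST", url)  # dry run unless SPLUNK_APPLY=1
```

Run it without `SPLUNK_BASE` and `SPLUNK_TOKEN` to see the plan against the sample listing; with them set it reads the live listing and still only prints the URLs until `SPLUNK_APPLY=1` is also set. Review the dry-run output the same way step 2 asks you to review the names and descriptions before disabling anything, and note that on a Splunk Cloud stack the management port has to be exposed to your IP range before any of this is reachable.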

Last modified on 10 August, 2021

This documentation applies to the following versions of Splunk® Security Analytics for AWS: 1.0.0
