Creating a Correlation Search in Splunk ES

Creating a Correlation Search in Splunk ES

In this post we intend to help you in Creating a Correlation Search, if you wish to know more about the Correlation searches in Splunk ES, please check our post below on that topic –

Step-1 :  On your Splunk ES GUI navigate to Configure >> Content >> Content Management, click on “Create New Content “  and select Correlation Search.

As an example we are configuring a correlation search to create a notable event for the invalid user login attempts to a server, we have the “linux secure logs” from a server ingested to our main index.

Step-2  :  Configure your search.

cor6

Search Name: Provide a name for the Correlation Search you are about to create.

App: Select the app under which this correlation search will be saved after configuration.

UI Dispatch Context: Set an app to handle the dispatch for this search.

cor_imp
Description: Provide a brief description about the correlation search.

Mode : Select either Guided mode or the Manual mode.

>> We are using the “Manual mode” here, since our search is based on the events directly from the index.

NOTE : The Guided mode can only be used for Data Models and Lookup Files.

Search: Write the SPL query here, for your correlation search.

cor3
Earliest Time: Set the time range for the events to be included in the search, defaults to past 24 hours.

Latest Time: Set the time for the latest events to be considered by the search, defaults to now.

Cron Schedule: Set the schedule of this search, follows cron schedule rules, defaults to every 5 mins.
cor4
Scheduling: Select one of the scheduling styles, Real-time or Continuous, if you are not sure about this option then leave to default.

Schedule Window: Select the schedule window, decides when to run the search if multiple concurrent searches are there to be executed.

Schedule Priority: Set the priority of this search.
cor4 - Copy - Copy
Trigger alert when:  Select the condition based on which you want to trigger the alerts.
cor_imp2
Throttling: Set the time frame for suppressing/ignoring other events with the same field values, field(s) as specified in “Fields to group by” option.

Fields to group by: Mention the fields to be used for the group by operation, selecting an appropriate group by field keeps the number of alerts considerably low.
cor5
Adaptive Response Actions (Optional) : Select one or more of the actions from this list.

Select Notable to create a notable event based on this search, this appears on the Incident Review dashboard.

You can also know about :  What is Splunk DSP| Process of Navigation

Step-3 : Configure the notable event.

cor_imp3

Title: Provide a name for this notable event, this name appears in the incident review dashboard.

>>You can use a variable here, for ex if you want to see the src_ip along with the notable event   name you can put something like-

Possible break-in attempts from $src_ip$

Description: Provide a description for this notable event.
Security Domain: Set the security domain of this notable event.

>> Since break-in attempts are a threat to the organisation, we have set threat.

Severity: Set the severity of this notable event, helps the analysts to prioritize the notables.

Default Owner: assign the default owner for this notable event, if needed.

Default Status: assign the default status for this notable event, if needed.

Drill-down Name: Provide a drill-down name, in case you want to set a drill-down action on the notables.

Variables can be used with this option.

Drilldown Search: Set the SPL query to be used as drill-down, supports variable.

Drill-down Earliest Offset: In most scenarios you don’t need to change this, leave to default value.
cor_imp4
Drill-down latest Offset: In most scenarios you don’t need to change this, leave to default value.

Investigation Profile(Optional): Set the Investigation profile here.

Asset Extraction: Provide the asset information to be extracted from this notable event.

Identity Extraction: Provide the identity information to be extracted from this notable event.

NOTE: This asset and identity information are used for correlations throughout the Splunk ES frameworks.

To know more about the available frameworks in ES please check our post –

You can also know about :  Splunk: A key to Cybersecurity Automation to tackle rising threats

Introduction to Splunk ES

Next Steps: Whether you want your analysts to take some predefined actions/responses on this notable events, select the options from the dropdown list.

>> we have selected two options-

  • Add threat-intelligence : Adds the results from this notable events to the threat intelligence DB.
  • Risk Analysis: Does the risk analysis on the Extracted assets and identities from the notable event.
    
    cor8
    
Recommended Actions: This acts as a suggestion of actions for the analysts, so they don’t have to search through the entire list of available actions.

Step-4 : Click on the Save button to save the correlation search.

Navigate to the Incident Review Dashboard on your Splunk ES app, the notable events created by the correlation searches show up here.

incident

Hope you enjoyed the post how to create a Correlation Search in Splunk ES

Happy Splunking!!

Advertisements

One comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.