Correlation Searches in Splunk Enterprise Security
A correlation search is essentially a saved search that runs on a schedule and can search across multiple sources of data in the Splunk environment. These correlation searches are designed to detect malicious events or patterns. Whenever a correlation search matches the specified criteria, conditions or events, it can trigger one or more of the available “Adaptive Response Actions”. The most common of these is creating a notable event, which surfaces the results on the Incident Review dashboard for further investigation and analysis.
Splunk Enterprise Security offers 60 out-of-the-box correlation searches, spanning the various security domains such as access, identity, network, endpoint and threat intelligence. Depending on the data you have on your Splunk platform, you can enable one or more of these correlation searches. These correlation searches pull their data from the different CIM data models present in Splunk. Before you enable any of the correlation searches, you must make sure that the data models are being fed from the related indexes and that the fields are being populated properly; a correlation search that runs over an empty or partially populated data model will silently produce no notable events.
In a nutshell, the relation is: indexes feed the CIM data models, the correlation searches query the data models, and a match triggers an adaptive response action such as a notable event.
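The following two searches illustrate that chain end to end. They are an added example written for this post, not one of the 60 searches shipped with Splunk ES. The first search is the data-model health check recommended above; the second is a hypothetical correlation search over the CIM Authentication data model that flags a source producing more than 20 failed logins for one user within the scheduled time window. The field names are standard CIM Authentication fields; the threshold of 20 and the 60-minute schedule are assumed values to be tuned for your environment.

```spl
| tstats summariesonly=true count
    from datamodel=Authentication.Authentication
    by index, sourcetype, Authentication.action

| tstats summariesonly=true allow_old_summaries=true count
    values(Authentication.dest) as dest
    from datamodel=Authentication.Authentication
    where Authentication.action="failure"
    by Authentication.src, Authentication.user
| rename "Authentication.*" as *
| where count > 20
| sort - count
```

Run the first search over the same time range the correlation search will be scheduled for: if it returns no rows, or `Authentication.action` is empty for a sourcetype, the second search will never trigger regardless of what is happening on the network. When the second search is saved as a correlation search with the notable event adaptive response action and scheduled to run every 60 minutes over the previous 60 minutes, each row it returns becomes a notable on the Incident Review dashboard.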
You can get the list of all the correlation searches on your Splunk ES as shown below:
| inputlookup correlationsearches_lookup
To enable/disable a correlation search in the Splunk ES app, navigate to Configure >> Content >> Content Management, click on Type and select Correlation Search.
Under Actions you can enable/disable these searches.
That’s all in this post for now. Keep following us for more interesting blog updates on Splunk; we are soon going to cover “How to create a correlation search in Splunk ES”.