WEEK_3 · DAY_19 · 1 HOUR
Correlation Searches
Author the rules that produce Notable Events
Learning Objectives
- Anatomy of a correlation search
- Author a brute-force-succeeded search
- Configure Notable + Risk + Email actions
- Throttle, schedule, tune false positives
Module 1 — Anatomy
A scheduled saved search that runs against accelerated data models, with adaptive response actions.
Lives in Configure → Content Management → Correlation Searches.
Module 2 — Authoring Workflow
1) Hypothesis (e.g. brute force succeeded).
2) SPL on an accelerated data model.
3) Schedule (cron).
4) Throttle.
5) Adaptive Response (Notable + Risk + Email).
Module 3 — Best Practices
Use tstats on accelerated DMs (always).
Throttle by entity (src, user) for at least 1 hour.
Let urgency be derived from event severity and the asset/identity priority (criticality), NOT from a static value.
Document the runbook in the search description.
SPL Queries
Brute force succeeded
| tstats summariesonly=t count as fail_count
from datamodel=Authentication
where Authentication.action=failure earliest=-1h
by Authentication.src, Authentication.user
| where fail_count > 20
| join type=inner Authentication.src
[| tstats summariesonly=t count as success_count
from datamodel=Authentication
where Authentication.action=success earliest=-1h
by Authentication.src]
| `drop_dm_object_name(Authentication)`
Logic: 20+ failures for a src/user pair plus at least one success from the same src within the same 1h window (the search does not enforce that the success comes after the failures). Each count is renamed so the join does not overwrite the failure count with the success count.
Lab 19 — Author a Correlation Search
- Open Splunk ES → Configure → Content Management → Correlation Searches.
- Build 'Brute force succeeded' (use the SPL above).
- Schedule every 5 min, throttle 1h by src.
- Add adaptive responses: Notable (urgency=high), Risk (+50 system, +25 user), Email.
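Added example (not Splunk code and not part of the course material): a plain-Python model of the "Brute force succeeded" search above and of the lab's 5-minute schedule with a 1h throttle by src, so the logic can be traced without an ES instance. The event records, the BASE timestamp and the helper names (brute_force_succeeded, Throttle, run_schedule, at) are constructed for this illustration; in Splunk the same logic runs as tstats over the accelerated Authentication data model.

```python
# Added example: Python model of the correlation search and its throttle.
# Not Splunk code; event records below are constructed sample data.
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 1, 12, 0, 0)  # constructed anchor time


def at(minutes):
    """Constructed timestamp helper: BASE plus the given number of minutes."""
    return BASE + timedelta(minutes=minutes)


# Constructed Authentication data-model events: src, user, action, _time.
SAMPLE_EVENTS = (
    # 25 failures for alice from 10.0.0.5, then a success from the same src.
    [{"src": "10.0.0.5", "user": "alice", "action": "failure",
      "_time": BASE + timedelta(seconds=10 * i)} for i in range(25)]
    + [{"src": "10.0.0.5", "user": "alice", "action": "success", "_time": at(6)}]
    # 30 failures for bob with no success: noisy, but not "succeeded".
    + [{"src": "10.0.0.9", "user": "bob", "action": "failure",
        "_time": BASE + timedelta(seconds=10 * i)} for i in range(30)]
    # 3 failures then a success for carol: below the threshold.
    + [{"src": "10.0.0.7", "user": "carol", "action": "failure",
        "_time": BASE + timedelta(seconds=i)} for i in range(3)]
    + [{"src": "10.0.0.7", "user": "carol", "action": "success", "_time": at(1)}]
)


def brute_force_succeeded(events, now, window_minutes=60, threshold=20):
    """Mirror of the SPL: count failures per (src, user) in the window, keep
    pairs with more than `threshold` failures, then inner-join on src against
    sources that had at least one success in the same window."""
    start = now - timedelta(minutes=window_minutes)
    fails = defaultdict(int)
    successes = defaultdict(int)
    for e in events:
        if not (start <= e["_time"] <= now):
            continue
        if e["action"] == "failure":
            fails[(e["src"], e["user"])] += 1
        elif e["action"] == "success":
            successes[e["src"]] += 1
    results = []
    for (src, user), fail_count in sorted(fails.items()):
        if fail_count > threshold and successes.get(src, 0) > 0:
            results.append({"src": src, "user": user,
                            "fail_count": fail_count,
                            "success_count": successes[src]})
    return results


class Throttle:
    """Per-entity suppression like the correlation search throttle setting:
    the same values of `fields` do not raise another notable within the window."""

    def __init__(self, fields, window_minutes=60):
        self.fields = tuple(fields)
        self.window = timedelta(minutes=window_minutes)
        self._last = {}

    def allow(self, result, now):
        key = tuple(result[f] for f in self.fields)
        last = self._last.get(key)
        if last is not None and now - last < self.window:
            return False  # suppressed: entity fired within the window
        self._last[key] = now
        return True


def run_schedule(events, run_times, throttle):
    """Simulate the cron schedule: each run evaluates the search and keeps
    only results that pass the throttle (these would become notables)."""
    notables = []
    for now in run_times:
        for r in brute_force_succeeded(events, now):
            if throttle.allow(r, now):
                notables.append((now, r))
    return notables


if __name__ == "__main__":
    # Four 5-minute runs; only the first produces a notable for 10.0.0.5.
    runs = [at(10 + 5 * i) for i in range(4)]
    for when, r in run_schedule(SAMPLE_EVENTS, runs, Throttle(["src"])):
        print(when.time(), r)
```

Running the block shows a single notable for 10.0.0.5/alice even though the search matches on every 5-minute run; without the throttle the same entity would raise four notables in twenty minutes, which is the "throttle or perish" point from Module 3.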
Key Takeaways
- ✓ Always tstats on accelerated DMs
- ✓ Throttle or perish
- ✓ Document the runbook inline