WEEK_3 · DAY_19 · LAB
Lab 19 — Author a Correlation Search
Author the rules that produce Notable Events
Lab Objectives
- Anatomy of a correlation search
- Author a brute-force-succeeded search
- Configure Notable + Risk + Email actions
- Throttle, schedule, tune false positives
Lab Instructions
1. Open Splunk ES → Configure → Content Management → Correlation Searches.
2. Build 'Brute force succeeded' (use the SPL in the "SPL for this Lab" section below).
3. Schedule every 5 min, throttle 1h by src.
4. Add adaptive responses: Notable (urgency=high), Risk (+50 system, +25 user), Email.
SPL for this Lab
Brute force succeeded
| tstats summariesonly=t count
    from datamodel=Authentication
    where Authentication.action=failure earliest=-1h
    by Authentication.src, Authentication.user
| where count > 20
| join Authentication.src
    [| tstats summariesonly=t count
        from datamodel=Authentication
        where Authentication.action=success earliest=-1h
        by Authentication.src
     | rename count as success_count]
| `drop_dm_object_name(Authentication)`
What it matches: more than 20 failures for one src/user pair in the last hour, and at least one success from the same src in that same hour. The subsearch renames its count to success_count so the join does not overwrite the failure count that the notable should display. Note that the join matches on src only: the success may belong to a different user on that src, and the SPL does not check that the success came after the failures.
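To see exactly what the search above does and does not assert, here is an added Python model of it (example code written for this page, not part of the lab or of Splunk ES). It replays the SPL's logic over constructed Authentication events: count failures per src/user inside the 1h window, keep pairs with more than 20, and require a success from the same src in that window. With require_order=True it adds the check the SPL's join lacks (the success must come after failure number 21), then applies the 1h per-src throttle from step 3 and the +50/+25 risk scores from step 4. The event tuple format, the sample IPs and user names, and the simplified throttle bookkeeping are all assumptions made for the example.

```python
"""Model of the 'Brute force succeeded' correlation search (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta


def _t(hhmm):
    # Constructed timestamp on a fixed date, from "HH:MM".
    return datetime(2024, 1, 1, int(hhmm[:2]), int(hhmm[3:]))


def _burst(src, user, start, n):
    # n failures one minute apart, starting at `start` (constructed data).
    return [(start + timedelta(minutes=i), src, user, "failure") for i in range(n)]


# Constructed sample Authentication events: (timestamp, src, user, action).
SAMPLE_EVENTS = (
    _burst("10.0.0.5", "alice", _t("12:00"), 25) + [(_t("12:30"), "10.0.0.5", "alice", "success")]
    + _burst("10.0.0.5", "dave", _t("12:10"), 25)                 # second user, same src
    + _burst("10.0.0.9", "bob", _t("12:00"), 25) + [(_t("12:05"), "10.0.0.9", "bob", "success")]
    + _burst("10.0.0.7", "carol", _t("12:00"), 5) + [(_t("12:10"), "10.0.0.7", "carol", "success")]
    + _burst("10.0.0.3", "erin", _t("10:00"), 40) + [(_t("10:45"), "10.0.0.3", "erin", "success")]
)
NOW = _t("13:00")   # search run time; earliest=-1h therefore means 12:00


def brute_force_succeeded(events, now, window=timedelta(hours=1), threshold=20, require_order=True):
    """Return [(src, user, failure_count)], the rows the SPL would emit.

    require_order=False reproduces the SPL exactly: a success from the same src
    anywhere in the window is enough. require_order=True also demands that the
    success came after the failure that crossed the threshold.
    """
    earliest = now - window
    in_window = [e for e in events if earliest <= e[0] <= now]
    fails = defaultdict(list)       # (src, user) -> failure timestamps
    successes = defaultdict(list)   # src -> success timestamps (join key is src only)
    for ts, src, user, action in in_window:
        if action == "failure":
            fails[(src, user)].append(ts)
        elif action == "success":
            successes[src].append(ts)
    results = []
    for (src, user), times in sorted(fails.items()):
        if len(times) <= threshold or src not in successes:   # mirrors `where count > 20` + join
            continue
        times.sort()
        crossed = times[threshold]   # timestamp of failure number threshold+1
        if require_order and not any(s >= crossed for s in successes[src]):
            continue
        results.append((src, user, len(times)))
    return results


def throttle_by_src(results, state, now, throttle=timedelta(hours=1)):
    """Step 3: emit at most one notable per src per `throttle` period.

    `state` maps src -> time of the last emitted notable and is updated in place.
    """
    emitted = []
    for src, user, count in results:
        last = state.get(src)
        if last is not None and now - last < throttle:
            continue
        state[src] = now
        emitted.append((src, user, count))
    return emitted


def risk_events(notable, system_score=50, user_score=25):
    """Step 4 risk action: +50 on the system (src) and +25 on the user."""
    src, user, _ = notable
    return [
        {"risk_object": src, "risk_object_type": "system", "risk_score": system_score},
        {"risk_object": user, "risk_object_type": "user", "risk_score": user_score},
    ]


if __name__ == "__main__":
    print("SPL-equivalent:", brute_force_succeeded(SAMPLE_EVENTS, NOW, require_order=False))
    ordered = brute_force_succeeded(SAMPLE_EVENTS, NOW)
    print("with ordering:", ordered)
    for notable in throttle_by_src(ordered, {}, NOW):
        print("notable:", notable, "risk:", risk_events(notable))
```

Running it shows three rows for the SPL-equivalent pass (alice, dave and bob), because bob's success at 12:05 sits in the window even though it precedes the burst; the ordered pass drops bob, and the throttle then collapses alice and dave, who share a src, into a single notable. Erin never appears because her activity falls outside earliest=-1h.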