Enterprise Security
Splunk App for Enterprise Security · v7.3.0
DAY 19 LAB · LAB 19 — AUTHOR A CORRELATION SEARCH · WEEK 3
Author a 'Brute force succeeded' correlation search end-to-end.
- Configure → Correlation Searches → Create.
- Use the pre-loaded SPL.
- Schedule it, throttle it, and add Notable, Risk, and Email adaptive response actions.
- Document the inline runbook.
Hint: at scale the search must use tstats against the accelerated data model. Throttle by src for at least 1 hour.
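The kind of savedsearches.conf stanza this lab ends up with, added here as an illustration and not the lab's pre-loaded SPL. The stanza name, thresholds, schedule, recipient address and every adaptive-response parameter are assumptions; check them against the savedsearches.conf.spec shipped with your ES version.

```ini
# Constructed example stanza (not the lab's pre-loaded SPL). Stanza name, thresholds,
# schedule, recipient and action parameters are assumptions to verify against the spec.
[Access - Brute Force Succeeded - Rule]
description = Many authentication failures followed by a success from the same src within one hour.
enableSched = 1
# Every 15 min over a sliding 1h window; the 5 min lag lets data-model acceleration catch up.
cron_schedule = */15 * * * *
dispatch.earliest_time = -65m@m
dispatch.latest_time = -5m@m
# tstats on the accelerated Authentication data model; summariesonly=true keeps it from
# falling back to raw events, which is what makes the search cheap at scale.
search = | tstats summariesonly=true allow_old_summaries=true count \
    from datamodel=Authentication.Authentication \
    where (Authentication.action="failure" OR Authentication.action="success") \
    by _time span=5m, Authentication.src, Authentication.action \
  | rename Authentication.* as * \
  | eval failure=if(action="failure", count, 0), success=if(action="success", count, 0), \
         succTime=if(action="success", _time, null()) \
  | stats sum(failure) as failure, sum(success) as success, min(_time) as firstTime, max(succTime) as lastSuccess by src \
  | where failure >= 20 AND success > 0 AND lastSuccess >= firstTime \
  | convert ctime(firstTime) ctime(lastSuccess)
# Throttle: at most one notable per src per hour. The suppress field must be present in the
# search results, which is why Authentication.src is renamed to src above.
alert.suppress = 1
alert.suppress.fields = src
alert.suppress.period = 3600s
# Adaptive response actions: Notable + Risk + Email.
action.correlationsearch.enabled = 1
action.correlationsearch.label = Brute Force Succeeded
action.notable = 1
action.notable.param.security_domain = access
action.notable.param.severity = high
action.notable.param.rule_title = Brute force succeeded against $src$
action.notable.param.rule_description = $failure$ failures then $success$ success(es) from $src$ between $firstTime$ and $lastSuccess$.
action.risk = 1
action.risk.param._risk_object = src
action.risk.param._risk_object_type = system
action.risk.param._risk_score = 60
action.email = 1
action.email.to = soc@example.com
action.email.subject = ES: brute force succeeded from $result.src$
```

Because consecutive 15-minute runs overlap on the same hour of data, a src that trips the threshold would fire up to four times without the throttle; the suppress settings are what keep it to one notable.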