topic How to get a complete list with descriptions of correlation searches in the Splunk Enterprise Security app? in Splunk Enterprise Security

How to get a complete list with descriptions of correlation searches in the Splunk Enterprise Security app?

mjuhasz — Thu, 28 May 2015 16:08:53 GMT

Is there any list available anywhere which contains all the correlation searches and their description together? I would like to present it to some stakeholders, but documentation contains only a few of them. I'm looking for something like the "Search View matrix" in the User Guide of the Splunk Enterprise Security app, but with all the correlation searches in it.

Thanks
Miklos

Re: How to get a complete list with descriptions of correlation searches in the Splunk Enterprise Security app?

ekost — Thu, 28 May 2015 19:09:29 GMT

Yes. Use a REST search to expose the information in a table with the fields you're interested in. Example:

| rest /services/alerts/correlationsearches | rename eai:acl.app as app, title as csearch_name | table app security_domain csearch_name description

Re: How to get a complete list with descriptions of correlation searches in the Splunk Enterprise Security app?

mjuhasz — Wed, 03 Jun 2015 12:53:48 GMT

Thank you! Elegant. 🙂

Re: How to get a complete list with descriptions of correlation searches in the Splunk Enterprise Security app?

Jason — Wed, 18 May 2016 16:42:59 GMT

And if you want to include the actual search text, for analysis of what rules use what data sources for example, you can extend this answer to:

| rest /services/alerts/correlationsearches 
| rename eai:acl.app as app, title as csearch_name 
| join type=outer app csearch_name [ rest /services/saved/searches 
    | rename eai:acl.app as app, title as csearch_name search as csearch 
    | table app csearch_name csearch ] 
| table app security_domain csearch_name description csearch

Re: How to get a complete list with descriptions of correlation searches in the Splunk Enterprise Security app?

ekost — Thu, 04 May 2017 14:48:33 GMT

For ES 4.6 and later, the REST endpoint to call has changed.
Sample from the ES admin docs: | rest splunk_server=local count=0 /services/saved/searches | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") | rename eai:acl.app as app, title as csearch_name, action.correlationsearch.label as csearch_label, action.notable.param.security_domain as security_domain | table csearch_name, csearch_label, app, security_domain, description

Re: How to get a complete list with descriptions of correlation searches in the Splunk Enterprise Security app?

mjuhasz — Fri, 05 May 2017 14:57:11 GMT

Thank you for the update!

Re: How to get a complete list with descriptions of correlation searches in the Splunk Enterprise Security app?

martinr8 — Tue, 16 Jul 2019 13:23:22 GMT

Using the search provide in the ES documentation did not list all of the correlation searches in our environment, especially the ones in other apps. I used this search to find them all

| rest /servicesNS/-/-/saved/searches splunk_server=local | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")