Hello everyone,
I'd appreciate it if anyone could step in to help me with something that is unclear to me.
For use cases (anything in the Enterprise Security > Content), I have found out that for the NEW correlation searches that will be created I can use macros or eventtypes/tags in my correlation search to address all existing source types AND new source types that might be onboarded, so that all my use cases (CSs) stay up to date.
Could someone explain how this works with the content that comes by default with Enterprise Security? How do those out-of-the-box correlation searches (saved searches and all the others) know how to look into data from my source types if the source types aren't specified?
Thank you in advance to anyone who will take their time to make this clear to me.
So basically, unless the correlation searches that come out-of-the-box with Enterprise Security are modified/customized, they won't apply straightforwardly to the logs that are being forwarded from the nodes?
Hi @tokio13,
most of them are applied to data models, to have better performance, especially with large volumes of data, but there are some of them directly applied to indexes (not many!).
Anyway, also after customization they continue to use data models; as I said, in this way you have better performance.
Ciao.
Giuseppe
Hi @tokio13,
first, if you need to customize a Correlation Search I suggest cloning it and working on the cloned one; don't customize the existing one. Yes, it's saved in local so it will not be overwritten on the next update, but it's a best practice.
Then you can take your CS and run it in the search dashboard, viewing the results.
If it uses a data model and you cannot see the sourcetypes because they aren't displayed, you can see the data model data by running a simple search on the data contained in that data model, so you can see the sourcetype; for more info see https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/From
If it doesn't use a data model, you can run the main search and see the sourcetype.
If it uses a macro, you can look at the macro, or in the job inspector you have the full search.
ES usually uses data models or macros or both.
Ciao.
Giuseppe
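The searches below are an added example of the procedure Giuseppe describes; they are not part of the thread and not Splunk's or ES's own content. They assume the CIM Authentication data model (whose root dataset is constrained by tag=authentication) and the ES macros summariesonly and security_content_summariesonly, which are all assumptions about the reader's environment. The last search is a hypothetical correlation-search body written to illustrate the point, not any search that ships with ES.

```spl
| tstats count from datamodel=Authentication by sourcetype

| from datamodel:Authentication | stats count by sourcetype, source

| search tag=authentication earliest=-24h | stats count by sourcetype, eventtype

| rest /servicesNS/-/-/configs/conf-macros splunk_server=local | search title="summariesonly" OR title="security_content_summariesonly" | table title, definition, eai:acl.app

| tstats `summariesonly` count from datamodel=Authentication where Authentication.action="failure" by Authentication.src, Authentication.user, sourcetype
```

Run them one at a time in the search dashboard. The first lists the sourcetypes that currently populate the data model (use summariesonly=true to see only accelerated data); the second reads the data model's own constraint search, so sourcetype and source appear even though the model definition never names them; the third shows which eventtypes carry the tag that routes events into the model, which is exactly how a newly onboarded sourcetype is picked up once its add-on tags it. The rest search shows the macro definitions so you can see what a correlation search expands to (the job inspector gives the same expanded search). The final search has no sourcetype in it at all: it applies to every sourcetype whose add-on maps it into the Authentication model, which is why out-of-the-box content works without listing your sourcetypes.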