Splunk Enterprise Security

Correlation Search does not fire an email or notable when it should

zpadams
New Member

I have this correlation search we use to help detect common potential web attacks in IIS logs. The problem is that while the correlation search is enabled, it does not fire off when a matching result is found. When we run the same search in a Search window for the same time frame, results are found that the correlation search missed. I cannot figure out why the Correlation Search does not fire.

This is the configuration of the correlation search we are running:

| tstats summariesonly=t count from datamodel=Web by _time, host, Web.uri_path, Web.uri_query, Web.http_user_agent, Web.src, Web.status
| rename "Web.*" as *
| makemv delim=";" attack_type
| eval attack_type=(if(match(uri_path, "(?i)(javascript|vbscript|script|expression|applet|eval|phpinfo|iframe|frame|frameset)(?![a-z0-9\.]|$)"), mvappend(attack_type, "Script Inject"), attack_type))
| eval attack_type=(if(match(uri_query, "(?i)(javascript|vbscript|script|expression|applet|eval|phpinfo|iframe|frame|frameset)(?![a-z0-9\.]|$)"), mvappend(attack_type, "Script Inject"), attack_type))
| eval attack_type=(if(match(uri_query, "(?i)(select|union|insert|exec|replace|truncate)(?![a-z0-9]|$)"), mvappend(attack_type, "SQLi"), attack_type))
| eval attack_type=(if(match(uri_query, "(?i).*[^a-z]xp_.*"), mvappend(attack_type, "XP Call"), attack_type))
| eval attack_type=(if(match(uri_query, "(?i).*((\%3c)|<)((\%2f)|\/)*[a-z0-9\%]+((\%3e)|>).*"), mvappend(attack_type, "XSS"), attack_type))
| eval attack_type=(if(match(uri_query, "(?i).*(\/|\\|%2f|%5c)((\.|%2e)(?!\w)).*"), mvappend(attack_type, "Dir Traverse"), attack_type))
| eval attack_type=(if(match(uri_path, "(?i).*(\/|\\|%2f|%5c)((\.|%2e)(?!\w)).*"), mvappend(attack_type, "Dir Traverse"), attack_type))
| eval attack_type=(if(match(http_user_agent, "(?i)^\(\)(\+|\s)"), mvappend(attack_type, "Shellshock"), attack_type))
| search attack_type=* NOT uri_query="*<br/>*" NOT http_user_agent="*bingbot*" NOT
[| inputlookup Security_IPs.csv
 | table c_ip
 | rename c_ip as src]

Earliest Time: 10m@m
Latest Time: @m
Cron Schedule: Run every 10 minutes
Scheduling: Real-Time
Schedule Window: 0
Schedule Priority: Default

Trigger alert when: Number of results is greater than 0

An email and a notable are set to generate. The email is set to go to my corporate mailbox.

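The following is an added example, not part of the original post or of Splunk: a stand-alone Python re-implementation of the search pipeline above (the eight match()/mvappend evals, the attack_type=* filter, the <br/> and bingbot exclusions, and the Security_IPs.csv subsearch), run over a handful of constructed IIS W3C log lines. The regexes are transcribed from the SPL; the log lines, the allowlisted scanner address and the field layout are assumptions made for the example. Running the same signatures offline against known events tells you whether the patterns themselves match, which separates a pattern problem from a scheduling or summary-population problem in the correlation search.

```python
import re

# Regexes transcribed from the correlation search above. SPL match() is
# unanchored, so re.search is the equivalent call.
SIGNATURES = [
    # (label, Web data model field, pattern) in the same order as the evals
    ("Script Inject", "uri_path",
     r"(?i)(javascript|vbscript|script|expression|applet|eval|phpinfo|iframe|frame|frameset)(?![a-z0-9.]|$)"),
    ("Script Inject", "uri_query",
     r"(?i)(javascript|vbscript|script|expression|applet|eval|phpinfo|iframe|frame|frameset)(?![a-z0-9.]|$)"),
    ("SQLi", "uri_query", r"(?i)(select|union|insert|exec|replace|truncate)(?![a-z0-9]|$)"),
    ("XP Call", "uri_query", r"(?i).*[^a-z]xp_.*"),
    ("XSS", "uri_query", r"(?i).*((%3c)|<)((%2f)|/)*[a-z0-9%]+((%3e)|>).*"),
    ("Dir Traverse", "uri_query", r"(?i).*(/|\\|%2f|%5c)((\.|%2e)(?!\w)).*"),
    ("Dir Traverse", "uri_path", r"(?i).*(/|\\|%2f|%5c)((\.|%2e)(?!\w)).*"),
    ("Shellshock", "http_user_agent", r"(?i)^\(\)(\+|\s)"),
]

# Constructed stand-in for the c_ip column of Security_IPs.csv (assumption):
# internal scanner sources whose traffic the search suppresses.
SECURITY_IPS = {"192.0.2.1"}

# Constructed IIS W3C lines (assumption). Fields: date time s-ip cs-method
# cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status.
# IIS writes "-" for empty fields and "+" for spaces inside the User-Agent.
SAMPLE_LOG = """\
2024-01-01 00:00:01 10.0.0.5 GET /index.aspx - 80 - 203.0.113.10 Mozilla/5.0 200
2024-01-01 00:00:02 10.0.0.5 GET /search.aspx q=1%27+union+select+1,2 80 - 198.51.100.7 Mozilla/5.0 200
2024-01-01 00:00:03 10.0.0.5 GET /download.aspx file=..%2f..%2fweb.config 80 - 198.51.100.7 curl/8.0 404
2024-01-01 00:00:04 10.0.0.5 GET /cgi-bin/test.cgi - 80 - 198.51.100.8 ()+{+:;+};+echo 500
2024-01-01 00:00:05 10.0.0.5 GET /page.aspx name=%3Cscript%3Ealert(1)%3C/script%3E 80 - 198.51.100.9 Mozilla/5.0 200
2024-01-01 00:00:06 10.0.0.5 GET /status.aspx q=select+1 80 - 198.51.100.20 Mozilla/5.0+(compatible;+bingbot/2.0) 200
2024-01-01 00:00:07 10.0.0.5 GET /download.aspx file=..%2f..%2fweb.config 80 - 192.0.2.1 internal-scanner/1.0 404
"""

# Column names mapped onto the Web data model names the search uses after rename.
FIELDS = ["date", "time", "s_ip", "method", "uri_path", "uri_query",
          "port", "user", "src", "http_user_agent", "status"]


def parse_iis_line(line):
    """Split one W3C line into a record keyed by the search's field names."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None  # malformed line; skip it
    rec = dict(zip(FIELDS, parts))
    for key in ("uri_query", "user"):
        if rec[key] == "-":
            rec[key] = ""  # IIS placeholder for an empty field
    return rec


def classify(rec):
    """Replay the eval/mvappend chain: same label order, duplicates kept like mvappend."""
    attack_type = []
    for label, field, pattern in SIGNATURES:
        if re.search(pattern, rec[field]):
            attack_type.append(label)
    return attack_type


def passes_filters(rec, security_ips):
    """The trailing `| search attack_type=* NOT ...` clause and the lookup subsearch."""
    if not rec["attack_type"]:
        return False
    if "<br/>" in rec["uri_query"]:
        return False
    if "bingbot" in rec["http_user_agent"].lower():  # *bingbot* matches case-insensitively in SPL
        return False
    if rec["src"] in security_ips:  # NOT [| inputlookup Security_IPs.csv | ... | rename c_ip as src]
        return False
    return True


def run_search(log_text, security_ips=SECURITY_IPS):
    """Return the events the correlation search would count as results."""
    results = []
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec is None:
            continue
        rec["attack_type"] = classify(rec)
        if passes_filters(rec, security_ips):
            results.append(rec)
    return results


if __name__ == "__main__":
    for rec in run_search(SAMPLE_LOG):
        print(rec["time"], rec["src"], rec["uri_path"], rec["attack_type"])
```

Of the seven constructed lines, four survive: the bingbot line and the allowlisted scanner line are classified but then excluded, and the benign first line never gets an attack_type. Swapping SAMPLE_LOG for lines exported from Splunk for a window where the scheduled search stayed silent shows immediately whether the regexes are the reason.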

zpadams
New Member

I was asked by a co-worker to set the correlation search to look at the last 24 hours, but set the inline search to limit the results from the last 10 minutes.

I used the "minutesago" and "earliest" time variables, and neither worked.


RanjiRaje
Explorer

Hi, did you find any solution for this issue? I am facing the same now.
