Splunk Enterprise Security

Correlation Search does not fire an email or notable when it should

New Member

I have this correlation search we use to help detect common potential web attacks in IIS logs. The problem is that while the correlation is enabled, it does not fire off when a matching result is found. When we run the same search in a Search window for the same time frame, results are found that the correlation search missed. I cannot figure out why the Correlation Search does not fire.

This is the configuration of the correlation search we are running:

| tstats summariesonly=t count from datamodel=Web by _time, host, Web.uri_path, Web.uri_query, Web.http_user_agent, Web.src, Web.status 
| rename "Web.*" as * 
| makemv delim=";" attack_type 
| eval attack_type=(if(match(uri_path, "(?i)(javascript|vbscript|script|expression|applet|eval|phpinfo|iframe|frame|frameset)(?![a-z0-9\.]|$)"), mvappend(attack_type, "Script Inject"), attack_type)) 
| eval attack_type=(if(match(uri_query, "(?i)(javascript|vbscript|script|expression|applet|eval|phpinfo|iframe|frame|frameset)(?![a-z0-9\.]|$)"), mvappend(attack_type, "Script Inject"), attack_type)) 
| eval attack_type=(if(match(uri_query, "(?i)(select|union|insert|exec|replace|truncate)(?![a-z0-9]|$)"), mvappend(attack_type, "SQLi"), attack_type)) 
| eval attack_type=(if(match(uri_query, "(?i).*[^a-z]xp_.*"), mvappend(attack_type, "XP Call"), attack_type)) 
| eval attack_type=(if(match(uri_query, "(?i).*((\%3c)|<)((\%2f)|\/)*[a-z0-9\%]+((\%3e)|>).*"), mvappend(attack_type, "XSS"), attack_type)) 
| eval attack_type=(if(match(uri_query, "(?i).*(\/|\\|%2f|%5c)((\.|%2e)(?!\w)).*"), mvappend(attack_type, "Dir Traverse"), attack_type)) 
| eval attack_type=(if(match(uri_path, "(?i).*(\/|\\|%2f|%5c)((\.|%2e)(?!\w)).*"), mvappend(attack_type, "Dir Traverse"), attack_type)) 
| eval attack_type=(if(match(http_user_agent, "(?i)^\(\)(\+|\s)"), mvappend(attack_type, "Shellshock"), attack_type)) 
| search attack_type=* NOT uri_query="*<br/>*" NOT http_user_agent="*bingbot*" NOT 
[| inputlookup Security_IPs.csv 
 | table c_ip 
 | rename c_ip as src]

Earliest Time: 10m@m
Latest Time: @m
Cron Schedule: Run every 10 minutes
Scheduling: Real-Time
Schedule Window: 0
Schedule Priority: Default

Trigger alert when: Number of results is greater than 0

An email and a notable are set to generate. The email is set to go to my corporate mailbox.

0 Karma
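As an added example (not part of either post), the attack_type eval chain and the trailing exclusion filter from the correlation search above, re-implemented in Python so the regexes can be exercised against constructed IIS-style rows before relying on the scheduled search; the allowlisted address standing in for Security_IPs.csv and the sample rows are constructed.

```python
import re
# Python translations of the match() regexes in the search above; the ".*" wrappers
# are dropped because re.search is unanchored, and the lookaheads are kept as written.
SCRIPT = r"(javascript|vbscript|script|expression|applet|eval|phpinfo|iframe|frame|frameset)(?![a-z0-9.]|$)"
TRAVERSE = r"(/|\\|%2f|%5c)(\.|%2e)(?!\w)"  # slash then dot, and the dot is not part of a name
CHECKS = [  # (field, label, regex) in the same order as the eval chain
    ("uri_path", "Script Inject", SCRIPT),
    ("uri_query", "Script Inject", SCRIPT),
    ("uri_query", "SQLi", r"(select|union|insert|exec|replace|truncate)(?![a-z0-9]|$)"),
    ("uri_query", "XP Call", r"[^a-z]xp_"),
    ("uri_query", "XSS", r"(%3c|<)(%2f|/)*[a-z0-9%]+(%3e|>)"),
    ("uri_query", "Dir Traverse", TRAVERSE),
    ("uri_path", "Dir Traverse", TRAVERSE),
    ("http_user_agent", "Shellshock", r"^\(\)(\+|\s)"),
]
COMPILED = [(field, label, re.compile(rx, re.I)) for field, label, rx in CHECKS]
ALLOWLISTED_SRC = {"10.0.0.5"}  # constructed stand-in for the c_ip values in Security_IPs.csv

def classify(row):
    """Labels the eval chain would put in attack_type (deduplicated; mvappend would repeat them)."""
    labels = []
    for field, label, rx in COMPILED:
        if rx.search(row.get(field, "")) and label not in labels:
            labels.append(label)
    return labels

def should_alert(row):
    """The trailing '| search' clause: some attack_type, and none of the three exclusions."""
    if not classify(row):
        return False
    if "<br/>" in row.get("uri_query", ""):                  # NOT uri_query="*<br/>*"
        return False
    if "bingbot" in row.get("http_user_agent", "").lower():  # NOT http_user_agent="*bingbot*"
        return False
    return row.get("src") not in ALLOWLISTED_SRC             # NOT [ inputlookup ... rename c_ip as src ]

def firing_sources(rows):
    """src values that would count toward 'Number of results is greater than 0'."""
    return [row["src"] for row in rows if should_alert(row)]

# Constructed rows shaped like the tstats output after '| rename "Web.*" as *'.
SAMPLE_ROWS = [
    {"src": "203.0.113.7", "uri_path": "/search.aspx", "uri_query": "q=<script>alert(1)</script>", "http_user_agent": "Mozilla/5.0"},
    {"src": "203.0.113.8", "uri_path": "/item.aspx", "uri_query": "id=1+union+select+1,2", "http_user_agent": "Mozilla/5.0"},
    {"src": "203.0.113.9", "uri_path": "/../../web.config", "uri_query": "", "http_user_agent": "curl/7.64"},
    {"src": "203.0.113.10", "uri_path": "/cgi-bin/status", "uri_query": "", "http_user_agent": "() { :;};"},
    {"src": "10.0.0.5", "uri_path": "/search.aspx", "uri_query": "q=<script>x</script>", "http_user_agent": "scanner"},  # allowlisted src
    {"src": "203.0.113.11", "uri_path": "/scripts/retrieval.aspx", "uri_query": "page=.hidden", "http_user_agent": "bingbot/2.0"},  # benign: lookaheads reject
]
```

Note that the last row shows why the lookaheads matter: "script" in /scripts/ and "eval" in retrieval are followed by a letter or a dot, and "=.hidden" has no slash before the dot, so none of the patterns fire.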

Re: Correlation Search does not fire an email or notable when it should

New Member

I was asked by a co-worker to set the correlation search to look at the last 24 hours, but set the inline search to limit the results from the last 10 minutes.

I used the "minutesago" and "earliest" time variables, and neither worked.

0 Karma