Splunk Enterprise Security

Enterprise Security Correlation Rules

moshahin
Engager

Hi,

How is it possible that a correlation rule is triggering notables based on data dating back to a previous month?

I have a rule with the below time range modifiers:

[screenshot: moshahin_0-1597408333622.png]

It has just been triggered and I tried searching for the matching event for the past day with no luck. 

Expanded my time range to 90 days and I found matching events during the past month only.

Is this scenario familiar to anyone? 


starcher
SplunkTrust

A couple of items. Do not put rt into a modern correlation search. You are likely preventing the search from ending. Continuous tells Splunk to run that search for the time it launched with the window provided. It does not advance the window until the search completes. 

Consider how long a search takes to complete and then choose a suitable search interval, such as over the last 30 minutes but run every 15 minutes if the search completes in less than the 15 minutes. If your search takes longer to complete than the run interval, you get into time back-sliding, meaning Splunk uses continuous mode to ensure it has no time range gaps, but if it takes 45 minutes to complete a search that is launched every 30, over time you get notables farther and farther back in time. If you cannot optimize your search immediately to solve the run time being longer than the schedule interval, change to the "Realtime" button in the SplunkES UI, which is frankly a misleading term. It is not the same thing as "rt". RT means launch this search and keep it running. The search then sucks up a CPU core and all related resources. Bad idea for your search capacity. In a SplunkES sense the term means for the UI: run at the time launched, with the earliest and latest based off that launch time. So you will get event search time coverage gaps, but your search will at least run "now" and make notables for "now" vs three days ago as the time slide worsens.

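As an added illustration (not from the thread above and not Splunk's own code), the following Python model shows the two scheduling behaviours the answer describes: continuous mode keeps its cron-assigned window and slides further behind when a run outlasts the interval, while "Realtime" mode anchors the window at the actual launch time and leaves coverage gaps instead. It assumes a single concurrent run and that a missed cron tick is skipped in real-time mode.

```python
"""Simplified model of Splunk continuous vs. real-time scheduling.

Assumptions (this is an illustration, not Splunk's scheduler): one run
at a time; a continuous-mode run searches the window of the cron slot
it was meant for, launching only when the previous run has finished;
a real-time-mode run launches at the first free cron tick and searches
the window ending at that launch. All times are minutes from run 0.
"""
from dataclasses import dataclass


@dataclass
class Run:
    launch: int    # minute the search actually started
    earliest: int  # start of the event-time window searched
    latest: int    # end of the event-time window searched


def schedule(mode, interval, window, duration, runs):
    """Return the list of Runs for 'continuous' or 'realtime' mode."""
    result = []
    next_free = 0  # minute at which the single search slot frees up
    for k in range(runs):
        if mode == "continuous":
            latest = k * interval            # window fixed by cron slot
            launch = max(latest, next_free)  # but waits for the slot
        elif mode == "realtime":
            # round up to the next cron tick once the slot is free
            launch = -(-next_free // interval) * interval
            latest = launch                  # window tied to launch
        else:
            raise ValueError(f"unknown mode {mode!r}")
        result.append(Run(launch, latest - window, latest))
        next_free = launch + duration
    return result


def lag(runs):
    """Minutes the last run's window end trails its launch (back-slide)."""
    last = runs[-1]
    return last.launch - last.latest


def coverage_gaps(runs):
    """Minutes of event time no window covered (gaps between runs)."""
    return sum(max(0, cur.earliest - prev.latest)
               for prev, cur in zip(runs, runs[1:]))


if __name__ == "__main__":
    for mode in ("continuous", "realtime"):
        r = schedule(mode, interval=30, window=30, duration=45, runs=5)
        print(mode, "lag:", lag(r), "gaps:", coverage_gaps(r))
```

With a 45-minute run on a 30-minute interval, continuous mode ends five runs an hour behind with no gaps, while real-time mode stays current but skips every other window.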

MaverickT
Communicator

It is probably not a direct answer to your question, but looking at your print screen, you have selected Continuous scheduling, yet the "Latest Time" is in real-time format (rt+5m@m).
