Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Enterprise Security: what makes a correlation search a correlation search?

danielbb
Motivator
‎08-15-2019 12:07 PM

I'm looking at a sample correlation search called Abnormally High Number of HTTP Method Events By Src -

| tstats `summariesonly` count as web_event_count from datamodel=Web.Web by Web.src, Web.http_method 
| `drop_dm_object_name("Web")` 
| xswhere web_event_count FROM count_by_http_method_by_src_1d in web by http_method is above high

What makes it a correlation search?

Reply
1 Solution
Solved! Jump to solution
Solution

lkutch_splunk
Splunk Employee
Splunk Employee
‎08-15-2019 12:16 PM

Hi,
According to the ES tutorial... it's not just a search, but a search that then does one of the following:
"A correlation search is a type of search that evaluates events from one or more data sources for defined patterns. When the search finds a pattern, it creates a notable event, adjusts a risk score, or performs an adaptive response action. A correlation search is a saved search with extended capabilities making it easier to create, edit, and use searches for security use cases."
https://docs.splunk.com/Documentation/ES/5.3.1/Tutorials/CorrelationSearch

So since it creates a notable event, it's a correlation search.

View solution in original post

Reply
Solved! Jump to solution
Solution

lkutch_splunk
Splunk Employee
Splunk Employee
‎08-15-2019 12:16 PM

Hi,
According to the ES tutorial... it's not just a search, but a search that then does one of the following:
"A correlation search is a type of search that evaluates events from one or more data sources for defined patterns. When the search finds a pattern, it creates a notable event, adjusts a risk score, or performs an adaptive response action. A correlation search is a saved search with extended capabilities making it easier to create, edit, and use searches for security use cases."
https://docs.splunk.com/Documentation/ES/5.3.1/Tutorials/CorrelationSearch

So since it creates a notable event, it's a correlation search.

Reply
Solved! Jump to solution

danielbb
Motivator
‎08-15-2019 12:23 PM

Ok, makes sense.

This particular search has the following Adaptive Response Actions -

1) Risk Analysis
2) Notable

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...