Splunk Enterprise Security

How to collect correlation searches that are enabled and aligned to the MITRE ATT&CK framework?

JLopez
Explorer

Hi Splunkers,

I need to show some stakeholders the correlation searches that we have enabled and that are aligned to the MITRE ATT&CK framework.

I've tried using the REST command, and I can find all the annotations under the "action.correlationsearch.annotations" field, but I would like to narrow it down to only MITRE ATT&CK.

Does anyone know how to get this search?


meetmshah
Contributor

Hello @JLopez, can you check if this is something you want:

| rest splunk_server=local count=0 /servicesNS/-/SplunkEnterpriseSecuritySuite/saved/searches
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
| where disabled=0
| eval actions=split(actions, ",")
| rename title as "Correlation Search", cron_schedule as "Cron Schedule", "dispatch.earliest_time" as "Earliest Time", "dispatch.latest_time" as "Latest Time", actions as "Actions", "action.correlationsearch.annotations" as "Annotations"
| eval flag=if(like(Annotations, "%mitre_attack%"), 1, 0)
| table "Correlation Search" "Cron Schedule" "Earliest Time" "Latest Time" "Actions" Annotations flag
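Building on the answer above, here is an added example (not from the original thread) that keeps only the enabled correlation searches that actually carry ATT&CK annotations and lists their technique IDs, instead of setting a 1/0 flag on every search. It assumes the annotations field holds a JSON object with a `mitre_attack` array, e.g. `{"mitre_attack":["T1078","T1110"]}`, which is how Enterprise Security stores framework annotations; a search whose array is empty is dropped by the `mvcount` check.

```spl
| rest splunk_server=local count=0 /servicesNS/-/SplunkEnterpriseSecuritySuite/saved/searches
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") AND disabled=0
| rename action.correlationsearch.annotations as annotations
| spath input=annotations path=mitre_attack{} output=mitre_attack
| where isnotnull(mitre_attack) AND mvcount(mitre_attack)>0
| stats values(mitre_attack) as "ATT&CK Techniques" dc(mitre_attack) as "Technique Count" by title
| rename title as "Correlation Search"
| sort - "Technique Count"
```

The `stats ... by title` step also gives a per-search technique count, which is usually what stakeholders ask for next when judging coverage.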