For internal control, we have to monitor all deactivations and all suppressions of correlation searches. Unfortunately, we were not able to find a corresponding log event in the _audit index.
However, all the needed information could be found with the search below:
| rest splunk_server=local count=0 /servicesNS/-/SplunkEnterpriseSecuritySuite/saved/searches | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") | rename action.correlationsearch.label as "Name"
| table Name disabled
The result should look like this:
| Name | disabled |
|---|---|
| Outbreak Detected | 0 |
| SQL Injection Detected | 0 |
| Threat Activity Detected | 1 |
The question is how we can detect the two conditions below:
Do you have an idea how those searches could be implemented?
Thanks for the help.
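One way to catch deactivations with the search from the post, as an added example that is not part of the original question: schedule the first search to snapshot the current state into a lookup, then run the second search afterwards to compare the live state against the last snapshot and alert on every correlation search whose `disabled` flag went from 0 to 1 (or that disappeared from the list). The lookup name `correlation_search_state.csv` and the "previous/current" field names are assumptions.

```spl
| rest splunk_server=local count=0 /servicesNS/-/SplunkEnterpriseSecuritySuite/saved/searches
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
| rename action.correlationsearch.label as Name
| table Name disabled
| outputlookup correlation_search_state.csv

| rest splunk_server=local count=0 /servicesNS/-/SplunkEnterpriseSecuritySuite/saved/searches
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
| rename action.correlationsearch.label as Name
| table Name disabled
| eval state="current"
| append [| inputlookup correlation_search_state.csv | eval state="previous"]
| stats max(eval(if(state="current", disabled, null()))) as current_disabled, max(eval(if(state="previous", disabled, null()))) as previous_disabled by Name
| eval change=case(previous_disabled=0 AND current_disabled=1, "deactivated", isnull(current_disabled), "removed", true(), null())
| where isnotnull(change)
| table Name previous_disabled current_disabled change
```

Run the comparison search before the snapshot search refreshes the lookup, otherwise the two states are always identical and nothing is flagged.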