I am doing a deep dive to understand the internals of a correlation search within ES so that I can justify creating new correlated searches with adjusted thresholds and/or explicit asset exceptions.

The correlated search I'm reviewing is "Access - Brute Force Access Behavior Detected - Rule."

In effort to attribute the authentication failures to systems with a src and a dst so that I can present the data to sysadmins for investigation and resolution of possible misconfiguration, I wanted to better understand the correlated search:

| from datamodel:"Authentication"."Authentication" | stats values(tag) as tag,values(app) as app,count(eval('action'=="failure")) as failure,count(eval('action'=="success")) as success by src | search success>0 | xswhere failure from failures_by_src_count_1h in authentication is above medium

I have an understanding of most of the search, but the parameters of xswhere are throwing me off. If I understand the documentation well enough, I see the entities:

• hedge
• concept
• context
• container

However, I do not understand where they are defined.

Very tangibly, in this example... where can I locate the definitions of: failure, failures_by_src_count_1h, authentication, above, medium.

Are these contained within the data model?

As an aside (as in not for me to understand conceptually and specifically what's going on), what is best practice for tweaking correlated searches in ES? I wanted to use this canned correlated search as a template, and clone it to two additional correlated searches with different thresholds and different in-scope assets (by excluding assets in a lookup table).

Thanks,

Matt