Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Enterprise Security: Can I use correlation search to search for IoC?

kkkelvinkk
New Member
‎04-12-2017 10:05 AM

Hi all,

I am now researching Splunk Enterprise Security. From my understanding, it is an app with some dashboard, which integrate some pre-defined correlation query, CIM and other App. I would like to know if correlation search is actually a "search query" that I can use to search for IoC (Inversion of Control)?

Also, for the security posture dashboard, will it show all the correlation search that hits the condition? Let's say the enabled correlation search only has 5 results. Will these 5 results will all be shown in security posture dashboard?
Thanks all.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hardikJsheth
Motivator
‎04-12-2017 11:00 AM

Yes, Correlation searches are actually search queries which generates notable events. The security posture shows Notable events. Please note it's not necessary that all the results from your search are added to notable index. This depends on the configuration of suppression within correlation search. You can definately write your own correlation search.

The ES app has number of inbuilt framework such as Correlation Search, Risk Score, Extreme Search and Threat Analysis Framework.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

kkkelvinkk
New Member
‎04-13-2017 02:35 AM

Thanks. Is "configuration of suppression within correlation search" means selected the option "Create notable event" ?

0 Karma
Reply
Solved! Jump to solution

hardikJsheth
Motivator
‎04-13-2017 04:37 AM

Throttlling under Trigger Conditions. There are two fields time window and fields to group by.

0 Karma
Reply
Solved! Jump to solution
Solution

hardikJsheth
Motivator
‎04-12-2017 11:00 AM

Yes, Correlation searches are actually search queries which generates notable events. The security posture shows Notable events. Please note it's not necessary that all the results from your search are added to notable index. This depends on the configuration of suppression within correlation search. You can definately write your own correlation search.

The ES app has number of inbuilt framework such as Correlation Search, Risk Score, Extreme Search and Threat Analysis Framework.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...