I am now researching Splunk Enterprise Security. From my understanding, it is an app with some dashboard, which integrate some pre-defined correlation query, CIM and other App. I would like to know if correlation search is actually a "search query" that I can use to search for IoC (Inversion of Control)?
Also, for the security posture dashboard, will it show all the correlation search that hits the condition? Let's say the enabled correlation search only has 5 results. Will these 5 results will all be shown in security posture dashboard?
Yes, Correlation searches are actually search queries which generates notable events. The security posture shows Notable events. Please note it's not necessary that all the results from your search are added to notable index. This depends on the configuration of suppression within correlation search. You can definately write your own correlation search.
The ES app has number of inbuilt framework such as Correlation Search, Risk Score, Extreme Search and Threat Analysis Framework.
Thanks. Is "configuration of suppression within correlation search" means selected the option "Create notable event" ?
Throttlling under Trigger Conditions. There are two fields time window and fields to group by.