Splunk Enterprise Security

Splunk Enterprise Security: How to use Extreme Search to build Correlation Searches?

mtaylor78
Engager

I am very new to using Extreme Searches. I have used the extreme search example that is displayed on the page in Splunk Docs.

| `datamodel("Authentication","Authentication")` | stats values(Authentication.tag) as tag,count(eval('Authentication.action'=="failure")) as failure,count(eval('Authentication.action'=="success")) as success by Authentication.src | `drop_dm_object_name("Authentication")` | search success>0 | xswhere failure from failures_by_src_count_1h in authentication is above medium | `settags("access")`

What I am trying to do is use this to build a Splunk Enterprise Security correlation search and create a notable event for every src that is above medium values.

Anyone got any experience with this?

0 Karma
1 Solution

jstoner_splunk
Splunk Employee

Correlation searches that use extreme search take a two-step approach.

The first step is the context generation saved search. There are examples within ES for this like Network - Traffic Volume per 30m - Context Gen which is essentially pulling a count or sum of total data for a specific time frame. There is a context name that is defined as well and needs to be noted because it will be used in the correlation search.

The context gen is then used in the correlation search. The XSWHERE statement is going to leverage the names that you created with your context gen.
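The two steps described in this answer, written out as an added illustration (not code from the post, Splunk, or the ES app): a context generation search that builds the `failures_by_src_count_1h` context in the `authentication` container from hourly per-source failure counts, followed by the asker's search as the correlation search that reads it. The `tstats` shape, the `xsCreateDDContext` arguments and the `SA-AccessProtection` app name are assumptions modelled on the ES-shipped context gen searches; the `comment` macro needs Splunk 8.0 or later.

```spl
`comment("Step 1 - context gen: hourly failure counts per src, then the domain (min/max) of those counts")`
| tstats `summariesonly` count as failure
    from datamodel=Authentication.Authentication
    where Authentication.action="failure"
    by Authentication.src, _time span=1h
| stats count as count, min(failure) as min, max(failure) as max
| eval max=if(max>0, max, 1)
| xsCreateDDContext name=failures_by_src_count_1h container=authentication
    app=SA-AccessProtection scope=app type=domain
    terms="minimal,low,medium,high,extreme"

`comment("Step 2 - correlation search: same 1h window, xswhere maps each src's failure count onto the context")`
| `datamodel("Authentication","Authentication")`
| stats values(Authentication.tag) as tag,
        count(eval('Authentication.action'=="failure")) as failure,
        count(eval('Authentication.action'=="success")) as success
    by Authentication.src
| `drop_dm_object_name("Authentication")`
| search success>0
| xswhere failure from failures_by_src_count_1h in authentication is above medium
| `settags("access")`
```

Schedule step 1 to run before step 2 and keep both on the same 1h window so the counts compare like for like; saving step 2 as a correlation search in ES with the Notable response action yields one notable per src row that xswhere passes.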


aaraneta_splunk
Splunk Employee

@mtaylor78 - Did one of the answers below help provide a solution to your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma

starcher
Influencer

I put out a blog post series on extreme search starting later in December. If you haven't found it, you might want to go through those.
