Splunk Enterprise Security

Splunk Enterprise Security: How to use Extreme Search to build Correlation Searches?

mtaylor78
Engager

I am very new to using Extreme Searches. I have used the extreme search example that is displayed on the page in Splunk Docs.

| `datamodel("Authentication","Authentication")` | stats values(Authentication.tag) as tag,count(eval('Authentication.action'=="failure")) as failure,count(eval('Authentication.action'=="success")) as success by Authentication.src | `drop_dm_object_name("Authentication")` | search success>0 | xswhere failure from failures_by_src_count_1h in authentication is above medium | `settags("access")`

What I am trying to do is use this to build a Splunk Enterprise Security correlation search and create a notable event for every src that is above medium values.

Anyone got any experience with this?

0 Karma
1 Solution

jstoner_splunk
Splunk Employee

Correlation searches that use extreme search take a two-step approach.

The first step is the context generation saved search. There are examples within ES for this, like Network - Traffic Volume per 30m - Context Gen, which is essentially pulling a count or sum of total data for a specific time frame. There is a context name that is defined as well, and it needs to be noted because it will be used in the correlation search.

The context gen is then used in the correlation search. The XSWHERE statement is going to leverage the names that you created with your context gen.

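As an added example that is not part of the original thread or of the searches ES ships: a savedsearches.conf sketch of the two saved searches, using the context and container names from the xswhere clause in the question. The statistic fields, the app name, the schedules and the notable/suppression keys are assumptions about ES 4.x-era configuration; compare them with the Context Gen searches and correlation searches your ES version ships.

```ini
# Added example (not from the original thread or from the searches ES ships).
# Step 1: scheduled context-generation search. It feeds the hourly
# per-source failure distribution into the "failures_by_src_count_1h"
# context in the "authentication" container. The statistic fields
# (min/median/max/size), the app name and the conf keys are assumptions;
# check them against the Context Gen searches shipped with your ES version.
[Access - Authentication Failures By Source - Context Gen (example)]
enableSched = 1
cron_schedule = 30 * * * *
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
search = | tstats `summariesonly` count from datamodel=Authentication.Authentication where Authentication.action="failure" by _time,Authentication.src span=1h \
  | stats median(count) as median, min(count) as min, count as size \
  | eval max=median*2 \
  | xsUpdateDDContext app=SA-AccessProtection name=failures_by_src_count_1h container=authentication scope=app

# Step 2: correlation search. The SPL is the one from the question; the
# xswhere clause names the context and container from step 1, so step 1
# must have run at least once before this search returns results.
# action.notable creates one notable event per result row, i.e. one per
# src whose failure count is above "medium" for the context.
[Access - Excessive Failed Logins By Source (example)]
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
search = | `datamodel("Authentication","Authentication")` \
  | stats values(Authentication.tag) as tag, count(eval('Authentication.action'=="failure")) as failure, count(eval('Authentication.action'=="success")) as success by Authentication.src \
  | `drop_dm_object_name("Authentication")` | search success>0 \
  | xswhere failure from failures_by_src_count_1h in authentication is above medium \
  | `settags("access")`
action.correlationsearch.enabled = 1
action.correlationsearch.label = Excessive Failed Logins By Source (example)
action.notable = 1
action.notable.param.rule_title = Excessive failed logins from $src$
action.notable.param.rule_description = $failure$ failed logins from $src$ in the last hour, above the "medium" level of the hourly baseline
action.notable.param.security_domain = access
action.notable.param.severity = medium
# Throttle repeat notables for the same src for a day (assumed keys).
alert.suppress = 1
alert.suppress.fields = src
alert.suppress.period = 86400s
```

The context gen must be scheduled to run before the correlation search is enabled, otherwise xswhere has no context to evaluate against and returns nothing.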

aaraneta_splunk
Splunk Employee

@mtaylor78 - Did one of the answers below help provide a solution to your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma

starcher
SplunkTrust

I put out a blog post series on extreme search starting later in December. If you haven't found it, you might want to go through those.

