Splunk Enterprise Security

Splunk Enterprise Security: How to use Extreme Search to build Correlation Searches?

mtaylor78
Engager

I am very new using Extreme Searches. I have used the extreme search example that is displayed on the page in Splunk Docs.

| `datamodel("Authentication","Authentication")` | stats values(Authentication.tag) as tag,count(eval('Authentication.action'=="failure")) as failure,count(eval('Authentication.action'=="success")) as success by Authentication.src | `drop_dm_object_name("Authentication")` | search success>0 | xswhere failure from failures_by_src_count_1h in authentication is above medium | `settags("access")`

What I am trying to do is use this to build a Splunk Enterprise Security correlation search and create a notable event for every src that is above medium values.

Anyone got any experience with this?

0 Karma
1 Solution

jstoner_splunk
Splunk Employee
Splunk Employee

Correlation searches that use extreme search takes a two step approach.

The first step is the context generation saved search. There are examples within ES for this like Network - Traffic Volume per 30m - Context Gen which is essentially pulling a count or sum of total data for a specific time frame. There is a context name that is defined as well and needs to be noted because it will be used in the correlation search.

The context gen is then used in the correlation search. The XSWHERE statement is going to leverage the names into that you created with your context gen.

View solution in original post

aaraneta_splunk
Splunk Employee
Splunk Employee

@mtaylor78 - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma

starcher
Influencer

I put out a blog post series on extreme search starting later in December, If you haven't found it you might want to go through those.

jstoner_splunk
Splunk Employee
Splunk Employee

Correlation searches that use extreme search takes a two step approach.

The first step is the context generation saved search. There are examples within ES for this like Network - Traffic Volume per 30m - Context Gen which is essentially pulling a count or sum of total data for a specific time frame. There is a context name that is defined as well and needs to be noted because it will be used in the correlation search.

The context gen is then used in the correlation search. The XSWHERE statement is going to leverage the names into that you created with your context gen.

Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...