Splunk Enterprise Security

Splunk Enterprise Security: How to use Extreme Search to build Correlation Searches?

Engager

I am very new using Extreme Searches. I have used the extreme search example that is displayed on the page in Splunk Docs.

| `datamodel("Authentication","Authentication")` | stats values(Authentication.tag) as tag,count(eval('Authentication.action'=="failure")) as failure,count(eval('Authentication.action'=="success")) as success by Authentication.src | `drop_dm_object_name("Authentication")` | search success>0 | xswhere failure from failures_by_src_count_1h in authentication is above medium | `settags("access")`

What I am trying to do is use this to build a Splunk Enterprise Security correlation search and create a notable event for every src that is above medium values.

Anyone got any experience with this?

0 Karma
1 Solution

Splunk Employee
Splunk Employee

Correlation searches that use extreme search takes a two step approach.

The first step is the context generation saved search. There are examples within ES for this like Network - Traffic Volume per 30m - Context Gen which is essentially pulling a count or sum of total data for a specific time frame. There is a context name that is defined as well and needs to be noted because it will be used in the correlation search.

The context gen is then used in the correlation search. The XSWHERE statement is going to leverage the names into that you created with your context gen.

View solution in original post

Splunk Employee
Splunk Employee

@mtaylor78 - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma

SplunkTrust
SplunkTrust

I put out a blog post series on extreme search starting later in December, If you haven't found it you might want to go through those.

Splunk Employee
Splunk Employee

Correlation searches that use extreme search takes a two step approach.

The first step is the context generation saved search. There are examples within ES for this like Network - Traffic Volume per 30m - Context Gen which is essentially pulling a count or sum of total data for a specific time frame. There is a context name that is defined as well and needs to be noted because it will be used in the correlation search.

The context gen is then used in the correlation search. The XSWHERE statement is going to leverage the names into that you created with your context gen.

View solution in original post