Splunk Enterprise Security

Splunk Enterprise Security: Why are correlation searches being saved as saved searches for some app contexts that start with "DA-ESS-"?

deepu123
Explorer

I tried to create a correlation search by selecting the application context "DA-ESS-AccessProtection". I get a "successfully saved" message, but when I check the Content Management page, that correlation search's type shows as a saved search, and when I try to edit it, it opens in the saved search window.

I noticed this is happening only for some application contexts that start with "DA-ESS-"; for app contexts that start with "SA-", it works fine.
I have no clue why this is happening for all "DA-ESS-" applications and not for "SA-".

0 Karma
1 Solution

smoir_splunk
Splunk Employee

@deepu123, what version of ES do you have? What do the correlationsearches.conf and savedsearches.conf files look like? There should be a stanza in both of those .conf files to reflect the correlation search...

brdr
Contributor

We are running ES 4.1.1 on Enterprise 6.4.0.

I'm not sure how the security analyst is using ES:

The issue I'm seeing (and there are a few of these) is:

The correlation search "Access - FS-ISAC Threat Alert - Rule" in app "DA-ESS-NetworkProtection" has no corresponding saved searches stanza

You can clearly see that when I bump down to the CLI and grep the DA-ESS-NetworkProtection app, both files have this stanza. Just trying to figure out why Splunk throws this message.

correlationsearches.conf:[Access - FS-ISAC Threat Alert - Rule]
correlationsearches.conf:rule_description = A threat alert was detected from the Soltra Edge FS-ISAC TAXII feed
correlationsearches.conf:rule_name = FS-ISAC Threat Alert
correlationsearches.conf:rule_title = FS-ISAC Threat Alert
savedsearches.conf:[Access - FS-ISAC Threat Alert - Rule]

Thx

0 Karma

deepu123
Explorer

Yes, the ES version was not compatible; we upgraded the ES version and it works.
Thank you 🙂

0 Karma

brdr
Contributor

Was there an answer to why you were getting these messages that said correlation search has no corresponding saved searches stanza?

I'm seeing the same issue.

0 Karma

deepu123
Explorer

Splunk Enterprise version = 6.4.0
Enterprise Security = 4.0.1

savedsearches.conf and correlationsearches.conf show the same search name in both conf files.
For example, this is what I can see in both files.

correlationsearches.conf

[Access - Client_DEF_ACC_ShortLivedAccountDetected - Rule]
description = Detects when a account or credential is created and then removed a short time later. This may be an indication of malicious activities.
drilldown_name = View account change events of $user$
drilldown_search = | `datamodel("Change_Analysis", "Account_Management")` | search All_Changes.user="$user$" (All_Changes.action="created" OR All_Changes.action="deleted")
rule_description = Account $user$ on $dest$ created and deleted within $timestr$
rule_name = Client_DEF_ACC_ShortLivedAccountDetected
rule_title = Short-lived Account Detected ($user$)
security_domain = access
severity = high
default_owner = 
default_status = 
disabled = 0
search = 

savedsearches.conf

[Access - Client_DEF_ACC_ShortLivedAccountDetected - Rule]
action.keyindicator.invert = 0
action.risk = 1
action.risk._risk_object = system
action.risk._risk_object_type = system
action.risk._risk_score = 80
action.summary_index = 1
action.summary_index._name = notable
action.summary_index.ttl = 1p
alert.suppress = 1
alert.suppress.fields = const_dedup_id
alert.suppress.period = 14400s
alert.track = 0
counttype = number of events
cron_schedule = */15 * * * *
dispatch.earliest_time = -90m@m
dispatch.latest_time = +0m@m
enableSched = 1
quantity = 0
realtime_schedule = 0
relation = greater than
search = | datamodel Change_Analysis Account_Management search | search "All_Changes.action"="created" OR "All_Changes.action"="deleted" | rename All_Changes.* as * | streamstats values(Account_Management.src_user) AS src_user range(_time) as delta count by user,dest window=2 global=f | where count>1 AND delta

0 Karma
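The "no corresponding saved searches stanza" message brdr quotes above, and the side-by-side conf excerpts in this post, both come down to one check: every stanza in an app's correlationsearches.conf needs a stanza with exactly the same name in that app's savedsearches.conf. The script below is an added example (it is not from this thread and not Splunk's own code) that parses the two files for one app, such as DA-ESS-NetworkProtection, and lists the correlation searches with no matching savedsearches.conf stanza. Because grep will happily show "both stanzas" even when the two headers differ by a trailing space or letter case, it also reports near-matches that would be equal if whitespace and case were ignored. The conf text it runs on is constructed inline (stanza names taken from this thread plus a made-up orphan stanza and a deliberately mistyped header); the file paths in the comments are assumptions about a standard install.

```python
import re

# Splunk-style stanza header: [Stanza Name]. Inner whitespace is kept as written.
STANZA_RE = re.compile(r"^\[(.*)\]$")


def parse_conf(text):
    """Parse Splunk .conf text into {stanza_name: {key: value}}.

    Supports '#' comment lines, 'key = value' settings and trailing-backslash
    line continuations. Settings before the first stanza header are filed
    under 'default', which is how Splunk treats them.
    """
    stanzas = {"default": {}}
    current = "default"
    joined = ""
    for raw in text.splitlines():
        joined += raw
        if joined.endswith("\\"):
            joined = joined[:-1]          # continuation: drop the backslash, keep reading
            continue
        line, joined = joined, ""
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = STANZA_RE.match(stripped)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")  # first '=' only; values may contain '='
        if sep:
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def correlation_search_names(conf):
    """Names of correlation search stanzas (everything except 'default')."""
    return [name for name in conf if name != "default"]


def missing_savedsearch_stanzas(correlation_text, savedsearch_text):
    """Correlation searches with no stanza of the same name in savedsearches.conf.

    The comparison is exact, as Splunk's is: case and whitespace inside the
    brackets both matter.
    """
    corr = parse_conf(correlation_text)
    saved = parse_conf(savedsearch_text)
    return sorted(n for n in correlation_search_names(corr) if n not in saved)


def _normalise(name):
    return re.sub(r"\s+", " ", name).strip().lower()


def near_matches(correlation_text, savedsearch_text):
    """Map each missing correlation search to a savedsearches.conf stanza that
    matches once case and whitespace are ignored; a hit here usually means a
    stray space or case difference in one of the two headers."""
    saved = parse_conf(savedsearch_text)
    by_norm = {_normalise(n): n for n in saved if n != "default"}
    result = {}
    for name in missing_savedsearch_stanzas(correlation_text, savedsearch_text):
        hit = by_norm.get(_normalise(name))
        if hit is not None:
            result[name] = hit
    return result


# Constructed sample input standing in for one app's local/correlationsearches.conf
# (assumed path: $SPLUNK_HOME/etc/apps/<app>/local/correlationsearches.conf).
CORRELATIONSEARCHES_CONF = r"""
[Access - Client_DEF_ACC_ShortLivedAccountDetected - Rule]
rule_name = Client_DEF_ACC_ShortLivedAccountDetected
security_domain = access

[Access - FS-ISAC Threat Alert - Rule]
rule_name = FS-ISAC Threat Alert

# constructed: a correlation search with no savedsearches.conf counterpart
[Access - Constructed Orphan - Rule]
rule_name = Constructed Orphan
"""

# Constructed sample input standing in for the same app's local/savedsearches.conf.
# The FS-ISAC header carries a deliberate trailing space inside the brackets.
SAVEDSEARCHES_CONF = r"""
[Access - Client_DEF_ACC_ShortLivedAccountDetected - Rule]
cron_schedule = */15 * * * *
search = | datamodel Change_Analysis Account_Management search \
    | search "All_Changes.action"="created" OR "All_Changes.action"="deleted"

[Access - FS-ISAC Threat Alert - Rule ]
enableSched = 1
"""

if __name__ == "__main__":
    for name in missing_savedsearch_stanzas(CORRELATIONSEARCHES_CONF, SAVEDSEARCHES_CONF):
        print("no corresponding savedsearches.conf stanza:", repr(name))
    for corr_name, saved_name in near_matches(CORRELATIONSEARCHES_CONF, SAVEDSEARCHES_CONF).items():
        print("near match (check whitespace/case):", repr(corr_name), "->", repr(saved_name))
```

Run it against the two files of a single app at a time, since the pairing is per app context; the repr() output makes an otherwise invisible trailing space in a header show up as a quoted string that does not match.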

smoir_splunk
Splunk Employee

The version of ES that you're using isn't compatible with the version of Enterprise that you have installed (http://docs.splunk.com/Documentation/ES/4.0.1/Install/DeploymentPlanning#Splunk_Enterprise_system_re...) but that may or may not be the cause of this issue.

Are you creating the correlation search on the content management page within Enterprise Security?

There are quite a few correlation searches that come with Enterprise Security that are stored in DA-ESS-* apps (such as DA-ESS-EndpointProtection) so that is not the issue.

0 Karma