Splunk Enterprise Security

What is the criteria for the correlation rules present in the Splunk Enterprise Security app?



I was looking at the logic behind the correlation rules that are built-in to the Splunk Enterprise Security app, but it was not so clear. For example, I would like to know the criteria for triggering the bruteforcing rule.

By editing the rule, I am able to see it runs every five min, but on what basis does this rule match the events to trigger as bruteforcing? (example :Number of login failure more than 10 times in a minute. etc.)

Similarly, I would like to know the criteria for the rules present in the ES App.



Have you read about extreme search? The example goes over the brute force correlation search.



There was a presentation about extreme search at .conf 2015. It also goes over the brute force search.

Learn How to Build Powerful Correlation Searches in Splunk Enterprise with Extreme Search


Guys?? please let me know any docs that specify the criteria or the threshold for these correlation rules in ES App. ;(

0 Karma

Splunk Employee
Splunk Employee

Look at the search string in the Correlation rules. These are what decides the rule and how it is triggered. The thresholds and alerting is tunable by you, the user / Splunk Admin / Security Expert.

Each rule is different. I recommend you go through the rules.

0 Karma
Get Updates on the Splunk Community!

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...