I was looking at the logic behind the correlation rules that are built-in to the Splunk Enterprise Security app, but it was not so clear. For example, I would like to know the criteria for triggering the bruteforcing rule.
By editing the rule, I am able to see it runs every five min, but on what basis does this rule match the events to trigger as bruteforcing? (example :Number of login failure more than 10 times in a minute. etc.)
Similarly, I would like to know the criteria for the rules present in the ES App.
Have you read about extreme search? The example goes over the brute force correlation search.
There was a presentation about extreme search at .conf 2015. It also goes over the brute force search.
Look at the search string in the Correlation rules. These are what decides the rule and how it is triggered. The thresholds and alerting is tunable by you, the user / Splunk Admin / Security Expert.
Each rule is different. I recommend you go through the rules.