What is the criteria for the correlation rules pre...

krish3 · ‎11-10-2015

Hi,

I was looking at the logic behind the correlation rules that are built-in to the Splunk Enterprise Security app, but it was not so clear. For example, I would like to know the criteria for triggering the bruteforcing rule.

By editing the rule, I am able to see it runs every five min, but on what basis does this rule match the events to trigger as bruteforcing? (example :Number of login failure more than 10 times in a minute. etc.)

Similarly, I would like to know the criteria for the rules present in the ES App.

Thanks

spayneort · ‎11-15-2015

Have you read about extreme search? The example goes over the brute force correlation search.

http://docs.splunk.com/Documentation/ES/4.0.0/User/ExtremeSearchExample

http://docs.splunk.com/Documentation/ES/4.0.0/User/ExtremeSearch

There was a presentation about extreme search at .conf 2015. It also goes over the brute force search.

Learn How to Build Powerful Correlation Searches in Splunk Enterprise with Extreme Search

krish3 · ‎11-14-2015

Guys?? please let me know any docs that specify the criteria or the threshold for these correlation rules in ES App. ;(

esix_splunk · ‎11-15-2015

Look at the search string in the Correlation rules. These are what decides the rule and how it is triggered. The thresholds and alerting is tunable by you, the user / Splunk Admin / Security Expert.

Each rule is different. I recommend you go through the rules.

What is the criteria for the correlation rules present in the Splunk Enterprise Security app?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?