Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the criteria for the correlation rules present in the Splunk Enterprise Security app?

krish3
Contributor
‎11-10-2015 02:00 AM

Hi,

I was looking at the logic behind the correlation rules that are built-in to the Splunk Enterprise Security app, but it was not so clear. For example, I would like to know the criteria for triggering the bruteforcing rule.

By editing the rule, I am able to see it runs every five min, but on what basis does this rule match the events to trigger as bruteforcing? (example :Number of login failure more than 10 times in a minute. etc.)

Similarly, I would like to know the criteria for the rules present in the ES App.

Thanks

Reply

spayneort
Contributor
‎11-15-2015 12:25 PM

Have you read about extreme search? The example goes over the brute force correlation search.

http://docs.splunk.com/Documentation/ES/4.0.0/User/ExtremeSearchExample

http://docs.splunk.com/Documentation/ES/4.0.0/User/ExtremeSearch

There was a presentation about extreme search at .conf 2015. It also goes over the brute force search.

Learn How to Build Powerful Correlation Searches in Splunk Enterprise with Extreme Search

Reply

krish3
Contributor
‎11-14-2015 11:26 PM

Guys?? please let me know any docs that specify the criteria or the threshold for these correlation rules in ES App. ;(

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎11-15-2015 04:06 AM

Look at the search string in the Correlation rules. These are what decides the rule and how it is triggered. The thresholds and alerting is tunable by you, the user / Splunk Admin / Security Expert.

Each rule is different. I recommend you go through the rules.

0 Karma
Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey


Introducing Unified TDIR with the New Enterprise Security 8.2

Read the blog
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...