Splunk Enterprise Security

What is the criteria for the correlation rules present in the Splunk Enterprise Security app?

Contributor

Hi,

I was looking at the logic behind the correlation rules that are built-in to the Splunk Enterprise Security app, but it was not so clear. For example, I would like to know the criteria for triggering the bruteforcing rule.

By editing the rule, I am able to see it runs every five min, but on what basis does this rule match the events to trigger as bruteforcing? (example :Number of login failure more than 10 times in a minute. etc.)

Similarly, I would like to know the criteria for the rules present in the ES App.

Thanks

Contributor

Have you read about extreme search? The example goes over the brute force correlation search.

http://docs.splunk.com/Documentation/ES/4.0.0/User/ExtremeSearchExample

http://docs.splunk.com/Documentation/ES/4.0.0/User/ExtremeSearch

There was a presentation about extreme search at .conf 2015. It also goes over the brute force search.

Learn How to Build Powerful Correlation Searches in Splunk Enterprise with Extreme Search

Contributor

Guys?? please let me know any docs that specify the criteria or the threshold for these correlation rules in ES App. ;(

0 Karma

Splunk Employee
Splunk Employee

Look at the search string in the Correlation rules. These are what decides the rule and how it is triggered. The thresholds and alerting is tunable by you, the user / Splunk Admin / Security Expert.

Each rule is different. I recommend you go through the rules.

0 Karma