Splunk Enterprise Security

convert alerts to correlation searches

acadea
Engager

Hello,

Having defined multiple alerts before starting  to use Enterprise Security, is there a way to convert the existing alerts to correlation searches ?

Instead of sending emails as action, they will add some risk score, notable event etc

How can I accomplish this without creating manually all the correlation searches from scratch.

Thanks

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

There is no UI trick to convert an alert into a correlation search.  The best option, IMO, is to copy the search text from alert to CS using separate browser tabs.

You may be able to edit the savedsearches.conf file and add CS attributes

action.correlationsearch = 0
action.correlationsearch.enabled = 1
action.correlationsearch.label = "foo"

but then you'd also have to add a bunch of action.notable settings, making sure to get them just right.  It's less error-prone to use the UI.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

There is no UI trick to convert an alert into a correlation search.  The best option, IMO, is to copy the search text from alert to CS using separate browser tabs.

You may be able to edit the savedsearches.conf file and add CS attributes

action.correlationsearch = 0
action.correlationsearch.enabled = 1
action.correlationsearch.label = "foo"

but then you'd also have to add a bunch of action.notable settings, making sure to get them just right.  It's less error-prone to use the UI.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!