Splunk Enterprise Security

convert alerts to correlation searches

acadea
Explorer

Hello,

Having defined multiple alerts before starting to use Enterprise Security, is there a way to convert the existing alerts to correlation searches?

Instead of sending emails as the action, they will add some risk score, notable event, etc.

How can I accomplish this without manually creating all the correlation searches from scratch?

Thanks

0 Karma
1 Solution

richgalloway
SplunkTrust

There is no UI trick to convert an alert into a correlation search.  The best option, IMO, is to copy the search text from alert to CS using separate browser tabs.

You may be able to edit the savedsearches.conf file and add CS attributes

action.correlationsearch = 0
action.correlationsearch.enabled = 1
action.correlationsearch.label = "foo"

but then you'd also have to add a bunch of action.notable settings, making sure to get them just right.  It's less error-prone to use the UI.

---
If this reply helps you, Karma would be appreciated.
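The conf-file route the answer describes, as an added example that is not part of the forum post and not Splunk's own tooling: it reads an alert stanza out of a savedsearches.conf, drops the email action, and emits a stanza carrying the three action.correlationsearch keys quoted above together with the notable and risk settings an ES correlation search usually needs. The action.notable.* and action.risk.* attribute names, the sample stanza, and the default severity and risk object type are assumptions; check them against the savedsearches.conf.spec shipped with your ES version before deploying, and keep the generated stanza in a version-controlled app rather than hand-editing the live file.

```python
"""Convert a plain Splunk alert stanza into an ES correlation-search stanza.

Added example, not from the forum post. The three action.correlationsearch
keys are the ones quoted in the answer; the action.notable.* and
action.risk.* keys are assumed ES attribute names (verify against your
savedsearches.conf.spec).
"""
import configparser

# Constructed sample: an alert roughly as Splunk writes it to savedsearches.conf.
SAMPLE_CONF = """\
[Failed logins from one source]
search = index=auth action=failure | stats count by src | where count > 20
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
action.email = 1
action.email.to = soc@example.com
"""


def load_conf(text):
    """Parse savedsearches.conf text, keeping key case and '=' as the only delimiter."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive (enableSched, cron_schedule)
    cp.read_string(text)
    return cp


def convert_stanza(cp, name, security_domain, risk_object_field, risk_score,
                   severity="medium", risk_object_type="system"):
    """Return the settings dict for stanza `name` rewritten as a correlation search.

    Email actions are removed; every other setting (search, schedule, time
    window) is kept so the detection logic itself is unchanged.
    """
    if name not in cp:
        raise KeyError("no stanza named %r in conf" % name)
    src = dict(cp[name])
    if "search" not in src:
        raise ValueError("stanza %r has no search; nothing to convert" % name)

    out = {k: v for k, v in src.items() if not k.startswith("action.email")}
    out.update({
        # Keys quoted in the answer above
        "action.correlationsearch": "0",
        "action.correlationsearch.enabled": "1",
        "action.correlationsearch.label": name,
        # Assumed ES notable-event settings
        "action.notable": "1",
        "action.notable.param.rule_title": name,
        "action.notable.param.rule_description": "Converted from alert: " + name,
        "action.notable.param.security_domain": security_domain,
        "action.notable.param.severity": severity,
        # Assumed ES risk settings; the risk object is a field from the search output
        "action.risk": "1",
        "action.risk.param._risk_object": risk_object_field,
        "action.risk.param._risk_object_type": risk_object_type,
        "action.risk.param._risk_score": str(risk_score),
    })
    return out


def render_stanza(name, settings):
    """Serialise a settings dict back into savedsearches.conf stanza text."""
    lines = ["[%s]" % name]
    lines.extend("%s = %s" % (k, v) for k, v in settings.items())
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    conf = load_conf(SAMPLE_CONF)
    converted = convert_stanza(conf, "Failed logins from one source",
                               security_domain="access",
                               risk_object_field="src", risk_score=40)
    print(render_stanza("Failed logins from one source", converted))
```

Run it once per alert name (or loop over `cp.sections()`) and paste the output into the savedsearches.conf of a local app under etc/apps; after a restart or a reload of the saved-search endpoint, the stanza should appear in ES Content Management where you can verify the notable and risk settings in the UI, which is where the answer above warns the hand-edited values most often go wrong.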
