Splunk Search

How would I know what "Applicatoin Context" to choose when creating a new correlation search?

shiftey
Path Finder

Hi Splunk Answers,

How would I know what 'Application Context' to choose when creating a new correlation search?
The only info I have found is that it's for "context for the search (for example, Access Protection) ".

Do I need to map the search datamodel to one of the security domains?
If I don't choose the right context, does that affect the search results?

Thanks

LukeMurphey
Champion

You can chose whichever Application Context you like; it won't affect how the search works and it doesn't need to match any particular data-model.

This setting affects where the search is stored. Keeping this in a particular application can be useful if you wrote your own app and want the correlation search to be stored within that app. That way, disabling or removing that app would also disable or remove the search.

shiftey
Path Finder

Thanks LukeMurphey

Ive been spending a long time trying to get 1 correlation search working. The search is to find non standard hostnames that have been assigned a dhcp address, this would cover a scenario where a rogue laptop is plugged into the network.

The search I am using is:

description=assign | search dest!=Prefix1* | search dest!=Prefix2* | search dest!=Prefix3* | search dest!=Prefix4* | dest_ip!=10.50.x.1/20 dest_ip!=10.51.x.1/21 dest_ip!=10.49.x.1/27 | rex mode=sed field=dest "s/.company.domain.com//g" | where dest!=dest_mac

Some VOI devices that use dhcp use a hostname that is the same as the mac address.

The notable event title is:
Suspicious Host Discovered - $dest$ at $time$ on $date$

The notable event description is:
The system $dest$ has been assigned an IP Address

Start time is: -3d (so I get some result)
End time is: now
cron: set to run every 5 mins (will adjust start time to -5m once notable events working ok)

The goal is to search the last 5 mins of dhcp logs every 5 mins using the search above.

However in Incident Review the title is displayed as:
Suspicious Host Discovered - unknown at unknown on unknown

It doesnt appear to read the field results correctly.

I've run this search manually with normal switch and I have 3-4 results when searching over the last week.

What is the best way so when this search runs, you can see the hostnames that match the search (ie the non standard hostnames)

Hope this makes sense..

0 Karma

LukeMurphey
Champion

Would you be so kind to accept this answer and convert that into a new question? That way, it will be easier for others to find that question if they run into the same problem. Meanwhile, I'll take a look and see if I can get you answer for that one too.

0 Karma

LukeMurphey
Champion
0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...