Is there a way to run a search for all correlation searches and see their response actions? I want to see what correlation searches create notable events and which ones do not. For example, which ones only increase risk score. I had hoped to use /services/alerts/correlationsearches however it doesn't appear that endpoint exists anymore?
Hi @gbam ,
I created this search (starting from a search from PS) to display active Correlation Searches with some information, as well as their Adaptive Response Actions:
| rest splunk_server=local count=0 /servicesNS/-/-/saved/searches
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
| rename title as search_name, eai:acl.app as app, action.correlationsearch.annotations as frameworks action.correlationsearch.label AS label action.notable.param.security_domain AS security_domain action.notable.param.severity AS severity dispatch.earliest_time AS earliest_time dispatch.latest_time AS latest_time action.notable.param.drilldown_searches AS drilldown alert.suppress AS throttle alert.suppress.period AS throttle_period alert.suppress.fields AS throttle_fields
| table search_name, app, description, frameworks, disabled label security_domain actions cron_schedule earliest_time latest_time search drilldown throttle throttle_period throttle_fields
| spath input=frameworks
| rename mitre_attack{} as mitre_attack, nist{} as nist, cis20{} as cis20, kill_chain_phases{} as kill_chain_phases
| table app, search_name, label, description, disabled, security_domain actions cron_schedule earliest_time latest_time throttle throttle_period throttle_fields
| sort label
You can create your own, starting from this and adapting it to your requirements.
Ciao.
Giuseppe
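The same enumeration done outside SPL, as an added example that is not part of Giuseppe's answer: it parses the JSON form of the saved/searches REST response, keeps only entries flagged as correlation searches (same truthy test as the match() above) and buckets each one by whether its actions create a notable, only add risk, do both, or neither, which is the split the question asks for. It assumes the endpoint's JSON shape (`entry[].name`, `acl.app`, `content.actions`, `content.action.correlationsearch.enabled`) and runs on a constructed sample.

```python
import json
import re

# Constructed sample in the shape of /servicesNS/-/-/saved/searches?output_mode=json
# (assumption: only the keys used below are shown; real entries carry many more).
SAMPLE_JSON = json.dumps({"entry": [
    {"name": "Threat - Brute Force Access Behavior Detected - Rule",
     "acl": {"app": "SplunkEnterpriseSecuritySuite"},
     "content": {"action.correlationsearch.enabled": "1", "disabled": "0",
                 "actions": "notable,risk"}},
    {"name": "Threat - Risk Only Example - Rule", "acl": {"app": "DA-ESS-ContentUpdate"},
     "content": {"action.correlationsearch.enabled": "true", "disabled": "0",
                 "actions": "risk"}},
    {"name": "Threat - Disabled Example - Rule", "acl": {"app": "DA-ESS-ContentUpdate"},
     "content": {"action.correlationsearch.enabled": "1", "disabled": "1",
                 "actions": "notable"}},
    # An ordinary saved search: no correlationsearch.enabled flag, so it is skipped.
    {"name": "Weekly License Report", "acl": {"app": "search"},
     "content": {"disabled": "0", "actions": "email"}},
]})

# Same truthy values the SPL match() accepts: 1, t or true, any case.
ENABLED_RE = re.compile(r"^(1|t|true)$", re.IGNORECASE)


def classify(actions):
    """Bucket a correlation search by whether it creates notables, risk, both or neither."""
    notable, risk = "notable" in actions, "risk" in actions
    return {(True, True): "notable+risk", (True, False): "notable-only",
            (False, True): "risk-only"}.get((notable, risk), "other")


def correlation_search_actions(raw_json):
    """One row per correlation search: name, app, disabled flag, actions, bucket."""
    rows = []
    for entry in json.loads(raw_json)["entry"]:
        content = entry.get("content", {})
        if not ENABLED_RE.match(str(content.get("action.correlationsearch.enabled", ""))):
            continue  # not a correlation search, ignore it
        actions = sorted(a.strip() for a in content.get("actions", "").split(",") if a.strip())
        rows.append({"search_name": entry["name"],
                     "app": entry.get("acl", {}).get("app", ""),
                     "disabled": content.get("disabled") == "1",
                     "actions": actions, "kind": classify(actions)})
    return rows


if __name__ == "__main__":
    print(json.dumps(correlation_search_actions(SAMPLE_JSON), indent=2))
```

Against a live instance, feed it the body of a GET to the same endpoint with output_mode=json (the count=0 parameter from the SPL applies there too).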
Thank you very much!!!!