Is there a way to run a search for all correlation searches and see their response actions? I want to see which correlation searches create notable events and which ones do not, for example, which ones only increase the risk score. I had hoped to use /services/alerts/correlationsearches; however, it doesn't appear that endpoint exists anymore?
gcusello (SplunkTrust):
Hi @gbam,
I created this search (starting from a search from PS) to display active Correlation Searches with some information, as well as their Adaptive Response Actions:
| rest splunk_server=local count=0 /servicesNS/-/-/saved/searches
| where match('action.correlationsearch.enabled', "^(1|[Tt]|[Tt][Rr][Uu][Ee])$") ```keep only saved searches flagged as correlation searches```
| rename title AS search_name, eai:acl.app AS app, action.correlationsearch.annotations AS frameworks, action.correlationsearch.label AS label, action.notable AS notable, action.risk AS risk, action.notable.param.security_domain AS security_domain, action.notable.param.severity AS severity, dispatch.earliest_time AS earliest_time, dispatch.latest_time AS latest_time, action.notable.param.drilldown_searches AS drilldown, alert.suppress AS throttle, alert.suppress.period AS throttle_period, alert.suppress.fields AS throttle_fields
| spath input=frameworks ```expand the JSON annotations into mitre_attack{}, nist{}, cis20{} and kill_chain_phases{}```
| rename mitre_attack{} AS mitre_attack, nist{} AS nist, cis20{} AS cis20, kill_chain_phases{} AS kill_chain_phases
| table app, search_name, label, description, disabled, security_domain, severity, actions, notable, risk, mitre_attack, nist, cis20, kill_chain_phases, cron_schedule, earliest_time, latest_time, search, drilldown, throttle, throttle_period, throttle_fields
| sort label
You can create your own, starting from this one and adapting it to your requirements.
Ciao.
Giuseppe
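The same classification done outside Splunk, as an added example that is not part of the forum thread or of Giuseppe's search: a Python script that reads the JSON form of the /servicesNS/-/-/saved/searches feed (fetched with a Splunk authentication token, or, as here, from a constructed sample) and buckets each correlation search by whether it creates notables, only raises risk, or does neither. The field names are the savedsearches.conf keys Enterprise Security writes (action.correlationsearch.enabled, actions, action.notable, action.risk, disabled); the sample search names and apps, and the base URL and token handling in fetch_saved_searches, are assumptions for illustration.

```python
"""Bucket ES correlation searches by response action from the saved/searches REST feed."""
import json
import urllib.request
from typing import Dict, List

TRUE_VALUES = {"1", "t", "true"}


def is_true(value) -> bool:
    """Splunk serialises booleans as 1/0, t/f or true/false; normalise them."""
    return str(value).strip().lower() in TRUE_VALUES


def enabled_actions(content: Dict[str, str]) -> List[str]:
    """Union of the comma-separated 'actions' list and every 'action.<name>' flag set to true.

    Keys with more than one dot (action.notable.param.severity,
    action.correlationsearch.enabled) are parameters, not on/off switches, so skip them.
    """
    names = {a.strip() for a in content.get("actions", "").split(",") if a.strip()}
    for key, value in content.items():
        parts = key.split(".")
        if len(parts) == 2 and parts[0] == "action" and is_true(value):
            names.add(parts[1])
    return sorted(names)


def classify(entry: dict) -> dict:
    """Summarise one saved-search entry; 'category' answers the question in the thread."""
    content = entry["content"]
    acts = enabled_actions(content)
    creates_notable = "notable" in acts
    raises_risk = "risk" in acts
    if creates_notable:
        category = "notable+risk" if raises_risk else "notable"
    elif raises_risk:
        category = "risk-only"
    else:
        category = "other"
    return {
        "search_name": entry["name"],
        "app": entry.get("acl", {}).get("app", ""),
        "disabled": is_true(content.get("disabled", "0")),
        "actions": acts,
        "category": category,
    }


def correlation_searches(feed: dict) -> List[dict]:
    """Keep only entries flagged as correlation searches, like the SPL 'where match(...)'."""
    return [
        classify(e)
        for e in feed.get("entry", [])
        if is_true(e["content"].get("action.correlationsearch.enabled", "0"))
    ]


def summarize(feed: dict) -> Dict[str, List[str]]:
    """Map category -> sorted list of correlation search names."""
    buckets: Dict[str, List[str]] = {}
    for row in correlation_searches(feed):
        buckets.setdefault(row["category"], []).append(row["search_name"])
    return {k: sorted(v) for k, v in buckets.items()}


def fetch_saved_searches(base_url: str, token: str) -> dict:
    """Pull the live feed with a Splunk auth token (assumed deployment; not used offline)."""
    url = f"{base_url}/servicesNS/-/-/saved/searches?output_mode=json&count=0"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:  # TLS verified against the system trust store
        return json.load(resp)


def _entry(name: str, app: str, content: Dict[str, str]) -> dict:
    """Build one REST entry in the shape Splunk returns (constructed data)."""
    return {"name": name, "acl": {"app": app}, "content": content}


# Constructed sample feed: four saved searches, three of them correlation searches.
SAMPLE_FEED = {"entry": [
    _entry("Access - Constructed Brute Force - Rule", "SplunkEnterpriseSecuritySuite", {
        "action.correlationsearch.enabled": "1", "actions": "notable, risk",
        "action.notable": "1", "action.notable.param.severity": "high",
        "action.risk": "1", "disabled": "0"}),
    _entry("Endpoint - Constructed Rare Process - Rule", "DA-ESS-EndpointProtection", {
        "action.correlationsearch.enabled": "true", "actions": "risk",
        "action.notable": "0", "action.risk": "1", "disabled": "0"}),
    _entry("Audit - Constructed Email Only - Rule", "SA-AuditAndDataProtection", {
        "action.correlationsearch.enabled": "1", "actions": "email",
        "action.email": "1", "disabled": "1"}),
    _entry("Plain Saved Search", "search", {
        "action.correlationsearch.enabled": "0", "actions": "", "disabled": "0"}),
]}

if __name__ == "__main__":
    for row in correlation_searches(SAMPLE_FEED):
        print(f"{row['category']:13} {row['search_name']} ({row['app']}) actions={row['actions']}")
```

Run against a live instance with `summarize(fetch_saved_searches("https://splunk.example:8089", token))`; the 'disabled' flag is kept in each row so you can tell an inactive notable-producing rule from an active risk-only one.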
Thank you very much!!!!