Hi @gbam, I created this search (starting from a search from PS) to display active Correlation Searches with some information, as well as Adaptive Response Actions:

| rest splunk_server=local count=0 /servicesNS/-/-/saved/searches
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
| rename title AS search_name, eai:acl.app AS app, action.correlationsearch.annotations AS frameworks, action.correlationsearch.label AS label, action.notable.param.security_domain AS security_domain, action.notable.param.severity AS severity, dispatch.earliest_time AS earliest_time, dispatch.latest_time AS latest_time, action.notable.param.drilldown_searches AS drilldown, alert.suppress AS throttle, alert.suppress.period AS throttle_period, alert.suppress.fields AS throttle_fields
| table search_name, app, description, frameworks, disabled, label, security_domain, severity, actions, cron_schedule, earliest_time, latest_time, search, drilldown, throttle, throttle_period, throttle_fields
| spath input=frameworks
| rename mitre_attack{} AS mitre_attack, nist{} AS nist, cis20{} AS cis20, kill_chain_phases{} AS kill_chain_phases
| table app, search_name, label, description, disabled, security_domain, severity, mitre_attack, nist, cis20, kill_chain_phases, actions, cron_schedule, earliest_time, latest_time, throttle, throttle_period, throttle_fields
| sort label

You can create your own, starting from this and adapting it to your requirements.

Ciao.
Giuseppe
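The same inventory can be built outside the search bar, for example in a scheduled script that reports which correlation searches are enabled, which Adaptive Response actions they trigger and which MITRE ATT&CK / NIST / CIS / kill-chain annotations they carry. The Python below is an added example, not Giuseppe's SPL and not Splunk's own code. It assumes the JSON shape returned by `GET /servicesNS/-/-/saved/searches?output_mode=json` (an `entry` list whose items carry `name`, `acl.app` and `content`; in that output the app field is `acl.app`, not the `eai:acl.app` name the `rest` command produces). The response below is constructed for the example, and the enabled-flag test is a strict version of the post's regex (only `1`, `t` or `true`, case-insensitive, rather than a substring match).

```python
"""Inventory enabled ES correlation searches from a saved/searches REST response (added example)."""
import json

# Constructed sample in the assumed shape of .../saved/searches?output_mode=json
SAMPLE_RESPONSE = {
    "entry": [
        {
            "name": "Threat - Brute Force Access Behavior Detected - Rule",
            "acl": {"app": "SplunkEnterpriseSecuritySuite"},
            "content": {
                "action.correlationsearch.enabled": "1",
                "action.correlationsearch.label": "Brute Force Access Behavior Detected",
                "action.correlationsearch.annotations": json.dumps({
                    "mitre_attack": ["T1110"], "kill_chain_phases": ["Exploitation"],
                    "nist": ["DE.AE"], "cis20": ["CIS 16"]}),
                "action.notable.param.security_domain": "access",
                "action.notable.param.severity": "medium",
                "actions": "notable, risk",          # comma-separated list of response actions
                "disabled": False,
                "cron_schedule": "*/5 * * * *",
                "dispatch.earliest_time": "-65m@m",
                "dispatch.latest_time": "-5m@m",
                "alert.suppress": "1",
                "alert.suppress.period": "86400s",
                "alert.suppress.fields": "src",
                "search": "| tstats count from datamodel=Authentication where Authentication.action=failure by Authentication.src",
            },
        },
        {
            "name": "Access - Excessive Failed Logins - Rule",
            "acl": {"app": "SA-AccessProtection"},
            "content": {
                "action.correlationsearch.enabled": "true",
                "action.correlationsearch.label": "Excessive Failed Logins",
                "action.correlationsearch.annotations": "not json",   # malformed on purpose
                "actions": "notable",
                "disabled": True,                    # enabled as a correlation search, but the saved search itself is off
                "cron_schedule": "0 * * * *",
            },
        },
        {   # ordinary scheduled report: no correlation-search flag, must be skipped
            "name": "Plain scheduled report",
            "acl": {"app": "search"},
            "content": {"actions": "email", "disabled": False, "search": "index=_internal | stats count"},
        },
    ]
}

ANNOTATION_KEYS = ("mitre_attack", "nist", "cis20", "kill_chain_phases")


def is_enabled_flag(value):
    """Strict form of the post's regex: only 1, t or true (any case) count as enabled."""
    return str(value).strip().lower() in {"1", "t", "true"}


def parse_annotations(raw):
    """Decode action.correlationsearch.annotations; missing or malformed JSON yields empty lists."""
    try:
        data = json.loads(raw) if raw else {}
    except (TypeError, ValueError):
        data = {}
    if not isinstance(data, dict):
        data = {}
    out = {}
    for key in ANNOTATION_KEYS:
        val = data.get(key, [])
        out[key] = [str(v) for v in val] if isinstance(val, list) else [str(val)]
    return out


def split_actions(raw):
    """'notable, risk' -> ['notable', 'risk']; empty string -> []."""
    return [a.strip() for a in str(raw or "").split(",") if a.strip()]


def correlation_search_inventory(response):
    """Rows equivalent to the post's final table, sorted by label."""
    rows = []
    for entry in response.get("entry", []):
        content = entry.get("content", {})
        if not is_enabled_flag(content.get("action.correlationsearch.enabled", "")):
            continue
        row = {
            "app": entry.get("acl", {}).get("app", ""),
            "search_name": entry.get("name", ""),
            "label": content.get("action.correlationsearch.label", ""),
            "description": content.get("description", ""),
            "disabled": bool(content.get("disabled", False)),
            "security_domain": content.get("action.notable.param.security_domain", ""),
            "severity": content.get("action.notable.param.severity", ""),
            "actions": split_actions(content.get("actions")),
            "cron_schedule": content.get("cron_schedule", ""),
            "earliest_time": content.get("dispatch.earliest_time", ""),
            "latest_time": content.get("dispatch.latest_time", ""),
            "throttle": is_enabled_flag(content.get("alert.suppress", "0")),
            "throttle_period": content.get("alert.suppress.period", ""),
            "throttle_fields": content.get("alert.suppress.fields", ""),
        }
        row.update(parse_annotations(content.get("action.correlationsearch.annotations")))
        rows.append(row)
    rows.sort(key=lambda r: r["label"].lower())
    return rows


if __name__ == "__main__":
    for r in correlation_search_inventory(SAMPLE_RESPONSE):
        print(f"{r['app']:30} {r['label']:40} disabled={r['disabled']} actions={r['actions']} mitre={r['mitre_attack']}")
```

The `disabled` column is kept separately from the correlation-search flag on purpose: a rule can be marked as a correlation search yet have its saved search switched off, and an inventory that only looked at `action.correlationsearch.enabled` would report it as active coverage.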