...searches which are being run. Correlation searches like "OT Sec- Execution Process Spawning cmd.exe" are enabled in our network, which are getting triggered when the SOC team opens any Chrome, e...
...ours I get results, however no notable events are created. Does the correlation search syntax need to be in a certain format to generate the notable event?
I have enabled several correlation searches in ES. Those searches run normally and return results as expected if I search them manually. However, those searches are not running as scheduled and never s...
...rc_ip$ , and it works fine. The notable event will pop into the Incident Review dashboard with the expected title of, "Excessive failed logins from 123.456.789.0"
However, some of my searches have renames a...
...uricata Alert Signature Title) Description: A medium severity alert ($signature_id$) was triggered on $src$ Notes: - Search runs every 5 minutes. - I save and enable the correlation search and I see t...
...ed index=notable and found 4 events for this correlation search in the last 30 days! Then I checked the same index for another correlation search that DOES generate notables in t...
If I create a correlation search that returns multiple results, each result creates a separate notable event. However, in some cases, we only want a single notable event to be created containing t...
Hi,
This question relates to:
- Splunk Enterprise 6.4.1
- Splunk Enterprise Security 4.1.1
I am trying to generate a list of existing correlation searches which includes the following d...