Hi, I have to create correlation searches in Splunk ES. My cron schedule will be `*/60 * * * *`. Is it better to use a real-time schedule or a continuous schedule? Is it necessary to fill the time r...
Hello,
I would like to request guidance on how to create a correlation search based on data provided by SANS Threat Intelligence from https://isc.sans.edu/block.txt
The malicious IPs f...
Hello,
Help me please. I'd like to define multiple searches or subsearches to merge all relevant information about alerts.
Interesting fields in search are the hosts - as managed_host field a...
Hi All,
There are a few risk notable events being generated on the Incident Review page as part of correlation searches being run.
How can we exclude a few users (who are from the SOC team) from correlation...
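One way to keep a known set of accounts out of a correlation search is to allowlist them through a lookup inside the search itself. The SPL below is an added example, not code from the post above or from Splunk ES: it assumes a CSV lookup named `soc_analysts` with a `user` column (hypothetical) and a CIM-compliant Authentication data model; the threshold of 20 failures is arbitrary.

```spl
| tstats `summariesonly` count AS failure_count
    FROM datamodel=Authentication.Authentication
    WHERE Authentication.action="failure"
    BY Authentication.user, Authentication.src
| rename Authentication.* AS *
| lookup soc_analysts user OUTPUTNEW is_soc_analyst
| where isnull(is_soc_analyst)
| where failure_count > 20
```

Rows whose `user` matches the lookup get `is_soc_analyst` populated and are dropped by the `isnull` test; everyone else flows on to the notable. The same effect without a lookup is `NOT user IN ("alice","bob")` in the `WHERE` clause, but a lookup is easier to maintain. Treat this as a deliberate blind spot: a compromised analyst account will never raise this notable, so prefer suppressing only the specific expected behaviour (a source host, a time window, or an Incident Review suppression) over exempting the whole account.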
Hi Splunkers. I'm looking for a way to delete a correlation search that has been created with the wrong name (as ES doesn't let you rename them). The CS is currently disabled, but I don't see a w...
Hello Splunkers,
I was wondering if there is a way to get the creation date of a correlation search.
If so, what is it, because I found nothing anywhere.
Thanks in a...
Here are the screenshots: In the Incident Review settings, I have already labeled the signature. Then in the Correlation Search content settings, I have also set the search query, which could result in f...
Hello, having defined multiple alerts before starting to use Enterprise Security, is there a way to convert the existing alerts to correlation searches? Instead of sending emails as a...
I'm looking at a sample correlation search called Abnormally High Number of HTTP Method Events By Src -
| tstats `summariesonly` count as web_event_count from datamodel=Web.Web by Web.src, W...
I want to create a scheduled search that will track the changes made to content under the Splunk Enterprise Security app. If someone modifies correlation searches, I want my query to capture it. Can t...
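Correlation searches are saved searches, and every create, edit or delete made through the UI or the REST API is recorded as a `POST` or `DELETE` against `saved/searches` in `splunkd_access`. The SPL below is an added example, not code from the post above or from Splunk ES, that pulls those REST calls out of `index=_internal` on the search head; the exclusions for `/dispatch` and `/acknowledge` (which are also POSTs against a saved search but only run or acknowledge it) and the `app` filter for `SplunkEnterpriseSecuritySuite` are assumptions about how the target deployment is laid out.

```spl
index=_internal sourcetype=splunkd_access method IN (POST, DELETE)
    uri="*/saved/searches/*"
    NOT uri="*/dispatch*" NOT uri="*/acknowledge*"
| rex field=uri "/servicesNS/(?<owner>[^/]+)/(?<app>[^/]+)/saved/searches/(?<saved_search>[^/?]+)"
| eval saved_search=urldecode(saved_search)
| search app="SplunkEnterpriseSecuritySuite" OR app="DA-ESS-*" OR app="SA-*"
| table _time user clientip method app saved_search status
| sort - _time
```

Schedule it hourly and write the result to a summary index or alert on it, because `_internal` retention is short and a change made by an attacker with admin rights would otherwise age out before anyone looks. Pair it with a periodic inventory so that the current state can be diffed, for example `| rest /servicesNS/-/-/saved/searches search="action.correlationsearch.enabled=1" | table title eai:acl.app updated search`, which lists every enabled correlation search, the app it lives in, its last-modified time and its SPL. Note that `updated` is the last modification time, not the creation time, so it does not answer the creation-date question above.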