Good afternoon, I hope you are well. I am migrating my alert environment from TheHive to start using ES. I would like to know and learn if, in ES, when creating Correlations, I can configure a f...
A question,
When we talk about correlation, is it necessarily because a query is being made in 2 or more sources?
Or is it also considered correlation when certain criteria are searched in a s...
Hello,
I would like to request guidance on how to create a correlation search based on data provided by SANS Threat Intelligence from https://isc.sans.edu/block.txt
The malicious IPs f...
Hi, I have to create correlation searches in Splunk ES. My cron schedule will be */60****. Is it better to use a real-time schedule or a continuous schedule? Is it necessary to fill the time r...
Hello,
Help me please. I'd like to define multiple searches or subsearches to merge all relevant information about alerts.
Interesting fields in search are the hosts - as managed_host field and...
Hello peeps,
Does anyone know a better accelerator command that can help to correlate data? I'm trying to correlate proxy server logs and AD logs. Please see my base search:
(index=p...
...essage and correlate between two. I am looking for numbers 272 and 1,856 from HERE and looking for sample1 and sample2 from THERE
Both HERE and THERE will have 272 in common, and that is the only one....
I have an index A and another index B. Logs in A have a correlation to logs in B, but the only common field between them is 'timestamp'. There is a field 'fa' in index A and a field 'fb' in index B. t...
Hello, our environment has this Linux server that continually gets hit with brute force attacks. I am trying to figure out where they are coming from. Since our servers are behind a NATed firewall ...
Hi All,
There are a few risk notable events getting generated in the Incident Review page as part of correlation searches being run.
How can we exclude a few users (who are from the SOC team) from correl...