Splunk Enterprise Security

Correlation Search does not fire an email or notable when it should

zpadams
New Member

I have this correlation search we use to help detect common potential web attacks in IIS logs. The problem is that while the correlation search is enabled, it does not fire off when a matching result is found. When we run the same search in a Search window for the same time frame, results are found that the correlation search missed. I cannot figure out why the Correlation Search does not fire.

This is the configuration of the correlation search we are running:

| tstats summariesonly=t count from datamodel=Web by _time, host, Web.uri_path, Web.uri_query, Web.http_user_agent, Web.src, Web.status 
| rename "Web.*" as * 
| makemv delim=";" attack_type 
| eval attack_type=(if(match(uri_path, "(?i)(javascript|vbscript|script|expression|applet|eval|phpinfo|iframe|frame|frameset)(?![a-z0-9\.]|$)"), mvappend(attack_type, "Script Inject"), attack_type)) 
| eval attack_type=(if(match(uri_query, "(?i)(javascript|vbscript|script|expression|applet|eval|phpinfo|iframe|frame|frameset)(?![a-z0-9\.]|$)"), mvappend(attack_type, "Script Inject"), attack_type)) 
| eval attack_type=(if(match(uri_query, "(?i)(select|union|insert|exec|replace|truncate)(?![a-z0-9]|$)"), mvappend(attack_type, "SQLi"), attack_type)) 
| eval attack_type=(if(match(uri_query, "(?i).*[^a-z]xp_.*"), mvappend(attack_type, "XP Call"), attack_type)) 
| eval attack_type=(if(match(uri_query, "(?i).*((\%3c)|<)((\%2f)|\/)*[a-z0-9\%]+((\%3e)|>).*"), mvappend(attack_type, "XSS"), attack_type)) 
| eval attack_type=(if(match(uri_query, "(?i).*(\/|\\|%2f|%5c)((\.|%2e)(?!\w)).*"), mvappend(attack_type, "Dir Traverse"), attack_type)) 
| eval attack_type=(if(match(uri_path, "(?i).*(\/|\\|%2f|%5c)((\.|%2e)(?!\w)).*"), mvappend(attack_type, "Dir Traverse"), attack_type)) 
| eval attack_type=(if(match(http_user_agent, "(?i)^\(\)(\+|\s)"), mvappend(attack_type, "Shellshock"), attack_type)) 
| search attack_type=* NOT uri_query="*<br/>*" NOT http_user_agent="*bingbot*" NOT 
[| inputlookup Security_IPs.csv 
 | table c_ip 
 | rename c_ip as src]

Earliest Time: 10m@m
Latest Time: @m
Cron Schedule: Run every 10 minutes
Scheduling: Real-Time
Schedule Window: 0
Schedule Priority: Default

Trigger alert when: Number of results is greater than 0

An email and a notable are set to generate. The email is set to go to my corporate mailbox.

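To separate "do the regexes match the events I expect" from "is the scheduled run seeing those events at all", here is an added Python re-implementation of the eval chain and the closing exclusion filter, run over constructed sample events. This is example code, not part of the original post; the Security_IPs set and the sample events are made up for it.

```python
import re

# Regexes copied from the correlation search above. Splunk's match() is
# PCRE-based and Python's re accepts these constructs unchanged.
KEYWORD_INJECT = r"(?i)(javascript|vbscript|script|expression|applet|eval|phpinfo|iframe|frame|frameset)(?![a-z0-9\.]|$)"
SQLI = r"(?i)(select|union|insert|exec|replace|truncate)(?![a-z0-9]|$)"
XP_CALL = r"(?i).*[^a-z]xp_.*"
XSS = r"(?i).*((\%3c)|<)((\%2f)|\/)*[a-z0-9\%]+((\%3e)|>).*"
DIR_TRAVERSE = r"(?i).*(\/|\\|%2f|%5c)((\.|%2e)(?!\w)).*"
SHELLSHOCK = r"(?i)^\(\)(\+|\s)"

# (field, pattern, label), in the same order as the eval chain in the search.
RULES = [
    ("uri_path", KEYWORD_INJECT, "Script Inject"),
    ("uri_query", KEYWORD_INJECT, "Script Inject"),
    ("uri_query", SQLI, "SQLi"),
    ("uri_query", XP_CALL, "XP Call"),
    ("uri_query", XSS, "XSS"),
    ("uri_query", DIR_TRAVERSE, "Dir Traverse"),
    ("uri_path", DIR_TRAVERSE, "Dir Traverse"),
    ("http_user_agent", SHELLSHOCK, "Shellshock"),
]

# Stand-in for the Security_IPs.csv lookup (constructed for this example).
SECURITY_IPS = {"10.0.0.5"}

def classify(event):
    """Return the attack_type values the eval chain produces, repeats included, as mvappend would."""
    return [label for field, pattern, label in RULES
            if re.search(pattern, event.get(field, ""))]

def would_alert(event):
    """Mirror the closing '| search attack_type=* NOT ...' filter (Splunk compares values case-insensitively)."""
    ua = event.get("http_user_agent", "").lower()
    return (bool(classify(event))
            and "<br/>" not in event.get("uri_query", "").lower()
            and "bingbot" not in ua
            and event.get("src") not in SECURITY_IPS)

# Constructed sample events shaped like the Web data model fields after the rename.
UA = "Mozilla/5.0"
SAMPLE_EVENTS = {
    "sqli": {"uri_path": "/product.aspx", "uri_query": "id=1 union select 1,2", "http_user_agent": UA, "src": "203.0.113.7"},
    "xss": {"uri_path": "/search.aspx", "uri_query": "q=<script>alert(1)</script>", "http_user_agent": UA, "src": "203.0.113.8"},
    "traversal": {"uri_path": "/download.aspx", "uri_query": "file=..%2f..%2fweb.config", "http_user_agent": UA, "src": "203.0.113.9"},
    "shellshock": {"uri_path": "/cgi-bin/status", "uri_query": "", "http_user_agent": "() { :; }; echo test", "src": "203.0.113.10"},
    "allowlisted": {"uri_path": "/product.aspx", "uri_query": "id=1 union select 1,2", "http_user_agent": UA, "src": "10.0.0.5"},
    "benign": {"uri_path": "/scripts/app.js", "uri_query": "v=1.2.3", "http_user_agent": UA, "src": "203.0.113.11"},
}
```

If an event that is tagged here does not produce a notable from the scheduled run, the regexes are not the problem, which points at the time window or the accelerated data the tstats call reads rather than at the detection logic.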

zpadams
New Member

I was asked by a co-worker to set the correlation search to look at the last 24 hours, but set the inline search to limit the results from the last 10 minutes.

I used the "minutesago" and "earliest" time variables, and neither worked.
