Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Enterprise Security: Can I use correlation search to search for IoC?

kkkelvinkk
New Member
‎04-12-2017 10:05 AM

Hi all,

I am now researching Splunk Enterprise Security. From my understanding, it is an app with some dashboard, which integrate some pre-defined correlation query, CIM and other App. I would like to know if correlation search is actually a "search query" that I can use to search for IoC (Inversion of Control)?

Also, for the security posture dashboard, will it show all the correlation search that hits the condition? Let's say the enabled correlation search only has 5 results. Will these 5 results will all be shown in security posture dashboard?
Thanks all.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hardikJsheth
Motivator
‎04-12-2017 11:00 AM

Yes, Correlation searches are actually search queries which generates notable events. The security posture shows Notable events. Please note it's not necessary that all the results from your search are added to notable index. This depends on the configuration of suppression within correlation search. You can definately write your own correlation search.

The ES app has number of inbuilt framework such as Correlation Search, Risk Score, Extreme Search and Threat Analysis Framework.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

kkkelvinkk
New Member
‎04-13-2017 02:35 AM

Thanks. Is "configuration of suppression within correlation search" means selected the option "Create notable event" ?

0 Karma
Reply
Solved! Jump to solution

hardikJsheth
Motivator
‎04-13-2017 04:37 AM

Throttlling under Trigger Conditions. There are two fields time window and fields to group by.

0 Karma
Reply
Solved! Jump to solution
Solution

hardikJsheth
Motivator
‎04-12-2017 11:00 AM

Yes, Correlation searches are actually search queries which generates notable events. The security posture shows Notable events. Please note it's not necessary that all the results from your search are added to notable index. This depends on the configuration of suppression within correlation search. You can definately write your own correlation search.

The ES app has number of inbuilt framework such as Correlation Search, Risk Score, Extreme Search and Threat Analysis Framework.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...