Correlation search overview for Splunk Enterprise Security

A correlation search scans multiple data sources for defined patterns. When the search finds a pattern, it performs an adaptive response action. Correlation searches can search many types of data sources, including events from any security domain (access, identity, endpoint, network), asset lists, identity lists, threat intelligence, and other data in the Splunk platform. The searches then aggregate the results of an initial search with functions in SPL, and take action in response to events that match the search conditions with an adaptive response action.

To create a correlation search, see Create a correlation search in Splunk Enterprise Security Tutorials. To set up or modify correlation searches in your environment, see Configuring correlation searches.

In Splunk Enterprise Security version 7.0.1 and higher, all available correlation searches are displayed on the Incident Review page whether they create notables or not. This might cause minor performance issues on the Incident Review page. Upgrade to Splunk Enterprise Security version 7.0.2 or higher for better performance.

Examples of what a correlation search can do:

- Identify an access attempt from an expired account by correlating a list of identities with an attempt to authenticate into a host or device.
- Identify a high number of hosts with a specific malware infection, or a single host with a high number of malware infections, by correlating an asset list with events from an endpoint protection system.
- Identify a pattern of a high number of authentication failures on a single host, followed by a successful authentication, by correlating a list of identities with attempts to authenticate into a host or device.
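The following is an added example, not code from the page or from Splunk: it implements two of the correlation patterns listed above (the expired-account check and the failures-then-success check) in plain Python, so the logic can be read and run outside the platform. The identity list, the event schema (`ts`, `user`, `host`, `action`), the host names and the threshold and window values are all constructed assumptions for the example; a real correlation search would express the same correlation in SPL against the identity lookup and authentication data model.

```python
"""Two correlation checks over a constructed identity list and
constructed authentication events (added example, not Splunk code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed identity list: username -> account end date (None = active).
IDENTITIES = {
    "alice": {"end_date": None},
    "bob": {"end_date": datetime(2023, 1, 31)},  # hypothetical expired account
}

# Constructed authentication events with hypothetical users and hosts:
# 12 failures for alice on web01 in under a minute, then a success.
EVENTS = [
    {"ts": datetime(2023, 3, 1, 9, 0, 0) + timedelta(seconds=i * 5),
     "user": "alice", "host": "web01", "action": "failure"}
    for i in range(12)
] + [
    {"ts": datetime(2023, 3, 1, 9, 1, 30), "user": "alice", "host": "web01", "action": "success"},
    {"ts": datetime(2023, 3, 1, 9, 5, 0), "user": "bob", "host": "db01", "action": "success"},
    {"ts": datetime(2023, 3, 1, 9, 6, 0), "user": "alice", "host": "db01", "action": "failure"},
    {"ts": datetime(2023, 3, 1, 9, 6, 30), "user": "alice", "host": "db01", "action": "success"},
]


def failures_then_success(events, threshold=10, window=timedelta(minutes=10)):
    """Flag a successful authentication on a host that was preceded by at
    least `threshold` failures on that host within `window`.

    Events are processed in time order; each host keeps a queue of recent
    failure timestamps so the window check is O(1) amortized per event.
    """
    recent = defaultdict(deque)  # host -> timestamps of failures in window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["host"]]
        # Expire failures that fell out of the window before this event.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["action"] == "failure":
            q.append(ev["ts"])
        elif ev["action"] == "success" and len(q) >= threshold:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "failures": len(q), "ts": ev["ts"]})
            q.clear()  # one alert per burst, not one per later success
    return alerts


def expired_account_access(events, identities):
    """Flag any authentication attempt (success or failure) by an account
    whose end date in the identity list is before the attempt."""
    alerts = []
    for ev in events:
        ident = identities.get(ev["user"])
        if ident is None:
            continue  # unknown identity; out of scope for this check
        end = ident["end_date"]
        if end is not None and ev["ts"] > end:
            alerts.append({"user": ev["user"], "host": ev["host"],
                           "ts": ev["ts"], "end_date": end})
    return alerts


if __name__ == "__main__":
    for a in failures_then_success(EVENTS):
        print("failures-then-success:", a)
    for a in expired_account_access(EVENTS, IDENTITIES):
        print("expired-account access:", a)
```

Both functions return the matching records rather than printing them, so the same output can feed whatever response step follows the detection; the queue clear after an alert is the part that keeps a single burst from producing one notable per subsequent login.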