Local Tech Repair: How to create notable events via correlation search/manually in Splunk

Sunday, August 21, 2016

How to create notable events via correlation search/manually in Splunk

One of the main things you do with Splunk Enterprise Security is work out of the Incident Review dashboard. You can customize it to be as helpful as possible when threat hunting. One way is to automate your searches so that they create notable events on their own and you don't have to keep looking for them by hand.



To be able to create a Correlation Search you will want to go to ES -> Configure -> Content Management


From there you will want to Create New Content -> Correlation Search




From here we need something to put in it.
Let's take a simple example: detecting brute forcing in the network that falls outside of normal activity.
Let's say we searched Splunk for statistics over a 90 day period to give our organization a good baseline:
index=winevents* (EventCode=4625 Sub_Status=0xc000006a) OR EventCode=529 user=* |bin _time span=1h | stats count by _time | stats perc80(count), perc95(count), perc99(count), perc99.9(count), avg(count)
The 99.9th percentile came out at 12900, which is fairly anomalous, so the search shouldn't trigger too often unless something is actually happening, be it a misconfiguration or an actual attack; both would be useful to know about.
We can then create a correlation search with that information:
index=winevents* (EventCode=4625 Sub_Status=0xc000006a) OR EventCode=529 user=* | stats count | where count > 12900 | `get_event_id` | `map_notable_fields`

With that information we can start filling out the correlation search details.
Name: excessive login failures
Description: Detected a high number of login failures
Search: index=winevents* (EventCode=4625 Sub_Status=0xc000006a) OR EventCode=529 user=* | stats count | where count > 12900 | `get_event_id` | `map_notable_fields`
Start Time: -65m
End Time: -5m
Cron Schedule: 0 * * * *

Check Create Notable Event
Fill out the information there like you would want it to show up in IR.
Title: excessive login failures
Description: Detected a high number of login failures
Security Domain: Access
Severity: whatever you feel it should be
Drill Down Search: index=winevents* (EventCode=4625 Sub_Status=0xc000006a) OR EventCode=529 user=*

If you use the Risk Scoring you can fill out that information to further give more weighting to it.

Once this is saved Splunk will start to create IR events whenever the threshold of our where statement is passed.
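To make the baseline and threshold logic above concrete outside Splunk, here is an added Python example (not from the original post and not Splunk's own code) that reproduces the hourly binning, the percentile baseline and the Start -65m / End -5m window check over constructed sample events. The nearest-rank percentile is an approximation of Splunk's perc functions, and the event tuples, the sample data and the threshold used are assumptions.

```python
"""Baseline and threshold logic of the correlation search, reproduced outside Splunk.
Constructed sample events stand in for the winevents* index; nearest-rank
percentiles approximate Splunk's perc<N>(count) functions (an assumption)."""
import math
from collections import Counter
from datetime import datetime, timedelta

def is_failed_logon(event_code, sub_status):
    """(EventCode=4625 Sub_Status=0xc000006a) OR EventCode=529"""
    return (event_code == 4625 and sub_status == "0xc000006a") or event_code == 529

def hourly_counts(events):
    """| bin _time span=1h | stats count by _time"""
    counts = Counter()
    for ts, code, sub in events:
        if is_failed_logon(code, sub):
            counts[ts.replace(minute=0, second=0, microsecond=0)] += 1
    return counts

def percentile(values, p):
    """Nearest-rank percentile over the hourly counts."""
    ordered = sorted(values)
    return ordered[max(1, math.ceil(p / 100 * len(ordered))) - 1]

def baseline(events):
    """| stats perc80(count), perc95(count), perc99(count), perc99.9(count), avg(count)"""
    vals = list(hourly_counts(events).values())
    out = {"perc%g" % p: percentile(vals, p) for p in (80, 95, 99, 99.9)}
    out["avg"] = sum(vals) / len(vals) if vals else 0.0
    return out

def correlation_search(events, run_hour, threshold):
    """Scheduled run at BASE + run_hour with Start -65m / End -5m, then
    | stats count | where count > threshold. Returns (count, fires)."""
    latest = BASE + timedelta(hours=run_hour)
    start, end = latest - timedelta(minutes=65), latest - timedelta(minutes=5)
    count = sum(1 for ts, code, sub in events
                if start <= ts < end and is_failed_logon(code, sub))
    return count, count > threshold

# Constructed history: 100 hours of 3-6 failures per hour, hour 42 has 50.
BASE = datetime(2016, 8, 1)
SAMPLE = [(BASE + timedelta(hours=h, minutes=i), 4625, "0xc000006a")
          for h in range(100) for i in range(50 if h == 42 else 3 + h % 4)]
SAMPLE.append((BASE + timedelta(hours=10, minutes=5), 4625, "0xc000006b"))  # other sub-status: ignored
SAMPLE.append((BASE + timedelta(hours=11, minutes=5), 529, None))           # legacy 529: counted
# Constructed burst: 90 failures inside hour 120, well above the history's 99.9th percentile.
BURST = [(BASE + timedelta(hours=120, seconds=30 * i), 4625, "0xc000006a") for i in range(90)]
```

Using the history's 99.9th percentile (50 here) as the where-clause threshold, the burst hour fires while hour 42, which sits exactly at the percentile, does not, because the comparison is a strict greater-than.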


Another thing you can do is create notable events manually. You can do this in two different ways. First, you can go to ES -> Configure -> Incident Management -> New Notable Event.
This gives you the raw form with the information needed to create one.


The second way is to use an event from a search. Once you have your search results back, expand an event and click Event Actions -> Create Notable Event, which brings you to the same screen as before. This lets you create IR events that can be fed into an investigation, or simply spread the work around and keep track of things that don't have a correlation search built for them yet.

Hope this helps you with your Splunking.