Create new correlation searches
You can create your own correlation searches to create notable events that you want to have stored in the notable index and to appear on the Incident Review dashboard.
Create a custom correlation search using the Content Management page. For this example, create a correlation search for Splunk_DA-ESS_PCICompliance.
- Select Configure > Content Management.
- Select Create new content > Correlation Search.
- Type a search name. Include a domain in the search name if you want.
- Set the Application Context as PCI Compliance.
- Create a search with the guided search wizard.
- Fill out the rest of the fields on the page.
- Click Save.
For assistance creating correlation searches, see Create a correlation search in Splunk Enterprise Security Tutorials.
Configure thresholds for correlation searches
Correlation searches use thresholds to set the number of security events of a specified type that must occur to trigger a notable event. You can configure the thresholds for these searches based on the typical number of events in your environment.
For example, the Malware Outbreak Detected correlation search triggers when the number of new infections within the last 24 hours exceeds the threshold, alerting you when an organization-wide issue is developing. However, this correlation search may need to be adjusted to reflect the size and load of your environment. A large enterprise might consider ten new infections within a 24-hour period an outbreak, whereas a small company might consider only 3 new infections an outbreak. The threshold sets the number of infections that correlation search considers noteworthy.
Threshold settings are best configured after developing a baseline of security events. Index two weeks of data before finalizing the baseline settings. Thresholds need to be adjusted over time as the network changes.
Add governance to a correlation search
Map new or existing correlation searches to the relevant PCI DSS controls by adding governance to the search.
Perform these steps in the same directory as the savedsearches.conf file where the search exists. For example, /Applications/splunk/etc/apps/Splunk_DA-ESS_PCICompliance/local.
- Create a
governance.conffile./Applications/splunk/etc/apps/Splunk_DA-ESS_PCICompliance/local/governance.conf - Copy the stanza for the custom correlation search from the
savedsearches.conffile and paste it into thegovernance.conffile.[PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted – Rule] - Add a compliance control mapping by adding a governance and control line under the correlation search stanza. For example, this correlation search applies for all systems in your environment. compliance.0.governance = pcicompliance.0.control = 1.3.3
- (Optional) Add a tag value to specify a tag that must be present in the notable event in order for the governance and control mapping to be applied. For example, the results of this correlation search matter for PCI compliance only if the deleted account is related to PCI. compliance.0.governance = pci compliance.0.control = 8.5compliance.0.tag = pci
- (Optional) Add additional compliance control mappings, incrementing the number to indicate an additional mapping. For example, this results of this search are relevant for both the 1.3.3 control and the 1.3.2 control. compliance.0.governance = pcicompliance.0.control = 1.3.3compliance.1.governance = pcicompliance.1.control = 1.3.2
- Save the file. The results take effect the next time the correlation search matches and creates a notable event.
Notable events must contain a tag value for governance to be applied based on the tag field. Notable events can contain a tag value if:
- The correlation search results contain a tag field. For example,
values(Authentication.tag) as tagis contained in the correlation search syntax. - The correlation search results contain a field that is correlated with the asset and identity lookups, and the lookup contains a category value for the asset or identity.