One major question I get when tuning searches onsite with customers is: “How do we make sure that we are not overrun with notables within our Splunk Enterprise Security (ES) SIEM?” This is an important question, because if left unchecked, notables become white noise to security analysts already overwhelmed by information overload.
In this blog, we will be discussing the art of tuning correlation searches within ES. We will look at three out-of-the-box ES correlation searches and how I would suggest tuning them so that their notables fire less often and, as a result, analyst attention is directed to more critical incidents.
Aditum’s Splunk Professional Services consultants can assist your team with best practices to optimize your Splunk deployment and get more from Splunk.
Our certified Splunk Architects and Splunk Consultants manage successful Splunk deployments, environment upgrades and scaling, dashboard, search, and report creation, and Splunk Health Checks. Aditum also has a team of accomplished Splunk Developers that focus on building Splunk apps and technical add-ons.
Contact us directly to learn more.
The Art of Tuning Correlation Searches within Enterprise Security - July 12, 2019