Skip to main content
Splunk Lantern

Prescriptive Adoption Motion - Security monitoring with correlation and content


Security monitoring is the continuous observation and analysis of an organization's systems, networks, and digital assets to detect and respond to security incidents. It involves monitoring security events, logs, network traffic, and other data sources in real-time to identify threats and vulnerabilities. The main objective is to safeguard sensitive information, infrastructure, and resources by gaining visibility into the environment, detecting suspicious activities, and responding promptly. The Splunk platform enhances security monitoring by enabling real-time incident detection and response, improving investigation capabilities, and providing actionable insights for threat protection.

Splunk correlation involves analyzing relationships between different events or data points. This process searches through vast amounts of machine-generated data, such as logs, metrics, and events, from diverse sources. By identifying patterns and trends, correlation helps in detecting potential security threats, operational issues, or anomalies. Enhancing your security monitoring process with Splunk's correlation capabilities provides organizations with a comprehensive and scalable solution for managing security data, gaining actionable insights, and effectively protecting against threats.

The correlation process includes collecting and ingesting data, indexing it for search and analysis, and then applying various techniques such as statistical analysis, data visualization, and machine learning algorithms to identify correlations and anomalies. By correlating data from different sources, the Splunk platform can provide insights into complex and multi-dimensional events and trends that would otherwise be difficult to detect or understand.

Using the security content developed by the Splunk Threat Research Team that is available in the Splunk ES Content Updates (ESCU) and Splunk Security Essentials (SSE) apps brings additional power to your correlation searches. This content includes dashboards, reports, correlation searches, and other tools that help organizations detect, investigate, and respond to security threats. The primary purpose of Splunk Enterprise Security content updates is to ensure that organizations have access to the latest and most effective security content. This includes updates to existing content, such as new correlation searches or dashboards, as well as the addition of entirely new content to address emerging threats or new security challenges.

The benefits of using correlation and content include:

  • Improved threat detection. Identify threats that may be missed by traditional signature-based detection methods. By correlating data from multiple sources, security teams can uncover hidden relationships between events that might indicate malicious activity.
  • Faster incident response. By providing real-time alerts and automated responses, Splunk Enterprise Security can help reduce the time needed to detect and respond to security threats.
  • Customizable rules. Create custom correlation rules that are tailored to your specific environment and security needs. This enables you to detect threats that are unique to your organization and industry.
  • Comprehensive visibility. Achieve visibility into security events and threats across your organization's entire IT infrastructure. This allows security teams to identify and address security risks across all systems and applications.
  • Up-to-date threat intelligence. Get up-to-date information on the latest threats and vulnerabilities, including indicators of compromise (IOCs), attack methods, and malware families. This allows organizations to stay ahead of emerging threats and respond more effectively to security incidents.
  • Customizable content. Access content that suits your organization's specific needs and environment. This enables you to focus on the threats that are most relevant to you and to tailor your security strategy accordingly.
  • Comprehensive coverage. Review content that covers a wide range of threat categories, including malware, phishing, ransomware, and more. This provides you with comprehensive coverage of the threat landscape and helps ensure that you are well-prepared to defend against a variety of attacks.
  • Access to expert knowledge. Splunk threat research content is created by a team of experienced security researchers and analysts. This provides organizations with access to expert knowledge and insights that can help them better understand the threat landscape and develop more effective security strategies.

Aim and strategy

Enriching your Splunk correlation searches with security content can help you detect and respond to security threats more effectively. By enriching your Splunk correlation searches with relevant security content, you can improve your ability to detect and respond to security threats more effectively. This can help you stay ahead of emerging threats and protect your organization from potential cyber attacks.

Splunk correlation searches in Splunk Enterprise Security provide a powerful tool for your security team to improve their threat detection capabilities, reduce incident response times, and better protect your organization against cyber threats. It also provides a valuable resource for organizations looking to stay ahead of the latest threats and protect themselves against cyber attacks. By leveraging this content, organizations can improve their security posture and better defend themselves against the ever-evolving threat landscape.

Common use cases

There are over a thousand detections developed by Splunk to use in numerous use cases. Some of these include: 

  • Supply chain attacks
  • AWS cross-account activity
  • Active Directory Kerberos attacks
  • Windows and Linux privilege escalation
  • Suspicious emails

User roles

Role Responsibilities

Lead Security Analyst

Defines security use cases and analyst workflows, correlation searches, and content development strategy
SOC Analyst Conducts investigations and uses case management and collaboration to address threats and risks
Splunk Admin Applies configuration changes, app installation and maintenance, and user or permissions changes


1. Prerequisites

For the most up-to-date detections and content for your Splunk Enterprise Security environment, we recommend you have the latest versions of the ES Content Updates & Splunk Security Essentials apps.

4. Considerations

Implementing new use cases using content and correlations may require additional data sources. It is important to consider which data sources are required and follow the steps necessary to ingest the data correctly. Adding additional data sources for your correlations is an important step to adding context and gaining insights into security events.

Implementation guide

Here are some steps you can follow to use security content to enrich your correlation searches:

  • Identify your security use case. Start by identifying your specific security use case, such as detecting malware infections or identifying phishing attacks. This will help you determine which security content you need to enrich your correlation searches.
  • Search for relevant security content. Use Splunkbase to search for relevant security content, such as pre-built correlation searches or apps that provide threat intelligence feeds. You can also explore the Splunk Enterprise Security content library, which provides a wide range of pre-built security content.
  • Select relevant correlation searches. Use the Splunk Enterprise Security content library to search for relevant correlation searches that match your use case. You can filter by use case or search for specific terms.
  • Install and configure security content. After you have identified relevant security content, install and configure it to work with your Splunk instance. This might involve installing apps, configuring inputs, or setting up data feeds.
  • Configure correlation searches. After you have identified relevant correlation searches, configure them to work with your Splunk instance. This might involve adjusting search parameters, specifying search intervals, or setting up alerting thresholds.
  • Test correlation searches. Before deploying correlation searches in a production environment, test them in a non-production environment to ensure they are providing meaningful results and not generating excessive false positives.
  • Deploy correlation searches. After you are confident the correlation searches are working effectively, deploy them in your production environment. This might involve integrating them with other security content, such as threat intelligence feeds or pre-built dashboards.
  • Monitor and maintain correlation searches. After the correlation searches are deployed, it's important to monitor and maintain them to ensure they continue to work effectively. This might involve adjusting thresholds or fine-tuning search parameters to ensure the content provides meaningful results.

Implementing Splunk Enterprise Security content updates involves several steps, including configuring your Splunk instance to receive and install updates, reviewing the new content, and testing and validating the updates before deploying them. Follow the documentation for all detailed installation instructions.

Here's a general guide to implementing ES content updates:

  1. Configure your Splunk instance to receive updates. To receive ES content updates, you need to configure your Splunk instance to connect to the Splunk update server. You can do this by navigating to Settings > General > Software Updates and selecting "Splunk Enterprise Security Content Updates".
  2. Review available updates. After your Splunk instance is configured to receive updates, you can review the available updates by navigating to Settings > Update > Check for Updates. This displays a list of available updates, including new correlation searches, dashboards, and other security content.
  3. Test updates in a non-production environment. Before deploying updates to your production environment, it's a good idea to test them in a non-production environment to ensure they work as expected and don't cause any issues. You can create a separate instance of Splunk to test updates or use a sandbox environment.
  4. Validate and deploy updates. After you have tested the updates and are confident they will work in your production environment, you can validate and deploy them. This might involve updating correlation searches, dashboards, or other security content in your existing Splunk instance.
  5. Monitor and maintain updates. After the updates are deployed, it's important to monitor and maintain them to ensure they continue to work effectively. This might involve adjusting thresholds or fine-tuning search parameters to ensure the content is providing meaningful results.

By regularly updating your security content, you can stay ahead of the latest threats and vulnerabilities and improve your overall security posture.

Success measurement

When implementing this guidance, you should see improvements in the following:

  • Number of detections available. By increasing your content and available detection coverage, your ability to detect varying types of threats will increase. This can bring faster mean times to detect and remediate threats in your environment.
  • Data inventory. When your data inventory is conducted in Splunk Security Essentials, you gain visibility into the data types and associated detections you can perform with your data. It also provides you with the information on which data sources you may be missing in order to detect certain types of threats.
  • Number of correlation searches performed. Overall, the number of correlations may increase as you implement additional detections. This widens your coverage of emerging threats and allows you to gain additional insight into the activity on your network.