Splunk ES Correlation Searches (Rules) Best & Cool Practices

Alex Teixeira
1 min readJan 15, 2024

The following document is by far the top accessed resource from my solo business website. Since its first release in late 2020 I’ve received lots of feedback and suggestions.

https://github.com/inodee/threathunting-spl/blob/master/Splunk%20ES%20Correlation%20Searches%20Best%20Practices%20v1.3.pdf

What's it about?

It's a 15-page PDF covering the challenges you encounter when writing or maintaining correlation searches in Splunk's Enterprise Security App (ES).

Topics include:

  • Defining dynamic drilldown searches
  • Leveraging advanced Incident Review features
  • How to deal with alert exception scenarios
  • How to use Workflow Actions (use cases)
  • Many SPL tricks for Detection Engineers

Version v1.3 is packed with revised practical SPL tips for Splunk users, especially the ones using Splunk ES.

Workshops & Training

Just recently, I have started delivering live/in-person workshops for enterprise SOC and Detection Engineering teams but started to get interest from Splunk partners as well.

In case you are interested, feel free to reach out so that I can send you a comprehensive list of the topics (syllabus) and more info.

Happy Splunking!

--

--

Alex Teixeira
Alex Teixeira

Written by Alex Teixeira

I design and build detection and SIEM/EDR/XDR content for Enterprise #SecOps teams #DetectionEngineering http://opstune.com

Responses (1)