Splunk ES Correlation Searches (Rules) Best & Cool Practices
The following document is by far the most accessed resource on my solo business website. Since its first release in late 2020, I've received lots of feedback and suggestions.
What's it about?
It's a 15-page PDF covering the challenges you encounter when writing or maintaining correlation searches in Splunk's Enterprise Security App (ES).
Topics include:
- Defining dynamic drilldown searches
- Leveraging advanced Incident Review features
- How to deal with alert exception scenarios
- How to use Workflow Actions (use cases)
- Many SPL tricks for Detection Engineers
Version v1.3 is packed with revised, practical SPL tips for Splunk users, especially those using Splunk ES.
Workshops & Training
Just recently, I have started delivering live, in-person workshops for enterprise SOC and Detection Engineering teams, and have started to get interest from Splunk partners as well.
In case you are interested, feel free to reach out so that I can send you a comprehensive list of the topics (syllabus) and more info.
Happy Splunking!