List all ES Correlation Searches

• Enterprise Security/ Fun Stuff & Helpful Hints
• akhamis
• 1 0

| rest splunk_server=local count=0 /services/saved/searches | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") | rex field=action.customsearchbuilder.spec "datamodel\\\":\s+\\\"(?<Data_Model>\w+)" | rex field=action.customsearchbuilder.spec "object\\\":\s+\\\"(?<Dataset>\w+)" | rename action.correlationsearch.label as Search_Name title as Rule_Name eai:acl.app as Application_Context request.ui_dispatch_app as UI_Dispatch_Context description as Description Data_Model as Guided_Mode:Data_Model Dataset as Guided_Mode:Dataset action.customsearchbuilder.enabled as Guided_Mode action.customsearchbuilder.spec as Guided_Mode:Search_Logic search as Search dispatch.earliest_time as Earliest_Time dispatch.latest_time as Latest_Time cron_schedule as Cron_Schedule schedule_window as Schedule_Window schedule_priority as Schedule_Priority alert_type as Trigger_Conditions:Trigger_Alert_When alert_comparator as Trigger_Conditions:Alert_Comparator alert_threshold as Trigger_Conditions:Alert_Threshold alert.suppress.period as Throttling:Window_Duration alert.suppress.fields as Throttling:Fields_To_Group_By action.notable.param.rule_title as Notable:Title action.notable.param.rule_description as Notable:Description action.notable.param.security_domain as Notable:Security_Domain action.notable.param.severity as Notable:Severity action.notable.param.default_owner as Notable:Default_Owner action.notable.param.default_status as Notable:Default_Status action.notable.param.drilldown_name as Notable:Drill-down_Name action.notable.param.drilldown_search as Notable:Drill-down_Search action.notable.param.drilldown_earliest_offset as Notable:Drill-down_Earliest_Offset action.notable.param.drilldown_latest_offset as Notable:drill-down_Latest_Offset action.notable.param.next_steps as Notable:Next_Steps action.risk.param._risk_score as Risk_Analysis:Risk_Score action.risk.param._risk_object as Risk_Analysis:Risk_Object_Field action.risk.param._risk_object_type as Risk_Analysis:Risk_Object_Type | eval Guided_Mode:Enabled = if(Guided_Mode == 1, "Yes", "No") | eval Real-time_Scheduling_Enabled = if(realtime_schedule == 1, "Yes", "No") | table disabled Search_Name, Rule_Name, Application_Context, UI_Dispatch_Context, Description, Guided_Mode:Enabled, Guided_Mode:Data_Model, Guided_Mode:Dataset, Guided_Mode:Search_Logic, Search, Earliest_Time, Latest_Time, Cron_Schedule, Real-time_Scheduling_Enabled, Schedule_Window, Schedule_Priority, Trigger_Conditions:Trigger_Alert_When, Trigger_Conditions:Alert_Comparator, Trigger_Conditions:Alert_Threshold, Throttling:Window_Duration, Throttling:Fields_To_Group_By, Notable:Title, Notable:Description, Notable:Security_Domain, Notable:Severity, Notable:Default_Owner, Notable:Default_Status, Notable:Drill-down_Name, Notable:Drill-down_Search, Notable:Drill-down_Earliest_Offset, Notable:drill-down_Latest_Offset, Notable:Next_Steps, Risk_Analysis:Risk_Score, Risk_Analysis:Risk_Object_Field, Risk_Analysis:Risk_Object_Type

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78

| rest splunk_server=local count=0 /services/saved/searches | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") | rex field=action.customsearchbuilder.spec "datamodel\\\":\s+\\\"(?<Data_Model>\w+)" | rex field=action.customsearchbuilder.spec "object\\\":\s+\\\"(?<Dataset>\w+)" | rename     action.correlationsearch.label as Search_Name     title as Rule_Name     eai:acl.app as Application_Context     request.ui_dispatch_app as UI_Dispatch_Context     description as Description     Data_Model as Guided_Mode:Data_Model     Dataset as Guided_Mode:Dataset     action.customsearchbuilder.enabled as Guided_Mode     action.customsearchbuilder.spec as Guided_Mode:Search_Logic     search as Search     dispatch.earliest_time as Earliest_Time     dispatch.latest_time as Latest_Time     cron_schedule as Cron_Schedule     schedule_window as Schedule_Window     schedule_priority as Schedule_Priority     alert_type as Trigger_Conditions:Trigger_Alert_When     alert_comparator as Trigger_Conditions:Alert_Comparator     alert_threshold as Trigger_Conditions:Alert_Threshold     alert.suppress.period as Throttling:Window_Duration     alert.suppress.fields as Throttling:Fields_To_Group_By     action.notable.param.rule_title as Notable:Title     action.notable.param.rule_description as Notable:Description     action.notable.param.security_domain as Notable:Security_Domain     action.notable.param.severity as Notable:Severity     action.notable.param.default_owner as Notable:Default_Owner     action.notable.param.default_status as Notable:Default_Status     action.notable.param.drilldown_name as Notable:Drill-down_Name     action.notable.param.drilldown_search as Notable:Drill-down_Search     action.notable.param.drilldown_earliest_offset as Notable:Drill-down_Earliest_Offset     action.notable.param.drilldown_latest_offset as Notable:drill-down_Latest_Offset     action.notable.param.next_steps as Notable:Next_Steps     action.risk.param._risk_score as Risk_Analysis:Risk_Score     action.risk.param._risk_object as Risk_Analysis:Risk_Object_Field     action.risk.param._risk_object_type as Risk_Analysis:Risk_Object_Type | eval Guided_Mode:Enabled = if(Guided_Mode == 1, "Yes", "No") | eval Real-time_Scheduling_Enabled = if(realtime_schedule == 1, "Yes", "No") | table     disabled     Search_Name,     Rule_Name,     Application_Context,     UI_Dispatch_Context,     Description,     Guided_Mode:Enabled,     Guided_Mode:Data_Model,     Guided_Mode:Dataset,     Guided_Mode:Search_Logic,     Search,     Earliest_Time,     Latest_Time,     Cron_Schedule,     Real-time_Scheduling_Enabled,     Schedule_Window,     Schedule_Priority,     Trigger_Conditions:Trigger_Alert_When,     Trigger_Conditions:Alert_Comparator,     Trigger_Conditions:Alert_Threshold,     Throttling:Window_Duration,     Throttling:Fields_To_Group_By,     Notable:Title,     Notable:Description,     Notable:Security_Domain,     Notable:Severity,     Notable:Default_Owner,     Notable:Default_Status,     Notable:Drill-down_Name,     Notable:Drill-down_Search,     Notable:Drill-down_Earliest_Offset,     Notable:drill-down_Latest_Offset,     Notable:Next_Steps,     Risk_Analysis:Risk_Score,     Risk_Analysis:Risk_Object_Field,     Risk_Analysis:Risk_Object_Type

Continue Reading →