List all Splunk Enterprise Security (ES) correlation searches via the saved-searches REST endpoint, including ones that are currently disabled

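```Inventory of Enterprise Security correlation searches, read from the saved-search
   REST endpoint of this search head (splunk_server=local). On a search head cluster
   run this on the captain, or drop splunk_server=local, to cover every member. The
   rest command only returns objects the running user is permitted to read, so an
   incomplete inventory may simply mean insufficient rights. The disabled column is
   kept on purpose: a correlation search that has been switched off, by an attacker
   or by accident, is still a correlation search and is exactly what an audit of
   detection coverage needs to surface. The Search and Guided_Mode:Search_Logic
   columns carry the full SPL of each rule; treat any export of this report with the
   same sensitivity as the searches themselves.```
| rest splunk_server=local count=0 /services/saved/searches 
```Anchored match. The previous pattern was unanchored, so any value merely containing
   a 1 or a t/T would have passed. Accepted values: 1, t, T, true in any letter case.```
| where match('action.correlationsearch.enabled', "^(1|[Tt]|[Tt][Rr][Uu][Ee])$") 
```Guided-mode rules store their definition as JSON in action.customsearchbuilder.spec;
   pull the data model and dataset (object) names out of it.```
| rex field=action.customsearchbuilder.spec "datamodel\\\":\s+\\\"(?<Data_Model>\w+)" 
| rex field=action.customsearchbuilder.spec "object\\\":\s+\\\"(?<Dataset>\w+)" 
| rename
    action.correlationsearch.label as Search_Name
    title as Rule_Name
    eai:acl.app as Application_Context
    request.ui_dispatch_app as UI_Dispatch_Context
    description as Description
    Data_Model as Guided_Mode:Data_Model
    Dataset as Guided_Mode:Dataset
    action.customsearchbuilder.enabled as Guided_Mode
    action.customsearchbuilder.spec as Guided_Mode:Search_Logic
    search as Search
    dispatch.earliest_time as Earliest_Time
    dispatch.latest_time as Latest_Time
    cron_schedule as Cron_Schedule
    schedule_window as Schedule_Window
    schedule_priority as Schedule_Priority
    alert_type as Trigger_Conditions:Trigger_Alert_When
    alert_comparator as Trigger_Conditions:Alert_Comparator
    alert_threshold as Trigger_Conditions:Alert_Threshold
    alert.suppress.period as Throttling:Window_Duration
    alert.suppress.fields as Throttling:Fields_To_Group_By
    action.notable.param.rule_title as Notable:Title
    action.notable.param.rule_description as Notable:Description
    action.notable.param.security_domain as Notable:Security_Domain
    action.notable.param.severity as Notable:Severity
    action.notable.param.default_owner as Notable:Default_Owner
    action.notable.param.default_status as Notable:Default_Status
    action.notable.param.drilldown_name as Notable:Drill-down_Name
    action.notable.param.drilldown_search as Notable:Drill-down_Search
    action.notable.param.drilldown_earliest_offset as Notable:Drill-down_Earliest_Offset
    action.notable.param.drilldown_latest_offset as Notable:Drill-down_Latest_Offset
    action.notable.param.next_steps as Notable:Next_Steps
    action.risk.param._risk_score as Risk_Analysis:Risk_Score
    action.risk.param._risk_object as Risk_Analysis:Risk_Object_Field
    action.risk.param._risk_object_type as Risk_Analysis:Risk_Object_Type 
```Field names containing ":" or "-" must be single-quoted on the left-hand side of
   eval, otherwise the parser does not treat them as one field name.```
| eval 'Guided_Mode:Enabled' = if(Guided_Mode == 1, "Yes", "No") 
| eval 'Real-time_Scheduling_Enabled' = if(realtime_schedule == 1, "Yes", "No") 
| table
    disabled,
    Search_Name,
    Rule_Name,
    Application_Context,
    UI_Dispatch_Context,
    Description,
    Guided_Mode:Enabled,
    Guided_Mode:Data_Model,
    Guided_Mode:Dataset,
    Guided_Mode:Search_Logic,
    Search,
    Earliest_Time,
    Latest_Time,
    Cron_Schedule,
    Real-time_Scheduling_Enabled,
    Schedule_Window,
    Schedule_Priority,
    Trigger_Conditions:Trigger_Alert_When,
    Trigger_Conditions:Alert_Comparator,
    Trigger_Conditions:Alert_Threshold,
    Throttling:Window_Duration,
    Throttling:Fields_To_Group_By,
    Notable:Title,
    Notable:Description,
    Notable:Security_Domain,
    Notable:Severity,
    Notable:Default_Owner,
    Notable:Default_Status,
    Notable:Drill-down_Name,
    Notable:Drill-down_Search,
    Notable:Drill-down_Earliest_Offset,
    Notable:Drill-down_Latest_Offset,
    Notable:Next_Steps,
    Risk_Analysis:Risk_Score,
    Risk_Analysis:Risk_Object_Field,
    Risk_Analysis:Risk_Object_Type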