Gabriel

Maintaining your correlation searches with ES Choreographer

Updated: Feb 28

I gave a talk at Splunk .conf21 about how to maintain correlation searches (pdf/mp4). If you're looking for the source code for the things you saw in the demos, you're in the right place.

I have put everything together in a small app that is now on Splunkbase: ES-Choreographer.

DISCLAIMER: This will not quite work out of the box. You'll need to look under the hood and figure out how to make it work for you. Consider it inspiration or a head start for your own journey, not a finished product for the masses. Everything in the app is integrated: the peer reviews, the TODOs and the Best Practices all depend on each other, so if you want one part and not the others, you'll have to disentangle them.

You can also get a feel for the various topics in the following posts:

You will also find other little useful nuggets here and there in the app.

You might also want to add the following collection to the navigation menu of the SplunkEnterpriseSecuritySuite app:

  <collection label="ES Choreographer">
    <view name="morning_checks_checks"/>
    <view name="correlation_searches_best_practices"/>
    <view name="correlation_searches_best_practices_evolution"/>
    <view name="status_of_correlation_searches"/>
    <divider/>
    <view name="incident_review_fields"/>
    <view name="workflow_actions"/>
  </collection>
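As an added example (not part of the ES-Choreographer app), here is a small Python helper that inserts the collection above into a Splunk navigation file and refuses to add it twice, so re-running it after an upgrade does not duplicate the menu entry. The sample nav content is constructed, and the usual location of the file (local/data/ui/nav/default.xml under the SplunkEnterpriseSecuritySuite app) is an assumption you should check against your own deployment.

```python
"""Idempotently add the ES Choreographer collection to a Splunk ES nav default.xml."""
import xml.etree.ElementTree as ET

COLLECTION_LABEL = "ES Choreographer"

# Menu entries in display order; None marks the <divider/> between the two groups.
CHOREOGRAPHER_VIEWS = [
    "morning_checks_checks",
    "correlation_searches_best_practices",
    "correlation_searches_best_practices_evolution",
    "status_of_correlation_searches",
    None,
    "incident_review_fields",
    "workflow_actions",
]

# Constructed, heavily trimmed stand-in for an ES nav file; the real one is much longer.
SAMPLE_NAV = """<nav search_view="search" color="#65A637">
  <view name="ess_home" default="true"/>
  <collection label="Security Intelligence">
    <view name="ess_risk_analysis"/>
  </collection>
</nav>"""


def add_choreographer_menu(nav_xml: str) -> str:
    """Return nav XML containing the ES Choreographer collection exactly once."""
    root = ET.fromstring(nav_xml)
    if any(c.get("label") == COLLECTION_LABEL for c in root.findall("collection")):
        return nav_xml  # already present: leave the file untouched
    coll = ET.SubElement(root, "collection", {"label": COLLECTION_LABEL})
    for name in CHOREOGRAPHER_VIEWS:
        if name is None:
            ET.SubElement(coll, "divider")
        else:
            ET.SubElement(coll, "view", {"name": name})
    ET.indent(root, space="  ")  # pretty-print; needs Python 3.9+
    return ET.tostring(root, encoding="unicode")


def menu_views(nav_xml: str, label: str = COLLECTION_LABEL) -> list:
    """List the view names referenced by the collection with the given label."""
    root = ET.fromstring(nav_xml)
    for coll in root.findall("collection"):
        if coll.get("label") == label:
            return [v.get("name") for v in coll.findall("view")]
    return []


if __name__ == "__main__":
    print(add_choreographer_menu(SAMPLE_NAV))
```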

Note: recently ES has vastly improved its UI for the Incident Review fields, so the dashboard I made to make them searchable is now redundant. The one for workflow actions is still extremely useful though.
