I did a talk at Splunk .conf21 about how to maintain correlation searches: pdf/mp4. If you’re looking for the source code for the things you have seen in the demos, you’re in the right place.
I have put everything together in a small app that is now on splunkbase: ES-Choreographer.
DISCLAIMER: This will not quite work out of the box. You’ll need to look under the hood and figure out how to make it work for you. You should consider this as inspiration or a head start for your own journey, not as a finished product for the masses. Everything in the app integrates together: the peer reviews, with the TODOs and the Best Practices… so if you want one and not the others, you’ll have to disentangle things.
You can also get a feel for the various topics in the following posts:
You will also find other little useful nuggets here and there in the app.
You might also want to add the following to the menu in SplunkEnterpriseSecuritySuite:
<collection label="ES Choreographer">
<view name="morning_checks_checks"/>
<view name="correlation_searches_best_practices"/>
<view name="correlation_searches_best_practices_evolution"/>
<view name="status_of_correlation_searches"/>
<divider/>
<view name="incident_review_fields"/>
<view name="workflow_actions"/>
</collection>Note: recently ES has vastly improved its UI for the Incident Review fields, so the dashboard I made to make them searchable is now redundant. The one for workflow actions is still extremely useful though.