Tuning Enterprise Security correlation searches

Here’s a nifty ES tuning tip that you might enjoy. We’ll be using some handy macros that are documented at Working_with_Notable_Events_from_Search, if you’d like to read up on the background.

What’s the most expensive, valuable, and constrained resource in a security team?

Human attention.

How many security analysts are there?

| `notable_owners` | stats count | eval sec_analysts=(count-1)

How long does it take them to forensically analyse an incident? We can get some hints by looking at the amount of review activity… Audit > Incident Review Audit and Audit > Suppression Audit are of course useful, but you can also do this sort of thing:

| `incident_review` | search status_default=false | timechart span=1day count by reviewer usenull=f

“Forensically analyze” is a loaded phrase though… it takes 3 seconds to suppress or close yet another administratively overridden known issue, but it can take hours or days to trace, resolve, and prevent the real thing. So let’s put a finger in the wind and say “one hour” is the target for an analyst to spend on an incident.

How many hours are there in the work day?

8-12, realistically.

If you look at notable events, are there any rules that are generating more events than your analysts are capable of looking at?

| `notable_owners` | stats count | eval sec_analysts=(count-1) | eval analyst_capacity=(sec_analysts*12) | map search="search `notable`| stats count by source | where count>$analyst_capacity$"

There’s the correlation searches that need to be tuned.

Jack Coates

Posted by