Writing Splunk Enterprise Security Correlation Searches – Best Practices

This is an attempt to contribute back to the Splunk community with some simple, yet powerful ideas to help users and customers write more effective SPL detection code.

The Splunk Enterprise Security (ES) app ships with many Correlation Searches (rules, detections), but they are rarely deployed as-is without some fine-tuning (customization).

This is particularly helpful for those who continuously design and deliver new detection content, while also providing some direction for those just starting out in the field.

The latest 1.0 revision can be downloaded here.