Login events are tracked in catalina.out. This file then gets pushed to Sumo Logic. How do I create an alert on these login events for unauthorized users (a list of users)?
For a basic outline of the SL Search Query Language, check out https://help.sumologic.com/Search/Search-Query-Language. Most queries have a scope, normalization, some filters, and then aggregation.
For an example of a query that looks for malicious logins, see below:
// Scope: failed O365/Azure logins, ignoring disabled-account noise
_sourceCategory = O365/Azure
AND "\"UserLoginFailed\"" and !"UserDisabled"
// Normalization: pull the account and client IP out of the JSON message
| json field=_raw "UserId" as user_id
| json field=_raw "ClientIP" as src_ip
// Enrichment: threat intel and geo lookups on the source IP
| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip
| lookup latitude, longitude, country_name from geo://location on ip=src_ip
// Filter: non-US source or any threat-intel hit on the IP
| where !(country_name="United States") or (malicious_confidence = "unverified" or malicious_confidence = "low" or malicious_confidence = "medium" or malicious_confidence = "high")
// Aggregation
| count by user_id, malicious_confidence, country_name
| sort by _count
For setting up alerts on that query, see https://help.sumologic.com/Dashboards-and-Alerts/Alerts/02-Schedule-a-Search
If you are just getting started, I would highly recommend you watch the SL basics videos (1 and 2) on YouTube: https://www.youtube.com/watch?v=FO8mfZojb1c

DarkMatter
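The same scope / normalize / filter / aggregate pattern applied to the question as actually asked (Tomcat login events in catalina.out, alert when any account on a fixed deny list logs in). This is an added example, not DarkMatter's query and not something taken from the Sumo Logic docs. It assumes the collector assigns `_sourceCategory=tomcat/catalina` to catalina.out, that the application writes login events in the shape `Login successful for user=<name> from <ip>` (the regex and the user names are constructed for the example), and that the list of unauthorized accounts is short enough to inline; adjust the source category and the regex to the real log format before scheduling it.

```sumo
// Scope: only the catalina.out source and only login lines.
// (_sourceCategory tomcat/catalina is an assumption; check your collector config.)
_sourceCategory=tomcat/catalina AND "Login successful"
// Normalization: pull the account and source IP out of the raw line.
// Assumed line shape (constructed): "... Login successful for user=jsmith from 10.0.0.5"
| parse regex "Login successful for user=(?<user>[^\s]+) from (?<src_ip>[\d.]+)"
// Filter: keep only accounts that must never log in here (constructed deny list).
| where toLowerCase(user) in ("svc_backup", "jdoe_old", "admin_legacy")
// Aggregation: one row per offending account and source, most recent first.
| count, max(_messagetime) as last_seen by user, src_ip
| sort by last_seen desc
```

Schedule it as a saved search with the alert condition "number of results greater than 0" over the window you run it on (for example every 15 minutes over the last 15 minutes), so any row at all fires the alert. `toLowerCase` is there because `in` is an exact string match and login names in Java application logs are not always normalized; if the deny list grows beyond a handful of names, move it into a Sumo lookup table instead of the inline list so the query does not need editing every time an account is added.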