TechQA.

How to setup alerts in sumo logic with NQL

132 views Asked by At

Login events are tracked in catalina.out. This file then gets pushed to SumoLogic. How to create an alert on these login events for unauthorized users(list of users)

sumologic
Original Q&A
1

There are 1 answers

0
DarkMatter On

For a basic outline of SL Search Query Language check out https://help.sumologic.com/Search/Search-Query-Language most queries have a scope, normalization some filter and then aggregation.

for an example of a query that looks for malicious logins see below:

_sourceCategory = O365/Azure

AND "\"UserLoginFailed\"" and !"UserDisabled"
| json field=_raw "UserId" as user_id
| json field=_raw "ClientIP" as src_ip
| lookup type, actor, raw, threatlevel as malicious_confidence from 
sumo://threat/cs on threat=src_ip
| lookup latitude,longitude,country_name from geo://location on ip=src_ip
| where (!(country_name="United States") or (malicious_confidence = 
"unverified" or malicious_confidence = "low" or malicious_confidence = 
"medium" or malicious_confidence = "high" )
| count by user_id, malicious_confidence, country_name
| sort by _count

For setting up alerts on that query see https://help.sumologic.com/Dashboards-and-Alerts/Alerts/02-Schedule-a-Search

If you are just getting started I would highly recommend you watch the SL basics videos (1 and 2) on youtube. https://www.youtube.com/watch?v=FO8mfZojb1c

Related Questions in SUMOLOGIC

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs

Trending Questions