Example of field normalization across multiple data sources
Example from the Sumo Training!
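// Normalization example: map the source-specific field names of four log
// sources (O365 SharePoint, F5 VPN, Zscaler, Active Directory) onto a shared
// set of fields (userid, action, time, ...) so events from all of them can be
// counted and sorted together on one timeline.
// Scope: one user name plus a few session/correlation ids; edit the keyword
// list to re-target the search.
(_sourceCategory=O365SharePoint or _sourcecategory=F5-VPN or _sourcecategory=Zscaler or _sourcecategory=ActiveDirectory ) ("bob" or "9b38968f" or "267ff6b3" or "c4b9c671")
// Every parse uses nodrop: messages that do not match a pattern are kept (with
// the field empty) instead of being discarded, so all sources survive the chain.
// F5 VPN: the session id sits between the syslog prefix and "from client IP".
// The capture group must be named; the if() on session_id further down relies
// on this name, and an unnamed "(?...)" group is not valid regex.
| parse regex "\]: \d+:\d+:\s+.*?:(?<session_id>.*?)from client IP" nodrop
// F5 VPN access-policy messages -> action
| parse "Access policy result: *" as action nodrop
| parse "Following rule 'Full or Mobile Browser' from item 'Client Post-Check' to ending '*'" as action nodrop
// NOTE(review): "bytes out" lands in action here, and action is what the
// where-clause below filters on; confirm this is the intended normalization.
| parse "Session statistics - bytes in: *, bytes out: *" as bytes_in,action nodrop
| parse "Username '*'" as userid nodrop
| parse ": Session * due to user inactivity or errors." as action nodrop
| parse ": Following rule 'fallback' from item 'SSO Credential Mapping' to terminalout '*'" as action nodrop
| parse "Received client info - Type: * Version: * Platform: * CPU: * UI Mode: *" as Ctype,client_version,CPlatform,client_CPU,Client_UI nodrop
// Active Directory (Windows event, WMI-style text) -> userid, action, time
| parse "InsertionStrings = {\"*\"," as userid nodrop
| parse "Type = \"*\";" as action nodrop
| parse "Logon Account:\t*\nSource Workstation:\t*\nError Code:\t*\";" as userid,system,errorcode nodrop
| parse "TimeWritten = \"*." as time nodrop
// O365 SharePoint (JSON audit record) -> time, action, userid
| parse "\"CreationTime\":\"*\"," as time nodrop
| parse "Operation\":\"*\"," as action nodrop
| parse "\"UserId\":\"*\"," as userid nodrop
// Zscaler (tab-separated key=value) -> srcbytes, dstbytes, userid
| parse "srcBytes=*\tdstBytes=*\t" as srcbytes,dstbytes nodrop
| parse "usrName=*\t" as userid nodrop
// NOTE(review): hostname is stored in action, not in a host field; confirm.
| parse "hostname=*\t" as action nodrop
// Second session-id extraction (same syslog prefix, up to the next ':');
// named so it feeds the if() on the next line.
| extract "\]: \d+:\d+:\s+(?<session_id>.*?):"
// Training shortcut: any message with a session id is attributed to "Bob",
// overwriting whatever userid the parses above produced. Replace with a real
// session-to-user join before using this outside the exercise.
| if (session_id matches "*","Bob","") as userid
// Keep only events that normalized to an action.
| where !(isBlank(action))
// Noise filter for the exercise. NOTE(review): this also drops "Audit Failure"
// (failed logons) and SharePoint file operations; remove those terms when the
// investigation is about authentication failures or file activity.
| where !(action matches "Audit Failure" or action matches "FileAccessed" or action matches "FileModified" or action matches "FileSync*" or action matches "FileUpload" or action matches "FileDeleted")
// One row per event on the shared timeline, ordered oldest first.
| count by _messagetime, time, _sourcecategory, userid, action
| sort by _messagetime asc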