Correlation rules in Sumologic

Follow
Avatar
Cardinal Ops App
  • Edited

Hey.

I want to correlate between two different source categories,
But It didn't worked for me. Am i'm doing right?

I just want to correlate it on "EmailAccount" account field (when the same email account exists in both logs it will be appear.)

(_sourcecategory="*/Prod" OR _sourceCategory="/*/production") "Add owner to group" or "FileDownloaded"

| json field=_raw "SourceFileExtension" as A nodrop
| json field=_raw "UserId" as EmailAccount nodrop
| json field=_raw "ClientIP" as IP_Address nodrop
| where Workload="OneDrive"
| where Operation="FileDownloaded" OR operationName="Add owner to group"
| json field=_raw "properties.targetResources[0].modifiedProperties[1].newValue" as TargetGroup nodrop
| json field=_raw "properties.targetResources[0].userPrincipalName" as TargetUser nodrop
| json field=_raw "properties.initiatedBy.user.userPrincipalName" as EmailAccount nodrop

| transaction on EmailAccount with states IP_Address,EmailAccount,A,TargetGroup,TargetUser in step

Thanks.

0

Comments

3 comments

Sort by Date Votes
  • Avatar
    Rick Jury

    you could try something like this

    (_sourcecategory="*/Prod" OR _sourceCategory="/*/production") "Add owner to group" or "FileDownloaded"

    | json field=_raw "SourceFileExtension" as A nodrop
    | json field=_raw "UserId" as EmailAccount nodrop
    | json field=_raw "ClientIP" as IP_Address nodrop
    | where Workload="OneDrive"
    | where Operation="FileDownloaded" OR operationName="Add owner to group"
    | json field=_raw "properties.targetResources[0].modifiedProperties[1].newValue" as TargetGroup nodrop
    | json field=_raw "properties.targetResources[0].userPrincipalName" as TargetUser nodrop
    | json field=_raw "properties.initiatedBy.user.userPrincipalName" as EmailAccount nodrop

    | min(_messagetime) as start, max(_messagetime) as end,  values(ip_address) as ips,values(a) as a,values(targetgroup) as targetgroup,values(targetuser) as targetuser by emailaccount

     

    0
    Comment actions Permalink
  • Avatar
    Cardinal Ops App

    Hey Rick, thanks for your response.

    If I want to configure a time range between both queries, how do I do it?

    0
    Comment actions Permalink
  • Avatar
    Rick Jury

    It might be better to contact your sumo Customer success team about this one. It looks like a complex query that would need access to the source data and more info about your use case.
    You can run different time range queries with subquery but that won't work in every use case as it has limits. https://help.sumologic.com/05Search/Subqueries

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post