Correlation rules in Sumologic

Comments

3 comments

  • Rick Jury

    you could try something like this

    (_sourceCategory="*/Prod" OR _sourceCategory="/*/production") ("Add owner to group" OR "FileDownloaded")

    | json field=_raw "SourceFileExtension" as A nodrop
    | json field=_raw "UserId" as EmailAccount nodrop
    | json field=_raw "ClientIP" as IP_Address nodrop
    | where Workload="OneDrive"
    | where Operation="FileDownloaded" OR operationName="Add owner to group"
    | json field=_raw "properties.targetResources[0].modifiedProperties[1].newValue" as TargetGroup nodrop
    | json field=_raw "properties.targetResources[0].userPrincipalName" as TargetUser nodrop
    | json field=_raw "properties.initiatedBy.user.userPrincipalName" as EmailAccount nodrop

    | min(_messagetime) as start, max(_messagetime) as end, values(ip_address) as ips,values(a) as a,values(targetgroup) as targetgroup,values(targetuser) as targetuser by emailaccount

  • Cardinal Ops App

    Hey Rick, thanks for your response.

    If I want to configure a time range between both queries, how do I do it?

  • Rick Jury

    It might be better to contact your Sumo Customer Success team about this one. It looks like a complex query that would need access to the source data and more info about your use case.
    You can run different time range queries with subquery, but that won't work in every use case as it has limits. https://help.sumologic.com/05Search/Subqueries

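The time window asked about in the thread, as an added example in Python that is not from the thread or from Sumo Logic: it correlates the two event shapes Rick's query parses (an Azure AD "Add owner to group" audit event and OneDrive "FileDownloaded" events) per account and keeps only downloads that land within a configurable window after the group change, mirroring the min/max/values aggregation of the query above. The sample records, their timestamps and the `window_minutes` parameter are constructed for illustration; the field paths follow the query.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records (not from the thread), using the field paths Rick's query parses.
SAMPLE_EVENTS = [
    '{"time":"2024-03-01T10:00:00Z","operationName":"Add owner to group",'
    '"properties":{"initiatedBy":{"user":{"userPrincipalName":"alice@example.com"}},'
    '"targetResources":[{"userPrincipalName":"bob@example.com",'
    '"modifiedProperties":[{"newValue":"Group.ObjectID"},{"newValue":"Finance"}]}]}}',
    '{"CreationTime":"2024-03-01T10:20:00Z","Workload":"OneDrive","Operation":"FileDownloaded",'
    '"UserId":"alice@example.com","ClientIP":"203.0.113.5","SourceFileExtension":"xlsx"}',
    '{"CreationTime":"2024-03-01T15:00:00Z","Workload":"OneDrive","Operation":"FileDownloaded",'
    '"UserId":"carol@example.com","ClientIP":"203.0.113.9","SourceFileExtension":"pdf"}',
]

def parse_ts(s):
    # Older Pythons reject a trailing "Z" in fromisoformat(), so spell out the UTC offset.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def normalize(raw):
    """Map either schema onto one shape so both halves of the correlation share a key."""
    ev = json.loads(raw)
    if ev.get("operationName") == "Add owner to group":
        target = ev["properties"]["targetResources"][0]
        return {"kind": "owner_add", "time": parse_ts(ev["time"]),
                "account": ev["properties"]["initiatedBy"]["user"]["userPrincipalName"],
                "target_group": target["modifiedProperties"][1]["newValue"],
                "target_user": target["userPrincipalName"]}
    if ev.get("Workload") == "OneDrive" and ev.get("Operation") == "FileDownloaded":
        return {"kind": "download", "time": parse_ts(ev["CreationTime"]),
                "account": ev["UserId"], "ip": ev["ClientIP"],
                "ext": ev.get("SourceFileExtension")}
    return None  # anything else is outside the rule's scope

def correlate(raw_lines, window_minutes=60):
    """Per account: a group-ownership change followed by downloads inside the window."""
    events = [e for e in map(normalize, raw_lines) if e]
    window = timedelta(minutes=window_minutes)
    hits = []
    for add in (e for e in events if e["kind"] == "owner_add"):
        matched = [d for d in events if d["kind"] == "download"
                   and d["account"].lower() == add["account"].lower()
                   and add["time"] <= d["time"] <= add["time"] + window]
        if matched:
            hits.append({"account": add["account"], "target_group": add["target_group"],
                         "target_user": add["target_user"], "start": add["time"],
                         "end": max(d["time"] for d in matched),
                         "ips": sorted({d["ip"] for d in matched}),
                         "extensions": sorted({d["ext"] for d in matched if d["ext"]})})
    return hits
```

Running `correlate(SAMPLE_EVENTS)` flags only alice (group change at 10:00, download at 10:20); shrinking the window to 10 minutes returns nothing, which is the knob the question is asking for.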
