Sumo Logic

Lab 3 - Geolocation of console logins

To see where your users are logging in from across the world, you will learn and apply the Geo Lookup mapping functionality. You can quickly identify where users are logging in from and confirm that those locations are expected. In this lab we will detect potential login threats by querying our AWS CloudTrail data for console logins coming from multiple IP addresses.

    Lab Activity

    Scope and parse

    1. Create a new log search query that looks at log data for the last 24 hours, and select AWS CloudTrail as your source category. Your query will look like this:

    _sourceCategory="Labs/AWS/CloudTrail"

    2. Using what you learned in the first lab about JSON parsing, add the four parsing lines. Your query should look like this:

    _sourceCategory="Labs/AWS/CloudTrail"
    | json field=_raw "userIdentity.userName" as actor
    | json field=_raw "eventType" as event_type
    | json field=_raw "sourceIPAddress" as src_ip
    | json field=_raw "responseElements.ConsoleLogin" as result

    3. You now have actor, event_type, src_ip and result parsed from the incoming CloudTrail logs.


    Filtering and create parameters

    1. To keep only the results where actor and event_type are not empty, add the two where filters below at the bottom of the query.

    | where !isEmpty(actor)
    | where !isEmpty(event_type)

    2. As in the last lab, you can create parameters for event_type and actor. At the bottom of the query, add the two where filters below, which reference the parameter variables.

    | where event_type matches {{event_type}}
    | where actor matches {{actor}}


    3. In the parameter window, type an asterisk (*) in each field. This sets the wildcard as the default value for each parameter.


    Geo Lookup tables and aggregating data

    1. Now use the lookup command to return the latitude, longitude, country_name, city and region. The lookup command needs the src_ip value as its reference: it looks up the IP address in the geo://default data and returns the latitude, longitude, country name, city and region. Your query should now look like this:

      _sourceCategory="Labs/AWS/CloudTrail"
      | json field=_raw "userIdentity.userName" as actor
      | json field=_raw "eventType" as event_type
      | json field=_raw "sourceIPAddress" as src_ip
      | json field=_raw "responseElements.ConsoleLogin" as result

      | where !isEmpty(actor)
      | where !isEmpty(event_type)
      | where event_type matches {{event_type}}
      | where actor matches {{actor}}
      | lookup latitude,longitude,country_name,city,region from geo://default on ip=src_ip

    2. Finally, count by actor, source IP address, latitude, longitude, country_name and event_type. Your final query should look like this:

      _sourceCategory="Labs/AWS/CloudTrail"
      | json field=_raw "userIdentity.userName" as actor
      | json field=_raw "eventType" as event_type
      | json field=_raw "sourceIPAddress" as src_ip
      | json field=_raw "responseElements.ConsoleLogin" as result

      | where !isEmpty(actor)
      | where !isEmpty(event_type)
      | where event_type matches {{event_type}}
      | where actor matches {{actor}}
      | lookup latitude,longitude,country_name,city,region from geo://default on ip=src_ip
      | count by actor,src_ip,latitude,longitude,country_name,event_type
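As an added example that is not part of the original lab, the Python below reproduces the pipeline of the final query over a few constructed CloudTrail records: the json field extraction, the isEmpty and wildcard matches filters, the lookup against a constructed stand-in for geo://default, and the count by aggregation, plus a check for actors seen from more than one source IP. RAW_LOGS, GEO_TABLE and the function names are constructed for this example, not Sumo Logic's own code.

```python
import json
from collections import Counter
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

RAW_LOGS = [  # constructed CloudTrail records standing in for _raw (not real log data)
    '{"eventType":"AwsConsoleSignIn","userIdentity":{"userName":"alice"},"sourceIPAddress":"203.0.113.10","responseElements":{"ConsoleLogin":"Success"}}',
    '{"eventType":"AwsConsoleSignIn","userIdentity":{"userName":"alice"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Success"}}',
    '{"eventType":"AwsConsoleSignIn","userIdentity":{"userName":"carol"},"sourceIPAddress":"192.0.2.5","responseElements":{"ConsoleLogin":"Success"}}',
    '{"eventType":"AwsApiCall","userIdentity":{"type":"AWSService"},"sourceIPAddress":"203.0.113.22"}',
]

GEO_TABLE = {  # constructed stand-in for geo://default: CIDR -> (latitude, longitude, country_name, city, region)
    "203.0.113.0/24": (37.77, -122.42, "United States", "San Francisco", "California"),
    "198.51.100.0/24": (52.52, 13.40, "Germany", "Berlin", "Berlin"),
}

def json_field(event, path):
    """Mirror `json field=_raw "a.b" as x`: a missing path yields an empty value."""
    for key in path.split("."):
        event = event.get(key, "") if isinstance(event, dict) else ""
    return event

def geo_lookup(ip):
    """Mirror `lookup ... from geo://default on ip=src_ip`; None when no row matches."""
    for cidr, row in GEO_TABLE.items():
        if ip_address(ip) in ip_network(cidr):
            return row
    return None

def count_by_geo(raw_logs, event_type="*", actor="*"):
    """Return a Counter keyed by (actor, src_ip, latitude, longitude, country_name, event_type)."""
    counts = Counter()
    for raw in raw_logs:
        ev = json.loads(raw)
        a, t, ip = (json_field(ev, p) for p in ("userIdentity.userName", "eventType", "sourceIPAddress"))
        if not a or not t:                                      # where !isEmpty(actor) / !isEmpty(event_type)
            continue
        if not (fnmatch(t, event_type) and fnmatch(a, actor)):  # where ... matches {{event_type}} / {{actor}}
            continue
        lat, lon, country = (geo_lookup(ip) or (None, None, None))[:3]  # unmatched IP -> null geo fields
        counts[(a, ip, lat, lon, country, t)] += 1
    return counts

def multi_ip_actors(counts):
    """Actors seen from more than one source IP: the condition this lab is looking for."""
    ips = {}
    for (a, ip, *_rest) in counts:
        ips.setdefault(a, set()).add(ip)
    return sorted(a for a, seen in ips.items() if len(seen) > 1)
```

Rows whose IP has no geo match keep null latitude and longitude, so they appear in the table view but not on the map panel.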

    Create the map and insert into the dashboard

    1. You are currently looking at the table view. You can change the aggregate data to display a map. At the top right of the Aggregates tab, click the Map icon on the toolbar. You will see results like those below.


    2. Now you have the data you want to add to the existing dashboard. Add it to the SOC_<your initials###> dashboard you created in the previous lab by clicking the Add to Dashboard button in the Aggregates tab, and enter the panel name CloudTrail Geo of SignInActivity in the popup window.


    3. Because you are adding to an existing dashboard that already has parameters from the previous lab, a popup asks you to confirm that you want to merge the parameters. Click Add Panel.

    4. You have now created two panels on your starter SOC_<your initials###> dashboard. Your dashboard should look like the one below.


    Quiz (True or False?)

    1. Lookup uses the Crowdstrike data to provide latitude and longitude.
    2. I can display a map without aggregating data.
    3. I can use Add Panel to add to an existing dashboard.

    Summary

    Congratulations! You’ve completed the following tasks:

    1. Learned how to use lookup for mapping.
    2. Reviewed how to create a parameter in a query.
    3. Added a second panel to an existing dashboard.