Sumo Logic

Lab 7 - Investigating using search parameters

Compare IP addresses from your log messages to a database of known malicious IP addresses.

Now that you have a dashboard with several security panels you can enhance the functionality for deeper investigation. One approach is to apply search parameters which allow you to filter down the amount of information displayed. 

In this lab we are going to add look up tables to one of our previously created search parameters for easy investigation. You will create a lookup table and then change one of the previously created search parameters to use the lookup for a list of values.


Lab Activity

Add a lookup table to the Parameter

  1. To add a lookup table, you will first need to create the table by using this query. On the last line, replace <your_initials###> with your initials, then run the query for Last 24 hours.

    _sourceCategory=Labs/AWS/CloudTrail
    | json field=_raw "userIdentity.sessionContext.sessionIssuer.userName" as actor
    | count by actor
    | fields - _count /* this removes the count, leaving only the actors */
    | save shared/<your_initials###>_aws_actor_list /* puts the actors into a lookup table */

 

  2. You will get a confirmation popup asking you to confirm that you are not overwriting existing data you may want to keep. Click Run.


  3. Next, verify the contents of your lookup table. Open a new Log Search query and display the contents using the following command. Again, replace <your_initials###> with your initials.

    cat shared/<your_initials###>_aws_actor_list 

  4. The lookup table lists the actors, one per row.

Note that your lookup table may not look exactly the same, but it will be similar.
 

  5. Now modify the actor parameter to use the lookup table. This allows easy pivots to different actors for further investigation. In the SOC_<your_initials###> dashboard, open any of the five queries. In the upper right of the panel, click Show in Search.


  6. In the Parameters window, go to actor and click the details icon. Click Manage Parameter Settings.

  7. A popup called Manage Parameter Settings will appear. The upper part will already be filled out correctly. Verify that your Default Value equals *. The wildcard lets you see everything with no filter applied. Click Set Values for Parameter to expand it, and then, in the Select a format dropdown, click Lookup.

 

  8. Under Lookup file, point to the lookup table you just created, /shared/<your_initials###>_aws_actor_list, and under Select a field for Values select actor.


  9. Click Save. To see the lookup table in use with this query, return to your query's Parameter window. In actor, delete the wildcard asterisk. A list of actors from the lookup table will appear. Select one of the actors and watch the data pivot to show only the actor you chose. You now have a lookup filter which makes it very easy to investigate any actor.


  10. Ideally you would repeat this lab for all 5 panels in your SOC_<your_initials###> dashboard. For now, pick one more dashboard panel query of your choice and repeat the steps. This will help in the next lab, where you will learn how to filter at the dashboard level.
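The lab uses the saved actor list only as a pick-list for the parameter. The same table can also drive a detection query: the lookup becomes a list of known actors, and anything not in it is surfaced as new activity worth a look. The following is an added example written for this lab, not part of the original lab text. It assumes the table is re-saved with an extra constant column named status (so the lookup has a value to return), that the panel query uses the actor search parameter in Sumo Logic's {{actor}} template syntax, and that the classic lookup operator is used; <your_initials###> is the lab's placeholder. The two queries are run separately, Step A first.

```sumo
/* Added example, not from the lab. Step A: rebuild the known-actor list with a
   marker column (status is an assumed extra column, not in the lab's query). */
_sourceCategory=Labs/AWS/CloudTrail
| json field=_raw "userIdentity.sessionContext.sessionIssuer.userName" as actor
| count by actor
| fields - _count
| "known" as status
| save shared/<your_initials###>_aws_actor_list

/* Step B: enrich live CloudTrail events from the table. Actors that are not in
   the table get a null status, so only unexpected actors remain. The {{actor}}
   parameter keeps the panel pivot working: with the default * every actor passes. */
_sourceCategory=Labs/AWS/CloudTrail
| json field=_raw "userIdentity.sessionContext.sessionIssuer.userName" as actor
| json field=_raw "eventName" as event_name
| where actor matches "{{actor}}"
| lookup status from shared/<your_initials###>_aws_actor_list on actor=actor
| where isNull(status)
| count by actor, event_name
| sort by _count
```

Because Step A overwrites the table, run it on a time range you trust as a baseline; everything Step B reports after that is an actor the baseline window never saw, which is the kind of result a SOC analyst wants on a panel next to the per-actor pivot.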

Using Filters for panels or dashboards

If you add a filter to a specific panel by clicking the Filter icon for the panel and then clicking Add Filter, the filter you select is added to the dashboard and linked to that specific panel. If you change the value, it will affect only the panel that's linked to it. See Create a filter in this topic. To see which panels are linked to a filter, hover over the blue filter icon in the filter box. 

 

Quiz (True or False?)

  1. To display a lookup table I used the command cp.
  2. Search parameters allow me to pivot quickly to any metadata values.
  3. I use the save operator to create a lookup table.

Summary

Congratulations! You’ve completed these tasks:

  1. Created a lookup table.
  2. Verified your lookup table.
  3. Created a lookup parameter.
  4. Displayed the parameter's lookup table options to pivot on.