Sumo Logic

Lab 9 - Azure using outlier and creating alerts

Explore the functionality of using location data and use the Lookup command to lookup geographical information based on an IP Address.

You recently heard about an Outlier function that you can use in Sumo Logic. You want to create a query that uses this function to help investigate security activity on your network, specifically where you are seeing a large number of failed login attempts.

Use the outlier function.


  1. Create a new log search query,  looking at log data for the last 24 hours and select the Azure Active Directory (AD) as your source category.  Your query will look like this:

_sourceCategory="Labs/Azure/AD"

  2. Parse the fields operationName and resultType from the JSON, and filter operationName for "Sign-in activity". Your query should look like this:
    _sourceCategory="Labs/Azure/AD"
    | json field=_raw "operationName"
    | where operationName = "Sign-in activity"
    | json field=_raw "resultType"
  3. The field resultType will be either a 0 or a 1. Convert it to either "Success" or "Failure" and store that as a field called result, then filter result to view only failures. Your query should look like this:
    _sourceCategory="Labs/Azure/AD"
    | json field=_raw "operationName"
    | where operationName = "Sign-in activity"
    | json field=_raw "resultType"
    | if(resultType = 0,"Success","Failure") as result
    | where result = "Failure"

  4. Now add the timeslice operator to create 10-minute timeslice intervals, then count by timeslice. Your query will look like this:
    _sourceCategory="Labs/Azure/AD"
    | json field=_raw "operationName"
    | where operationName = "Sign-in activity"
    | json field=_raw "resultType"
    | if(resultType = 0,"Success","Failure") as result
    | where result = "Failure"
    | timeslice 10m
    | count by _timeslice


A subset of your results will look like this:
    [screenshot: results table of _timeslice and _count]

  5. Modify your query to filter for _count > 10. This shows the timeslices (windows) in which users failed to log in more than 10 times. Your query should look like this:
    _sourceCategory="Labs/Azure/AD"
    | json field=_raw "operationName"
    | where operationName = "Sign-in activity"
    | json field=_raw "resultType"
    | if(resultType = 0,"Success","Failure") as result
    | where result = "Failure"
    | timeslice 10m
    | count by _timeslice
    | where _count > 10


  6. You are now ready to use the outlier function. The outlier operator takes several parameters. The first parameter is the value you want to run the outlier function on; in this case we use _count. The second parameter is the window; we will use window=10, which means the function takes the current value and the previous 10 values to calculate the mean and the standard deviation used by the outlier function. The threshold determines the upper and lower boundaries; we will use threshold=3, which means the range is plus or minus 3 standard deviations from the mean. The other parameters are discussed in the next step. Your query should look like this:
    _sourceCategory="Labs/Azure/AD"
    | json field=_raw "operationName"
    | where operationName = "Sign-in activity"
    | json field=_raw "resultType"
    | if(resultType = 0,"Success","Failure") as result
    | where result = "Failure"
    | timeslice 10m
    | count by _timeslice
    | where _count > 10
    | outlier _count window=10, threshold=3, consecutive=1, direction=+-

  7. Your results will look something like this:
    [screenshot: outlier query results table]

  8. If you click the line chart icon on the aggregates toolbar, you will see this:
    [screenshot: line chart of _count with the outlier boundaries]

What you are seeing is the data line in darker blue with the data values plotted. The light blue band around it shows the upper and lower boundaries calculated by the outlier function. The red triangles mark any values that fall outside those boundaries. The other two parameters are direction and consecutive. direction=+- controls whether values above the upper boundary (+), values below the lower boundary (-), or both are flagged as outliers. For example, if you remove the minus and rerun the query, the triangle at the lower right of the chart above disappears. consecutive=1 means that any single value outside the boundaries is flagged as an outlier; if you change it to consecutive=2, an outlier is indicated only when two consecutive values fall outside the boundaries.
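To make the window, threshold, direction and consecutive parameters concrete, here is an added Python model of the outlier logic described above, run over constructed 10-minute failed-sign-in counts. It is not Sumo Logic's implementation and not part of the lab; it assumes the baseline for each point is the mean and population standard deviation of the preceding `window` values, that a zero standard deviation collapses the boundaries onto the mean, and that the first `window` points have no baseline and are never flagged. The `violation` flag it produces plays the role of the `_count_violation` field that the alert step below filters on.

```python
"""Added example: a model of trailing-window outlier detection
(window, threshold, direction, consecutive) over constructed counts."""
from statistics import mean, pstdev

# Constructed sample: failed sign-ins per 10-minute timeslice, already
# filtered to _count > 10.  A spike sits at index 10 and a dip at index 21.
SAMPLE_COUNTS = [30, 32, 29, 31, 30, 33, 28, 31, 30, 32,   # baseline
                 95,                                       # spike
                 31, 30, 32, 29, 31, 30, 33, 30, 31, 29,   # baseline again
                 11,                                       # dip
                 30]


def outlier(values, window=10, threshold=3.0, consecutive=1, direction="+-"):
    """Return one row per input value: the value, the lower/upper boundary
    derived from the preceding `window` values, and a violation flag.

    Assumptions (not Sumo Logic's documented internals): the baseline excludes
    the current point; direction is "+", "-" or "+-"; a violation is raised
    only once `consecutive` out-of-bound points occur in a row."""
    if direction not in ("+", "-", "+-"):
        raise ValueError("direction must be '+', '-' or '+-'")
    rows = []
    run = 0  # length of the current run of out-of-bound points
    for i, v in enumerate(values):
        row = {"value": v, "lower": None, "upper": None, "violation": 0}
        if i >= window:
            base = values[i - window:i]
            m, sd = mean(base), pstdev(base)
            row["lower"] = m - threshold * sd
            row["upper"] = m + threshold * sd
            above = "+" in direction and v > row["upper"]
            below = "-" in direction and v < row["lower"]
            run = run + 1 if (above or below) else 0
            if run >= consecutive:
                row["violation"] = 1
        rows.append(row)
    return rows


def violations(values, **params):
    """Indices of rows that would survive `where _count_violation > 0`;
    a non-empty result is what the scheduled search would alert on."""
    return [i for i, r in enumerate(outlier(values, **params)) if r["violation"]]


if __name__ == "__main__":
    for i, r in enumerate(outlier(SAMPLE_COUNTS)):
        if r["lower"] is None:
            print(f"{i:2d} {r['value']:4d}  (no baseline yet)")
        else:
            flag = " <-- outlier" if r["violation"] else ""
            print(f"{i:2d} {r['value']:4d}  [{r['lower']:6.2f}, {r['upper']:6.2f}]{flag}")
    print("alert rows:", violations(SAMPLE_COUNTS))
```

Two things the run makes visible: the spike at index 10 inflates the standard deviation of the next ten baselines, so the boundaries widen sharply until it leaves the window, and with consecutive=2 a lone spike is never flagged at all, which is why the lab keeps consecutive=1 for single bursts of failed logins.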

Create an Alert
  1. Now let's modify this query so we can be alerted if these outliers actually occur. To make this query more meaningful for alerts, let's add the following filter:
    | where _count_violation > 0

  2. Now click the Save As icon and then the Schedule this search button to create the alert, as shown below.
    [screenshot: Save As / Schedule this search dialog]

  3. Under Run frequency, select Daily. In the Send Notification area, select "If the following condition is met", choose "greater than", and enter 0 for the number of results. You can then choose to send yourself an email for this alert, or choose some other mechanism to notify you of this occurrence.
    [screenshot: scheduled search run frequency and notification settings]