Sumo Logic

Lab 10 - Azure using CrowdStrike to lookup malicious IP addresses

Explore the functionality of using location data and use the Lookup command to look up geographical information based on an IP address.

You discovered that Sumo Logic has the ability to access CrowdStrike threat intelligence from within your queries. This can provide valuable insight into malicious actors trying to access your corporate network.

Use the CrowdStrike lookup functionality.


  1. Create a new log search query, looking at log data for the last 24 hours, and select the Azure Active Directory (AD) source category. Your query will look like this:

    _sourceCategory="Labs/Azure/AD"

  2. Parse the fields identity and callerIpAddress from the JSON as user and ip. Use nodrop so that events without these fields are kept, then filter out the null IPs. Your query should look like this:

    _sourceCategory=Labs/Azure/AD
    | json "identity","callerIpAddress" as user, ip nodrop 
    | where ip != "<null>"

  3. You are now ready to use the lookup command for CrowdStrike. You pass the IP address to the lookup as the threat indicator and retrieve the type, actor, raw and threatlevel fields. Your query should look like this:

    _sourceCategory=Labs/Azure/AD
    | json "identity","callerIpAddress" as user, ip nodrop 
    | where ip != "<null>"
    | lookup type, actor, raw, threatlevel from sumo://threat/cs on threat=ip

  4. Now filter on threatlevel="high" to focus on major threats, and count by user, ip and actor. Your query will look like this:

    _sourceCategory=Labs/Azure/AD
    | json "identity","callerIpAddress" as user, ip nodrop 
    | where ip != "<null>"
    | lookup type, actor, raw, threatlevel from sumo://threat/cs on threat=ip
    | where threatlevel="high"
    | count by user, ip, actor
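
The four steps above form one pipeline: parse the JSON, drop events with no caller IP, enrich each IP against the threat table, then filter to high-severity matches and aggregate. The following Python script is an added example that reproduces that pipeline offline so you can see what each stage does to the rows; it is not part of the lab and not Sumo Logic or CrowdStrike code. The Azure AD events and the threat table (a stand-in for sumo://threat/cs) are constructed sample data, and the actor names are placeholders.

```python
import json
from collections import Counter

# Constructed Azure AD events (not real data). The third event has no
# callerIpAddress and the last line is not JSON at all, mirroring the rows
# that `json ... nodrop` keeps with null fields and that step 2 then removes.
SAMPLE_LOGS = [
    '{"identity": "alice@example.com", "callerIpAddress": "203.0.113.10", "operationName": "Sign-in activity"}',
    '{"identity": "bob@example.com", "callerIpAddress": "198.51.100.7", "operationName": "Sign-in activity"}',
    '{"identity": "svc-backup@example.com", "operationName": "Update user"}',
    '{"identity": "alice@example.com", "callerIpAddress": "203.0.113.10", "operationName": "Sign-in activity"}',
    '{"identity": "carol@example.com", "callerIpAddress": "192.0.2.25", "operationName": "Sign-in activity"}',
    'not a json event',
]

# Constructed stand-in for the sumo://threat/cs table: indicator -> the four
# columns the lab's lookup retrieves. Actor names are placeholders.
THREAT_TABLE = {
    "203.0.113.10": {"type": "ip_address", "actor": "EXAMPLE-ACTOR-A", "raw": "{...}", "threatlevel": "high"},
    "192.0.2.25": {"type": "ip_address", "actor": "EXAMPLE-ACTOR-B", "raw": "{...}", "threatlevel": "medium"},
}

LOOKUP_COLUMNS = ("type", "actor", "raw", "threatlevel")


def parse_events(lines):
    """Step 2, first half: `json "identity","callerIpAddress" as user, ip nodrop`.
    Every input row is kept; a missing field (or an unparsable line) yields None."""
    rows = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            obj = {}
        rows.append({"user": obj.get("identity"), "ip": obj.get("callerIpAddress")})
    return rows


def drop_null_ips(rows):
    """Step 2, second half: `where ip != "<null>"`. Without this filter the
    lookup would be asked to match a null indicator for every such row."""
    return [r for r in rows if r["ip"] is not None]


def lookup_threat(rows, table):
    """Step 3: `lookup type, actor, raw, threatlevel from sumo://threat/cs on threat=ip`.
    Rows whose IP is not in the table are kept with null lookup columns."""
    enriched = []
    for r in rows:
        hit = table.get(r["ip"], {})
        row = dict(r)
        for col in LOOKUP_COLUMNS:
            row[col] = hit.get(col)
        enriched.append(row)
    return enriched


def high_threat_counts(rows):
    """Step 4: `where threatlevel="high" | count by user, ip, actor`."""
    return Counter((r["user"], r["ip"], r["actor"]) for r in rows if r["threatlevel"] == "high")


def run_pipeline(lines, table):
    """Whole lab query end to end; returns {(user, ip, actor): count}."""
    return high_threat_counts(lookup_threat(drop_null_ips(parse_events(lines)), table))


if __name__ == "__main__":
    for (user, ip, actor), n in run_pipeline(SAMPLE_LOGS, THREAT_TABLE).items():
        print(f"{user}\t{ip}\t{actor}\t{n}")
```

Running it prints one row, alice@example.com from 203.0.113.10 attributed to EXAMPLE-ACTOR-A with a count of 2; the medium-severity match for carol@example.com is dropped by the threatlevel filter, and the event with no caller IP never reaches the lookup.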

Your results will look like this:

[Screenshot of the query results table, omitted here]

You now have a query that returns each user ID, the IP address they signed in from and the associated actor, together with a count of matching events. You can then investigate this further using what you have learned in previous exercises.