Sumo Logic

Lab 1 - Search Basics: Metadata and Keywords

This lab gives you practical experience using metadata and keywords to narrow your search scope and improve search performance in a security context.


  1. Search for all messages from the last 15 minutes with _sourceCategory=Labs/AWS/CloudTrail that contain the word "root".

_sourceCategory=Labs/AWS/CloudTrail and root

  2. Search for messages across all your AWS data that contain the word "root". To locate the keyword root in the log message, expand userIdentity by clicking on the drop-down. You will see root highlighted.

_sourceCategory=Labs/AWS/* and root

  3. For security reasons you may want to see incoming data as it is being ingested. Run a Live Tail session for the same query as #1: click Live Tail.

  4. Perhaps you want to scan all eventVersion values coming in. Click the A button in the upper right and type eventVersion.

  5. Click anywhere in the Live Tail window to observe the highlights clearly; the entry box will close.

  6. To disable the highlighted text, click the A button and click the x.
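As an added example that is not part of the lab, here is the step 1 query extended with a parse step. The keyword root matches anywhere in the raw message, so this query confirms each hit against the CloudTrail userIdentity.type field (the value Root identifies the account root user) and counts the API calls by eventName. The field paths are from the CloudTrail record format; the aliases user_type and event_name are chosen here.

```text
// Added example, not from the lab. Scope by metadata first, then keyword,
// then confirm the match against the parsed CloudTrail field.
_sourceCategory=Labs/AWS/CloudTrail and root
| json "userIdentity.type", "eventName" as user_type, event_name
| where user_type = "Root"
| count by event_name
| sort by _count
```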


QUIZ: True or False

  1. Keywords are case-sensitive

  2. AND is implicit and OR is explicit

  3. Keywords and metadata can use wildcards

  4. Live Tail must contain at least one metadata tag