Explore the functionality of LogReduce, which allows you to distil unique messages from the noise by identifying recurring Signatures in your data.
Run LogReduce on your Snort security data to identify unusual activity (i.e. intrusions) in the last 60 minutes.
Click the Count heading to sort your results and find the signatures that occur only once. Then click the 1 under the Count heading to view the unusual message.
Surrounding Messages let you investigate the events around a message in the context of its host, name, or category, showing the activity for the time period you define. Now click on the host to view Surrounding Messages and identify the context of the intrusion. From the drop-down on the Host, select +/- 5 Minutes.
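To make the two ideas above concrete (grouping messages by signature and sorting by count, then pulling the surrounding messages for a host), here is an added Python sketch; it is not part of the original lab and is not LogReduce's actual algorithm. The alert lines are constructed, the function names are hypothetical, and the signature is approximated by masking IP addresses and ports.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (timestamp, host, message); not real Snort output.
ALERTS = [
    ("2024-05-01 10:00:05", "sensor-a", "[1:1000001:1] ICMP echo request {ICMP} 10.0.0.5 -> 10.0.0.9"),
    ("2024-05-01 10:01:10", "sensor-a", "[1:1000001:1] ICMP echo request {ICMP} 10.0.0.7 -> 10.0.0.9"),
    ("2024-05-01 10:02:00", "sensor-b", "[1:1000001:1] ICMP echo request {ICMP} 10.0.0.8 -> 10.0.0.9"),
    ("2024-05-01 10:20:30", "sensor-a", "[1:1000002:1] TCP port scan {TCP} 10.0.0.5:40001 -> 10.0.0.9:22"),
    ("2024-05-01 10:21:00", "sensor-a", "[1:1000002:1] TCP port scan {TCP} 10.0.0.5:40002 -> 10.0.0.9:23"),
    ("2024-05-01 10:23:15", "sensor-a", "[1:1000003:1] Suspicious outbound connection {TCP} 10.0.0.9:51515 -> 203.0.113.7:443"),
    ("2024-05-01 10:40:00", "sensor-a", "[1:1000001:1] ICMP echo request {ICMP} 10.0.0.5 -> 10.0.0.9"),
]

IP_PORT = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?\b")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

def signature(message):
    """Mask variable fields (addresses, ports) so recurring alerts collapse."""
    return IP_PORT.sub("*", message)

def reduce_logs(alerts):
    """Group alerts by signature; return (count, signature, members), rarest first."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[signature(alert[2])].append(alert)
    return sorted(((len(m), s, m) for s, m in groups.items()), key=lambda g: g[0])

def surrounding(alerts, target, minutes=5):
    """Alerts from the same host within +/- `minutes` of the target alert."""
    centre = datetime.strptime(target[0], TS_FORMAT)
    window = timedelta(minutes=minutes)
    return [a for a in alerts
            if a[1] == target[1]
            and abs(datetime.strptime(a[0], TS_FORMAT) - centre) <= window]

if __name__ == "__main__":
    ranked = reduce_logs(ALERTS)
    for count, sig, _ in ranked:          # sorted by Count, rarest first
        print(count, sig)
    rare = ranked[0][2][0]                # the message behind the count of 1
    for ts, host, msg in surrounding(ALERTS, rare):
        print(ts, host, msg)              # same host, +/- 5 minutes
```

In this constructed data the single-count signature is preceded on the same host by two port-scan alerts inside the five-minute window, which is the kind of context the Surrounding Messages view is meant to expose.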