Sumo Logic

Lab 5 - Find the "needle in the haystack"

Use LogReduce to efficiently detect the most prevalent, or the rarest, security events among many thousands of log messages.
Explore the functionality of LogReduce, which lets you distill unique messages from the noise by identifying recurring Signatures in your data: messages that differ only in variable fields (timestamps, addresses, ports, counters) are grouped under one Signature with a count, so a Signature with a count of 1 is a message unlike any other in the time range.


  1. Run LogReduce on your Snort security data to identify unusual activity (i.e. intrusions) in the last 60 minutes. The two lines below form a single query:

     _sourceCategory=labs/snort
     | logreduce

  2. Sort your results to identify those that happen only once by clicking on the Count column heading. Click on the 1 under the Count heading to view the unusual message.

  3. Surrounding Messages lets you investigate the events around a message in the context of the host, name, or category identified, showing all activity for the chosen time window. Now click on the host and select Surrounding Messages to identify the context of the intrusion. From the drop-down on the Host, select +/- 5 Minutes.

[Image: surrounding time selection prompt]
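The three steps above, as an added worked example that is not part of the lab and is not Sumo Logic's LogReduce implementation: a simplified signature-clustering routine over a handful of constructed Snort-style alert lines (the line format, host names, rule IDs and addresses are all assumptions made up for the example), which collapses variable fields into a Signature, counts each Signature, surfaces the ones seen only once, and then pulls the same host's messages within +/- 5 minutes of the rare event, the way Surrounding Messages does in the UI.

```python
"""Simplified LogReduce-style clustering plus a surrounding-messages lookup.

Illustrative code written for this lab page; it is NOT Sumo Logic's LogReduce
algorithm. Assumed input format: "<ISO timestamp> <host> <message>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Snort-style alert lines (not real captures; rule IDs are
# in the local 1000000+ range and addresses are private placeholders).
SAMPLE_LOGS = [
    "2020-02-22T12:44:01 sensor-a [1:1000001:1] ICMP PING [Priority: 3] {ICMP} 10.0.0.9 -> 10.0.0.5",
    "2020-02-22T12:46:12 sensor-a [1:1000001:1] ICMP PING [Priority: 3] {ICMP} 10.0.0.9 -> 10.0.0.6",
    "2020-02-22T12:48:30 sensor-a [1:1000002:1] WEB-MISC robots.txt access [Priority: 2] {TCP} 10.0.0.9:50211 -> 10.0.0.5:80",
    "2020-02-22T12:49:05 sensor-b [1:1000001:1] ICMP PING [Priority: 3] {ICMP} 10.0.0.9 -> 10.0.0.7",
    "2020-02-22T12:50:00 sensor-a [1:1000003:1] ATTACK-RESPONSES id check returned root [Priority: 1] {TCP} 10.0.0.5:80 -> 10.0.0.9:50212",
    "2020-02-22T12:53:41 sensor-a [1:1000001:1] ICMP PING [Priority: 3] {ICMP} 10.0.0.9 -> 10.0.0.8",
    "2020-02-22T12:57:19 sensor-a [1:1000002:1] WEB-MISC robots.txt access [Priority: 2] {TCP} 10.0.0.9:50213 -> 10.0.0.5:80",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
# Fields that vary between otherwise identical events: IPv4 addresses with an
# optional port, then any remaining run of digits (rule IDs, priorities).
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?\b")
NUM_RE = re.compile(r"\d+")


def parse(line):
    """Split one raw line into timestamp, host and message."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "msg": m["msg"], "raw": line}


def signature(msg):
    """Collapse variable fields so recurring events share one Signature."""
    return NUM_RE.sub("*", IP_RE.sub("<ip>", msg))


def logreduce(lines):
    """Group events by Signature; return (count, signature, events) tuples,
    rarest first, which is what sorting the Count column ascending shows."""
    groups = defaultdict(list)
    for ev in map(parse, lines):
        groups[signature(ev["msg"])].append(ev)
    return sorted(((len(evs), sig, evs) for sig, evs in groups.items()),
                  key=lambda t: (t[0], t[1]))


def find_rare(lines, max_count=1):
    """Events whose Signature occurs at most max_count times (the 'needle')."""
    return [ev for count, _, evs in logreduce(lines) if count <= max_count
            for ev in evs]


def surrounding(events, anchor, minutes=5):
    """Same-host events within +/- minutes of the anchor event, in time order."""
    lo = anchor["ts"] - timedelta(minutes=minutes)
    hi = anchor["ts"] + timedelta(minutes=minutes)
    return sorted((ev for ev in events
                   if ev["host"] == anchor["host"] and lo <= ev["ts"] <= hi),
                  key=lambda ev: ev["ts"])


if __name__ == "__main__":
    for count, sig, _ in logreduce(SAMPLE_LOGS):
        print(f"{count:>5}  {sig}")
    for needle in find_rare(SAMPLE_LOGS):
        print("\nRare event:", needle["raw"])
        print("Surrounding messages (+/- 5 min, same host):")
        for ev in surrounding([parse(l) for l in SAMPLE_LOGS], needle):
            print("  ", ev["raw"])
```

On the constructed sample the ICMP PING Signature has a count of 4 and the robots.txt Signature a count of 2, while the "id check returned root" alert is the single count-1 Signature; its surrounding window returns the four sensor-a messages between 12:45 and 12:55 and excludes the sensor-b line and the events outside the window. The masking rules are deliberately crude (every digit run becomes `*`), which is the trade-off any signature approach makes: mask too little and one event splits into many Signatures, mask too much and genuinely different events merge.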