Sumo Logic

Lab 7 - Identify "out of the ordinary" Events

Explore the functionality of the outlier operator, which allows you to identify events outside of a threshold.

  1. Search your Labs/snort logs for anomalies in the frequency of denial of service attempts (an indicator of DDoS attacks). "Timeslicing" the results lets you see the trend over time. Lastly, use the outlier operator to plot the frequency of attempts on a line graph with an acceptability range, so that slices falling outside that range stand out as outliers.

_sourceCategory=Labs/snort
| parse "*[Classification: *] [Priority: *] {TCP} * -> *" as DateInfoandfile,Classification,Priority,SourceIP,DestinationIP
| where Classification="Attempted Denial of Service"   // keep only the DoS classification
| timeslice 5m                                          // bucket events into 5-minute slices
| count(Classification) by _timeslice                   // attempts per slice, returned as _count
| sort by _timeslice
| outlier _count window=10, consecutive=1, threshold=2, direction=+-   // flag slices outside mean +/- 2 stddev

  2. Bonus: Manipulate the parameters for window, consecutive, threshold, and direction to see the change in behavior. (Hint: There may not be a need to see if there's an outlier below the range of acceptability.)
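To see what the four outlier parameters do to the per-timeslice counts, here is an added Python model of the operator (an approximation written for this lab, not Sumo Logic's own implementation). It assumes a trailing window of prior points, a band of mean +/- threshold * population standard deviation, and a run of `consecutive` indicator points before a violation is raised; the count series is constructed, not real snort data.

```python
from statistics import mean, pstdev

# Constructed sample: "Attempted Denial of Service" hits per 5-minute
# timeslice, the shape the lab's `count by _timeslice` step would emit.
# Index 11 is an unusually quiet slice, indices 13-14 a burst.
SAMPLE_COUNTS = [12, 14, 11, 13, 12, 15, 13, 12, 14, 13,
                 12, 2, 13, 40, 42, 14, 13, 12, 13, 14]


def outlier(counts, window=10, consecutive=1, threshold=2, direction="+-"):
    """Model of the outlier operator's four parameters (an assumption about
    its semantics, not Sumo Logic's code).

    Each point is compared against the mean and population stddev of the
    `window` points before it; the band is mean +/- threshold * stddev;
    `direction` selects which side(s) count; `violation` becomes 1 once
    `consecutive` indicator points in a row have been seen. Points without
    a full window of history get no band and are never flagged.
    """
    rows, run = [], 0
    for i, value in enumerate(counts):
        history = counts[max(0, i - window):i]
        row = {"count": value, "lower": None, "upper": None,
               "indicator": 0, "violation": 0}
        if len(history) == window:
            mu, sigma = mean(history), pstdev(history)
            row["lower"] = mu - threshold * sigma
            row["upper"] = mu + threshold * sigma
            if "+" in direction and value > row["upper"]:
                row["indicator"] = 1          # above the acceptability range
            elif "-" in direction and value < row["lower"]:
                row["indicator"] = -1         # below the acceptability range
        run = run + 1 if row["indicator"] else 0
        row["violation"] = 1 if run >= consecutive else 0
        rows.append(row)
    return rows


def violations(counts, **params):
    """Indices of timeslices the model flags for the given parameters."""
    return [i for i, r in enumerate(outlier(counts, **params)) if r["violation"]]


if __name__ == "__main__":
    print("default (+-, consecutive=1):", violations(SAMPLE_COUNTS))
    print("spikes only (direction=+): ", violations(SAMPLE_COUNTS, direction="+"))
    print("sustained (consecutive=2): ", violations(SAMPLE_COUNTS, consecutive=2))
```

Note that once the burst enters the window it inflates the standard deviation, so the slices right after it sit inside a much wider band; a quiet slice there would not be flagged, which is worth remembering when tuning `window`.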

Image of outlier charted results