
Lab 12 - Correlation using Transaction

Aggregate comparable messages from different data sources with similar key fields using the Transaction operator.

  1. The transaction operator lets you analyze related sequences of messages based on a unique transaction identifier such as a SessionID or IP address. Transaction uses the identifier you specify to group related messages together and arranges them by states that you define. In this lab, use the transaction operator to identify source IPs in your Apache web access logs that also appear in Snort (network intrusion detection) alerts classified as a Web Application Attack.

```
_sourceCategory=Labs/Apache/Access or (_sourceCategory=Labs/Snort and "[Classification: Web Application Attack]")
| parse "{TCP} *:* -> *:*" as src_ip, src_port, dest_ip, dest_port nodrop
| parse regex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| transaction on src_ip
  with states %"Labs/Snort", %"Labs/Apache/Access" in _sourceCategory
| where %"Labs/Snort">0 and %"Labs/Apache/Access">0
```

  2. Now that you have identified these IPs, use the Threat Intel lookup to see whether they are known IOCs. Keep in mind that no results simply means the IPs are not flagged as malicious in the CrowdStrike database; it is not evidence that they are benign.

```
((_sourceCategory=Labs/Snort "[Classification: Web Application Attack]") or _sourceCategory=Labs/Apache/Access)
| parse "{TCP} *:* -> *:*" as src_ip, src_port, dest_ip, dest_port nodrop
| parse regex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| transaction on src_ip
  with states %"Labs/Snort", %"Labs/Apache/Access" in _sourceCategory
| where %"Labs/Snort">0 and %"Labs/Apache/Access">0
| lookup type, actor, raw, threatlevel as malicious_confidence
  from sumo://threat/cs on threat=src_ip
| where !isEmpty(type)
```
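To make explicit what the two queries above do, here is an added Python example (not part of the lab) that reproduces the same pipeline offline: extract `src_ip` with the lab's two parse patterns, group by IP with one counter per `_sourceCategory` state, keep only IPs seen in both states, then enrich from a threat table. The Snort and Apache lines and the `THREAT_TABLE` are constructed sample data standing in for the real sources and for the `sumo://threat/cs` lookup.

```python
import re
from collections import defaultdict

# Constructed sample events, not real logs. Snort lines use the
# "{TCP} src:port -> dst:port" shape the lab's parse expects; Apache
# lines start with the client IP as in a combined access log.
SNORT_EVENTS = [
    '[**] [1:1000:1] WEB_ATTACK [**] [Classification: Web Application Attack] {TCP} 203.0.113.7:51234 -> 198.51.100.10:80',
    '[**] [1:1000:2] SCAN [**] [Classification: Attempted Information Leak] {TCP} 203.0.113.9:40000 -> 198.51.100.10:22',
    '[**] [1:1000:3] WEB_ATTACK [**] [Classification: Web Application Attack] {TCP} 203.0.113.8:51235 -> 198.51.100.10:80',
]
APACHE_EVENTS = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1%27 HTTP/1.1" 200 512',
    '192.0.2.44 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 1024',
    '203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /login HTTP/1.1" 200 256',
]
# Constructed stand-in for the CrowdStrike table behind sumo://threat/cs.
# An IP absent here is merely "not flagged", which is not the same as clean.
THREAT_TABLE = {
    "203.0.113.7": {"type": "ip_address", "actor": "unknown", "malicious_confidence": "high"},
}

SNORT_TCP = re.compile(r"\{TCP\} (\S+):(\d+) -> (\S+):(\d+)")   # parse "{TCP} *:* -> *:*"
FIRST_IP = re.compile(r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")    # parse regex (?<src_ip>...)
WEB_ATTACK = "[Classification: Web Application Attack]"

def src_ip(msg):
    """Structured Snort parse first; generic first-IPv4 regex otherwise (the nodrop case)."""
    m = SNORT_TCP.search(msg) or FIRST_IP.search(msg)
    return m.group(1) if m else None

def correlate(snort_events, apache_events):
    """transaction on src_ip with states per _sourceCategory,
    then where %"Labs/Snort">0 and %"Labs/Apache/Access">0."""
    states = defaultdict(lambda: {"Labs/Snort": 0, "Labs/Apache/Access": 0})
    for msg in snort_events:
        if WEB_ATTACK in msg:                    # Snort-side filter from the query
            ip = src_ip(msg)
            if ip:
                states[ip]["Labs/Snort"] += 1
    for msg in apache_events:
        ip = src_ip(msg)
        if ip:
            states[ip]["Labs/Apache/Access"] += 1
    return {ip: s for ip, s in states.items()
            if s["Labs/Snort"] > 0 and s["Labs/Apache/Access"] > 0}

def enrich(correlated):
    """lookup ... from sumo://threat/cs on threat=src_ip | where !isEmpty(type)"""
    return {ip: {**s, **THREAT_TABLE[ip]} for ip, s in correlated.items() if ip in THREAT_TABLE}
```

Only 203.0.113.7 survives: 203.0.113.9 appears in both sources but its Snort alert is not a Web Application Attack, and the others are seen in one source only.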