Skip to main content
Sumo Logic

Lab 13 - Correlation using Transactionize

Compile details in the raw message results from different data sources with key fields using the Transactionize operator.

 

Different from the transaction operator which aggregates results, the transactionize operator correlates and provides detail, allowing you to display more fields/detail in your results. In this lab, use the transactionize operator to identify source IP addresses for which you've had normal traffic (type="TRAFFIC" and action="allow), " but also received traffic that has been flagged as a THREAT. To ensure you don't reach a memory limit, restrict the timeframe to the last 5 minutes.

((_sourceCategory=Labs/PaloAltoNetworks ",THREAT,") or (_sourceCategory=Labs/PaloAltoNetworks ",TRAFFIC," action=allow))

| concat(dest_ip,":", dest_port) as destination

| transactionize src_ip (merge type, destination, src_ip takeFirst)

| where type matches "*TRAFFIC*" and type matches "*THREAT*"

// Optionally, you can use these last 2 lines to clean up your results

//| count src_ip, type, destination

//| fields - _count