Sumo Logic

Lab 14 - Correlation using Subqueries

Subqueries help you correlate events across different Sumo queries by letting one query pass its results back to another, which narrows the set of messages the outer query searches. In this lab, identify the web server traffic that has also been flagged as a Web Application Attack in your Snort data.


_sourceCategory=Labs/Apache/Access
[subquery:
    _sourceCategory=labs/snort "[Classification: Web Application Attack]"
    | parse "{TCP} *:* -> *:*" as src_ip, src_port, dest_ip, dest_port nodrop
    | compose src_ip
]
| count src_ip, method, status_code, url
| sort _count
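To make the inner-join behaviour of the subquery concrete, the following added example (not part of the lab or of Sumo Logic's own code) replays the same logic in Python over a handful of constructed Snort alerts and Apache access-log lines: filter on the classification string, parse the TCP tuple with the same wildcard positions as the Sumo parse pattern, compose the source IPs, then count the matching Apache hits. Field names (src_ip, method, status_code, url) mirror the query; the sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed Snort fast-alert lines; only the TCP ones carry the "{TCP} a:b -> c:d" tuple.
SNORT = [
    '[**] [1:2000:1] XSS attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.1.5:51234 -> 192.168.1.10:80',
    '[**] [1:2001:1] ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.9 -> 192.168.1.10',
    '[**] [1:2002:1] SQLi attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.1.7:40000 -> 192.168.1.10:443',
]
# Constructed Apache combined-format access-log lines.
APACHE = [
    '10.1.1.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512',
    '10.1.1.5 - - [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 403 128',
    '10.1.1.9 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php HTTP/1.1" 200 512',
    '10.1.1.7 - - [10/Oct/2023:13:55:39 +0000] "POST /login HTTP/1.1" 500 64',
    '10.1.1.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 512',
]

# Equivalent of parse "{TCP} *:* -> *:*": each * becomes a lazy capture group.
SNORT_CONN = re.compile(r'\{TCP\} (.*?):(.*?) -> (.*?):(.*?)$')
# Pulls src_ip, method, url and status_code out of an Apache access-log line.
APACHE_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def compose_src_ips(snort_lines):
    """Inner query: keep Web Application Attack alerts, parse the tuple, compose src_ip."""
    ips = set()
    for line in snort_lines:
        if "[Classification: Web Application Attack]" not in line:
            continue
        m = SNORT_CONN.search(line)
        if m:  # nodrop keeps unparsable lines, but they contribute no src_ip to the set
            ips.add(m.group(1))
    return ips

def correlate(apache_lines, snort_lines):
    """Outer query: count Apache hits by src_ip, method, status_code, url for composed IPs."""
    attackers = compose_src_ips(snort_lines)
    counts = Counter()
    for line in apache_lines:
        m = APACHE_LINE.match(line)
        if not m:
            continue
        src_ip, method, url, status_code = m.groups()
        if src_ip in attackers:  # the inner join: only IPs present in the subquery result survive
            counts[(src_ip, method, status_code, url)] += 1
    return sorted(counts.items(), key=lambda kv: kv[1])  # sort _count (ascending)

if __name__ == "__main__":
    for (src_ip, method, status_code, url), n in correlate(APACHE, SNORT):
        print(f"{src_ip:10} {method:5} {status_code} {url:12} _count={n}")
```

The host 10.1.1.9 appears in both data sets but is dropped because its Snort alert is not a Web Application Attack, which is exactly the narrowing the subquery provides.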

You have seen various ways to correlate your data. Here is a summary to help you know which operator to use:

Transaction

Transaction allows you to correlate messages (from a single source or multiple sources) based on one or more common keys (IP addresses, session IDs, etc.). It performs an "outer join" and produces an aggregate result. Its main use case in the security space is to check for the existence of a value across several data sources, for example when various security tools alert on the same IP address.

Transactionize

Transactionize allows you to correlate messages (from a single source or multiple sources) based on one or more common keys (IP addresses, session IDs, etc.). It also performs an "outer join", but operates on the raw messages. Combined with merge, you can merge raw messages or different extracted fields across messages into a single row in the result set.

Subquery

Subquery lets you filter data from one result set based on the result of another query (or multiple queries), within one or across several datasets. It performs an "inner join" and returns raw data. Its main use case is to find data in one dataset that can also be found in another dataset, for example showing all Windows Event Logs for hosts that have been flagged by an endpoint protection system.