Sumo Logic

Lab 17 - Alerting on New Security Attacks

Using LogCompare, which compares log activity from two different time periods, alert on log messages that exist in the last 60 minutes but did not exist in the same 60-minute window 24 hours ago.


  1. Search your Snort data for the last 60 minutes. Click LogCompare to compare current signatures to the signatures seen 24 hours ago:

         _sourceCategory=labs/snort
         | logcompare timeshift -24h

  2. To show only signatures that appear in the current time period but did not exist 24 hours ago, add a where clause on the `_isNew` field:

         _sourceCategory=labs/snort
         | logcompare timeshift -24h
         | where (_isNew)

  3. Using your email address, you can now create a Scheduled Search that alerts when this query returns results.