The Sumo Logic app for Security Analytics provides Dashboards that allow you to easily see and manage your system's status, including a security operations overview, network, system and change, user monitoring, and vulnerabilities on endpoints. This data is collected from your Collectors and Sources, and Sumo Logic Anomaly Detection is applied to it, for instant analysis of any events.

For complete details, see Sumo Logic App for Security Analytics

Getting Security Incident Details

In the Security Analytics App, on the Network Status Dashboard, the Incident Count or Incidents for Review Panels provide information on all security incidents. You can also drill down from these Panels to the Search page and see more details on those incidents in the Messages tab.  

To see incident details in the Messages tab:

  1. Click the Incidents for Review Panel to open the query in the Search page.
  2. Click the Messages tab.
  3. More details for the incident are included in the Message field.

Security Use Cases

The following table provides a list of security use cases, incidents covered, and relevant devices and sources.

Security Analytics Use Case Security Incidents Relevant Devices and Sources
User Monitoring
  • Login Failures followed by success from the same username
  • High amount of login failures for the same username
 Windows 2008 servers, Active Directory, Linux, Google Apps, Novell Access Manager, RSA, 
User Monitoring
  • Group Created
  • Group Deleted
  • Group Membership changed
 Windows, Active Directory, Google Apps 
User Monitoring
  • User Created on Domain or Application
  • User Created on Local Server
  • User Deleted
  • User Modified
 Windows, Active Directory, Google Apps, Linux 
Systems and Changes
  • Configuration Changes
  • OS Update
 Windows, Active Directory, Linux
Network Overview
  • Excessive firewall denies/accepts
  • Single local source scanning multiple destinations on well known database
  • FTP ports
  • Email ports
  • SSH and Web Server ports
 Checkpoint 
Vulnerabilities on Endpoints
  • Multiple vulnerabilities detected
  • Same vulnerability detected on multiple hosts
  • Vulnerability found
 Qualys 
Vulnerabilities on Endpoints
  • Same virus detected on multiple hosts
  • Virus found
  Forefront

Incident Messages and Searches

This table maps incident messages to the preconfigured Security Analytics App searches that report on them.

Incident Message Value Incident Search
Brute Force Login SA - Incident - Brute Force Login Attempt
Excessive firewall denies SA - Incident - Excessive Firewall Denies
High number of malware IDS alerts SA - Incident - High Number of Malware IDS Alerts
Large number of denied connections SA - Incident - High Volume of Denied Connections
Increased failed remote logins SA - Incident - Increase in Failed Remote Login Attempts
Multiple failed logins SA - Incident - Multiple Failed Logins by a User in Last 15mins
Potential DDos attacks SA - Incident - Potential DDos Attack
Potential scan or attack through multiple attack vectors SA - Incident - Potential Scan or Attack through Multiple Vectors
Potential web application scan or attack SA - Incident - Potential Web Application Attack
Potential successful brute force login SA - Incident - Successful Login after Multiple Failed Logins
Suspicious SSL Traffic Hike from ... SA - Incident - Suspicious SSL Traffic