The Sumo Logic app for Security Analytics provides Dashboards that let you see and manage your system's status at a glance, including a security operations overview, network status, systems and changes, user monitoring, and vulnerabilities on endpoints. This data is collected from your Collectors and Sources, and Sumo Logic Anomaly Detection is applied to it for immediate analysis of any events.
For complete details, see Sumo Logic App for Security Analytics.
Getting Security Incident Details
In the Security Analytics App, on the Network Status Dashboard, the Incident Count or Incidents for Review Panels provide information on all security incidents. You can also drill down from these Panels to the Search page and see more details on those incidents in the Messages tab.
To see incident details in the Messages tab:
- Click the Incidents for Review Panel to open the query in the Search page.
- Click the Messages tab.
- More details for the incident are included in the Message field.
Security Use Cases
The following table provides a list of security use cases, incidents covered, and relevant devices and sources.
Security Analytics Use Case | Security Incidents | Relevant Devices and Sources |
--- | --- | --- |
User Monitoring | | Windows 2008 servers, Active Directory, Linux, Google Apps, Novell Access Manager, RSA |
User Monitoring | | Windows, Active Directory, Google Apps |
User Monitoring | | Windows, Active Directory, Google Apps, Linux |
Systems and Changes | | Windows, Active Directory, Linux |
Network Overview | | Checkpoint |
Vulnerabilities on Endpoints | | Qualys |
Vulnerabilities on Endpoints | | Forefront |
Incident Messages and Searches
This table maps incident messages to the preconfigured Security Analytics App searches that report on them.
Incident Message Value | Incident Search |
--- | --- |
Brute Force Login | SA - Incident - Brute Force Login Attempt |
Excessive firewall denies | SA - Incident - Excessive Firewall Denies |
High number of malware IDS alerts | SA - Incident - High Number of Malware IDS Alerts |
Large number of denied connections | SA - Incident - High Volume of Denied Connections |
Increased failed remote logins | SA - Incident - Increase in Failed Remote Login Attempts |
Multiple failed logins | SA - Incident - Multiple Failed Logins by a User in Last 15mins |
Potential DDos attacks | SA - Incident - Potential DDos Attack |
Potential scan or attack through multiple attack vectors | SA - Incident - Potential Scan or Attack through Multiple Vectors |
Potential web application scan or attack | SA - Incident - Potential Web Application Attack |
Potential successful brute force login | SA - Incident - Successful Login after Multiple Failed Logins |
Suspicious SSL Traffic Hike from ... | SA - Incident - Suspicious SSL Traffic |
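As an added illustration, not code from Sumo Logic or the Security Analytics app, the following Python sketch shows the detection logic behind two of the searches in the table above, "Multiple Failed Logins by a User in Last 15mins" and "Successful Login after Multiple Failed Logins", run over constructed sample authentication events. The 15-minute window comes from the search name; the five-failure threshold, the event tuple layout and the user names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events (not real app output): (timestamp, user, outcome)
SAMPLE_EVENTS = [
    ("2024-01-15T10:00:05", "alice", "failure"),
    ("2024-01-15T10:01:10", "alice", "failure"),
    ("2024-01-15T10:03:30", "alice", "failure"),
    ("2024-01-15T10:04:00", "bob",   "failure"),
    ("2024-01-15T10:05:45", "alice", "failure"),
    ("2024-01-15T10:06:02", "alice", "failure"),  # alice's 5th failure inside 15 min
    ("2024-01-15T10:07:00", "alice", "success"),  # success right after the failures
    ("2024-01-15T10:40:00", "bob",   "success"),  # bob's lone failure has aged out
]

WINDOW = timedelta(minutes=15)   # from the search name "in Last 15mins"
FAIL_THRESHOLD = 5               # assumed threshold, not the app's configured value


def detect_incidents(events, window=WINDOW, threshold=FAIL_THRESHOLD):
    """Return a list of (timestamp, user, incident_message) for the two use cases.

    Events must be in chronological order; a per-user deque holds the failure
    timestamps still inside the sliding window.
    """
    failures = defaultdict(deque)
    incidents = []
    for ts_str, user, outcome in events:
        ts = datetime.fromisoformat(ts_str)
        recent = failures[user]
        # Expire failures that fell out of the window before this event.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if outcome == "failure":
            recent.append(ts)
            # Fire once, when the threshold is first reached, to avoid repeat alerts.
            if len(recent) == threshold:
                incidents.append((ts_str, user, "Multiple failed logins"))
        elif outcome == "success":
            # A success following a burst of failures is the brute-force signal.
            if len(recent) >= threshold:
                incidents.append((ts_str, user, "Potential successful brute force login"))
            recent.clear()  # a successful login resets the user's failure history
    return incidents


if __name__ == "__main__":
    for incident in detect_incidents(SAMPLE_EVENTS):
        print(incident)
```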