Skip to main content
Sumo Logic

Introduction to Investigation Workflow

Introduction to Investigation Workflow functionality and an overview of using Investigation Workflow.

This page is a high-level introduction to Investigation Workflow. 

Investigation Workflow is a Sumo Logic component that enables security analysts to investigate potential security incidents detected from log data. 

Investigation Workflow is built on top of the Sumo analytics platform and leverages data already ingested by Sumo. Investigation Workflow provides automated and on-demand correlation of event data across multiple data feeds. Investigation Workflow is designed to automate and rapidly execute searches and analytics to help security analysts investigate and remediate incident within minutes instead of hours. Investigation Workflow also allows analysts to query external threat databases. During investigations, Investigation Workflow automatically captures the history of the steps taken and the results, which you can supplement with notes and evidence; these investigation reports can then be used for process reviews, analyst training, creation of best practices, and more. 

Investigation Workflow is a foundational element for Sumo Logic’s Security Analytics solution. Upcoming Security Analytics components  will be added to Investigation Workflow to provide a complete cloud-based SIEM alternative.  

The sections below describe key Investigation Workflow functionality and how you interact with Investigation Workflow to perform investigations.  

Log ingestion and parsing

This section describes how Investigation Workflow processes log message and creates a high-performance event database you can query rapidly to investigate potential problems.

Log data is transformed into an event dictionary

Upon ingesting a log message, Investigation Workflow derives a dictionary of name-value pairs that capture the facts conveyed by the message. 

For example, from a log message like this abbreviated one:

alert-raw-excerpt.png
Investigation Workflow creates a dictionary like this:

alert-details-excerpt.png
Investigation Workflow stores the dictionary and the raw log message in the Event database. 

Factors are derived from an event dictionary

Some, but not all of the information in the dictionary is crucial to understanding the event. Investigation Workflow identifies the subset of those name-value pairs from the dictionary that convey the meaning and purpose of the the event. Those key-value pairs constitute a factor. A factor tells you things like:

  • Who performed what action, on what resource, from what location. 
  • Where was malware detected and what services it affects. 
  • On what host was a virus detected, and who is the user associated with the host.

Investigation Workflow may derive multiple factors from a single log event. Each factor presents a particular aspect of an event, as indicated by the factor type Investigation Workflow assigned to it. Identity, Endpoint,  and Threat are examples of factor types.

For example user  "Bob" logs on from machine "Bob's machine", with IP address 1.2.3.4, to authentication server “4.3.2.1”. Based on the association of Bob with the machine, we create an factor of type Identity. Based on the association of Bob's machine with its IP address, we create a factor of type Endpoint. If the action is considered a threat, we create a factor of type Threat.

As you pursue an investigation, query results are presented as factors and organized by factor types so you can more easily interpret the information.  

Here is a factor derived from the event dictionary shown above, as it appears in the Investigation Workflow UI. Note that it contains a subset of the name-value pairs than the dictionary it was derived from—the ones that capture the essence of some aspect (which corresponds to a factor type) of the event, and those that will be useful in searching for related events. 

alert-column.png

Factors are indexed by link values

As part of the parsing process, Investigation Workflow identifies link values in a log message. Link values are data—like IP addresses, hostnames, usernames, and email addresses—that encapsulate key facts about the log event, and most importantly, are useful in relating that event to other events. For information about different types of link values, see Link Value Types.

When Investigation Workflow presents a factor in the UI, the link values it contains are shown in blue. In the factor shown above, username, email, and IP address are link values. 

In the Event Database, Investigation Workflow indexes each factor by the link values it contains, enabling rapid searches.

Investigations are created for alert events

When an log received by Investigation Workflow indicates a serious threat or operational issue, the Investigation Workflow parser marks is as an alert event, and creates an Alert factor for it.  

Investigation Workflow creates an Investigation object for each alert event. In the Burndown tab, the Burndown view presents a list of Investigations like the following.

burndown-queue.png

The Alert column contains the Alert factor for an event. Link values are shown in blue. For a detailed description of this page, see Burndown Tab.

You can also create an investigation from scratch, as described in Create a Freeform Investigation

Investigations and the investigation process

This section is an overview of how you conduct an investigation using Investigation Workflow, and how Investigation Workflow queries the Event Database and presents query results when you click a link value.

Claiming investigations 

In the Investigate tab, the Burndown view lists Investigations that have not been started. 

Here is one Investigation as presented in the Investigate tab.unclaimed-investigation.png
Note that there are link values shown in blue font in the Alert column in the screenshot above. You claim an investigation by clicking any link value. When you do that, Investigation Workflow removes the alert from the Burndown queue, sets its status to Open, and assigns it to you.

Viewing query results

When you claim an investigation by clicking a link value in the Alert column of the Burndown tab, the Investigation tab appears. The page presents a list of factors, organized by factor type, that contain or are related to the the link value you clicked to claim the investigation. The list includes the Alert factor for the event that triggered the Investigation.

Query results are presented as factors to make it easy to make sense of the underlying event. You can also view the underlying raw log message, or the dictionary of name-value pairs derived from the message.  

The screenshot below shows the results that appear if we click Brendan in the investigation above. The page lists a number of factors, organized by factor type: Alerts, Endpoint, and Identity.

Note that when a pivot returns multiple events that have the same factor, the Investigation tab displays the factor once, and in the Count column, shows the count of events which have the factor. This process is called aggregation. Aggregating multiple matching factors and presenting them in a condensed form makes a huge data set more manageable and understandable.   

For a detailed description of the page, see Investigation Tab.  

query-results.png

Queries are chained by default

When you click a link value—in an Investigation on the Burndown tab or in a factor on the Investigation tab—Investigation Workflow runs a primary query for factors that contain that link value. Then, by default, Investigation Workflow runs a set of secondary queries:  one for each of the unique link values in the factors returned by the primary search. This is referred to as a chained search. If you do not want Investigation Workflow to run the secondary queries, you can prevent that by modifying the pivot and unchecking the Chain option. For more information, see Modify a Pivot.

If a secondary query returns too many results, Investigation Workflow labels the link value “Hub” and does not present the results of that query. This prevents massive query results that might occur in some situations, for example if you run a query on the IP address of a firewall and that IP is mentioned in every firewall event.

Running more queries

Pursuing an investigation is a matter of using your judgment and following your nose. 

Each set of query results contains link values you can click to view event factors that contain or relate to the link value. Clicking a link value is referred to as pivoting. For example, if an IP address looks suspicious in an investigation, we might click  the IP address to pivot on that link key to see the activity for it.

Investigation history in the Investigation tab

The right pane of the Investigation tab presents the current status and history of the investigation. Any query you make looking for relevant events, any notes that you take, any event information you save as evidence is saved in the investigation.  For more information about the investigation history pane, see Investigation status and history.