Configure a Custom Insight

Learn how to set up Custom Insight configurations, which you can use to automatically generate Insights on some basis other than Entity Activity Scores.

As described in the Insight Generation Process topic, CSE automatically generates an Insight based on an Entity’s Activity Score, which is the cumulative severity of the unique Signals that have fired on an Entity during a period of time. In some cases, you may want CSE to generate an Insight on some basis other than Entity Activity Scores. For example, you might want an Insight generated whenever a particular set of Signals are fired in a particular order. 

This topic has instructions for defining a Custom Insight, which is a configuration you set up that causes CSE to generate Insights based purely on one or more Signals being fired. There are two ways you can define a Custom Insight. You can specify that the Insight should be generated each time:

  • One or more selected rules fire a Signal.
  • Signals whose name matches a specified wildcard expression are fired. 

Which method should you use? The difference is whether the Insight is created based on the name of the rule that fired the Signal, or based on the name of the Signal that was fired. Typically, the Signals that a rule generates have the same name as the rule. That is not the case with CSE’s normalized rules, for example Normalized Threat rules, which are written to work with multiple data sources: the names of the Signals that a normalized rule fires vary by data source. So, if you want your Custom Insight configuration to generate Insights for Signals fired by normalized rules, base it on Signal names rather than rule names.

When the conditions of a Custom Insight configuration are met during the currently configured detection window, an Insight will be generated for each Entity involved. In other words, if each of the Signals in a Custom Insight configuration fired on a different Entity, an Insight will be created on each of those Entities.
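The per-Entity evaluation described above, modelled as an added example (not Sumo Logic code): Signals are grouped by Entity, every configured expression must be satisfied inside a detection window, and the "exact order" setting is treated as the matches having to appear in the listed sequence. The window length, the rule ids and the sample Signals are constructed assumptions for illustration.

```python
import fnmatch
from dataclasses import dataclass

@dataclass
class Signal:
    name: str      # Signal name (varies by data source for normalized rules)
    rule_id: str   # id of the rule that fired it (constructed placeholder)
    entity: str    # Entity the Signal fired on
    ts: int        # fire time, in seconds

def _matches(pattern, signal, by):
    # "signal names" uses a wildcard expression; "rule ids" uses the rule id
    value = signal.name if by == "signal names" else signal.rule_id
    return fnmatch.fnmatchcase(value, pattern)

def custom_insights(signals, patterns, by="signal names",
                    exact_order=True, window=3600):
    """Return the Entities that would receive an Insight (sorted)."""
    # Group Signals per Entity, oldest first, so each Entity is judged alone
    by_entity = {}
    for s in sorted(signals, key=lambda s: s.ts):
        by_entity.setdefault(s.entity, []).append(s)
    hits = set()
    for entity, sigs in by_entity.items():
        for i, start in enumerate(sigs):          # slide the detection window
            in_window = [s for s in sigs[i:] if s.ts - start.ts <= window]
            if exact_order:
                nxt = 0                            # next pattern to satisfy
                for s in in_window:
                    if nxt < len(patterns) and _matches(patterns[nxt], s, by):
                        nxt += 1
                ok = nxt == len(patterns)
            else:                                  # any order: all must appear
                ok = all(any(_matches(p, s, by) for s in in_window)
                         for p in patterns)
            if ok:
                hits.add(entity)
                break
    return sorted(hits)

# Constructed sample Signals (names from this page; rule ids are placeholders)
SAMPLE = [
    Signal("Critical Severity Intrusion Signature Detected", "rule-ids", "host-a", 0),
    Signal("McAfee ePO - Virus Outbreak", "rule-virus-outbreak", "host-a", 600),
    Signal("McAfee ePO - Virus Outbreak", "rule-virus-outbreak", "host-b", 100),
    Signal("Critical Severity Intrusion Signature Detected", "rule-ids", "host-b", 700),
    Signal("Critical Severity Intrusion Signature Detected", "rule-ids", "host-c", 0),
]
PATTERNS = ["Critical Severity Intrusion Signature *", "McAfee ePO - Virus Outbreak"]
```

With exact order only host-a qualifies (host-b saw the same two Signals reversed); with any order both do, and a 300-second window catches neither.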

This example Custom Insight configuration will generate an Insight as a result of the McAfee ePO - Virus Outbreak rule firing a Signal. 


To create a Custom Insight

  1. Choose Custom Insights on the Content menu.
  2. Click Create on the Custom Insights page.
  3. The Configure the Custom Insight popup appears.
  4. In the Name field, enter a name for the Custom Insight.
  5. If you want the Custom Insight to be generated based on one or more rules firing Signals, jump to step 6, below. Otherwise: 
    1. Leave the When Signals are created from the following... clause set to signal names.
    2. Enter an expression that matches the name(s) of the Signals of interest. For example:
      Critical Severity Intrusion Signature *
    3. Click Add.
    4. If you want to, you can enter one or more additional Signal expressions.
    5. If you’ve configured more than one Signal expression, use the in ... order clause to specify whether the Signals must occur in exact order, or whether the Signals can occur in any order. 
  6. If you want the Custom Insight to be generated based on one or more rules firing Signals:
    1. Change the When Signals are created from the following... clause to rule ids.
    2. In the Type to add a Rule area, enter a string that is contained in the ID of the desired rule.
    3. In the list of rules that appears, scroll to the desired rule and click it.
    4. If you want to, you can search for and select one or more additional rules.
    5. If you’ve configured more than one rule, use the in ... order clause to specify whether the rules must fire Signals in exact order, or in any order. 
  7. On the right side of the configuration popup, enter a name, description, and Severity for the Custom Insight, and if desired, select Tags that you want assigned to the Custom Insight. 
  8. Click Submit to save your Custom Insight configuration.