Sumo Logic

Threat Intel Optimization

Further optimize and enhance your Threat Intel Quick Analysis App queries for the log and event types you are scanning for threats.

The Threat Intel Quick Analysis App ships with baseline queries. You can further optimize and enhance these queries for the log and event types you are scanning for threats. Use the following guidelines to customize your Threat Intel queries:

  • Filter out unwanted logs before you apply the Threat Intel lookup operator, so the lookup runs only on candidate indicators
  • Use keywords in the search scope to narrow the set of messages that are parsed
  • Use the where operator to drop values that can never match a threat feed, such as null, 0.0.0.0 and 127.0.0.1
  • Use general search optimization rules

For example:

_sourceCategory=cylance "IP Address"
| parse regex "(?<ip_address>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| where !isNull(ip_address)
| where ip_address != "0.0.0.0" and ip_address != "127.0.0.1"
| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=ip_address

Field Extraction Rule

Use Field Extraction Rules (FER) to parse fields from your log messages at ingest time, which eliminates the need to parse them in every query. Use these parsed fields with the Threat Intel lookup operator.

  1. Create the FER. For example, for Cylance Security Events, create and use the following FER:

    parse "Event Type: *, Event Name: *, Device Name: *, IP Address: (*, *), File Name: *, Path: *, Drive Type: *, SHA256: *, MD5: *, Status: *, Cylance Score: *, Found Date: *, File Type: *, Is Running: *, Auto Run: *, Detected By: *" as event_type,event_name,device_name,src_ip,dest_ip,file_name,path,drive_type,sha,md5,status,score,found,file_type,isRunning,autoRun,detected

  2. Customize your query so that it uses the fields parsed by the FER with the Threat Intel lookup operator. For example:

    _sourceCategory=cylance
    // src_ip is already parsed by the FER from step 1, so no parse operator is needed here
    | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip
    | json field=raw "labels[*].name" as label_name
    | replace(label_name, "\\/","->") as label_name
    | replace(label_name, "\""," ") as label_name
    | where type="ip_address" and !isNull(malicious_confidence)
    | if (isEmpty(actor), "Unassigned", actor) as Actor
    | count as threat_count by src_ip, malicious_confidence, Actor, _source, label_name
    | sort by threat_count

    Here src_ip is the field parsed by the FER in step 1.
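The guidelines above (filter before the lookup, parse with an FER, then join against the threat feed) as an added Python model; this is not Sumo Logic's code or the app's own queries. It compiles the page's FER parse pattern into a regex, applies the pre-lookup IP filter, joins against a constructed stand-in for sumo://threat/cs, and ends with the same count-by the customized query ends with. The threat table, actor name, labels and log lines are constructed for this example; the filter goes beyond the page's two literal addresses by dropping the whole RFC 1918, loopback, link-local and 0.0.0.0/8 ranges, which is this example's assumption about what is worth looking up.

```python
"""Offline model of the Cylance threat-intel pipeline from the page (added
example, not Sumo Logic's code): FER parse -> IP filter -> lookup -> count."""
import ipaddress
import json
import re
from collections import Counter

# FER parse pattern and field list copied from the page (Sumo "parse" wildcards).
FER_PATTERN = ("Event Type: *, Event Name: *, Device Name: *, IP Address: (*, *), "
               "File Name: *, Path: *, Drive Type: *, SHA256: *, MD5: *, Status: *, "
               "Cylance Score: *, Found Date: *, File Type: *, Is Running: *, "
               "Auto Run: *, Detected By: *")
FER_FIELDS = ["event_type", "event_name", "device_name", "src_ip", "dest_ip",
              "file_name", "path", "drive_type", "sha", "md5", "status", "score",
              "found", "file_type", "isRunning", "autoRun", "detected"]

# Constructed sample events in the format the FER expects: line 2 has a private
# source address, line 4 is unparseable, line 5 has 0.0.0.0, line 6 repeats line 1's IP.
SAMPLE_LOGS = [
    "Event Type: Threat, Event Name: threat_found, Device Name: WS01, IP Address: (203.0.113.10, 10.1.2.3), File Name: evil.exe, Path: C:\\Temp\\evil.exe, Drive Type: Fixed, SHA256: aa11, MD5: bb22, Status: Quarantined, Cylance Score: -1.0, Found Date: 2020-01-01, File Type: PE, Is Running: False, Auto Run: False, Detected By: FileWatcher",
    "Event Type: Threat, Event Name: threat_found, Device Name: WS02, IP Address: (10.0.0.5, 10.1.2.3), File Name: tool.exe, Path: C:\\Temp\\tool.exe, Drive Type: Fixed, SHA256: cc33, MD5: dd44, Status: Quarantined, Cylance Score: -0.9, Found Date: 2020-01-01, File Type: PE, Is Running: True, Auto Run: False, Detected By: FileWatcher",
    "Event Type: Threat, Event Name: threat_found, Device Name: WS03, IP Address: (198.51.100.20, 10.1.2.3), File Name: ad.exe, Path: C:\\Temp\\ad.exe, Drive Type: Fixed, SHA256: ee55, MD5: ff66, Status: Quarantined, Cylance Score: -0.5, Found Date: 2020-01-02, File Type: PE, Is Running: False, Auto Run: True, Detected By: ExecutionControl",
    "Event Type: Threat, Event Name: truncated record",
    "Event Type: Threat, Event Name: threat_found, Device Name: WS04, IP Address: (0.0.0.0, 10.1.2.3), File Name: x.exe, Path: C:\\x.exe, Drive Type: Fixed, SHA256: 0011, MD5: 2233, Status: Quarantined, Cylance Score: -1.0, Found Date: 2020-01-02, File Type: PE, Is Running: False, Auto Run: False, Detected By: FileWatcher",
    "Event Type: Threat, Event Name: threat_found, Device Name: WS01, IP Address: (203.0.113.10, 10.1.2.3), File Name: evil2.exe, Path: C:\\Temp\\evil2.exe, Drive Type: Fixed, SHA256: 4455, MD5: 6677, Status: Quarantined, Cylance Score: -1.0, Found Date: 2020-01-03, File Type: PE, Is Running: False, Auto Run: False, Detected By: FileWatcher",
]

# Constructed stand-in for the sumo://threat/cs lookup, keyed by indicator;
# "raw" mimics the JSON blob the page reads labels[*].name from.
THREAT_TABLE = {
    "203.0.113.10": {"type": "ip_address", "actor": "", "threatlevel": "high",
                     "raw": json.dumps({"labels": [{"name": "Malware/Downloader"},
                                                   {"name": "Category/Botnet"}]})},
    "198.51.100.20": {"type": "ip_address", "actor": "EXAMPLE ACTOR", "threatlevel": "medium",
                      "raw": json.dumps({"labels": [{"name": "Adware"}]})},
}

# Assumption of this example: none of these ranges can appear in a threat feed.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]


def parse_pattern_to_regex(pattern, fields):
    """Compile a Sumo-style wildcard pattern into a regex with one named group per '*'.
    Each wildcard takes the shortest run up to the next literal (lazy match)."""
    if pattern.count("*") != len(fields):
        raise ValueError("wildcard count does not match field count")
    literals = [re.escape(p) for p in pattern.split("*")]
    regex = literals[0]
    for field, literal in zip(fields, literals[1:]):
        regex += f"(?P<{field}>.*?){literal}"
    return re.compile(regex + "$")


def is_lookup_worthy(ip_text):
    """Pre-lookup filter: the page drops 0.0.0.0 and 127.0.0.1; this widens it
    to NON_ROUTABLE, because every lookup costs query time."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False                      # not an address: nothing to look up
    return not any(ip in net for net in NON_ROUTABLE)


def lookup(ip):
    """Model of 'lookup ... from sumo://threat/cs on threat=src_ip' plus the
    page's json / replace / if post-processing of the hit."""
    hit = THREAT_TABLE.get(ip)
    if hit is None:
        return None
    names = [lbl["name"] for lbl in json.loads(hit["raw"]).get("labels", [])]
    # json field=raw "labels[*].name" yields an array string such as ["a/b","c"];
    # the page's two replace() calls turn "/" into "->" and strip the quotes
    # (the query matches "\\/" because the slash comes out escaped there).
    label_name = json.dumps(names).replace("/", "->").replace('"', " ")
    return {"type": hit["type"], "malicious_confidence": hit["threatlevel"],
            "Actor": hit["actor"] or "Unassigned", "label_name": label_name}


def run_pipeline(log_lines):
    """FER parse -> filter -> lookup -> count by src_ip, confidence, Actor, label,
    sorted by threat_count descending like the page's query."""
    fer = parse_pattern_to_regex(FER_PATTERN, FER_FIELDS)
    counts = Counter()
    for line in log_lines:
        match = fer.match(line)
        if match is None:
            continue                      # FER did not apply: no src_ip field
        src_ip = match.group("src_ip")
        if not is_lookup_worthy(src_ip):
            continue                      # filter BEFORE the lookup
        hit = lookup(src_ip)
        if hit is None or hit["type"] != "ip_address":
            continue                      # where type="ip_address" and !isNull(...)
        counts[(src_ip, hit["malicious_confidence"], hit["Actor"], hit["label_name"])] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for key, threat_count in run_pipeline(SAMPLE_LOGS):
        print(threat_count, *key)
```

Of the six constructed events, only two survive to the lookup with a hit: the private, 0.0.0.0 and unparseable lines are discarded before any lookup happens, which is the point of the first guideline, and the repeated 203.0.113.10 rolls up into a single row with a threat_count of 2.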

Scheduled View

Use scheduled views with the Threat Intel lookup operator to find threats. A scheduled view stores only the aggregated results your query produces, so searches that run against it return much faster than the same search over raw logs, because the parsing, lookup and aggregation have already been done. The view's query runs continuously, once per minute. Because the lookup is evaluated when the view's query runs, an indicator added to the feed later is not applied to data the view has already indexed.

  1. Create a scheduled view. For example, for Cylance, create a scheduled view named cylance_threat with the following query. It relies on the src_ip field parsed by the Threat Intel FER above:

    _sourceCategory=cylance
    | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip
    | json field=raw "labels[*].name" as label_name
    | replace(label_name, "\\/","->") as label_name
    | replace(label_name, "\""," ") as label_name
    | where type="ip_address" and !isNull(malicious_confidence)
    | if (isEmpty(actor), "Unassigned", actor) as Actor
    | lookup latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code from geo://default on ip = src_ip
    | count as threat_count by src_ip, malicious_confidence, Actor, _source, label_name, city, country_name, raw

  2. Now you can run your Threat Intel query on top of this view:

    _view=cylance_threat
    | count by src_ip