Generate CSE Signals With a Scheduled Search

You can generate a CSE Signal with a scheduled search.

This page describes how to create a scheduled search that triggers a Cloud SIEM Enterprise (CSE) Signal. Before you start using scheduled searches to create CSE Signals, it is helpful to understand what Signals are and how they relate to the generation of CSE Insights. For information about how it all works, see Insight Generation Process.

Requirements for the search query

This section describes the requirements for your scheduled search: a minimum set of fields must be returned, and message fields must be renamed as necessary to match attribute names in the selected CSE Record type schema.

Required fields

There are several fields that your scheduled search must return to enable Signal generation:

  • normalizedseverity. This field must contain a value between 0 and 10, inclusive. Signals generated by the scheduled search will have this severity value. Signal severity values are used by CSE’s Insight generation algorithm, as described above.
  • stage. This field must contain a Tactic in the MITRE ATT&CK framework, one of the following:
    • Collection
    • Command and Control
    • Credential Access
    • Defense Evasion
    • Discovery
    • Execution
    • Exfiltration
    • Impact
    • Initial Access
    • Lateral Movement
    • Persistence
    • Privilege Escalation
    • Reconnaissance
    • Resource Development
  • At least one entity field:
    • device_ip
    • device_mac
    • device_natIp
    • dns_replyIp
    • dstDevice_hostname
    • dstDevice_ip
    • dstDevice_mac
    • dstDevice_natIp
    • fromUser_username
    • srcDevice_hostname
    • srcDevice_ip
    • srcDevice_mac
    • srcDevice_natIp
    • user_username

Renaming message fields

When you configure a Scheduled Search to create CSE Signals, you are prompted to select a CSE Record type. The fields returned by your search must match an attribute in the Record type you select. A field whose name does not match a CSE attribute will not be populated in the Record created from the Scheduled Search results. For more about CSE attribute names, see Attributes You Can Map to Records.
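An example of a scheduled search that satisfies the requirements above, added here and not taken from Sumo Logic's own documentation. The source category, the parse pattern, the 20-failure threshold, the tactic and the severity value are assumptions for illustration; the message fields are renamed to the srcDevice_ip and user_username entity attributes listed above.

```sumo
// Constructed example: repeated SSH login failures, aggregated per user and source IP.
// Assumed source category and log format; adjust both to your own data.
_sourceCategory=linux/auth "Failed password"
| parse "Failed password for * from * port" as user, ip
| count by user, ip
| where _count > 20
// Rename message fields to CSE Record attributes (at least one entity field is required).
| ip as srcDevice_ip
| user as user_username
// Required Signal fields: a MITRE ATT&CK tactic and a severity between 0 and 10.
| "Credential Access" as stage
| 6 as normalizedseverity
```

Each result row of the aggregate becomes the content of a Signal, so the alert condition in the scheduled search settings only needs to fire when the search returns at least one result.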

Scheduling the search

  1. After creating and saving your search, click Save As below the search query area.
  2. The Save Item popup appears.
  3. Click Schedule this search.
  4. The Save Item popup prompts you to select a run frequency.
  5. Select a frequency from the pull-down list and click Save.
  6. The popup refreshes.
  7. Timezone for scheduled search. Select the time zone you would like your scheduled search to use. The schedule's time is based on this time zone. This time zone is not related to the time zone of your data. If you don't make a selection, the scheduled search will use the time zone from your browser, which is the default selection.
  8. Send notification. Select If the following condition is met, and enter an alert condition and the number of results that should trigger the alert.
  9. Alert Type. Select CSE Signal.
  10. The popup refreshes.
  11. Record Type. Select a Record Type.
  12. Click Save.

View Signals in CSE

To view Signals that were created from a scheduled search, run a keyword search on “CIP Scheduled Search” on the Signals page in the CSE UI.

Below is a screenshot of a Signal that was created from a scheduled search. Note that:

  • The Mapping section at the bottom of the page shows that the Signal was the result of a scheduled search.
  • If the Signal is not part of an Insight, there’s a Create Insight link you can use to create an Insight for the Signal. For more information, see Create an Insight from Signal.
  • You can click the Full Details link for more information about the Signal. See View Signal details below for a screenshot.

[Screenshot: a Signal created from a scheduled search]

View Signal details

The Full Details tab displays details about the Signal.

Create an Insight from Signal

To create an Insight from a Signal generated from a scheduled search:

  1. Navigate to a Signal that was generated from a scheduled search.
  2. Click Create Insight.
  3. Click Yes, Create Insight when prompted whether you want to proceed.
  4. The new Insight is created and appears as a Related Insight.