Skip to main content

Enterprise Audit - Cloud SIEM

The Enterprise Audit - Cloud SIEM app gives you visibility into what’s going on in Cloud SIEM. The app dashboards present high-level and detailed views into the Records that were created, the Signals that have fired, and the Insights generated by Cloud SIEM. You can also get insight in Cloud SIEM rules, including rule management activity, and which rules have fired.

Watch this micro lesson to learn more about the Enterprise Audit - Cloud SIEM app.

Log types

The Enterprise Audit - Cloud SIEM App relies on data that is already available in Sumo Logic, so you don’t need to configure data collection.

Cloud SIEM Records

Cloud SIEM Records are stored in the following Sumo Logic partitions:

  • sec_record_audit
  • sec_record_authentication
  • sec_record_email
  • sec_record_endpoint
  • sec_record_failure
  • sec_record_network
  • sec_record_notification

Cloud SIEM Signals

Cloud SIEM Signals are stored in the following partition:

  • sec_signal

Cloud SIEM Insights

Cloud SIEM Insight activity is written to these Audit Event Index partitions:

  • sumologic_audit_events. User actions performed on Insights
  • sumologic_system_events, System actions performed on Insights are logged

Logs written to either of the partitions above are assigned the source category cseinsight. Note that the Audit Event Index contains logs for a variety of Sumo Logic subsystems, so when searching either partition for Insights, include the source category in your search scope.

Install the Enterprise Audit - Cloud SIEM app

To install the app:

  1. Select App Catalog.
  2. In the Search Apps field, search for and then select your app.
  3. Optionally, you can scroll down to preview the dashboards included with the app. Then, click Install App (sometimes this button says Add Integration).
  4. Click Next.
  5. Look for the dialog confirming that your app was installed successfully.
    app-success-sumo-apps.png

Once an app is installed, it will appear in your Personal folder or the folder that you specified. From here, you can share it with other users in your organization. Dashboard panels will automatically start to fill with data matching the time range query received since you created the panel. Results won't be available immediately, but within about 20 minutes, you'll see completed graphs and maps.

Viewing the Enterprise Audit - Cloud SIEM app dashboards

All dashboards have a set of filters that you can apply to the entire dashboard. Use these filters to drill down and examine the data to a granular level.

  • You can change the time range for a dashboard or panel by selecting a predefined interval from a drop-down list, choosing a recently used time range, or specifying custom dates and times. Learn more.
  • You can use template variables to drill down and examine the data on a granular level. For more information, see Filtering Dashboards with Template Variables.
  • Most Next-Gen apps allow you to provide the scope at the installation time and are comprised of a key (_sourceCategory by default) and a default value for this key. Based on your input, the app dashboards will be parameterized with a dashboard variable, allowing you to change the dataset queried by all panels. This eliminates the need to create multiple copies of the same dashboard with different queries.

Insight Trainer

The Cloud SIEM - Insight Trainer dashboard offers suggestions for making adjustments to rules, such as writing rule tuning expressions and changing severities. Implementing the recommendations causes rules to be more effective at creating high-fidelity Signals, resulting in generation of more meaningful Insights. For more information, see Improve Rules with Insight Trainer.

Cloud SIEM dashboard

Insights Closed

The Cloud SIEM - Insights Closed dashboard displays metrics on closed Insights, including breakdowns by severity, resolution status, assignee, Entity type, Rule ID and more.

Cloud SIEM dashboard

Insights Created

The Cloud SIEM - Insights Created dashboard presents metrics about Insight creation in your environment. You can see information like how many insights have been created, average time to detection, and Insight Confidence statistics. There are breakdowns of Insights created by severity, primary Entity, rule ID, Entity type, and more.

Cloud SIEM dashboard

Insights Overview

The Cloud SIEM - Insights Overview dashboard displays a high level view of Insight activity in your environment. You can see counts of Insights created and closed over time, and the top Insights by Confidence Level.

Cloud SIEM dashboard

Parsing and Mapping Troubleshooting

The Cloud SIEM - Parsing and Mapping Troubleshooting dashboard shows breakdowns of cloud SIEM parsing and mapping troubleshooting.

Cloud SIEM Parsing and Mapping Troubleshooting

Rules and Mapping Changes

The Cloud SIEM - Rules and Mapping Changes dashboard is useful for monitoring rule management activities. It has information about Cloud SIEM rules, including content management activities like rule creation, modification, and deletion. You can also see more detailed information about rule management events, such as the associated user, and the rule’s enablement and prototype status.

Cloud SIEM dashboard

Record Analysis Failed Records

The Cloud SIEM - Record Analysis Failed Records dashboard is useful for understanding if you have messages or data sources for which Cloud SIEM is unable to create normalized Records.

Cloud SIEM dashboard

Record Analysis Audit Records

The Cloud SIEM - Record Analysis Audit Records dashboard displays metrics about Records created by Cloud SIEM of the type Audit. Typically, this Record type is used for log sources that leave a basic audit trail.

Cloud SIEM dashboard

Record Analysis Authentication Records

The Cloud SIEM - Record Analysis Authentication Records dashboard displays metrics about Records created by Cloud SIEM of the type Authentication. Typically, this Record type is used for log sources that report successful or unsuccessful authentication events.

Cloud SIEM dashboard

Record Analysis Email Records

The Cloud SIEM - Record Analysis Email Records dashboard displays metrics about Records created by Cloud SIEM of the type Email. Typically, this Record type is used for log sources containing email information such as email protection applications and services.

Cloud SIEM dashboard

Record Analysis Endpoint Records

The Cloud SIEM - Record Analysis Endpoint Records dashboard displays metrics about Records created by Cloud SIEM of the type Endpoint. Typically, this Record type is used for messages from endpoint security services.

Cloud SIEM dashboard

Record Analysis Network Records

The Cloud SIEM - Record Analysis Network Records dashboard displays metrics about Records created by Cloud SIEM of the type Network. Typically, this Record type is used for messages from log sources that describe network events.

Cloud SIEM dashboard

Record Analysis Notification Records

The Cloud SIEM - Record Analysis Notification Records dashboard displays metrics about Records created by Cloud SIEM of the type Notification. Typically, this Record type is used for messages from services that issue notifications or alerts, like threat detection and response systems.

Cloud SIEM dashboard

Record Analysis Record Overview

The Cloud SIEM - Record Analysis Record Overview dashboard provides an overview of Cloud SIEM Records by source, destination, volume, and vendor and product.

Cloud SIEM dashboard

Signal Analysis

The Cloud SIEM - Signal Analysis dashboard presents metrics about Signals that have been fired, including breakdowns by rule, host, and IP address.

Cloud SIEM dashboard

Signal Analysis Rules

The Cloud SIEM - Signal Analysis Rules dashboard provides trend analysis of triggered rules, rules by match expression and top rules triggered.

Cloud SIEM dashboard

Signal Monitoring

The Cloud SIEM - Signal Monitoring dashboard provides times-based metrics for Cloud SIEM Signals, and Signal disappearance metrics.

Cloud SIEM dashboard

Signals Overview

The Cloud SIEM - Signal Overview dashboard provides an overview of Signal activity, including Signal count over time, and a table of summary information for generated Signals.

Cloud SIEM dashboard

Signals by Product

The Cloud SIEM - Signals by Product dashboard shows breakdowns of Signal by product and vendor.

Cloud SIEM dashboard

SIEM SOC Insights

The Cloud SIEM - Signal SOC Insights dashboard shows breakdowns of SOC insights.

Cloud SIEM SOC Insights

SOC Standup Overview

The Cloud SIEM - Signal Standup Overview dashboard provides an overview of total alerts, infrequent alerts breakdown, trending alerts breakdown, and detailed daily alerts breakdow.

Cloud SIEM SOC Standup Overview

User Telemetry

The Cloud SIEM - User Telemetry dashboard shows breakdowns of Cloud SIEM user telemetry.

Cloud SIEM User Telemetry

Upgrade/Downgrade the Enterprise Audit - Cloud SIEM app (Optional)

To update the app, do the following:

  1. Select App Catalog.
  2. In the Search Apps field, search for and then select your app.
    Optionally, you can identify apps that can be upgraded in the Upgrade available section.
  3. To upgrade the app, select Upgrade from the Manage dropdown.
    1. If the upgrade does not have any configuration or property changes, you will be redirected to the Preview & Done section.
    2. If the upgrade has any configuration or property changes, you will be redirected to Setup Data page.
      1. In the Configure section of your respective app, complete the following fields.
        • Key. Select either of these options for the data source.
          • Choose Source Category and select a source category from the list for Default Value.
          • Choose Custom and enter a custom metadata field. Insert its value in Default Value.
      2. Click Next. You will be redirected to the Preview & Done section.

Post-update

Your upgraded app will be installed in the Installed Apps folder, and dashboard panels will start to fill automatically.

note

See our Release Notes changelog for new updates in the app.

To revert the app to a previous version, do the following:

  1. Select App Catalog.
  2. In the Search Apps field, search for and then select your app.
  3. To version down the app, select Revert to < previous version of your app > from the Manage dropdown.

Uninstalling the Enterprise Audit - Cloud SIEM app (Optional)

To uninstall the app, do the following:

  1. Select App Catalog.
  2. In the 🔎 Search Apps field, run a search for your desired app, then select it.
  3. Click Uninstall.
Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.