Enterprise Audit - Cloud SIEM
The Enterprise Audit - Cloud SIEM app gives you visibility into what’s going on in Cloud SIEM. The app dashboards present high-level and detailed views into the Records that were created, the Signals that have fired, and the Insights generated by Cloud SIEM. You can also get insight in Cloud SIEM rules, including rule management activity, and which rules have fired.
Log types
The Enterprise Audit - Cloud SIEM App relies on data that is already available in Sumo Logic, so you don’t need to configure data collection.
Cloud SIEM Records
Cloud SIEM Records are stored in the following Sumo Logic partitions:
- sec_record_audit
- sec_record_authentication
- sec_record_email
- sec_record_endpoint
- sec_record_failure
- sec_record_network
- sec_record_notification
Cloud SIEM Signals
Cloud SIEM Signals are stored in the following partition:
- sec_signal
Cloud SIEM Insights
Cloud SIEM Insight activity is written to these Audit Event Index partitions:
- sumologic_audit_events: user actions performed on Insights
- sumologic_system_events: system actions performed on Insights
Logs written to either of the partitions above are assigned the source category cseinsight. Note that the Audit Event Index contains logs for a variety of Sumo Logic subsystems, so when searching either partition for Insights, include the source category in your search scope.
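As an added example (not from the page), a Sumo Logic search that applies the scoping advice above: both Audit Event Index partitions are queried together, narrowed to the cseinsight source category so that events from other Sumo Logic subsystems are excluded, and then counted per partition. The query is constructed for illustration; the field names used are the standard _index and _sourceCategory metadata fields.

```sumo
// Constructed example: Insight audit activity across both Audit Event Index partitions.
// Without the _sourceCategory restriction, other subsystems' audit events would be included.
(_index=sumologic_audit_events OR _index=sumologic_system_events) _sourceCategory=cseinsight
| count by _index
| sort by _count
```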
Install the Enterprise Audit - Cloud SIEM app
To install the app:
- Select App Catalog.
- In the Search Apps field, search for and then select your app.
- Optionally, you can scroll down to preview the dashboards included with the app. Then, click Install App (sometimes this button says Add Integration).
- Click Next.
- Look for the dialog confirming that your app was installed successfully.
Once an app is installed, it will appear in your Personal folder or the folder that you specified. From here, you can share it with other users in your organization. Dashboard panels automatically start to fill with data that matches the time range query and was received after the panel was created. Results won't be available immediately, but within about 20 minutes you'll see completed graphs and maps.
Viewing the Enterprise Audit - Cloud SIEM app dashboards
All dashboards have a set of filters that you can apply to the entire dashboard. Use these filters to drill down and examine the data to a granular level.
- You can change the time range for a dashboard or panel by selecting a predefined interval from a drop-down list, choosing a recently used time range, or specifying custom dates and times.
- You can use template variables to drill down and examine the data on a granular level. For more information, see Filtering Dashboards with Template Variables.
- Most Next-Gen apps allow you to provide the scope at installation time. The scope is comprised of a key (_sourceCategory by default) and a default value for this key. Based on your input, the app dashboards will be parameterized with a dashboard variable, allowing you to change the dataset queried by all panels. This eliminates the need to create multiple copies of the same dashboard with different queries.
Insight Trainer
The Cloud SIEM - Insight Trainer dashboard offers suggestions for making adjustments to rules, such as writing rule tuning expressions and changing severities. Implementing the recommendations causes rules to be more effective at creating high-fidelity Signals, resulting in generation of more meaningful Insights. For more information, see Improve Rules with Insight Trainer.
Insights Closed
The Cloud SIEM - Insights Closed dashboard displays metrics on closed Insights, including breakdowns by severity, resolution status, assignee, Entity type, Rule ID and more.
Insights Created
The Cloud SIEM - Insights Created dashboard presents metrics about Insight creation in your environment. You can see information like how many insights have been created, average time to detection, and Insight Confidence statistics. There are breakdowns of Insights created by severity, primary Entity, rule ID, Entity type, and more.
Insights Overview
The Cloud SIEM - Insights Overview dashboard displays a high level view of Insight activity in your environment. You can see counts of Insights created and closed over time, and the top Insights by Confidence Level.
Parsing and Mapping Troubleshooting
The Cloud SIEM - Parsing and Mapping Troubleshooting dashboard shows breakdowns of Cloud SIEM parsing and mapping troubleshooting.
Rules and Mapping Changes
The Cloud SIEM - Rules and Mapping Changes dashboard is useful for monitoring rule management activities. It has information about Cloud SIEM rules, including content management activities like rule creation, modification, and deletion. You can also see more detailed information about rule management events, such as the associated user, and the rule’s enablement and prototype status.
Record Analysis Failed Records
The Cloud SIEM - Record Analysis Failed Records dashboard is useful for understanding if you have messages or data sources for which Cloud SIEM is unable to create normalized Records.
Record Analysis Audit Records
The Cloud SIEM - Record Analysis Audit Records dashboard displays metrics about Records created by Cloud SIEM of the type Audit. Typically, this Record type is used for log sources that leave a basic audit trail.
Record Analysis Authentication Records
The Cloud SIEM - Record Analysis Authentication Records dashboard displays metrics about Records created by Cloud SIEM of the type Authentication. Typically, this Record type is used for log sources that report successful or unsuccessful authentication events.
Record Analysis Email Records
The Cloud SIEM - Record Analysis Email Records dashboard displays metrics about Records created by Cloud SIEM of the type Email. Typically, this Record type is used for log sources containing email information such as email protection applications and services.
Record Analysis Endpoint Records
The Cloud SIEM - Record Analysis Endpoint Records dashboard displays metrics about Records created by Cloud SIEM of the type Endpoint. Typically, this Record type is used for messages from endpoint security services.
Record Analysis Network Records
The Cloud SIEM - Record Analysis Network Records dashboard displays metrics about Records created by Cloud SIEM of the type Network. Typically, this Record type is used for messages from log sources that describe network events.
Record Analysis Notification Records
The Cloud SIEM - Record Analysis Notification Records dashboard displays metrics about Records created by Cloud SIEM of the type Notification. Typically, this Record type is used for messages from services that issue notifications or alerts, like threat detection and response systems.
Record Analysis Record Overview
The Cloud SIEM - Record Analysis Record Overview dashboard provides an overview of Cloud SIEM Records by source, destination, volume, vendor, and product.
Signal Analysis
The Cloud SIEM - Signal Analysis dashboard presents metrics about Signals that have been fired, including breakdowns by rule, host, and IP address.
Signal Analysis Rules
The Cloud SIEM - Signal Analysis Rules dashboard provides trend analysis of triggered rules, rules by match expression, and top rules triggered.
Signal Monitoring
The Cloud SIEM - Signal Monitoring dashboard provides time-based metrics for Cloud SIEM Signals, and Signal disappearance metrics.
Signals Overview
The Cloud SIEM - Signal Overview dashboard provides an overview of Signal activity, including Signal count over time, and a table of summary information for generated Signals.
Signals by Product
The Cloud SIEM - Signals by Product dashboard shows breakdowns of Signal by product and vendor.
SIEM SOC Insights
The Cloud SIEM - Signal SOC Insights dashboard shows breakdowns of SOC insights.
SOC Standup Overview
The Cloud SIEM - Signal Standup Overview dashboard provides an overview of total alerts, an infrequent alerts breakdown, a trending alerts breakdown, and a detailed daily alerts breakdown.
User Telemetry
The Cloud SIEM - User Telemetry dashboard shows breakdowns of Cloud SIEM user telemetry.
Upgrade/Downgrade the Enterprise Audit - Cloud SIEM app (Optional)
To update the app, do the following:
- Select App Catalog.
- In the Search Apps field, search for and then select your app.
Optionally, you can identify apps that can be upgraded in the Upgrade available section.
- To upgrade the app, select Upgrade from the Manage dropdown.
- If the upgrade does not have any configuration or property changes, you will be redirected to the Preview & Done section.
- If the upgrade has any configuration or property changes, you will be redirected to Setup Data page.
- In the Configure section of your respective app, complete the following fields.
- Key. Select either of these options for the data source.
- Choose Source Category and select a source category from the list for Default Value.
- Choose Custom and enter a custom metadata field. Insert its value in Default Value.
- Click Next. You will be redirected to the Preview & Done section.
Post-update
Your upgraded app will be installed in the Installed Apps folder, and dashboard panels will start to fill automatically.
See our Release Notes changelog for new updates in the app.
To revert the app to a previous version, do the following:
- Select App Catalog.
- In the Search Apps field, search for and then select your app.
- To version down the app, select Revert to < previous version of your app > from the Manage dropdown.
Uninstalling the Enterprise Audit - Cloud SIEM app (Optional)
To uninstall the app, do the following:
- Select App Catalog.
- In the Search Apps field, search for and then select your app.
- Click Uninstall.