How to set up an alert in Sumo Logic using NQL

Time: 2018-09-26 19:53:47

Tags: sumologic

Login events are tracked in catalina.out, and that file is pushed to Sumo Logic. How do I create an alert on these login events for unauthorized users (a list of users)?

1 answer:

Answer 0 (score: 1)

For a basic overview of the SL search query language, have a look at https://help.sumologic.com/Search/Search-Query-Language. Most queries have a scope, some normalization and filtering, and then an aggregation.

See below for an example of a query that looks for malicious logins:

_sourceCategory=O365/Azure AND "\"UserLoginFailed\"" AND !"UserDisabled"
| json field=_raw "UserId" as user_id
| json field=_raw "ClientIP" as src_ip
| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip
| lookup latitude, longitude, country_name from geo://location on ip=src_ip
| where (!(country_name="United States") or (malicious_confidence="unverified" or malicious_confidence="low" or malicious_confidence="medium" or malicious_confidence="high"))
| count by user_id, malicious_confidence, country_name
| sort by _count

For setting up an alert on that query, see https://help.sumologic.com/Dashboards-and-Alerts/Alerts/02-Schedule-a-Search

If you are just getting started, I strongly recommend watching the SL fundamentals videos (1 and 2) on YouTube: https://www.youtube.com/watch?v=FO8mfZojb1c
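The answer describes the shape of a Sumo Logic query (scope, then normalization and filtering, then aggregation) but its example is for O365 sign-in failures rather than the asker's catalina.out logins. The following Python script is an added example, not code from the answer or from Sumo Logic, that runs that same three-stage pipeline locally against a handful of constructed catalina.out-style lines so the logic can be checked before it is turned into a scheduled search. The log line format (`LOGIN_SUCCESS user=... ip=...`), the `AUTHORIZED_USERS` list and the sample lines are all assumptions made for the demonstration.

```python
import re
from collections import Counter

# Constructed catalina.out-style lines (assumed format, not taken from the page).
# A real Tomcat application would emit whatever its login filter logs.
SAMPLE_LOG = """\
26-Sep-2018 19:40:01.123 INFO [http-nio-8080-exec-3] com.example.auth.LoginFilter.doFilter LOGIN_SUCCESS user=alice ip=10.0.0.5
26-Sep-2018 19:41:13.456 INFO [http-nio-8080-exec-7] com.example.auth.LoginFilter.doFilter LOGIN_SUCCESS user=mallory ip=203.0.113.9
26-Sep-2018 19:41:50.789 WARN [http-nio-8080-exec-2] com.example.auth.LoginFilter.doFilter LOGIN_FAILED user=bob ip=10.0.0.8
26-Sep-2018 19:42:05.000 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 1234 ms
26-Sep-2018 19:43:22.111 INFO [http-nio-8080-exec-5] com.example.auth.LoginFilter.doFilter LOGIN_SUCCESS user=mallory ip=203.0.113.9
26-Sep-2018 19:44:00.222 INFO [http-nio-8080-exec-6] com.example.auth.LoginFilter.doFilter LOGIN_SUCCESS user=eve ip=198.51.100.4
"""

# Hypothetical allow-list; in Sumo Logic this would typically live in an
# uploaded lookup table rather than inline in the query.
AUTHORIZED_USERS = {"alice", "bob"}

# Stage 2 (normalization): pull the fields we aggregate on out of the raw line.
LOGIN_RE = re.compile(
    r"(?P<event>LOGIN_SUCCESS|LOGIN_FAILED) user=(?P<user>\S+) ip=(?P<ip>\S+)"
)


def scope(lines):
    """Stage 1 (scope): keep only lines that are login events at all."""
    return [line for line in lines if "LOGIN_" in line]


def parse(lines):
    """Stage 2 (normalization): turn each scoped line into a dict of fields."""
    rows = []
    for line in lines:
        match = LOGIN_RE.search(line)
        if match:
            rows.append(match.groupdict())
    return rows


def unauthorized_logins(log_text, authorized, events=("LOGIN_SUCCESS",)):
    """Stages 2 and 3: filter to users not on the allow-list, then count by
    (user, ip) and sort descending, mirroring `count by ... | sort by _count`.

    Returns a list of ((user, ip), count) tuples.
    """
    rows = parse(scope(log_text.splitlines()))
    hits = [
        r for r in rows
        if r["event"] in events and r["user"] not in authorized
    ]
    counts = Counter((r["user"], r["ip"]) for r in hits)
    # Sort by count descending, then by key for a stable, readable order.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def should_alert(result_rows, threshold=1):
    """Alert condition a scheduled search would evaluate: fire when the total
    number of matching events reaches the threshold."""
    return sum(count for _, count in result_rows) >= threshold


if __name__ == "__main__":
    rows = unauthorized_logins(SAMPLE_LOG, AUTHORIZED_USERS)
    for (user, ip), count in rows:
        print(f"{user:10} {ip:15} {count}")
    print("ALERT" if should_alert(rows) else "no alert")
```

On the constructed input the script reports two successful logins for `mallory` from 203.0.113.9 and one for `eve` from 198.51.100.4, and `alice` and `bob` never appear because they are on the allow-list; `bob`'s failed login is also excluded because only `LOGIN_SUCCESS` events are counted by default, which you can change with the `events` argument if failures should alert too. Once the filter and aggregation behave as intended here, the same stages map onto a Sumo Logic search (a scope on the catalina.out source, a `parse` step for the user and IP, a `where` or lookup-based filter, and a `count by`), which can then be scheduled as described in the answer's alerting link.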