By: Owen Dubiel
March 29, 2021
Sumo Logic Daily Checks For Success
Working within a SIEM solution doesn't have to be an overwhelming task, and Sumo Logic makes it easy and streamlined for security teams to manage, triage, and respond to daily events without too much overhead. This article covers some of the daily tasks a security analyst should be doing, along with some Sumo Logic features you might not be aware of. Integrating these tasks and built-in features into overall security operations lets security teams work efficiently and gives them a richer environment for threat hunting.
1. App Catalog
The app catalog contains tons of pre-built dashboards based on use cases or data sources within the Sumo Logic Core management platform. Enabling these dashboards is easy: point them at your data source by category name, and the dashboard will start to populate. Some examples of awesome dashboards include:
- Cisco (includes visibility around ASA, Meraki, and Firepower events)
- Azure (bird's-eye view into SQL, Web Apps, Audits, AD, and Network logs)
- Crowdstrike (Detections, EDR overview, Host breakdown)
- Authentication (Okta and Duo)
These are just a few of the great options provided with your base subscription. The app catalog dashboards let you quickly get visibility into your data without manually creating searches. If you want to tweak or customize these dashboards to meet your needs, Sumo lets you export the backend searches and re-upload them as needed.
2. Compliance and Management
The core platform also provides various solutions to ease compliance efforts and management workloads on the Sumo Logic SIEM. The following are some of the features within the core platform that should be utilized daily.
3. Enterprise Audit Suite
Within the app catalog, there is a suite of dashboards created by Sumo Logic called Enterprise Audit. The searches included in these dashboards are a great starting point for any security team or CISO to get a sense of the environment at a particular point in time. Topics included in this suite are as follows:
- Content Management
- Security Management
- User & Role Management
- Search Audit
- Collector & Data Forwarding Management
As the names suggest, each is tailored to its specific category and provides a plethora of data, including a management overview, admin actions, and user/role activity. Whether you are a security engineer troubleshooting an issue or a CISO trying to get a sense of the security state for an audit, these dashboards are the best place to start.
4. PCI compliance suite
There is another suite of dashboards pertaining to PCI compliance. The idea behind these is to streamline your evidence-gathering process for PCI audits. These dashboards give you all the requirements by revision number. They are easy to configure as long as the appropriate data source is being ingested into the core platform.
5. Account Overview Tab
The Core platform offers good options for getting a picture of your Sumo instance's current status. The Account Overview tab gives detailed insight into overall credit usage, including what your ingestion credits are being spent on, broken down into these categories:
- Continuous ingest
- Frequent ingest
- CSE (Cloud SIEM Enterprise) ingest
Insightful graphs and charts provide the visibility needed to ensure daily thresholds are met and not exceeded.
The CSE (Cloud SIEM Enterprise) portion of the Sumo platform is essentially their SIEM. This is where alerts and detections trigger and are presented for review. The following are two important aspects of the CSE platform that security analysts should focus on:
6. Reviewing Insights
Insights are a combination of individual signals that have fired and together meet certain criteria within a specific timeframe. Every Insight should be reviewed and one of the following actions taken: either address the concern it lays out, or mark it as a false positive and tune the Insight's signals to prevent it from firing again.
The best approach to reviewing an Insight is as follows:
- Open the Insight & take note of the asset in question.
- Scroll to the bottom right of the page and check the latest signals to confirm the triggering event.
- Use the tagging option to keep accurate tags on specific assets.
- Record your findings in the comments section so the event can be recalled later.
- Use the artifacts tab to view associated and related files, hosts, and accounts to this Insight.
- View the enhancements tab to get additional information on public IPs.
Each Insight will require some business knowledge of how certain processes are handled at your specific company. Overall, everything an analyst needs is right at their fingertips.
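How signals roll up into an Insight, and the review steps listed above, as an added example in Python that is not Sumo Logic code: the `Signal` and `Insight` classes, the 1-10 severity scale, the threshold of 12 and the 14-day window are all assumed parameters rather than documented CSE behaviour, and the sample signals are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical model of CSE-style signals and Insights (added example, not Sumo code).
# Threshold and window values below are assumed parameters, not documented defaults.


@dataclass(frozen=True)
class Signal:
    name: str            # rule that fired
    entity: str          # asset the signal is attached to (host or account)
    severity: int        # assumed scale: 1 (low) .. 10 (critical)
    fired_at: datetime
    anomaly: bool = False


@dataclass
class Insight:
    entity: str
    opened_at: datetime
    signals: list = field(default_factory=list)
    tags: set = field(default_factory=set)
    comments: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return sum(s.severity for s in self.signals)

    def latest_signals(self, n: int = 3) -> list:
        """Most recent contributing signals: the ones to check first to confirm the trigger."""
        return sorted(self.signals, key=lambda s: s.fired_at, reverse=True)[:n]


def build_insights(signals, threshold: int = 12, window: timedelta = timedelta(days=14)) -> list:
    """Open an Insight for an entity when the summed severity of its signals
    inside a sliding `window` reaches `threshold`. Signals consumed by an
    Insight do not count toward the next one."""
    by_entity: dict = {}
    for s in sorted(signals, key=lambda s: s.fired_at):
        by_entity.setdefault(s.entity, []).append(s)

    insights = []
    for entity, sigs in by_entity.items():
        pending = []
        for s in sigs:
            pending.append(s)
            # forget signals that have aged out of the window
            pending = [p for p in pending if s.fired_at - p.fired_at <= window]
            if sum(p.severity for p in pending) >= threshold:
                insights.append(Insight(entity, s.fired_at, list(pending)))
                pending = []
    return insights


def triage(insight: Insight, false_positive: bool, note: str, tags=()) -> list:
    """Apply the review checklist: tag the asset, record the finding, and if the
    Insight is a false positive return the rule names that need tuning."""
    insight.tags.update(tags)
    insight.comments.append(note)
    if false_positive:
        return sorted({s.name for s in insight.signals})
    return []


# Constructed sample signals for one morning (not real detections)
T0 = datetime(2021, 3, 29, 8, 0)
SAMPLE_SIGNALS = [
    Signal("Brute force login attempts", "svc-backup", 4, T0),
    Signal("New admin group membership", "svc-backup", 5, T0 + timedelta(hours=2)),
    Signal("Outbound connection to rare port", "svc-backup", 4, T0 + timedelta(hours=3), anomaly=True),
    Signal("Failed login", "jdoe", 2, T0),
    Signal("Failed login", "jdoe", 2, T0 + timedelta(days=20)),  # too old to combine with the first
]

if __name__ == "__main__":
    for ins in build_insights(SAMPLE_SIGNALS):
        print(f"{ins.entity}: score {ins.score}, opened {ins.opened_at:%Y-%m-%d %H:%M}")
        for s in ins.latest_signals():
            print("   ", s.fired_at.strftime("%H:%M"), "anomaly" if s.anomaly else "rule   ", s.name)
        print("   tune:", triage(ins, False, "confirmed with host owner", tags={"backup-server"}))
```

Only `svc-backup` crosses the threshold: three signals inside a few hours add up to 13. The two `jdoe` failed logins never combine because the second falls outside the window, which is the behaviour an analyst relies on when deciding that an old, isolated signal is not worth reopening.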
7. Signal Anomalies
Within the CSE platform, some rules are created specifically to detect anomalies in particular subsets of logs. When these signals fire, they are marked with a green bubble labelled "anomaly." Reviewing these first is a great way to focus investigation on the events that stand out most. Types of events may include authentications, privilege escalation, and abnormal account activity.
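An added example, not Sumo Logic code, of the kind of anomaly rule described here: it baselines each account's successful logins over a training period and emits an anomaly signal for later logins from an unfamiliar network, at an unusual hour, or with a role the account never held before (the authentication, privilege escalation and account-activity cases named above). The key=value log format, the /24 "network" key, the two-hour slack, the cutoff date and the events themselves are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed authentication events in an assumed key=value format
# (not a real Okta/Duo/Sumo schema). The first week is normal activity;
# the last day contains an off-hours login from an unfamiliar network that
# is then followed by a role change.
AUTH_LOGS = """\
2021-03-22T09:12:04Z user=jdoe src=10.1.4.22 result=success role=user
2021-03-23T09:05:41Z user=jdoe src=10.1.4.22 result=success role=user
2021-03-24T08:58:10Z user=jdoe src=10.1.4.23 result=success role=user
2021-03-25T09:10:33Z user=jdoe src=10.1.4.22 result=failure role=user
2021-03-25T09:11:02Z user=jdoe src=10.1.4.22 result=success role=user
2021-03-22T10:00:00Z user=asmith src=10.1.7.9 result=success role=admin
2021-03-23T10:02:00Z user=asmith src=10.1.7.9 result=success role=admin
2021-03-29T03:14:07Z user=jdoe src=203.0.113.77 result=success role=user
2021-03-29T03:20:15Z user=jdoe src=203.0.113.77 result=success role=admin
2021-03-29T10:01:00Z user=asmith src=10.1.7.9 result=success role=admin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+) role=(?P<role>\S+)$"
)


def parse_events(text: str) -> list:
    """Parse the assumed log format into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["subnet"] = ".".join(e["src"].split(".")[:3])  # /24 as a crude "network" key
        events.append(e)
    return events


def build_baseline(events: list, until: datetime) -> dict:
    """Per-account profile of successful logins before `until`:
    networks used, hours of day seen, and roles held."""
    profile = defaultdict(lambda: {"subnets": set(), "hours": set(), "roles": set()})
    for e in events:
        if e["ts"] < until and e["result"] == "success":
            p = profile[e["user"]]
            p["subnets"].add(e["subnet"])
            p["hours"].add(e["ts"].hour)
            p["roles"].add(e["role"])
    return profile


def _near_hour(hour: int, seen: set, slack: int = 2) -> bool:
    # circular distance so 23:00 and 01:00 count as close
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= slack for h in seen)


def anomaly_signals(events: list, baseline: dict, since: datetime) -> list:
    """Emit an anomaly signal for each successful login on or after `since`
    that departs from the account's baseline. Reasons are accumulated so a
    reviewer sees every deviation at once."""
    signals = []
    for e in events:
        if e["ts"] < since or e["result"] != "success":
            continue
        p = baseline.get(e["user"])  # .get() does not create a default entry
        reasons = []
        if p is None:
            reasons.append("no baseline for account")
        else:
            if e["subnet"] not in p["subnets"]:
                reasons.append("login from unfamiliar network")
            if not _near_hour(e["ts"].hour, p["hours"]):
                reasons.append("login hour outside baseline")
            if e["role"] not in p["roles"]:
                reasons.append("privilege escalation: role not previously held")
        if reasons:
            signals.append({"user": e["user"], "ts": e["ts"], "src": e["src"],
                            "reasons": reasons, "anomaly": True})
    return signals


def detect(text: str = AUTH_LOGS, cutoff: str = "2021-03-29T00:00:00Z") -> list:
    """Baseline everything before `cutoff`, then score the events after it."""
    events = parse_events(text)
    since = datetime.strptime(cutoff, "%Y-%m-%dT%H:%M:%SZ")
    return anomaly_signals(events, build_baseline(events, since), since)


if __name__ == "__main__":
    # anomalies with the most deviations first, as a review queue
    for s in sorted(detect(), key=lambda s: (-len(s["reasons"]), s["ts"])):
        print(f"{s['ts']:%Y-%m-%d %H:%M} {s['user']:8} {s['src']:15} {'; '.join(s['reasons'])}")
```

Run against the constructed data, only the two `jdoe` logins on 29 March produce signals; the second carries three reasons because the role changed to `admin` within minutes of the off-hours login, which is exactly the sort of stacked deviation worth reviewing before the ordinary rule hits. A real rule would train on far more than a week and would treat the "no baseline for account" case as its own, lower-priority signal.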
In conclusion, creating a daily checklist that includes these features and tasks will help streamline overall security detection and response capabilities, and empower employees to be curious and ask "what if." It's not "if" but "when" a security breach will occur… will you be prepared to respond?