Sumo Logic Optimization Tip: Rule Tuning
By: Owen Dubiel
May 11, 2021
Keeping up with the latest attack trends and threat tactics is challenging enough, even before the constant rule tuning involved in running a SIEM. Wouldn't it be nice if rule tuning could be streamlined? Thanks to Sumo Logic, now it can. Sumo Logic has added a native way to define rule tuning once and apply it either globally (to every rule) or only to a selected handful of data-source-specific rules. Security teams write the tuning criteria a single time and apply them everywhere they are needed, all at once. This article covers some of the ways this enhancement helps manage threat detection and response.
Continued Support for Built-In Rules
Sumo Logic ships with a set of pre-defined, out-of-the-box rules that are largely ready to deploy. As the requirements for these rules change, Sumo Logic pushes updates to them remotely so they stay effective. Before the Rule Tuning feature was released, tuning one of these rules was tedious: users had to duplicate the rule as a custom copy, make their changes there, and disable the vendor-supported original so the copy would take effect. The duplicated copy was no longer managed by Sumo Logic, so it silently stopped receiving the vendor's updates from that point on.
With rule tuning in place, users instead add the criteria they want applied to a centralized location outside the rule's own logic. Those criteria are then paired with whichever built-in rules they should affect. The best part is that the built-in rules remain untouched, so Sumo Logic can keep managing and updating them.
Centrally Managed Custom Rules
As mentioned above, rule tuning is a central location from which specific criteria are injected into a particular rule or group of rules. One strong use case is tuning all the rules that cover a given data source at once. The scenario below is a real-life style example of how rule tuning can be used:
"Organization XYZ uses Okta for authentication and 2FA. The security team noticed that the Okta logs kept showing failed logins from a large number of users all at once, which was flagged as suspicious. After further investigation, it turned out that users who chose an alternative 2FA method (a key fob instead of a push notification to their phone) generated a different event type in the logs. Sumo Logic was treating that event type (Challenge) as a failed login. To correct this across all of the Okta rules in Sumo Logic, the security team used rule tuning to exclude the Challenge event type until a more precise detection could be written. The team only had to enter the exception once in the rule tuning section and apply it across all Okta rules. As a result, the noise disappeared from their alerts and the false positives were removed."
In the example above, the team managing Sumo Logic quickly identified the problem and tuned every Okta rule with one change in the rule tuning section. Without the rule tuning feature, an analyst would have had to open each Okta rule, duplicate it, and apply the fix individually.
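The mechanism described above, as an added toy model that is not Sumo Logic's code or its query syntax: built-in rules stay read-only, a tuning expression lives in one place and is attached to every rule matching a data-source selector, and the exclusion is AND-ed onto those rules at evaluation time. The sample events are constructed, loosely shaped like Okta System Log and AWS CloudTrail records; the field names (`eventType`, `outcome.result`, `actor`, `eventName`) and the rule definitions are assumptions for illustration.

```python
"""Toy model of centrally managed SIEM rule tuning (illustration only).

Vendor-managed rules are never modified. Tuning expressions are stored
separately and applied as exclusions to every rule they select.
Sample events are constructed; field names are assumptions, not vendor data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]


def get_field(event: Event, path: str) -> Optional[object]:
    """Resolve a dotted path such as 'outcome.result'; None if any part is absent."""
    cur: object = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


@dataclass(frozen=True)
class Rule:
    name: str
    data_source: str                 # tag used to group rules for tuning
    match: Callable[[Event], bool]   # vendor-managed detection logic


@dataclass(frozen=True)
class TuningExpression:
    name: str
    applies_to: Callable[[Rule], bool]  # which rules receive this tuning
    exclude: Callable[[Event], bool]    # events to suppress for those rules


# Vendor-style built-in rules. The Okta rules deliberately count every
# non-SUCCESS outcome as a failure, reproducing the noise from the scenario.
BUILT_IN_RULES: List[Rule] = [
    Rule("Okta - Failed Login", "okta",
         lambda e: get_field(e, "eventType") == "user.session.start"
         and get_field(e, "outcome.result") != "SUCCESS"),
    Rule("Okta - Failed MFA", "okta",
         lambda e: get_field(e, "eventType") == "user.authentication.auth_via_mfa"
         and get_field(e, "outcome.result") != "SUCCESS"),
    Rule("AWS - Console Login Failure", "aws",
         lambda e: get_field(e, "eventName") == "ConsoleLogin"
         and get_field(e, "responseElements.ConsoleLogin") == "Failure"),
]

# The single central tuning entry: for every Okta rule, drop events whose
# outcome is a pending MFA challenge rather than an actual failure.
TUNING_EXPRESSIONS: List[TuningExpression] = [
    TuningExpression(
        "Okta - ignore MFA CHALLENGE outcomes",
        applies_to=lambda r: r.data_source == "okta",
        exclude=lambda e: get_field(e, "outcome.result") == "CHALLENGE",
    ),
]


def evaluate(rules: List[Rule], tunings: List[TuningExpression],
             events: List[Event]) -> Dict[str, List[str]]:
    """Return {rule name: [actor, ...]} for events that still fire after tuning.
    Rule objects are composed with their exclusions here, never edited."""
    hits: Dict[str, List[str]] = {r.name: [] for r in rules}
    for rule in rules:
        exclusions = [t.exclude for t in tunings if t.applies_to(rule)]
        for ev in events:
            if rule.match(ev) and not any(ex(ev) for ex in exclusions):
                hits[rule.name].append(str(get_field(ev, "actor") or "unknown"))
    return hits


def okta_event(actor: str, event_type: str, result: str) -> Event:
    """Build a constructed Okta-like event (assumed field layout)."""
    return {"source": "okta", "actor": actor, "eventType": event_type,
            "outcome": {"result": result}}


# Constructed sample log: one real failed login, two hardware-token MFA
# challenges, one MFA success, and one unrelated AWS console failure.
SAMPLE_EVENTS: List[Event] = [
    okta_event("alice", "user.session.start", "FAILURE"),
    okta_event("bob", "user.authentication.auth_via_mfa", "CHALLENGE"),
    okta_event("carol", "user.authentication.auth_via_mfa", "SUCCESS"),
    okta_event("dave", "user.authentication.auth_via_mfa", "CHALLENGE"),
    {"source": "aws", "actor": "erin", "eventName": "ConsoleLogin",
     "responseElements": {"ConsoleLogin": "Failure"}},
]

if __name__ == "__main__":
    print("untuned:", evaluate(BUILT_IN_RULES, [], SAMPLE_EVENTS))
    print("tuned:  ", evaluate(BUILT_IN_RULES, TUNING_EXPRESSIONS, SAMPLE_EVENTS))
```

Untuned, both Okta rules fire on the CHALLENGE events (bob and dave) alongside the genuine failure from alice. With the one tuning expression applied, the CHALLENGE noise disappears from every Okta rule at once, the real failed login still fires, and the AWS rule is unaffected because the selector never matched it. Note the design trade-off: a selector as broad as "all Okta rules" is exactly what makes the fix quick, so the exclusion should be recorded and revisited, since the same events are now invisible to every rule in that group.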
Conclusion
SIEM solutions like Sumo Logic require continuous monitoring and customization to deliver optimal results. Being able to manage rule tuning centrally is a clear advantage and increases SOC productivity. Rule tuning is a never-ending task and is vital to staying ahead of adversaries' tactics; because a single tuning entry can suppress events across many rules at once, each exclusion should be documented and reviewed periodically so that it does not quietly hide real activity. To learn more about Sumo Logic or SIEM rule tuning, check out Cybrary's website for more tips and tricks.