Tracking login events in catalina.out, then pushing that file to SumoLogic. How do I create an alert on those login events for unauthorized users (a list of users)?
Viewed 62 times
1 Answer
1
For a basic overview of the SL search query language, have a look at https://help.sumologic.com/Search/Search-Query-Language. Most queries have a scope, normalize, some filters, and then an aggregation.
See below for an example query that looks for malicious logins:
// scope: only O365/Azure audit events that are failed logins, excluding disabled accounts
_sourceCategory = O365/Azure
AND "\"UserLoginFailed\"" and !"UserDisabled"
// normalize: pull the user and source IP out of the raw JSON
| json field=_raw "UserId" as user_id
| json field=_raw "ClientIP" as src_ip
// enrich: threat-intel and geo lookups on the source IP
| lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=src_ip
| lookup latitude,longitude,country_name from geo://location on ip=src_ip
// filter: foreign source, or any IP with a threat-intel hit (closing paren added; the original was unbalanced)
| where (!(country_name="United States") or (malicious_confidence = "unverified" or malicious_confidence = "low" or malicious_confidence = "medium" or malicious_confidence = "high"))
// aggregate
| count by user_id, malicious_confidence, country_name
| sort by _count
To set up an alert on that query, see https://help.sumologic.com/Dashboards-and-Alerts/Alerts/02-Schedule-a-Search
If you're just getting started, I'd strongly recommend watching the SL basics videos (1 and 2) on YouTube: https://www.youtube.com/watch?v=FO8mfZojb1c
answered 2018-10-02T21:28:16.837
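The answer above shows the general shape (scope, normalize, filter, aggregate) on O365 data rather than on the catalina.out case the question asks about. The following is an added example, not code from the original question or answer and not a Sumo Logic query: it runs the same pipeline in Python over a few constructed catalina.out lines so the logic can be checked offline before it is turned into a scheduled search. The login message format (`Login success user=... ip=...`), the authorized-user list and the sample lines are all assumptions; a real Tomcat application will log logins in whatever format its own auth filter uses, and the regex must be adapted to that.

```python
import re
from collections import Counter

# Constructed sample catalina.out lines (not real logs). The "Login <outcome> user=<u> ip=<ip>"
# message format is an assumption standing in for whatever the application actually logs.
SAMPLE_CATALINA_OUT = """\
02-Oct-2018 21:10:01.123 INFO [http-nio-8080-exec-3] com.example.auth.LoginFilter.doFilter Login success user=alice ip=10.0.0.5
02-Oct-2018 21:10:07.456 INFO [http-nio-8080-exec-7] com.example.auth.LoginFilter.doFilter Login success user=Mallory ip=203.0.113.9
02-Oct-2018 21:10:09.000 WARN [http-nio-8080-exec-2] com.example.auth.LoginFilter.doFilter Login failure user=bob ip=10.0.0.6
02-Oct-2018 21:11:12.789 INFO [http-nio-8080-exec-1] com.example.auth.LoginFilter.doFilter Login success user=mallory ip=203.0.113.9
02-Oct-2018 21:11:30.000 INFO [http-nio-8080-exec-4] org.apache.catalina.startup.Catalina.start Server startup in 1234 ms
"""

# Hypothetical allowlist; in Sumo Logic this would be a lookup table you maintain,
# joined with `lookup`, or an inline `where !(user in ("alice", "bob"))` filter.
AUTHORIZED_USERS = {"alice", "bob"}

# "normalize" step: equivalent of `parse regex` pulling named fields out of the raw line.
LOGIN_RE = re.compile(r"Login (?P<outcome>success|failure) user=(?P<user>\S+) ip=(?P<ip>\S+)")


def parse_logins(raw):
    """Scope + normalize: keep only login lines and extract user, outcome and source IP.

    Usernames are lower-cased so that 'Mallory' and 'mallory' are the same principal
    (the Sumo equivalent is toLowerCase()); otherwise a case variant slips past the list.
    """
    events = []
    for line in raw.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # startup noise and anything else that is not a login event
        events.append({
            "user": m.group("user").lower(),
            "outcome": m.group("outcome"),
            "ip": m.group("ip"),
        })
    return events


def unauthorized_logins(events, authorized):
    """Filter + aggregate: count successful logins by users who are not on the list.

    Only successful logins are counted; a failed attempt by an unknown user is
    interesting too, but it is a different alert with a different threshold.
    """
    counts = Counter()
    for e in events:
        if e["outcome"] != "success":
            continue
        if e["user"] not in authorized:
            counts[(e["user"], e["ip"])] += 1
    return counts


def alert(counts, threshold=1):
    """Alert condition: any (user, ip) pair at or above the threshold, highest count first.

    A scheduled search would fire when this returns at least one row.
    """
    rows = [(user, ip, n) for (user, ip), n in counts.items() if n >= threshold]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    hits = alert(unauthorized_logins(parse_logins(SAMPLE_CATALINA_OUT), AUTHORIZED_USERS))
    for user, ip, n in hits:
        print(f"ALERT unauthorized login: user={user} ip={ip} count={n}")
```

The mapping to a scheduled search is one-to-one: the regex is the `parse` step, the allowlist is the `lookup` or `in (...)` filter, `unauthorized_logins` is `count by user, ip`, and `alert` is the trigger condition on the result count. Keep the allowlist lookup case-normalized on both sides, or the list check will not do what you expect.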