Enterprise Audit - Cloud SIEM

The Enterprise Audit - Cloud SIEM app gives you visibility into what is going on in Cloud SIEM. The app dashboards present high-level and detailed views of the Records that were created, the Signals that have fired, and the Insights generated by Cloud SIEM. You can also get insight into Cloud SIEM rules, including rule management activity and which rules have fired.

Log types

The Enterprise Audit - Cloud SIEM App relies on data that is already available in Sumo Logic, so you don’t need to configure data collection.

Cloud SIEM Records

Cloud SIEM Records are stored in the following Sumo Logic partitions:

  • sec_record_audit
  • sec_record_authentication
  • sec_record_email
  • sec_record_endpoint
  • sec_record_failure
  • sec_record_network
  • sec_record_notification

Cloud SIEM Signals

Cloud SIEM Signals are stored in the following partition:

  • sec_signal

Cloud SIEM Insights

Cloud SIEM Insight activity is written to these Audit Event Index partitions:

  • sumologic_audit_events. User actions performed on Insights.
  • sumologic_system_events. System actions performed on Insights.

Logs written to either of the partitions above are assigned the source category cseinsight. Note that the Audit Event Index contains logs for a variety of Sumo Logic subsystems, so when searching either partition for Insights, include the source category in your search scope.
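As an added example, not part of the original page, the following Sumo Logic search scopes Insight activity to both Audit Event Index partitions and the cseinsight source category, then counts events per partition so you can confirm both user and system Insight actions are arriving (`_index` and `_sourceCategory` are standard Sumo Logic metadata fields):

```sumo
// Restrict the scope to the two Audit Event Index partitions that carry Insight activity,
// and to the cseinsight source category so logs from other Sumo Logic subsystems are excluded.
(_index=sumologic_audit_events OR _index=sumologic_system_events) _sourceCategory=cseinsight
// Count matching events per partition: user actions vs. system actions on Insights.
| count by _index
```

A zero count for either partition over a reasonable time range indicates that user or system Insight actions are not being recorded for that side.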

Install the App

  1. From the App Catalog, search for and select the app.
  2. Select the version of the service you're using and click Add to Library.

     Note: Version selection is not available for all apps.

  3. To install the app, complete the following fields.
    • App Name. You can retain the existing name, or enter a name of your choice for the app.
    • Advanced. Select the Location in Library (the default is the Personal folder in the library), or click New Folder to add a new folder.
  4. Click Add to Library.

Once an app is installed, it will appear in your Personal folder, or in the other folder that you specified. From there, you can share it with your organization.

Panels will start to fill automatically. Note that each panel fills gradually with data that matches the time range query and was received after the panel was created. Results won't be available immediately, but after some time you'll see full graphs and maps.

View App Dashboards

Insight Trainer

This dashboard offers suggestions for making adjustments to rules, such as writing rule tuning expressions and changing severities. Implementing the recommendations causes rules to be more effective at creating high-fidelity Signals, resulting in generation of more meaningful Insights. For more information, see Improve Rules with Insight Trainer.

Insights Closed

This dashboard displays metrics on closed Insights, including breakdowns by severity, resolution status, assignee, Entity type, Rule ID and more.

Insights Created

This dashboard presents metrics about Insight creation in your environment. You can see information such as how many Insights have been created, average time to detection, and Insight Confidence statistics. There are breakdowns of Insights created by severity, primary Entity, rule ID, Entity type, and more.

Insights Overview

This dashboard displays a high-level view of Insight activity in your environment. You can see counts of Insights created and closed over time, and the top Insights by Confidence Level.

Parsing and Mapping Troubleshooting

This dashboard shows breakdowns of Cloud SIEM parsing and mapping troubleshooting data.

Rules and Mapping Changes

This dashboard is useful for monitoring rule management activities. It has information about Cloud SIEM rules, including content management activities like rule creation, modification, and deletion. You can also see more detailed information about rule management events, such as the associated user, and the rule’s enablement and prototype status.

Record Analysis Failed Records

This dashboard is useful for understanding whether you have messages or data sources for which Cloud SIEM is unable to create normalized Records.

Record Analysis Audit Records

This dashboard displays metrics about Records created by Cloud SIEM of the type Audit. Typically, this Record type is used for log sources that leave a basic audit trail.

Record Analysis Authentication Records

This dashboard displays metrics about Records created by Cloud SIEM of the type Authentication. Typically, this Record type is used for log sources that report successful or unsuccessful authentication events.

Record Analysis Email Records

This dashboard displays metrics about Records created by Cloud SIEM of the type Email. Typically, this Record type is used for log sources containing email information, such as email protection applications and services.

Record Analysis Endpoint Records

This dashboard displays metrics about Records created by Cloud SIEM of the type Endpoint. Typically, this Record type is used for messages from endpoint security services.

Record Analysis Network Records

This dashboard displays metrics about Records created by Cloud SIEM of the type Network. Typically, this Record type is used for messages from log sources that describe network events.

Record Analysis Notification Records

This dashboard displays metrics about Records created by Cloud SIEM of the type Notification. Typically, this Record type is used for messages from services that issue notifications or alerts, like threat detection and response systems.

Record Analysis Record Overview

This dashboard provides an overview of Cloud SIEM Records by source, destination, volume, and vendor and product.

Signal Analysis

This dashboard presents metrics about Signals that have been fired, including breakdowns by rule, host, and IP address.

Signal Analysis Rules

This dashboard provides trend analysis of triggered rules, rules by match expression, and top rules triggered.

Signal Monitoring

This dashboard provides time-based metrics for Cloud SIEM Signals, and Signal disappearance metrics.

Signals Overview

This dashboard provides an overview of Signal activity, including Signal count over time, and a table of summary information for generated Signals.

Signals by Product

This dashboard shows breakdowns of Signals by product and vendor.

SIEM SOC Insights

This dashboard shows breakdowns of SOC Insights.

SOC Standup Overview

This dashboard provides an overview of total alerts, an infrequent alerts breakdown, a trending alerts breakdown, and a detailed daily alerts breakdown.

User Telemetry

This dashboard shows breakdowns of Cloud SIEM user telemetry.
