Merge pull request #172 from droonee/master

Cloud SIEM Insight Alert
SumoLogic · Sep 19, 2024 · 8088730 · 8088730
2 parents bec9028 + 3ec3cf4
commit 8088730
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 0 deletions.
diff --git a/CloudSIEM/Alerts/CreatedInsights_Monitor.json b/CloudSIEM/Alerts/CreatedInsights_Monitor.json
@@ -0,0 +1,52 @@
+{
+    "name": "Cloud SIEM Insight Alert",
+    "description": "",
+    "type": "MonitorsLibraryMonitorExport",
+    "monitorType": "Logs",
+    "evaluationDelay": "0m",
+    "alertName": null,
+    "runAs": null,
+    "notificationGroupFields":
+    [
+        "readableid"
+    ],
+    "queries":
+    [
+        {
+            "rowId": "A",
+            "query": "(_index=sumologic_system_events or _index=sumologic_audit_events) \"InsightCreated\"\n| json field=_raw \"insight.signals[*].name\" as signals\n| json field=_raw \"insight.severityName\" as sevname\n| json field=_raw \"insight.entityValue\" as entity\n| json field=_raw \"insight.entityType\" as entity_type\n| json field=_raw \"insight.description\" as insight_desc\n| json field=_raw \"insight.name\" as insight_name\n| json field=_raw \"insight.readableId\" as readableid\n| json field=_raw \"eventTime\" as eventtime\n| count by readableid, insight_name, insight_desc, eventtime, entity, entity_type, sevname, signals"
+        }
+    ],
+    "triggers":
+    [
+        {
+            "detectionMethod": "LogsStaticCondition",
+            "triggerType": "Warning",
+            "resolutionWindow": null,
+            "timeRange": "-1h",
+            "threshold": 0,
+            "thresholdType": "GreaterThan",
+            "field": null
+        },
+        {
+            "detectionMethod": "LogsStaticCondition",
+            "triggerType": "ResolvedWarning",
+            "resolutionWindow": "-1h",
+            "timeRange": "-1h",
+            "threshold": 0,
+            "thresholdType": "LessThanOrEqual",
+            "field": null
+        }
+    ],
+    "timeZone": "America/New_York",
+    "notifications":
+    [],
+    "isDisabled": false,
+    "groupNotifications": true,
+    "playbook": "Example payload for Alert:\n\nFor email subject:  Sumo Logic Security Alert - {{ResultsJson.readableid}} {{ResultsJson.insight_name}}\n                \nFor body: \nAn Insight alert was generated from Sumo Logic's Cloud SIEM platform. \nGo to the Insight here https://service.us2.sumologic.com/sec/insight/{{ResultsJson.readableid}}\n\n{{ResultsJson.readableid}} {{ResultsJson.insight_name}} with description of {{ResultsJson.insight_desc}} fired at {{ResultsJson.eventtime}}.\n\n{{ResultsJson.readableid}} fired on the entity type {{ResultsJson.entity_type}} for entity {{ResultsJson.entity}} with severity {{ResultsJson.sevname}}.\n\n{{ResultsJson.readableid}} contains the following Signals: \nNote: duplicates may exist when entity or Rules are not well tuned.\n{{ResultsJson.signals}}",
+    "sloId": null,
+    "monitorTemplateId": null,
+    "tags": null,
+    "automatedPlaybookIds":
+    []
+}
diff --git a/CloudSIEM/Alerts/README.md b/CloudSIEM/Alerts/README.md
@@ -0,0 +1,8 @@
+# Cloud SIEM Monitor for Created Insights
+
+Sumo Logic Community Content built for Cloud SIEM products that are not yet out of the box.
+
+### To use the content:
+Download the JSON file(s).
+Replace the Cloud SIEM service URL in the JSON with your own. ("Go to the Insight here <input Sumo Logic service URL>/{{ResultsJson.readableid}}", i.e. Sumo Logic service URL might be "https://play.sumologic.com/sec/insight/").
+Import the content to your desired folder location in Sumo Logic Monitors.