From ab0761bd22c44309db3bbaa16af992690b6b283e Mon Sep 17 00:00:00 2001
From: David Rooney <91282834+droonee@users.noreply.github.com>
Date: Thu, 19 Sep 2024 14:57:34 -0400
Subject: [PATCH 1/4] Create CreatedInsights_Monitor.json
---
CloudSIEM/Alerts/CreatedInsights_Monitor.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 CloudSIEM/Alerts/CreatedInsights_Monitor.json
diff --git a/CloudSIEM/Alerts/CreatedInsights_Monitor.json b/CloudSIEM/Alerts/CreatedInsights_Monitor.json
new file mode 100644
index 0000000..e4a5900
--- /dev/null
+++ b/CloudSIEM/Alerts/CreatedInsights_Monitor.json
@@ -0,0 +1,68 @@
+{
+ "name": "Cloud SIEM Insight Alert",
+ "description": "",
+ "type": "MonitorsLibraryMonitorExport",
+ "monitorType": "Logs",
+ "evaluationDelay": "0m",
+ "alertName": null,
+ "runAs": null,
+ "notificationGroupFields":
+ [
+ "readableid"
+ ],
+ "queries":
+ [
+ {
+ "rowId": "A",
+ "query": "(_index=sumologic_system_events or _index=sumologic_audit_events) \"InsightCreated\"\n| json field=_raw \"insight.signals[*].name\" as signals\n| json field=_raw \"insight.severityName\" as sevname\n| json field=_raw \"insight.entityValue\" as entity\n| json field=_raw \"insight.entityType\" as entity_type\n| json field=_raw \"insight.description\" as insight_desc\n| json field=_raw \"insight.name\" as insight_name\n| json field=_raw \"insight.readableId\" as readableid\n| json field=_raw \"eventTime\" as eventtime\n| count by readableid, insight_name, insight_desc, eventtime, entity, entity_type, sevname, signals"
+ }
+ ],
+ "triggers":
+ [
+ {
+ "detectionMethod": "LogsStaticCondition",
+ "triggerType": "Warning",
+ "resolutionWindow": null,
+ "timeRange": "-1h",
+ "threshold": 0,
+ "thresholdType": "GreaterThan",
+ "field": null
+ },
+ {
+ "detectionMethod": "LogsStaticCondition",
+ "triggerType": "ResolvedWarning",
+ "resolutionWindow": "-1h",
+ "timeRange": "-1h",
+ "threshold": 0,
+ "thresholdType": "LessThanOrEqual",
+ "field": null
+ }
+ ],
+ "timeZone": "Etc/UTC",
+ "notifications":
+ [
+ {
+ "notification":
+ {
+ "connectionType": "Email",
+ "recipients":
+ [],
+ "subject": "Sumo Logic Security Alert - {{ResultsJson.readableid}} {{ResultsJson.insight_name}}",
+ "messageBody": "An Insight alert was generated from Sumo Logic's Cloud SIEM platform. \nGo to the Insight here /{{ResultsJson.readableid}}\n\n{{ResultsJson.readableid}} {{ResultsJson.insight_name}} with description of {{ResultsJson.insight_desc}} fired at {{ResultsJson.eventtime}}.\n\n{{ResultsJson.readableid}} fired on the entity type {{ResultsJson.entity_type}} for entity {{ResultsJson.entity}} with severity {{ResultsJson.sevname}}. \n\n{{ResultsJson.readableid}} contains the following Signals: \nNote: duplicates may exist when entity or Rules are not well tuned.\n{{ResultsJson.signals}}\n\n\n\n\n\n",
+ "timeZone": null
+ },
+ "runForTriggerTypes":
+ [
+ "Warning"
+ ]
+ }
+ ],
+ "isDisabled": false,
+ "groupNotifications": true,
+ "playbook": "",
+ "sloId": null,
+ "monitorTemplateId": null,
+ "tags": null,
+ "automatedPlaybookIds":
+ []
+}
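Review bot: The email link in `messageBody` is rendered as `Go to the Insight here /{{ResultsJson.readableid}}` with no scheme or host, so the delivered alert contains a path fragment rather than a usable link, and the importer has no marker to search for when substituting their own service URL. A labelled placeholder such as `Go to the Insight here <SUMO_SERVICE_URL_PLACEHOLDER>/sec/insight/{{ResultsJson.readableid}}` would make the required edit obvious and keep the README's "replace the service URL" step truthful; the same link reappears in the `playbook` text of PATCH 3/4, where it instead hard-codes one deployment's host and would need the same placeholder. Separately, `recipients` is `[]` on the only notification while the Warning trigger fires on `threshold: 0` / `GreaterThan`, so an unedited import produces a monitor that triggers with nowhere to deliver; a `"description"` line stating that recipients and the URL must be filled in before import (the field is currently `""`) would flag this at the point of use.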
From 3258f26f91984990af920ccd9cddc9551eee8cd0 Mon Sep 17 00:00:00 2001
From: David Rooney <91282834+droonee@users.noreply.github.com>
Date: Thu, 19 Sep 2024 15:02:00 -0400
Subject: [PATCH 2/4] Create README.md
---
CloudSIEM/Alerts/README.md | 8 ++++++++
1 file changed, 8 insertions(+)
create mode 100644 CloudSIEM/Alerts/README.md
diff --git a/CloudSIEM/Alerts/README.md b/CloudSIEM/Alerts/README.md
new file mode 100644
index 0000000..0c8ecad
--- /dev/null
+++ b/CloudSIEM/Alerts/README.md
@@ -0,0 +1,8 @@
+Cloud SIEM Monitor for Created Insights
+
+Sumo Logic Community Content built for Cloud SIEM products that are not yet out of the box.
+
+To use the content:
+Download the JSON file(s).
+Replace the Cloud SIEM service URL in the JSON with your own. ("Go to the Insight here /{{ResultsJson.readableid}}", i.e. Sumo Logic service URL might be "https://play.sumologic.com/sec/insight/").
+Import the content to your desired folder location in Sumo Logic Monitors.
From c95fd1febc4b7ba2cab06dde21c95d690c4df243 Mon Sep 17 00:00:00 2001
From: David Rooney <91282834+droonee@users.noreply.github.com>
Date: Thu, 19 Sep 2024 15:18:31 -0400
Subject: [PATCH 3/4] Update CreatedInsights_Monitor.json
---
CloudSIEM/Alerts/CreatedInsights_Monitor.json | 22 +++----------------
1 file changed, 3 insertions(+), 19 deletions(-)
diff --git a/CloudSIEM/Alerts/CreatedInsights_Monitor.json b/CloudSIEM/Alerts/CreatedInsights_Monitor.json
index e4a5900..9751429 100644
--- a/CloudSIEM/Alerts/CreatedInsights_Monitor.json
+++ b/CloudSIEM/Alerts/CreatedInsights_Monitor.json
@@ -38,28 +38,12 @@
"field": null
}
],
- "timeZone": "Etc/UTC",
+ "timeZone": "America/New_York",
"notifications":
- [
- {
- "notification":
- {
- "connectionType": "Email",
- "recipients":
- [],
- "subject": "Sumo Logic Security Alert - {{ResultsJson.readableid}} {{ResultsJson.insight_name}}",
- "messageBody": "An Insight alert was generated from Sumo Logic's Cloud SIEM platform. \nGo to the Insight here /{{ResultsJson.readableid}}\n\n{{ResultsJson.readableid}} {{ResultsJson.insight_name}} with description of {{ResultsJson.insight_desc}} fired at {{ResultsJson.eventtime}}.\n\n{{ResultsJson.readableid}} fired on the entity type {{ResultsJson.entity_type}} for entity {{ResultsJson.entity}} with severity {{ResultsJson.sevname}}. \n\n{{ResultsJson.readableid}} contains the following Signals: \nNote: duplicates may exist when entity or Rules are not well tuned.\n{{ResultsJson.signals}}\n\n\n\n\n\n",
- "timeZone": null
- },
- "runForTriggerTypes":
- [
- "Warning"
- ]
- }
- ],
+ [],
"isDisabled": false,
"groupNotifications": true,
- "playbook": "",
+ "playbook": "Example payload for Alert:\n\nFor email subject: Sumo Logic Security Alert - {{ResultsJson.readableid}} {{ResultsJson.insight_name}}\n \nFor body: \nAn Insight alert was generated from Sumo Logic's Cloud SIEM platform. \nGo to the Insight here https://service.us2.sumologic.com/sec/insight/{{ResultsJson.readableid}}\n\n{{ResultsJson.readableid}} {{ResultsJson.insight_name}} with description of {{ResultsJson.insight_desc}} fired at {{ResultsJson.eventtime}}.\n\n{{ResultsJson.readableid}} fired on the entity type {{ResultsJson.entity_type}} for entity {{ResultsJson.entity}} with severity {{ResultsJson.sevname}}.\n\n{{ResultsJson.readableid}} contains the following Signals: \nNote: duplicates may exist when entity or Rules are not well tuned.\n{{ResultsJson.signals}}",
"sloId": null,
"monitorTemplateId": null,
"tags": null,
From 3ec3cf4f14083d69569f2fa2f5ebd420c6e93245 Mon Sep 17 00:00:00 2001
From: Jake Lee
Date: Thu, 19 Sep 2024 14:18:22 -0700
Subject: [PATCH 4/4] Update README.md
---
CloudSIEM/Alerts/README.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/CloudSIEM/Alerts/README.md b/CloudSIEM/Alerts/README.md
index 0c8ecad..8d507a2 100644
--- a/CloudSIEM/Alerts/README.md
+++ b/CloudSIEM/Alerts/README.md
@@ -1,8 +1,8 @@
-Cloud SIEM Monitor for Created Insights
+# Cloud SIEM Monitor for Created Insights
Sumo Logic Community Content built for Cloud SIEM products that are not yet out of the box.
-To use the content:
+### To use the content:
Download the JSON file(s).
Replace the Cloud SIEM service URL in the JSON with your own. ("Go to the Insight here /{{ResultsJson.readableid}}", i.e. Sumo Logic service URL might be "https://play.sumologic.com/sec/insight/").
Import the content to your desired folder location in Sumo Logic Monitors.