
Generate CSE Signals With a Scheduled Search

This page describes how to create a scheduled search that triggers a Cloud SIEM Enterprise (CSE) Signal. Before you start using scheduled searches to create CSE Signals, it is helpful to understand what Signals are and how they relate to the generation of CSE Insights. For information about how it all works, see Insight Generation Process.

note

For a more detailed description of the options you can configure for a scheduled search, see Schedule a Search.

Requirements for the search query

This section describes the requirements for your scheduled search, which include a minimum set of fields to be returned, and renaming message fields as necessary to match attribute names in the selected CSE Record type schema.  

Required fields

There are several fields that your scheduled search must return to enable Signal generation:

  • normalizedseverity. This field must contain a value between 0 and 10, inclusive. Signals generated by the scheduled search will have this severity value. Signal severity values are used by CSE's Insight generation algorithm, as described in Insight Generation Process.

  • stage. This field must contain a Tactic in the MITRE ATT&CK framework, one of the following:

    • Collection
    • Command and Control
    • Credential Access
    • Defense Evasion
    • Discovery
    • Execution
    • Exfiltration
    • Impact
    • Initial Access
    • Lateral Movement
    • Persistence
    • Privilege Escalation
    • Reconnaissance
    • Resource Development
      info

      If the stage field contains a Tactic that isn't in the MITRE ATT&CK framework, a Signal will not be generated, but a Record will be. 

  • At least one entity field:

    • device_ip
    • device_mac
    • device_natIp
    • dns_replyIp
    • dstDevice_hostname
    • dstDevice_ip
    • dstDevice_mac
    • dstDevice_natIp
    • fromUser_username
    • srcDevice_hostname
    • srcDevice_ip
    • srcDevice_mac
    • srcDevice_natIp
    • user_username  

Renaming message fields

When you configure a Scheduled Search to create CSE Signals, you are prompted to select a CSE Record type. The fields returned by your search must match an attribute in the Record type you select. A field whose name does not match a CSE attribute will not be populated in the Record created from the Scheduled Search results. For more about CSE attribute names, see Attributes You Can Map to Records.
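The following pre-flight check is an added example, not Sumo Logic's code: it applies the field requirements from Required fields and the attribute-matching rule from this section to rows shaped like scheduled-search results (constructed here), so a query's output can be checked before it is scheduled. The Record type's attribute set is a small constructed stand-in for the real list in Attributes You Can Map to Records.

```python
# Added example: checks scheduled-search result rows against the CSE Signal
# requirements on this page. Not Sumo Logic's own code.
MITRE_TACTICS = {
    "Collection", "Command and Control", "Credential Access", "Defense Evasion",
    "Discovery", "Execution", "Exfiltration", "Impact", "Initial Access",
    "Lateral Movement", "Persistence", "Privilege Escalation", "Reconnaissance",
    "Resource Development",
}
ENTITY_FIELDS = {
    "device_ip", "device_mac", "device_natIp", "dns_replyIp",
    "dstDevice_hostname", "dstDevice_ip", "dstDevice_mac", "dstDevice_natIp",
    "fromUser_username", "srcDevice_hostname", "srcDevice_ip", "srcDevice_mac",
    "srcDevice_natIp", "user_username",
}
REQUIRED = {"normalizedseverity", "stage"}

def check_row(row, record_attributes):
    """Return (outcome, problems, dropped_fields) for one result row.

    outcome: "signal" when every requirement is met; "record_only" when stage
    is not a MITRE ATT&CK Tactic (a Record is created but no Signal);
    "invalid" when a required field is missing or out of range.
    dropped_fields: fields that match no attribute of the selected Record
    type and so would not be populated in the Record."""
    problems = []
    try:
        if not 0 <= float(row.get("normalizedseverity")) <= 10:
            problems.append("normalizedseverity outside 0-10")
    except (TypeError, ValueError):
        problems.append("normalizedseverity missing or not numeric")
    if not any(row.get(f) not in (None, "") for f in ENTITY_FIELDS):
        problems.append("no entity field present")
    stage = row.get("stage")
    if stage is None:
        problems.append("stage missing")
    dropped = sorted(f for f in row if f not in record_attributes | REQUIRED)
    if problems:
        return "invalid", problems, dropped
    if stage not in MITRE_TACTICS:
        return "record_only", [f"stage {stage!r} is not a MITRE ATT&CK Tactic"], dropped
    return "signal", [], dropped

# Constructed sample: a stand-in attribute set and three result rows.
SAMPLE_ATTRIBUTES = ENTITY_FIELDS | {"description", "action"}
SAMPLE_ROWS = [
    {"normalizedseverity": 6, "stage": "Credential Access",
     "user_username": "jdoe", "srcDevice_ip": "10.0.0.5", "_count": 25},
    {"normalizedseverity": 4, "stage": "Brute Force", "user_username": "jdoe"},
    {"normalizedseverity": 12, "stage": "Discovery", "hostname": "ws01"},
]

def check_rows(rows, record_attributes=SAMPLE_ATTRIBUTES):
    return [check_row(r, record_attributes) for r in rows]
```

In the sample, the first row yields a Signal (its `_count` aggregate is dropped from the Record), the second yields a Record only because "Brute Force" is a technique rather than a Tactic, and the third fails on both severity range and the missing entity field.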

  1. After creating and saving your search, click the save icon.
    save-as.png
    note

    The required fields (normalizedseverity, stage, and fields for entities) need to come after the where and count operators, otherwise an error will occur when saving the scheduled search.

  2. The Save Item popup appears.
    save-item.png
  3. Click Schedule this search.
  4. The Save Item popup prompts you to select a run frequency.
    run-frequency.png
  5. Select a frequency from the pull-down list and click Save. Choosing a run frequency that matches your query time range reduces overlapping searches and duplicate alerts: a search scheduled to run over the same results as a previous run would trigger an alert on the same data.
  6. The popup refreshes.
    options.png
  7. Time range for scheduled search. Indicates the time range your query will use to execute, which impacts the results generated by the query.
    note

    This setting is different from the Time Range option configured for the Saved Search. That time range is only used when you run the Saved Search from the Library. This Time Range applies to your Scheduled Search.

  8. Timezone for scheduled search. Select the time zone you would like your scheduled search to use. The schedule's time is based on this time zone. This time zone is not related to the time zone of your data. If you don't make a selection, the scheduled search will use the time zone from your browser, which is the default selection.
  9. Send notification. Select If the following condition is met, and enter an alert condition and the number of results that should trigger the alert.
  10. Alert Type. Select CSE Signal.
  11. The popup refreshes.
    alert-type-selected.png
  12. Record Type. Select a Record Type.
  13. Click Save.

View Signals in CSE

To view Signals that were created from a scheduled search, run a keyword search on “CIP Scheduled Search” on the Signals page in the CSE UI.

Below is a screenshot of a Signal that was created from a scheduled search. Note that:

  • The Mapping section at the bottom of the page shows that the Signal was the result of a scheduled search.
  • If the Signal is not part of an Insight, there’s a Create Insight link you can use to create an Insight for the Signal. For more information, see Create an Insight from Signal.
  • You can click the Full Details link for more information about the Signal. See View Signal details below for a screenshot.

ss-signal.png

View Signal details

The Full Details tab displays details about the Signal.

full-details.png

Create an Insight from Signal

To create an Insight from a Signal generated from a scheduled search:

  1. Navigate to a Signal that was generated from a scheduled search.
  2. Click Create Insight.
  3. Click Yes, Create Insight when prompted whether you want to proceed.
    confirm-create.png
  4. The new Insight is created and appears as a Related Insight.
    new-related-insight.png

Copyright © 2023 by Sumo Logic, Inc.