
How to Group Data Sources and Improve Search Efficiency in Securonix

  • December 16, 2025

 

Grouping in Securonix is a two-fold process:

  1. Create Data Sources (DS) correctly — Syslog and API logs must be separated into their own DS so that grouping is clean and meaningful.

  2. Use the functionality attribute and Spotter searches — Once DS are created properly, Securonix automatically groups the logs and allows you to search, drill down, and correlate them easily.

Both steps together form the basis of how grouping works end-to-end.

 

Creating Data Sources Correctly (Foundation of Grouping)

 

A. Syslog

 

When onboarding syslog data, for example Palo Alto firewall data, we can use separate Data Sources to maintain zone-based segmentation such as Trust, Untrust, DMZ.

Example using different ports:

  • Palo_Untrust → TCP 514
  • Palo_Trust → TCP 515

If using multiple ports is not an option, we can use Syslog filters to split the data into unique Data Sources, even when all logs arrive on a single port such as TCP 514. Filters can be based on hostname, IP range, or message patterns. This maintains zone-based segmentation even when using a single syslog collection port. Securonix provides flexibility based on how the customer’s network is architected.
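As an added example (not Securonix code, and not the product's filter syntax), the Python sketch below shows the routing decision a syslog filter makes when every firewall sends to one port: each incoming line is tested against hostname, IP-range and message-pattern rules, and the first rule that matches decides the Data Source. The rule set, the hypothetical `Palo_Unassigned` catch-all and the sample lines are all constructed for this illustration.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# A filter rule: the first rule whose predicate matches decides the Data Source.
@dataclass
class Rule:
    data_source: str
    match: Callable[[str, str], bool]  # (sender_ip, raw_syslog_line) -> bool

# Assumption: RFC 3164 layout "<PRI>Mon dd hh:mm:ss HOSTNAME message..."
_HOSTNAME_RE = re.compile(r"^<\d+>[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(\S+)\s")

def by_hostname(names: Iterable[str]) -> Callable[[str, str], bool]:
    """Match on the hostname field of the syslog header."""
    wanted = {n.lower() for n in names}
    def pred(_sender: str, line: str) -> bool:
        m = _HOSTNAME_RE.match(line)
        return m is not None and m.group(1).lower() in wanted
    return pred

def by_ip_range(cidrs: Iterable[str]) -> Callable[[str, str], bool]:
    """Match on the IP address the packet arrived from."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    def pred(sender: str, _line: str) -> bool:
        addr = ipaddress.ip_address(sender)
        return any(addr in n for n in nets)
    return pred

def by_pattern(regex: str) -> Callable[[str, str], bool]:
    """Match on a regular expression over the message body."""
    pat = re.compile(regex)
    def pred(_sender: str, line: str) -> bool:
        return pat.search(line) is not None
    return pred

# Constructed rule set. Order matters: the DMZ pattern rule comes first so a
# DMZ log emitted by a firewall whose management IP sits in the Trust sender
# range is not misfiled as Trust traffic.
RULES: List[Rule] = [
    Rule("Palo_DMZ", by_pattern(r",DMZ,")),            # zone name inside the CSV body
    Rule("Palo_Untrust", by_hostname(["pa-edge-01"])),
    Rule("Palo_Trust", by_ip_range(["10.10.0.0/16"])),
]
DEFAULT_DS = "Palo_Unassigned"  # hypothetical catch-all so unmatched logs are not silently lost

def route(sender_ip: str, line: str, rules: List[Rule] = RULES) -> str:
    """Return the Data Source name for one syslog line."""
    for rule in rules:
        if rule.match(sender_ip, line):
            return rule.data_source
    return DEFAULT_DS

def route_batch(lines: Iterable[Tuple[str, str]], rules: List[Rule] = RULES) -> Counter:
    """Count how many lines land in each Data Source; a batch that piles up in
    the catch-all is the quickest sign of a mistyped hostname or CIDR."""
    return Counter(route(ip, line, rules) for ip, line in lines)

# Constructed sample lines (simplified PAN-OS style bodies, not real log data).
SAMPLE_LINES = [
    ("10.10.1.5",    "<14>Dec 16 10:00:01 pa-core-01 1,2025/12/16 10:00:01,TRAFFIC,end,Trust,Untrust,10.10.1.5,198.51.100.20"),
    ("192.0.2.10",   "<14>Dec 16 10:00:02 pa-edge-01 1,2025/12/16 10:00:02,TRAFFIC,end,Untrust,Trust,198.51.100.20,10.10.1.5"),
    ("10.10.2.7",    "<14>Dec 16 10:00:03 pa-core-01 1,2025/12/16 10:00:03,TRAFFIC,end,DMZ,Untrust,10.10.200.4,198.51.100.20"),
    ("198.51.100.9", "<14>Dec 16 10:00:04 pa-lab-01 1,2025/12/16 10:00:04,TRAFFIC,end,Lab,Lab,10.99.0.1,10.99.0.2"),
]

if __name__ == "__main__":
    for ip, line in SAMPLE_LINES:
        print(route(ip, line), "<-", line[:60])
    print(route_batch(SAMPLE_LINES))
```

The third sample line is the interesting one: its sender address is inside the Trust range, but the body carries the DMZ zone, and rule order sends it to Palo_DMZ. Whatever filter mechanism is used, a dry run that counts lines per Data Source (as `route_batch` does) before the filters go live is the cheapest way to confirm that no zone's logs end up in the wrong group or in no group at all.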

 

B. API

 

API-based logs can be handled the same way: each individual endpoint can feed its own Data Source as needed. Taking Azure as an example, we can create a separate Data Source for each of these endpoints, and more:

  • Azure_SignIn_Logs – Cloud Application Audit
  • Azure_AD_Audit – Cloud Authentication / SSO / Single Sign-On

Once data is available in Spotter for these Data Sources, we can search across all Azure-related Data Sources by using:


resourcegroupname contains Azure

Every Data Source whose name contains Azure will appear in the results, so a consistent naming convention is what makes this cross-source search work.

 

How Grouping Works in Spotter

 

Once Data Sources are created correctly, grouping behavior becomes automatic in Spotter.

We can list the Data Sources that share a functionality:


rg_functionality = "Next Generation Firewall" | stats resourcegroupname devicehostname

 

This provides a list of all Data Sources that have the functionality Next Generation Firewall. In our example, this will list both Palo_Trust and Palo_Untrust.

 

We can search across Data Sources:


ipaddress = <xx.xx.xx.xx> | stats resourcegroupname accountname

 

This returns a list of all Data Sources and any associated user information for events that match the searched IP address.

 

We can also correlate a specific user and IP across selected Data Sources:


accountname = <email/user> and ipaddress = <xx.xx.xx.xx> and (resourcegroupname = Palo_Trust or resourcegroupname = Azure_SignIn_Logs)

 

This returns a list of events from both Azure and Palo Alto Data Sources for the searched IP and user.

 

We can further drill down into a specific Data Source:

 

resourcegroupname = Palo_Ext and devicehostname = Server1 | stats deviceaction

This returns a summary of the actions taken by Server1 within the Palo_Ext Data Source.

 

resourcegroupname = Azure_SignIn_Logs and accountname = <email/user> | stats eventtype

This returns a list of the sign-in event types recorded for the specified user in Azure_SignIn_Logs.
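To see why the queries above work once every Data Source is named and classified consistently, here is an added Python mock (not Securonix code and not the Spotter engine) that evaluates the same query shapes over a constructed event set: `field = value and ...`, `field contains value`, `resourcegroupname = A or resourcegroupname = B`, and `| stats f1 f2`. The field names are the attributes the queries above use (resourcegroupname, rg_functionality, devicehostname, ipaddress, accountname, deviceaction, eventtype); the hostnames, accounts and values are invented.

```python
from collections import Counter
from typing import Dict, Iterable, List

# Constructed events: two firewall Data Sources and two Azure Data Sources,
# each event tagged with the Data Source it was ingested into.
EVENTS: List[Dict[str, str]] = [
    {"resourcegroupname": "Palo_Trust", "rg_functionality": "Next Generation Firewall",
     "devicehostname": "pa-core-01", "ipaddress": "10.10.1.5",
     "accountname": "jdoe", "deviceaction": "allow", "eventtype": "TRAFFIC"},
    {"resourcegroupname": "Palo_Trust", "rg_functionality": "Next Generation Firewall",
     "devicehostname": "pa-core-01", "ipaddress": "10.10.1.5",
     "accountname": "jdoe", "deviceaction": "deny", "eventtype": "THREAT"},
    {"resourcegroupname": "Palo_Untrust", "rg_functionality": "Next Generation Firewall",
     "devicehostname": "pa-edge-01", "ipaddress": "203.0.113.7",
     "accountname": "", "deviceaction": "drop", "eventtype": "TRAFFIC"},
    {"resourcegroupname": "Azure_SignIn_Logs", "rg_functionality": "Cloud Application Audit",
     "devicehostname": "login.microsoftonline.com", "ipaddress": "10.10.1.5",
     "accountname": "jdoe", "deviceaction": "", "eventtype": "Sign-in success"},
    {"resourcegroupname": "Azure_SignIn_Logs", "rg_functionality": "Cloud Application Audit",
     "devicehostname": "login.microsoftonline.com", "ipaddress": "203.0.113.7",
     "accountname": "jdoe", "deviceaction": "", "eventtype": "Sign-in failure"},
    {"resourcegroupname": "Azure_AD_Audit", "rg_functionality": "Cloud Authentication / SSO / Single Sign-On",
     "devicehostname": "graph.microsoft.com", "ipaddress": "",
     "accountname": "admin", "deviceaction": "", "eventtype": "Add member to group"},
]

def where(events: Iterable[Dict[str, str]], **conds: str) -> List[Dict[str, str]]:
    """Keep events whose fields equal the given values (`field = value and ...`)."""
    return [e for e in events if all(e.get(k) == v for k, v in conds.items())]

def where_contains(events: Iterable[Dict[str, str]], field: str, needle: str) -> List[Dict[str, str]]:
    """Substring match on one field (`field contains value`)."""
    return [e for e in events if needle in e.get(field, "")]

def where_in(events: Iterable[Dict[str, str]], field: str, values: Iterable[str]) -> List[Dict[str, str]]:
    """`field = a or field = b ...` collapsed into a single membership test."""
    allowed = set(values)
    return [e for e in events if e.get(field) in allowed]

def stats(events: Iterable[Dict[str, str]], *fields: str) -> Counter:
    """Count distinct combinations of the named fields (`| stats f1 f2`)."""
    return Counter(tuple(e.get(f, "") for f in fields) for e in events)

# rg_functionality = "Next Generation Firewall" | stats resourcegroupname devicehostname
def ngfw_data_sources(events=EVENTS):
    return sorted(stats(where(events, rg_functionality="Next Generation Firewall"),
                        "resourcegroupname", "devicehostname"))

# ipaddress = <ip> | stats resourcegroupname accountname
def data_sources_for_ip(ip: str, events=EVENTS) -> Counter:
    return stats(where(events, ipaddress=ip), "resourcegroupname", "accountname")

# accountname = <user> and ipaddress = <ip> and (resourcegroupname = A or resourcegroupname = B)
def correlate(user: str, ip: str, data_sources: List[str], events=EVENTS) -> Counter:
    hits = where_in(where(events, accountname=user, ipaddress=ip), "resourcegroupname", data_sources)
    return stats(hits, "resourcegroupname")

# resourcegroupname = <ds> and devicehostname = <host> | stats deviceaction
def device_actions(data_source: str, host: str, events=EVENTS) -> Counter:
    return stats(where(events, resourcegroupname=data_source, devicehostname=host), "deviceaction")

# resourcegroupname contains Azure, narrowed to Azure_SignIn_Logs and one user | stats eventtype
def azure_signin_summary(user: str, events=EVENTS) -> Counter:
    azure = where_contains(events, "resourcegroupname", "Azure")
    return stats(where(azure, resourcegroupname="Azure_SignIn_Logs", accountname=user), "eventtype")

if __name__ == "__main__":
    print(ngfw_data_sources())
    print(data_sources_for_ip("10.10.1.5"))
    print(correlate("jdoe", "10.10.1.5", ["Palo_Trust", "Azure_SignIn_Logs"]))
    print(device_actions("Palo_Trust", "pa-core-01"))
    print(azure_signin_summary("jdoe"))
```

The point the mock makes explicit is that nothing in the search logic knows about zones or cloud tenants: the grouping is entirely carried by the `resourcegroupname` and `rg_functionality` values stamped on each event at ingestion. A Data Source that was named inconsistently (say, `AzureAD_Audit` without the separator) or given the wrong functionality would silently drop out of the `contains Azure` and `rg_functionality` queries, which is why step 1 of the article is the foundation for step 2.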