| 1 | +--- |
| 2 | +id: trust-login |
| 3 | +title: Trust Login |
| 4 | +sidebar_label: Trust Login |
| 5 | +description: The Trust Login app for Sumo Logic provides security analysts with insights into authentication events, user activities, and potential security threats. |
| 6 | +--- |
| 7 | + |
| 8 | +import useBaseUrl from '@docusaurus/useBaseUrl'; |
| 9 | + |
| 10 | +<img src={useBaseUrl('img/send-data/trust-login-icon.png')} alt="Trust-Login-icon" width="50" /> |
| 11 | + |
| 12 | +The Trust Login app for Sumo Logic helps security analysts monitor authentication events, user activities, and potential security threats. It provides real-time tracking of login attempts, account changes, and policy updates to detect anomalies. Dashboards offer event breakdowns, trends, and time-based comparisons for faster incident response and investigations. Geo-location tracking identifies login attempts from high-risk regions, improving threat detection, while the app's alert mechanism highlight unusual activities, like suspicious logins and geo-location events, enabling proactive threat mitigation. By centralizing security insights, the app improves visibility, streamlines investigations, and strengthens security. |
| 13 | + |
| 14 | +:::info |
| 15 | +This app includes [built-in monitors](#trust-login-alerts). For details on creating custom monitors, refer to the [Create monitors for Trust Login app](#create-monitors-for-the-trust-login-app). |
| 16 | +::: |
| 17 | + |
| 18 | +## Log types |
| 19 | + |
| 20 | +This app uses Sumo Logic’s [Trust Login Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trust-login-source/) to collect incidents and events logs from the Trust Login platform. |
| 21 | + |
| 22 | +## Sample log message |
| 23 | + |
| 24 | +```json title="Report Log" |
| 25 | +{ |
| 26 | + "id": "eb764e67-a338-481b-b57a-8f51461463ca", |
| 27 | + "created_at": "2024-07-23T01:14:11.376+09:00", |
| 28 | + "updated_at": "0001-01-01T00:00:00Z", |
| 29 | + "tenant_id": "a4992f54-808d-4959-8d31-52b20d415f51", |
| 30 | + "subject": { |
| 31 | + "id": "b1a4aec3-45d6-49dc-9e8f-c0954ebdffd9", |
| 32 | + "type": "user", |
| 33 | + "data": { |
| 34 | + |
| 35 | + "first_name": "", |
| 36 | + "full_name": "6 qa", |
| 37 | + "ip_address": null, |
| 38 | + "last_name": "" |
| 39 | + } |
| 40 | + }, |
| 41 | + "objects": [ |
| 42 | + { |
| 43 | + "id": "b1a4aec3-45d6-49dc-9e8f-c0954ebdffd9", |
| 44 | + "type": "Membership", |
| 45 | + "data": { |
| 46 | + |
| 47 | + "first_name": "qa", |
| 48 | + "last_name": "6" |
| 49 | + } |
| 50 | + } |
| 51 | + ], |
| 52 | + "event": { |
| 53 | + "type": "suspended", |
| 54 | + "context_data": { |
| 55 | + |
| 56 | + }, |
| 57 | + "category": "general", |
| 58 | + "producer": "portal" |
| 59 | + } |
| 60 | +} |
| 61 | +``` |
| 62 | + |
| 63 | +## Sample queries |
| 64 | + |
| 65 | +```sql title="Events by Category" |
| 66 | +_sourceCategory=TrustLoginAppTest |
| 67 | +| json "id", "event.type", "event.category", "event.producer", "subject.type", "objects", "subject.data.full_name", "subject.data.ip_address", "created_at", "event.context_data.log_msg", "subject.data.email", "subject.id", "subject.data.first_name", "subject.data.last_name" as event_id, event_type, event_category, event_producer, subject_type, objects, subject_full_name, subject_ip_address, created_at, event_msg, subject_email, subject_id, subject_first_name, subject_last_name nodrop |
| 68 | +| parse regex field=objects "(?<objects>\{(?:[^\{\}]|\{[^\{\}]*\})*\})" multi |
| 69 | +| json field=objects "type", "data.email" as object_type, object_email nodrop |
| 70 | + |
| 71 | +// global filters |
| 72 | +| where event_category matches "{{event_category}}" |
| 73 | +| where event_producer matches "{{event_producer}}" |
| 74 | +| where event_type matches "{{event_type}}" |
| 75 | +| where object_type matches "{{object_type}}" |
| 76 | +| where subject_type matches "{{subject_type}}" |
| 77 | + |
| 78 | +| count by event_id, event_category |
| 79 | +| count by event_category |
| 80 | +| sort by _count, event_category |
| 81 | +``` |
| 82 | + |
| 83 | +```sql title="Events Over Time by Type" |
| 84 | +_sourceCategory=TrustLoginAppTest |
| 85 | +| json "id", "event.type", "event.category", "event.producer", "subject.type", "objects", "subject.data.full_name" as event_id, event_type, event_category, event_producer, subject_type, objects, subject_full_name nodrop |
| 86 | +| parse regex field=objects "(?<objects>\{(?:[^\{\}]|\{[^\{\}]*\})*\})" multi |
| 87 | +| json field=objects "type" as object_type nodrop |
| 88 | + |
| 89 | +// global filters |
| 90 | +| where event_category matches "{{event_category}}" |
| 91 | +| where event_producer matches "{{event_producer}}" |
| 92 | +| where event_type matches "{{event_type}}" |
| 93 | +| where object_type matches "{{object_type}}" |
| 94 | +| where subject_type matches "{{subject_type}}" |
| 95 | + |
| 96 | +| timeslice 1d |
| 97 | +| count by event_id, event_type, _timeslice |
| 98 | +| count as frequency by _timeslice, event_type |
| 99 | +| fillmissing timeslice, values all in event_type |
| 100 | +| transpose row _timeslice column event_type |
| 101 | +``` |
| 102 | + |
| 103 | +```sql title="Top 10 User" |
| 104 | +_sourceCategory=TrustLoginAppTest |
| 105 | +| json "id", "event.type", "event.category", "event.producer", "subject.type", "objects", "subject.data.full_name" as event_id, event_type, event_category, event_producer, subject_type, objects, subject_full_name nodrop |
| 106 | +| parse regex field=objects "(?<objects>\{(?:[^\{\}]|\{[^\{\}]*\})*\})" multi |
| 107 | +| json field=objects "type" as object_type nodrop |
| 108 | + |
| 109 | +// global filters |
| 110 | +| where event_category matches "{{event_category}}" |
| 111 | +| where event_producer matches "{{event_producer}}" |
| 112 | +| where event_type matches "{{event_type}}" |
| 113 | +| where object_type matches "{{object_type}}" |
| 114 | +| where subject_type matches "{{subject_type}}" |
| 115 | + |
| 116 | +| where !isBlank(subject_full_name) |
| 117 | +| count by subject_full_name, event_id |
| 118 | +| count as frequency by subject_full_name |
| 119 | +| sort by frequency, subject_full_name |
| 120 | +| limit 10 |
| 121 | +``` |
| 122 | + |
| 123 | +## Collection configuration and app installation |
| 124 | + |
| 125 | +import CollectionConfiguration from '../../reuse/apps/collection-configuration.md'; |
| 126 | + |
| 127 | +<CollectionConfiguration/> |
| 128 | + |
| 129 | +:::important |
| 130 | +Use the [Cloud-to-Cloud Integration for Trust Login](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/trust-login-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Trust Login app is properly integrated and configured to collect and analyze your Trust Login data. |
| 131 | +::: |
| 132 | + |
| 133 | +### Create a new collector and install the app |
| 134 | + |
| 135 | +import AppCollectionOPtion1 from '../../reuse/apps/app-collection-option-1.md'; |
| 136 | + |
| 137 | +<AppCollectionOPtion1/> |
| 138 | + |
| 139 | +### Use an existing collector and install the app |
| 140 | + |
| 141 | +import AppCollectionOPtion2 from '../../reuse/apps/app-collection-option-2.md'; |
| 142 | + |
| 143 | +<AppCollectionOPtion2/> |
| 144 | + |
| 145 | +### Use an existing source and install the app |
| 146 | + |
| 147 | +import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md'; |
| 148 | + |
| 149 | +<AppCollectionOPtion3/> |
| 150 | + |
| 151 | +## Viewing the Trust Login dashboards |
| 152 | + |
| 153 | +import ViewDashboards from '../../reuse/apps/view-dashboards.md'; |
| 154 | + |
| 155 | +<ViewDashboards/> |
| 156 | + |
| 157 | +### Events Overview |
| 158 | + |
| 159 | +The **Trust Login - Events Overview** dashboard provides security analysts an overview of authentication events, user activities, and system changes. It features visualizations like event breakdowns, trends, and geo-location tracking to help detect suspicious behavior.<br/><img src='https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/Trust+Login/Trust+Login+-+Events+Overview.png' alt="Trust-Login-Events-Overview" /> |
| 160 | + |
| 161 | +## Create monitors for the Trust Login app |
| 162 | + |
| 163 | +import CreateMonitors from '../../reuse/apps/create-monitors.md'; |
| 164 | + |
| 165 | +<CreateMonitors/> |
| 166 | + |
| 167 | +### Trust Login alerts |
| 168 | + |
| 169 | +The Trend Micro Vision One monitors serve as a security tool, concentrating on observing essential operations and unusual occurrences within the Trend Micro Platform. These notifications offer instantaneous insight into significant events, allowing security personnel to swiftly react to deviations or breaches. |
| 170 | + |
| 171 | +| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | |
| 172 | +|:--|:--|:--|:--| |
| 173 | +| `Unusual account status changes` | This alert is triggered when an unusual event is performed frequently. It can help detect potential security threats like account takeovers or insider threats. | Critical | Count > 3 | |
| 174 | +| `Embargoed Geo Location of Events` | This alert is triggered when an event is detected from a location identified as high-risk. This helps you to monitor activity from unusual or restricted geographic locations, enhancing your ability to identify suspicious activity. | Critical | Count > 0| |
| 175 | + |
| 176 | +## Upgrading/Downgrading the Trust Login app (Optional) |
| 177 | + |
| 178 | +import AppUpdate from '../../reuse/apps/app-update.md'; |
| 179 | + |
| 180 | +<AppUpdate/> |
| 181 | + |
| 182 | +## Uninstalling the Trust Login app (Optional) |
| 183 | + |
| 184 | +import AppUninstall from '../../reuse/apps/app-uninstall.md'; |
| 185 | + |
| 186 | +<AppUninstall/> |
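Review bot: The paragraph under "### Trust Login alerts" describes the Trend Micro Vision One monitors and the "Trend Micro Platform" rather than Trust Login; this looks like a copy-paste leftover from another app page and should be rewritten to describe the Trust Login monitors (e.g. "The Trust Login monitors serve as a security tool, concentrating on observing essential operations and unusual occurrences within the Trust Login platform."). Two smaller nits in the same file: in the intro paragraph "the app's alert mechanism highlight unusual activities" should read "highlights", and the third sample query title "Top 10 User" should be "Top 10 Users" to match the `limit 10` over `subject_full_name`.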