
Tagging devices - criticality

  • 13 December 2021
  • 4 replies

Hi Team,

Can we tag the device criticality in LogPoint?

We are looking to create notifications for critical and high severity devices.


There are multiple ways in which you could do this:

  • Using Device Groups, and using those in the Alert queries - e.g. create the same alert several times, once for when the device is in a specific group, and again for when it isn’t, and then give the alert rule a different criticality
  • Using lists - similar to the above, but not specifically configured on the device itself, but instead in a list that contains the device names, IP addresses or other identifiers, and then using the lists in alert queries as above
  • Using enrichment and a lookup table - the information about a device’s criticality could be present in a lookup table and then used for enrichment, where this additional information is baked into the logs when it arrives. The enrichment source could even be an external database or CSV where this information is maintained. The enriched information could then again either be used for modified alert rules, or just shown alongside the other information from the logs (e.g. through the Jinja template on the alert).

There’s probably other ways of dealing with this but hopefully it has given some ideas.
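To make option 3 concrete, here is an added Python illustration (not LogPoint's own code or query syntax) of what an enrichment source does: a lookup table of device criticality is joined onto each event as it arrives, and the notification decision is then a plain filter on the enriched field. The CSV columns, event fields and device values below are constructed assumptions.

```python
import csv
import io

# Constructed sample lookup table. In LogPoint this would be the uploaded or
# URL-hosted CSV enrichment source; the column names are assumptions, not a
# LogPoint schema.
CRITICALITY_CSV = """device_name,ip_address,criticality
dc01.corp.example,10.0.0.5,critical
fileserver01.corp.example,10.0.0.20,high
printer-3f,10.0.5.7,low
"""

# Constructed sample events, already parsed into key/value fields.
EVENTS = [
    {"device_name": "dc01.corp.example", "device_ip": "10.0.0.5", "msg": "failed login"},
    {"device_name": "printer-3f", "device_ip": "10.0.5.7", "msg": "paper jam"},
    {"device_name": "unknown-host", "device_ip": "10.0.0.20", "msg": "port scan"},
    {"device_name": "laptop-77", "device_ip": "192.168.1.9", "msg": "usb inserted"},
]

# Severity levels that should raise a notification.
NOTIFY_LEVELS = {"critical", "high"}


def load_lookup(csv_text):
    """Index the table by name and by IP so an event can match on either identifier."""
    by_name, by_ip = {}, {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        level = row["criticality"].strip().lower()
        by_name[row["device_name"].strip().lower()] = level
        by_ip[row["ip_address"].strip()] = level
    return by_name, by_ip


def enrich(event, by_name, by_ip):
    """Return a copy of the event with device_criticality baked in.

    Devices missing from the table get 'unknown' rather than being dropped,
    so gaps in the asset model stay visible instead of silently suppressing alerts.
    """
    level = by_name.get(event.get("device_name", "").lower())
    if level is None:
        level = by_ip.get(event.get("device_ip", ""))
    enriched = dict(event)
    enriched["device_criticality"] = level if level is not None else "unknown"
    return enriched


def events_to_notify(events, csv_text=CRITICALITY_CSV):
    """Enrich every event and keep those from critical or high devices."""
    by_name, by_ip = load_lookup(csv_text)
    enriched = (enrich(e, by_name, by_ip) for e in events)
    return [e for e in enriched if e["device_criticality"] in NOTIFY_LEVELS]
```

The same filter expressed as an alert rule condition on the enriched field is what option 3 buys you: one rule instead of one copy per device group.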

Thanks for the quick reply. I am looking for options 2 and 3.

For that, where should the lists/CSV be uploaded? In Settings >> Device Groups, or some other place?

I am thinking of building a network or asset model in LogPoint.

If you have any documentation, please provide it.

Thanks

Satya

CSV is an enrichment source, so you find it under “Configuration”. You can either upload a CSV through the browser, or point LogPoint at a URL where a web server hosts the CSV file. There’s no specific documentation on device criticality, but enrichment sources of any kind are covered in the manual (https://docs.logpoint.com/docs/data-integration-guide/en/latest/Configuration/Enrichment%20Sources.html) together with enrichment policies (https://docs.logpoint.com/docs/data-integration-guide/en/latest/Configuration/Enrichment%20Policies.html), and also the User Training course.


Isn’t this related to availability?

If you use the Confidentiality, Integrity & Availability option when creating devices in LogPoint, then if you set availability to major or critical, when creating alert rules you can use that for calculating the risk value.

Creating an Alert Rule — Alerts and Incidents latest documentation (logpoint.com)

Regards

Hans
