Welcome to the SIEM community space! Post a question about anything related to SIEM and engage with fellow customers about all things SIEM.
Hi Community, We have a distributed collector in a remote location. We have established a site-to-site VPN between locations. The scenario is that the IP address of the collector is behind NAT and mapped to a different IP than the actual host IP. For example, the system IP of the collector is 172.29.20.80 and the IP of the collector as seen by the remote Logpoint is 172.22.2.2. We have made the necessary configuration and ensured the collector is visible in the Logpoint. However, the IP as recorded by Logpoint is the actual system IP (not the IP Logpoint should recognize it as). The issue is that the status is in the Inactive stage. Is this due to the difference between the host IP and the NAT address?
Hi All, AzureLogAnalytics is now released, enabling you to fetch and analyze Azure Log Analytics workspace logs. For downloading instructions and documentation, please visit the links below:
Help Center: https://servicedesk.logpoint.com/hc/en-us/articles/360017971858
Documentation: https://docs.logpoint.com/docs/azureloganalytics/en/latest/
Hello, I'm designing my backup. So far in the documentation, I've read two options: application snapshot and application backup, both of which write to the local disk. Let's put aside the configuration backup as it's less than 1 GB. The real challenge comes with backing up repos. In an on-prem infrastructure, backups are stored in the backup infrastructure, with VTL and so on. There's no way I can request to double the size of the repo disk just to store a consistent backup that I will then have to transfer to the backup infrastructure. In a cloud infrastructure, the backup would go directly to object storage such as S3 Glacier. Neither would we rent disk space used only during backup, though it might be easier to do in a cloud environment. In addition to the backup and snapshot methods from the documentation, I should add the option of disk snapshot, either from the guest OS or from the disk array (only for on-prem infrastructure). These would provide a stable file system onto which t
Hi All, We are excited to share the release of the new Universal REST API Fetcher. The Universal REST API Fetcher provides a generic interface to fetch logs from cloud sources via REST APIs. The cloud sources can have multiple endpoints, and every configured source consumes one device license. For more details, please see the links below:
Help Center: https://servicedesk.logpoint.com/hc/en-us/articles/6047943636253-Universal-REST-API-Fetcher
Documentation: https://docs.logpoint.com/docs/universal-rest-api/en/latest/
Hi friends, I have the problem that the storage folder is now over 90% full. Now I wanted to empty the folder using bash commands directly in the disk notification and have applied the following to "Command:":
find /opt/makalu/storage/ -type f -mtime +30 -delete
Unfortunately without success; the folder grows and grows. Do you have a tip or a solution for this? Thank you in advance and kind regards
When searching for special characters in field values in Logpoint, just pasting them into a regular Key = value expression can often result in searches not working as intended from the user's perspective, as the Logpoint search language will interpret the character differently from the intention. For instance, searching for fields with a star "*" character results in getting all results that have a value in that specific key, as Logpoint uses the star "*" as a wildcard character, which basically means "anything". key = * will result in all logs with a field called key. Instead of using the key value pairs to search, we can use the built-in command match to find any occurrences of the value that we are looking for. In this example we will search for the star "*", frequently referred to as a wildcard. We have some logs that have a field called policy in which we would like to find all occurrences of the character star "*". To do this we first ensure that the policy field exists in the logs that we s
LockBit has been implicated as the most active ransomware and has been involved in the most attacks compared to others of its kind. Read our latest blog by Anish Bogati & Nilaa Maharjan from Logpoint Global Services & Security Research on how Logpoint can help you strengthen your security posture when it comes to LockBit ransomware. Link to the blog post: https://www.logpoint.com/en/blog/hunting-lockbit-variations-using-logpoint/
Focusing on one use case at a time, the Use Case Catalogue will guide you through the implementation of basic monitoring of specific log sources in a Logpoint SIEM platform. The first instalment of the Use Cases Catalog series, Active Directory Use Cases, is now available on the link below: https://community.logpoint.com/active-directory-13
Hi there. So we have an alert rule that alerts us when an unknown and new device leases a DHCP address, to prevent unwanted physical access. Now we wanted to enrich said DHCP log by adding information from our ISE/switch logs, so that when we get the incident from the alert rule, we also see which switch and switch port this unknown device is hanging on. We are pretty sure that should be possible, but I haven't figured out how yet. Cheers, Mike Furrer
Dear All, We are happy to share that we have released CSV Enrichment Source v5.2.0 publicly. The CSV Enrichment Source application enables you to use a CSV file as an enrichment source in LogPoint. The application fetches data feeds from a CSV file and enriches search results with the data. For further information, please visit the link below: https://servicedesk.logpoint.com/hc/en-us/articles/115003786109
For detailed information about the implementation in Logpoint products, please refer to the articles below:
Logpoint: https://docs.logpoint.com/docs/csvenrichmentsource/en/latest/
Director API: https://docs.logpoint.com/docs/csvenrichmentsource-for-director-console-api/en/latest/
Director Console: https://docs.logpoint.com/docs/csvenrichmentsource-for-director-console-ui/en/latest/
Hi, I have been looking into how to get an overview of actions taken by a security analyst while using the Incidents view in Logpoint. Therefore I have created this search query to get an overview of incidents and actions. Repository to be searched on is _LogPoint
incident_id = * | chart count() by incident_id, log_ts, alert_id, status, action, user, alert_name, comment order by incident_id, log_ts asc
Hope this could be useful. Best Regards, Gustav
Receiving logs is one of the core features of having a SIEM solution, but in some cases logs are not received as required. In our newest KB article, we are diving into how to monitor log sources using Logpoint alerts to detect no logs being received on Logpoint within a certain time range. To read the full article, please see the link below: https://servicedesk.logpoint.com/hc/en-us/articles/5734141307933-Detecting-devices-that-are-not-sending-logs-
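The "device stopped sending logs" check described in the post above, as an added example that is not part of the KB article or of Logpoint's own alerting: it parses a handful of constructed syslog-style lines, records the newest timestamp per device, and compares that against an expected device inventory and a silence threshold. The line format, device names, timestamps and the inventory are all assumptions made for this example. The inventory matters because a search that only counts logs per device can never show a device that sent nothing at all; there is no row for it, so the check has to start from the list of devices you expect, not from the logs you received.

```python
"""Detect log sources that have gone quiet (added example, constructed data).

Given the last timestamp seen per device and an inventory of devices that
are expected to report, return every device whose newest log is older than
max_silence, plus every expected device that never produced a log at all.
"""
from datetime import datetime, timedelta, timezone
import re

# Assumed minimal line format: "<ISO-8601 timestamp> <device_name> <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+(?P<msg>.*)$")

# Constructed sample lines; not taken from any real installation.
SAMPLE_LOGS = """\
2024-05-01T10:00:00+00:00 fw-edge-01 session opened
2024-05-01T10:55:00+00:00 fw-edge-01 session closed
2024-05-01T10:10:00+00:00 dc-01 logon success
2024-05-01T09:20:00+00:00 proxy-01 GET /index.html 200
this line is malformed and must be skipped
""".splitlines()

# Constructed inventory: vpn-gw-01 is expected but has no line above.
EXPECTED_DEVICES = {"fw-edge-01", "dc-01", "proxy-01", "vpn-gw-01"}


def parse_line(line):
    """Return (device, aware datetime) or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    if ts.tzinfo is None:            # treat naive timestamps as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return m.group("device"), ts


def last_seen(lines):
    """Map device -> newest timestamp observed, ignoring unparsable lines."""
    seen = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        device, ts = parsed
        if device not in seen or ts > seen[device]:
            seen[device] = ts
    return seen


def silent_devices(seen, expected, now, max_silence):
    """Return {device: seconds_silent} for devices past the threshold.

    A device in `expected` with no log at all maps to None, so that a source
    that never checked in is reported rather than silently absent.
    """
    result = {}
    for device in sorted(expected):
        last = seen.get(device)
        if last is None:
            result[device] = None
        elif now - last > max_silence:
            result[device] = int((now - last).total_seconds())
    return result


def run_check(now_iso="2024-05-01T11:00:00+00:00", max_silence_minutes=30):
    """Run the check over the constructed sample at a fixed 'now'."""
    now = datetime.fromisoformat(now_iso)
    return silent_devices(last_seen(SAMPLE_LOGS), EXPECTED_DEVICES,
                          now, timedelta(minutes=max_silence_minutes))


if __name__ == "__main__":
    for device, silent_for in run_check().items():
        state = "never reported" if silent_for is None else f"silent for {silent_for}s"
        print(f"{device}: {state}")
```

With the fixed "now" of 11:00 UTC and a 30 minute threshold, fw-edge-01 (last seen 10:55) is fine, dc-01 and proxy-01 are reported with their silence in seconds, and vpn-gw-01 is reported as never having sent anything. In practice the threshold should be per device class: a firewall that is quiet for ten minutes is an outage, a quarterly batch job that is quiet for a week is normal.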
Hi folks, I'm trying to set up a Playbook Trigger, but wanted to potentially pass through parameters for it. The setup is as follows:
Alert is triggered
Playbook Trigger runs based on matching alert_id
Playbook generates case data and runs additional actions/playbooks.
I would (ideally) like the Playbook Trigger to pass details from the incident to the Playbook it is linked to. Is this something that's possible from the Trigger directly, or do I need to use a Query/another action within the Playbook to try and extract the info I need? On that note, is there an easy way to get data from the incident that triggered the alert within the playbook itself?
The `file_keeper` service, primarily used for storing raw logs and then forwarding them to be indexed by the `indexsearcher`, is often used in its default configuration. However, in some real-life situations this might not be sufficient to deal with the type and volume of logs being ingested into LogPoint, hence tuning is required. In our newest KB article, we're going to guide you through exactly how to do it. For more details, please read the full article on the link below: https://servicedesk.logpoint.com/hc/en-us/articles/5794306067101-Understanding-file-keeper-Working-and-Configuration
Hello, just wanted to "pick the brains" of my fellow LP community members regarding TI. Is anyone here actively using the Threat Intelligence feature of LogPoint and/or has any recommendations and experiences on the matter? Personally I think it could be a very valuable part of a LogPoint environment to increase the detection capabilities, but I have not been able to set it up in a way that would be really beneficial. This is mainly due to the fact that I haven't been able to find a decent (free) TI feed, and to my mind, the value of TI stands and falls with the quality of the feed data. Most of my customers have their firewalls, spam and web filter devices and mostly even their centralized AV solution sending their logs to LP. Setting up monitoring of DNS requests wouldn't be a problem either. So I think we have enough visibility into the network traffic. Having a decent TI feed could allow us to compare these logs against known IoCs (IP, hostnames, email addresses) and take a look at endpoints w
Hi, Today I have a Python script for exporting devices into a CSV file with the following fields:
device_name,device_ips,device_groups,log_collection_policies,distributed_collector,confidentiality,integrity,availability,timezone
Does a script exist that also extracts the additional fields: uses_proxy, proxy_ip, hostname? This will make moving devices from LogPoint 5 to LogPoint 6 considerably easier. Regards, Hans