Tagging devices - criticality


Hi Team,

Can we tag the device criticality in Logpoint?

We are looking to create notifications for critical and high severity devices.


4 comments

Nils Krumrey

There are multiple ways in which you could do this:

  • Using Device Groups, and using those in the Alert queries - e.g. create the same alert several times, once for when the device is in a specific group, and again for when it isn’t, and then give the alert rule a different criticality
  • Using lists - similar to the above, but not specifically configured on the device itself, but instead in a list that contains the device names, IP addresses or other identifiers, and then using the lists in alert queries as above
  • Using enrichment and a lookup table - the information about a device’s criticality could be present in a lookup table and then used for enrichment, where this additional information is baked into the logs when it arrives. The enrichment source could even be an external database or CSV where this information is maintained. The enriched information could then again either be used for modified alert rules, or just shown alongside the other information from the logs (e.g. through the Jinja template on the alert).

There are probably other ways of dealing with this, but hopefully it has given some ideas.

Satya Pathivada

Thanks for the quick reply. I am looking for options 2 and 3.

For that, where do the lists/CSV need to be uploaded? In Settings >> Device Groups or any other place?

I am thinking of building a network or asset model in Logpoint.

If you have any documentation, please provide it.

Thanks

Satya

Nils Krumrey

CSV is an enrichment source, so you find it under “Configuration”. You can either upload a CSV through the browser, or point LogPoint at a URL where a web server hosts the CSV file. There’s no specific documentation on device criticality, but enrichment sources of any kind are covered in the manual ( https://docs.logpoint.com/docs/data-integration-guide/en/latest/Configuration/Enrichment%20Sources.html ) together with enrichment policies ( https://docs.logpoint.com/docs/data-integration-guide/en/latest/Configuration/Enrichment%20Policies.html ), and also the User Training course.
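As an added example (not part of the thread and not Logpoint code), the following Python sketch validates a device-criticality CSV before it is used as an enrichment source, then simulates the lookup locally to show which events would qualify for a critical/high notification. The column names `device_ip` and `criticality`, the allowed levels, and all sample rows and events are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

ALLOWED = {"critical", "high", "medium", "low"}  # assumed level names
NOTIFY = {"critical", "high"}                    # levels that should notify

# Constructed sample lookup table; column names are assumptions.
SAMPLE_CSV = """device_ip,hostname,criticality
10.0.0.5,dc01,Critical
10.0.0.6,fileserver,high
10.0.0.7,kiosk-3,low
10.0.0.6,fileserver-old,medium
10.0.0.999,broken,high
10.0.0.8,printer,urgent
"""

def load_criticality(text):
    """Parse the lookup CSV and return (table, errors); bad rows are rejected."""
    table, errors = {}, []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        raw_ip = (row.get("device_ip") or "").strip()
        level = (row.get("criticality") or "").strip().lower()
        try:
            key = str(ipaddress.ip_address(raw_ip))  # normalise the lookup key
        except ValueError:
            errors.append(f"line {lineno}: invalid device_ip {raw_ip!r}")
            continue
        if level not in ALLOWED:
            errors.append(f"line {lineno}: unknown criticality {level!r}")
        elif key in table:
            # A duplicate key makes the lookup result ambiguous.
            errors.append(f"line {lineno}: duplicate device_ip {key}")
        else:
            table[key] = level
    return table, errors

def enrich(event, table):
    """Return a copy of the event with criticality and a notify flag added."""
    level = table.get(event.get("device_ip"), "unknown")
    return {**event, "criticality": level, "notify": level in NOTIFY}

if __name__ == "__main__":
    table, errors = load_criticality(SAMPLE_CSV)
    for err in errors:
        print("REJECTED", err)
    # Constructed sample events; 10.0.0.42 is deliberately absent from the CSV.
    for ip in ("10.0.0.5", "10.0.0.7", "10.0.0.42"):
        print(enrich({"device_ip": ip, "msg": "login failed"}, table))
```

Devices missing from the table come back as `unknown` and never notify, so it is worth tracking how many events fall into that bucket as a coverage check on the asset list.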
