Welcome to Logpoint Community

Connect, share insights, ask questions, and discuss all things about Logpoint products with fellow users.

  • Join Logpoint User Group!

    We are excited to announce a new platform for Logpoint community collaboration - Logpoint User Group! This new platform will give you an opportunity to talk with the Logpoint Product team directly and share feedback with the entire community.

    To read more about Logpoint User Group, as well as to sign up, please follow the link below:
    https://logpoint.com/logpoint-user-group

    Artem Fursenko
  • Integrate a use case in Logpoint for all tenants

    Good morning, could anyone tell me if I can integrate a use case with its respective query in CSV or JSON so that I don't have to create them one by one in each of the client tenants? If so, could you tell me how to do it?

    Thank you very much for everything.

    Carlos Gimeno
  • [HOW TO] MPS per repo and per log source

    Hello all,

    I would like to visualize:

    ▶️ MPS sent by each log source

    ▶️ MPS per repo_name

    I have managed to create a timechart of MPS per repo_name:

    repo_name=* | timechart count() by repo_name

    Note : This is not really MPS per repos, but log volume per repo.

    But I cannot find how to generate the equivalent for each log source.

    Thanks for your help!

    Louis MILCENT
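The post above notes that a timechart of count() is log volume per bucket, not messages per second. The following is an added example, not part of the original post and not Logpoint's own code, that turns bucketed counts into a rate and does so for both the repo and the log source. The events are constructed; repo_name is the field named in the post, and device_name is assumed here to be the per-source field.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed events in the shape of normalised SIEM records (not real data).
# device_name is an assumed field standing in for "the log source".
EVENTS = [
    {"ts": "2023-09-06T10:00:00Z", "repo_name": "firewall", "device_name": "fw01"},
    {"ts": "2023-09-06T10:00:00Z", "repo_name": "firewall", "device_name": "fw02"},
    {"ts": "2023-09-06T10:00:01Z", "repo_name": "firewall", "device_name": "fw01"},
    {"ts": "2023-09-06T10:00:03Z", "repo_name": "windows",  "device_name": "dc01"},
    {"ts": "2023-09-06T10:00:04Z", "repo_name": "windows",  "device_name": "dc01"},
    {"ts": "2023-09-06T10:00:09Z", "repo_name": "firewall", "device_name": "fw01"},
    {"ts": "2023-09-06T10:00:12Z", "repo_name": "windows",  "device_name": "dc01"},
]


def _epoch(ts):
    """ISO-8601 UTC timestamp -> integer epoch seconds."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def bucket_counts(events, key, bucket_seconds):
    """Events per (bucket_start, key value). This is what a
    'timechart count() by <key>' shows: a volume, not a rate."""
    counts = Counter()
    for e in events:
        start = _epoch(e["ts"]) // bucket_seconds * bucket_seconds
        counts[(start, e[key])] += 1
    return counts


def rates(events, key, bucket_seconds):
    """Messages per second per (bucket_start, key value): count / bucket width.
    A 10-second bucket holding 4 events is 0.4 MPS, not 4 MPS."""
    return {k: n / bucket_seconds
            for k, n in bucket_counts(events, key, bucket_seconds).items()}


def peak_rate(events, key, bucket_seconds):
    """Highest MPS observed for each value of `key` across all buckets;
    the figure that matters when sizing a collector or a licence."""
    peaks = defaultdict(float)
    for (_, value), mps in rates(events, key, bucket_seconds).items():
        peaks[value] = max(peaks[value], mps)
    return dict(peaks)


if __name__ == "__main__":
    for key in ("repo_name", "device_name"):
        print(key, peak_rate(EVENTS, key, 10))
```

The same function serves both questions in the post: pass `repo_name` for MPS per repo and the per-source field for MPS per log source. Shrinking the bucket width moves the result from an average toward a true peak, at the cost of noisier output.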
  • Tableau Plugin

    I've done a little searching, but I haven't had any luck finding a Tableau plugin.

    Does one exist, or is there an integration with logs from Tableau coming to Logpoint?

    Wes Masterson
  • LogPoint alert bug where it doesn't use search filtering with ">" or "<" symbols

    Hello,

    Hope all is well,

    I have encountered a bug within LogPoint alert rule queries where all default and custom alert rules that utilise the symbols ">" or "<" to finalise alert logic fail to use these symbols and all other data that was added after those symbols. If you run the alert rule query by copy-pasting it into the search manually, it works as it should, but if you want that query to be used by an alert (alert query) it drops everything beyond and including the symbols "<" or ">".

    Example of this bug:
    Multiple default LogPoint alerts utilise, at the end of the alert logic, a filtering command similar to "| search Event>10", but once the query is executed by the alert itself this filtering command is cut and is executed as "| search Event", which produces incorrect results.

    This seems like a straightforward bug that LogPoint support should be aware of. Is there a fix for it? Any workarounds?

    Appreciate the support,

    Vilius Siupinys
  • Enable FIM in Logpoint

    I want to implement FIM use cases in Logpoint. Please share any document or implementation guide to achieve the below.

    Syed Faisal Qadri
  • Data Not Showing on AgentX Dashboard

    Hi All, 

    Has anyone else experienced the same issue? I'm receiving AgentX logs, and everything seems to be working fine, but I can't see any data on the AgentX dashboard. I've also selected the correct repository.

    Nirmal Unagar
  • SNMP values for repos?

    Hi,

    We are looking into setting up SNMP monitoring and are a bit confused about the values in the fetch.

    For instance this SNMP value: is it in MB, MiB or something else?
    1.3.6.1.4.1.54322.1.13.2 Log size of repos in the previous day

    It is not specified on the documentation side:
    https://docs.logpoint.com/docs/system-configuration/en/latest/System/System%20Monitor.html#snmp-monitoring

    Hans Lindholm
  • Search for IP Range

    Hi Everyone,

    Was wondering if it's possible to search for an IP range among logs collected.
    For example I might want to search for anything between 10.0.0.1 and 10.0.0.50, which would make investigations easier instead of searching for individual IPs.

    Thanks in advance.

    Andy Clare
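The range in the question, 10.0.0.1 to 10.0.0.50, is not a single CIDR block, and a plain string comparison on addresses gets the answer wrong (the string "10.0.0.9" sorts after "10.0.0.50"). The following is an added example, not part of the original post and not Logpoint's own search syntax, that filters constructed log lines on an inclusive address range and also converts the range into the minimal set of CIDR blocks, which is what you would hand to any search tool that only accepts CIDR notation. The field name source_address and the log line format are assumptions.

```python
import ipaddress
import re

# Constructed sample log lines (not from the original post), in a key=value
# style; the field name source_address is an assumption.
SAMPLE_LOGS = [
    "2023-09-06T10:00:01Z device=fw01 source_address=10.0.0.1 destination_address=8.8.8.8 action=allow",
    "2023-09-06T10:00:02Z device=fw01 source_address=10.0.0.50 destination_address=8.8.4.4 action=allow",
    "2023-09-06T10:00:03Z device=fw01 source_address=10.0.0.51 destination_address=1.1.1.1 action=deny",
    "2023-09-06T10:00:04Z device=fw01 source_address=10.0.0.0 destination_address=1.1.1.1 action=deny",
    "2023-09-06T10:00:05Z device=fw01 source_address=10.0.0.9 destination_address=9.9.9.9 action=allow",
    "2023-09-06T10:00:06Z device=fw01 source_address=10.0.0.25 destination_address=9.9.9.9 action=allow",
    "2023-09-06T10:00:07Z device=fw01 source_address=10.0.10.5 destination_address=9.9.9.9 action=allow",
    "2023-09-06T10:00:08Z device=fw01 source_address=not-an-ip destination_address=9.9.9.9 action=allow",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_fields(line):
    """key=value pairs of one log line as a dict."""
    return dict(FIELD_RE.findall(line))


def in_range(ip_text, first, last):
    """True if ip_text is an address within [first, last] inclusive.
    The comparison is numeric on the packed address, so 10.0.0.9 < 10.0.0.50
    even though a string comparison would say the opposite. Unparseable
    values and mixed IPv4/IPv6 never match."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if ip.version != lo.version:
        return False
    return lo <= ip <= hi


def search_ip_range(lines, field, first, last):
    """Log lines whose `field` falls inside the inclusive range."""
    return [l for l in lines if in_range(parse_fields(l).get(field, ""), first, last)]


def range_to_cidrs(first, last):
    """Minimal list of CIDR blocks covering an arbitrary inclusive range,
    for tools that accept CIDR notation but not 'a to b' ranges."""
    return [str(net) for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


if __name__ == "__main__":
    for line in search_ip_range(SAMPLE_LOGS, "source_address", "10.0.0.1", "10.0.0.50"):
        print(line)
    print(range_to_cidrs("10.0.0.1", "10.0.0.50"))
```

For 10.0.0.1 to 10.0.0.50 the CIDR decomposition is eight blocks, from 10.0.0.1/32 up to 10.0.0.50/32; note that 10.0.0.0 and 10.0.0.51 are excluded, which a careless /26 search would not do.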
  • How many LogPoint Pools or LogPoints can LP Director handle?

    Is there a limitation on the number of LP Pools or LPs a Director setup can handle or some kind of benchmark?

    Basudev Raut
  • Continuing director upgrade on missed patch

    Is there any way we can continue with upgrades if we miss a patch while upgrading director components?

    Sandesh Bhusal
  • Director component upgrades

    Hello!

    I am looking to upgrade the director components to the latest version.

    I am aware that I have to follow the upgrade path. But could anyone please suggest which component I have to upgrade in which order?

    Rupsan Shrestha
  • Recommended hardware sizing for Director components

    Hi, I'm about to install a new LP Director platform and I was wondering if I should use the minimum memory and CPU sizing recommendations to create the VMs or up them a bit. Can you share your experience and recommendations?

    Jerome Perrin
  • LogPoint servers in Director pool naming

    Hi

    Is it possible to have two or more LogPoint servers with the same name in the same Director pool?

    Nicolai Thorndahl
  • What servers should be included in the director pool?

    Hi

    We are adding Director to our existing environment and I am wondering if I should include both Search Heads, Backend servers, and collectors in the Director pool? And should I divide them into different pools based on their function? e.g.

    - pool_1: SH01, SH02
    - pool_2: Backend_01, Backend_02, Backend_03
    - pool_3: Collector_01

    Or simply include all the servers in a single pool?
    The collector is sending logs to all 3 backends, and the search heads are able to search in all 3 backends.

    Nicolai Thorndahl
  • Anything to be aware of before deploying Director to an existing environment?

    Hi

    We are deploying Director to our existing environment to get a central control panel. Are there any preconditions I should be aware of?

    • Do the Backend servers (I have 3) need to have exactly the same configuration with repos etc., or can they differ?
    • Do the hardware specs need to be exactly the same? One server was deployed later and thus has different hardware.

    Nicolai Thorndahl
  • Uploading assets to the Director console

    I was trying to upload a patch to my director console but I got an error saying that the version is invalid. I also tried to upload a hotfix but getting the same error. Any ideas what is wrong?

    The files I am trying to upload:
    ThreatIntelligence_5.1.0.1.pak
    logpoint_6.9.2 (1).pak

    Nicolai Thorndahl
  • Controlling LPAgent from Director?

    Can I centrally control LogPoint Agents from my Director console?

    Nicolai Thorndahl
  • Change the web password from the CLI

    Hello,

    I lost my GUI password. I can access Logpoint only via the CLI.

    How can I reset my GUI password?

    thanks

    sbelmadani
  • Integrating the logs from kaspersky

    We need to send the Kaspersky logs into Logpoint. We have configured Kaspersky to send events to the Logpoint machine through syslog port 514 with protocol UDP, but it does not send the logs. Need help.

    Syed Faisal Qadri
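When syslog over UDP "does not arrive", the first thing to establish is whether any datagram reaches the collector host at all, independent of the SIEM, and what the collector would see as the sender address (UDP carries no acknowledgement, so the sending side cannot tell). The following is an added example, not part of the original post and not Logpoint's own code, that parses a BSD-style (RFC 3164) syslog line such as a Kaspersky server might emit and performs a loopback send/receive on an ephemeral UDP port so that it runs without root; in a real check you would bind the collector's port 514 instead. The sample message is constructed and its content is an assumption, not real Kaspersky output.

```python
import socket

# Constructed RFC 3164 style message; the hostname, tag and text are assumptions.
# PRI 14 = facility 1 (user-level) * 8 + severity 6 (informational).
SAMPLE_MESSAGE = "<14>Sep  6 10:00:01 ksc-server KES: Threat detected on host WS-07: Trojan.Win32.Generic"


def parse_syslog(message):
    """Parse '<PRI>TIMESTAMP HOST TAG: MSG' (RFC 3164). PRI = facility*8 + severity.
    Returns a dict, or None when the PRI header is missing or malformed, which
    is what you see when a device sends plain text instead of syslog."""
    if not message.startswith("<"):
        return None
    end = message.find(">")
    if end < 2 or end > 4 or not message[1:end].isdigit():
        return None
    pri = int(message[1:end])
    if pri > 191:                      # 23 facilities * 8 + 7 is the maximum
        return None
    rest = message[end + 1:]
    timestamp, rest = rest[:15], rest[16:]   # "Mmm dd hh:mm:ss" is fixed width
    host, _, rest = rest.partition(" ")
    tag, _, text = rest.partition(": ")
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": timestamp,
        "host": host,
        "tag": tag,
        "message": text,
    }


def udp_roundtrip(message, host="127.0.0.1", port=0, timeout=2.0):
    """Bind a UDP listener (port 0 = ephemeral; a real collector listens on 514,
    which needs root), send `message` to it, and return (sender_ip, parsed).
    If this works locally but nothing shows up on 514 from the device, the
    problem is on the network path or the sender, not in parsing."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind((host, port))
        rx.settimeout(timeout)
        bound_port = rx.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(message.encode("utf-8"), (host, bound_port))
        data, (sender_ip, _) = rx.recvfrom(8192)
    return sender_ip, parse_syslog(data.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    sender, parsed = udp_roundtrip(SAMPLE_MESSAGE)
    print("datagram from", sender)
    print(parsed)
```

The sender address returned by `recvfrom` is the value a collector sees; if a NAT device or relay sits between the Kaspersky server and the SIEM, that address is what the collector's device configuration has to match, not the Kaspersky server's own IP.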
  • Search current hash of Kaspersky in Logpoint

    We need to search in Logpoint for hashes from our current endpoints and servers. How can we do that? Is there any package we need to install for a particular application, or anything else?

    Also, we have Kaspersky EDR and imported its package in Logpoint. We are getting the Windows logs only, not the hashes from Kaspersky. We need to configure it to receive hashes from Kaspersky.

    Syed Faisal Qadri
  • Firewall Use Cases V1.0

    Hi All,

    In this second instalment of the Use Case catalogue series, we are focusing on firewalls. Firewalls are a vital part of most organisations and enterprises today. In this use case catalogue you will find a collection of analytics available for firewalls in Logpoint SIEM for Palo Alto, Cisco, Fortinet and Check Point firewalls.

    Gustav Elkjær Rødsgaard
  • Defending Against 8base: Uncovering Their Arsenal and Crafting Responses

    The 8Base ransomware group initially surfaced on the cyber threat landscape in March 2022, and their activities significantly increased in June 2023. They notably target small and medium-scale industries. While their actions began in March 2022, it wasn't until May 2023 that a substantial increase in their activities became apparent. This placed them among the top 5 most active ransomware groups in both June and July 2023.

    In the realm of ransomware activities, our focus has unwaveringly remained on various groups and their activities. As the calendar rolled into July, the emergence of the 8Base group took a significant turn as it secured the 3rd position among the top 5 ransomware groups. As it continues to widen its range of victims and expand its operations, the group poses a growing threat solidifying its position as a potent adversary in the ever-changing cyber threat landscape.

    In the report you can read more about the Logpoint Emerging Threats Protection as well as recommendations to keep your environment more secure against various threats.

    Nanna Dalbjørn Skov
  • Warning! Detect, respond, and manage this active ransomware with Converged SIEM, AgentX, and SOAR automation playbooks.

    What you get:

    • Introduction to Akira ransomware via blog.
    • Free download report from our Security Research team.
    • Playbooks: Automate your way to protecting against Akira.
    • How can you leverage your Converged SIEM against Akira? Download the report.

    Here is why this is important. Some Akira background info:

    Emerging Threat: Akira, Not a CyberPunk Movie – A Very Real Ransomware Threat

    Fast Facts

    • Emerging in March 2023, Akira ransomware has been grabbing daily headlines with its relentless and perilous assaults, leaving a trail of mounting victims.

    • Akira is actively targeting Cisco ASA VPNs without multi-factor authentication to exploit CVE-2023-20269 as an entry point for their ransomware.

    • Akira was among the Top 10 Ransomware groups in August 2023, with no indication of slowing down.

    • Not only Windows: the Akira variant can also infect Linux systems.

    • As of September 6, 2023, they have successfully struck 110 victims, including big-name organizations such as Quality Assistance Leader, Intertek.

    Akira has emerged as a tenacious and devastating adversary in an ever-changing field of cyber threats that has grabbed widespread notice in a short period of time. Organizations must adapt and improve their security procedures in this situation. The growing number of people falling victim to this expanding menace emphasizes the importance of the situation.

    Logpoint's security operations platform, Converged SIEM, contains a range of extensive tools and capabilities for identifying, evaluating, and mitigating the impact of Akira Ransomware. With features like native endpoint solution AgentX and SOAR with pre-configured playbooks, it enables security teams to automate essential incident response procedures, gather vital logs and data, and expedite malware detection and removal operations.

    In an ever-changing threat landscape, Logpoint gives organizations the tools and capabilities they need to monitor risks, build defenses, and protect against Ransomware activities like Akira.

    SOAR is always included in your Logpoint subscription. Not set up to use SOAR? Reach out to your local Logpoint representative or customersuccess@logpoint.com to hear how we can get you started.

    Did you download the report? If so we would like to hear from you. Send us a message below and let us know your thoughts. What did you like? How can we improve it?

    Nanna Dalbjørn Skov
  • WinRAR – Decompression or Arbitrary Code Execution

    Fast Facts

    • With over 500 million users worldwide, WinRAR is the world’s most popular compression tool!

    • CVE-2023-38831, named 'RARLAB WinRAR Code Execution Vulnerability', is an arbitrary code execution vulnerability in WinRAR, with a CVSS score of 7.8.

    • The CVE-2023-38831 vulnerability has been patched in the latest version of WinRAR; the vulnerability resides in versions prior to 6.23.

    • Threat actors have been targeting this vulnerability to deliver malware such as Agent Tesla, GuLoader, Remcos, and DarkMe.

    Curious to read more and understand how Logpoint's platform can assist analysts in detecting and responding to security issues? Read the full article on Logpoint's blog here: WinRAR – Decompression or Arbitrary Code Execution

    Nanna Dalbjørn Skov
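The post gives one actionable fact: every WinRAR build before 6.23 is affected. Turning that into an inventory check is where most mistakes happen, because installed-software version strings compare wrongly as text ("6.9" sorts after "6.23"). The following is an added example, not part of the original post and not Logpoint's own detection content, that flags hosts with a vulnerable WinRAR from constructed inventory records shaped like Windows installed-programs data (DisplayName / DisplayVersion). The hosts, records and the 6.9 value used to show the comparison trap are constructed.

```python
import re

# Constructed inventory records (not real hosts), in the shape of Windows
# "installed programs" data: DisplayName and DisplayVersion per entry.
INVENTORY = [
    {"host": "ws01", "DisplayName": "WinRAR 6.22 (64-bit)", "DisplayVersion": "6.22.0"},
    {"host": "ws02", "DisplayName": "WinRAR 6.23 (64-bit)", "DisplayVersion": "6.23.0"},
    {"host": "ws03", "DisplayName": "WinRAR 6.02 (32-bit)", "DisplayVersion": "6.02.0"},
    {"host": "ws04", "DisplayName": "WinRAR 5.91 (64-bit)", "DisplayVersion": "5.91.0"},
    {"host": "ws05", "DisplayName": "7-Zip 23.01 (x64)",    "DisplayVersion": "23.01"},
    {"host": "ws06", "DisplayName": "WinRAR 7.00 (64-bit)", "DisplayVersion": "7.00.0"},
]

FIXED_IN = (6, 23)  # first WinRAR version without CVE-2023-38831, per the post


def version_tuple(text):
    """'6.02.0' -> (6, 2, 0). Each dotted component becomes an int so that
    comparison is numeric per component; comparing the raw strings would
    rank '6.9' above '6.23' and miss a vulnerable install."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_vulnerable(display_version, fixed=FIXED_IN):
    """True when the version predates `fixed`. An unparseable version yields
    False here; report those separately rather than silently treating them
    as patched."""
    v = version_tuple(display_version)
    return bool(v) and v[:len(fixed)] < fixed


def find_vulnerable_winrar(inventory):
    """Sorted host names whose installed WinRAR predates the fixed version."""
    return sorted(
        r["host"] for r in inventory
        if r["DisplayName"].lower().startswith("winrar")
        and is_vulnerable(r["DisplayVersion"])
    )


if __name__ == "__main__":
    print("vulnerable WinRAR hosts:", find_vulnerable_winrar(INVENTORY))
```

The same `version_tuple` comparison carries over to any "fixed in version X" advisory; the only per-advisory inputs are the product name match and the fixed-version tuple.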
  • Unmasking APT29: The Elusive Cozy Bear Cyber Threat

    Warning! Detect, respond, and manage this active ransomware with Converged SIEM, AgentX, and SOAR automation playbooks.

    Emerging Threats Protection Report
    Not Too Cozy: Cozy Bear

    What you get:

    • Introduction to Cozy Bear
    • Free download report from our Security Research team.
    • Playbooks: Automate your way to protecting against Cozy Bear.
    • How can you leverage your Converged SIEM against Cozy Bear? Download the report.

    Here is why this is important. Some Cozy Bear background info:

    Fast Facts:

    🔍 Aliases: The Dukes, APT-29, Cozy Bear, or Nobelium - whatever you call them, they're the same. We'll use these aliases interchangeably throughout the blog and report.

    🌐 A Notorious Background: The Dukes, believed to be linked to Russia's Foreign Intelligence Service (SVR), are a formidable cyber espionage group. Their targets? Governments, NGOs, businesses, think tanks, and other high-profile entities through sophisticated spear-phishing campaigns.

    🤺 Unconventional Tactics: The Dukes are known for their unconventional techniques, employing HTML Smuggling and malicious ISO images to deliver malware while slipping past security measures.

    🇺🇸 Political Intrigue: APT-29 made headlines by targeting political entities, gaining notoriety for hacking the Democratic National Committee during the 2016 U.S. presidential election.

    🌌 SolarWinds Shockwave: APT-29's most significant operation was its involvement in the 2020 SolarWinds supply-chain attack, which compromised multiple sectors of the U.S. government. This event showcased their capabilities and sophistication, making them a force to be reckoned with.

    Knowledge is your shield in the ever-evolving world of cybersecurity. With Logpoint's expert analysis, you're not just informed; you're equipped to face the challenges of the digital age head-on.

    Join us in the quest for cyber resilience. Dive into the report and fortify your defenses against APT29 and its aliases and read the full report below 🌐

    Nanna Dalbjørn Skov
  • Phishing and Quishing – Email Investigation and Response Using Logpoint

    Email has become an indispensable part of our lives, and the need for heightened cybersecurity awareness has never been more critical. Phishing attacks are among the most common and insidious threats to our online security.

    Here are some eye-opening facts that underscore the extent of this global issue.

    💰 Shockingly, cybercriminals invest significant sums daily, ranging from $200 to $1000, to orchestrate intricate phishing campaigns, underscoring the immense resources allocated to compromising your security.

    🔐 Disturbingly, statistics reveal that over the past six months, users reported phishing attempts only 11.3% of the time. This alarming figure highlights the need for proactive measures against these threats, as a significant number of malicious attempts go unreported.

    🚫 The good news is that tech giants like Google are at the forefront of the fight against phishing. They actively thwart around 100 million phishing emails daily, providing a robust defense against these nefarious attacks.

    Protect your organization's integrity and safeguard your personal information by delving into our comprehensive guide on how to investigate and respond to email threats effectively 📩

    Read the full article here: https://www.logpoint.com/en/blog/emerging-threat/email-investigation-and-response-using-logpoint/

    Nanna Dalbjørn Skov
  • Insidious Nightmares: Automating Employee Onboarding and Off-boarding

    🔐 Goodbyes can harbor unforeseen risks, especially when departing employees possess crucial access and knowledge. Meet the "Lord Darths" of the corporate world—ex-employees with potent technical admin privileges, driven by motives to harm or exploit. Insider threats are real, and their impact can be substantial.

    Consider the alarming history of insider threat cases; these individuals, armed with expertise and access, pose a considerable risk. Managing the employee lifecycle is pivotal and includes everything from onboarding, retention, development, recognition, and exit. Our latest blog uncovers the critical stages of onboarding and exit. Check out the blog by Logpoint Security Analyst Roshan Bhandari on our website here, or read the key insights below:

    Insights into Insider Threats

    Notable Insider Threat Incidents

    Nanna Dalbjørn Skov
  • ChatGPT integration

    I'm trying to integrate ChatGPT with Logpoint, and the ChatGPT plug-in files that I found on the Logpoint website are JSON files. When I tried uploading them it says that Logpoint plugins don't support JSON files. Has anyone been in a similar situation and/or know what to do?

    Thank you

    BabuRajesh
  • Community Guidelines

    Please see our community guidelines below. The rules of the community can be updated as necessary. By registering as a LogPoint Community member, you accept the general terms and conditions LogPoint Terms of service and Community Guidelines.


    R-E-S-P-E-C-T
    LogPoint Community is a meeting place where everyone can give and get help. So let’s be nice to each other! We don’t use rude language, speak disrespectfully of others, or behave inappropriately in general.

    This is a place for relaxed conversation and mutual support – all in good spirit! We don't judge, criticize or bad-mouth anyone.

    Thank you goes a long way
    If you bump into a helpful answer, good thinking, or just something nice, you can give a simple thank-you by clicking the Thank you / Like-button. By liking comments you can help other users to find useful advice and good conversation later.

    Keep it private
    LogPoint Community is an open space and anyone can join even if they are not LogPoint Employees, Customers, or Partners, so please be careful about your personal information. Do not, under any circumstances, post or share (not even via private messages) any account numbers, license keys, phone numbers, physical addresses, email addresses, or any other sensitive personal information related to you and/or your organization and/or to your customers to any of the forum threads.

    As a LogPoint Partner or Customer, you should always discuss account-specific issues, questions, tickets, and the like containing any sensitive personal information related to you and/or your organization and/or to your customers with LogPoint Support on the LogPoint Service Desk. We advise you to always keep your posts general, excluding any sensitive personal information related to you and/or your organization and/or to your customers, on the LogPoint Community.

    LogPoint A/S will not be liable to you or anyone else for any financial loss, loss of business, injury, or any other loss resulting directly or indirectly from the use of LogPoint Community or the services we offer, caused in whole or part by its negligence or compiling, interpreting, reporting, or delivering this site and any content through this site. In no event will LogPoint A/S or any of its employees and partners be liable to you or anyone else for any decision made or action taken by you in reliance on such content. Should you fail to read or comply with our guidelines and suffer any losses, being physical/financial/intellectual, loss of business or any other losses, in no event will LogPoint A/S or any of its employees and partners be liable to you or anyone else for any decision made or action taken by you.

    No spam
    LogPoint Community is about customers helping each other out, not for promotion. Please don’t post any advertising, spam, junk mail, chain letters, or any other kind of solicitation.

    Behave
    You shouldn't in any situation post anything obscene, unlawful, harassing, threatening, harmful, abusive, or otherwise objectionable. Any post made in the forums is subject to moderation and can be edited or deleted if it violates these guidelines. It is furthermore strictly forbidden to discuss, disclose, dispute, or publish private discussions with our Moderators.

    Relax, you're in good hands
    If you spot a post that is against the rules, don’t respond to it. Just flag the post and our moderators will check the situation as soon as possible.

    LogPoint Community is here for you!

    Moderators can edit messages afterward or even delete messages. Moderators can delete messages with inappropriate content, personal insults, personal information, or other content that breaches the rules of LogPoint Community without warning.

    Compliance with our rules is supervised by LogPoint moderators and any violation of these rules leads to a warning. We reserve the right to permanently lock your user codes after three warnings. LogPoint Community moderators are LogPoint employees.
