Welcome to Logpoint Community

Hello, this is Yoshihiro.

I want to expand/sell Logpoint here in Japan.

But the splunk is very strong competitor here.

So I want to know any idea to sell/expand the Logpoint.

Like what is the strong point compared with it ?

Or If you were sales person kindly tell me about your experience when you won.

I got the answer about the license model in another portal like below.

～

You can beat the splunk easily by comparing the device-based Logpoint licencing/pricing to the splunk traffic-based licencing/pricing. A Splunk customer has to adjust its cost calculation when log traffic increases: https://docs.splunk.com/Documentation/Splunk/9.2.0/Admin/Aboutlicenseviolations#What_happens_during_a_license_violation.3F

～

I appreciated with him and  I agree with it.

But honestly  I need more idea about the function advantage.

For example I am not sure that the BCS for SAP would be important advantage.

Any idea?

regards,

Yoshihiro

Is there a way to get or change the configuration password for a Pool?

When I try to create a report it says “”Invalid number of fields used in process command, expected 7 field(s) but found 8” Why?

Good Day Everyone

When trying to delete a device asset I get hit with this error “ Random hostname (Not the host name of the device I am trying to delete) does not appear to be an IPv4 or IPv6 network “
And it won´t let me delete the device,

I am not sure what to do about this, help would be greatly appreciated.

Hi,

I would like to know if is it possible to receive one alert for the same action? For, example : for the following example if the same action is repeated several times I want to recive just one alert not more.

action=Login source_address=1.1.1.1 user=titi | chart count() by user

Is it possible ? If yes could you please tell me how do I do ?

Best regards,

SA

The following query put the result of processing function as “null” :
| chart max(log_ts) as maxlogts  | process format_date(maxlogts,'YYYY/MM/dd') as endDate | fields maxlogts, endDate

I think the field “maxlogts” is not retrieved/recognized by function format_date().

There is a way to obtain the field “endDate” not null ?

I have uploaded the logpoint 7.3.0 and 7.3.1 pak on logpoint server 7.2.4.

I have started the 7.3.0 pak installation but after some hours is still in “installing” state

Checking the status I see that is blocked on SOAR Plugin upgrade

………

…………...

Checking package status ...
install; giving etc/, storage/ and var/ to loginspect only in changed files
install; removing old files
install; copying files
Update; updating plugins....
Upgrading SOAR plugin

I tried to install the 7.3.1 pak that fails because the 7.3.0 is not installed.

I have restarted the server but nothing change.

Could you please help me to understand the cause?

Hi,

I Would like to use the joinner method in my template LogPoint. Whowever, I can’t use the “{{}}” for search parameter. Could you please tell me how should I do ?

Here is an exemple of this tamplate :

[ source_address=* display_name=* user=*] as s1 join [ user=* source_host=* source_address=*  ] as s2 on s1.user  = s2.user {{source_host}} | rename  s2.source_host  as source_host  |  process geoip(s1.source_address) as country|  rename user as User |  chart count() by User, country, source_host

Note => I would like to search by this parameter {{source_host}}

Thank you in advance.

Siawash,

We would like to send log files from a directory such as C:\Logs to our logpoint server.
What needs to be entered in nxlog.conf?

🔐 Goodbyes can harbor unforeseen risks, especially when departing employees possess crucial access and knowledge. Meet the "Lord Darths" of the corporate world—ex-employees with potent technical admin privileges, driven by motives to harm or exploit. Insider threats are real, and their impact can be substantial.

Consider the alarming history of insider threat cases; these individuals, armed with expertise and access, pose a considerable risk. Managing the employee lifecycle is pivotal and include everything from onboarding, retention, development, recognition, and exit. Our latest blog uncovers the critical stages of onboarding and exit - Check out the blog by Logpoint Security Analyst, Roshan Bhandari, on our website here or read key insights below:

Insights into Insider Threats

• Staggeringly, 74% of respondents to a survey feel moderate to extremely vulnerable to insider threats.

• The most critical impacts of insider attacks were loss of critical data ( 45% ), brand damage ( 43% ), and operational disruption or outage ( 41% )

• Insider threats can be costly, 59% of the insider threat motivation was monetary gains while 50% was reputation damage .

• The time to contain an insider threat incident increased from 77 days to 85 days , leading organizations to spend the most on containment .

Notable Insider Threat Incidents

• The FBI arrests 21-year-old Air Force guardsman in Pentagon leak case.

• A Yahoo lawsuit alleged an employee stole trade secrets upon receiving a Trade Desk job offer.

• Proofpoint alleged an ex-exec took trade secrets to abnormal security .

• A fired healthcare exec stalls critical PPE shipment for months .

• An Apple lawsuit says 'stealth' startup Rivos poached engineers to steal secrets .

Hi,

what is LogPoint's recommended way to get logs from Azure AD / EntraID and any other Azure applications into LogPoint?

We have noticed that the Azure EventHubs sometimes provide their logs several days late via the message queue. We were able to verify this independently of LogPoint using a fetcher developed in Python.

How does this work with the " Azure Log Analytics Workspace" module? Can the logs be expected in the SIEM in a timely manner?

A delay of several hours and days is not possible with the current alert rule concept of searching on already indexed timeranges without running the alert rules on utopian high timeranges.

Hello

We want to see a statistic of outgoing mails/which domain sends how many.

Filtering by source user is easy, however what I would need is the domain, not the precise E-Mail address.
Is there a way to filter by only what comes after the @, so I can make a chart with only that information.
Or is there a way to get the more precise Domain.

cheers, and happy holidays

Mike

Hi guys,

I wrote a query that monitors for abnormal computer names joining my organization network. I had some success with those queries, but they still returns some false positives for me. How can I improve it?

| process eval("is_abnormal_computer_name = (machine != like('Computer_Name') AND machine != like('Computer_Name') AND machine != like('Computer_Name') AND machine != like('Computer_Name'))")

| process eval("is_abnormal_computer_name !=  like(machine, '^(name|name|name|name).*')")

I want the query to returns the computer names that are abnormal.

I want to implement FIM use cases in logpoint. please share any document or implementation guide to achieve the below.

hello guys, good day

newbie here and I am taking overed from our previous employee. correct me if I’m wrong since it is still in final design

I need to deploy distributed LP in customer environment, we provide them 2 ESXi and this is our 1st customer migrated from Microfocus. The components are: (current)

• search head x1
• distributed logpoint x1
• log collector x2 (collect log for on-prem x1, collect log for cloud but sitting on prem)

for windows, planning to use LPA and the rest syslog

Issue 1:

I do some testing and I realized all the API or Cloud Trail configuration directly into DLP. Reason I am thinking, we do not need the LC on this case and the pros is we have the opportunity to turn on SOAR features also increase the specification/storage for DLP.

Do I need to turn on this DLP as collector also?

Issue 2:

license: 325 nodes (300 servers/security/network and 5 API: sophos, office365 and 1: AWS cloud trail)

I believed 325 nodes will be installed inside the DLP and but not sure about SH and LC, I think I need to purchase another 3 licenses for the rest so new licenses are 328 nodes. Any advise?

Issue: 3

based on my study/reading info, the LC is a collector also function as normalizer log.
in my case, when the LC act a normalizer? because:

1. after turn on collector, there is no dashboard etc
2. eg: LPA, the configuration for normalizer at the DLP not inside the LC

Thanks for your response.

Regards,

Mohamed

Hi,

I’m intressted in implementing the SMS feature through LogPoint. However, to activate this functionality, I need an SMS hosting service. Could you tell me if LogPoint offers an SMS hosting service ? If so, what is the procedure to set up this feature ? If LogPoint doesn’t provide SMS hosting, could you recommend a good SMS hosting service, compatible with LogPoint ?

Thank you in advance.

Siawash,

Hi,

I had added a device into the logpoint and I have done all the steps of this documentation Devices — Data Integration latest documentation (logpoint.com) .

However, the logpoint didn’t collect any log from this host. In addition I checked in this host and I didn’t find lpagent. Could you please tell why it not works ? And what should I do ?

Regads,

Siawash

Email has become an indispensable part of our lives, and the need for heightened cybersecurity awareness has never been more critical. Phishing attacks are among the most common and insidious threats to our online security.

Here are some eye-opening facts that underscore the extent of this global issue.

💰 Shockingly, cybercriminals invest significant sums daily, ranging from $200 to $1000, to orchestrate intricate phishing campaigns, underscoring the immense resources allocated to compromising your security.

🔐 Disturbingly, statistics reveal that over the past six months, users reported phishing attempts only 11.3% of the time. This alarming figure highlights the need for proactive measures against these threats, as a significant number of malicious attempts go unreported.

🚫 The good news is that tech giants like Google are at the forefront of the fight against phishing. They actively thwart around 100 million phishing emails daily, providing a robust defense against these nefarious attacks.

Protect your organization's integrity and safeguard your personal information by delving into our comprehensive guide on how to investigate and respond to email threats effectively 📩

Read the full article here: https://www.logpoint.com/en/blog/emerging-threat/email-investigation-and-response-using-logpoint/

Warning ! Detect, respond, and manage this active ransomware with Converegd SIEM, AgentX, and SOAR automation playbooks.

Emerging Threats Protection Report
Not Too Cozy: Cozy Bear

What you get:

• Introduction to Cozy Bear
• Free download report from our Security Research team.
• Playbooks: Automate your way to protecting against Cozy Bear.
• How can you leverage your Converged SIEM against Cozy Bear? Download the report.

Here is why this is important. Some Cozy Bear background info:

Fast Facts:

🔍 Aliases : The Dukes, APT-29, Cozy Bear, or Nobelium - whatever you call them, they're the same. We'll use these aliases interchangeably throughout the blog and report.

🌐 A Notorious Background : The Dukes, believed to be linked to Russia's Foreign Intelligence Service (SVR), are a formidable cyber espionage group. Their targets? Governments, NGOs, businesses, think tanks, and other high-profile entities through sophisticated spear-phishing campaigns.

🤺 Unconventional Tactics : The Dukes are known for their unconventional techniques, employing HTML Smuggling and malicious ISO images to deliver malware while slipping past security measures.

🇺🇸 Political Intrigue : APT-29 made headlines by targeting political entities, gaining notoriety for hacking the Democratic National Committee during the 2016 U.S. presidential election.

🌌 SolarWinds Shockwave : APT-29's most significant operation was its involvement in the 2020 SolarWinds supply-chain attack, which compromised multiple sectors of the U.S. government. This event showcased their capabilities and sophistication, making them a force to be reckoned with.

Knowledge is your shield in the ever-evolving world of cybersecurity. With Logpoint's expert analysis, you're not just informed; you're equipped to face the challenges of the digital age head-on.

Join us in the quest for cyber resilience. Dive into the report and fortify your defenses against APT29 and its aliases and read the full report below 🌐

Hi there

We have Created a ODBC enrichment Source to use a SQL Database for enrichment.
It is all setup on the source side and seems to be working.
But when I then go onto the Director console to add said source in a Enrichment Policy, the source is not there to select, all the other sources are but this one is not.

Has anyone experienced this before?

Hello all,

I am looking for a way to publish a dashboard to the public API. Does anyone know if this is possible?

As it stands I have managed to publish individual dashboard widgets to the public API but I would prefer to share the whole dashboard with 1 URL.

Thanks

Hi All,

We do have different clients and we want to create a real time monitoring system.

Is it possible to integrate it on Grafana, if yes do you have any idea how?

i know that monitoring through email is possible but we want a centralized monitoring system

Thanks

I need to create a query to export the results with the following criteria, but unsure how to write the query.

I want to list every end device by hostname (including all end devices fed by Windows event collectors, not reported as the WEC) and then all the event codes (unique) collected from that device in ascending order.

Can someone please point me in the right direction

Hello,

I have an archive server were I store some syslog/json logs on. I wonder If It’s possible to send over som of  these to LogPoint?

Is It possible manually to transfer over some of the logs from the archive → Logpoint AIO? Like use scp or something else.

I dont find any related documentation related to this.

Hi,

I would like to know if it is possible to find the log that show the expiration date of Microsoft office 365 account ? If yes, could you please tell me how can I find it ?

Regards,

Siawash

Hi.

We have implemented Agent X into our systems, and we are observing Applocker Events with Agent X.
Now our customer would like a dashboard for these Event.
And I was not sure how to go about creating these Dashboards.
How can I make a dashboard specifically for the Eventviewer logs.

Cheers Mike

Hello,

I would like to search a query to know the volume of data per day collected in my Logpoint.

Thanks a lot

Hello everyone,
Being searching LP blogs and community to see if we have any detection rules for P2P network connections. Came out there is a rule to finding P2P applications but nothing of useful to find the network connection. Any tips or suggestions in building a P2P detection will be much appreciated.

Thanks

I’m thinking of onboarding internal DHCP logs. But I don’t quit know yet If it’s a good way to go.

I’m also in the progress of onboarding ISE logs, for authentication monitorering. Is It possible to correlate DHCP logs with ISE logs?

How about use-case related to DHCP logs? Looking at the built in alert rules there was only few use-cases related to DHCP.
I think more about rouge DHCP server and so on.

Does anyone have experience about DHCP logs and the the ability to correlate these with other logsources to get MAX out of It.

Thanks!

Fast Facts

• With over 500 million users worldwide, WinRAR is the world’s most popular compression tool!

• CVE-2023-38831 , named ‘RARLAB WinRAR Code Execution Vulnerability is an arbitrary code execution vulnerability on WinRAR, with a CVSS score of 7.8

• CVE-2023-38831 vulnerability has been patched in the latest version of WinRAR and the vulnerability resides on versions prior to 6.23.

• Threat Actors have been targeting this vulnerability to deliver malware such as Agent Tesla, GuLoader , Remcos , and Darkme .

Curious to read more and understand how Logpoint’s platform can assists analysts in detecting and responding to security issues? Read the full article on Logpoint’s blog here: WinRAR – Decompression or Arbitrary Code Execution