Welcome to Logpoint Community

Connect, share insights, ask questions, and discuss all things about Logpoint products with fellow users.

  • BLACKLIST_COUNTRY

    Hi !

    I would like to create a widget with all connections from a blacklisted country. But I don’t know if it is possible or not!

    I would like to know if that is possible or not. If it is possible, could you please tell me how I can get a list like that?

    Thanks in advance

    Looking forward to reading you

    Micropole
  • Incident Management - Is it possible to automatically close cases ?

    For our customer we currently have several alerts implemented. The customer has a rather small security team only interested in receiving email notification whenever an incident is triggered. So, the built-in incident management of LogPoint is not used at all and I delete all open cases on a regular basis.

    However, for auditing reasons, for some incidents posing a major risk they would now like the security personnel to use the incident management system by LogPoint and want them to resolve the cases there. All other incidents should, if possible, not be visible to them.

    Right now, I would assign these high-risk alerts to the security personnel so that they are able to read and resolve them within LogPoint. Incidents with a lower risk would be assigned to me or a dummy group, and I would continue to regularly delete them manually.

    But I am wondering whether there is a better way: Does triggering an alert automatically have to create an incident, or is it possible to configure that only alerts with a specific risk level create incidents?

    Also, is there a way to automatically close and resolve open incidents so I do not have to do this manually anymore?

    Regards

    Andre

    Andre Kurtz
  • A crowning achievement: Exploring the exploit of Royal ransomware

    Hi All,

    We are excited to share our latest blog written by Logpoint Security Researcher, Anish Bogati this time about Royal Ransomware, and the means to detect, investigate and respond to it with the help of Logpoint.

    To read the full article, please follow the link below:

    https://www.logpoint.com/en/blog/exploring-the-exploit-of-royal-ransomware/

    CSO Integrations
  • Formula to calculate first alert rule search time range

    Is there a formula by which the first search time range (from/to) of a newly created alert rule could be calculated?

    For example, if I create a new alert rule with 24 hours time range NOW (e.g. at 10:00 AM), the first search will run between yesterday 6:00 AM and today 5:00 AM. Naively, I would have expected the search to run from yesterday 10 AM to today 10 AM.

    If I create an alert rule that has e.g. 5 minutes search time range, then the first search runs about 25 minutes to 20 minutes before the alert rule is activated.
    So the search time range of the alert rule search varies depending on the alert rule time range.

    Since I am developing an alert rule test environment that activates alert rules and ingests pre-made logs, it would be significant to set the timestamps in these pre-made logs so that they occur in the time range of the first search run of the alert rule.

    So the question is whether there is a formula for this with which I can determine in advance the time period in which the alert rule search will run.

    Markus Nebel
  • Interesting article about the Universal REST API Fetcher Configuration with Atlassian Confluence

    Hi All,

    We are excited to share the below article focusing on configuring the Universal REST API Fetcher with Atlassian Confluence. In the article, you can read about the start-to-end procedure of the configuration including some of the known limitations and considerations to keep in mind.

    Read the full article below:

    https://servicedesk.logpoint.com/hc/en-us/articles/8140063415325-Universal-REST-API-Fetcher-Configuration-with-Atlassian-Confluence

    CSO Integrations
  • Indexsearcher write.lock Issues?

    Has any of you seen errors during running a search over a larger time range (+24 hours) from the indexsearchers reporting a missing “write.lock” file?

    Here is an example log of such a case:

    2022-12-11_00:00:45.94320 00:00:45.943 [pool-1-thread-3] WARN c.i.shared.lib.logging.util.LogUtil - Exception occurred during index closing;2022/08/11/1660176000
    2022-12-11_00:00:45.94330 00:00:45.943 [pool-1-thread-3] WARN c.i.shared.lib.logging.util.LogUtil - Exception occurred during index closing;2022/08/09/1660003200
    2022-12-11_00:00:45.97880 java.nio.file.NoSuchFileException: /opt/makalu/storage/indexes/M365/2022/08/11/1660176000/write.lock
    2022-12-11_00:00:45.97888 at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86)
    2022-12-11_00:00:45.97888 at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
    2022-12-11_00:00:45.97888 at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
    2022-12-11_00:00:45.97889 at sun.nio.fs.UnixFileAttributeViews$Basic.readAttributes(UnixFileAttributeViews.java:55)
    2022-12-11_00:00:45.97889 at sun.nio.fs.UnixFileSystemProvider.readAttributes(UnixFileSystemProvider.java:144)
    2022-12-11_00:00:45.97890 at sun.nio.fs.LinuxFileSystemProvider.readAttributes(LinuxFileSystemProvider.java:99)
    2022-12-11_00:00:45.97891 at java.nio.file.Files.readAttributes(Files.java:1737)
    2022-12-11_00:00:45.97892 at org.apache.lucene.store.NativeFSLockFactory$NativeFSLock.ensureValid(NativeFSLockFactory.java:177)
    2022-12-11_00:00:45.97892 at org.apache.lucene.store.LockValidatingDirectoryWrapper.createOutput(LockValidatingDirectoryWrapper.java:43)
    2022-12-11_00:00:45.97892 at org.apache.lucene.index.SegmentInfos.write(SegmentInfos.java:516)
    2022-12-11_00:00:45.97892 at org.apache.lucene.index.SegmentInfos.prepareCommit(SegmentInfos.java:809)
    2022-12-11_00:00:45.97893 at org.apache.lucene.index.IndexWriter.startCommit(IndexWriter.java:4439)
    2022-12-11_00:00:45.97893 at org.apache.lucene.index.IndexWriter.prepareCommitInternal(IndexWriter.java:2874)
    2022-12-11_00:00:45.97893 at org.apache.lucene.index.IndexWriter.commitInternal(IndexWriter.java:2977)
    2022-12-11_00:00:45.97893 at org.apache.lucene.index.IndexWriter.commit(IndexWriter.java:2944)
    2022-12-11_00:00:45.97893 at com.logpoint.indexsearcher.indexer.ImmuneIndex.closeAll(ImmuneIndex.java:179)
    2022-12-11_00:00:45.97894 at com.logpoint.indexsearcher.indexer.IndexManager.deleteExtraIndexer(IndexManager.java:1147)
    2022-12-11_00:00:45.97894 at com.logpoint.indexsearcher.indexer.Indexer.checkPartition(Indexer.java:134)
    2022-12-11_00:00:45.97894 at com.logpoint.indexsearcher.indexer.Indexer.createPartition(Indexer.java:347)
    2022-12-11_00:00:45.97894 at com.logpoint.indexsearcher.indexer.Indexer.index(Indexer.java:266)
    2022-12-11_00:00:45.97894 at com.logpoint.indexsearcher.indexer.MultiThreadedRunnableIndex.index(MultiThreadedRunnableIndex.java:148)
    2022-12-11_00:00:45.97894 at com.logpoint.indexsearcher.indexer.MultiThreadedRunnableIndex$IndexingThread.run(MultiThreadedRunnableIndex.java:323)
    2022-12-11_00:00:45.97895 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    2022-12-11_00:00:45.97895 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    2022-12-11_00:00:45.97895 at java.lang.Thread.run(Thread.java:748)
    2022-12-11_00:00:45.97908 java.lang.RuntimeException: /opt/makalu/storage/indexes/M365/2022/08/11/1660176000/write.lock
    2022-12-11_00:00:45.97910 at com.logpoint.indexsearcher.indexer.Indexer.createPartition(Indexer.java:378)
    2022-12-11_00:00:45.97911 at com.logpoint.indexsearcher.indexer.Indexer.index(Indexer.java:266)
    2022-12-11_00:00:45.97911 at com.logpoint.indexsearcher.indexer.MultiThreadedRunnableIndex.index(MultiThreadedRunnableIndex.java:148)
    2022-12-11_00:00:45.97911 at com.logpoint.indexsearcher.indexer.MultiThreadedRunnableIndex$IndexingThread.run(MultiThreadedRunnableIndex.java:323)
    2022-12-11_00:00:45.97911 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    2022-12-11_00:00:45.97911 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    2022-12-11_00:00:45.97912 at java.lang.Thread.run(Thread.java:748)
    2022-12-11_00:00:45.97927 00:00:45.979 [pool-1-thread-3] ERROR c.i.shared.lib.logging.util.LogUtil - IndexingThread; indexingThread; /opt/makalu/storage/indexes/M365/2022/08/11/1660176000/write.lock
    2022-12-11_00:00:48.00775 Exception in thread "Thread-1" java.lang.RuntimeException: java.nio.file.NoSuchFileException: /opt/makalu/storage/indexes/M365/2022/08/11/1660176000/write.lock
    2022-12-11_00:00:48.00777 at com.logpoint.indexsearcher.indexer.SaveOnShutdown.run(SaveOnShutdown.java:21)
    2022-12-11_00:00:48.00789 Caused by: java.nio.file.NoSuchFileException: /opt/makalu/storage/indexes/M365/2022/08/11/1660176000/write.lock
    2022-12-11_00:00:48.00790 at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86)
    2022-12-11_00:00:48.00790 at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
    2022-12-11_00:00:48.00790 at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
    2022-12-11_00:00:48.00790 at sun.nio.fs.UnixFileAttributeViews$Basic.readAttributes(UnixFileAttributeViews.java:55)
    2022-12-11_00:00:48.00791 at sun.nio.fs.UnixFileSystemProvider.readAttributes(UnixFileSystemProvider.java:144)
    2022-12-11_00:00:48.00792 at sun.nio.fs.LinuxFileSystemProvider.readAttributes(LinuxFileSystemProvider.java:99)
    2022-12-11_00:00:48.00792 at java.nio.file.Files.readAttributes(Files.java:1737)
    2022-12-11_00:00:48.00792 at org.apache.lucene.store.NativeFSLockFactory$NativeFSLock.ensureValid(NativeFSLockFactory.java:177)
    2022-12-11_00:00:48.00792 at org.apache.lucene.store.LockValidatingDirectoryWrapper.createOutput(LockValidatingDirectoryWrapper.java:43)
    2022-12-11_00:00:48.00793 at org.apache.lucene.index.SegmentInfos.write(SegmentInfos.java:516)
    2022-12-11_00:00:48.00793 at org.apache.lucene.index.SegmentInfos.prepareCommit(SegmentInfos.java:809)
    2022-12-11_00:00:48.00793 at org.apache.lucene.index.IndexWriter.startCommit(IndexWriter.java:4439)
    2022-12-11_00:00:48.00793 at org.apache.lucene.index.IndexWriter.prepareCommitInternal(IndexWriter.java:2874)
    2022-12-11_00:00:48.00793 at org.apache.lucene.index.IndexWriter.commitInternal(IndexWriter.java:2977)
    2022-12-11_00:00:48.00794 at org.apache.lucene.index.IndexWriter.commit(IndexWriter.java:2944)
    2022-12-11_00:00:48.00794 at com.logpoint.indexsearcher.indexer.ImmuneIndex.closeAll(ImmuneIndex.java:179)
    2022-12-11_00:00:48.00794 at com.logpoint.indexsearcher.indexer.IndexManager.close(IndexManager.java:145)
    2022-12-11_00:00:48.00795 at com.logpoint.indexsearcher.indexer.Indexer.shutdownIndexer(Indexer.java:206)
    2022-12-11_00:00:48.00796 at com.logpoint.indexsearcher.indexer.SaveOnShutdown.run(SaveOnShutdown.java:19)
    2022-12-11_00:00:48.79674 Starting indexsearcher_M365
    2022-12-11_00:01:10.64122 creating new msg retriever

    We see this often (3-4 times per week) but irregularly. Sometimes (as in the error log above) the indexsearcher is crashing and restarting, which “solves” the problem temporarily for a few hours or days.

    We expect that this also causes alert rules to not run properly.

    Markus Nebel
  • Merge Repos

    Hi all,

    we started using LogPoint and created repos for every device type. Now that we have 20+ repos I want to optimize this process and group devices by functionality (e.g. email, remote access). So my intention is to create a new repo for every functionality and modify the routing policies. I think this should work, but there is a great time span where I have to search in the “new” and the “old” repo because of retention times of 90 or more days.

    Is there a smart way to copy the content from one repo to another so that I can get the optimizing done in a short time and this will not take 90+ days?

    Best
    edgar

    Edgar Fast
  • Why this error message? '}'

    Hi,

    I come to you because I have an error when I execute the following query. Could anyone help me please?

    Here is my query:

    (MsWinEventLog OR norm_id=WinServer*) label=Object label=Access  (access_list=\"*4417*\" OR access=\"*WriteData*\") {{user},}, {{fileshare},}, {{path},},  -relative_target in SYSTEM_PATHS | rename relative_target as Object, share_path as Path |  chart count() by user, device_name, object_type,Path, Object | fields user, device_name, object_type, Path, Object

    and when I execute this query I receive this error message:

    Thanks in advance
    Looking forward to reading you

    Micropole
  • Logpoint Agent Collector v5.2.3 available now

    Hi All,

    The Logpoint Agent Collector v5.2.3 has been released publicly. For more information, please visit the links below.

    Release notes: https://servicedesk.logpoint.com/hc/en-us/articles/360020035977

    Documentation: https://docs.logpoint.com/docs/logpoint-agent/en/latest/

    CSO Integrations
  • Hunting and remediating BlackCat ransomware

    Known by many names, including ALPHV, AlphaV, ALPHVM, and Noberus, BlackCat ransomware made headlines for its successive attacks on high-profile targets. Like Black Basta and Lockbit , it also operates under the Ransomware-as-a-Service (RaaS) model and uses double and sometimes triple extortion techniques.

    BlackCat uses its public leak site to intimidate victims, where anyone can search and access the leaked victim information easily. The highest ransom they have demanded so far is $14 million and it’s speculated that it has similarities with ransomware families like Darkside, Blackmatter, and REvil in regard to the tools, filenames, and techniques they use. To read more about means of protecting your organisation against Black Cat, read our blog on the link below.

    https://www.logpoint.com/en/blog/hunting-and-remediating-blackcat-ransomware/#detecting-blackcat

    CSO Integrations
  • Support Connection GDPR compliance

    Hi,

    can anyone point me to terms & conditions describing compliance with GDPR regarding LogPoint support access using Support Connection functionality in LogPoint & Director? Or description what data can be accessible by support?

    Best Regards,

    Piotr

    Piotr Moroz
  • Count number of entries in Dynamic list

    How can we count number in entries in dynamic list?

    CSO Integrations
  • Adding a Search Template

    Hi,

    I would like to add a new parameter template. But when I add the new parameter it doesn't work (for example when I add source_address it doesn't work). I would like to know why?

    Thank you in advance for your help.

    Micropole
  • Split same field values into two fields.

    If I have an event_category= User, Logon. I want to be able to create new fields (e.g. X, Y) and present data like X=User and Y=Logon. What would be the query to showcase this in the result?

    Aaditya Khati
  • Delete an entry from Table

    I have a table that is populated frequently using query scheduled in the report. I am trying to remove an entry from the table.

    How can this be achieved?

    CSO Integrations
  • Add more Information to a Report

    Hi there,

    I’m new to using Logpoint, so I need some help for a search I would like to do. I would like to add some more information to the search “Top 10 User in Failed Kerberos Authentication”: there I would like to add on which workstation the user has tried to log on.

    Carsten Dieckhoener
  • How to create a case from incident with in-built soar?

    I have a requirement of creating cases from incident tabs. Can I get a reference to creating cases from incidents?

    Aaditya Khati
  • Logpoint collector behind NAT

    Hi Community,

    We have a distributed collector in a remote location. We have established a Site-to-site VPN between locations. The scenario is that the IP Address of the collector is in NAT and mapped to a different IP than that of the actual host IP.

    For example, the system IP of the collector is 172.29.20.80 and the IP of the collector as seen by the remote Logpoint is 172.22.2.2.

    We have made the necessary configuration and ensured the Collector is visible in the Logpoint. However, the IP as recorded by Logpoint is the actual system IP (not the IP Logpoint should recognize it as). The issue is that the status is in the Inactive stage.

    Is this due to the difference in host IP and NAT address?

    CSO Integrations
  • AzureLogAnalytics released

    Hi All,

    AzureLogAnalytics is now released, enabling you to fetch and analyze Azure Log Analytics workspace logs.

    For downloading instructions and documentation, please visit the links below:

    Help Center: https://servicedesk.logpoint.com/hc/en-us/articles/360017971858

    Documentation: https://docs.logpoint.com/docs/azureloganalytics/en/latest/

    CSO Integrations
  • What's the use case for 'Add Global Parameters' action in SOAR 1.0.4?

    Hi folks,

    I was wondering if anybody could tell me what the use case is for the new ‘Add Global Parameters’ action added in SOAR 1.0.4? As far as I can see, any output parameter from an action is already accessible from any other?

    From my quick tests it doesn’t look like they pass down to Sub-playbooks either, so are they just meant as a quicker way to access the values within a playbook?

    I couldn’t find any documentation on this, so I was hoping someone else might know the answer.

    CSO Integrations
  • Display List Elements like Table?

    It is possible to use the search query

    Table TABLE_NAME

    to list the content of the table “TABLE_NAME”.

    But there seems to be no possibility to do the same with a list.

    Or did I miss something?

    Markus Nebel
  • Universal REST API Fetcher Release

    Hi All,

    We are excited to share the release of the new Universal REST API Fetcher.

    The Universal REST API fetcher provides a generic interface to fetch logs from cloud sources via REST APIs. The cloud sources can have multiple endpoints, and every configured source consumes one device license.

    For more details, please see the links below:

    Help Center: https://servicedesk.logpoint.com/hc/en-us/articles/6047943636253-Universal-REST-API-Fetcher

    Documentation: https://docs.logpoint.com/docs/universal-rest-api/en/latest/

    CSO Integrations
  • Delete files in storage folder with bash command

    Hi friends,

    I have the problem that the storage folder is now over 90% full.

    Now I wanted to empty the folder using bash commands directly in the disk notification and have applied the following to "Command:": find /opt/makalu/storage/ -type f -mtime +30 -delete

    Unfortunately without success, the folder grows and grows. Do you have a tip or a solution for this?

    Thank you in advance and kind regards

    René Szeli
  • Firewall Use Cases V1.0

    Hi All,

    In this second instalment of the Use Case catalogue series, we are focusing on Firewalls. Firewalls are a vital part of most organisations and enterprises today. In this Use case catalog you will find a collection of analytics available for firewalls in Logpoint SIEM for PaloAlto, Cisco, Fortinet and Check Point firewalls.

    Gustav Elkjær Rødsgaard
  • Hunting LockBit Variations using Logpoint

    LockBit has been implicated as the most active ransomware and has been involved in the most attacks compared to others of its kind. Read our latest blog by Anish Bogati & Nilaa Maharjan from Logpoint Global Services & Security Research on how Logpoint can help you to strengthen your security posture when it comes to LockBit ransomware.

    Link to the blog post:

    https://www.logpoint.com/en/blog/hunting-lockbit-variations-using-logpoint/

    CSO Integrations
  • Introducing: Certified Logpoint SOAR Training

    We are delighted to announce the launch of our new Certified SOAR User Training.

    Throughout the full day training session, a LogPoint Certified SOAR Expert will display and explain the features of the SOAR solution, look into real-world use cases, highlight best practices and how all the various blocks of Logpoint SOAR can be combined for maximum efficiency.

    The first course debuts on October 24th, and will recur monthly. (For the other upcoming dates, please see below.)

    For further inquiries about registration and pricing, please contact your local Logpoint representative or email to csz@logpoint.com

    Course Schedule Q4 2022 / Q1 2023:

    • Monday October 24th  9 AM-5 PM CET
    • Monday November 28th 9 AM-5 PM CET
    • Monday December 12th 9 AM-5 PM CET
    • Monday January 23rd 9 AM-5 PM CET
    • Monday February 20th 9 AM-5 PM CET
    • Monday March 20th 9 AM-5 PM CET

    For more information, please visit logpoint.com/LogpointAcademy

    *All courses are held online

    CSO Integrations
  • Save the date for ThinkIn 2023

    We are excited to announce the date for our ThinkIn 2023 conference for global Logpoint users and partners. Here’s some key info:

    Copenhagen, March 7-8, 2023 @Crowne Plaza Copenhagen Towers

    As we are currently working on the official agenda, we encourage you to share your ideas on what kind of workshops and keynotes you would like to participate in.

    All ideas are welcome in the comment section below or via email to customersuccess@logpoint.com .

    Participation is free of charge. So all you have to do is get to Copenhagen and find a place to stay. Simple!

    We are looking forward to seeing you.


    CSO Integrations
  • Introducing the Logpoint Use Case Catalog

    Focusing on one use case at a time, the Use Case Catalogue will guide you through the implementation of basic monitoring of specific log sources in a Logpoint SIEM platform. The first instalment of the Use Cases Catalog series, Active Directory Use Cases, is now available on the link below: https://community.logpoint.com/active-directory-13

    CSO Integrations
  • CSV Enrichment Source v5.2.0 is now publicly available

    Dear All,

    We are happy to share that we have released CSV Enrichment Source v5.2.0 publicly.

    The CSV Enrichment Source application enables you to use a CSV file as an enrichment source in LogPoint. The application fetches data feeds from a CSV file and enriches search results with the data.

    For further information, please visit the link below:

    https://servicedesk.logpoint.com/hc/en-us/articles/115003786109

    For detailed information about the implementation in Logpoint products, please refer to the articles below:

    CSO Integrations
  • Qualys vulnerability management integration

    Hello,

    We’re looking at integrating our Qualys VM scans into our Logpoint instance. I was hoping to pick someone's brain about this. Does this only work on singular Qualys accounts, or will it work on MSSP/Consultant editions?

    Many thanks,

    Brandon Akal
