Welcome to Logpoint Community
-
Incident Reporting Overview with Search Query
Hi,
I have been looking into how to get an overview of actions taken by a Security Analyst while using the Incidents view on Logpoint.
Therefore I have created this search query to get an overview of incidents and actions.
Repository to be searched on is _LogPoint
incident_id = * | chart count() by incident_id, log_ts, alert_id, status, action, user, alert_name, comment order by incident_id, log_ts asc
Hope this could be useful.
Best Regards,
Gustav
-
Enrich DHCP Logs, With ISE Cisco Logs. To see Switchports
Hi there.
So we have an alert rule that alerts us when an unknown and new device leases a DHCP address, to prevent unwanted physical access.
Now we wanted to enrich said DHCP log by adding information from our ISE/switch logs, so that when we get the incident from the alert rule, we also see which switch and switchport this unknown device is hanging at.
We are pretty sure that should be possible, but I haven't figured out how yet.
Cheers, Mike Furrer
-
Rename a case within a Playbook?
Hi folks,
Another cases and playbooks question - is there a way to update the name of an existing case item from within a Playbook?
By default, we are generating cases with just the incident ID for identification, but we’d ideally like to be able to update the name of the case once some additional playbooks have run.
We already have a way to get the case ID etc., it's just the renaming part we're stuck on. Is this possible?
-
Idea Portal. Update on visibility and not only
We recently updated our Idea Portal to bring even more privacy and freedom in sharing ideas. For example, it no longer shows the names of the users who voted for an idea, or even the names of the users commenting on it. That should help to preserve anonymity even when ideas are created from a support ticket.
Our team plans to continue improving the experience of all "ecosystem" resources like the Idea Portal, Service Desk and so on, so we appreciate any feedback from the community about this change or any other potential changes. Please feel free to comment there or via any other channel.
NB: a limited set of Logpoint employees (product managers with sufficient permissions) can still see the names of commentators in the back office of the Idea Portal, to enable direct dialogue on any specific feature scenario to be discussed outside the Idea Portal.
-
Detecting devices that are not sending logs
Receiving logs is one of the core features of having a SIEM solution, but in some cases logs are not received as required. In our newest KB article, we dive into how to monitor log sources using Logpoint alerts to detect when no logs have been received on Logpoint within a certain time range.
To read the full article, please see the link below: https://servicedesk.logpoint.com/hc/en-us/articles/5734141307933-Detecting-devices-that-are-not-sending-logs-
-
Update case with output from Playbook
Hi folks,
Is there a way to update a case with the output of a Playbook?
For example, if I have a Playbook that checks an IP Reputation, is there any way I can get the Playbook to update the case to display the reputation response as an actual Case Annotation or something of the sort?
-
Passing parameters within a Playbook Trigger?
Hi folks, I’m trying to set up a Playbook Trigger, but wanted to potentially pass through parameters for it.
The setup is as follows:
- Alert is triggered
- Playbook Trigger runs based on matching alert_id
- Playbook generates case data and runs additional actions/playbooks.
I would (ideally) like the Playbook Trigger to pass details from the incident to the Playbook it is linked to.
Is this something that’s possible from the Trigger directly, or do I need to use a Query/another action within the Playbook to try and extract the info I need?
On that note, is there an easy way to get data from the incident that triggered the alert within the playbook itself?
-
LogPoint SIEM HDFS support and configuration
Hi,
Does Logpoint support HDFS to store data, e.g. on a DELL ECS object storage?
If yes, how should this be configured according to best practice?
Thanks.
Best Regards,
Johann
-
Understanding file_keeper Working and Configuration
The `file_keeper` service, primarily used for storing raw logs and then forwarding them to be indexed by the `indexsearcher`, is often used in its default configuration. However, in some real-life situations this might not be sufficient to deal with the type and volume of logs being ingested into LogPoint, hence tuning is required. In our newest KB article, we guide you through exactly how to do it.
For more details, please read the full article on the link below:
-
Where to find details about the types of logs that can be collected from different devices
Hi,
I want to know about all the data/logs that can be captured by LOGPOINT SIEM from different devices. For a Firewall, the Logpoint SIEM captures syslog. So how about the other supported devices/sources such as workstations/switches, and where on the Logpoint site/portal can we find this info?
Actually, we want to list out the details for every device so that it is easy for us to forward logs to Logpoint SIEM.
-
Integrating the logs from kaspersky
We need to send the Kaspersky logs into Logpoint. We have configured Kaspersky to send events to the Logpoint machine through syslog port 514 with protocol UDP, but it does not send the logs. Need help.
-
User account privileges escalation
Is there a method, or can there be a method, where you can set your user accounts in Logpoint as standard accounts, and when someone needs to complete an administrative task a ticket/token can be raised with a time-frame limit, where a manager/third person can either approve or reject the request to escalate the user account from standard to admin? For account tracking and better account visibility. Just as in the Microsoft 365 security or MDE security portal.
-
Release of CloudTrailv5.1.0
Dear all,
We're happy to share the public release of CloudTrail v5.1.0.
Please see the details on the link below:
https://servicedesk.logpoint.com/hc/en-us/articles/360000219549
-
New applications available with Logpoint v.7.1.0.
Hi All,
We're happy to share that we have released the following applications on the Help Center:
- Experimental Median Quartile Quantile Plugin v5.0.0
- Vulnerability Management v6.1.1
- Lookup Process plugin v5.1.0
- Logpoint Agent Collector v5.2.2
- Universal REST API Fetcher v1.0.0
All applications have been bundled in Logpoint v7.1.0 and are available out of the box.
-
A Spool’s Gold: CVE-2022-21999 – Yet another Windows Print Spooler Privilege Escalation
Hi All,
SpoolFool, also known as CVE-2022-21999, is a local privilege escalation flaw in the Microsoft Windows print spooler service, which controls print operations. Read Logpoint's take on it, along with detailed steps to protect your organisation, in the article below, written by Nilaa Maharjan.
-
Top 5 SOAR use cases
Analysts are constantly swamped with alerts, and to deal with this they have to rely on repetitive manual tasks. This is like putting water on an oil fire, making the situation much worse and more time-consuming.
SOCs need a solution that enables them to manage and prioritize their workflow efficiently by giving them the ability to collect security threat data and alerts from multiple sources. This is where Logpoint steps in.
Previously we identified the top use cases for SIEM. This time, here are five common SOAR use cases that every organization should implement to reduce alert fatigue and overload, and subsequently increase the productivity of your SOC team.
01 Automated alert triage and enrichment
02 Endpoint malware mitigation
03 Automated Phishing Investigation and Response
04 Automated Threat Intelligence management
05 Ransomware mitigation
To read the full story, follow the link below: https://www.logpoint.com/en/blog/top-5-soar-use-cases/
-
Monitoring Alerting Services
Hi All,
Alerting is one of the core features of Logpoint. In the article below we have collected a compact list of the precautions that can be taken to ensure that alerting runs smoothly, and what to do if you realize the alerts weren't triggered.
To read the full article, please follow the link below:
https://servicedesk.logpoint.com/hc/en-us/articles/6013024248093-Monitoring-Alerting-Service
-
Common Issues in Normalized logs
Hi All,
Our latest KB article discusses common issues where logs seem normalized (both norm_id and sig_id are present), but some problems prevent them from being used in analytics.
To read the full article, please follow the link below:
https://servicedesk.logpoint.com/hc/en-us/articles/5830850414493-Common-Issues-in-Normalized-logs
-
Resolving timestamp related issues in Normalization
Hi All,
Sometimes we face an issue like an alert not being triggered or a dashboard widget not being populated. There could be many possible reasons. Among them, one is a huge time gap between log_ts and col_ts. In this article, we discuss some of the possible causes and share tips and tricks to solve this.
Please see the link to the article below :)
-
max amount of Repos
Hello Guys,
Is it possible to use/create only 16 repositories per LogPoint environment?
What if I would like to separate my data into 30 different repositories for management and access-right purposes? Is there a way to do that, and are there benefits or drawbacks in this situation?
Thanks in advance.
BR,
Sascha
-
New in Knowledge Base
Hi All,
I would like to draw your attention to a recently released KB article discussing the things that need to be looked into if the connection from the collector to the backend server isn't being created while working with distributed Logpoints.
To read the full article, please follow the link below:
-
Show Alert Detail within the search
Hello Guys,
Is there a possibility to show the "Alert Details" within a search, so we can execute filtering and combine it with other searches to get a special report on this information?
Alert Details
-
Search for configuration within the search bar
Hey,
I am searching for a possibility to return the configuration of defined alert rules in the Logpoint search tab.
Background: I would like to report on incidents which are created by alert rules for a specific user group. We have several test alarms which are "managed" by another user and which should not appear in the report. So I have to combine the configuration of the alert rules with the results of "repo_name="_logpoint" action="Alert received" | chart count() by alert_name, risk_level".
Unfortunately I could not find a way to bring up the alert rule configuration with a search and combine the result with another search to narrow down the alert rules which I need to report on. (I don't want to do that manually by hand by typing the names in the search.)
I came up with this idea because I have done such things with Splunk in the past. (It was like an API call within the search bar to return internal configuration parameters.)
Is it even possible to get the configuration of the XXX back as a json/xml (or other) string?
Thanks in advance.
BR,
Sascha
-
Introducing /logpoint Playbook Explorer
Hi All,
Have you ever found yourself asking the following questions while using /logpoint SOAR?
- What do I need to do to run a specific playbook?
- What playbooks can I run with my current set of integrations?
- What integrations should I get to run a specific playbook?
In case the answer is yes, we have exciting news. We are pleased to announce the launch of /logpoint playbook explorer, a compact tool that helps you maximize the security value of your integrations and SOAR playbooks.
For your convenience, we have also created a short walk-through video attached below.
You can access /logpoint playbook explorer via the link below:
https://docs.logpoint.com/playbook-explorer
Should you have more questions, do not hesitate to reach out to us here or via customersuccess@logpoint.com
-
New in KB: Addressing delayed Logs and its uncertainty with /logpoint.
Hi All,
We are delighted to share our latest KB article addressing the difference between two fields in logs, log_ts (event creation time) and col_ts (event ingestion time in Logpoint), and how they can alter the expected behavior of Logpoint services. You can access the article via the link below:
-
New in KB: How to use NFS storage as backup directory?
Hi All,
We are excited to share a new knowledge base article guiding you through the steps on how to use NFS storage as a backup directory. You can access it through the following link: https://servicedesk.logpoint.com/hc/en-us/articles/5068106299805-How-to-use-NFS-storage-as-backup-directory-
-
Threat Intelligence - What are your experiences / do you have recommendations?
Hello,
I just wanted to "pick the brains" of my fellow LP community members regarding TI. Is anyone here actively using the Threat Intelligence feature of LogPoint and/or has any recommendations and experiences on the matter? Personally I think it could be a very valuable part of a LogPoint environment to increase the detection capabilities, but I have not been able to set it up in a way that would be really beneficial.
This is mainly due to the fact that I haven't been able to find a decent (free) TI feed, and to my mind the value of TI stands and falls with the quality of the feed data.
Most of my customers have their firewalls, spam and web filter devices and mostly even their centralized AV solution sending their logs to LP. Setting up monitoring of DNS requests wouldn't be a problem either. So I think we have enough visibility into the network traffic. Having a decent TI feed could allow us to compare these logs against known IoCs (IPs, hostnames, email addresses) and take a look at endpoints that have visited known malware URLs (spreading malware, being C2C servers etc.) or have received emails from known bad hosts in the past. You could then take a closer look at these endpoints to see if they could have been compromised.
However, I have tried several freely available TI feeds, but none of them had the quality to be actually useful. Most had a lot of false positives, as the feeds are not updated regularly or have very outdated information. Additionally, these feeds also had a lot of false negatives (IPs and URLs which had been blocked by Google for days were not included yet). None of my customers has the manpower to sift through hundreds of incidents a day just to find out the IoC is actually from a malware campaign from 2020.
What are your experiences with TI feeds, paid or unpaid? I have to admit that, due to the rather poor experiences with free feeds, I did not look into any paid feeds (though I am trying to find the time to take Recorded Future for a test ride :-) I think they still have a demo offer).
Does anyone of you have a recommendation for a feed? Are paid feeds worth their money, and how much do they roughly cost?
Regards
Andre
-
SOAR VirusTotal API integration
Hi, Is anyone using the VirusTotal integration into their SOAR?
I was all for getting it set up until I saw that you cannot use the free Public API in a commercial product. "The Public API must not be used in commercial products or services." ( https://developers.virustotal.com/reference/public-vs-premium-api )
So, is anyone using the Premium API? And is it really $10,000 per year?
Or are you sticking to the Public API and hoping not to get blacklisted?
Cheers
-
Emerging Threats: ChromeLoader
Our research team has been taking an in-depth look at ChromeLoader, an innocent-looking malvertiser that masquerades as a cracked game or a pirated movie, sometimes placed on social media.
Read here ⇉ https://bit.ly/3N2vHEo and download the report here ⇉ https://bit.ly/3tRZZDc to ensure you're taking the best steps to remain protected.
-
FortiMail Logs not Correctly Separated into Multiple Lines
We recently added a FortiMail appliance as a log source to one of our Logpoints and now see an issue during collection and normalization.
It seems that FortiMail is sending the log messages without separating the single messages with a newline, NULL termination or anything else. Thus the syslog_collector reads from the socket until the maximum buffer length is exceeded.
So we get a maximum-length raw log message (10k characters, which then breaks in the middle of a log message) that contains up to 30 or 40 single log messages written one after the other. The normalizer then normalizes only the first message and discards the rest.
Here is a shortened example of how this looks:
550 <6>date=2022-06-20 time=07:24:11.992 device_id=[...]553 <6>date=2022-06-20 time=07:24:11.992 device_id=[...]479 <6>date=2022-06-20 time=07:24:11.992 device_id=[...]324 <6>date=2022-06-20 time=07:24:12.279 device_id=[...]
Is there a way to resolve this issue?
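The sample stream above has the shape of RFC 6587 octet-counting framing (a decimal byte count, a space, then the syslog message), so a collector that expects newline-delimited messages will see one long run. The following is an added example, not code from the original post or from Logpoint, of how such a TCP stream can be split into single messages while tolerating a read boundary falling in the middle of a frame; the sample records, their device_id and the read sizes are constructed placeholders.

```python
"""Added example (not from the original post): split a TCP syslog stream that
uses RFC 6587 octet-counting framing ("<len> <msg>") into single messages."""
import re

# Octet-counting frame header: decimal length, one space, then the message bytes.
_HEADER = re.compile(rb"^(\d{1,5}) ")

def split_octet_counted(buf: bytes):
    """Return (messages, leftover). `leftover` holds an incomplete trailing
    frame (e.g. when the collector's buffer cut a record in half) and must be
    prepended to the next read from the socket."""
    msgs = []
    while buf:
        m = _HEADER.match(buf)
        if not m:
            if len(buf) < 7 and buf.isdigit():
                break  # the header itself is split across reads
            raise ValueError("stream is not octet-counted: %r" % buf[:20])
        length, start = int(m.group(1)), m.end()
        if len(buf) < start + length:
            break  # partial frame: wait for more data
        msgs.append(buf[start:start + length])
        buf = buf[start + length:]
    return msgs, buf

def frame_messages(chunks):
    """Feed successive socket reads through the splitter, carrying leftovers."""
    out, pending = [], b""
    for chunk in chunks:
        msgs, pending = split_octet_counted(pending + chunk)
        out.extend(msgs)
    return out, pending

# Constructed sample: three FortiMail-style records (placeholder device_id),
# with the second record deliberately split across two socket reads.
_M1 = b"<6>date=2022-06-20 time=07:24:11.992 device_id=FE_PLACEHOLDER msg=first"
_M2 = b"<6>date=2022-06-20 time=07:24:11.992 device_id=FE_PLACEHOLDER msg=second"
_M3 = b"<6>date=2022-06-20 time=07:24:12.279 device_id=FE_PLACEHOLDER msg=third"
def _frame(msg: bytes) -> bytes:
    return str(len(msg)).encode() + b" " + msg
STREAM = _frame(_M1) + _frame(_M2) + _frame(_M3)
_CUT = len(_frame(_M1)) + 40          # read boundary inside the second frame
SAMPLE_READS = [STREAM[:_CUT], STREAM[_CUT:]]

if __name__ == "__main__":
    messages, rest = frame_messages(SAMPLE_READS)
    for m in messages:
        print(m.decode())
    print("leftover bytes:", len(rest))
```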