SIEM - Searching & Analytics

Hi Team, currently, my customer could only join two streams of data at maximum using join queries from pattern-finding expressions. Are there any recommended queries we can use two join more than two streams of data?

I understand that creating tables and using process lookup commands is one way of doing this , but creating multiple tables and populating them one by one and then using it in the query is a hassle I would not want my customer to go through. So is there some native support in the query itself for performing these multiple joins at once?

Is there any way to export CSV enrichment sources? From time to time these files are lost and it is a hassle to recreate.

Hello!

I am receiving logs from SNMP, but the field names are incremental in nature, which have the same values as the incremental value. For an example:

oid_hierarchy_value_1 = 1

oid_hierarchy_value_2 = 2

oid_hierarchy_value_3 = 3

How can I go about extracting these fields from the logs so that I can do chart sum, average, and so on?

For now, I don’t see any native option which enables me to update a list at regular interval. Because of this, I need to always run the same query regularly to update the dynamic list with new data. Is there a better approach ?

A MSSP partner is planning is to run a lightweight LogPoint collector VM at each of their customers, and then setting up the main LogPoint servers with compute and storage at their end. They will have the Open Door tunnel open to the LogPoint Collectors, but won't be able to expose the customer's Domain Controller/LDAP publicly. Therefore, the LogPoint Collector needs to collect the LDAP enrichment data from the local DC, instead of the main LogPoint server.

Is there a way of making this happen without engineering changes, such as by redirecting the main server's LDAP query through the tunnel somehow, or by the collector fetching something to a file to then send across?