LogPoint Technology Demo Lecture

May 30, 2024

Lecture: LogPoint Technology Demo by Tim Stratton

Overview

  • Purpose: Demonstration of LogPoint technology. Coverage of UEBA and SIEM aspects.
  • Agenda:
    • Collecting logs from various devices and normalizing them.
    • Enrichment with threat intelligence feeds.
    • Routing and storage policies.
    • Analytics and searching capabilities.
    • Automated responses, alerts, and incident management.
    • Paper-based reporting.

Log Collection and Normalization

  • Sources: Databases, endpoints, applications, printers, IoT, firewalls, etc.
  • Process:
    • Normalize log data (make it user-friendly).
    • Parse logs into fields: source/destination address, port, user, application, etc.
    • Label logs (e.g., network traffic message).

Enrichment and Routing Policies

  • Enrichment Example: Use of threat intelligence feeds to identify threats.
  • Routing Policies:
    • Store logs in different repositories based on type (e.g., firewall data versus Windows Server data).
    • Customizable storage durations (e.g., SSDs for 30 days, C4 disks for 1 year).
    • Key-value mappings that route logs containing sensitive user data to longer retention.

Analytics and Machine Learning

  • Searching and Correlation Rules: Accessible via the web interface.
  • UEBA Engine:
    • Feature: Machine learning-driven, rule-less approach.
    • Function: Baselines normal activity and flags anomalies.
  • Automated Responses: Corrective actions using SSH commands upon alert triggers.

Web Interface Overview

  • Sections Covered:
    • UEBA page for risk assessment and anomaly detection.
    • Real-time updates and user-specific drill-downs.

SIEM Dashboards and Customization

  • Dashboards: Pre-built templates for various products and compliance use cases.
    • Examples: PCI dashboards, threat intelligence data, Active Directory activities.
  • Customization: Different chart types available (donut, radar, column, pie).

File Integrity Monitoring

  • Feature: Monitors file and registry integrity without extra license costs.

Searching Capabilities

  • Search Methods:
    • Structured Search: Key-value pair based (e.g., source address = X).
    • Unstructured Search: Google-like search on raw log data.
  • Query Language: Same for dashboards, reports, alerts, and searches.

Reporting

  • Out-of-the-box Reports: Based on devices, compliance, and use cases.
    • Example: PCI compliance report.
  • Customization and Scheduling: Customizable charts, schedules (hourly, daily, weekly, monthly), and export formats (PDF, HTML, Excel, CSV).

Alerts and Incident Management

  • Preset Alert Rules: Vendor-specific, ready-to-use alerts (e.g., brute-force attacks).
    • Configuration: Use correlation rules to detect specific patterns.
    • Risk Ratings: Alerts can be assigned risk levels (high, medium, low).
    • Notifications: Email, SSH command execution, HTTP/SNMP notifications.
  • Incident Handling: Filter incidents, add comments, resolve statuses, and review data.
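As an added illustration (not from the lecture and not LogPoint's own code) of the normalization, structured key-value search, and brute-force correlation rule described above, the Python sketch below runs over constructed log lines; the log formats, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the lecture): one firewall allow, then
# repeated failed Windows logons for one user from one source address.
SAMPLE_LOGS = [
    "2024-05-30T10:00:01 fw1 action=allow src=10.0.0.5 dst=93.184.216.34 dport=443 app=https",
    "2024-05-30T10:00:02 dc1 EventID=4625 user=alice src=10.0.0.9 status=failure",
    "2024-05-30T10:00:05 dc1 EventID=4625 user=alice src=10.0.0.9 status=failure",
    "2024-05-30T10:00:09 dc1 EventID=4625 user=alice src=10.0.0.9 status=failure",
    "2024-05-30T10:00:12 dc1 EventID=4624 user=alice src=10.0.0.9 status=success",
]

# Each normalizer pairs a label for the log type with a regex whose named groups
# already carry vendor-neutral field names (a hypothetical taxonomy).
NORMALIZERS = [
    ("network_traffic", re.compile(r"(?P<timestamp>\S+) (?P<device>\S+) action=(?P<action>\w+) src=(?P<source_address>\S+) dst=(?P<destination_address>\S+) dport=(?P<destination_port>\d+) app=(?P<application>\S+)")),
    ("windows_logon", re.compile(r"(?P<timestamp>\S+) (?P<device>\S+) EventID=(?P<event_id>\d+) user=(?P<user>\S+) src=(?P<source_address>\S+) status=(?P<status>\w+)")),
]

def normalize(line):
    """Parse one raw line into a labelled dict of fields, or None if no normalizer matches."""
    for label, pattern in NORMALIZERS:
        m = pattern.match(line)
        if m:
            event = m.groupdict()
            event["label"] = label
            event["timestamp"] = datetime.fromisoformat(event["timestamp"])
            return event
    return None

def search(events, **criteria):
    """Structured search: every key=value criterion must match the normalized event."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]

def brute_force_rule(events, threshold=3, window=timedelta(seconds=60)):
    """Correlation rule: at least `threshold` failed logons per (user, source) inside `window`."""
    failures = defaultdict(list)
    for e in search(events, label="windows_logon", status="failure"):
        failures[(e["user"], e["source_address"])].append(e["timestamp"])
    alerts = []
    for (user, source), times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append({"user": user, "source_address": source, "risk": "high"})
                break  # one alert per (user, source) is enough
    return alerts
```

A successful logon after the failures does not suppress the alert here; a production rule would typically add that condition and raise the risk rating for it.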

Conclusion

  • Summary: High-level overview of LogPoint SIEM tools, web interface functionalities, and incident management.
  • Q&A Session: Open for questions.