Hello, my name is Tim Stratton, LogPoint, and I'm going to give you a demo today of our LogPoint technology. I'm going to show you both the UEBA and the SIEM aspects of LogPoint. I'm going to do the first one slide for you, I'll cover one slide just to give you a little bit of background on what we're doing behind the scenes, and then I'm going to jump into the web interface.

So LogPoint can collect logs from any type of device you have out there: databases, endpoints, applications, printers, IoT things, firewalls. Basically, if it generates a log, we can collect it. Once we collect that log we're going to do a number of things with it. The first thing we're going to do is normalize that log data, making it so that you don't have to be a subject matter expert in log data to use LogPoint. We're going to parse that log out into all sorts of various normalized fields like source address, destination address, source port, destination port, user, just a wide variety of fields there, and we're also going to identify with a label the type of log that it is. So a label might be that it's a network traffic message, so that you can very, very easily identify those. On the enrichment side we're going to integrate with other things. One prime example of data enrichment would be threat intelligence feeds: we can pull in threat intelligence feed data and we can use that to tell you if that threat feed has a hit against that source address or that destination address, just as one simple example of enrichment.

And then we also have routing policies, and that kind of takes us into our next section on storage. With routing policies we can take data and put it into different storage repositories, and you can be very customizable with that. So as an example, you can take, you know, all firewall data and put it in one repository, because that's very noisy, and you store that for 30 days, or maybe you store it for 90 days on, you know, different tiers of disks, things like that. And then you can do other things like, you know, Windows Server data: I want to store that for, you know, 30 days on SSDs and then 90 days out on some, you know, other less expensive disks beyond that, and then a whole year on even cheaper disks beyond that. So you have a very good level of flexibility there. Another thing you can do with routing policies is you can map key-value pairs and things. So let's say you want to look for a certain list of sensitive users; you can say if the user equals a sensitive person, we're going to change where we store their data to another repository. So maybe your policy is to store 90 days overall for logs, but if you're part of a sensitive user group, now we want to store those logs for 365 days. So that's just an example of what we could do with routing and storage repositories.

Over on the analytics side, of course we have searching built in; I'll show you that inside the web interface, and correlation rules as well. We have a UEBA engine that's doing machine learning for you, so I'll be sure to talk about and show you that as well. But the really beautiful thing about UEBA is that it is a rule-less approach where you don't have to go in and tweak things manually yourself; the system just sort of baselines what's normal and gives you what it sees that deviates from that normal activity. And then the final thing we have is automated response, so we have the ability to take corrective action by executing any SSH command when an alert triggers. So it's a pretty powerful tool.

So with that slide out of the way, I'll go ahead and jump in and show you the web interface there. The first thing I'm going to talk about with you today is the UEBA portion of our web interface, then I'll jump into the other SIEM dashboards that are built in, I'll go over to searches and talk about searching, then paper-based reporting, and then I'll wrap up with alerts and incident management.

So on the UEBA page, again, this is a completely machine learning tool; there's nothing for you to have to build or tweak with rules or anything like that. The system does a baseline and tries to detect anomalies on its own. The overall risk page just shows us a very high level of our environment, the different types of activities that were found in our environment over various points of time, and we can see that we've had 114 million events analyzed, but only 2,500, on this one 2,600, of them were anomalies, and only 22 were from active risky entities there. I'm going to go over to the Explore tab, which is going to give me just a little bit more information on that. On this Explore tab I can tell very quickly that, out of the different risk ratings we have, we have six extremely risky items, four high-risk items, [inaudible] medium-risk and two low-risk. Just below that I've got a time frame showing me all of the different activity across the environment, and then over to the left I've got my top risk users. This is the chart I really like to talk about, because this is a color-coded numeric value between 1 and 120 of how threatening each of those users is. So I can see Joshua here has that 98 risk score associated with him. Any of these fields I can click on to drill into that data, so if I click on Joshua it's very interactive; the rest of the fields will switch to that. Joshua by himself has six extremely risky events. If I go over here to the right I can see those color-coded events here as far as what's risky and what's not. When I look at some of the things in red, I can see that Joshua sent 1.31 gigabytes in an hour using the POST command, whereas Joshua typically only sends 821 kilobytes in an hour. So that is pretty suspicious behavior if you ask me. We can see that the UEBA engine has flagged this as potential data exfiltration, and we can see just before that, and what really makes this suspicious to me, is that we have potential data staging just before that. So again, it's a nice engine to pick up one of those needles in a haystack that you would never otherwise normally look for.

So moving on from that, I'm going to jump into the SIEM dashboards. You can hit the plus button and create your own dashboard from scratch just by giving it a name, but we also have a Vendor Dashboards section. In the Vendor Dashboards section we take the whole "build it yourself" approach out of everything, so we go and take all the time necessary to build dashboards based off of particular products. We do that, and we also build dashboards based on compliance objectives and around particular use cases. As you can see here, some PCI dashboards are available to check and use as needed. So we really take that upfront work out of having to build a lot of the content yourself and give you all of that. That stuff is all included in the licensing model; there is no additional cost for compliance-based dashboards or reporting or alerts or anything like that.

I'm going to go over and show you just a couple of these out-of-the-box ones that I've already got imported here. One around threat intelligence: we do integrate with any kind of threat intelligence or third-party feed. Just as a simple example, I have Proofpoint in here already, and when I go through this data I can see all sorts of data around that threat intelligence feed itself. When I look down here at the very bottom I can see threat maps around that information as well, top ten outbound attacks by country, top ten inbound attacks by country. We are doing GeoIP lookup on any public-facing IP address that you have, so we can do that as part of our search capability and populate these charts with, you know, where in the world is this data coming from and going to. You will notice that these dashboards do update; they are working off of live data, so they are continuously updating on their own, no refresh button required for that.

Another one I always like to show is the Active Directory tab. The Active Directory tab I enjoy showing because it gives you a lot of stuff that is just generally good security practice to follow, but it's also useful in a lot of ways. So we have things like accounts being created and deleted, and lockouts and password resets, and all sorts of other activity like that. These charts are highly customizable; as you can see here, I've got a couple of donut charts, a column chart, a radar chart. If I want to adjust those or change those charts I can just hit this drop-down arrow and select the other type of chart that I want, so I can turn that one into a donut chart if I want to, and this one into one of those radar charts I like. So very simple to click on and use. Lastly, I want to talk about file access, and that's more a discussion of a feature that we have. One of the features that LogPoint has is file integrity monitoring. File integrity monitoring and registry integrity monitoring are built into the LogPoint agent; unlike some of our competitors, you do not have to pay extra for that agent license. That is, again, just included in the base cost.

So now that I've done that, I'm going to go over to the searching side and cover a little bit about our search query language for you. The same query language that we use for searching is the same query language used to build dashboard widgets, to create your own custom reports, to create alerts that you want to do; all of this works off of the same query language that we use for searching, so it really does help simplify that whole process. What I'm going to do here is talk about the two different types of search methods that we have: we have a structured search method and an unstructured search method. The structured search method would be things like the source address equals that, the user equals this, the port equals that, that kind of thing, so it's very key-value-pair based. The other type of search that we have is an unstructured search; the unstructured search is a Google-like search against the raw log data.

So I'm going to start with that unstructured search. I'm going to type the word Dropbox in here, which is just going to search for anywhere that key phrase is found, and then over here on the right I'm going to pick my time frame. So I've got anywhere from minutes, hours, days; I've got this custom picker here where I can even choose years' worth of time, and then I've got a custom from/to date and time picker where I can get very granular with the hour and the minute of the day. I'm going to go ahead with 24 hours for this search here. This will go back to find any logs where that phrase Dropbox is found. When I look at these log messages, I've really got three sections here. This is what I was talking about in the PowerPoint slide about the label: this is an example of a label where we have a connection traffic message going out; this comes off of a networking device. Whereas down here we have object access attempt, where you've got people accessing files or folders that have Dropbox in the names; potentially the Dropbox client could be installed on that host. Just below each of those labels we have the key-value pairs that are pulled out of that log message, and just below that, one step further, we have the raw log data there as well.

So what I'm going to do from here is go in and show you more of a structured search. I'm going to start by changing this keyword search there from Dropbox to application equals Dropbox, using one of our normalized fields, and then with the structured searching I have the ability to manipulate that data and present it the way I want, rather than seeing just a whole bunch of logs. So the first thing I'm going to do is hit the pipe symbol, and that's going to present me with a list of choices of what to do to manipulate that. In this case I'm going to create a chart off of it to show you today, so I'll select chart from that list. As you can see, when I hit space again I then get a list of suggestions: average, count, minimum, maximum, so what I want to make that chart on. This makes it very easy to learn this query language, because everything makes suggestions and comes up for you. With that, I'm going to go ahead and do this on the sum of the data size field; that is one of the fields in some of those network log messages, of how much data is being sent out to that Dropbox. So inside of those parentheses I'm going to put that field name, data size, and then I'm just going to sort that by user. Again, as I type, things are being populated. I'm going to go ahead and hit that search button there, and now I've got a chart with all of my users and how much data they're sending out to Dropbox.

I can then interact with this chart, so if I want to sort that by the data size now, I can click on that. I can see that Zana is my largest user sending data out to Dropbox, very easily, looking at this table. I've got a column chart just above that; if I want to change that column chart to a different chart type, just like I showed you in the dashboard before, I can do that here. I can make it a donut chart, I can make it a radar chart or a heat map chart, whatever works for me there; I can pick that, and then I can take that chart and add it over to the dashboard as a widget. So I can click Add Search to Dashboard and it will add that over there. I also have the capability to add that search to an alert rule, so if I want an alert any time someone goes to Dropbox that tells me how much data they're sending, I can easily create an alert; we'll walk through that. And I've got a few other options there as well. Under the More section here I've got the ability to export that out as a report, so I can run that as a paper-based report if I want to, and that leads us over to our next topic, which is paper-based reporting.

So for reporting we have, of course, just a lot of the same thing as dashboards: a lot of out-of-the-box reports you don't have to build. They are built around particular device types, they are built around compliance objectives that you may have, use cases, things like that. The one I'm going to show you here is the PCI compliance report; I'm just going to use this PDF. The logos and everything here are completely customizable, so you can set them to whatever you'd like, and then when we go through any compliance-based report there's typically a section that tells you what this part of the report is mapping to. So this was looking for failed logins; it gives you a brief paragraph to describe that. Just below that we've got tables' worth of data, and then we've got, of course, a few charts' worth of data as well representing this information for this particular PCI report. I'm going to go back over here to my settings on those reports and I'm going to configure, let's say, this ISO user account management report. When I go into the configuration side of this, you'll notice that these search strings that we have here are the same search language that we use under searches, so it's very easy to run those searches if you need to see the different types of charts that I have configured. I have some bar charts and pie charts, things like that. Over here on the right we've got scheduling information, so under scheduling we have schedules to run hourly, daily, weekly or monthly; we can have them run, you know, on any schedule that you want with that, and then we can have them exported as a PDF, HTML, Excel, Word document or CSV file. They will automatically show up under the generated reports, under this Inbox section in the web UI, but you can also have it email those reports out to people directly if you want. That's just a little bit about reporting.

The last section here I'm going to show you today is our alerts, and I'm going to go ahead into our alert rules. Again, we have vendor ones which are pre-built, out of the box, ready to go, same concept as before with reports and dashboards, but I'm going to go over here and look for a brute-force attack one where it's been successful. This is looking for five failed logins followed by a successful login for the same user within a five-minute period. When I open that up, I've got again the same query language here. This is an example of a correlation rule, where we're looking for two different searches to happen and then we're going to tie those together by the username. So we do have correlation capability built into that query language for us, so that we can pull that up. You can then assign risk ratings to those alerts, and so we have a risk set; this one in particular is set to high. That will come into our Incidents tab, which I'm going to show you shortly after I've covered alerts. And then you can set up notifications for those alerts, so you just hit this bell icon to set up the notifications. The most common form of notification is email notification, so we can send a custom email off to people; you can customize the subject and the body of that email. You can use these variables; in this case we're printing the user for each one for this particular alert, but you can customize those as you want to include there.

We have SSH notification, so this is our ability, as I mentioned earlier in the PowerPoint, to execute an SSH command whenever an alert triggers. This opens up an unlimited possibility of doors for you as far as executing scripts out there just to take action whenever your alerts trigger. Some examples of things you could do would be killing a process, starting or stopping a service; you could watch for your backup jobs to fail and restart them. You know, if a particular service dies on you every so often without any real rhyme or reason, you can have LogPoint monitor for that service to stop and automatically start it back up. Blocking IP addresses on firewalls, more from the security side; you've got a lot of capability that this unlocks just by, you know, executing any script that you write; we can run it by an SSH command. We have HTTP notification, so it's great for integration with other applications. Syslog notification, also for integration with other applications, but this also allows us to create a feedback loop into LogPoint. So what we can say is, okay, I see this alert, I now want to send a message back into LogPoint so that I can look for, you know, five alarms triggering within a short time period for the same user or for the same host. And we have SNMP notification; again, we can send an SNMP trap, which is great for integration with other applications.

Once those alerts trigger they will cause an incident to occur. Incidents are color-coded and are risk-based; the risk ratings are critical, high, medium and low for these. I can see that I don't have any red ones, I don't have any critical ones showing there on the screen, so I'm going to put a filter in place for that to take a look at the critical ones. You can put a filter in place along a lot of different lines here. Like I mentioned earlier, alerts will trigger incidents, but anything you find in searching, you can add those logs that you found to an incident, and then that would just be the Search type here, right there. If I look at some of these critical ones, I can choose to add comments to this, I can view the raw data behind it. If I do add a comment it will add the user who added that comment, the comment that they made, and the date and timestamp. I can choose to resolve it; all of those kinds of status things will be included in that same trail, so it's just a great way to review your data.

Anyway, that was a very high-level overview of the LogPoint SIEM. I hope you found that really useful, and we will go ahead and open the floor to any questions.
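The brute-force correlation rule described in the demo (five failed logins followed by a successful login for the same user within five minutes) written out in Python over normalized, labelled events, as an added example for this transcript. This is illustrative code, not LogPoint's query language or correlation engine; the field names, labels, sample users and timestamps are all constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # "within a five-minute period"
THRESHOLD = 5                   # "five failed logins"


def _mk(user, src, start, n_failed, success_after_s):
    """Constructed sample data: n_failed 'login_failed' events 10 s apart
    starting at `start`, then one 'login_success' at start + success_after_s.
    The dict shape mimics normalized log fields plus a label (not real LogPoint output)."""
    t0 = datetime.fromisoformat(start)
    evs = [{"ts": (t0 + timedelta(seconds=10 * i)).isoformat(), "label": "login_failed",
            "user": user, "source_address": src} for i in range(n_failed)]
    evs.append({"ts": (t0 + timedelta(seconds=success_after_s)).isoformat(),
                "label": "login_success", "user": user, "source_address": src})
    return evs


SAMPLE_EVENTS = (
    _mk("jdoe",   "10.0.0.5", "2024-05-01T09:00:00", 5, 60)    # 5 failures, success at +60 s -> alert
    + _mk("asmith", "10.0.0.9", "2024-05-01T09:02:00", 4, 50)  # only 4 failures -> below threshold
    + _mk("bwong",  "10.0.0.7", "2024-05-01T09:10:00", 5, 400) # success 6m40s later -> outside window
)


def correlate_bruteforce(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per successful login that was preceded by at least
    `threshold` failures for the same user inside `window`.

    Events are processed in time order. Failures are kept per user in a deque
    that is trimmed as time advances, i.e. a sliding window keyed on the
    correlation field (the username), the way the demo ties the two searches."""
    failures = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        q = failures[ev["user"]]
        while q and ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if ev["label"] == "login_failed":
            q.append(ts)
        elif ev["label"] == "login_success" and len(q) >= threshold:
            alerts.append({"user": ev["user"], "source_address": ev["source_address"],
                           "failed_attempts": len(q), "first_failure": q[0].isoformat(),
                           "success_at": ev["ts"], "risk": "high"})
            q.clear()                        # one alert per burst, not one per later success
    return alerts


if __name__ == "__main__":
    for alert in correlate_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Only the jdoe burst produces an alert; asmith stays under the threshold and bwong's success falls outside the window, which is the behaviour the rule text implies.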