Introduction
This article explains the aggregated (normalized) data shown in the Search section, how to filter it to reach the desired information quickly, and how to perform analysis on it.
Understanding Aggregated Data and Analyzing with Search Techniques
Event Mapping Columns
These columns are not present in the raw data received from sources; they are added by Logsign's enrichment and normalization, so the end user can search and filter data in a simpler and more uniform way regardless of which source produced it.
EventMap.Type: Type of the data. For example, an attempt by a user to log into a system.
EventMap.SubType: Subtype of the data. For example, whether a user's attempt to log into a system was successful.
EventMap.Context: Information about which category the data belongs to. For example, Network, Security, User activity.
EventMap.ID: Logsign defines a standardized ID for each action observed in incoming data; that ID is stored in this column.
EventMap.Info: A short, normalized description of the action in the data. For example, "Web Access Allow", "Network Connection Deny", "User Login Deny".
Source Columns
These are columns containing information about the source in the incoming data. Below are a few examples of these columns:
Source.IP: Source IP address.
Source.Port: Source port number.
Source.UserName: Source username.
Destination Columns
These are columns containing information about the destination in the incoming data. Below are a few examples of these columns:
Destination.UserName: Destination username.
Destination.GroupName: Destination group name.
Destination.Country: Name of the country where the destination IP address is located.
The left side of the screen contains the smart filtering section, which lists the columns that occur most often in the data.
To reach a specific column, type its name in the search bar at the top of that section. In the screenshot below, the search term "source IP" has been entered and every column whose name contains "source IP" is listed.
Clicking a column then opens a list of its most frequent values, in descending order, below it. If needed, the search bar in that list can be used to narrow the values further by entering a term.
In the screenshot below, a search is performed for activities carried out over destination port 443 and associated with the security device with the IP address 10.10.100.100.
To see which usernames carried out these activities, tick the relevant username column in the smart filtering section.
The screenshots below show separately which resources the IP address 10.10.100.100 and the user "ismail" accessed. Analysis of which resources a given IP address or username has interacted with can be performed easily in this way.
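The following is an added example, not Logsign code or output, that reproduces the three steps above (find a column by name, pin filters on it, list the most frequent values of another column) over a small set of constructed events. The events use the column names defined earlier on this page; the event values, the helper names (smart_filter_columns, search, top_values, analyse_host_and_user) and the assumption that the smart-filter list is a simple frequency count are all the example's own.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample events in the enriched column layout described above.
# These are not real Logsign records; values are chosen for illustration only.
EVENTS: List[Dict[str, str]] = [
    {"EventMap.Type": "Network Connection", "EventMap.SubType": "Allow",
     "EventMap.Context": "Network", "EventMap.Info": "Network Connection Allow",
     "Source.IP": "10.10.100.100", "Source.Port": "51234", "Source.UserName": "ismail",
     "Destination.IP": "93.184.216.34", "Destination.Port": "443", "Destination.Country": "United States"},
    {"EventMap.Type": "Network Connection", "EventMap.SubType": "Allow",
     "EventMap.Context": "Network", "EventMap.Info": "Network Connection Allow",
     "Source.IP": "10.10.100.100", "Source.Port": "51235", "Source.UserName": "ismail",
     "Destination.IP": "93.184.216.34", "Destination.Port": "443", "Destination.Country": "United States"},
    {"EventMap.Type": "Network Connection", "EventMap.SubType": "Deny",
     "EventMap.Context": "Network", "EventMap.Info": "Network Connection Deny",
     "Source.IP": "10.10.100.100", "Source.Port": "51236", "Source.UserName": "ayse",
     "Destination.IP": "198.51.100.7", "Destination.Port": "443", "Destination.Country": "Germany"},
    {"EventMap.Type": "Network Connection", "EventMap.SubType": "Allow",
     "EventMap.Context": "Network", "EventMap.Info": "Network Connection Allow",
     "Source.IP": "10.10.100.100", "Source.Port": "51237", "Source.UserName": "ismail",
     "Destination.IP": "192.0.2.10", "Destination.Port": "22", "Destination.Country": "Turkey"},
    {"EventMap.Type": "Network Connection", "EventMap.SubType": "Allow",
     "EventMap.Context": "Network", "EventMap.Info": "Network Connection Allow",
     "Source.IP": "10.10.100.101", "Source.Port": "40001", "Source.UserName": "ismail",
     "Destination.IP": "192.0.2.10", "Destination.Port": "443", "Destination.Country": "Turkey"},
    {"EventMap.Type": "Web Access", "EventMap.SubType": "Allow",
     "EventMap.Context": "Network", "EventMap.Info": "Web Access Allow",
     "Source.IP": "10.10.100.102", "Source.Port": "40002", "Source.UserName": "ismail",
     "Destination.IP": "203.0.113.5", "Destination.Port": "80", "Destination.Country": "Netherlands"},
    {"EventMap.Type": "User Login", "EventMap.SubType": "Deny",
     "EventMap.Context": "User activity", "EventMap.Info": "User Login Deny",
     "Source.IP": "10.10.100.100", "Source.UserName": "ismail",
     "Destination.IP": "192.0.2.10", "Destination.UserName": "admin", "Destination.GroupName": "Administrators"},
]


def smart_filter_columns(events: List[Dict[str, str]], term: str) -> List[str]:
    """Columns whose name contains the search term, ignoring case, spaces and
    dots, so that typing "source IP" finds "Source.IP" (step 1 above)."""
    needle = term.lower().replace(" ", "").replace(".", "")
    cols = set()
    for event in events:
        cols.update(c for c in event if needle in c.lower().replace(".", ""))
    return sorted(cols)


def search(events: List[Dict[str, str]], criteria: Dict[str, str]) -> List[Dict[str, str]]:
    """Keep events where every Column=value pair matches (AND semantics),
    i.e. the result of pinning several values in the smart filtering panel."""
    return [e for e in events if all(e.get(col) == val for col, val in criteria.items())]


def top_values(events: List[Dict[str, str]], column: str, limit: int = 10) -> List[Tuple[str, int]]:
    """Most frequent values of a column, descending, as shown when a column is
    clicked in the smart filtering panel. Events lacking the column are skipped."""
    return Counter(e[column] for e in events if column in e).most_common(limit)


def analyse_host_and_user(events: List[Dict[str, str]]) -> Dict[str, List[Tuple[str, int]]]:
    """The worked analysis from the screenshots: who used port 443 from
    10.10.100.100, then which destinations that host and the user "ismail" reached."""
    on_443 = search(events, {"Source.IP": "10.10.100.100", "Destination.Port": "443"})
    return {
        "users_on_443": top_values(on_443, "Source.UserName"),
        "host_destinations": top_values(search(events, {"Source.IP": "10.10.100.100"}), "Destination.IP"),
        "user_destinations": top_values(search(events, {"Source.UserName": "ismail"}), "Destination.IP"),
    }


if __name__ == "__main__":
    print("columns matching 'source IP':", smart_filter_columns(EVENTS, "source IP"))
    for name, values in analyse_host_and_user(EVENTS).items():
        print(name, values)
```

Note that the login event carries no Destination.Port, so it is dropped by the port-443 filter but still counted when only Source.IP is pinned; that is why pinning one column at a time, as the page describes, gives a more complete picture of a host's activity than a single combined query.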