Understanding Aggregated Data

Introduction

This article explains the aggregated (enriched) data shown in the Search section, how to filter it to reach the information you need quickly, and how to perform analysis on it.

 

Understanding Aggregated Data and Analyzing with Search Techniques

Event Mapping Columns

These columns are not present in the raw data received from the sources; Logsign adds them during enrichment and maps each event to them, so that the end user can search and filter data in a simpler and more consistent way.

EventMap.Type: The type of the event. For example, an attempt by a user to log in to a system.

EventMap.SubType: The subtype of the event. For example, whether the user's login attempt was successful.

EventMap.Context: The category the event belongs to. For example, Network, Security, User activity.

EventMap.ID: Logsign assigns a standardized ID to each action observed in the incoming data; that ID is stored in this column.

EventMap.Info: A short, human-readable summary of the event. For example, "Web Access Allow", "Network Connection Deny", "User Login Deny".

 

Source Columns

These are columns containing information about the source in the incoming data. Below are a few examples of these columns:

Source.IP: Source IP address.

Source.Port: Source port number.

Source.UserName: Source username.

 

Destination Columns

These are columns containing information about the destination in the incoming data. Below are a few examples of these columns:

Destination.UserName: Destination username.

Destination.GroupName: Destination group name.

Destination.Country: Name of the country where the destination IP address is located.

 

The left side of the screen contains the smart filtering section, which lists the columns that occur most frequently in the data, sorted by frequency.

[Screenshot: Search14.png]

 

To reach a specific column quickly, type its name into the search bar at the top of the smart filtering section. In the screenshot below, the term "source IP" has been entered, and every column whose name contains "source IP" is listed.

[Screenshot: Search15.png]

 

To inspect the values of a column, click the column: a panel opens below it listing the column's values in order of frequency, most frequent first. The search bar inside this panel narrows the list to values containing the term you enter.

[Screenshot: Search16.png]

 

In the screenshot below, the search is narrowed to the activity of the security device with IP address 10.10.100.100 on destination port 443, i.e. the filters for the IP address and the destination port are applied together.

[Screenshot: Search17.png]

 

To also see which user names carried out these activities, select the relevant user name column (for example Source.UserName) in the smart filtering section; its values are then listed for the filtered events.

[Screenshot: Search18.png]

 

The two screenshots below show separately which destinations the IP address 10.10.100.100 and the user "ismail" accessed. Pivoting in this way, from an IP address or a user name to the resources it interacted with, is the basic pattern for this kind of analysis.

 

[Screenshot: Search19.png]

[Screenshot: Search20.png]
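The whole workflow above (column-name search, most-frequent values, combined filters, and the pivot from an IP address or user to its destinations) can be expressed as a few operations over enriched events. The following is an added example written for this article; it is not Logsign's code or API. The column names follow the page, but the events, IP addresses and the users are constructed sample data, and it assumes that 10.10.100.100 appears in the events as Source.IP.

```python
"""Faceted search over enriched events, as an added illustration.
The helper functions are this example's own, not the Logsign API."""
import re
from collections import Counter

# Constructed sample events carrying the page's enriched column names.
# 10.10.100.100 is assumed to be the Source.IP of the device; "ismail" is a sample user.
EVENTS = [
    {"EventMap.Type": "Network Connection", "EventMap.SubType": "Allow", "EventMap.Context": "Network",
     "EventMap.Info": "Network Connection Allow", "Source.IP": "10.10.100.100", "Source.Port": 51234,
     "Source.UserName": "ismail", "Destination.IP": "93.184.216.34", "Destination.Port": 443,
     "Destination.Country": "United States"},
    {"EventMap.Type": "Network Connection", "EventMap.SubType": "Allow", "EventMap.Context": "Network",
     "EventMap.Info": "Network Connection Allow", "Source.IP": "10.10.100.100", "Source.Port": 51235,
     "Source.UserName": "ismail", "Destination.IP": "198.51.100.20", "Destination.Port": 443,
     "Destination.Country": "Germany"},
    {"EventMap.Type": "Network Connection", "EventMap.SubType": "Deny", "EventMap.Context": "Network",
     "EventMap.Info": "Network Connection Deny", "Source.IP": "10.10.100.100", "Source.Port": 51236,
     "Source.UserName": "ayse", "Destination.IP": "93.184.216.34", "Destination.Port": 443,
     "Destination.Country": "United States"},
    {"EventMap.Type": "Network Connection", "EventMap.SubType": "Allow", "EventMap.Context": "Network",
     "EventMap.Info": "Network Connection Allow", "Source.IP": "10.10.100.100", "Source.Port": 51237,
     "Source.UserName": "ismail", "Destination.IP": "198.51.100.20", "Destination.Port": 22,
     "Destination.Country": "Germany"},
    {"EventMap.Type": "Network Connection", "EventMap.SubType": "Allow", "EventMap.Context": "Network",
     "EventMap.Info": "Network Connection Allow", "Source.IP": "10.10.100.101", "Source.Port": 40001,
     "Source.UserName": "ismail", "Destination.IP": "203.0.113.5", "Destination.Port": 443,
     "Destination.Country": "Turkey"},
    # This event has no Destination.Country, so that column ranks last in the facet list.
    {"EventMap.Type": "Network Connection", "EventMap.SubType": "Allow", "EventMap.Context": "Network",
     "EventMap.Info": "Network Connection Allow", "Source.IP": "10.10.100.102", "Source.Port": 40002,
     "Source.UserName": "mehmet", "Destination.IP": "93.184.216.34", "Destination.Port": 80},
]


def _key(name):
    """Normalise for matching: lower-case, drop dots, spaces and punctuation."""
    return re.sub(r"[^a-z0-9]", "", str(name).lower())


def common_columns(events):
    """Columns ordered by how many events carry them (the smart-filter column list)."""
    counts = Counter(col for ev in events for col in ev)
    return [col for col, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def find_columns(events, term):
    """Column-name search: 'source IP' matches Source.IP regardless of case or dots."""
    return [col for col in common_columns(events) if _key(term) in _key(col)]


def top_values(events, column, term=None, limit=10):
    """Most frequent values of a column, optionally narrowed to values containing term."""
    values = (ev[column] for ev in events if column in ev)
    if term is not None:
        values = (v for v in values if _key(term) in _key(v))
    return Counter(values).most_common(limit)


def filter_events(events, criteria):
    """Keep events whose columns equal every value in criteria (all filters ANDed)."""
    return [ev for ev in events if all(ev.get(col) == val for col, val in criteria.items())]


def pivot(events, criteria, column):
    """Apply the filters, then list the most frequent values of another column."""
    return top_values(filter_events(events, criteria), column)


if __name__ == "__main__":
    print(find_columns(EVENTS, "source IP"))
    selected = filter_events(EVENTS, {"Source.IP": "10.10.100.100", "Destination.Port": 443})
    print(top_values(selected, "Source.UserName"))           # who used port 443 from the device
    print(pivot(EVENTS, {"Source.IP": "10.10.100.100"}, "Destination.IP"))   # where the device went
    print(pivot(EVENTS, {"Source.UserName": "ismail"}, "Destination.IP"))     # where the user went
```

Every step of the analysis is a filter followed by a frequency count over one column, which is why a pivot from a user to destinations and a pivot from an IP address to destinations are the same operation with different criteria.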

 

 
