Asset Context is composed of “Behavior” and “Asset”, which are lists named in the Logsign infrastructure. In this context, we can use the pre-defined lists mentioned in the Asset and Behavior contents or create lists according to the logical structures we will determine.
The content of our “Behavior” lists is determined in a specific time period, with a threshold value and a query field. After this stage, the alert rules are formed by benefiting from the pre-defined lists or the lists we created.
The data on the logs are correlated with the pre-defined Assets & Behaviours lists. Logsign presents these data with the bucket name as upper context. If the relevant bucket conditions are met, the log is enriched. Therefore, the logs have an enriched content along with the suspicious incidents they were historically involved in and the static user/group/network definitions they are a part of.
You can access the pre-defined lists from the Alerts > Assets and Behaviours tab on Logsign web interface.