Understanding State Tracker List

A State Tracker list format is created to group and aggregate multiple columns, and to use enrichment methods such as modifiers.

(Screenshots: 57.png, 58.png, 61.png)

In the example above, IP and MAC address information is gathered. The IP column is matched and a Source.MacAddress column is created in the firewall logs. Thus, the firewall logs are automatically enriched with the MAC address information obtained from the DHCP server.


Basic/Advanced Mode: For detailed usage of lists, click “Advanced Mode”.

Description: Specify a name that identifies the list.

Type: State Tracker

Severity: Specify how important the list is.

Context: You can tag the object that enters this list as Suspicious, Victim or Attacker for use in future events.

Tag: In this section you determine which groups have the authority to view the list you are creating. (See the Tag Feature article.)

Entry Conditions: The entry condition that selects the logs used for enrichment (the DHCP source in the example).

Exit Conditions: The exit condition that excludes logs from the enrichment process.

Key Column: The column that should match the column you want to add.

Purge Period: The number of seconds for which information retrieved from the list is kept before it is purged. By default, it is three thousand (3000) seconds.

Index Events: If you tick the Index Events option, the list will be written to the Logsign Unified SecOps Platform Index system.

Match Conditions: Specifies which objects this enrichment is applied to.

Key Field: The column you want to add to the log; it should match the Key Column.

Then use the Save button to save the settings.
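The following is an added model of how the fields above work together (example code, not Logsign's own implementation): DHCP lease logs enter a list keyed by the Key Column, releases exit it, entries older than the Purge Period are dropped, and firewall logs whose Key Field matches receive a Source.MacAddress column. The log sources, event names, column names other than Source.MacAddress, and the sample logs are assumptions constructed for illustration.

```python
PURGE_PERIOD = 3000  # seconds; the default the page gives for Purge Period

class StateTrackerList:
    # state maps a Key Column value (DHCP client IP) to (MAC, time learned)
    def __init__(self, key_column, purge_period=PURGE_PERIOD):
        self.key_column = key_column
        self.purge_period = purge_period
        self.state = {}

    def update(self, log, now):
        if log.get("source") != "dhcp":
            return
        key = log.get(self.key_column)
        if log.get("event") == "lease":       # entry condition: learn/refresh
            self.state[key] = (log["MacAddress"], now)
        elif log.get("event") == "release":   # exit condition: forget the entry
            self.state.pop(key, None)

    def enrich(self, log, now, key_field="Source.IP", new_column="Source.MacAddress"):
        # Match condition: only firewall logs; drop entries older than the
        # purge period, then look the log's Key Field up in the list.
        if log.get("source") != "firewall":
            return log
        self.state = {k: v for k, v in self.state.items()
                      if now - v[1] < self.purge_period}
        entry = self.state.get(log.get(key_field))
        if entry is not None:
            log[new_column] = entry[0]
        return log

# Constructed sample logs; "time" is seconds since an arbitrary epoch.
DHCP_LOGS = [
    {"source": "dhcp", "event": "lease", "time": 0, "ClientIP": "10.0.0.5", "MacAddress": "aa:bb:cc:dd:ee:01"},
    {"source": "dhcp", "event": "lease", "time": 10, "ClientIP": "10.0.0.6", "MacAddress": "aa:bb:cc:dd:ee:02"},
    {"source": "dhcp", "event": "release", "time": 20, "ClientIP": "10.0.0.6"},
]
FIREWALL_LOGS = [
    {"source": "firewall", "time": 30, "Source.IP": "10.0.0.5", "Destination.IP": "198.51.100.7"},
    {"source": "firewall", "time": 31, "Source.IP": "10.0.0.6", "Destination.IP": "198.51.100.7"},
    {"source": "firewall", "time": 4000, "Source.IP": "10.0.0.5", "Destination.IP": "198.51.100.9"},
]

def run_demo():
    # Feed the DHCP logs in, then enrich each firewall log in time order.
    tracker = StateTrackerList(key_column="ClientIP")
    for log in DHCP_LOGS:
        tracker.update(log, log["time"])
    return [tracker.enrich(dict(log), log["time"]) for log in FIREWALL_LOGS]
```

Only the first firewall log is enriched: the second host's lease was released (exit condition) and the third log arrives after the purge period has expired.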
