Page Contents

Label Packages

Label Packages¶

Label Packages are the collection of labelling rules. Labels are tags applied to each log message, used to characterize logs and group similar logs. For example, you can label all the login failed logs as failed. Using the label failed, you can group all the logs where the user failed to log in successfully. Labels can also be used to identify logs related to a specific threat technique or potential security attack.

Labels¶

In Logpoint, there are two types of Label Packages.

Vendor Packages: The label packages bundled with the Logpoint installation.
My Packages: The label packages that you add.

You can switch between My Packages and Vendor Packages by clicking the drop-down menu at the top-left corner.

Adding a Label Package¶

Go to Settings >> Knowledge Base and click Label Packages.
Click Add.

Label Packages¶

Enter Name and Description in Package Information.

Adding a Label Package¶

Enter a Name and a Description in Package Information.
Click Submit. Search Labels opens, containing all the existing search labels.
Click Add to add a new label.

../_images/LP_KB_LaP_Add_LabelPak_SearchLabel.png

Search Labels Panel¶

In Label Information, enter Search Query, select Package and enter List of Labels. Labels can contain only alphanumeric characters.

../_images/LP_KB_LaP_Add_LabelPak_SearchLabel_Add.png

Adding Search Label Information¶

In Label Information, enter a Search Query, select a Package and enter a List of Labels.
Click Submit.

In this example, all the log messages satisfying the search query device_ip = 127.0.0.1 are labeled with ip and device_ip.

Applying Labels with Label Package¶

Go to Settings >> Knowledge Base and click Label Packages.
Click Manage Labels icon in Actions for the respective label.

../_images/LP_LabelPack_WithRules_List_Manage.png

Click Add to open Search Label.

Switch between the My Packages and the Vendor Packages by clicking the dropdown at the top-left corner of the panel.

Applying Labels from the Search Interface¶

Go to Search and enter the query to which you want to add the labels.
Click Search.
Click Add Search To.

../_images/LP_LabelPack_AddFromSearch.png

Select Labelling Rule to open the Search Label.

../_images/LP_LabelPack_AddFromSearch_Add.png

Select a Package, and enter a List of labels.
Click Submit.

Applying Labels using Normalization Signatures¶

You may need to add a label to particular types of logs or the logs collected by a specific device. For example, to add a label printer to all the logs collected from the printer, you can add a label to the signature of the normalization package that is used to normalize printer logs. This will add the label to all the logs processed by that normalization package.

Go to Settings >> Knowledge Base and click Normalization Packages.
Click Signatures in Actions.
Click Edit Signature icon in Actions.

../_images/LP_LabelPack_FromNormSig_List_Edit.png

Type label in the first textbox for Key Values.
Enter a list of labels in the second textbox.

../_images/LP_LabelPack_FromNormSig_Add.png

Type label in the first textbox for Key Value.
Enter a list of labels in the second textbox and click Submit.

Note

You can also add labels while adding a normalization signature.

Applying Labels with Labeling Rules¶

Go to Settings >> Knowledge Base from the navigation bar and click Label Packages.

Click the Manage Labels icon in Actions for the respective label.
Click Add to open Search Label.

Enter a suitable Query, a Package Name, and a List of Labels.
Click Submit.

In this example, all the log messages satisfying the search query device_name = localhost are labelled with Localhost and 127.0.0.1.

Exporting Label Packages¶

Go to Settings >> Knowledge Base from the navigation bar and click Label Packages.

Label Packages¶

Select the label packages you want to export.
Click Export.

The selected label package will be downloaded.

Importing Label Packages¶

Go to Settings >> Knowledge Base from the navigation bar and click Label Packages.

Label Packages¶

Click Import.
Browse to the label package.
Click Submit.

Editing a Label Package¶

Go to Settings >> Knowledge Base from the navigation bar and click Label Packages.
Click the Name of the package that to edit and update the information.

Label Packages¶

Click Submit.

Activating Label Packages¶

Go to Settings >> Knowledge Base and click Label Packages.
Click Activate label package icon under Actions.

Label Packages¶
1. To activate multiple Label Packages, select all the packages you want to activate. Click More and choose Activate Selected Packages.
Label Packages¶
1. To activate all the Label Packages, click More and choose Activate All Packages.
Label Packages¶

De-activating Label Packages¶

Go to Settings >> Knowledge Base and click Label Packages.
Click De-activate label package icon under Actions.

Label Packages¶
1. To deactivate multiple label packages, select all the packages you want to deactivate. Click More and choose Deactivate Selected Packages.
Label Packages¶
1. To deactivate all the label packages, click More and choose Deactivate All Packages.
Label Packages¶

Cloning Label Packages¶

Go to Settings >> Knowledge Base and click Label Packages.
Click the Clone icon under Actions.

Label Packages¶
1. To clone multiple label packages, select all the packages you want to clone. Click More and select Clone Selected Packages.
Label Packages¶
1. To clone all label packages, click More and select Clone All Packages.
Label Packages¶
Enter new names for the cloned packages.
Select Replace Existing? to replace an existing package with the same name.

Clone Label Package Panel¶

Click Clone.

Deleting Label Packages¶

Go to Settings >> Knowledge Base and click Label Packages.
Click Delete icon under Actions.

Deleting a Label Package¶
1. To delete multiple Label Packages, select all the packages you want to delete. Click More and choose Delete Selected Packages.
Label Packages¶
1. To delete all the Label Packages, click More and choose Delete All Packages.
Label Packages¶
Click Yes to confirm deletion.

Helpful?