Terminology
A
Access Control Manages which users can view, edit or administer which data.
Action Block The individual actions you can add, modify or delete in a playbook.
Agents Used on Windows systems to send log data, collect log files and perform registry and file integrity monitoring. Logpoint uses two agents: Logpoint Agent and AgentX. Agents do not only retrieve logs; they also support encryption, buffering, file collection, file integrity monitoring and Windows Registry monitoring.
Alert Criteria The conditions that must be met to generate an Incident.
Alert Rule Criteria Specifies the exact conditions or thresholds that must be met for the alert to trigger an incident. It is the logic that decides when the alert triggers, typically based on log count metrics from the query in the Alert Rule. The condition of the Alert Rule is the level of risk combined with the number of times risky behaviour is detected.
Alerts Rules that check log events as they occur and generate an incident if the conditions of the rule match a defined activity.
Anomalies User or entity behavior that deviates from the established baseline.
Attack A chain of events in which somebody intentionally, whether successfully or not, tries to attain “Actions on Objectives”.
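The Alert, Alert Criteria and Alert Rule Criteria entries above describe a query over events plus a count threshold inside a time window. The following is an added example written for this glossary, not Logpoint's alert engine or its query language: a generic rule that streams constructed, already-normalized events, keeps a sliding window per (user, source_address) group and raises one incident when the threshold is reached. The field names, the dictionary query shape and the incident format are assumptions.

```python
"""Illustrative alert rule: a query over normalized events plus a count
threshold within a time window, evaluated as events arrive. Generic detection
logic written for this glossary; the field names, query shape and incident
format are assumptions, not Logpoint's alert engine or query language."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, already normalized to key-value pairs (not real data).
EVENTS = [
    {"log_ts": "2024-05-01T10:00:01", "label": "Authentication Fail", "user": "alice", "source_address": "10.0.0.5"},
    {"log_ts": "2024-05-01T10:00:10", "label": "Authentication Fail", "user": "alice", "source_address": "10.0.0.5"},
    {"log_ts": "2024-05-01T10:00:20", "label": "Authentication Fail", "user": "alice", "source_address": "10.0.0.5"},
    {"log_ts": "2024-05-01T10:00:30", "label": "Authentication Fail", "user": "alice", "source_address": "10.0.0.5"},
    {"log_ts": "2024-05-01T10:00:40", "label": "Authentication Fail", "user": "alice", "source_address": "10.0.0.5"},
    {"log_ts": "2024-05-01T10:00:45", "label": "Authentication Success", "user": "alice", "source_address": "10.0.0.5"},
    {"log_ts": "2024-05-01T10:01:00", "label": "Authentication Fail", "user": "bob", "source_address": "10.0.0.7"},
    {"log_ts": "2024-05-01T10:01:30", "label": "Authentication Fail", "user": "bob", "source_address": "10.0.0.7"},
    # carol also fails five times, but spread over an hour: never five inside one 5-minute window
    {"log_ts": "2024-05-01T10:00:00", "label": "Authentication Fail", "user": "carol", "source_address": "10.0.0.9"},
    {"log_ts": "2024-05-01T10:10:00", "label": "Authentication Fail", "user": "carol", "source_address": "10.0.0.9"},
    {"log_ts": "2024-05-01T10:20:00", "label": "Authentication Fail", "user": "carol", "source_address": "10.0.0.9"},
    {"log_ts": "2024-05-01T10:30:00", "label": "Authentication Fail", "user": "carol", "source_address": "10.0.0.9"},
    {"log_ts": "2024-05-01T10:40:00", "label": "Authentication Fail", "user": "carol", "source_address": "10.0.0.9"},
]


def matches_query(event, query):
    """The alert's query: every field in `query` must equal the event's value (AND)."""
    return all(event.get(field) == value for field, value in query.items())


class AlertRule:
    def __init__(self, name, query, group_by, threshold, window):
        self.name, self.query, self.group_by = name, query, group_by
        self.threshold, self.window = threshold, window

    def evaluate(self, events):
        """Feed events in time order; return one incident per group whose
        matching event count reaches the threshold within the window."""
        incidents = []
        seen = defaultdict(deque)  # group key -> timestamps of matching events still inside the window
        for ev in sorted(events, key=lambda e: e["log_ts"]):  # ISO timestamps sort lexicographically
            if not matches_query(ev, self.query):
                continue
            key = tuple(ev.get(f) for f in self.group_by)
            ts = datetime.fromisoformat(ev["log_ts"])
            window = seen[key]
            window.append(ts)
            while ts - window[0] > self.window:  # drop events that have aged out of the window
                window.popleft()
            if len(window) >= self.threshold:
                incidents.append({
                    "alert_rule": self.name,
                    **dict(zip(self.group_by, key)),
                    "count": len(window),
                    "first_seen": window[0].isoformat(),
                    "last_seen": ts.isoformat(),
                })
                window.clear()  # one incident per burst, not one per additional event
        return incidents


FAILED_LOGINS = AlertRule(
    name="Brute force: 5 failed logins in 5 minutes",
    query={"label": "Authentication Fail"},
    group_by=("user", "source_address"),
    threshold=5,
    window=timedelta(minutes=5),
)


def run_example():
    return FAILED_LOGINS.evaluate(EVENTS)


if __name__ == "__main__":
    for incident in run_example():
        print(incident)
```

Only alice's burst produces an incident: bob never reaches the threshold and carol's five failures fall outside any single window, which is the difference between a raw count and a count within a window that the Alert Rule Criteria entry describes.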
B
Baseline In UEBA, the starting point or condition against which future behavior or actions are measured.
C
Case A sequence of one or more SIEM incidents, from different log sources, that contains all the data about a potential threat scenario and its investigation. This sequence of incidents potentially outlines an attack flow through the cyber kill chain.
Case Investigation Workflow at the incident level. Incidents are what make up a case.
Case Management Determines and documents the extent of a potential attack and establishes a basis for remediation.
Case Workflow Consists of 5 phases: Ingest, Threat Detection, Triage, Investigate and Respond, and Recover and Report.
Category Grouping of attackers’ or adversaries’ objectives according to what they want to achieve. Synonym for a MITRE ATT&CK tactic.
Cloud Connector Sends logs to Logpoint SaaS. It manages local or cloud-based security event log collection, normalization, enrichment and forwarding to SaaS. A cloud connector is installed on your on-premises appliance and forwards log data through a dedicated API endpoint.
Collection Policy Activates and configures how a group of collectors and fetchers work to collect log messages from a device.
Collector Retrieves log data and buffers it. A Collector listens on dedicated ports, retrieves logs and/or forwards them to a Logpoint Storage Node for storage.
Collector Node A collector node receives log files from devices, or log sources, and then forwards the logs to Logpoint over a VPN-connected network. If there is a network outage, it buffers the logs.
Correlation Compares one event to another during normalization when logs are translated into Logpoint taxonomy.
Cyber Kill Chain The flow or lifecycle of a cyber security threat, as organized in the MITRE ATT&CK framework. Attackers must progress through each stage to successfully complete an attack.
Cyber Kill Chain Stage or Step Mapped to a more granular MITRE tactic.
D
Data Privacy Module/Mode Encrypts specific clear-text fields so they are hidden from non-admin Logpoint users.
Definers Simplified regular expressions used to match log patterns either in a search or when building a custom normalizer.
Detections Created when events potentially correspond to one or several MITRE techniques or sub-techniques.
Detectors Identify log events with a potential security impact after messages are ingested and events are generated. They use alert rules and/or UEBA to look through log events and generate detections.
Device The source from which logs are collected or fetched. A device is designated by its IP address or addresses.
Device Group A logical grouping of two or more similar devices.
Director Enables Managed Service Providers to centrally manage multiple, independent Logpoint environments.
Director Fabric Used by Logpoint Director to synchronise multiple servers that make up a Director environment.
Distributed Collectors Collect logs only. They have no dashboard, search or report generation capabilities.
Distributed Logpoint A full Logpoint server operating with another Logpoint server configured as a Search Head.
Dynamic Enrichment Enrichment processed at the query’s runtime.
Dynamic Table A type of table filled in “on the fly” from a query, by running the toTable process command.
E
Enrichment Adds domain and contextual information from other sources to log events.
Enrichment Criteria Defines which normalized key-value pairs in the message fields are matched against an enrichment table.
Enrichment Policy Contains and specifies enrichment criteria.
Enrichment Source Where enrichment comes from or is obtained from.
Enrichment Subscriber Enables sharing enrichment sources between an On-prem and SaaS Logpoint.
Enrichment Table A table ingested from an Enrichment Source, whose content is used during a query.
Event A single action received from a log source. Events are often, but not always, synonymous with a log message depending on the integration itself and its granularity.
Extractor Accesses security data and logs in SAP systems and transforms the data so a SIEM can use them for threat detection.
F
Fabric-Enabled Logpoint Server A Logpoint server that is managed by Logpoint Director.
Fetcher Uses a query to retrieve logs from a remote location when a source does not send logs to Logpoint.
Fields Synonymous with the key in a key-value pair: the identifier name given to a normalized value.
I
Incident Individual circumstances or conditions that indicate a potential security threat scenario that requires investigation and potential action, including the consideration of all related or involved objects. Contains information about the individual techniques used. You can use the incident to investigate whether there is a real threat or not.
Incident User Groups
Logpoint taxonomy key/value pairs are stored in index files. When normalizing a log message, the normalizer identifies the essential patterns of the log message and creates key/value pairs for each component, according to Logpoint taxonomy.
Ingest When the SIEM receives logs and converts them into events.
Integration Enables connection to log sources, external data and systems.
Investigation Once a case has been triaged and determined to be a true positive, it is under investigation.
L
Label Packages A collection of labelling rules.
Labelling Rule Searches for a specific key/value pair in the incoming log message and adds the relevant label when it is found.
Labels Additional cleartext descriptions applied to log messages after normalization and enrichment that give a clearer indication of what the log message is actually about than, for example, just the log event ID.
Lists Lists contain and manage values that filter search query result or enrich logs. Static lists contain values that aren't changed unless you edit them. Dynamic lists store values that are updated using the toList process command and are used to enrich logs.
Log Message The original parsed log entry saved as a string in the msg field. Synonymous with raw log. Afterwards, the messages are normalized, enriched and labeled to generate Events.
Logpoint Collector A Logpoint node or server responsible for the processing of inbound log messages, in addition to outbound communication with log sources through the use of fetchers.
Logpoint Instance An instance of the Logpoint image running on physical or virtual hardware or in the cloud. Each Logpoint server instance is deployed from the same image, but can perform one or more of three Logpoint roles.
Logpoint Portal Gives you access to Logpoint SaaS related resources including Logpoint instances, Product Hub, Knowledge Center and Support from a centralized location.
Logpoint Search Head Responsible for providing the analytics GUI, distributing search queries to one or more Storage Nodes, aggregating the results for a single search result and presenting the results of these queries in Dashboards, Alert rules and Reports.
Logpoint Search Master (LPSM) Gives analysts a quick overview of all the activity and analytics across all Fabric-enabled (Director-Managed) Logpoint environments from a single interface. Using the LPSM, a user doesn’t have to log into each interface separately.
Logpoint Storage Node A Logpoint server responsible for the storage of log messages, including their indexes.
M
Macro A saved, uniquely named search query that you can reuse.
Message After Logpoint ingests a log, the log is split into separate messages and is normalized to a common taxonomy in the form of events.
MSSP Managed Security Service Provider. MSSPs use Logpoint products to provide cybersecurity services to small and medium-sized businesses.
N
Node Synonymous with Logpoint server.
Normalization Packages Contain one or more normalizers to normalize raw log messages.
Normalization Policies A combination of one or more normalization packages. It is one of the policies specified by the Processing Policy added to a device.
Normalizing Translates a raw log message into Logpoint taxonomy.
O
Open Door The communication gateway between Logpoint machines. You must enable Open Door on the main Logpoint or Search Head before adding a remote Logpoint to your environment. Then you can centrally manage all your logs.
P
Parser Adjusts granularity. When Logpoint ingests a log, a parser splits the log into one or more individual log entries and saves them as messages in the form of strings.
Parsers Parsers analyze the incoming log data and extract individual logs from it. These logs are then broken into smaller elements so that each log can be processed separately.
Permissions Groups Control user access management. Permission groups organize the individual permissions that grant access to your users.
Playbook Actions A single automated step within the incident response process. Actions are the building blocks of a playbook. An action can retrieve the necessary data from a vendor product and bring it into Logpoint.
Playbook Input Parameters Correspond to Logpoint SIEM based data. These parameters are the data SOAR will retrieve and use from SIEM.
Playbook Prompt Action Sends a message to users that a manual action is required. The playbook stops running and only starts again after the prompt is responded to.
Playbooks Automate threat detection, investigation and response processes within SOAR.
Pool A complete Logpoint environment; it can include one or more Search Heads, Storage Nodes and Collector Nodes.
Processing Policies Combines normalization, enrichment and routing policies into a single policy that is then assigned to a device.
R
Raw Syslog Forwarder Collects and forwards raw logs from a Logpoint to a remote target. Unlike regular syslog forwarders, raw syslog forwarders do not normalize or process the logs; they forward the logs in their original form to designated Logpoints. They are useful when many incoming log streams need to be aggregated and forwarded over the network without each source device being directly connected to the destination Logpoint Collector node.
Repo - High Availability Lets you access logs even when a server or repository is down or unresponsive.
Report Static, printable representation of Logpoint data often used to provide evidence or audit information to demonstrate compliance.
Repository (Repo) A log storage location to which logs are routed by the Routing Policy assigned to a device.
Routing Policy Determines in which repository, on which specific Logpoint node, incoming log data is stored.
S
Search API Endpoint enabling log search and retrieval of search information from outside Logpoint.
Search Head Provides the GUI for Logpoint and runs all the analytics including dashboards and search templates. It aggregates search results, surfacing alerts and SOAR Playbook execution.
Search Package A collection of saved searches that you can run again without retyping them. Search Packages group individual searches so you can organize them and run the one you need.
Search Template A GUI-driven data search and visualization, not unlike a dashboard.
Signature Defines the rules of extracting the key-value pairs from a raw log. Collectors apply signatures to logs in order to normalize them.
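The Definers, Fields, Labelling Rule, Normalizing, Enrichment, Static Enrichment and Dynamic Enrichment entries, together with the Signature entry above, describe one pipeline: a signature built from definers extracts key-value pairs from a raw log into a taxonomy, a labelling rule adds a label, and enrichment joins in context either at ingest or at query time. The following is an added example written for this glossary, not Logpoint's normalizer or enrichment format: the definer names, the `<field:definer>` signature syntax, the taxonomy keys (`msg`, `user`, `source_address`, ...) and the table contents are all assumptions, and the sample log lines are constructed.

```python
"""Illustrative normalization pipeline: definers expanded into a signature,
key-value extraction into a taxonomy, a labelling rule, and static versus
dynamic enrichment. Generic code written for this glossary; the definer names,
the <field:definer> signature syntax, the taxonomy keys and the table contents
are assumptions, not Logpoint's own normalizer or enrichment format."""
import re

# Definers: simplified patterns that expand to regular expressions (assumed syntax).
DEFINERS = {
    "ts": r"\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}",
    "word": r"\S+",
    "int": r"\d+",
    "ip": r"(?:\d{1,3}\.){3}\d{1,3}",
}


def compile_signature(template):
    """Turn '<field:definer>' placeholders into named capture groups; literal text is escaped."""
    parts, pos = [], 0
    for m in re.finditer(r"<(\w+):(\w+)>", template):
        parts.append(re.escape(template[pos:m.start()]))
        field, definer = m.groups()
        parts.append(f"(?P<{field}>{DEFINERS[definer]})")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts))


# A normalizer: signatures, each with the constant taxonomy fields a match implies.
SSHD_NORMALIZER = [
    (compile_signature("<log_ts:ts> <device_name:word> sshd[<process_id:int>]: "
                       "Failed password for <user:word> from <source_address:ip> port <source_port:int> ssh2"),
     {"action": "login", "status": "failure"}),
    (compile_signature("<log_ts:ts> <device_name:word> sshd[<process_id:int>]: "
                       "Accepted publickey for <user:word> from <source_address:ip> port <source_port:int> ssh2"),
     {"action": "login", "status": "success"}),
]

# Labelling rules: key/value pairs to look for in the normalized message, and the label to add.
LABELLING_RULES = [
    ({"action": "login", "status": "failure"}, "Authentication Fail"),
    ({"action": "login", "status": "success"}, "Authentication Success"),
]

# Constructed enrichment tables. ASSETS is joined at ingest (static), USERS at query time (dynamic).
ASSETS = {"10.0.0.5": {"host_name": "ws-alice", "department": "finance"}}
USERS = {"alice": {"user_title": "Accountant"}, "bob": {"user_title": "Sysadmin"}}
STATIC_ENRICHMENT = [("source_address", ASSETS)]  # enrichment criteria: field to match -> table


def normalize(raw):
    """Keep the raw log in msg; add taxonomy key-value pairs when a signature matches."""
    event = {"msg": raw}
    for signature, constants in SSHD_NORMALIZER:
        m = signature.match(raw)
        if m:
            event.update(m.groupdict())
            event.update(constants)
            break
    return event


def label(event):
    """Apply every labelling rule whose key/value pairs are present in the event."""
    for criteria, lbl in LABELLING_RULES:
        if all(event.get(k) == v for k, v in criteria.items()):
            event.setdefault("label", []).append(lbl)
    return event


def enrich_static(event):
    """Static enrichment: looked up once at ingest and stored (and indexed) with the event."""
    for field, table in STATIC_ENRICHMENT:
        event.update(table.get(event.get(field), {}))
    return event


def ingest(raw_lines):
    return [enrich_static(label(normalize(line))) for line in raw_lines]


def query(events, dynamic=("user", USERS), **filters):
    """Search by field/value; dynamic enrichment is computed per result and never stored."""
    field, table = dynamic
    return [{**ev, **table.get(ev.get(field), {})}
            for ev in events
            if all(ev.get(k) == v for k, v in filters.items())]


# Constructed sample logs (not from a real system). The CRON line matches no signature.
RAW_LOGS = [
    "May  1 10:00:01 bastion sshd[4242]: Failed password for alice from 10.0.0.5 port 51514 ssh2",
    "May  1 10:00:05 bastion sshd[4243]: Accepted publickey for bob from 10.0.0.7 port 51520 ssh2",
    "May  1 10:00:09 bastion CRON[99]: pam_unix(cron:session): session opened for user root",
]

if __name__ == "__main__":
    for hit in query(ingest(RAW_LOGS), status="failure"):
        print(hit)
```

Note the two failure modes the pipeline has to handle: a log that matches no signature is still kept, with only its `msg` field, so nothing is silently dropped, and a dynamically enriched field exists only in the query result, never in the stored event, which is why the Static Enrichment entry describes static enrichment as indexed and faster.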
SOAR Security Orchestration, Automation, and Response.
Static Enrichment Static Enrichment is applied at data ingestion, either during collection or storage. Static Enrichment is faster and more efficient than Dynamic Enrichment. Because Static Enrichment is indexed, it performs well across large data sets.
Static Lists Static lists are a collection of pre-defined values that don't change unless you add or remove values from it.
Storage Node A Logpoint server responsible for the storage of log messages, including their indexes. Storage Node services query requests from one or more Search Heads, by returning the results for the log messages it holds that match the incoming query.
Syslog Collector Collects logs from the sources that follow the Syslog protocol. These logs are then forwarded to Logpoint for storage and analysis. Users can create syslog collector log sources from scratch or use templates tailored to specific devices or applications.
Syslog Forwarder Collects and normalizes logs from different sources, including syslog collectors, and forwards them to a target via a TCP connection on port 514.
Syslog Forwarder File Fetcher Fetches logs from remote targets forwarded by the Syslog Forwarder.
T
Tables Tables store data used to enrich logs. You can create a table and then use the toTable process command to add data dynamically.
Targets Targets are the devices where raw syslog messages are forwarded.
Taxonomy The key-value pairs into which normalized logs are translated.
Threat Intelligence An enrichment source that can be used to ingest Indicators of Compromise from a variety of third-party Threat Intelligence providers, some free and some commercial.
Triage Determines whether an incident should be escalated to a case, kept as low priority until additional information helps the analyst decide, or be dismissed as a false positive.
U
UEBA Compares baseline behaviour with current user and entity behaviour to determine a potential risk.
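The Anomalies, Baseline and UEBA entries describe the same mechanism: a baseline of past behaviour per user or entity, and a measure of how far current behaviour deviates from it. The following is an added example written for this glossary, not Logpoint's UEBA model: a per-user baseline of daily login counts as mean and standard deviation, a z-score for today's count, and an anomaly flag above a threshold. The constructed data, the z-score method, the floor on the standard deviation and the threshold of 3 are assumptions.

```python
"""Illustrative UEBA baseline and anomaly scoring: each user's historical
daily login counts form a baseline, and today's count is compared against it.
Generic code written for this glossary with constructed data; the z-score
method, the floor on the standard deviation and the threshold are assumptions,
not Logpoint's UEBA model."""
from statistics import mean, pstdev

# Constructed history: logins per day over the baseline period, per user.
HISTORY = {
    "alice": [3, 5, 3, 5, 3, 5],   # mean 4, standard deviation 1
    "bob":   [4, 6, 4, 6],         # mean 5, standard deviation 1
    "carol": [2, 2, 2, 2],         # perfectly regular: standard deviation 0
}
# Constructed current-day counts; dave has no history at all.
TODAY = {"alice": 40, "bob": 7, "carol": 8, "dave": 3}

MIN_STDEV = 1.0  # floor so a perfectly regular baseline cannot cause a division by zero


def build_baseline(history):
    """Baseline per entity: (mean, standard deviation) of the observed counts."""
    return {entity: (mean(counts), pstdev(counts)) for entity, counts in history.items() if counts}


def detect_anomalies(history, current, threshold=3.0):
    """Compare current behaviour with the baseline. Returns anomalies (z-score above
    the threshold) and entities that cannot be scored because they have no baseline."""
    baseline = build_baseline(history)
    anomalies, no_baseline = {}, []
    for entity, value in current.items():
        if entity not in baseline:
            no_baseline.append(entity)  # a new account has no baseline yet; report, do not score
            continue
        mu, sigma = baseline[entity]
        z = (value - mu) / max(sigma, MIN_STDEV)
        if z > threshold:
            anomalies[entity] = {"observed": value, "baseline_mean": mu, "z": z}
    return {"anomalies": anomalies, "no_baseline": no_baseline}


if __name__ == "__main__":
    result = detect_anomalies(HISTORY, TODAY)
    for user, detail in result["anomalies"].items():
        print(user, detail)
    print("no baseline yet:", result["no_baseline"])
```

alice (40 logins against a baseline of 4) and carol (8 against a perfectly regular 2) are flagged; bob's 7 against a baseline of 5 is within normal variation; dave is listed separately because a user with no history has no baseline to deviate from, which is a case any baseline-driven detector has to handle rather than score as zero risk.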
V
Values Values are the terms extracted from the log message. A value can be either a definer or a regex.
Vendor Dashboard Dashboards give you log source data visualization updated in real-time. Out-of-the-box dashboards included with the integration are termed Vendor Dashboards.
Vendor Field Mapping Any normalized log message contains fields and values, or key/value pairs, that are indexed. By searching for fields and values instead of full text, results can be returned much more quickly because the index can be used. You can use Vendor Field Mapping tables to see which vendor or third-party log fields are mapped to which Logpoint fields. How fields are mapped is determined by the normalizer used.