Advanced Settings
Last updated
The custom fields are available to you to add further information to your SIEM. Create new custom fields and use them in conjunction with extractors to tailor your SIEM to your needs.
Enter a name and a short description.
Under “Field Name”, enter a unique name for the new field. After activation it is displayed in your SIEM with the prefix “custom”.
Under “Field type”, define the type and structure of the data to be stored in this field. Make sure you select the correct field type, as it determines how the SIEM processes, stores and accesses the data.
If you are undecided about the choice of your field type, we recommend using StrField (string fields).
A newly created field is activated by default. If you do not want this, or want to deactivate a field later, remove the tick from the activation checkbox.
Save your configuration by clicking “Save changes”.
The export view in the SIEM Data Lake gives you an overview of all data exported from the SIEM Data Lake. After you have created and exported streams in the Data Lake, for example for analyses or reports, you will find these exports collected in this separate view. The view only shows your own exports, i.e. the exports that you created as the logged-in user.
This view allows you to retrieve all data exported from the SIEM in a central location at any time without the need for manual administration.
If an alert is received in your SIEM system that you would like to analyze in more detail at a later date, you can create a stream in the data lake that collects all relevant information about this incident. The created stream can then be exported and saved in the export view. It will also be available to you there at a later date so that you can easily find the data again and use it for more in-depth analyses if required.
Bad IPs are IP addresses that are classified as harmful or unwanted and potentially pose a security risk. Use the Managed Bad IP Exceptions to enable the automatic detection and blocking of malicious IPs, or to whitelist addresses that are otherwise listed as bad. These rules increase the security of your infrastructure and let you take proactive measures against unwanted access.
You can also define new bad IP rules to block specific addresses, or add legitimate IPs to the whitelist. This ensures that your security policies fit your requirements and that legitimate users are not blocked by mistake.
Enter a name and a short description.
Then specify which IPs should be entered on the whitelist and which you would like to blacklist. To do this, enter the IPs in the relevant fields and add more by clicking on the plus sign.
Finally, save your settings with the “Add BadIP exception” button.
The overview lists all BadIP exceptions. Expand an entry to quickly see which IPs are on its blacklist or whitelist. Activate or deactivate an exception with a single click on the relevant button.
An input filter in your SIEM solution ensures that only relevant security-related data is processed, which significantly increases the efficiency of your system. By excluding irrelevant logs, you reduce the load on your infrastructure and improve the performance of your threat detection at the same time.
Switch to the “SIEM” view and open the “Advanced settings” item in the side menu. There you will find the “Input Filters”.
Click on the “Add Input Filter” button in the top right-hand corner.
Enter a name and description for your filter.
Your filter is active by default. If you do not want to activate it immediately, deactivate it by clicking the checkbox.
Now specify the source of your filter. The drop-down menu shows all available options; in this example the source is an event relay.
Enter the relevant event relay(s) below. Here too, you can quickly find the relevant entries in the drop-down list and add them with a click.
Then create your own filter fields using RegEx. Under “Name”, select the field whose values are to be filtered, and enter the corresponding pattern in the “Pattern” field. This tells your system what information a log must contain in order to be captured by the filter.
Common expressions here are, for example:
\d any digit
\w any word character
[a-z] a character in the range a-z
The following website can help you check that your RegExes work as intended: https://regex101.com/
Finally, save your configuration with the “Save changes” button.
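To illustrate how a set of field/pattern pairs selects events, here is an added Python example (not code from the SIEM product or this documentation). It assumes an input filter is a list of (field name, regex pattern) pairs that must all match for an event to be captured, uses search semantics (the pattern may match anywhere in the field value), and applies an optional event-relay source restriction; the event records and relay names are constructed sample data.

```python
import re

# Constructed sample events, shaped like records an event relay might forward to the SIEM.
SAMPLE_EVENTS = [
    {"source": "relay-01", "event_type": "login_failed", "user": "alice", "src_ip": "10.0.0.5"},
    {"source": "relay-01", "event_type": "heartbeat", "user": "", "src_ip": "10.0.0.9"},
    {"source": "relay-02", "event_type": "login_failed", "user": "svc_backup", "src_ip": "192.168.1.20"},
    {"source": "relay-02", "event_type": "login_ok", "user": "bob", "src_ip": "10.0.0.7"},
]


def compile_filter(filter_fields):
    """Compile each (field name, pattern) pair once; invalid patterns raise re.error here,
    before any event is processed, which is the place to catch typos in a new filter."""
    return [(name, re.compile(pattern)) for name, pattern in filter_fields]


def event_matches(event, compiled):
    """Every configured field must exist on the event and its value must match the pattern
    (assumed AND semantics, search anywhere in the value, values compared as strings)."""
    for name, regex in compiled:
        value = event.get(name)
        if value is None or regex.search(str(value)) is None:
            return False
    return True


def apply_input_filter(events, filter_fields, sources=None):
    """Return the events captured by the filter.

    sources: optional set of event-relay names; events from other relays are
    skipped before the field patterns are evaluated (hypothetical source step).
    """
    compiled = compile_filter(filter_fields)
    captured = []
    for event in events:
        if sources is not None and event.get("source") not in sources:
            continue
        if event_matches(event, compiled):
            captured.append(event)
    return captured


if __name__ == "__main__":
    # Capture only failed logins coming from the 10.0.0.0/8 range (\d matches any digit).
    rules = [("event_type", r"^login_failed$"), ("src_ip", r"^10\.\d+\.\d+\.\d+$")]
    for event in apply_input_filter(SAMPLE_EVENTS, rules):
        print(event["source"], event["user"], event["src_ip"])
```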