WebsiteLoginKostenloser TestzugangCommunity

Streams

This view displays all saved streams. Streams act as saved filters that can be used to display or further process specific log data. Existing streams can be edited directly in the overview or supplemented with new ones.

You can find this view under SIEM – Streams.

Add new stream

From the stream overview, click on “+Add stream” in the upper right corner. You will then be taken to the configuration view.

  1. Name Assign a meaningful name under which the stream will be displayed in the overview.

  2. Description Optional: Briefly describe the purpose or function of the stream.

  3. Tags Assign tags to group streams by topic or make them easier to find later.

  4. Severity Assign a severity level to your stream. You can choose between the following options: Low, Medium, High, or Critical.

  5. Search filter Click on “+Add search filter” to add a new filter to your stream. In this section, you can specify which fields should be included in the stream.

  6. Use the free text search to manually define specific filters or patterns. Click on “+ Add search filter” to add further conditions. A window will open. Fill in the fields as follows and save the settings by clicking on “Add filter”:

    1. Field name Click in the field or use the free text input to select a field.

    2. Operator Click in the field and select from the following operators:

      1. Equal Only logs are considered where the field exists and the values defined below match.

      2. Unequal Only logs are considered where the field does not exist or where the values in the field differ from those defined below.

      3. Exists Only logs where the field is present are taken into account.

      4. Not Exists Only logs where the field is not present are taken into account.

    3. Value Enter a value that you want to filter by in the field. Click on the + next to the line to add more values. If there is more than one value, define a logical link between the values:

      1. Or The log must contain at least one of the defined values in the field.

      2. And The log must contain all of the defined values in the field.

    4. Logical Link Define how the logs should be examined for values. To do this, select one of the following options by clicking on the check mark:

      1. Exact matches The values in the field must correspond exactly to the spelling in the filter. Upper and lower case letters are also taken into account.

      2. Case insensitive The values in the field must match exactly the spelling in the filter. Upper and lower case letters are ignored.

      3. Regular expression When you select this option, a new field appears above the “Value” field. Enter a matching logic as a regular expression here.

      4. Full-text search The values must correspond exactly to the notation in the filter. Additional values may be present.

  7. Stream combination Click “+Add stream combination” to combine your new stream with existing streams. This is useful for creating complex queries or merging data from multiple streams.

    1. Add event streams Use the free text input field to select existing event streams or select the desired event stream from the overview that opens. Add further event streams by clicking on “+Condition.” Use the “And” or “Or” fields to define the logical link between the event streams; this applies to all other conditions specified under Event Streams in relation to each other.

    2. Add Sub requirements Click on “+Add sub-condition” to add a sub-condition to a selected condition. Add further sub-conditions by clicking on “+Sub-condition.” Use the ‘And’ or “Or” fields to define deviations from the logical links within the conditions.

  8. Result Preview The results preview provides you with a live insight into the data lake based on the search filters you have set. Use the preview to check the functionality of your filters live.

  9. Final Data query This area displays the complete query resulting from the defined search filters and combinations. It serves as a preview to check whether the stream is configured as desired and can be transferred to the data lake exactly as it is to obtain an identical result.

  10. Save Stream Complete the creation process by clicking on “Add stream.” The new stream will then appear in the stream overview, where it can be further edited.

PreviousWorkflowsNextIncidents

Last updated

Was this helpful?