Log Process Example
The following is an example of the decision process for choosing which logs to feed into Advanced Analytics. It lists the general questions to ask, with answers based on this example log:
"Aug 14 22:13:03 10.130.168.57 vendor=Forcepoint product=Security product_version=8.3.0 action=permitted severity=1 category=1913 [email protected] src_host=10.130.164.49 src_port=49265 dst_host=host.com dst_ip=2.2.2.2 dst_port=443 bytes_out=0 bytes_in=4805 http_response=0 http_method=CONNECT http_content_type=- http_user_agent=Mozilla/5.0_(Windows_NT_6.1;_WOW64)_AppleWebKit/537.36_(KHTML,_like_Gecko)_Chrome/59.0.3071.109_Safari/537.36 http_proxy_status_code=200 reason=%<reasonString> disposition=1028 policy=Exceptions_and_Filter_Updates**BasicBlocking role=1807 duration=4 url=https://exampledomain.com/download/virus.exe"
First, determine whether the log has security significance. In this case, the log comes from a web proxy product that records user access to websites, so it has security significance.
Answer the following questions to perform an initial analysis of the log:

Can the log be tied back to a user or device?
Yes, the log can be tied back to a user ([email protected]). It also carries the source device (src_host=10.130.164.49), which helps if the user field is ever empty.

Does the log have a complete time field?
No, the log time (Aug 14 22:13:03) is missing the year, so exabeam_time will be used instead.

What product or vendor produced these logs?
Forcepoint (vendor=Forcepoint). It would also help to know the product, but it is not crucial in this case.
Next, perform the secondary analysis, asking whether the log can be mapped to an Exabeam Event Type.
The event type for this log is "web-activity-allowed": the request was permitted (action=permitted, http_proxy_status_code=200), even though the matched policy name contains "BasicBlocking". We expect "web-activity-allowed" logs to carry "web_domain" and user information, both of which this log provides (the domain can be taken from the url or dst_host field).
Based on these answers, we can conclude that Exabeam will provide value by ingesting this log.
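The decision process above can be run mechanically over a raw log line. The following is an added example written for this page; it is not Exabeam code and does not reflect how Exabeam parses logs internally. It splits the syslog header from the key=value body, then answers each question in turn: is there a user or device field, does the timestamp carry a year, who is the vendor, and does the line map to "web-activity-allowed" with the fields that type requires. The sample lines are constructed, and the field names user and src_host, the list of accepted timestamp layouts, and the mapping rule (a url or http_method field plus action=permitted) are assumptions for the example.

```python
"""Triage a key=value proxy log against the questions on this page."""
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample, modeled on the Forcepoint line above. The user field
# name and value are assumed placeholders, not copied from a real log.
SAMPLE_LOG = (
    "Aug 14 22:13:03 10.130.168.57 vendor=Forcepoint product=Security "
    "product_version=8.3.0 action=permitted severity=1 category=1913 "
    "user=jdoe@example.com src_host=10.130.164.49 src_port=49265 "
    "dst_host=host.com dst_ip=2.2.2.2 dst_port=443 bytes_out=0 bytes_in=4805 "
    "http_method=CONNECT http_proxy_status_code=200 "
    "policy=Exceptions_and_Filter_Updates**BasicBlocking role=1807 duration=4 "
    "url=https://exampledomain.com/download/virus.exe"
)

# Constructed negative case: same event, but with no user attribution at all.
NO_USER_LOG = (
    "Aug 14 22:14:10 10.130.168.57 vendor=Forcepoint action=permitted "
    "src_host=10.130.164.50 http_method=GET http_proxy_status_code=200 "
    "url=http://exampledomain.com/index.html"
)

# Classic syslog header: "Mon DD HH:MM:SS host <body>" (day may be space-padded).
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$"
)
# key=value pairs; values in this format contain no spaces.
KV = re.compile(r"(\w+)=(\S+)")

# Assumed field names that tie an event to a user or a device.
USER_FIELDS = ("user", "src_user", "account")
DEVICE_FIELDS = ("src_host", "src_ip", "hostname")

# Assumed timestamp layouts that carry a full date (year included).
COMPLETE_TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S", "%Y-%m-%d %H:%M:%S")

# Fields an event type must provide before the log is worth ingesting.
REQUIRED_FIELDS = {"web-activity-allowed": ("web_domain", "user")}


def parse_line(line):
    """Split the syslog header off and return (header timestamp, field dict)."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        raise ValueError("line does not start with a syslog header")
    return m["ts"], dict(KV.findall(m["rest"]))


def first_present(fields, names):
    """Return the value of the first listed field that is present and non-empty."""
    return next((fields[n] for n in names if fields.get(n)), None)


def time_is_complete(ts):
    """True only if the timestamp parses with a layout that includes the year.
    A bare syslog time such as 'Aug 14 22:13:03' fails every layout, so the
    caller falls back to exabeam_time."""
    for fmt in COMPLETE_TIME_FORMATS:
        try:
            datetime.strptime(ts, fmt)
            return True
        except ValueError:
            continue
    return False


def map_event_type(fields):
    """Assumed mapping rule: a web field plus a permitted action is web-activity-allowed."""
    is_web = "url" in fields or "http_method" in fields
    if is_web and fields.get("action", "").lower() in ("permitted", "allowed"):
        return "web-activity-allowed"
    return None


def derive_web_domain(fields):
    """web_domain comes from the url host if present, else from dst_host."""
    if fields.get("url"):
        host = urlparse(fields["url"]).hostname
        if host:
            return host
    return fields.get("dst_host")


def triage(line):
    """Answer the page's questions for one line and decide whether to ingest it."""
    header_ts, fields = parse_line(line)
    user = first_present(fields, USER_FIELDS)
    device = first_present(fields, DEVICE_FIELDS)
    complete = time_is_complete(fields.get("time", header_ts))
    event_type = map_event_type(fields)
    derived = {"web_domain": derive_web_domain(fields), "user": user}
    missing = [f for f in REQUIRED_FIELDS.get(event_type, ()) if not derived.get(f)]
    return {
        "vendor": fields.get("vendor"),
        "product": fields.get("product"),
        "user": user,
        "device": device,
        "identity_resolved": bool(user or device),
        "time_complete": complete,
        "time_source": "log" if complete else "exabeam_time",
        "event_type": event_type,
        "web_domain": derived["web_domain"],
        "missing_fields": missing,
        "ingest": bool(user or device) and event_type is not None and not missing,
    }


if __name__ == "__main__":
    for line in (SAMPLE_LOG, NO_USER_LOG):
        print(triage(line))
```

The negative sample still resolves to a device and still maps to "web-activity-allowed", but the missing user field is reported and the ingest decision flips to false; that is the check a practitioner wants before onboarding a new source, since a feed of well-formed but unattributable events adds volume without adding value for user-behaviour analytics.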