Create a Log Source Policy
You can configure a log source policy that defines the criteria for monitoring log sources and sets up notifications for log sources that go silent. Based on the configured policy, you can monitor log sources and generate real-time alerts for anomalies, supporting timely threat detection and proactive incident response. Log source policies let you identify unique log sources and detect the ones that have gone silent.
Log in to the New-Scale Security Operations Platform with your registered credentials as an administrator.
On the New-Scale Security Operations Platform home page, click the Log Sources tile to view Log Source details. Alternatively, in the left pane, navigate to the Log Sources section.
Click New Policy.
On the New Policy page, enter the following information.
Policy Name – Specify a name for the log source policy.
Condition – Define criteria to discover log sources using conditions.
Add Condition – Specify the values for Field and operator based on which you want to discover various log sources.
You can use any CIM field as a Filter field. For example, to apply the filter to all Microsoft logs, configure the filter vendor contains 'Microsoft'.
Note
A log source is always matched to the same policy consistently. After a log source is matched to a specific policy, it remains associated with that policy unless the policy is disabled or deleted. In policy conditions, the expressions HasContextKey, GetContextAttribute, and GetDynamicContextAttribute are not supported. Although these expressions are available when configuring enrichment rules, you cannot use them in log source policy conditions.
Add Group – Click Add Group to configure complex filters based on multiple conditions.
Log Source Identifier – Select up to two identifiers to serve as unique identifiers to discover log sources.
Most commonly, a single identifier is enough. For example, to identify Windows hosts, you can select the host option as the Log Source Identifier. In more complex cases, such as monitoring individual applications within each host, two Log Source Identifiers can be configured: host and product.
Silent Notification Preferences – In the Warn After Silent for field, select a duration between 1 - 24 hours to set the condition for detecting a silent log source. This is the period of inactivity after which a log source is considered silent: if a log source produces no events for the specified duration, it is classified as silent.
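To make the policy semantics concrete, the following added example (written for this page, not Exabeam's own code) emulates how such a policy is evaluated: events matching the condition vendor contains 'Microsoft' are grouped into log sources by the two identifiers host and product, and any source with no event for longer than the Warn After Silent for threshold is reported as silent. The events, field names and the case-insensitive "contains" match are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from any real platform); timestamps are UTC.
EVENTS = [
    {"time": "2024-05-01T08:00:00", "vendor": "Microsoft", "host": "dc01", "product": "Windows"},
    {"time": "2024-05-01T09:30:00", "vendor": "Microsoft", "host": "dc01", "product": "Sysmon"},
    {"time": "2024-05-01T08:15:00", "vendor": "Microsoft", "host": "ws07", "product": "Windows"},
    {"time": "2024-05-01T10:00:00", "vendor": "Cisco", "host": "fw01", "product": "ASA"},
]

# Policy modelled on the fields described above (the key names are this example's own).
POLICY = {
    "name": "Microsoft hosts and products",
    # Condition: vendor contains 'Microsoft' (case-insensitive substring match is an assumption)
    "condition": lambda e: "microsoft" in str(e.get("vendor", "")).lower(),
    "identifiers": ("host", "product"),  # up to two CIM fields identify one log source
    "warn_after_hours": 4,               # documented range is 1 - 24 hours
}

def validate_policy(policy):
    """Reject policies that fall outside the documented limits."""
    if not 1 <= len(policy["identifiers"]) <= 2:
        raise ValueError("select one or two log source identifiers")
    if not 1 <= policy["warn_after_hours"] <= 24:
        raise ValueError("Warn After Silent for must be between 1 and 24 hours")

def evaluate_policy(policy, events, now_iso):
    """Return (last_seen, silent): last_seen maps each discovered source (a tuple
    of identifier values) to its newest event time; silent lists the sources whose
    last event is older than the warn_after_hours threshold at time now_iso."""
    validate_policy(policy)
    now = datetime.fromisoformat(now_iso)
    last_seen = {}
    for e in events:
        if not policy["condition"](e):
            continue  # the event belongs to no source under this policy
        key = tuple(str(e.get(f, "")) for f in policy["identifiers"])
        ts = datetime.fromisoformat(e["time"])
        if key not in last_seen or ts > last_seen[key]:
            last_seen[key] = ts
    threshold = timedelta(hours=policy["warn_after_hours"])
    silent = sorted(k for k, t in last_seen.items() if now - t > threshold)
    return last_seen, silent

if __name__ == "__main__":
    seen, silent = evaluate_policy(POLICY, EVENTS, "2024-05-01T13:00:00")
    for host, product in silent:
        print(f"silent log source: host={host} product={product} last seen {seen[(host, product)]}")
```

The Cisco event is never discovered by this policy, and dc01/Sysmon is not reported because it was seen within the last four hours.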