LogSentinel SIEM works by collecting data from multiple sources, detecting threats and allowing for an efficient incident response. The general flow looks as follows:
The steps that an organization would normally take when working with LogSentinel SIEM
Registering an account is easy and leads you to an empty dashboard. The registered user becomes the account administrator (this can be changed later). Registration is free, so this step can be done prior to purchasing a subscription in order to test the service.
Connecting the first source
First, you need to define the data source in the LogSentinel SIEM UI from the "Data source" menu item. You can ignore most properties for now and just set a friendly name.
Then the actual source can be connected in several ways:
- LogSentinel Collector - check the documentation to connect an ActiveDirectory, an application text file or to set a firewall's syslog endpoint.
- Cloud integrations - just go to the "Integrations" page on the menu and connect to any of the supported SaaS and IaaS.
- Agent - install the endpoint agent locally and configure it to collect local logs. The agent is Wazuh/OSSEC compatible.
- LogSentinel SIEM API - send audit logs directly to LogSentinel SIEM by connecting applications via the LogSentinel API.
Queries can be written in two formats:
- Lucene - keys and values are separated by a colon, e.g.
- SQL - familiar SQL syntax, e.g.
SELECT * FROM logs WHERE params.sourceIP="220.127.116.11"
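When queries are built by scripts rather than typed by an analyst, the field value has to be quoted and escaped so it cannot change the structure of the query. The following is an added example, not code from the LogSentinel documentation: it produces the page's SQL query and the equivalent Lucene term from one set of filters. The `logs` table and the `params.sourceIP` field come from the page; the Lucene `key:"value"` form is standard Lucene syntax, and doubling a double quote inside a SQL string literal is an assumption about the dialect.

```python
# Added example (not from the LogSentinel docs): build the same filter in
# both query dialects the page names, escaping values so that a field value
# taken from a ticket or a script cannot alter the query's structure.
# The `logs` table and the params.* field follow the page's SQL example;
# the Lucene key:"value" form is standard Lucene syntax and is assumed here.
from typing import Mapping


def _check_field(key: str) -> None:
    """Field names are dotted identifiers; reject anything else outright."""
    if not key.replace(".", "").replace("_", "").isalnum():
        raise ValueError(f"unexpected field name: {key!r}")


def lucene_query(filters: Mapping[str, str]) -> str:
    """key:"value" terms joined with AND; backslash and quote are escaped
    so the value stays a single quoted phrase."""
    terms = []
    for key, value in filters.items():
        _check_field(key)
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        terms.append(f'{key}:"{escaped}"')
    return " AND ".join(terms)


def sql_query(filters: Mapping[str, str]) -> str:
    """SELECT over the logs table. The page quotes literals with double
    quotes, so an embedded double quote is doubled (assumed dialect rule)."""
    clauses = []
    for key, value in filters.items():
        _check_field(key)
        escaped = value.replace('"', '""')
        clauses.append(f'{key}="{escaped}"')
    return "SELECT * FROM logs WHERE " + " AND ".join(clauses)


if __name__ == "__main__":
    # Constructed input: the IP from the page's own SQL example.
    flt = {"params.sourceIP": "220.127.116.11"}
    print(lucene_query(flt))
    print(sql_query(flt))
```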