LogSentinel SIEM Dashboard¶
The home dashboard is the main place for day-to-day usage of the product. It has several components:
- Statistics - general statistics about your organization as well as charts of certain attributes
- Main timeline chart - The main timeline of log entries
- Reports - Reporting functionality in various formats
- Custom charts - Additional custom, user-defined charts
- Exports - Exporting functionality in various formats
- Search query bar - A way to query the logs with detailed search queries
- Log entries list - A list of all entries that satisfy the current search criteria and period; by default it shows all the latest entries
- Time aggregations - Aggregated statistics over smaller time periods
- Numeric aggregations - Perform aggregation functions on numeric parameters
- Relationship graph - Visual representation of the relationship between the entries in the current result
The top row shows the current number of log entries per minute, the total number of log entries, distinct actors, actions and entities as well as the alerts recently triggered. Note that statistics is cached, so it's not real-time.
A little further down are the statistics charts which display the top actors, actions, entities and data sources by number of log entries. The charts can be expanded to show the actual values. There's also a link to the rankings pages to display the top actors/actions/entries for a selected period.
Both the statistics row and the charts are updated when the period of the main timeline is changed from the timepicker on the right.
The statistics row also contains information about the status of background log integrity verification. The green icon indicates that the log is intact. In exceptional cases of someone trying to manipulate the logs, the icon turns red.
Main timeline chart¶
The main timeline charts show the log activity over a selected period of time. The default period is three days.
The period can be changed in two ways: via the timepicker on the right or via slicing the chart with the mouse. Changing the period not only changes the visualized timeline but also the search period in the entries list below. That way you can visually inspect a certain period of time for the current search query. The currently sliced period can be reset via a button that appears ontop of the chart.
Additionally, you an click on a each point on the chart (points are placed at hourly intervals) which will select a 1-hour period starting from that point and apply it to the current search.
Custom charts that are defined in the "Charts" menu appears below the default statistics charts. Charts can be defined as aggregations on a specific field with or without an additional query. For example a chart can display the top actors that have performed one of particular set of actions.
Custom charts can be bar, pie, line, doughnut and can have custom or random colors defined. Charts can be created ontop of event data as well as alert data.
Custom dashboards can be defined by users for easier analysis and day-to-day activities. A dashboard is a combination of saved searches and charts.
Above the main timeline chart are reporting buttons. A high-level report for the currently selected period can be exported in either PDF, XLSX or HTML formats. Reports contain an overview of the log activity over the selected period of time.
Additionally, reports are generated periodically and sent via email. The reporting periods are defined from the "Charts" page and can be "daily", "weekly", "monthly" and "yearly". Multiple report recipients can also be configured.
For more information about reports, check the Reports section.
The currently displayed log entries can be exported to various formats - CSV, XLSX, TXT, JSON and protobuf. The export is done from the buttons right above the entries list.
Search (query bar)¶
The search query bar is the way to define detailed queries to search through the logs. The queries are in the format
field:value, where field is either one of the predefined fields or
params which are either automatically extracted or explicitly specified in the log requests. The
params.XYZ parameters are autocompleted for the currentl selected data source(s).
The query language is based on the Elasticsearch query string DSL, as documented here.
details field allows full-text search using
details:*value*, including regular expressions. The
details field contains the raw (unstructured) data for each entry.
Multiple query parts can be used with
OR or by using parentheses to wrap clauses.
There are buttons to help with query generation - each button appends additional part of the query. The additional params can be found in the "params" dropdown.
SQL queries are also supported:
SELECT * FROM logs WHERE action="delete". AND and OR WHERE clauses are also supported.
Queries are run over a search period. The period is defined from the timepicker on the right. This timepicker is usually in sync with the one for the main timeline chart, but does not have to be, i.e. you can display entries over 3 days and search only within the past 10 hours.
Queries can be performed over all data soruces or to one or more of them. You can select them via a data source dropdown. By default the query is performed on all data sources.
Common queries can be saved from the dropdown next to the search button and then executed without the need to retype them.
Finally, if log details have been encrypted before sending them, you can perform search in the encryped data by specifying the symmetric (AES, base64-encoded) key in the encryption key field on the right. The key is never transmitted to the server so the decryption are performed entirely client-side on the results that are fetched based on the the encrypted keywords.
Log entries list¶
The entries list contains all entries that satisfy the current search query. If there is no search query, the latest processed entries are displayed for all data sources.
The list has the following columns:
- Actor - the column contains the actor for the current entry. If there is an
actorDisplayNamespecified, it is shown instead of the actorId, which is assumed to not be human-readable. If there is no
actorIdis displayed. Additionally, if any roles have been specifed for the actor, they are displayed in parentheses
- Action - the action that has been performed. In case the actor is a non-person (e.g. a system actor), the action is the event that occurred.
- Entity - the entity about which the log is. The semantics depends on the type of logs, but usually an entity has an ID as well. Both are displayed in this column as "
# ". In case a database is monitored, for example, this would be "table#primary key".
- Details - this is the body of the log and can contain anything. It is trimmed in the table so clicking each cell is required to show the entire content. You can define a formatting function for standard formats (JSON and XML) that would allow displaying the values as a table rather than as a raw message.
- Timestamp - when did the even occur. The time is shown in the current user timezone. The clock icon opens a dialog that displays details about the cryptographic timestamp over a block of events. The base64-encoded token is in a RFC3161-specified format. The timestamp can be either the received timestamp or the original event timestamp (configurable from the arrow above the column)
- Params - any
paramsthat were specified as part of the requests or extracted dynamically. For each IP and domain/URL parameter, geolocation data is dispalyed. Additionally, in the same column, the following is displayed:
- Level - the log level, if one has been specified. Log levels can be: TRACE, DEBUG, INFO, WARN, ERROR, CRITICAL, FATAL.
- Hash - opens a dialog where a number of details are shown: the individual hash of the entry, the hash as part of the hash chain, the entry id as well as the previous entry id (previous in the hash chain). These values can be used for log verification, e.g. for obtaining merkle proofs.
- Tags - any tags that are automatically or manually assigned to the log entry are displayed here.
From the list you can generate simple queries by clicking on one of the fields (actorId, action, entity, param value).
The log entries list can be static or updated in real time. The period of update is specified through a dropdown.
All log entries that contain an IP address get geolocation information (visualized by a flag, with additional details on hover).
Time aggregations show charts spit by hour, day, week, month or year, as well as the number of entries for the last periods of the selected type. Charts can be show for all applications or for a paricular application.
Certain parameters (
params) can be numeric. If there are such parameters, users can perform aggregations on them. The supported aggregations are: average, sum, min and max.
The relationship graph is a visualization aid for the current search results. The graph displays the relationships between actors, actions and entities. It can be useful for analyzing actor behavior.