This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Generic Log Sources

    While we make an effort to support a wide variety of Integrations and different types of log sources, it is possible that there may be a log source that you would like to ingest into the Samurai platform which we are not able to parse and analyze. This is especially true for events generated via syslog log sources.

    The fact that we are not able to use a log source for detections doesn’t mean that it won’t still be useful to ingest into the Samurai platform. We will ingest any event data, provided via syslog (sent to a Samurai local collector), into our data lake and you will still be able to analyze that event data using Advanced Query. This allows you to include events from generic log sources when you are performing queries.

    highlight.png If you configure an unsupported log source to send syslog to a Samurai local collector it will be displayed in the Samurai MDR portal under Vendor and Product as unknown. However you can provide a description to allow you to keep track of them. Refer to Integration Actions for providing a description.

    If a log source, ingested via syslog, does not match one of our supported integrations, we will ingest the log events, which will still contain, amongst others, the following fields:

    • timestamp: the time at which the log message was ingested
    • collector: the id of the collector which ingested the event
    • host: the source host from which the event was received
    • raw: the complete raw log message

    You can then proceed to query these events using Advanced Query. For example, the following KQL query finds all the attempts to connect to a host using invalid user ids and then counts the attempts by source IPv4 or IPv6 address:

    events | where host == "10.1.1.1" and i(raw contains "Invalid" or raw contains "failed") and raw !contains "connect" | project timestamp, user = extract("user ([a-zA-Z0-9\\-]+) from ", 1, raw), ipaddr = extract(".+ ([0-9a-f]+[\\:\\.][0-9a-f\\.\\:]+) ", 1, raw) | summarize num_attempts = count() by ipaddr| order by num_attempts
    

    The output is ordered by the number of attempts from each IP address, producing a table like the following:

    mceclip0.png