After you've created a playbook, you can apply it to new data going forward by creating a stream. Streams automate your playbook by executing it in batches at preset intervals. With streams, you can rank your alerts on a regular basis and drill down to understand why an individual alert was ranked in a particular way.
Note: To view or work with streams, you must be in a group that has Stream permission. For more information, see Manage users.
Streams include the following capabilities:
Ranking. The output of each batch in a stream includes only the events that meet a score threshold that you set. This approach allows you to create a critical alert list with only the alerts of most concern. You can also adjust the threshold as needed for higher or lower sensitivity.
Auto-forwarding of Results. You can specify a destination to automatically receive the output of each batch. The results become accessible from your SIEM system, but unlike the data that is reported directly from your SIEM system, the LogicHub stream output has been intelligently processed so that only the most important alerts are reported.
Drill-downs. For any alert in the stream output, you can drill down to see why the alert was scored in a particular way. The drill down process allows you to traverse the playbook tree to see the messages that contributed to each step in the playbook and what actions were involved.
Pinning. Pinning lets you zero in on the portion of the playbook that generates an entry in the stream output. Examining the relevant portion of the playbook can help you determine exactly why a particular score was applied.
Starred Results. You can highlight the alerts of most interest by starring them and filtering the list to see only the starred messages.
Updated about 2 years ago