SIEM Event Type
An event type specifies a query that you run to bring data into LogicHub for analysis and scoring. Event types can draw from any of the following source types:
- Results of a query on an external source, such as Splunk, Opendistro, SumoLogic, or Elasticsearch.
- Results from a step in a LogicHub playbook.
- System events created by LogicHub to ingest data from activity in the LogicHub system. For more information, see System Event Types.
NOTE:
To view or set up event types, you must be in a group that has Event Type permission. For more information, see Manage Users.
Before you Begin
If you're setting up an event based on a query to an external source, you must first set up a connection to the source. For instructions, see Create Connections.
Create an Event Type
To create an event type:
- Select My Library > Event Types.
- Click New. A New Event Type form opens up.
Enter the following details in the new event type form:
- Name: Enter a name to identify the event type. The name can consist of alphanumeric characters and underscores ( _ ). The first character can't be a number.
- Source: Click Playbook/Node to based the event type on a playbook step or click Query to base the event type on a query to an external connection.
- Connection: Enter or choose a connection from the drop-down.
- Query: Enter a query for the connection.
- Key Columns (Optional): Enter a time range or manually add your custom date range. Based on the selected time range the list of available columns will load in the Selected Columns. Choose the columns and click Save.
A new event type is successfully created.
The Event Types page opens to show the list of event types. Click an entry to edit the settings, or click the trash can icon to delete an entry.
The event type is now available for use when creating a playbook. When using Easy Mode to create a playbook, you can search for the event type by name and add it. See Create Playbooks in Easy Mode. In Advanced Mode, a playbook typically starts with an event type. See Explore Playbooks in V1 mode (Advanced Mode).
Example: Elasticsearch
When you add an event type based on ElasticSearch 6 or ElasticSearch 7, the default query is filled in automatically:
select * from <index_name> where <timestamp_field> >= {{start_time}} and <timestamp_field> <= {{end_time}} *
where
<index_name>
is the Elasticsearch index
<timestamp_field>
is the timestamp field
start_time
and end_time
are the playbook or batch start and end time
Example:
select * from testindex where timestamp >= {{start_time}} and timestamp <= {{end_time}}
Alternatively, you can use the following Elasticsearch query:
NOTE:
Applicable for both ElasticSearch 6 and ElasticSearch 7).
{
"bool":{
"must":{
"terms":{
"_index":[
"testindex"
]
}
},
"filter":{
"range":{
"timestamp":{
"gte": {{ start_time }},
"lte": {{ end_time }}
}
}
}
}
}
Manage Event Types
To manage your event types, go to the My Library > Commands page. See Manage Content in your Library. For information on sharing event types with other users and groups, see User Management.
Updated 5 months ago