3. Configuring Logging in Blackpoint LogIC
Introduction
Powered by our proprietary SNAP-Defense technology, Blackpoint LogIC is a logging-with-integrated-compliance MDR add-on built to be hyper-efficient and to provide real-time data collection. With LogIC, you collect the right data for future audits. LogIC auto-maps against hundreds of compliance requirements at once, so you can see where your current security products and services already cover you in terms of compliance. Trust LogIC to make your journey towards regulatory compliance easier.
After you have added Blackpoint LogIC to your existing 24/7 MDR customers and logged into the platform, follow this article to configure the log settings in Blackpoint LogIC. We’ve broken down the process into the following sections:
Prerequisites
- You must whitelist the following domains to ensure the SNAP Agent can communicate with our servers.
- agent.sega.production.snap.bpcyber.com
- agent.siem.production.snap.bpcyber.com
Logging in Blackpoint LogIC
Enabling logging
- In the Blackpoint Portal, click Blackpoint Add-Ons Portal in the left-hand menu.
- In the left-hand menu, click GO TO in the Customer section.
- Search for the customer you are setting up logging for.
- Click LogIC in the left-hand menu and then on Settings.
- Toggle the Enable Logging switch on. Each of the tabs below will allow you to start configuring either Syslog, Windows Events, or Windows FIM settings for the customer.
Configuring syslog
- Click the Syslog tab, toggle the Enable Syslog Collector switch on, and then click Add Collector.
- In the Syslog Collector pop-up, select the device(s) from the list, or use the search function. Then, select the protocol from the drop-down menu and enter the port before clicking Save.
The device(s) will now appear in the list of syslog collectors. To remove a device, click Remove next to that specific device in the Actions column. In the Hostname column, you will see a status icon representing how long ago the device was last active.
- Green icon – Last seen within the last 15 minutes
- Yellow icon – Last seen between 15 minutes and 1 day ago
- Red icon – Last seen 1 or more days ago
- Grey icon – Pending set up
Configuring Windows Events
Click the Windows Events tab to configure which Windows Devices will collect Windows events. Toggle the Enable Windows Event Logging switch to on. To monitor ALL Windows devices running a SNAP Agent, select the checkbox.
To log only specific devices, leave the Monitor all Windows devices box unchecked. Select the device(s) from the list, or use the search function. After making the selections, you can perform bulk actions such as Select All, Enable, or Disable.
Configuring Windows FIM
Click the Windows FIM tab to choose which devices will collect FIM events. Toggle the Enable Windows File Integrity Monitoring (FIM) switch to on.
In the FIM Policies section, you can either edit the default policy or add new policies.
- To edit the default policy:
  - Click Edit.
  - Scroll down to the editable paths. You can modify each path, mark it for exclusion, or remove it from the policy. Note: Blackpoint LogIC supports the use of wildcard characters (*) in path names.
  - To add a path, click Add Path and give it a name.
  - Click Save.
- To add a new policy:
  - Click Add Policy.
  - Enter a name for your new policy.
  - Scroll down to the editable paths. You can modify each path, mark it for exclusion, or remove it from the policy. Click Add Path if desired.
  - Click Save.
To collect FIM events from ALL Windows devices running a SNAP Agent, select the Monitor all Windows devices checkbox.
To monitor only specific devices, leave the Monitor all Windows devices box unchecked. Select the device(s) from the list, or use the search function. After making the selections, you can perform bulk actions such as Select All, Enable, Disable, or Set Policy.
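To make the include/exclude and wildcard behaviour of a FIM path list concrete, here is an added Python illustration; it is not Blackpoint's code, and LogIC's actual matching rules are not documented on this page. The FimPolicy model, the rule that an exclusion wins over an include, and the sample file paths are all assumptions.

```python
import fnmatch
import ntpath
from dataclasses import dataclass, field


@dataclass
class FimPolicy:
    """Hypothetical model of a FIM policy: named path patterns, some marked as exclusions."""
    name: str
    paths: list = field(default_factory=list)  # list of (pattern, excluded) tuples

    @staticmethod
    def _match(pattern: str, path: str) -> bool:
        # Windows paths are case-insensitive, so normalise case and separators first.
        # Caveat: fnmatch's '*' also spans '\\', so r'C:\inetpub\wwwroot\*' matches files
        # in nested folders too; narrow with an exclusion if that is not wanted.
        return fnmatch.fnmatchcase(ntpath.normcase(path), ntpath.normcase(pattern))

    def is_monitored(self, path: str) -> bool:
        # Assumption: any matching exclusion overrides every matching include.
        if any(excl and self._match(p, path) for p, excl in self.paths):
            return False
        return any(not excl and self._match(p, path) for p, excl in self.paths)


def build_example_policy() -> FimPolicy:
    # Constructed example policy for a web server; paths are hypothetical.
    return FimPolicy("Web servers", [
        (r"C:\Windows\System32\drivers\etc\*", False),   # hosts file and friends
        (r"C:\Windows\System32\*.dll", False),            # system DLLs
        (r"C:\inetpub\wwwroot\*", False),                 # web content
        (r"C:\inetpub\wwwroot\logs\*", True),             # noisy log churn, excluded
    ])


# Constructed sample file paths, not real telemetry.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\inetpub\wwwroot\web.config",
    r"C:\inetpub\wwwroot\logs\u_ex240101.log",
    r"c:\windows\system32\ntdll.dll",          # lower case still matches
    r"C:\Users\alice\Documents\notes.txt",     # not covered by any path
]


def monitored_events(policy: FimPolicy, paths: list) -> list:
    """Return only the paths the policy would generate FIM events for."""
    return [p for p in paths if policy.is_monitored(p)]


if __name__ == "__main__":
    for p in monitored_events(build_example_policy(), SAMPLE_EVENTS):
        print("monitored:", p)
```

The excluded logs folder shows why an exclusion is needed alongside a broad wildcard: without it, every rotated log under wwwroot would raise a FIM event.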
Viewing usage summaries & statistics
You can view your usage over time in the Blackpoint Add-Ons Portal. Note that the costs displayed are estimates based on current usage and contract(s).
- In the Blackpoint Add-Ons Portal, click Usage in the left-hand menu.
- In the Usage Breakdown section, select whether you would like to see usage data from the last 30 days, the last 24 hours, or the last billing period. You may also enter a custom date range.
- Based on the services you have with Blackpoint, you will see a breakdown of the number of devices and users active for each service.
- In the Usage Per Device section, you can search for a device by hostname or IP address and choose to download your search results.
Related Documentation
Please visit our Blackpoint LogIC FAQ here.