Enabling Log Explorer
Introduction
Follow this article to enable the Log Explorer feature within Blackpoint LogIC, our logging-with-integrated-compliance MDR add-on solution. LogIC is powered by our proprietary SNAP-Defense technology to help you get more value from the security logs and telemetry collected from your network.
Enabling Log Explorer allows you to see raw log data from all devices and, if set up, from syslog sources in close to real time over the previous 72-hour period. With Log Explorer, you can freely filter and search the collected raw data to confirm that your LogIC service is operating as intended.
The filter capability is based on the following:
- Dataset (SYSLOG, FIM, WIN_EVENT)
- Hostname
- IP (IPv4 or IPv6, including CIDR notation)
- Windows username (FIM/WIN_EVENT only)
- Event code (FIM/WIN_EVENT only)
The search capability allows you to enter a simple text-based search. Wildcards (*) are accepted.
Prerequisites
- You must have added Blackpoint LogIC to your existing 24/7 MDR customers. To do so, refer to our KB article here.
- You must have configured log settings within Blackpoint LogIC. To do so, refer to our KB article here.
- You must whitelist the following domains to ensure the SNAP Agent can communicate with our servers.
- agent.sega.production.snap.bpcyber.com
- agent.siem.production.snap.bpcyber.com
Instructions
Enabling & Using Log Explorer
- In the Blackpoint Portal, click Blackpoint Add-Ons Portal in the left-hand menu.
- In the left-hand menu, click GO TO in the Customer section.
- Search for the customer you are enabling Log Explorer for.
- Then, click LogIC in the left-hand menu and then on Log Explorer.
- On the Log Explorer page, you may take any of the following actions:
- Full-Text Search – Enter a simple text-based search for a known hostname. Use the wildcard (*) to search for partial matches.
- Date fields – For each date field, click the calendar icon to select a start/end date and the specific start/end time.
- Show/Hide Advanced Query Editor link – Click to show/hide the advanced query editor. Enter your search syntax. See the Canned Queries section in this article for more details.
- Add Filter button – Click to add one of the following filters: event code, event dataset, host IP, hostname, or Windows username. Then enter a corresponding value and click Save.
In the listed search results, you can click the down arrow next to each row to expand and view more details.
Canned Queries
DSL Type: Match Query
Use the following structure to search. Replace "xyz" with one of the Event IDs listed below:
- Windows successful login (Event ID: 4624) – Returns results for successful login events
- Windows failed login (Event ID: 4625) – Returns results for failed login events
- Windows user account created (Event ID: 4720) – Returns results for all created user account events
- Windows user account added to a privileged group (Event ID: 4728) – Returns results for user accounts added to privileged groups
- Windows user account enabled (Event ID: 4722) – Returns results for user accounts which were enabled
- Windows user account disabled (Event ID: 4725) – Returns results for user accounts which were disabled
- Windows user account locked out (Event ID: 4740) – Returns results for user account locked out events
- Windows event log cleared (Event ID: 104 or 1102) – Returns results for event log cleared events
DSL Type: Boolean Query
- Windows failed login by Computer Name and Target User Name – Returns results for failed login events filtered by both computer and user
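As an added illustration (not Blackpoint's own code or query text), the two canned query shapes above expressed in Elasticsearch-style Query DSL, with a small local evaluator run over constructed sample events so the difference between a match query and a boolean query is visible. The field names (event.code, winlog.computer_name, winlog.event_data.TargetUserName) are ECS-style assumptions; this article does not state LogIC's actual field names.

```python
import json

# Assumed ECS-style field names; LogIC's real index mapping is not given in the article.
EVENT_CODE = "event.code"
COMPUTER = "winlog.computer_name"
TARGET_USER = "winlog.event_data.TargetUserName"


def match_query(event_id: str) -> dict:
    """Canned 'Match Query' shape: one field, one value (the 'xyz' slot)."""
    return {"query": {"match": {EVENT_CODE: event_id}}}


def bool_query(event_id: str, computer: str, user: str) -> dict:
    """Canned 'Boolean Query' shape: every clause under 'must' has to match."""
    return {"query": {"bool": {"must": [
        {"match": {EVENT_CODE: event_id}},
        {"match": {COMPUTER: computer}},
        {"match": {TARGET_USER: user}},
    ]}}}


def matches(query: dict, doc: dict) -> bool:
    """Minimal local evaluator for the two clause types used above.

    A case-insensitive exact comparison stands in for Elasticsearch's analyzed
    match; it is enough to check which records a query would select.
    """
    q = query.get("query", query)
    if "match" in q:
        (field, value), = q["match"].items()
        return str(doc.get(field, "")).lower() == str(value).lower()
    if "bool" in q:
        return all(matches(c, doc) for c in q["bool"].get("must", []))
    raise ValueError(f"unsupported clause: {list(q)}")


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {EVENT_CODE: "4624", COMPUTER: "WS01", TARGET_USER: "alice"},
    {EVENT_CODE: "4625", COMPUTER: "WS01", TARGET_USER: "alice"},
    {EVENT_CODE: "4625", COMPUTER: "WS02", TARGET_USER: "alice"},
    {EVENT_CODE: "4625", COMPUTER: "WS01", TARGET_USER: "bob"},
    {EVENT_CODE: "1102", COMPUTER: "WS01", TARGET_USER: "-"},
]


def run(query: dict, events=SAMPLE_EVENTS) -> list:
    """Return the sample records selected by the query."""
    return [e for e in events if matches(query, e)]


if __name__ == "__main__":
    print(json.dumps(bool_query("4625", "WS01", "alice"), indent=2))
    print(len(run(match_query("4625"))), "failed logins in total")
    print(len(run(bool_query("4625", "WS01", "alice"))), "failed logins for alice on WS01")
```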