
LogPoint SIEM Integration

This Integration is part of the LogPoint SIEM Integration Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Use this Content Pack to search logs, fetch incident logs from LogPoint, analyze them for underlying threats, and respond to these threats in real-time. This integration was integrated and tested with version 6.7.4 of LogPoint.

Use Cases

  • Retrieve incidents using the available filters.
  • Get the data of particular incidents, their state, users, and user groups.
  • Resolve, close, re-open, re-assign, and add comments to incidents.
  • Act on incidents using LogPoint-provided or custom playbooks.
  • Use commands to get logs from LogPoint’s devices and repos.

Configure LogPoint on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for LogPoint SIEM Integration.

  3. Click Add instance to create and configure a new integration instance.

     | Parameter | Description | Required |
     | --- | --- | --- |
     | LogPoint URL | | True |
     | LogPoint Username | | True |
     | API Key | User's secret key | True |
     | Trust any certificate (not secure) | Whether to allow connections without verifying SSL certificate validity. | False |
     | Use system proxy settings | Whether to use XSOAR’s system proxy settings to connect to the API. | False |
     | First fetch timestamp (<number> <time unit>, e.g., 6 hours, 1 day) | If it is not provided, incidents from the past 24 hours are fetched by default. | False |
     | Incident type | | False |
     | Fetch incidents | | False |
     | Fetch limit (Max value is 200, Recommended value is 50 or less) | If this is left blank, a maximum of 50 incidents is fetched at a time. | False |
     | Incidents Fetch Interval | | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

lp-get-incidents

Displays incidents between the two provided timestamps, ts_from and ts_to. By default, the command displays the first 50 incidents from the past 24 hours; set limit to retrieve a different number of incidents.

Base Command

lp-get-incidents

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ts_from | From timestamp. | Optional |
| ts_to | To timestamp. | Optional |
| limit | Number of incidents to fetch. Accepts an integer value. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| LogPoint.Incidents.name | String | LogPoint Incident Name |
| LogPoint.Incidents.type | String | LogPoint Incident Type |
| LogPoint.Incidents.incident_id | String | LogPoint Incident ID |
| LogPoint.Incidents.assigned_to | String | LogPoint Incidents Assigned To |
| LogPoint.Incidents.status | String | LogPoint Incidents Status |
| LogPoint.Incidents.id | String | LogPoint Incident Object ID |
| LogPoint.Incidents.detection_timestamp | Number | LogPoint Incidents Detection Timestamp |
| LogPoint.Incidents.username | String | LogPoint Incident Username |
| LogPoint.Incidents.user_id | String | LogPoint Incidents User ID |
| LogPoint.Incidents.visible_to | String | LogPoint Incidents Visible To |
| LogPoint.Incidents.tid | String | LogPoint Incidents Tid |
| LogPoint.Incidents.rows_count | String | LogPoint Incidents Rows Count |
| LogPoint.Incidents.risk_level | String | LogPoint Incidents Risk Level |
| LogPoint.Incidents.loginspect_ip_dns | String | LogPoint Incidents Loginspect IP DNS |
| LogPoint.Incidents.comments | String | LogPoint Incidents Comments |
| LogPoint.Incidents.commentscount | Number | LogPoint Incidents Comments Count |
| LogPoint.Incidents.query | String | LogPoint Incidents Query |
| LogPoint.Incidents.repos | String | LogPoint Incidents Repos |
| LogPoint.Incidents.time_range | String | LogPoint Incidents Time Range |
| LogPoint.Incidents.alert_obj_id | String | LogPoint Incidents Alert Obj Id |
| LogPoint.Incidents.throttle_enabled | Boolean | LogPoint Incidents Throttle Enabled |
| LogPoint.Incidents.lastaction | String | LogPoint Incidents Last Action |
| LogPoint.Incidents.description | String | LogPoint Incidents Description |

Command Example

!lp-get-incidents ts_from=1610700720 ts_to=1610700900 limit=5

Context Example

{
  "LogPoint": {
    "Incidents": [
      {
        "alert_obj_id": "5fc8b1743dee69827459bc70",
        "assigned_to": "5bebd9fdd8aaa42840edc853",
        "comments": [],
        "commentscount": 0,
        "description": "",
        "detection_timestamp": 1610700740.2248185,
        "id": "600157c44a2018070b627f6a",
        "incident_id": "8a676c39450e099b3512961d71ec4f7d",
        "loginspect_ip_dns": "127.0.0.1",
        "logpoint_name": "LogPoint",
        "name": "Memory usages is greater than 50 percent",
        "query": "\"col_type\"=\"filesystem\" use>=50",
        "repos": [
          "127.0.0.1:5504"
        ],
        "risk_level": "medium",
        "rows_count": 5,
        "status": "unresolved",
        "throttle_enabled": false,
        "tid": "",
        "time_range": [
          1610700000,
          1610700600
        ],
        "type": "Alert",
        "user_id": null,
        "username": "5bebd9fdd8aaa42840edc853",
        "visible_to": []
      },
      {
        "alert_obj_id": "5fc8b1743dee69827459bc70",
        "assigned_to": "5bebd9fdd8aaa42840edc853",
        "comments": [
          {
            "comment": "Example Incident",
            "time": 1610700910,
            "title": "admin"
          }
        ],
        "commentscount": 0,
        "description": "",
        "detection_timestamp": 1610700860.245085,
        "id": "6001583c4a2018070b627f6b",
        "incident_id": "8a676c39450e099b3512961d71ec4f7d",
        "lastaction": {
          "action": "Commented",
          "time": 1610700910,
          "title": "admin"
        },
        "loginspect_ip_dns": "127.0.0.1",
        "logpoint_name": "LogPoint",
        "name": "Memory usages is greater than 50 percent",
        "query": "\"col_type\"=\"filesystem\" use>=50",
        "repos": [
          "127.0.0.1:5504"
        ],
        "risk_level": "medium",
        "rows_count": 5,
        "status": "unresolved",
        "throttle_enabled": false,
        "tid": "",
        "time_range": [
          1610700120,
          1610700720
        ],
        "type": "Alert",
        "user_id": null,
        "username": "5bebd9fdd8aaa42840edc853",
        "visible_to": []
      }
    ]
  }
}

Human Readable Output

Displaying all 2 incidents between 1610700720 and 1610700900

| Type | Incident Id | Name | Description | Username | User Id | Assigned To | Visible To | Tid | Rows Count | Risk Level | Detection Timestamp | Loginspect Ip Dns | Logpoint Name | Status | Comments | Commentscount | Query | Repos | Time Range | Alert Obj Id | Throttle Enabled | Id |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Alert | 8a676c39450e099b3512961d71ec4f7d | Memory usages is greater than 50 percent | | 5bebd9fdd8aaa42840edc853 | | 5bebd9fdd8aaa42840edc853 | | | 5 | medium | 1610700740.2248185 | 127.0.0.1 | LogPoint | unresolved | | 0 | "col_type"="filesystem" use>=50 | 127.0.0.1:5504 | 1610700000, 1610700600 | 5fc8b1743dee69827459bc70 | false | 600157c44a2018070b627f6a |
| Alert | 8a676c39450e099b3512961d71ec4f7d | Memory usages is greater than 50 percent | | 5bebd9fdd8aaa42840edc853 | | 5bebd9fdd8aaa42840edc853 | | | 5 | medium | 1610700860.245085 | 127.0.0.1 | LogPoint | unresolved | {'title': 'admin', 'comment': 'Example Incident', 'time': 1610700910} | 0 | "col_type"="filesystem" use>=50 | 127.0.0.1:5504 | 1610700120, 1610700720 | 5fc8b1743dee69827459bc70 | false | 6001583c4a2018070b627f6b |

lp-get-incident-data

Retrieves the data of a particular incident.

Base Command

lp-get-incident-data

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_obj_id | Object ID of a particular incident. It is the value of the 'id' key of an incident returned by the 'lp-get-incidents' command. | Required |
| incident_id | Incident ID of a particular incident. It is the value of the 'incident_id' key of an incident returned by the 'lp-get-incidents' command. | Required |
| date | Incident detection timestamp. It is the value of the 'detection_timestamp' key of an incident returned by the 'lp-get-incidents' command. | Required |
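
The three arguments above are all taken from the output of lp-get-incidents, so a playbook step usually derives them from the incident context rather than typing them by hand. The following added example (not part of the LogPoint content pack) shows that chaining on a constructed copy of the context shape documented on this page: it selects incidents by detection timestamp and limit, the way the lp-get-incidents description says the command filters, and maps each selected incident's 'id', 'incident_id' and 'detection_timestamp' to incident_obj_id, incident_id and date. The inclusive time window and oldest-first ordering are assumptions.

```python
"""Chain lp-get-incidents output into lp-get-incident-data arguments.

Added example, not part of the LogPoint content pack: it operates on the
context shape documented on this page (LogPoint.Incidents[...]) and builds
the three arguments lp-get-incident-data requires from each incident.
"""
import json

# Constructed sample in the shape returned by lp-get-incidents; the values
# mirror the page's context example, trimmed to the keys used below.
SAMPLE_CONTEXT = json.loads("""
{"LogPoint": {"Incidents": [
  {"id": "600157c44a2018070b627f6a",
   "incident_id": "8a676c39450e099b3512961d71ec4f7d",
   "detection_timestamp": 1610700740.2248185,
   "name": "Memory usages is greater than 50 percent",
   "risk_level": "medium", "status": "unresolved"},
  {"id": "6001583c4a2018070b627f6b",
   "incident_id": "8a676c39450e099b3512961d71ec4f7d",
   "detection_timestamp": 1610700860.245085,
   "name": "Memory usages is greater than 50 percent",
   "risk_level": "medium", "status": "unresolved"}
]}}
""")

DEFAULT_LIMIT = 50  # the page's default for lp-get-incidents


def select_incidents(context, ts_from=None, ts_to=None, limit=DEFAULT_LIMIT):
    """Return incidents whose detection_timestamp lies within [ts_from, ts_to],
    oldest first, capped at `limit`. The inclusive window and the ordering are
    assumptions; the page only states that the command filters by the two
    timestamps and applies the limit."""
    limit = int(limit)
    if limit <= 0:
        raise ValueError("limit must be a positive integer")
    selected = []
    for inc in context["LogPoint"]["Incidents"]:
        ts = float(inc["detection_timestamp"])
        if ts_from is not None and ts < float(ts_from):
            continue
        if ts_to is not None and ts > float(ts_to):
            continue
        selected.append(inc)
    selected.sort(key=lambda inc: float(inc["detection_timestamp"]))
    return selected[:limit]


def incident_data_args(incident):
    """Build the argument dict for lp-get-incident-data exactly as the page's
    argument table specifies: incident_obj_id <- 'id', incident_id <-
    'incident_id', date <- 'detection_timestamp'."""
    missing = [k for k in ("id", "incident_id", "detection_timestamp") if k not in incident]
    if missing:
        raise KeyError(f"incident is missing required keys: {missing}")
    return {
        "incident_obj_id": incident["id"],
        "incident_id": incident["incident_id"],
        "date": incident["detection_timestamp"],
    }


def incident_data_command(incident):
    """Render the War Room command line for one incident (keys in sorted order)."""
    args = incident_data_args(incident)
    rendered = " ".join(f"{key}={args[key]}" for key in sorted(args))
    return f"!lp-get-incident-data {rendered}"


if __name__ == "__main__":
    for inc in select_incidents(SAMPLE_CONTEXT, ts_from=1610700720, ts_to=1610700900, limit=5):
        print(incident_data_command(inc))
```

The KeyError on a missing key is deliberate: an incident object without 'id', 'incident_id' or 'detection_timestamp' cannot be looked up, and failing early is clearer than sending a half-formed command.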

Context Output

| Path | Type | Description |
| --- | --- | --- |
| LogPoint.Incidents.data.use | String | LogPoint Incidents Data Use |
| LogPoint.Incidents.data.used | String | LogPoint Incidents Data Used |
| LogPoint.Incidents.data.log_ts | Number | LogPoint Incidents Data Log Ts |
| LogPoint.Incidents.data._type_str | String | LogPoint Incidents Data Type Str |
| LogPoint.Incidents.data.msg | String | LogPoint Incidents Data Msg |
| LogPoint.Incidents.data.total | String | LogPoint Incidents Data Total |
| LogPoint.Incidents.data.device_name | String | LogPoint Incidents Data Device Name |
| LogPoint.Incidents.data._offset | String | LogPoint Incidents Data Offset |
| LogPoint.Incidents.data.logpoint_name | String | LogPoint Incidents Data LogPoint Name |
| LogPoint.Incidents.data.repo_name | String | LogPoint Incidents Data Repo Name |
| LogPoint.Incidents.data.free | String | LogPoint Incidents Data Free |
| LogPoint.Incidents.data.source_name | String | LogPoint Incidents Data Source Name |
| LogPoint.Incidents.data.col_ts | Number | LogPoint Incidents Data Col Ts |
| LogPoint.Incidents.data._tz | String | LogPoint Incidents Data Tz |
| LogPoint.Incidents.data.norm_id | String | LogPoint Incidents Data Norm Id |
| LogPoint.Incidents.data._identifier | String | LogPoint Incidents Data Identifier |
| LogPoint.Incidents.data.collected_at | String | LogPoint Incidents Data Collected At |
| LogPoint.Incidents.data.device_ip | String | LogPoint Incidents Data Device IP |
| LogPoint.Incidents.data._fromV550 | String | LogPoint Incidents Data From V550 |
| LogPoint.Incidents.data._enrich_policy | String | LogPoint Incidents Data Enrich Policy |
| LogPoint.Incidents.data._type_num | String | LogPoint Incidents Data Type Num |
| LogPoint.Incidents.data._type_ip | String | LogPoint Incidents Data Type IP |
| LogPoint.Incidents.data.sig_id | String | LogPoint Incidents Data Sig Id |
| LogPoint.Incidents.data.col_type | String | LogPoint Incidents Data Col Type |
| LogPoint.Incidents.data.object | String | LogPoint Incidents Data Object |
| LogPoint.Incidents.data._labels | String | LogPoint Incidents Data Labels |
| LogPoint.Incidents.data.source_address | String | Source Address |
| LogPoint.Incidents.data.destination_address | String | Destination Address |
| LogPoint.Incidents.data.workstation | String | Workstation |
| LogPoint.Incidents.data.domain | String | Domain |
| LogPoint.Incidents.data.user | String | User |
| LogPoint.Incidents.data.caller_user | String | Caller User |
| LogPoint.Incidents.data.target_user | String | Target User |
| LogPoint.Incidents.data.source_machine_id | String | Source Machine Id |
| LogPoint.Incidents.data.destination_machine_id | String | Destination Machine Id |
| LogPoint.Incidents.data.destination_port | String | Destination Port |
| LogPoint.Incidents.data.event_type | String | Event Type |
| LogPoint.Incidents.data.share_path | String | Share Path |
| LogPoint.Incidents.data.object_name | String | Object Name |
| LogPoint.Incidents.data.sub_status_code | String | Sub Status Code |
| LogPoint.Incidents.data.object_type | String | Object Type |
| LogPoint.Incidents.data.request_method | String | Request Method |
| LogPoint.Incidents.data.status_code | String | Status Code |
| LogPoint.Incidents.data.received_datasize | String | Received Datasize |
| LogPoint.Incidents.data.received_packet | String | Received Packet |
| LogPoint.Incidents.data.user_agent | String | User Agent |
| LogPoint.Incidents.data.sent_datasize | String | Sent Datasize |
| LogPoint.Incidents.data.sender | String | Sender |
| LogPoint.Incidents.data.receiver | String | Receiver |
| LogPoint.Incidents.data.datasize | String | Datasize |
| LogPoint.Incidents.data.file | String | File |
| LogPoint.Incidents.data.subject | String | Subject |
| LogPoint.Incidents.data.status | String | Status |
| LogPoint.Incidents.data.file_count | String | File Count |
| LogPoint.Incidents.data.protocol_id | String | Protocol Id |
| LogPoint.Incidents.data.sent_packet | String | Sent Packet |
| LogPoint.Incidents.data.service | String | Service |
| LogPoint.Incidents.data.printer | String | Printer |
| LogPoint.Incidents.data.print_count | String | Print Count |
| LogPoint.Incidents.data.event_id | String | Event Id |
| LogPoint.Incidents.data.country_name | String | Country Name |
| LogPoint.Incidents.data.host | String | Host |
| LogPoint.Incidents.data.hash | String | Hash |
| LogPoint.Incidents.data.hash_sha1 | String | Hash SHA1 |
| LogPoint.Incidents.data.agent_address | String | Agent Address |
| LogPoint.Incidents.data.attacker_address | String | Attacker Address |
| LogPoint.Incidents.data.broadcast_address | String | Broadcast Address |
| LogPoint.Incidents.data.client_address | String | Client Address |
| LogPoint.Incidents.data.client_hardware_address | String | Client Hardware Address |
| LogPoint.Incidents.data.destination_hardware_address | String | Destination Hardware Address |
| LogPoint.Incidents.data.destination_nat_address | String | Destination NAT Address |
| LogPoint.Incidents.data.device_address | String | Device Address |
| LogPoint.Incidents.data.external_address | String | External Address |
| LogPoint.Incidents.data.gateway_address | String | Gateway Address |
| LogPoint.Incidents.data.hardware_address | String | Hardware Address |
| LogPoint.Incidents.data.host_address | String | Host Address |
| LogPoint.Incidents.data.interface_address | String | Interface Address |
| LogPoint.Incidents.data.lease_address | String | Lease Address |
| LogPoint.Incidents.data.local_address | String | Local Address |
| LogPoint.Incidents.data.nas_address | String | NAS Address |
| LogPoint.Incidents.data.nas_ipv6_address | String | NAS IPv6 Address |
| LogPoint.Incidents.data.nat_address | String | NAT Address |
| LogPoint.Incidents.data.nat_source_address | String | NAT Source Address |
| LogPoint.Incidents.data.network_address | String | Network Address |
| LogPoint.Incidents.data.new_hardware_address | String | New Hardware Address |
| LogPoint.Incidents.data.old_hardware_address | String | Old Hardware Address |
| LogPoint.Incidents.data.original_address | String | Original Address |
| LogPoint.Incidents.data.original_client_address | String | Original Client Address |
| LogPoint.Incidents.data.original_destination_address | String | Original Destination Address |
| LogPoint.Incidents.data.original_server_address | String | Original Server Address |
| LogPoint.Incidents.data.original_source_address | String | Original Source Address |
| LogPoint.Incidents.data.originating_address | String | Originating Address |
| LogPoint.Incidents.data.peer_address | String | Peer Address |
| LogPoint.Incidents.data.private_address | String | Private Address |
| LogPoint.Incidents.data.proxy_address | String | Proxy Address |
| LogPoint.Incidents.data.proxy_source_address | String | Proxy Source Address |
| LogPoint.Incidents.data.relay_address | String | Relay Address |
| LogPoint.Incidents.data.remote_address | String | Remote Address |
| LogPoint.Incidents.data.resolved_address | String | Resolved Address |
| LogPoint.Incidents.data.route_address | String | Route Address |
| LogPoint.Incidents.data.scanner_address | String | Scanner Address |
| LogPoint.Incidents.data.server_address | String | Server Address |
| LogPoint.Incidents.data.server_hardware_address | String | Server Hardware Address |
| LogPoint.Incidents.data.source_hardware_address | String | Source Hardware Address |
| LogPoint.Incidents.data.start_address | String | Start Address |
| LogPoint.Incidents.data.supplier_address | String | Supplier Address |
| LogPoint.Incidents.data.switch_address | String | Switch Address |
| LogPoint.Incidents.data.translated_address | String | Translated Address |
| LogPoint.Incidents.data.virtual_address | String | Virtual Address |
| LogPoint.Incidents.data.virtual_server_address | String | Virtual Server Address |
| LogPoint.Incidents.data.vpn_address | String | VPN Address |
| LogPoint.Incidents.data.hash_length | String | Hash Length |
| LogPoint.Incidents.data.hash_sha256 | String | Hash SHA256 |
| LogPoint.Incidents.data.alternate_user | String | Alternate User |
| LogPoint.Incidents.data.authenticated_user | String | Authenticated User |
| LogPoint.Incidents.data.authorized_user | String | Authorized User |
| LogPoint.Incidents.data.certificate_user | String | Certificate User |
| LogPoint.Incidents.data.current_user | String | Current User |
| LogPoint.Incidents.data.database_user | String | Database User |
| LogPoint.Incidents.data.destination_user | String | Destination User |
| LogPoint.Incidents.data.logon_user | String | Logon User |
| LogPoint.Incidents.data.new_max_user | String | New Max User |
| LogPoint.Incidents.data.new_user | String | New User |
| LogPoint.Incidents.data.old_max_user | String | Old Max User |
| LogPoint.Incidents.data.os_user | String | OS User |
| LogPoint.Incidents.data.remote_user | String | Remote User |
| LogPoint.Incidents.data.source_user | String | Source User |
| LogPoint.Incidents.data.system_user | String | System User |
| LogPoint.Incidents.data.target_logon_user | String | Target Logon User |
| LogPoint.Incidents.data.zone_user | String | Zone User |

Command Example

!lp-get-incident-data date=1610700740.2248185 incident_id=8a676c39450e099b3512961d71ec4f7d incident_obj_id=600157c44a2018070b627f6a

Context Example

{
  "LogPoint": {
    "Incidents": {
      "data": [
        {
          "_enrich_policy": "None",
          "_fromV550": "t",
          "_identifier": "0",
          "_labels": [
            "Metrics",
            "Usage",
            "Memory",
            "LogPoint"
          ],
          "_offset": 195673,
          "_type_ip": "device_ip",
          "_type_num": "log_ts col_ts free total use used sig_id _offset _identifier",
          "_type_str": "msg col_type device_name collected_at device_ip source_name _tz _enrich_policy label norm_id object _fromV550 repo_name logpoint_name",
          "_tz": "UTC",
          "col_ts": 1610700549,
          "col_type": "filesystem",
          "collected_at": "LogPoint",
          "device_ip": "127.0.0.1",
          "device_name": "localhost",
          "free": "1963",
          "log_ts": 1610700541,
          "logpoint_name": "LogPoint",
          "msg": "2021-01-15_08:49:01 Metrics; Physical Memory; total=7977 MB; use=71.0%; used=5664 MB; free=1963 MB",
          "norm_id": "LogPoint",
          "object": "Physical Memory",
          "repo_name": "_logpoint",
          "sig_id": "10507",
          "source_name": "/opt/immune/var/log/system_metrics/system_metrics.log",
          "total": "7977",
          "use": "71.0",
          "used": "5664"
        },
        {
          "_enrich_policy": "None",
          "_fromV550": "t",
          "_identifier": "0",
          "_labels": [
            "Metrics",
            "Usage",
            "Memory",
            "LogPoint"
          ],
          "_offset": 101372,
          "_type_ip": "device_ip",
          "_type_num": "log_ts col_ts free total use used sig_id _offset _identifier",
          "_type_str": "msg col_type device_name collected_at device_ip source_name _tz _enrich_policy label norm_id object _fromV550 repo_name logpoint_name",
          "_tz": "UTC",
          "col_ts": 1610700428,
          "col_type": "filesystem",
          "collected_at": "LogPoint",
          "device_ip": "127.0.0.1",
          "device_name": "localhost",
          "free": "1965",
          "log_ts": 1610700421,
          "logpoint_name": "LogPoint",
          "msg": "2021-01-15_08:47:01 Metrics; Physical Memory; total=7977 MB; use=71.0%; used=5662 MB; free=1965 MB",
          "norm_id": "LogPoint",
          "object": "Physical Memory",
          "repo_name": "_logpoint",
          "sig_id": "10507",
          "source_name": "/opt/immune/var/log/system_metrics/system_metrics.log",
          "total": "7977",
          "use": "71.0",
          "used": "5662"
        }
      ]
    }
  }
}

Human Readable Output

Incident Data

| Msg | Use | Used | Log Ts | Type Str | Total | Device Name | Offset | Logpoint Name | Repo Name | Free | Source Name | Col Ts | Tz | Norm Id | Identifier | Collected At | Device Ip | FromV550 | Enrich Policy | Type Num | Type Ip | Sig Id | Col Type | Object | Labels |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2021-01-15_08:49:01 Metrics; Physical Memory; total=7977 MB; use=71.0%; used=5664 MB; free=1963 MB | 71.0 | 5664 | 1610700541 | msg col_type device_name collected_at device_ip source_name _tz _enrich_policy label norm_id object _fromV550 repo_name logpoint_name | 7977 | localhost | 195673 | LogPoint | _logpoint | 1963 | /opt/immune/var/log/system_metrics/system_metrics.log | 1610700549 | UTC | LogPoint | 0 | LogPoint | 127.0.0.1 | t | None | log_ts col_ts free total use used sig_id _offset _identifier | device_ip | 10507 | filesystem | Physical Memory | Metrics, Usage, Memory, LogPoint |
| 2021-01-15_08:47:01 Metrics; Physical Memory; total=7977 MB; use=71.0%; used=5662 MB; free=1965 MB | 71.0 | 5662 | 1610700421 | msg col_type device_name collected_at device_ip source_name _tz _enrich_policy label norm_id object _fromV550 repo_name logpoint_name | 7977 | localhost | 101372 | LogPoint | _logpoint | 1965 | /opt/immune/var/log/system_metrics/system_metrics.log | 1610700428 | UTC | LogPoint | 0 | LogPoint | 127.0.0.1 | t | None | log_ts col_ts free total use used sig_id _offset _identifier | device_ip | 10507 | filesystem | Physical Memory | Metrics, Usage, Memory, LogPoint |
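
The rows returned by lp-get-incident-data carry both the raw log line ('msg') and the normalized fields the alert query was evaluated against ('use', 'used', 'free', 'total', 'col_type'). When triaging, it is worth confirming that the normalized values really come from the raw message and that the incident's query ("col_type"="filesystem" use>=50, from the lp-get-incidents context above) still holds. The following added example (not part of the LogPoint content pack) parses the metrics message layout visible in the page's sample rows and re-checks the alert condition; the message format assumption is exactly that layout (timestamp, "Metrics", object, then key=value pairs separated by semicolons), and the sample rows are constructed from the page's values.

```python
"""Parse LogPoint system-metrics messages and re-check the alert condition.

Added example, not part of the LogPoint content pack. It works on rows in
the shape of LogPoint.Incidents.data documented above; the 'msg' layout
(timestamp, 'Metrics', object, then key=value pairs separated by ';') is
taken from the page's context example.
"""
import re

# Constructed sample rows, trimmed to the keys used here; the values are
# the page's two example rows.
SAMPLE_ROWS = [
    {
        "msg": "2021-01-15_08:49:01 Metrics; Physical Memory; total=7977 MB; use=71.0%; used=5664 MB; free=1963 MB",
        "use": "71.0", "used": "5664", "free": "1963", "total": "7977",
        "col_type": "filesystem", "device_name": "localhost", "log_ts": 1610700541,
    },
    {
        "msg": "2021-01-15_08:47:01 Metrics; Physical Memory; total=7977 MB; use=71.0%; used=5662 MB; free=1965 MB",
        "use": "71.0", "used": "5662", "free": "1965", "total": "7977",
        "col_type": "filesystem", "device_name": "localhost", "log_ts": 1610700421,
    },
]

MSG_RE = re.compile(r"^(?P<ts>\S+) Metrics; (?P<object>[^;]+); (?P<kv>.+)$")
NUMBER_RE = re.compile(r"^[-+]?\d+(?:\.\d+)?")


def parse_metrics_msg(msg):
    """Split a metrics message into its timestamp, object and numeric fields.
    Unit suffixes such as ' MB' and '%' are dropped so values compare as numbers."""
    match = MSG_RE.match(msg)
    if not match:
        raise ValueError(f"not a metrics message: {msg!r}")
    fields = {"timestamp": match.group("ts"), "object": match.group("object").strip()}
    for pair in match.group("kv").split(";"):
        pair = pair.strip()
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed key=value pair: {pair!r}")
        number = NUMBER_RE.match(value.strip())
        fields[key.strip()] = float(number.group()) if number else value.strip()
    return fields


def matches_alert(row, threshold=50.0):
    """Re-evaluate the incident's documented query, "col_type"="filesystem" use>=50,
    against one row. Rows without a numeric 'use' never match."""
    if row.get("col_type") != "filesystem":
        return False
    try:
        return float(row["use"]) >= threshold
    except (KeyError, TypeError, ValueError):
        return False


def normalized_matches_raw(row):
    """Check that the normalized use/used/free/total fields agree with the values
    embedded in the raw message; a mismatch would mean the alert fired on a
    normalization result that does not reflect the original log line."""
    parsed = parse_metrics_msg(row["msg"])
    return all(float(row[key]) == parsed[key] for key in ("use", "used", "free", "total"))


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        parsed = parse_metrics_msg(row["msg"])
        print(parsed["timestamp"], parsed["object"], parsed["use"],
              matches_alert(row), normalized_matches_raw(row))
```

The threshold is a parameter so the same check can be reused for a different alert on the same field; the 50 default is the value in this page's incident query.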

lp-get-incident-states

Displays incident state data between the two provided timestamps, ts_from and ts_to. By default, the command displays the first 50 entries from the past 24 hours; set limit to retrieve a different number of incident state entries.

Base Command

lp-get-incident-states

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ts_from | From timestamp. | Optional |
| ts_to | To timestamp. | Optional |
| limit | Number of incident state entries to fetch. Accepts an integer value. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| LogPoint.Incidents.states.id | String | LogPoint Incidents States Id |
| LogPoint.Incidents.states.status | String | LogPoint Incidents States Status |
| LogPoint.Incidents.states.assigned_to | String | LogPoint Incidents States Assigned To |
| LogPoint.Incidents.states.comments | String | LogPoint Incidents States Comments |

Command Example

!lp-get-incident-states ts_from="1610700720" ts_to="1610700900" limit=5

Context Example

{
  "LogPoint": {
    "Incidents": {
      "states": [
        {
          "assigned_to": "5fd9d95769d3a4ea5684fccf",
          "comments": [
            {
              "comment": "Example comment",
              "time": 1610700740,
              "title": "admin"
            },
            {
              "comment": "Reassigned",
              "time": 1610700745,
              "title": "admin"
            }
          ],
          "id": "5fdc788ecf35d7ae0f6b791b",
          "name": "Greater than 60",
          "status": "unresolved"
        },
        {
          "assigned_to": "5fd9d95769d3a4ea5684fccf",
          "comments": [
            {
              "comment": "Reassigned",
              "time": 1610700745,
              "title": "admin"
            }
          ],
          "id": "5fdc788ecf35d7ae0f6b791c",
          "name": "Memory use greater than 50",
          "status": "unresolved"
        }
      ]
    }
  }
}

Human Readable Output

Displaying all 2 incident states data.

| Id | Name | Assigned To | Status | Comments |
| --- | --- | --- | --- | --- |
| 5fdc788ecf35d7ae0f6b791b | Greater than 60 | 5fd9d95769d3a4ea5684fccf | unresolved | {'title': 'admin', 'comment': 'Example comment', 'time': 1610700740}, {'title': 'admin', 'comment': 'Reassigned', 'time': 1610700745} |
| 5fdc788ecf35d7ae0f6b791c | Memory use greater than 50 | 5fd9d95769d3a4ea5684fccf | unresolved | {'title': 'admin', 'comment': 'Reassigned', 'time': 1610700745} |

lp-add-incident-comment

Adds a comment to an incident.

Base Command

lp-add-incident-comment

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_obj_id | Object ID of a particular incident. It is the value of the 'id' key of an incident returned by the 'lp-get-incidents' command. | Required |
| comment | Comment to be added to the incident. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| LogPoint.Incidents.comment | String | LogPoint Incidents Comment |

Command Example

!lp-add-incident-comment comment="Example comment" incident_obj_id=600157c44a2018070b627f6a

Context Example

{
  "LogPoint": {
    "Incidents": {
      "comment": "Comments added"
    }
  }
}

Human Readable Output

Comments added

lp-assign-incidents

Assigns or re-assigns incidents.

Base Command

lp-assign-incidents

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_obj_ids | Object ID of a particular incident. It is the value of the 'id' key of an incident returned by the 'lp-get-incidents' command. Multiple IDs can be provided, separated by commas. | Required |
| new_assignee | ID of the user to whom the incidents are assigned. User IDs can be listed with the 'lp-get-users' command. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| LogPoint.Incidents.assign | String | LogPoint Incidents Assign |

Command Example

!lp-assign-incidents incident_obj_ids="600157c44a2018070b627f6a,6001583c4a2018070b627f6b" new_assignee=5bebd9fdd8aaa42840edc853

Context Example

{
  "LogPoint": {
    "Incidents": {
      "assign": "Incidents re-assigned"
    }
  }
}

Human Readable Output

Incidents re-assigned

lp-resolve-incidents

Resolves the incidents.

Base Command

lp-resolve-incidents

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_obj_ids | Object ID of a particular incident. It is the value of the 'id' key of an incident returned by the 'lp-get-incidents' command. Multiple IDs can be provided, separated by commas. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| LogPoint.Incidents.resolve | String | LogPoint Incidents Resolve |

Command Example

!lp-resolve-incidents incident_obj_ids="600157c44a2018070b627f6a,6001583c4a2018070b627f6b"

Context Example

{
  "LogPoint": {
    "Incidents": {
      "resolve": "Incidents resolved"
    }
  }
}

Human Readable Output

Incidents resolved

lp-close-incidents

Closes the incidents.

Base Command

lp-close-incidents

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_obj_ids | Object ID of a particular incident. It is the value of the 'id' key of an incident returned by the 'lp-get-incidents' command. Multiple IDs can be provided, separated by commas. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| LogPoint.Incidents.close | String | LogPoint Incidents Close |

Command Example

!lp-close-incidents incident_obj_ids="600157c44a2018070b627f6a,6001583c4a2018070b627f6b"

Context Example

{
  "LogPoint": {
    "Incidents": {
      "close": "Incidents closed"
    }
  }
}

Human Readable Output

Incidents closed

lp-reopen-incidents

Re-opens closed incidents.

Base Command

lp-reopen-incidents

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_obj_ids | Object ID of a particular incident. It is the value of the 'id' key of an incident returned by the 'lp-get-incidents' command. Multiple IDs can be provided, separated by commas. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| LogPoint.Incidents.reopen | String | LogPoint Incidents Reopen |

Command Example

!lp-reopen-incidents incident_obj_ids="600157c44a2018070b627f6a,6001583c4a2018070b627f6b"

Context Example

{
  "LogPoint": {
    "Incidents": {
      "reopen": "Incidents reopened"
    }
  }
}

Human Readable Output

Incidents reopened

lp-get-users

Gets incident users and user groups.

Base Command

lp-get-users

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| LogPoint.Incidents.users.id | String | LogPoint Incidents Users Id |
| LogPoint.Incidents.users.name | String | LogPoint Incidents Users Name |
| LogPoint.Incidents.users.usergroups | String | LogPoint Incidents Users Usergroups |

Command Example

!lp-get-users

Context Example

{
  "LogPoint": {
    "Incidents": {
      "users": [
        {
          "id": "5bebd9fdd8aaa42840edc853",
          "name": "admin",
          "usergroups": [
            {
              "id": "5bebd9fdd8aaa42840edc84f",
              "name": "LogPoint Administrator"
            }
          ]
        },
        {
          "id": "5fd9d95769d3a4ea5684fccf",
          "name": "sbs",
          "usergroups": [
            {
              "id": "5bebd9fdd8aaa42840edc850",
              "name": "User Account Administrator"
            },
            {
              "id": "5bebd9fdd8aaa42840edc84f",
              "name": "LogPoint Administrator"
            }
          ]
        }
      ]
    }
  }
}

Human Readable Output

Incident Users

| Id | Name | Usergroups |
| --- | --- | --- |
| 5bebd9fdd8aaa42840edc853 | admin | {'id': '5bebd9fdd8aaa42840edc84f', 'name': 'LogPoint Administrator'} |
| 5fd9d95769d3a4ea5684fccf | sbs | {'id': '5bebd9fdd8aaa42840edc850', 'name': 'User Account Administrator'}, {'id': '5bebd9fdd8aaa42840edc84f', 'name': 'LogPoint Administrator'} |

lp-get-users-preference

Gets the LogPoint user's preferences, such as timezone and date format.

Base Command

lp-get-users-preference

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| LogPoint.User.Preference.timezone | String | LogPoint user's timezone. |
| LogPoint.User.Preference.date_format | String | LogPoint user's date format. |
| LogPoint.User.Preference.hour_format | String | LogPoint user's hour format. |

Command Example

!lp-get-users-preference

Context Example

{
  "LogPoint": {
    "User": {
      "Preference": {
        "date_format": "%Y/%m/%d",
        "hour_format": "24 Hour",
        "timezone": "UTC"
      }
    }
  }
}

Human Readable Output

User's Preference

| Timezone | Date Format | Hour Format |
| --- | --- | --- |
| UTC | %Y/%m/%d | 24 Hour |

lp-get-logpoints

Gets the user's LogPoints.

Base Command

lp-get-logpoints

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| LogPoint.LogPoints.name | String | LogPoint name. |
| LogPoint.LogPoints.ip | String | LogPoint's IP address. |

Command Example

!lp-get-logpoints

Context Example

{
  "LogPoint": {
    "LogPoints": {
      "ip": "127.0.0.1",
      "name": "LogPoint"
    }
  }
}

Human Readable Output

LogPoints

| Name | Ip |
| --- | --- |
| LogPoint | 127.0.0.1 |

lp-get-repos

Gets the list of LogPoint repos that can be accessed by the user.

Base Command

lp-get-repos

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| LogPoint.Repos.repo | String | LogPoint repo name. |
| LogPoint.Repos.address | String | LogPoint repo address. |

Command Example

!lp-get-repos

Context Example

{
  "LogPoint": {
    "Repos": [
      {
        "address": "127.0.0.1:5504/default",
        "repo": "default"
      },
      {
        "address": "127.0.0.1:5504/_logpoint",
        "repo": "_logpoint"
      }
    ]
  }
}

Human Readable Output

LogPoint Repos

| Repo | Address |
| --- | --- |
| default | 127.0.0.1:5504/default |
| _logpoint | 127.0.0.1:5504/_logpoint |

lp-get-devices

Gets devices associated with LogPoint.

Base Command

lp-get-devices

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| LogPoint.Devices.name | String | Device name. |
| LogPoint.Devices.address | String | Device IP address. |

Command Example

!lp-get-devices

Context Example

{
  "LogPoint": {
    "Devices": [
      {
        "address": "127.0.0.1/127.0.0.1",
        "name": "localhost"
      },
      {
        "address": "127.0.0.1/::1",
        "name": "localhost"
      },
      {
        "address": "127.0.0.1/192.168.1.20",
        "name": "Windows Server"
      }
    ]
  }
}

Human Readable Output

Devices

| Name | Address |
| --- | --- |
| localhost | 127.0.0.1/127.0.0.1 |
| localhost | 127.0.0.1/::1 |
| Windows Server | 127.0.0.1/192.168.1.20 |

lp-get-livesearches

Gets live search results of the alerts and dashboards.

Base Command

lp-get-livesearches

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| LogPoint.LiveSearches.generated_by | String | Who generated the live search. |
| LogPoint.LiveSearches.searchname | String | The name of the live search. |
| LogPoint.LiveSearches.description | String | A description of the live search. |
| LogPoint.LiveSearches.query | String | The live search query. |

Command Example

!lp-get-livesearches

Context Example

{
  "LogPoint": {
    "LiveSearches": [
      {
        "description": "",
        "flush_on_trigger": false,
        "generated_by": "alert",
        "life_id": "c4e38a6fe8226ec0975ee5ed935a733003bd1f11",
        "limit": 25,
        "query": "\"use\"> 86 col_type=filesystem ",
        "query_info": {
          "aliases": [],
          "columns": [],
          "fieldsToExtract": [
            "use",
            "col_type"
          ],
          "grouping": [],
          "lucene_query": "(_num_use:{86 TO *} AND col_type:filesystem)",
          "query_filter": "\"use\"> 86 col_type=filesystem",
          "query_type": "simple",
          "success": true
        },
        "searchname": "Memory greater than 86",
        "tid": "",
        "timerange_day": 0,
        "timerange_hour": 1,
        "timerange_minute": 0,
        "timerange_second": 0,
        "vid": ""
      }
    ]
  }
}

Human Readable Output

Live Searches

| Description | Flush On Trigger | Generated By | Life Id | Limit | Query | Query Info | Searchname | Tid | Timerange Day | Timerange Hour | Timerange Minute | Timerange Second | Vid |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | false | alert | c4e38a6fe8226ec0975ee5ed935a733003bd1f11 | 25 | "use"> 86 col_type=filesystem | fieldsToExtract: use, col_type; aliases: ; success: true; query_filter: "use"> 86 col_type=filesystem; columns: ; query_type: simple; lucene_query: (_num_use:{86 TO *} AND col_type:filesystem); grouping: | Memory greater than 86 | | 0 | 1 | 0 | 0 | |

lp-get-searchid

Gets the search ID for the provided search parameters.

Base Command

lp-get-searchid

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | LogPoint search query. | Required |
| time_range | Time range, for example "Last 30 minutes" or "Last 7 days". Default is "Last 5 minutes". | Optional |
| limit | Number of logs to fetch. Default is 100. | Optional |
| repos | A comma-separated list of LogPoint repos from which logs are to be fetched. If not provided, logs from all repos are displayed. | Optional |
| timeout | LogPoint search timeout in seconds. Default is 60. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| LogPoint.search_id | String | Search ID. Use this ID in the lp-search-logs command to get the search result. |

Command Example

!lp-get-searchid query="| chart count() by col_type" limit=5 time_range="Last 30 minutes"

Context Example

{
  "LogPoint": {
    "search_id": "97df79d3-b2b8-4260-bd12-805b69434591"
  }
}

Human Readable Output

Search Id: 97df79d3-b2b8-4260-bd12-805b69434591

lp-search-logs

Gets the LogPoint search result for the given search_id.

Base Command

lp-search-logs

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| search_id | Search ID obtained from the lp-get-searchid command. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| LogPoint.SearchLogs | String | Search results |

Command Example

!lp-search-logs search_id=29023c62-12f4-4771-b988-067284a0e0c5

Context Example

{
  "LogPoint": {
    "SearchLogs": [
      {
        "_group": [
          "office365"
        ],
        "_type_ip": "",
        "_type_num": " count()",
        "_type_str": " col_type count()",
        "col_type": "office365",
        "count()": 312
      },
      {
        "_group": [
          "filesystem"
        ],
        "_type_ip": "",
        "_type_num": " count()",
        "_type_str": " col_type count()",
        "col_type": "filesystem",
        "count()": 3658
      }
    ]
  }
}

Human Readable Output

Found 2 logs

| Group | Type Ip | Type Num | Type Str | Col Type | Count() |
| --- | --- | --- | --- | --- | --- |
| office365 | | count() | col_type count() | office365 | 312 |
| filesystem | | count() | col_type count() | filesystem | 3658 |
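
Log searches are a two-step exchange: lp-get-searchid submits the query and returns a search ID, and lp-search-logs fetches the result for that ID. The following added example (not part of the LogPoint content pack) shows the argument handling a playbook should do before the first step and the handoff between the two steps. The validation rules are those stated in the lp-get-searchid argument table (a "Last <n> <unit>" time range defaulting to "Last 5 minutes", a limit defaulting to 100, comma-separated repos, a timeout in seconds defaulting to 60). The FakeLogPoint class is a constructed stand-in for the two commands that answers with the page's "| chart count() by col_type" result; it is not the integration's client code, and the parsed time range in seconds and the rejection of unknown search IDs are assumptions made for the example.

```python
"""Validate lp-get-searchid arguments and chain them into lp-search-logs.

Added example, not part of the LogPoint content pack. The argument rules
come from the lp-get-searchid argument table above; FakeLogPoint is a
constructed stand-in for the two commands, not the integration's client.
"""
import re
import uuid

TIME_RANGE_RE = re.compile(r"^(?:Last\s+)?(\d+)\s+(second|minute|hour|day)s?$", re.IGNORECASE)
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_time_range(text="Last 5 minutes"):
    """Convert a "Last <n> <unit>" range into seconds; anything else is rejected."""
    match = TIME_RANGE_RE.match(text.strip())
    if not match:
        raise ValueError(f"unsupported time range: {text!r}")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2).lower()]


def parse_repos(text):
    """Split the comma-separated repos argument; an empty value means all repos."""
    if text is None or not text.strip():
        return []
    repos = [part.strip() for part in text.split(",")]
    if any(not repo for repo in repos):
        raise ValueError(f"empty repo name in {text!r}")
    return repos


def build_search_args(query, time_range="Last 5 minutes", limit=100, repos=None, timeout=60):
    """Normalize and validate the lp-get-searchid arguments before they are sent."""
    if not query or not query.strip():
        raise ValueError("query must not be empty")
    limit = int(limit)
    timeout = int(timeout)
    if limit <= 0 or timeout <= 0:
        raise ValueError("limit and timeout must be positive integers")
    return {
        "query": query.strip(),
        "time_range_seconds": parse_time_range(time_range),
        "limit": limit,
        "repos": parse_repos(repos),
        "timeout": timeout,
    }


class FakeLogPoint:
    """Constructed stand-in for the two-step search: get_searchid hands out an
    ID, search_logs returns the rows recorded for that ID and rejects IDs it
    never issued. Rows mirror the page's '| chart count() by col_type' example."""

    def __init__(self):
        self._searches = {}

    def get_searchid(self, args):
        search_id = str(uuid.uuid4())
        rows = [
            {"col_type": "office365", "count()": 312},
            {"col_type": "filesystem", "count()": 3658},
        ]
        self._searches[search_id] = rows[: args["limit"]]
        return search_id

    def search_logs(self, search_id):
        if search_id not in self._searches:
            raise KeyError(f"unknown search_id: {search_id}")
        return self._searches[search_id]


def run_search(client, query, **kwargs):
    """lp-get-searchid followed by lp-search-logs, as the page describes."""
    args = build_search_args(query, **kwargs)
    search_id = client.get_searchid(args)
    return search_id, client.search_logs(search_id)


if __name__ == "__main__":
    sid, rows = run_search(FakeLogPoint(), "| chart count() by col_type",
                           time_range="Last 30 minutes", limit=5)
    print(sid, rows)
```

Rejecting a bad limit, time range or repo list before lp-get-searchid is called keeps the failure local to the playbook step instead of surfacing as a timed-out or empty search later.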