Logpresso App

Built on a high-performance, schema-less big data engine, the Logpresso platform provides the log collection, storage, detection, analysis, and visualization features that security operations require. However, configuring a production environment with only the platform's basic features takes considerable effort.

Depending on the integration target, you may need to develop a dedicated collector, parse binary packets, or call a REST API to control the integrated device. Even if you can fully configure your production environment with basic platform features alone, you still have to write regular expressions, set up real-time or batch detection scenarios, and build dashboard widgets.

Instead of repeating these tasks for every deployment, Logpresso partners can package them into apps to maximize reusability. A Logpresso app can provide the following items:

Logpresso App Features

Item                            Description
------------------------------  --------------------------------------------------------------------------------
Log schema                      Define a set of standardized log field names.
Parser                          Define a parser that extracts the standardized set of fields from raw logs.
Logger model                    Define a combination of ingestion type and normalization rules.
Dataset                         Define a dataset to use as the data source of a dashboard widget or pivot.
Procedure                       Define a parameterized query.
Report template                 Define the report formatting.
Threat intelligence feed        Define a feed that automatically syncs indicators from threat intelligence services.
Real-time detection scenario    Define a real-time detection scenario that detects events within milliseconds of ingestion.
Batch detection scenario        Define a batch detection scenario that runs at a specified interval.
Subnet group                    Define the network subnets referenced by detection scenarios.
Port group                      Define the port groups referenced by detection scenarios.
Pattern group                   Define a group of patterns referenced by detection scenarios.
Response model                  Define a response model that blocks or unblocks specified IP addresses on integrated devices.
Widget                          Define reusable widgets that visualize information on a dashboard.
Dashboard                       Define the dashboards needed for threat detection or service monitoring.
Connect profile                 Define the connection properties an integration requires, e.g. a REST API endpoint or an API key.
Query command                   Define a custom query command.
Playbook                        Define reusable playbooks.

This means you can install multiple Logpresso apps on the Logpresso platform and bring up a production environment with minimal setup. The following sections explain how Logpresso apps run on the Logpresso platform.