Data is essential to any SIEM. Generally, this data is collected from logs, endpoints, and networks. All of this data paints a holistic picture of your network so you have constant visibility into what’s going on, and where. When it comes to security data, log data is the primary driver. In InsightIDR, Rapid7’s SIEM tool, customers use log data to detect malicious activity, prove compliance, and gain a deep level of visibility across their network.
InsightIDR adds tremendous value by normalizing, attributing, and analyzing this log data by pulling out fields that are critical for security analytics. While our main focus is on parsing data out of logs that can be used for security analytics, customers are also interested in additional data within their logs.
Now, InsightIDR customers can easily analyze and visualize all of their data—regardless of whether it’s critical for security analytics—-by using the custom parser to create easily readable logs. Our new Custom Parsing Tool provides an easy-to-use, non-technical way for customers to define what they'd like to parse from their logs, so they can extract the log data that is most relevant to their organization. Want to rename your parser, add more logs, or tweak your extracted fields? With our Custom Parsing Tool, you can go back and edit existing parsers rather than starting from scratch.
What does this look like?
Let’s take a look at a use case that’s relevant to our current remote work climate. A customer—let’s say a university—has a large campus that’s now even more spread out from the shift to remote classrooms. The customer uses Access Points (APs) to correlate users with locations, and feeds AP logs into InsightIDR, but searching these logs is almost impossible and requires a lot of Regular Expression. This long process isn’t very conducive to critical incident investigations when there isn’t time to take this longer RegEx approach.
Now, with the Custom Parsing Tool the customer can parse out the following:
- AP name (which corresponds to location)
- User who is connecting
- MAC address connecting
- IP address assigned
Now easily accessible within log search, custom alerting, and dashboards, customers can leverage this information during critical incident investigations.
This university instance is only one example—the Custom Parsing Tool has various use cases, including:
- A hospital using Epic Software as their EHR management tool that needs to parse out information like EHR event-type, patient IDs, and department information.
- A customer using a next-gen AV system that needs to parse out extra fields that we do not pull out in our event source, like the name of the malware detected.
- Parsing out the traffic category from web proxy logs.
We’re excited about the new customization capabilities the Custom Parsing Tool enables for our customers. To learn more about getting started with the Custom Parsing Tool, check out our help docs here.