Why is search used?
While Search is the basis for everything in Graylog once your logs are normalized, parse enriched, and categorized into streams. Search can be used, for example, for threat hunting. Say I wanted to know, I have been given some information here and I’m going to use my Illuminate enterprise feature for Office 365 logs. I’m going to look up anything to do with one drive. Here you’ll see a variety of things, files being accessed. Say I’m looking up here and I see, file uploaded, document.X. I want to add that to a query and I’m going to add it so that anything with one drive and document X document.doc shows up here, it shows up multiple places. Perhaps I want to check where that document is being modified.
I’m going to scroll down here in the actual list, and I’m going to add the city name, and I’m going to say, show top values. Now, this document, there’s an indication that this document it’s been modified in these different cities. For example, if this was a shared document and you knew you had offices in Des Moines and Greenlee and Tampa, but all of a sudden there’s a modification of this document in Washington. Now you can look at going, what’s going on here, why is someone accessing this document, and further go into your search. In this case, I want to save this search. I’m going to call this a wild doc search just for now. Now, this is saved. You can load it back up with any other searches that are here. The next thing I want to go through is where saved searches can now become export to dashboards.
Let’s go to a dashboard really quick, and let’s go to our Office 365 Illuminate dashboard, which is part of our enterprise. I’m going to extend out some time on the dashboard. As you’ll see here, if we go to our overview, you’re going to see a variety of things that are being captured. This dashboard represents signing successes and failures and how many tenants reporting. It also shows the activity by application with office and it should utilize actually a geo IP lookup and maps it for us to know where everything’s coming from. There’s a variety of other options added to this dashboard. This dashboard could be useful in many instances in its support and exchange support with one drive, changing files, variety of things. Other dashboards can be utilized for different processes. You could be an IT director wanting to keep an eye on some of the processes and things in the organization. You could be a DevOps team who needs to watch the application logs to understand what’s going on with your code.
There’s a good way to actually visualize what’s going on and gives you the ability also to show you full access logs. The dashboard’s a really great tool to indicate what’s going on in your system and give you the ability to represent data for the target of the audience. For example, for the directors or for SOC analysts or SOC analysts managers or anything in the environment.