Enhance Search with Asset Enrichment
Associate Assets in Search Results
When the Illuminate bundle is activated, the pack automatically runs the set_associated_assets pipeline rule for all messages.
However, you also have the option to apply the set_associated_assets pipeline rule to only a subset of logs. In this case, you would not enable the Illuminate assets processing pack; instead, you would call the set_associated_assets pipeline function from a pipeline rule of your own, add that rule to a pipeline, set filters, and/or assign the pipeline to one or more selected streams.
This functionality is customizable to the extent that you can either apply it to all logs by enabling the Illuminate processing pack or to a subset of logs by manually configuring and applying the rule. Refer to our documentation on pipelines for more information on creating pipeline rules.
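As an added illustration of the manual route described above (this is not code from the original page or from Graylog's own documentation), the following pipeline rule calls set_associated_assets only for messages that carry a host address or an account identifier. The field names source_ip and user_name, the rule name, and the argument list are assumptions: the page names the function but not its parameters, so a call with no arguments is assumed here.

```text
// Assumed example rule: associate assets only for messages that carry
// a host address or an account identifier, instead of enabling the
// Illuminate pack for every message. The field names are assumptions.
rule "Associate assets for messages with a host or user"
when
  has_field("source_ip") || has_field("user_name")
then
  // The page names set_associated_assets but not its parameters;
  // a call without arguments is assumed here.
  set_associated_assets();
end
```

Attach the rule to a stage of a pipeline and connect that pipeline to the streams whose messages should be enriched; messages outside those streams are left unmodified.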
Once a message has been enriched with the associated_assets fields, those fields can be displayed in the expanded log view of an individual message. The details of each associated asset can then be expanded as well.
In addition to viewing the asset in search results, you also have the capability to add an asset to the search query and to pivot into any log message associated with that asset.
Pivot to an Asset Search
This capability allows you to view an asset in search results and transition to exploring additional logs related to that specific asset for further investigation. For instance, if a log message identifies a finance department's computer as an asset, you can pivot and access all logs associated with that machine, allowing a deeper look at its activities.
To pivot to an asset search, click the Add to query button for a particular asset to view all log messages for that asset. Note that the asset ID is then added to the search query for the associated_assets field.
Search for Assets
On the Assets page, you can search for assets. This functionality allows you to create a search query based on asset information. You can search for assets individually or in bulk.
To search for an individual asset, click the ellipsis for the selected asset and choose the Search for asset option.
To perform bulk searches, choose the assets you want to search, then click on the Bulk Actions button and search for the selected assets.
Asset Management Use Cases
Scenario 1: Searching for Users/Machines
Let's say a user has two different user accounts (bill.murray and bmurray) as well as two different emails (bmurray@gmail.com and big.ern@kingpin.com). If you want to search across all logs for that user:
- Navigate to the Security/Assets menu header and click the User Assets tab. Then select the ellipsis next to the selected user asset.
- Select Search for Asset from the menu options.
- You will receive results for any message that contains any of the various user names or email addresses.
This same scenario applies to machine assets with multiple IP addresses, hostnames, etc.
Scenario 2: Searching for Additional Logs about a Machine after Spotting Suspicious Activity
While sifting through logs in Graylog, you see an unusual message and want to see other logs from that specific machine or user. As an example, in the screenshot below, you see failed logins heading to a particular machine and want to see other messages from that machine. To do this, you could select the asset on the left and then Add to Query:
This adds the asset to the query, so the results now show logins for that asset only.