While we make an effort to support a wide variety of Integrations and different types of log sources, it is always possible that there may be a type of log source that you would like to ingest into Samurai XDR, which we are not able to parse and analyze to generate Alerts. This is especially true for events generated via syslog log sources.
The fact that we are not able to use a log source for detections doesn't mean that it won't still be useful to ingest it into Samurai XDR. We will ingest any event data, provided via syslog, into our data lake and you will still be able to analyze that event data using Advanced Query. This allows you to include events from generic log sources when you are performing threat hunts.
If a log source, ingested via syslog, does not match one of our supported integrations, we will ingest the log events, which will still contain, amongst others, the following fields:
- timestamp: the time at which the log message was ingested
- collector: the id of the collector which ingested the event
- host: the source host from which the event was received
- raw: the complete raw log message
You can then proceed to query these events using Advanced Query. For example, the following KQL query finds all the attempts to connect to a host using invalid user ids and then counts the attempts by source IPv4 or IPv6 address:
events | where host == "10.1.1.1" and (raw contains "Invalid" or raw contains "failed") and raw !contains "connect" | project timestamp, user = extract("user ([a-zA-Z0-9\\-]+) from ", 1, raw), ipaddr = extract(".+ ([0-9a-f]+[\\:\\.][0-9a-f\\.\\:]+) ", 1, raw) | summarize num_attempts = count() by ipaddr | order by num_attempts
The output is ordered by the number of attempts from each IP address, producing a table like the following:
