New to IDR Log Search?

A very important step in learning to search through your IDR logs effectively and quickly is to familiarize yourself with the logs coming into each of the IDR Log Search Log Sets. Each of the log sets may have differentiating keywords that are only found in that particular log set and maybe one or two more.

For example, the keyword “action” is found in Active Directory Admin Activity, Cloud Service Activity, and Cloud Service Admin Activity, but not in others, so building a query to search multiple log sets can be difficult.

Try simply going through each log set and finding a keyword (or keywords) that is typically only found in that log set, then perform a simple groupby() in order to visualize all the potential values for that keyword. You can perform the groupby function on any keyword in any log set.

groupby() - Helps visualize and organize the logs so you can better understand and see what you are looking at
calculate() - Helps show trends and other useful metrics via line graphs
where() - Helps zero in on your search by only showing you results based on the data in your where statement

All three can be used in the same query, or you can mix and match in order to see what you want to see.

5 Likes

For performing multiple groupby functions there is great documentation that shows how to use them and how to increase/decrease the default return of 40 for each groupby:

https://docs.rapid7.com/insightidr/search-your-logs/#search-your-logs-using-the-groupby-function

Just a tip on how it works: each limit you add applies to its corresponding groupby keyword:

groupby(key1, key2, key3)limit(10, 5, 5)

As stated, this limits the results for key1 to 10, key2 to 5, and key3 to 5. You don’t necessarily have to provide the limit for each key. If you have more keywords in your groupby than stated limits, IDR applies the last limit to the remaining groupby key names:

groupby(key1, key2, key3, key4)limit(10, 5)

IDR will then set the limits as follows: key1 will have a limit of 10 and key2 will have a limit of 5. But since there are two additional keys (key3 and key4), IDR will assign them the last limit stated, in this case, 5. So all the limits will look like the following:

Key1 - limit 10
Key2 - limit 5
Key3 - limit 5
Key4 - limit 5

2 Likes
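To make both posts above concrete (the first post's advice to find a keyword that only one log set carries and groupby() on it, and the second post's rule that limit() values are padded across groupby() keys by repeating the last one), here is an added Python model of that behaviour. It is illustrative code written for this page, not Rapid7's implementation and not code from either poster. The three log set names from the posts are reused; the "Example Auth Log Set" name, every field name and every log line are constructed sample data, and the tie-breaking order and the skipping of entries that lack the grouped key are assumptions of this model, not documented InsightIDR behaviour.

```python
"""Added model of InsightIDR Log Search groupby()/limit() behaviour.

Illustrative code, not Rapid7's implementation. Log set names other than
the three from the posts, all field names and all log lines are constructed.
"""
import json
from collections import defaultdict

DEFAULT_LIMIT = 40  # the posts say groupby() returns 40 groups per key by default

# Constructed sample logs: one list of JSON lines per log set.
SAMPLE_LOGS = {
    "Active Directory Admin Activity": [
        '{"action": "ACCOUNT_CREATED", "target_user": "svc-backup", "source_user": "admin1"}',
        '{"action": "ACCOUNT_CREATED", "target_user": "tmp-user", "source_user": "admin1"}',
        '{"action": "GROUP_MEMBER_ADDED", "target_user": "jdoe", "source_user": "admin2"}',
    ],
    "Cloud Service Admin Activity": [
        '{"action": "ROLE_ASSIGNED", "service": "AWS", "source_user": "admin1"}',
        '{"action": "KEY_CREATED", "service": "AWS", "source_user": "admin3"}',
    ],
    "Example Auth Log Set": [  # hypothetical log set that carries no "action" key
        '{"result": "SUCCESS", "destination_asset": "host-01", "source_user": "jdoe"}',
        '{"result": "FAILED_BAD_PASSWORD", "destination_asset": "host-02", "source_user": "jdoe"}',
        '{"result": "FAILED_BAD_PASSWORD", "destination_asset": "host-02", "source_user": "jdoe"}',
    ],
}


def entries(log_sets=None, logs=SAMPLE_LOGS):
    """Parse the JSON lines of the chosen log sets (all of them by default)."""
    names = log_sets or list(logs)
    return [json.loads(line) for name in names for line in logs[name]]


def discriminating_keys(logs=SAMPLE_LOGS):
    """Map each key that occurs in exactly one log set to that log set.

    This is the first post's advice made mechanical: a key such as "action"
    that shows up in several log sets is dropped because it cannot tell
    the sets apart.
    """
    seen_in = defaultdict(set)
    for name in logs:
        for entry in entries([name], logs):
            for key in entry:
                seen_in[key].add(name)
    return {key: next(iter(sets)) for key, sets in seen_in.items() if len(sets) == 1}


def expand_limits(keys, limits):
    """Pad limit() values to one per groupby() key by repeating the last one.

    groupby(k1, k2, k3, k4)limit(10, 5) -> [10, 5, 5, 5], as the second post
    describes; no limit() at all means DEFAULT_LIMIT for every key.
    """
    limits = list(limits) or [DEFAULT_LIMIT]
    if len(limits) > len(keys):
        raise ValueError("more limit() values than groupby() keys")
    return limits + [limits[-1]] * (len(keys) - len(limits))


def groupby(rows, keys, limits=()):
    """Nested groupby() with per-level truncation.

    Returns {value: {"count": n, "groups": <next level, or None at the last key>}}
    with the largest groups first. Assumptions not taken from the page: ties are
    broken by value, and rows lacking the key are skipped at that level.
    """
    per_level = expand_limits(keys, limits)

    def level(rows, depth):
        if depth == len(keys):
            return None
        buckets = defaultdict(list)
        for row in rows:
            if keys[depth] in row:
                buckets[row[keys[depth]]].append(row)
        ranked = sorted(buckets.items(), key=lambda kv: (-len(kv[1]), str(kv[0])))
        return {value: {"count": len(group), "groups": level(group, depth + 1)}
                for value, group in ranked[: per_level[depth]]}

    return level(rows, 0)


if __name__ == "__main__":
    print("keys unique to one log set:", discriminating_keys())
    # groupby on a discriminating key to see every value it takes in that log set
    print(groupby(entries(["Example Auth Log Set"]), ["result"]))
    # the equivalent of groupby(source_user, action)limit(2, 1) over all log sets
    print(json.dumps(groupby(entries(), ["source_user", "action"], [2, 1]), indent=2))
```

Running the script shows "action" missing from the discriminating keys because two log sets carry it, and the two-key query keeping only the two busiest source_user values and, under each, a single action value; the jdoe branch is empty because none of its constructed rows has an action key.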