Log Search Glossary

Familiarize yourself with the terms that are used in the Log Search documentation and UI.

Scope of this Glossary

The definitions provided in this topic are relevant exclusively to Log Search in SIEM (InsightIDR). However, the same or similar terms may be used in other product areas and might have different meanings.


A

agent

See Insight Agent.

application programming interface (API)

A defined interface through which one program exchanges data with another. For example, you can use the Log Search API to bulk query log sets, manage saved queries, and retrieve contextual log entries.

asset

A single device on a network that can be identified by its IP address. In the Web interface and API, an asset may also be referred to as a device.

attribution

The process of mapping user accounts (for example, from Active Directory) to the endpoints where users log in. This makes it easier for analysts to investigate alerts by searching for the user who is involved, rather than by searching for an IP address or a host name.

C

clause

In LEQL, clauses help you define your search criteria. Examples of popular clauses are select(), where(), and groupby().

collector

Rapid7 software that either polls data or receives data from event sources and makes it available for SIEM (InsightIDR) analysis. An event source represents a single device that sends logs to the Collector. By default, the Collector filters logs to cut down on duplicate or unnecessary data. The Collector sends the log data to the Insight Cloud for analysis.

context menu

In Log Search, the context menu allows you to build queries by selecting a clickable key or value from your search results. The context menu provides a set of contextually relevant operations so you can add to an existing query or create one from scratch.

E

event

Events provide insight about what is happening in your environment, such as user actions, system events, or errors. An event is typically recorded as a log entry—along with other events of the same type—in a log. Logs enter SIEM (InsightIDR) from one or more configured event sources.

event source

Informational sources that you can connect to SIEM (InsightIDR) to provide visibility across your environment. Event sources can be networks, servers, firewalls, or anti-virus software. For example, if you have three firewalls in your environment, you will have one event source for each firewall.

event type

A data structure that defines the data contained in an event. When event data enters SIEM (InsightIDR) as logs (for example from the Collector, event sources, sensors, or the Insight Agent), the application classifies that event data as a particular type, such as Firewall Activity.

F

function

LEQL functions help you perform operations on your log data to better understand your query results.

G

groupby()

A LEQL clause that helps visualize your log data by grouping it by specified keys.

I

Insight Agent

An Insight Agent is lightweight software installed on an endpoint to monitor the endpoint and report security-relevant events. The Insight Agent monitors specific event codes and collects endpoint telemetry data to provide an enhanced understanding of your endpoints’ activity and drive quicker response time to detections. The agent collects data only from the asset on which it is installed.

interval

In Log Search, your query results are divided into intervals when you add a count, average, min, or max function to your query. You can specify the number of intervals with the timeslice(n) function, where n is a number between 1 and 200.

IP address

An Internet Protocol (IP) address is the numeric label that identifies a physical or virtual machine on a network. It is unique only within that network: private address ranges are reused across networks and behind NAT, so pair an IP address with a host name or a time range when you attribute activity to an asset.

K

key

Also referred to as a field, a key is the name that identifies a piece of data in your logs. For example, the key could be geoip_country_name and a value that pertains to that key might be United States. When logs are presented in the Table view in Log Search, the key names in the log become the column headings.

key-value pair

You can search for data in your logs by entering a combination of a key and a corresponding value. This is known as a key-value pair. For example, geoip_country_name = United States. Key-value searches support various operators, such as =, !=, IN, and CONTAINS. The operators that are supported depend on the type of key. LEQL supports strings, numbers, IP addresses (CIDR), lists, and regular expressions.

keyword search

A keyword search allows you to find a string in any log, regardless of its format. Keyword searches are case-sensitive by default and match a full string until it is delimited by a non-letter character.

L

label

In Log Search, you can create basic detection rules that apply labels (also known as tags) to log entries to give a visual indication of the type of information they contain. For example, a warning label can be applied to log entries that contain one or more specific values that users should be warned about.

LEQL

Log Entry Query Language (LEQL) is the search language that you use to construct queries against your logs and extract the data they contain.

log

A collection of log entries that contain timestamped data about events. In SIEM (InsightIDR), logs are typically named based on the event source. For example, Firewall: New York Office.

log entry

The data that is collected about an individual event, which is organized into keys and values. One log can contain hundreds or thousands of log entries.

log key

A Universally Unique Identifier (UUID) that is used to identify and manage a log in the UI and API, such as for setting its name.

log set

A log set is a collection of multiple logs. In SIEM (InsightIDR), a log set is defined (by default) by the type of event within the log stream, such as Firewall, DNS, Active Directory, and other event types. You can optionally create custom log sets in Data Collection or by using the API.

log sources

The logs and log sets that act as the source of all of the data in Log Search.

log token

A Universally Unique Identifier (UUID) that identifies a log when sending data to that log in the Log Search platform service. Because the token is what lets a sender write entries into the log, treat it as a credential rather than a public identifier: keep it out of source control and shared scripts.

loose search

A loose search provides case-insensitive and partially matched results. Use a loose search to query data when you do not know the case, or the full string, of the value you are searching for.

O

operator

SIEM (InsightIDR) supports both logical and comparison operators, which allow you to create more complex searches. Logical operators include AND, OR, and NOT. Comparison operators include =, !=, IN, CONTAINS.
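
The matching rules that the key-value pair, keyword search, loose search and operator entries above describe, worked through as an added example. This is illustration code written for this glossary, not Rapid7's LEQL engine: it evaluates the listed operators over three constructed entries, and the Python value types chosen for CIDR and regular-expression matching, the treatment of a missing key, and the sample data are this example's own assumptions.

```python
import ipaddress
import json
import re

# Constructed sample log entries (not real data), already in key-value form
# as Log Search presents structured logs. Keys mirror the glossary's examples.
SAMPLE_ENTRIES = [json.loads(line) for line in (
    '{"user": "alice", "geoip_country_name": "United States", '
    '"src_ip": "10.1.2.3", "bytes": 512, "msg": "Login succeeded for alice"}',
    '{"user": "bob", "geoip_country_name": "Germany", '
    '"src_ip": "192.168.5.7", "bytes": 2048, "msg": "login failed for bob"}',
    '{"user": "carol", "geoip_country_name": "United Kingdom", '
    '"src_ip": "203.0.113.9", "bytes": 64, "msg": "LoginAttempt blocked"}',
)]


def match_kv(entry, key, op, value):
    """One key-value comparison with the operator set the glossary lists
    (=, !=, IN, CONTAINS). The Python type of `value` selects how '=' compares:
    an ip_network tests CIDR membership, a compiled regex is searched,
    an int/float compares numerically, anything else compares exactly.
    A missing key is no match for every operator (this evaluator's choice)."""
    if key not in entry:
        return False
    actual = entry[key]
    if op == "!=":
        return not match_kv(entry, key, "=", value)
    if op == "IN":                       # value is a list of alternatives
        return any(match_kv(entry, key, "=", v) for v in value)
    if op == "CONTAINS":                 # case-sensitive substring test
        return str(value) in str(actual)
    if op != "=":
        raise ValueError(f"unsupported operator: {op}")
    if isinstance(value, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        try:
            return ipaddress.ip_address(actual) in value
        except ValueError:               # key does not hold an IP address
            return False
    if isinstance(value, re.Pattern):
        return value.search(str(actual)) is not None
    if isinstance(value, (int, float)):
        try:
            return float(actual) == float(value)
        except (TypeError, ValueError):
            return False
    return str(actual) == str(value)


def keyword_match(entry, term):
    """Keyword search: case-sensitive, matched anywhere in the entry regardless
    of format, but only as a whole token delimited by non-letter characters,
    so 'Login' does not hit 'LoginAttempt'. (The lookarounds are Python's own
    tooling here; a LEQL regex would not need them.)"""
    text = json.dumps(entry)
    pattern = r"(?<![A-Za-z])" + re.escape(term) + r"(?![A-Za-z])"
    return re.search(pattern, text) is not None


def loose_match(entry, term):
    """Loose search: case-insensitive and partial."""
    return term.lower() in json.dumps(entry).lower()


def example_queries():
    """Run representative searches over the sample entries and return, per
    query, the users whose entries matched (in entry order)."""
    def users(pred):
        return [e["user"] for e in SAMPLE_ENTRIES if pred(e)]

    private = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "192.168.0.0/16")]
    login = re.compile(r"[Ll]ogin (succeeded|failed)")   # RE2-compatible pattern
    return {
        "geoip_country_name = United States":
            users(lambda e: match_kv(e, "geoip_country_name", "=", "United States")),
        "geoip_country_name != United States":
            users(lambda e: match_kv(e, "geoip_country_name", "!=", "United States")),
        "src_ip IN [10.0.0.0/8, 192.168.0.0/16]":
            users(lambda e: match_kv(e, "src_ip", "IN", private)),
        "geoip_country_name CONTAINS United":
            users(lambda e: match_kv(e, "geoip_country_name", "CONTAINS", "United")),
        "bytes = 512":
            users(lambda e: match_kv(e, "bytes", "=", 512)),
        "msg = /[Ll]ogin (succeeded|failed)/":
            users(lambda e: match_kv(e, "msg", "=", login)),
        "keyword Login":
            users(lambda e: keyword_match(e, "Login")),
        "loose login":
            users(lambda e: loose_match(e, "login")),
        "NOT geoip_country_name = United States AND src_ip IN private":
            users(lambda e: not match_kv(e, "geoip_country_name", "=", "United States")
                  and match_kv(e, "src_ip", "IN", private)),
    }


if __name__ == "__main__":
    for query, matched in example_queries().items():
        print(f"{query:65} -> {matched}")
```

The keyword and loose rows are the ones worth comparing: the same three entries give one hit for the case-sensitive, token-delimited keyword search and three for the loose search, which is why a loose search is the right first step when you only half-remember a value.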

order

By default, Log Search orders your query results by newest ingestion time first. You can change the order of your logs by adding sort(asc) to your query, or selecting the up arrow next to the query bar.

P

parseable logs

Parseable logs contain relevant security information derived from the more verbose data stream. These logs are parsed into key-value pair format to streamline data correlation across disparate events during incident response.

parsed data

Parsed data is log data that has been transformed from the format in which it arrived into key-value pairs that Log Search can query by key. See also, unparsed data.

pre-computed queries

Pre-computed queries, a type of LEQL query, run continuously as log entries are received. They can be viewed immediately in either your Log Management settings or your custom dashboard cards. Pre-computed queries return results faster than a conventional query.

Q

query

A precise request to retrieve information from a database or information system. In Log Search, you type a query into the search bar to retrieve data from log entries.

R

raw data

Unmodified or unparsed data that is collected from a non-standard event source, such as a custom script or web application. Raw data is not attributed by SIEM (InsightIDR). By default, raw data is stored in the Raw Log log set.

regular expression

A regular expression (regex) is a pattern syntax that you can use within LEQL to build queries in Log Search. Regular expressions use special characters as operators so that you can search for more advanced patterns than a literal string. SIEM (InsightIDR) supports the RE2 regex syntax. RE2 guarantees linear-time matching but does not support backreferences or lookaround assertions, so patterns written for other engines that rely on those constructs must be rewritten.

S

schema

A model or structure that organizes data into a specific format, so that the data can be read by the application.

search term

A simple text or numerical value that can be used to search log data.

search pattern

The partial or full contents of the where() clause in a query. The search pattern is what you use to filter your data.

structured logs

Structured logs arrive already organized as key-value pairs (for example, JSON), so they can be read by humans and interpreted by machines, and LEQL can search, visualize, or export them by key.

T

time range

In Log Search, the time range is the period of time your query results fall within.

timeslice

In Log Search, the timeslice is the number of intervals your query results are divided into, or the unit of time they are divided by. SIEM (InsightIDR) calculates 10 equal time intervals when performing a query that uses a count, min, max, or average function. However, you can leverage the timeslice function to manually set the number of intervals using either units of time (seconds, minutes, hours, days) or whole numbers. View the timeslice documentation.
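
An added example, written for this glossary rather than taken from Rapid7's implementation, of what the interval, groupby() and timeslice entries describe: a query range is cut into intervals either as a whole number of equal slices or by a unit of time, count/min/max/average is computed per interval, and groupby() nests a per-key result inside each interval. The sample entries, the timestamp field name and the 12:00 to 13:00 range are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _ts(hhmm):
    """Helper for the constructed data: a timestamp on 2024-01-01 UTC."""
    return datetime(2024, 1, 1, int(hhmm[:2]), int(hhmm[3:]), tzinfo=timezone.utc)


# Constructed log entries (not real data): timestamp, user, bytes transferred.
ENTRIES = [
    {"timestamp": _ts("12:03"), "user": "alice", "bytes": 100},
    {"timestamp": _ts("12:10"), "user": "bob",   "bytes": 300},
    {"timestamp": _ts("12:20"), "user": "alice", "bytes": 50},
    {"timestamp": _ts("12:44"), "user": "carol", "bytes": 700},
    {"timestamp": _ts("12:46"), "user": "alice", "bytes": 150},
    {"timestamp": _ts("12:58"), "user": "bob",   "bytes": 200},
    {"timestamp": _ts("13:05"), "user": "alice", "bytes": 999},  # outside the queried range
]


def calculate(entries, func, field=None):
    """count/min/max/average over one set of entries; None when a numeric
    function finds no values to work on."""
    if func == "count":
        return len(entries)
    values = [e[field] for e in entries if field in e]
    if not values:
        return None
    if func == "min":
        return min(values)
    if func == "max":
        return max(values)
    if func == "average":
        return sum(values) / len(values)
    raise ValueError(f"unsupported function: {func}")


def groupby(entries, key):
    """groupby(): bucket entries by the value of `key`, in first-seen order."""
    groups = defaultdict(list)
    for e in entries:
        groups[e.get(key)].append(e)
    return dict(groups)


def timeslice(entries, func, start, end, field=None, n=None, width=None, group_key=None):
    """Divide [start, end) into intervals and apply `func` to each.
    Either n (a whole number of equal intervals; Log Search defaults to 10)
    or width (a unit of time such as 15 minutes) selects the slicing; when a
    width does not divide the range evenly the last interval is shorter.
    With group_key, each interval holds a per-group result as groupby() would."""
    if (n is None) == (width is None):
        raise ValueError("give exactly one of n or width")
    if width is None:
        width = (end - start) / n
    results = []
    lo = start
    while lo < end:
        hi = min(lo + width, end)
        window = [e for e in entries if lo <= e["timestamp"] < hi]
        if group_key is None:
            value = calculate(window, func, field)
        else:
            value = {g: calculate(es, func, field) for g, es in groupby(window, group_key).items()}
        results.append((lo, value))
        lo = hi
    return results


def example_report():
    """Run the glossary's aggregation functions over the sample entries and
    return each series as a list of per-interval values."""
    start, end = _ts("12:00"), _ts("13:00")

    def series(rows):
        return [v for _, v in rows]

    return {
        "count, 4 intervals": series(timeslice(ENTRIES, "count", start, end, n=4)),
        "average(bytes), 4 intervals": series(
            timeslice(ENTRIES, "average", start, end, field="bytes", n=4)),
        "max(bytes), 4 intervals": series(
            timeslice(ENTRIES, "max", start, end, field="bytes", n=4)),
        "count, 25-minute width": series(
            timeslice(ENTRIES, "count", start, end, width=timedelta(minutes=25))),
        "groupby(user) count, 30-minute width": series(
            timeslice(ENTRIES, "count", start, end, width=timedelta(minutes=30), group_key="user")),
    }


if __name__ == "__main__":
    for name, values in example_report().items():
        print(f"{name}: {values}")
```

The 25-minute series shows the edge case the entry mentions in passing: a width that does not divide the range leaves a short final interval, so its count is not comparable with the others without normalising for duration.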

time span

In Log Search, a time span is the duration of the intervals that your log data is divided into on timelines.

U

unparsed data

Data that is being collected by event sources is often parsed, but it can also enter the application as unparsed data. The Unparsed Data log set contains events that are collected from standard event sources that were not parsed as other types of activity. This behavior is enabled by selecting the Send Unparsed Data option when you configure an event source. You can view parsing information by going to the Event Source Health screen in SIEM (InsightIDR). See also, parsed data.

unstructured logs

Unstructured logs are strings of unpredictable text that cannot be parsed into key-value pair form and can be difficult to interpret or search. Rapid7 automatically structures logs that arrive in known formats, such as CEF and JSON, into key-value pairs; free-text logs that match no known format can still be searched by keyword.
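
An added example of the structuring step that the structured logs and unstructured logs entries describe, written for this glossary rather than taken from Rapid7's parsers: it turns JSON (flattening nested objects into dotted keys) and CEF lines into key-value pairs, and keeps a free-text line whole so it remains keyword-searchable. The CEF handling follows the public CEF conventions (pipe-delimited header, escaped \| and \=, space-separated extension pairs); the sample lines, the header field names and the dotted-key naming are this example's own assumptions.

```python
import json
import re

# Constructed sample lines (not real device output): one JSON entry with a
# nested object, two CEF entries (the second with an escaped pipe in its header
# and an escaped '=' in an extension value), and one free-text line.
SAMPLE_LINES = [
    '{"event": "logon", "user": "alice", "src": {"ip": "10.1.2.3", "port": 51022}}',
    "CEF:0|Example Vendor|Example Firewall|1.2|100|Connection denied|5|"
    "src=203.0.113.9 dst=10.0.0.5 dpt=22 msg=Blocked inbound SSH by rule\\=42 act=deny",
    "CEF:0|Acme\\|Corp|IDS|3.0|2001|Port scan|7|src=198.51.100.4 cnt=120",
    "Jan  1 12:00:00 host kernel: something happened that fits no known format",
]

# Names assumed here for the seven CEF header fields.
CEF_HEADER = ("cef_version", "device_vendor", "device_product", "device_version",
              "signature_id", "name", "severity")


def _unescape(s):
    """Undo CEF escaping: \\| and \\= for delimiters, \\\\ for a backslash, \\n and \\r."""
    return re.sub(r"\\([|=\\nr])",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)


def parse_cef(line):
    """Parse one CEF line (CEF:Version|Vendor|Product|Version|SignatureID|Name|
    Severity|Extension) into a flat dict. The header is split on unescaped
    pipes; the extension is space-separated key=value pairs whose values may
    themselves contain spaces, so each value runs until the next ' key=' token."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    fields = {name: _unescape(parts[i]) for i, name in enumerate(CEF_HEADER)}
    extension = parts[7]
    # A key is a run of key characters at a token boundary followed by '=';
    # an escaped '\=' inside a value never qualifies because '\' precedes it.
    keys = list(re.finditer(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=", extension))
    for i, m in enumerate(keys):
        value_end = keys[i + 1].start() if i + 1 < len(keys) else len(extension)
        fields[m.group(1)] = _unescape(extension[m.end():value_end].strip())
    return fields


def flatten_json(obj, prefix=""):
    """Flatten nested JSON into dotted keys (src.ip) so every value has one key."""
    flat = {}
    for k, v in obj.items():
        name = f"{prefix}{k}"
        if isinstance(v, dict):
            flat.update(flatten_json(v, name + "."))
        else:
            flat[name] = v
    return flat


def structure_line(line):
    """Turn a known format (JSON or CEF) into key-value pairs; anything else is
    kept whole as an unstructured message so it can still be keyword-searched."""
    stripped = line.strip()
    if stripped.startswith("{"):
        try:
            return flatten_json(json.loads(stripped))
        except json.JSONDecodeError:
            pass                      # looked like JSON but is not; fall through
    if stripped.startswith("CEF:"):
        return parse_cef(stripped)
    return {"message": stripped, "unstructured": True}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(structure_line(line))
```

The escaped-pipe and escaped-equals cases are where naive `split("|")` and `split("=")` parsers produce wrong keys, which then silently break key-value searches downstream; the structured output for the free-text line keeps the whole message under one key rather than guessing fields.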

user

One of the preset roles in SIEM (InsightIDR). The term also refers to the account named in log data as the individual involved in a log entry. You can investigate users in the Log Search screen or in the User Details screen.

V

value

Logs contain both keys, which are like fields, and values, which are like entries in a field. A value is the identifying piece of data, pertaining to a key, that you can search by. For example, if the key is geoip_country_name, one of the possible values that pertains to that key might be United States.

variable

A variable is a placeholder in a LEQL query that represents one or more values.