Unlike user attribution event sources, Raw Data is ingested into the product to add context to other data rather than to attribute activity to users. Raw logs enhance the following features:
- Log search
- Dashboards and reporting
- Basic detection rules
Raw data is intended for log search and lets you look for specific details. Although it is best to send event logs in a known format, InsightIDR accepts any text-based log from your environment as an Event Log. Logs in a recognized format can be structured into fields automatically; any other text remains searchable as-is.
Data from raw logs may include some or all of the following information:
- Host Name
- Event Code
- Package Name
- Target User Name
InsightIDR is designed to ease Search and Analytics across your entire environment. To ensure you can perform all necessary investigative steps in one place, you should:
- Transmit security logs and deploy agents.
- Transmit any other potentially useful data for searching, such as custom application logs.
Additionally, you can enable Automatic Log Structuring to parse logs in known formats (such as CEF and JSON) into human-readable key-value fields, so you can write LEQL queries against specific fields instead of searching free text.
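The following is an added example, not InsightIDR code and not an implementation of LEQL. It shows what log structuring does for two known formats: a CEF line (including the `\|` and `\=` escapes the format allows) and a JSON line are parsed into key-value fields, format-specific keys are mapped onto the field names listed above, and a simple field-equality search is run over them. The sample log lines, the `FIELD_ALIASES` mapping and the `search` function are all assumptions made for the example; InsightIDR's own normalized field names may differ.

```python
"""Structure raw CEF and JSON log lines into searchable fields (added example)."""
import json
import re

# Constructed sample lines, not captured from a real system. The last line has
# no recognizable structure and is kept as raw text.
SAMPLE_LOGS = [
    'CEF:0|Vendor|Firewall|1.0|100|Blocked connection|5|src=10.0.0.5 dst=10.0.0.9 dhost=db01 duser=alice',
    '{"Hostname": "dc01", "EventCode": 4625, "TargetUserName": "bob", "PackageName": "NTLM V2"}',
    'CEF:0|Vendor|Auth \\| SSO|2.1|200|Login failed|7|duser=bob dhost=web01 msg=bad password for user\\=bob',
    'plain text line with no known structure host=x',
]

CEF_HEADER_FIELDS = ["cef_version", "device_vendor", "device_product",
                     "device_version", "signature_id", "name", "severity"]

# Assumed mapping from format-specific keys onto the page's field names.
FIELD_ALIASES = {
    "host_name": ("dhost", "Hostname", "host"),
    "event_code": ("signature_id", "EventCode"),
    "package_name": ("PackageName",),
    "target_user_name": ("duser", "TargetUserName"),
}

_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_cef_header(body):
    """Split the seven pipe-delimited header fields, honouring backslash escapes.

    Returns (header_fields, remaining_extension_text).
    """
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # \| or \\ is a literal char
            buf.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    return fields, body[i:]


def _parse_cef_extension(ext):
    """Parse 'key=value key=value' text; values may contain spaces and \\= escapes."""
    out = {}
    keys = list(_EXT_KEY.finditer(ext))
    for idx, m in enumerate(keys):
        start = m.end()
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        raw = ext[start:end].strip()
        out[m.group(1)] = re.sub(r"\\([=\\])", r"\1", raw)   # unescape \= and \\
    return out


def structure_line(line):
    """Return (format_name, fields). Unknown formats come back as ('raw', {'message': ...})."""
    if line.startswith("CEF:"):
        header, ext = _split_cef_header(line[len("CEF:"):])
        if len(header) == 7:
            fields = dict(zip(CEF_HEADER_FIELDS, header))
            fields.update(_parse_cef_extension(ext))
            return "cef", fields
    stripped = line.strip()
    if stripped.startswith("{"):
        try:
            obj = json.loads(stripped)
            if isinstance(obj, dict):
                return "json", {str(k): v for k, v in obj.items()}
        except ValueError:
            pass
    return "raw", {"message": line}


def normalize(fields):
    """Copy fields and add the canonical names from FIELD_ALIASES where a source key exists."""
    rec = dict(fields)
    for canon, aliases in FIELD_ALIASES.items():
        for alias in aliases:
            if alias in fields:
                rec[canon] = fields[alias]
                break
    return rec


def search(lines, where):
    """Return normalized records where every where-clause field equals the given value."""
    hits = []
    for line in lines:
        fmt, fields = structure_line(line)
        rec = normalize(fields)
        rec["_format"] = fmt
        if all(str(rec.get(k)) == str(v) for k, v in where.items()):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in search(SAMPLE_LOGS, {"target_user_name": "bob"}):
        print(hit["_format"], hit.get("host_name"), hit.get("event_code"))
```

Once fields are extracted this way, a query can target `target_user_name` or `event_code` directly instead of matching substrings, which is the practical gain structuring gives over searching free text.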