Instances
An instance is a connection from LogCraft to a specific deployment of a supported technology. Each instance belongs to a single workspace and is associated with one integration.
For example:
splk-srv01-prd: a Splunk cluster in a production environment.ms-sentinel-prod: a Microsoft Sentinel workspace used for production detections.elk-watcher-staging: an Elastic deployment used for staging and testing.
Create an instance
Creating an instance is a three-step process:
- Select the integration: choose the technology to connect to (for example, Splunk).
- Name and protection: give the instance a display name and decide whether to mark it as protected.
- Connection details: enter the information required to reach the remote system. The fields depend on the integration (URL, port, credentials, apps, etc.).
After creation, LogCraft runs an initial synchronization automatically. This pulls detection content from the remote system and creates the corresponding Security Assets in the workspace.
Protected instances
Marking an instance as protected adds an extra confirmation step before any action that could affect the instance, such as deploying a Security Asset. Use this for production systems to reduce the risk of accidental changes.
Synchronization schedule
By default, synchronization runs once at creation. To keep Security Assets up to date over time, configure a recurring schedule from the instance settings:
| Mode | Behavior |
|---|---|
| Off | No automatic synchronization after the initial run. |
| Interval | Runs every 1 to 9 hours at the top of the hour. |
| Daily | Runs once a day at a specified time. |
The schedule, along with the last and next synchronization timestamps, is visible in the instance detail view.
Edit an instance
From Settings > Instances, select the instance to open its settings. The following can be modified:
- Name and protected status.
- Connection details: update the URL, credentials, or other integration-specific fields.
- Connected apps: for integrations that support it, add or remove the apps LogCraft synchronizes (for example, Splunk apps).
Test connectivity
LogCraft can test the connection to the remote system without triggering a synchronization. From the instance detail view, use the Test connection action to verify that the configured URL and credentials are reachable. This helps validate network connectivity (routing, DNS, firewall rules) before running a full synchronization.
Delete an instance
From Settings > Instances, select the instance and click Delete. Deleting an instance removes its configuration from LogCraft. The remote system itself is not affected.
Security Assets previously tracked by this instance are not deleted. They become orphaned if no other instance tracks them. See Security Assets Lifecycle for details.