Security Assets

A Security Asset is one piece of detection content imported into LogCraft from a connected Instance: a Splunk saved search, a macro, and other object types depending on the integration. Each Security Asset belongs to a workspace and carries its own change history, MITRE ATT&CK mapping, labels, and discussion.

A Security Asset is the building block of detection. One or more Security Assets can be grouped under a Use Case to describe the scenario they implement.

Where Security Assets come from

Security Assets are synced from instances, not created from scratch in LogCraft. After an instance is created or synced, every supported object on the remote system becomes a Security Asset in the workspace, and stays in sync from that point on.

For Splunk, the following object types are currently supported:

Type          Description
Saved search  A Splunk saved search used for scheduled or ad-hoc detection.
Macro         A reusable Splunk search fragment referenced by one or more saved searches.

To author a new Splunk saved search from inside LogCraft and push it to an instance in one step, see Edit Live.

Lifecycle

A Security Asset is in one of three states, shown as a chip on the list and on the detail header:

  • Active: at least one connected instance carries the asset and it is enabled.
  • Inactive: the asset is present in LogCraft but turned off on every connected instance.
  • Orphaned: no connected instance carries the asset anymore. LogCraft keeps it in the workspace for history and review.

The detail view

Open a Security Asset to land on its detail view, which contains:

  • A Documentation panel on the left, with a free-form rich-text editor (see Editor). Use it to capture the why, how, scope, false positives, and validation steps of the detection. Changes save automatically.
  • A sidebar on the right with three sections: Deployment (one row per connected instance, with the current revision state), Labels, and MITRE ATT&CK (the objects the asset is mapped to).
  • An Instances card listing every revision, grouped by instance.
  • An Activity card at the bottom: threaded discussion plus the change log.

Revisions

Every change to a Security Asset, whether triggered by a sync or by Edit Live, creates a new revision. The Instances card lists every revision in chronological order, grouped by the instance it comes from.

Each revision carries a state:

  • Enabled: the revision is active on the instance.
  • Disabled: the revision is present but turned off.
  • Outdated: a newer revision has replaced this one on the instance.
  • Gone: the revision was removed from the instance.

From the row action menu you can:

  • Inspect JSON: open the raw payload as seen on the instance.
  • Compare with…: diff two revisions side by side.
  • Set Version or Remove Version: tag a revision with a version string for reference, or clear that tag.
  • Enable or Disable: turn the revision on or off on the instance (where supported by the type).
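The lifecycle chip and the per-revision states above are two views of the same data: each sync or Edit Live deploy appends a revision for one instance, and the asset's overall state follows from the newest revision on each instance. The following Python module is an added illustration of that model and of the "Compare with…" action; it is not LogCraft's code. The data model (an instance name, a sequence number, a state, and the raw payload per revision) and the rule that an instance carries the asset when its newest revision is not Gone are assumptions drawn from the definitions on this page, and the sample revisions are constructed.

```python
"""Illustrative model of Security Asset revisions (not LogCraft's own code).

Assumed data model: one Revision per sync or deploy, per instance, carrying the
raw object as seen on that instance. The lifecycle rule interprets the
Active / Inactive / Orphaned definitions in terms of each instance's newest revision.
"""
import difflib
import json
from dataclasses import dataclass

REVISION_STATES = {"Enabled", "Disabled", "Outdated", "Gone"}


@dataclass
class Revision:
    instance: str   # connected instance the revision was imported from
    seq: int        # chronological order within the asset (assumed field)
    state: str      # one of REVISION_STATES
    payload: dict   # raw object as seen on the instance (Splunk saved search fields)

    def __post_init__(self):
        if self.state not in REVISION_STATES:
            raise ValueError(f"unknown revision state: {self.state}")


def latest_per_instance(revisions):
    """Newest revision for each instance (highest seq wins)."""
    latest = {}
    for rev in revisions:
        cur = latest.get(rev.instance)
        if cur is None or rev.seq > cur.seq:
            latest[rev.instance] = rev
    return latest


def lifecycle_state(revisions):
    """Derive the asset's lifecycle chip from its revisions.

    Orphaned: no instance carries the asset (every newest revision is Gone, or none exist).
    Active:   at least one instance's newest revision is Enabled.
    Inactive: carried somewhere, but turned off on every instance.
    """
    current = latest_per_instance(revisions)
    carried = [r for r in current.values() if r.state != "Gone"]
    if not carried:
        return "Orphaned"
    if any(r.state == "Enabled" for r in carried):
        return "Active"
    return "Inactive"


def compare_revisions(old, new):
    """Line-oriented diff of two revisions' payloads, in the spirit of 'Compare with...'.

    Keys are sorted before rendering so the diff reflects content changes rather
    than key order. Returns the unified diff as a list of lines; empty when identical.
    """
    def render(rev):
        return json.dumps(rev.payload, indent=2, sort_keys=True).splitlines()

    return list(difflib.unified_diff(
        render(old), render(new),
        fromfile=f"{old.instance} rev {old.seq} ({old.state})",
        tofile=f"{new.instance} rev {new.seq} ({new.state})",
        lineterm="",
    ))


# Constructed sample: one saved search seen on two instances across three syncs.
# On splunk-prod the search was tightened (rev 2 replaced rev 1); on splunk-lab it was deleted.
SAMPLE_REVISIONS = [
    Revision("splunk-prod", 1, "Outdated", {
        "name": "Failed logon burst",
        "search": "index=auth action=failure | stats count by user | where count > 20",
        "cron_schedule": "*/15 * * * *",
        "disabled": 0,
    }),
    Revision("splunk-prod", 2, "Enabled", {
        "name": "Failed logon burst",
        "search": "index=auth action=failure | stats count by user, src | where count > 50",
        "cron_schedule": "*/5 * * * *",
        "disabled": 0,
    }),
    Revision("splunk-lab", 1, "Gone", {
        "name": "Failed logon burst",
        "search": "index=auth action=failure | stats count by user | where count > 20",
        "cron_schedule": "*/15 * * * *",
        "disabled": 0,
    }),
]


def sample_state():
    return lifecycle_state(SAMPLE_REVISIONS)


def sample_diff():
    return compare_revisions(SAMPLE_REVISIONS[0], SAMPLE_REVISIONS[1])


if __name__ == "__main__":
    print("lifecycle:", sample_state())
    print("\n".join(sample_diff()))
```

Running the module prints `Active` for the sample (splunk-prod still has an Enabled revision even though splunk-lab's copy is Gone) and a unified diff whose changed lines are the schedule and the search string, which is exactly the information a reviewer wants from a change log: what changed in the detection logic, not that "something" changed.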

Sync

The Sync action on the Instances card refreshes a Security Asset from the connected instances on demand. Use it when you have just changed the content directly on the instance and want LogCraft to capture the new revision now, instead of waiting for the next scheduled run. For the recurring schedule, see Instances > Synchronization schedule.

Edit Live

For Splunk saved searches, Edit Live opens a built-in editor where you can modify the content and push it back to the instance in one step:

  1. Open the Security Asset.
  2. Click Edit Live in the Instances card.
  3. Pick the target instance (if more than one is connected) and the destination app.
  4. Edit the search in the editor.
  5. Click Deploy.

If the target instance is protected, LogCraft asks for an extra confirmation. The new revision is imported automatically as soon as the deploy completes.

Labels

Labels organize Security Assets by topic, owner, or any axis defined for the workspace. Set them from the Labels section of the sidebar. Labels are managed under Settings > Labels (see Labels).

MITRE ATT&CK mapping

A Security Asset can be mapped to any combination of MITRE ATT&CK objects: tactics, techniques, sub-techniques, detection strategies, analytics, and data components.

To edit the mapping, open the MITRE ATT&CK section of the sidebar and click the pencil icon.

The MITRE objects mapped on Security Assets are the raw material of Posture Management: they drive the coverage colors on the MITRE ATT&CK matrix, the actual-versus-target radar on Security Posture, and the prioritization of Detection Opportunities. They also feed the coverage analysis on every Use Case that links this Security Asset. The more accurate the mapping is, the better Posture Management can point the team to what to reinforce next.

Activity

Every Security Asset has an Activity card at the bottom of the detail view. It combines two streams:

  • Events: a chronological log of changes (description edited, Security Asset linked, MITRE mapping updated, label added, and so on), grouped to keep the timeline readable.
  • Comments: a threaded discussion where team members can reply, react with emoji, mention other members, and attach files.

Use the Activity card to capture decisions, ask questions, and keep the context next to the detection itself.