Converged SIEM Operations Service Catalog

Summary

Under the terms of the Converged SIEM agreement, LogPoint provides services designed to cover all operational aspects of hosting and delivering the LogPoint platform to the Customer.

Introduction

This document outlines the Operations Monitoring process that is included in the Converged SIEM product.

The guidance addresses the value of the service, the services that can be provided, the operations model, monitoring and deliverables, the team, incident handling and the escalation procedure.

Service Description

Monitoring is the process of observing the status of a system in order to detect and prevent failures. Operations Monitoring refers to collecting key system performance metrics at periodic intervals so that customers can analyze the delivered records and take the necessary actions. The goal is to provide customers with a quality monitoring service that ensures high uptime and reliability.

Monitoring Scope

Regular checks proactively covered by the LogPoint Operations team (Subject: Monitor/Check):

  • System: Resource shortage/queueing checks on CPU, memory, disk and network (swapping, disk queue, network queues, dropped packets, etc.)
  • Cloud Hardware Status: Check of management system logs
  • LogPoint Service Health: Service log checks such as service crashes/restarts, GC frequency and performance
  • LogPoint Component Connectivity: Cloud Connector Appliance connection status; queueing due to connection, configuration or resource issues
  • Dashboard widgets & alerts: Status, connectivity, capacity and queueing – verifying the functionality of the underlying LogPoint components and system
  • Report: Status of scheduled reports – verifying the functionality of the underlying LogPoint components and system
  • Log Collection and Storage: Status of collection – verifying the functionality of the underlying LogPoint components and system
  • Backup: Status of scheduled backups
  • Storage capacity: Disk usage monitoring
  • License Monitoring: Notify the customer when it is time to renew the license

Based on the internal continuous improvement schedule, the team will occasionally deliver reviews and suggestions on the following service aspects (Subject: Review):

  • Live search query review: Review all queries used in live searches (dashboard widgets & alerts); suggest optimizations/improvements
  • Report search query review: Review all queries used in reports; suggest optimizations and improvements
  • LogPoint Service Health Check: Check memory and thread configuration of the JVM and other technology components, and application metrics such as number of logs per repo and normalizer performance (policy configs etc.); suggest optimizations and improvements
  • Capacity Review/Planning: Check current capacity of the system; suggest immediate capacity requirements based on current status; suggest future capacity requirements based on observed growth in number of logs, storage etc.
  • Architecture review/planning [*]: Check whether the system is configured to meet the demands (e.g. LPC, DLP scale-out, load balancer, search head, isolating or distributing log sources etc.)

[*] The Operations team may from time to time recommend a deeper review to be performed by the Customer Success team and/or the Technical Account Manager (if applicable) in close collaboration with the customer’s security team. This service is not included within the normal scope of service and is subject to separate invoicing. Such a review has a dedicated scope and is usually a deeper dive into the review points provided as part of the Operations service; it includes suggestions for significant architecture adjustments if deemed necessary.

Operations Model

Below is the model summary that we provide for LogPoint Operations Monitoring for Converged SIEM product:

  • Monitoring Hours: 24x7x365
  • Monitoring Method:
    • Health probes – every 5-10 min.
    • Automated alert to incident escalation – every 30 min.
    • Manual check/validation of the system several times a week
  • Service artifacts
    • Proactive alerting & further incident management
    • Assisted upgrades and patching

Organization

The monitoring and operations tasks will be handled by a Dedicated Operations Team at LogPoint. All alerts promoted to incidents are managed as regular support tickets, fully visible to the customer.

The tickets are handled by the Operations Team together with the Global Support team, allowing resource allocation to be extended flexibly as needed, in accordance with the Customer’s chosen Support tier.

In turn, the LogPoint Support team may work closely with Product Engineering as needed to address any possible issue with the product in the most efficient way.

The monitoring and operations team will use the monitoring metrics, tickets and the knowledge gained about the customer’s system to make recommendations in the monthly reporting, as well as in the periodic capacity planning reports.

Customer Onboarding Requirement

During customer onboarding into the Converged SIEM product, the following information must be supplied by the Customer to LogPoint in order to ensure delivery of the monitoring service:

  • Single Point of Contact (Email and Phone)
  • Customer’s escalation path
  • Network Architecture Diagram
  • LogPoint UI Credentials with Admin Privileges
  • Always on Monitoring and Operations Connection (Support Connection) on Cloud Connector Appliance nodes

Operations Procedure

Regardless of the nature of the incident – whether it is a question of product usage, or an issue with the application or the infrastructure – all incidents are reported through the unified support channels described in the LogPoint Service Level Agreement.

Incident Workflow – Detection by LogPoint Monitoring

The LogPoint Dedicated Operations team runs System Health Checks with the help of a bespoke LogPoint Monitoring Solution.

The regular proactive monitoring includes:

  • Health probes – every 5-10 min.
  • Automated alert to incident escalation – every 30 min.
  • Several manual validation checks per week

Any alert detected by the Operations team is promoted to an incident, so that it is picked up by the common Incident Management process according to the identified alert severity. Any incident is also immediately visible to the LogPoint Global Support Team and to the customer (proactive notification), with subsequent status updates in accordance with the Customer’s chosen Support tier. In case immediate action is required from the customer, a support engineer will make direct contact by phone.
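The probe-and-escalate loop described in this section and in the Monitoring Scope table (resource shortage checks on CPU, memory, swap, disk and network, periodic probes, and promotion of a persistent alert to an incident) can be expressed as a small evaluator. The following is an added illustration, not LogPoint's monitoring solution: the metric names, the threshold values, the 30-minute persistence rule and the sample probe series are all constructed assumptions chosen to show the mechanics.

```python
"""Health-probe evaluation with alert-to-incident escalation.

Added example, not LogPoint code. Thresholds, metric names and the sample
probe series below are constructed assumptions; the escalation rule
interprets "alert to incident escalation every 30 min" as: an alert that
has persisted for 30 minutes without recovering is promoted to an incident.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Assumed per-metric alert thresholds (hypothetical values, not from the page).
THRESHOLDS: Dict[str, float] = {
    "cpu_pct": 90.0,          # sustained CPU utilisation
    "mem_pct": 90.0,          # memory utilisation
    "swap_used_mb": 512.0,    # swapping indicates memory shortage
    "disk_pct": 85.0,         # storage capacity check
    "disk_queue": 8.0,        # disk I/O queue depth
    "net_dropped_pkts": 100.0,  # dropped packets since last probe
}
ESCALATE_AFTER = timedelta(minutes=30)


def evaluate_probe(sample: Dict[str, float]) -> List[str]:
    """Return the metrics in a probe sample that exceed their threshold."""
    return [m for m, limit in THRESHOLDS.items() if sample.get(m, 0.0) > limit]


@dataclass
class Escalator:
    """Tracks how long each metric has been in alert and opens an incident
    once an alert has persisted for ESCALATE_AFTER without recovering."""
    first_seen: Dict[str, datetime] = field(default_factory=dict)
    incidents: List[Tuple[str, datetime]] = field(default_factory=list)
    _open: Set[str] = field(default_factory=set)

    def process(self, ts: datetime, sample: Dict[str, float]) -> List[str]:
        """Feed one probe; returns the currently breaching metrics (sorted)."""
        breaches = set(evaluate_probe(sample))
        # A metric that recovered clears its alert timer (its incident, if any,
        # stays recorded as a ticket).
        for m in list(self.first_seen):
            if m not in breaches:
                del self.first_seen[m]
        for m in breaches:
            self.first_seen.setdefault(m, ts)
            if ts - self.first_seen[m] >= ESCALATE_AFTER and m not in self._open:
                self._open.add(m)
                self.incidents.append((m, ts))  # promote alert to incident
        return sorted(breaches)


# Constructed probe series: one sample every 5 minutes over 40 minutes.
# Disk usage stays above threshold the whole time; CPU spikes only once.
_T0 = datetime(2024, 1, 1, 0, 0)  # constructed start time


def _probe(minute: int, cpu: float = 40.0, disk: float = 90.0):
    return (_T0 + timedelta(minutes=minute), {
        "cpu_pct": cpu, "mem_pct": 60.0, "swap_used_mb": 0.0,
        "disk_pct": disk, "disk_queue": 1.0, "net_dropped_pkts": 0.0,
    })


SAMPLE_PROBES = [_probe(m, cpu=(95.0 if m == 10 else 40.0)) for m in range(0, 45, 5)]


def run_sample_timeline() -> Dict[str, list]:
    """Replay the constructed probe series; return breaches per probe and
    the incidents opened, with ISO timestamps for easy checking."""
    esc = Escalator()
    breach_log = [(ts.isoformat(), esc.process(ts, sample)) for ts, sample in SAMPLE_PROBES]
    return {
        "breaches": breach_log,
        "incidents": [(m, t.isoformat()) for m, t in esc.incidents],
    }


if __name__ == "__main__":
    result = run_sample_timeline()
    for ts, breaches in result["breaches"]:
        print(ts, "alerts:", breaches or "none")
    print("incidents opened:", result["incidents"])
```

In the constructed run the one-off CPU spike at minute 10 raises an alert that clears at the next probe and never becomes an incident, while the disk-usage alert persists and is promoted to an incident at minute 30; that distinction (transient alert versus persistent condition) is what keeps a 5-10 minute probe cadence from flooding the ticket queue.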

Incident Workflow – Resolution by LogPoint

Incident management is triggered either by an incident detected by monitoring or by an issue reported by the customer. The process then focuses on resolving the identified issue, down to identifying and eliminating the root cause.

Escalation

Escalation procedures for the monitoring service are the same as for normal ticket handling – please see the general description at https://servicedesk.logpoint.com/hc/en-us/articles/4406113854097-Support-Overview and the LogPoint Service Level Agreement document.

Responsibility and compliance

During operation the customer may be notified by the operations team about issues that must be solved by the customer. These could be performance or capacity issues that arise from configuration, available capacity or workload. The customer is responsible for participating in the solution of such issues, either by allowing the configuration to be changed, adding the necessary capacity to the system, or reducing the load as directed, and must accept the impact on the service until corrective measures have been carried out.

The operations team cannot be held responsible or asked to compensate for:

  • lack of features and functionality in the LogPoint product, or changes that are a result of the product strategy etc.
  • problems that result from issues that the operations team cannot control – issues in the infrastructure at the customer’s data centers, issues related to the operation of one or multiple log sources etc.

Service Requests Catalog

For specific on-demand hosting management and application management related operations, the Customer is expected to reach out to the LogPoint Support Team as defined in the LogPoint Support SLA, always with an explicit clarification of the type of request (it should be “service request”).

The scope is defined as the following items (Service Item: Description):

  1. Tenant Provision: Provision the necessary resources and configurations in the cloud and supply the information for the customer to finalize configuration of the Cloud Connector Appliance and, therefore, the Converged SIEM product.
  2. Tenant Deletion/Reset: Wipe out the existing tenant to re-create it from scratch.
  3. Re-Size Tenant: If there is a significant change in log data volume beyond the original sizing, upscaling of the underlying cloud has to be requested via this service request.
  4. Attach new storage/repo: If there is a new requirement for a disk partition, repositories or data tiering, the related changes have to be requested via this service request.
  5. Update backup schedule (system level): Application-level backup schedules are managed and monitored by the Customer.
  6. Restore system component from backup: If a restore from backup has to be requested for any reason driven by the Customer, this service request should be used.
  7. One-time export of logs snapshot: Use for a one-time raw data export.

Scope clarification: on-demand hosting and application operations can be requested only for the purpose of delivering LogPoint solution as defined by the Converged SIEM product functionality. Any on-demand requests which are not listed in the service catalog above are not guaranteed to be provided. LogPoint is working continuously to automate all the service operations and deliver those as part of the product functionality.

Maintenance and Reporting

Extra procedures executed regularly within Operations & Monitoring Services are listed below:

  • Major & Minor Application Upgrades in coordination with the customer – suggested occasionally via routine monitoring activities as part of the Maintenance and Upgrades schedule, and executed by the LogPoint Operations team with notice to and communication with the customer.
  • SA Packages Review & Assisted Upgrades with the Customer’s Security Analysts team – the LogPoint Operations team provides an overview of extra packages to update; the customer’s security analysts team is responsible for running the SA package updates and verifying the integrity of dependent dashboards after the update.