Discover complex attack patterns with event log correlation
Logs are the breadcrumbs of network activity and contain highly-detailed information about all user and system activity on your network. Basic log analysis helps you easily sort through millions of logs, and pick out the logs that indicate suspicious activity, as well as identify anomalous logs that don't align with normal network activity.
Often, a single log viewed on its own may seem completely normal, but when viewed with a group of other related logs, could form a potential attack pattern. SIEM solutions, which collect event data from various sources in your network, can detect any suspicious incidents in your environment.
EventLog Analyzer's log correlation engine discovers sequences of logs—coming from devices across your network—that indicate possible attacks, and quickly alerts you about the threat. Building strong event log correlation and analysis capabilities empowers you to start taking proactive steps against network attacks.
Log correlation with EventLog Analyzer
EventLog Analyzer's powerful event correlation engine efficiently identifies defined attack patterns within your logs. Its correlation module offers many useful features, including:
- Predefined rules: Utilize over 30 predefined SIEM correlation rules that come packaged with the product.
- Overview dashboard: Navigate the easy-to-use correlation dashboard, which provides detailed reports for each attack pattern as well as an overview report of all discovered attacks, facilitating in-depth analysis.
- Timeline view: View a timeline diagram showing the chronological sequence of logs for every identified attack pattern.
- Threat detection: Identify suspicious network activity perpetrated by known malicious actors.
- Intuitive rule builder: Define new attack patterns with the easy-to-use rule builder, which provides a categorical list of network actions and allows you to drag and drop them into your desired order.
- Field-based filters: Set constraints on log fields for fine-grained control over the defined attack patterns.
- Instant alerts: Set up email or SMS notifications so you're immediately alerted whenever the system picks up a suspicious pattern.
- Rule management: Enable, disable, remove, or edit rules and their notifications from a single page.
- Column selector: Control the information shown in each report by selecting the columns needed and renaming them as required.
- Scheduled reports: Set up schedules to generate and distribute the correlation reports you need.
Create custom correlation rules with an intuitive interface
With EventLog Analyzer's rule builder interface, this event correlation software makes the process of creating new attack patterns easy:
- Define new attack patterns using over one hundred network events.
- Drag and drop rules to rearrange which actions comprise a pattern, and in what order.
- Restrict certain log field values with filters.
- Specify threshold values for triggering alerts, like how many times an event has to occur or the time frame between events.
- Add a name, category, and description for each rule.
- Edit existing rules to fine-tune your alerts. If you notice a specific rule is generating too many false positives or fails to identify an attack, you can easily adjust the rule definition as needed.
Event correlation reports
EventLog Analyzer comes with predefined correlation reports that cover several well-known types of attacks, such as:
- User account threats: Protect user accounts from being compromised by checking for suspicious activity patterns, such as brute force attempts, failed login or password change attempts, and more.
- Web server threats: Analyze incoming web traffic for hacking attempts such as malicious URL requests or SQL injections.
- Database threats: Prevent data breaches by detecting anomalous activity in your databases, such as mass data deletion or unauthorized backup activity.
- Ransomware: Detect ransomware-like activities by checking for multiple file modifications being made by the same process.
- File integrity threats: Protect critical files and folders from unauthorized access or modification with reports on suspicious file permission changes and file access attempts.
- Windows and Unix threats: Identify anomalous activity in your Windows and Unix systems like potential worm activity, malware installations, unauthorized registry change attempts, unexpected sudo command executions, and more.
- Cryptocurrency-related threats: Safeguard network resources from being used for unauthorized cryptomining by checking for anomalous spikes in machine temperature or CPU usage.
Related infographic: Detect unauthorized cryptomining or cryptojacking with EventLog Analyzer.
Cryptocurrency wallet software started | Cryptocurrency mining software started | Cryptomining: High CPU usage for a long time | Cryptomining: High machine temperature alerts | New systems added in network | Suspicious SQL backup activity | Suspicious service installed | Suspicious software installation | Syslog service restarts | Repeated failed SUDO commands | Unexpected shutdowns | Notable account lockouts | Event logs cleared | Windows backup repeated failures | Excessive application crashes | Possible worm activity | Multiple system audit policy changes | Repeated registry entry failures | Failed file access attempts | Repeated object audit policy changes | Multiple file permission changes | Excessive file removal | Suspicious file access | Possible ransomware activities | Ransomware detections | Repeated SQL injection attempts in DB | Multiple tables dropped | Repeated SQL injection attempts | Malicious URL requests | Anomalous user account change | Excessive password change failure | Excessive logon failures | Brute force
Prevent attacks with event correlation
EventLog Analyzer's predefined correlation rules help you detect various indicators of attack. One such example is the detection of potential malware hiding as background services in your network. Watch the video to understand how EventLog Analyzer helps you detect suspicious software being installed.
EventLog Analyzer offers log management, file integrity monitoring, and real-time event correlation capabilities in a single console that help meeting SIEM needs, combat security attacks, and prevent data breaches.
Comply with the stringent requirements of regulatory mandates viz., PCI DSS, FISMA, HIPAA, and more with predefined reports & alerts. Customize existing reports or build new reports to meet internal security needs.
Monitor critical changes to confidential files/folders with real-time alerts. Get detailed information such as 'who made the change, what was changed, when and from where' with predefined reports.
Centrally collect log data from Windows servers or workstations, Linux/Unix servers, network devices viz., routers, switches, & firewalls, and applications using agent less or agent based methods.
Analyze log data from sources across the network. Detect anomalies, track critical security events, and monitor user behaviors with predefined reports, intuitive dashboards, and instant alerts.
Perform in-depth forensic analysis to backtrack attacks and identify the root cause of incidents. Save search queries as alert profile to mitigate future threats.
Need Features? Tell Us
If you want to see additional features implemented in EventLog Analyzer, we would love to hear. Click here to continue