Home

What is in this guide
Introduction
- Overview
- Release Notes
Setup the Product
- What’s in this section
- System Requirements
- Prerequisites
- Install and Uninstall
- Start and Shutdown
- Connect to Server
- Backing up database
- License Details
- Get Started
Add Log Sources
- What’s in this section
- Adding Windows Devices
- Adding Syslog Devices
- Adding CEF devices
- Adding Other Devices
- Adding IBM iseries(AS400) devices
- Adding VMware(Exsi) devices
- Adding vCenter
- Adding Application Sources
- Adding AWS EC2 Windows instance
Configuring, and enabling logging/auditing in sources
- Enabling Microsoft Windows Firewall logging
- Enabling Hyper V logging
- Enabling IBM iSeries audit logs
- Enabling Stackato Logging
- Configuring McAfee solutions for analysis
- Configuring External Applications
- Configuring Scaler NSS
Configuring Syslog Service
- On a UNIX device
- On a Mac OS device
- On a HP-UX/Solaris/AIX device
- On a VMware
- On Arista Switches
- On Cisco Switches
- On HP Switches
- On Cisco devices
- On Cisco Firepower devices
- On Sonicwall devices
- On Juniper devices
- On PaloAlto devices
- On Fortinet devices
- On CheckPoint devices
- On NetScreen devices
- On Watchguard devices
- On Sophos devices
- On Cyberoam devices
- On Barracuda devices
- On Barracuda Web Application Firewall
- On Barracuda Email Security Gateway
- On Huawei Firewall devices
- On Malwarebytes devices
- On Meraki devices
- On FireEye devices
- On pfSense devices
- On Symantec DLP devices
- On Symantec Endpoint Protection devices
- On H3C devices
- On StormShield devices
- On F5 devices
- On Trend Micro - Deep Security
- On Forcepoint devices
- On Dell devices
User Interface
- Tabs
- Dashboard Views
- Customize Dashboard Views
EventLog Analyzer Reports
- Reports - Overview
- Configuring out-of-the-box reports
- Managing Predefined Reports
- Managing Report Views
- Create Custom Reports
- Schedule Reports
- Mark report as favourite
- Available Reports
Threat Intelligence Data Analytics
- Overview
- FireEye Threat Solutions
- Symantec Endpoint Solutions
- Symantec DLP Applications
- Malwarebytes Solutions
- CEF format
Vulnerability Data Analytics
- Overview
- Vulnerability reports
Real-time Event Correlation
- Understanding Correlation
- Correlation Reports
- Last Ten Incidents Overview
- Activity Reports
- Creating Custom Correlation Rules
- Managing Correlation Rules
Compliance Reports
- Configuring, editing, and scheduling compliance reports
Search Logs
- Overview
- How to Search Logs
- How to Extract New Fields
- How to Tag Fields
Alerts
- Overview
- Create Alert Profile
- View Log Alerts
- Alert Notification & Remediation
- Ticketing Tools Integration
- Manage alert Profiles
Incident Management
- Create and assign workflow profiles
- Incident Workflow Management
Framework Integration
- MITRE ATT&CK TTP(S) Framework Integration
Configurations
- What’s in this section
- Device Management
- Applications
- Database Audit
- File Integrity Monitoring
- Manage security applications
- Adding custom threat sources
- Advanced Threat Analytics
- Threat Whitelisting
- Switching threat stores
- Manage Vulnerability Data
- Device Group Management
- VM Management
- Log Forwarder
Admin Settings
- Admin Settings
- Privacy Settings
- Agent Administration
- Archive
- Technicians and Roles
- Logon Settings
- Security hardening
- Reset Account Settings
- Domains and Workgroups
- Working Hour Settings
- Product Settings
- API Settings
- Retention Settings
- Log Collection Filter
- Log Collection Alerts
- Report Profiles
- Custom Log Parser
- Tags
- Dashboard Profiles
System Settings
- System Settings
- Notification Settings
- Manage Account TFA
- Install EventLog Analyzer as a service
- Connection Settings
- Re-branding
- System Diagnostics
- Database Access
- Reset Log Collector
- Log Level Settings
- Port Management
Help, Questions, and Tips
- Troubleshooting Tips
- Frequently Asked Questions
- EventLog Analyzer Help
Additional Utilities
- Additional Utilities
- Working with HTTPS
- Configure MS SQL Database
- Migrate data from PostgreSQL to MS SQL database
- Migrate data from MySQL to MS SQL database
- Move Database to Different Directory in the Same Server
- Move Installation to Another Machine
- Move Installation to Different Directory in the Same Server
- Log360 Cloud Configurations
- Configuring NAT Settings
Distributed Edition
- Introduction to Distributed Edition
- Converting standalone installation to Admin Server
- Converting standalone installation to Managed Server
- Frequently Asked Questions
- Centralized log archival
Technical Support
- Technical Support
- Create SIF offline
- Contact Support

Related Products
ADManager Plus

Active Directory Management & Reporting
Download | Demo
ADAudit Plus

Real-time Active Directory Auditing and UBA
Download | Demo
ADSelfService Plus

Self-Service Password Management
Download | Demo
Exchange Reporter Plus

Exchange Server Auditing & Reporting
Download | Demo
AD360

Integrated Identity & Access Management
Download | Demo
Log360

Comprehensive SIEM and UEBA
Download | Demo

Click here to expand

Active Alerts

The Alerts tab lists details of all alerts triggered (if you have not set up any alert profiles, the tab directs you to do so). You can view the timestamp of the alert, the device which triggered it, the severity, the status of the alert, and the message.

alerts

Filtering Alert Profiles

filtering-alerts

By clicking on the filter icon in the top right corner, you can select the appropriate filter options.

You can select one or more options from the categories provided to customize your view of alerts. For instance, if you want to view your open, unassigned, and critical alerts, you can simply select the respective criteria by clicking on the check boxes. All you open, unassigned, and critical alerts will be displayed on the screen.

Additionally, clicking on Critcal Alerts, Trouble Alerts, Attention Alerts, and All Alerts will give you the respective alerts.

Creating Alert Views

EventLog Analyzer categorizes the alerts as views Active alerts, Critical alerts, Trouble alerts, Critical alerts, Attention alerts, and All alerts. You can select the required view from the Select view drop-down menu.

Creating Alert Views

You can also create custom views for alerts by configuring a filter for the alert and clicking Apply. Click the Save As View link to enter a name for the view and click Save.

The custom views can only be viewed by the respective users who created the views. Hover your mouse pointer over the created view in the Select View drop-down menu to edit and delete the created views.

Creating Alert Views

Alert Configurations

You can access the following options from the top right corner of the Alerts page:

The Export As drop-down menu allows you to export alert messages in the CSV and PDF formats.
The +Add Alert Profile link allows you to add a new alert profile.

Click the settings icon on the top right corner of the page to view the following options:

Manage Profiles: You can view, enable, disable, edit, and delete alert profiles using this option.
Workflow: This option allows you to assign workflows to alert profiles to execute a logical action in your network when an adversity is detected.
Ticketing tool Integration: This option allows you to configure an external help desk software (ServiceDesk Plus, ServiceNow, Jira Service Desk, Zendesk, Kayako, and BMC Remedy Service Desk) to forward the alerts to.

filtering-alerts

Whitelisting Threats

assign-status-delete

Click on the check boxes to select the required alerts. Once the alerts are selected, the options Assign, Status, Delete, and More will appear. You can assign the alert to an administrator, change the status, or delete the alerts by choosing the appropriate options.

Clicking on More will give you the option to Whitelist the Source. In case an alert is raised by Advanced Threat Analytics and you are convinced that the source is not malicious, you can whitelist it by choosing the option here.

Information on the alert

workflow-status

Hovering over the alert gives additional information such as what triggered the alert, the domain, the device involved and more.

Alert Format Message

Clicking on an alert opens a pop-up titled Alert Format Message.

Details such as SL Event ID, Logon Type and more can be obtained by clicking on More Details.

alert-format-message

Workflow status

In case a workflow is configured for the alert, the status of the workflow can be viewed in the Alert Format Message pop-up.

alert-message

Click the status of the workflow for more information. Once clicked, a pop-up will open.

incident-response-timeline

Threshold alerts

For Threshold based alerts, you can now view each instance by clicking on the alert. There will be a section called Threshold.

threshold-alerts

Clicking on the threshold number will give you a pop-up with more details.

threshold-alerts-threshold

Add / Remove Columns

Cloumns can be added or removed by clicking on the Add / Remove option in the top right corner. You have the option to choose and rearrange the columns as needed. A minimum of 3 and maximum of 7 can be selected.

Note: The default columns cannot be removed and rearranged. The default columns are Time, Notes, and Alert Format message.

add-remove-columns

Clicking on this will give you a pop-up. Choose the required options by clicking on the checkboxes.

select-colums

Advanced Threat Analytics Alerts

These alerts are raised when malicious domains, URLs, and IPs intrude into your network. Clicking on this alert will give you a reputation score, the number of times it had appeared on a threat list and more.

advanced-threat-analytics-alerts

advanced-threat-analytics-alerts-geo-info

On this page

Get download link