EventLog Analyzer provides more than 50 pre-defined rules in categories such as File Management, Group Management, User Management, Machine Management, Authentication, Windows Firewall rules, Authorization, Audit Policy and Software Management.
The Rules Overview window provides you with
To view the rules based on the above specified categories, click on the 'Category View' link at the top
To view the entire rule list without the category based classification, click on the 'Rule View' link
By default, all the predefined rules are enabled for every log data source added to the EventLog Analyzer server. If you want to disable a rule or a set of rules, then
Click on the Disable link. Similarly, to enable a disabled rule, select the rule or set of rules and click on the Enable link to activate the rule(s)
To get the report of any correlation rule, click on that rule.
The Rules Report page provides you with the intuitive graphical dashboard on Event Count Vs Destination host
The detailed Rules report table lists the Host type, Destination/Source host, Source user, Time of occurrence of the event, Message, Logon Type, Logon ID, and more, depending on the correlation rule
EventLog Analyzer lets users search the raw logs behind a correlation rule using its interactive Search window
Saving and Scheduling rules reports
At any time you can also directly export the report in PDF and CSV format by clicking on the appropriate icons
Scheduling rules report
With EventLog Analyzer, users can apply filters and customize the existing correlation rules to meet their internal security policy. To configure the rule filter, click on the Rule Filter icon corresponding to the rule for which you need to apply the filters
The Configure Rule Filter window shows the Rule Description and provides options to exclude users, source hosts and destination hosts.
Source Host means the machine from which the event is originating
Destination Host means the machine at which the originated event is supposed to happen
EventLog Analyzer helps you to mitigate security threats proactively with its real-time alert notifications. EventLog Analyzer's Real-time Correlation Engine provides you with two alert notification mechanisms
Apart from these alert mechanisms, EventLog Analyzer also provides an Automatic Alert Remediation method, which triggers a user-specified script or program that remediates the alert condition
Each rule can have a separate alert notification mechanism. You can also configure the alert mechanism for a specific rule or set of rules by,
Configuring Email Notification
To configure Email Notification settings, click on the Email Settings icon corresponding to the rule for which you need to configure the Email Alert. You can also configure Email Settings by selecting the rule/group of rules from the Rules Overview window and selecting the Email Option from the Notification Settings link.
Configuring SMS Notification
To configure SMS Notification settings, click on the SMS Settings icon corresponding to the rule for which you need to configure the SMS Alert. You can also configure SMS Settings by selecting the rule/group of rules from the Rules Overview window and selecting the SMS Option from the Notification Settings link.
Configuring Automatic Alert Remediation
To configure automatic Alert Remediation with a script, click on the Automatic Alert Remediation icon corresponding to the rule for which you need to remediate the alert automatically. You can also configure Automatic Alert Remediation Settings by selecting the rule/group of rules from the Rules Overview window and selecting the Run Program Option from the Notification Settings link.
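The following Python is an added example, not EventLog Analyzer's own code or documentation. It models two things described above on constructed data: the rule filter that excludes users, source hosts and destination hosts (with source host being where the event originates and destination host being where it takes effect), and the per-rule notification mechanism (email, SMS or a run-program remediation) that is selected only for rules that are enabled and that still have events left after filtering. The Event fields, rule names, channel labels and sample events are all assumptions made for illustration.

```python
"""Toy model of correlation-rule filters and per-rule notification selection.

Added example; not EventLog Analyzer code. Event fields, rule names,
channel labels and the sample events below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    rule: str               # name of the correlation rule the event triggered
    source_host: str        # machine from which the event originated
    destination_host: str   # machine on which the originated event takes effect
    user: str
    logon_type: int
    message: str


@dataclass
class RuleFilter:
    """Exclusions applied to a rule, mirroring the Configure Rule Filter window."""
    exclude_users: frozenset = frozenset()
    exclude_source_hosts: frozenset = frozenset()
    exclude_destination_hosts: frozenset = frozenset()

    def keeps(self, ev: Event) -> bool:
        return (ev.user not in self.exclude_users
                and ev.source_host not in self.exclude_source_hosts
                and ev.destination_host not in self.exclude_destination_hosts)


@dataclass
class Rule:
    name: str
    enabled: bool = True
    rule_filter: RuleFilter = field(default_factory=RuleFilter)
    # Notification channels configured for this rule (assumed labels).
    notify: tuple = ()


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    Event("Multiple logon failures", "ws01", "dc01", "alice", 3, "Logon failure"),
    Event("Multiple logon failures", "ws01", "dc01", "bob", 3, "Logon failure"),
    Event("Multiple logon failures", "scanner01", "dc01", "svc_scan", 3, "Logon failure"),
    Event("Multiple logon failures", "ws02", "fs01", "alice", 3, "Logon failure"),
    Event("Audit policy change", "ws02", "fs01", "carol", 2, "Audit policy changed"),
    Event("Multiple logon failures", "ws03", "fs01", "svc_backup", 5, "Logon failure"),
]

# Rule A excludes a known, authorised scanner host and a backup service account
# so that expected noise does not raise alerts.
RULE_A = Rule(
    "Multiple logon failures",
    rule_filter=RuleFilter(exclude_users=frozenset({"svc_backup"}),
                           exclude_source_hosts=frozenset({"scanner01"})),
    notify=("email", "run_program"),
)
# Rule B is disabled, so it yields no report rows and no notifications.
RULE_B = Rule("Audit policy change", enabled=False, notify=("sms",))


def matching_events(rule: Rule, events) -> list:
    """Events attributed to the rule that survive its exclusion filter."""
    if not rule.enabled:
        return []
    return [e for e in events if e.rule == rule.name and rule.rule_filter.keeps(e)]


def count_by_destination(rule: Rule, events) -> Counter:
    """Event Count vs Destination Host, as on the Rules Report dashboard."""
    return Counter(e.destination_host for e in matching_events(rule, events))


def notifications(rule: Rule, events) -> list:
    """(channel, destination_host, count) for every channel configured on the rule."""
    counts = count_by_destination(rule, events)
    return [(channel, host, counts[host])
            for channel in rule.notify
            for host in sorted(counts)]


if __name__ == "__main__":
    for rule in (RULE_A, RULE_B):
        print(rule.name, dict(count_by_destination(rule, SAMPLE_EVENTS)))
        for n in notifications(rule, SAMPLE_EVENTS):
            print("  notify", *n)
```

Running the block prints two counts for Rule A (dc01: 2, fs01: 1), because the scanner-origin event and the service-account event are dropped by the filter before counting, and nothing for the disabled Rule B. The `run_program` channel stands in for Automatic Alert Remediation; a real deployment would attach the user-specified script there.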
Alert notification can be enabled or disabled for a specific rule or a set of rules. To do this,
Deleting Rule Notification
To delete notification for a specific rule or a set of rules,