Discover complex attack patterns
with event log correlation

Discover complex attack patterns with event log correlation

Logs are the breadcrumbs of network activity and contain highly-detailed information about all user and system activity on your network. Basic log analysis helps you easily sort through millions of logs, and pick out the logs that indicate suspicious activity, as well as identify anomalous logs that don't align with normal network activity.

EventLog Analyzer's log correlation engine discovers sequences of logs—coming from devices across your network—that indicate possible attacks, and quickly alerts you about the threat. Building strong event log correlation and analysis capabilities empowers you to start taking proactive steps against network attacks.

• Predefined rules: Utilize over 30 predefined SIEM correlation rules that come packaged with the product.
• Overview dashboard: Navigate the easy-to-use correlation dashboard, which provides detailed reports for each attack pattern as well as an overview report of all discovered attacks, facilitating in-depth analysis.
• Timeline view: View a timeline diagram showing the chronological sequence of logs for every identified attack pattern.
• Threat detection: Identify suspicious network activity perpetrated by known malicious actors.
• Intuitive rule builder: Define new attack patterns with the easy-to-use rule builder, which provides a categorical list of network actions and allows you to drag and drop them into your desired order.
• Field-based filters: Set constraints on log fields for fine-grained control over the defined attack patterns.
• Instant alerts: Set up email or SMS notifications so you're immediately alerted whenever the system picks up a suspicious pattern.
• Rule management: Enable, disable, remove, or edit rules and their notifications from a single page.
• Column selector: Control the information shown in each report by selecting the columns needed and renaming them as required.
• Scheduled reports: Set up schedules to generate and distribute the correlation reports you need.

• Define new attack patterns using over one hundred network events.
• Drag and drop rules to rearrange which actions comprise a pattern, and in what order.
• Restrict certain log field values with filters.
• Specify threshold values for triggering alerts, like how many times an event has to occur or the time frame between events.
• Add a name, category, and description for each rule.
• Edit existing rules to fine-tune your alerts. If you notice a specific rule is generating too many false positives or fails to identify an attack, you can easily adjust the rule definition as needed.

Event correlation reports

EventLog Analyzer comes with predefined correlation reports that cover several well-known types of attacks, such as:

• User account threats: Protect user accounts from being compromised by checking for suspicious activity patterns, such as brute force attempts, failed login or password change attempts, and more.
• Web server threats: Analyze incoming web traffic for hacking attempts such as malicious URL requests or SQL injections.
• Database threats: Prevent data breaches by detecting anomalous activity in your databases, such as mass data deletion or unauthorized backup activity.
• Ransomware: Detect ransomware-like activities by checking for multiple file modifications being made by the same process.
• File integrity threats: Protect critical files and folders from unauthorized access or modification with reports on suspicious file permission changes and file access attempts.
• Windows and Unix threats: Identify anomalous activity in your Windows and Unix systems like potential worm activity, malware installations, unauthorized registry change attempts, unexpected sudo command executions, and more.
• Cryptocurrency-related threats: Safeguard network resources from being used for unauthorized cryptomining by checking for anomalous spikes in machine temperature or CPU usage.

Related infographic: Detect unauthorized cryptomining or cryptojacking with EventLog Analyzer.

Available Reports

Cryptocurrency wallet software started | Cryptocurrency mining software started | Cryptomining: High CPU usage for a long time | Cryptomining: High machine temperature alerts | New systems added in network | Suspicious SQL backup activity | Suspicious service installed | Suspicious software installation | Syslog service restarts | Repeated failed SUDO commands | Unexpected shutdowns | Notable account lockouts | Event logs cleared | Windows backup repeated failures | Excessive application crashes | Possible worm activity | Multiple system audit policy changes | Repeated registry entry failures | Failed file access attempts | Repeated object audit policy changes | Multiple file permission changes | Excessive file removal | Suspicious file access | Possible ransomware activities | Ransomware detections | Repeated SQL injection attempts in DB | Multiple tables dropped | Repeated SQL injection attempts | Malicious URL requests | Anomalous user account change | Excessive password change failure | Excessive logon failures | Brute force

Need Features? Tell Us
If you want to see additional features implemented in EventLog Analyzer, we would love to hear. Click here to continue