Analysis of Cybersecurity Incidents | UserGate Log Analyzer

UserGate Log Analyzer Event and Incident Analysis System

UserGate Log Analyzer is a comprehensive system for analyzing data. The system aggregates data from various devices, performs event monitoring, and generates reports. The emergence of new threats and the ever increasing volume of information to be processed impose increased demands on the speed of analytics systems. UserGate Log Analyzer is deployed separately from the Security Gateway. The separation between traffic handling features and data analysis provides for a system that is highly reliable and easily scalable. Received and processed data can be aggregated from several servers. Using a separate server for log analysis reduces the load on firewalls and allows you to process more data.

Basic Capabilities

UserGate Log Analyzer collects and preprocesses data from UserGate NGFW firewalls. Based on the received data, a deep analysis is performed on the security events that have occurred, and any suspicious activities of individual users or hosts are identified and tracked. These functions are also necessary in order to comply with the modern SOAR (Security Orchestration, Automation and Response) concept. When configuring UserGate, the administrator can specify what event types are submitted for analysis to Log Analyzer. Options to select from include event logs, intrusion detection system logs, traffic logs, SCADA events, and web access log events.

The report preparation section contains ready-made report templates and rules for their processing. Reports executed at the request of the administrator are available in the same section.

Preparing Reports Using Ready-Made Templates in UserGate Log Analyzer

UserGate Log Analyzer offers ready-made report templates for the following categories: captive portal, system events, intrusion detection system (IDS), network activity, web portal, traffic, and web activity.

Thanks to the set of web activity reports, the administrator can get a detailed list of all visited websites, top blocked domains, and top users by URL category and by blocked sites.

The traffic reports section provides detailed information on user traffic per day/week/month, top applications by users, and top countries by traffic source and destination.

Network activity can be tracked by analyzing DoS events by time of day, day of week and month, and by month. The administrator can also review information about blocked applications by user, top blocked applications, and top triggered rules.

IDS category reports provide detailed information about attacks. The system also determines the top IP addresses of attack sources, the targets of attackers (host IP addresses), and the top protocols used in attacks. You can also get information on used devices and top device signatures. If the company has a captive portal, the reports will provide information on user authorizations through the captive portal by time of day, day of week and month, as well as summary information for the month.

The event reporting section includes information about user authorizations through the console, a summary report of administrator actions, configuration changes by component, and a report on system events by severity.

Generated reports can be automatically sent by e-mail to the administrator and other authorized persons. Reports can be submitted according to a schedule, at a desired time, or on a particular day of the week.

By using reports from various categories, the administrator can identify potential threats based on an analysis of the events that have occurred. The UserGate Log Analyzer module allows you to compare the results of reports with the set parameters and ensure that the infrastructure meets the requirements of the corporate security policy.

For large enterprise networks and telecom providers

The UserGate Log Analyzer collects and performs the initial processing of data from UserGate firewalls. The product is deployed separately from UserGate Security Gateway and is a full-fledged network server solution capable of protecting against all kinds of Internet threats on networks with up to a thousand or more users.

For large enterprise networks and data centers

UserGate Log Analyzer F25 is intended for use at major companies and data centers. This hardware and software system has great information storage capabilities and allows data received from UserGate servers to be processed as quickly as possible.

Virtual Firewall

For organizations that prefer a virtual platform

Virtual UserGate Log Analyzer can be deployed on the customer's virtual infrastructure. All hypervisors are supported, including VMware, Hyper-V, Xen, KVM, OpensStack, and VirtualBox. The functionality of our virtual solution is completely equivalent to that of the UserGate hardware system.

How to set up a virtual image?