Analysis of information security incidents | UserGate Log Analyzer

UserGate Log Analyzer event and incident analysis system

UserGate Log Analyzer is a comprehensive system for analyzing data. The system aggregates data from various devices, performs event monitoring, and generates reports. The emergence of new threats and the ever-increasing volume of information that must be processed impose increased demands on the speed of analytics systems. UserGate Log Analyzer is deployed separately from the Security Gateway. The separation between traffic handling features and data analysis provides a system that is highly reliable and easily scalable. Received and processed data can be aggregated from several servers. Using a separate server for log analysis reduces the load on firewalls and allows you to process more data.

Basic capabilities

UserGate Log Analyzer collects and preprocesses data from NGFW UserGate firewalls. Based on the data that is obtained, a deep analysis is performed on the security events that have occurred, and any suspicious activities of individual users or hosts are identified and tracked. These functions are also necessary in order to comply with the modern SOAR (Security Automation, Orchestration and Response) concept. When configuring UserGate, the administrator may specify what event types are submitted for analysis to the Log Analyzer. The options that they can select from include event logs, intrusion detection system logs, traffic logs, computer-aided process control system events, and web access log events.

The report preparation system contains ready-made report templates and rules for their processing. Reports that are executed at the request of the administrator are available in the same section.

Preparing reports using ready-made templates in UserGate Log Analyzer

UserGate Log Analyzer offers ready-made report templates for the following categories: captive portal, system events, intrusion detection system (IDS), network activity, web portal, traffic, and web activity.

Thanks to the set of web activity reports, the administrator can get a detailed list of all visited websites, top blocked domains, and top users by URL category and by blocked sites.

The traffic reports section provides detailed information on user traffic per day/week/month, top applications by users, and top countries by traffic source and destination. Network activity can be tracked by analyzing DoS events by time of day, day of the month and week, and month. The administrator can also review information about blocked applications by user, top blocked applications, and top triggered rules.

IDS category reports provide detailed information about attacks. The system also determines the top IP addresses of attack sources, the targets of attackers (host IP addresses), and the top protocols used in attacks. You can also get information on the devices involved and the top device signatures. If the company has a captive portal, the reports will provide information on users that logged in via the captive portal by time of day, day of the week, and month, as well as an information summary for the month.

The event reporting section includes information about users that logged in via the console, a summary report of administrator actions, configuration changes by component, and a system event report by severity level.

The generated reports may be automatically submitted by e-mail to the administrator and other authorized persons. Reports can be submitted according to a schedule, at a desired time, or on a particular day of the week.

By using reports from various categories, the administrator can identify potential threats based on an analysis of the events that have occurred. The UserGate Log Analyzer module allows you to compare the results of reports with the set parameters and ensure that the infrastructure meets the requirements of the corporate security policy.

For large enterprise networks and telecom providers

The UserGate Log Analyzer E collects and performs the initial processing of data from UserGate firewalls. The product is deployed separately from the UserGate Security Gateway and is a full-fledged network server solution capable of protecting against all kinds of Internet threats on networks with a thousand or more users.

For large enterprise networks and data centers

UserGate Log Analyzer F25 is intended for use at major companies and data centers. This hardware and software system has large information storage capacity and allows data received from UserGate servers to be processed as quickly as possible.

Virtual Firewall

For organizations that prefer a virtual platform

Virtual UserGate Log Analyzer can be deployed on the customer's virtual infrastructure. All common hypervisors are supported, including VMware, Hyper-V, Xen, KVM, OpenStack, and VirtualBox. The functionality of the virtual solution is completely equivalent to that of the UserGate hardware system.


A fully functional 30-day trial version is available for testing.
