PRODUCT INTRODUCTION
The LogEase Security Information and Event Management Platform is a security analytics platform with both correlation and anomaly analysis capabilities. It fully supports the detection, analysis and response of various types of threats (known threats, suspected threats and unknown threats). Based on the LogEase data searching engine, the platform deeply correlates enterprises' logs and network traffic in real time and near real time, and combines asset, vulnerability and threat intelligence information to carry out automatic threat response processes and improve users' decision-making ability in security operations.
FUNCTIONAL MODULES
Comprehensive Log Data Collection
Log collection from various sources such as security devices, switches, load balancers, middleware, databases, operating systems, applications and endpoints.
Provides million-level EPS (Events Per Second) log stream processing capabilities, and PB-level log retention with second-level traceability.
Supports terabyte-level daily log processing and collection from more than 100,000 data sources.
Unified Threat Management
Over 2000 built-in complex security incident detection rules, covering network security, endpoint security, data security, web security, etc.
Provides a unified threat handling interface that automatically associates asset and vulnerability information and lets cases and playbooks be configured directly for security incidents.
Network and Endpoint Forensics
Network forensics collects network traffic data and associates it with security incidents to show abnormal activity on the network.
Endpoint forensics uses Windows/Linux system logs (combined with Sysmon events on Windows) to analyze abnormal processes, abnormal logins, abnormal account changes, etc.
Threat Investigation and Forensics
Provides analytic tools that map threat alerts and abnormal events onto the time dimension, thereby providing the ability to analyze the relationships between contexts.
Takes a given threat alert as the entry point to trace the source of the entire attack chain (Automatic Recursive Tracing). At the same time, the threat alerts along the entire chain are analyzed progressively by threat phase, with the purpose of discovering lateral movement behavior.
In the form of a traceability map, the possible correlations between threat alerts and abnormal behaviors are analyzed, and the attack path is traced starting from the threat alert.
Threat Intelligence Management
Provides a unified interface to manage threat intelligence information; it supports external intelligence sources and locally constructed intelligence.
Threat intelligence information is correlated with threat alerts to aid the analytic process.
Supports threat intelligence queries.
Asset Management
Perceives the dynamic changes of assets across the entire network, and provides asset information for correlation.
Shows the risk posture of assets, such as alerts/vulnerabilities related to the asset.
Vulnerability Management
Integrates with vulnerability scanners such as Nessus, RSAS, Sky Mirror, AWVS, OpenVAS, etc.
Vulnerabilities that are false positives or that recur frequently can be added to a whitelist to reduce the alert noise they cause.
For real but low-risk vulnerabilities that still trigger alerts, you can choose "Automatically Ignore" or "Automatically Repair".
Case Management
The case management function closes the loop of the security incident handling process, enables multi-role, multi-user collaborative response, and supports interfacing with the user's internal ticketing system.
Security Orchestration, Automation, and Response
Playbooks are laid out entirely through the user interface.
Selects the corresponding playbook for response according to the data source and matching conditions, such as the event type from the SIEM/posture platform.
Automatically performs actions such as intelligence querying, IP blocking, account locking, issuing work orders, sending email, etc.
Integrates firewalls, WAF, EDR, AD and other devices with SOAR through their APIs.
Auditing
Allows administrators to audit actions: every action performed by a user is recorded together with the related information, including time, username, client IP, functional module, operation page, description, operation type and action.
PRODUCT FEATURES
Proprietary high-performance Beaver Search Engine
The Beaver search engine is proprietary to LogEase.
Dozens of terabytes of logs can be processed daily.
Compared with mainstream open-source solutions, it provides numerous functional and performance advantages in log analysis scenarios, and it also minimizes the potential danger of vulnerabilities.
Flexible data collection and normalization capabilities
LogEase uses the rsyslog or syslog-ng agent that ships with the Linux system, or the LogEase agent, which can collect text and binary log data from servers, network devices, operating systems and application systems.
Supports various types of logs: any text-based log, whether from a server or a client, such as Apache, Java, PHP, Tomcat, MySQL, syslog-ng, rsyslog, nxlog, routers and other network equipment logs, can be uploaded to the platform.
Automatically extracts key fields from logs and converts unstructured logs into structured data. Supported standard log formats include Apache, Nginx, Syslog, Java, JSON, etc.
Log format customization provides wizard-based parsing rule configuration for accurate parsing, with multiple extraction methods such as regular expressions, key-value decomposition, URL decoding, timestamp identification, dictionary translation, IP address database lookup, etc. Operation is simple and easy to get started with.
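The extraction methods listed above (regular expression, key-value decomposition, URL decoding, timestamp identification, dictionary translation and IP address lookup) chained into one normalization step, as an added illustration that is not LogEase code; the sample Nginx line, the status-code dictionary and the tiny IP "database" are constructed here.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qsl, unquote

# Constructed sample Nginx access-log line (not real traffic).
SAMPLE = ('203.0.113.7 - - [12/Mar/2024:10:15:42 +0800] '
          '"GET /login?user=alice&next=%2Fadmin%2Fusers HTTP/1.1" 302 512 '
          '"-" "Mozilla/5.0"')

# Regular-expression extraction of the fixed positional fields.
NGINX_RE = re.compile(
    r'(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Dictionary translation: first digit of the HTTP status -> outcome label (constructed).
STATUS_DICT = {"2": "success", "3": "redirect", "4": "client_error", "5": "server_error"}

# Stand-in for an IP address database: (prefix, zone) pairs (constructed).
IP_DB = [("203.0.113.", "partner-net"), ("10.", "internal")]

def normalize(line: str) -> dict:
    """Turn one raw access-log line into a structured event dict."""
    m = NGINX_RE.match(line)
    if not m:
        # Keep unparsable lines instead of dropping them, flagged for review.
        return {"raw": line, "parse_error": True}
    ev = m.groupdict()
    # Timestamp identification: parse the Nginx format and store ISO 8601 in UTC.
    ts = datetime.strptime(ev.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
    ev["@timestamp"] = ts.astimezone(timezone.utc).isoformat()
    # Key-value decomposition of the query string; parse_qsl also URL-decodes values.
    path, _, query = ev["path"].partition("?")
    ev["path"] = unquote(path)
    ev["query"] = dict(parse_qsl(query, keep_blank_values=True))
    # Numeric typing so later correlation rules can compare rather than string-match.
    ev["status"] = int(ev["status"])
    ev["bytes"] = int(ev["bytes"])
    # Dictionary translation of the status code.
    ev["outcome"] = STATUS_DICT.get(str(ev["status"])[0], "other")
    # IP address database lookup: longest-prefix style match over the constructed table.
    ev["src_zone"] = next((zone for pfx, zone in IP_DB if ev["src_ip"].startswith(pfx)), "external")
    return ev
```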
Real-Time/Historical data analytics and correlation
Through the Search Processing Language (SPL) and the CEP-based (Complex Event Processing) rule engine, real-time and historical data can be aggregated, correlated, compared and analyzed to achieve threat modeling and real-time risk monitoring for the network and endpoints.
Abundant out-of-the-box contents
LogEase SIEM comes with resource packages (Apps) covering several areas, including log parsing rules (400+), reports, dashboards, threat detection rules and data models. These Apps allow users to flexibly feed in different systems or devices from different vendors.
Comprehensive contextual data sources correlated
In addition to log data, LogEase SIEM also uses contextual data sources such as asset information, vulnerability information and threat intelligence to aid the analysis process.
Various threat investigation tools
Threat investigation tools, including the timeline, cyber kill chain and traceability analysis, allow users to investigate and verify the security incidents triggered by the threat models.
Security Orchestration, Automation and Response
SOAR provides functions that perform automatic or semi-automatic response to security incidents; it can integrate with IT systems and security devices to perform actions such as IP blocking, ticket/case issuing, or threat intelligence querying.
Machine Learning
More than 20 machine learning algorithms, including clustering, classification, regression analysis, time-series forecasting and other types, enable in-depth intelligent security analysis.
Multi-tenancy
LogEase provides a multi-tenant platform service model, and operates and maintains LogEase public cloud and private cloud services as a multi-tenant platform. Third-party enterprise users, or subsidiaries of a group customer, can exist independently as tenants on the platform.
BENEFITS
Unified Data Management
All data from purchased equipment is integrated on the SIEM platform, so only the SIEM platform is needed to understand the overall security posture and perform threat management.
Comprehensive Threat Investigation
Multiple tools and contextual data sources are leveraged for threat detection and investigation, helping locate threats quickly and accurately and reducing MTTD (Mean Time To Detection). Security incidents of all levels can be handled in a hierarchical and classified manner.
Alerts Noise Reduction
Through SIEM aggregation and correlation rules, the number of alerts is reduced to dozens or even fewer, and the accuracy rate of the generated alerts can reach over 90% after verification.
Security Operation Efficiency Improved
Alerts from all security devices are analyzed against threat intelligence and handled within one minute using SOAR playbooks, efficiently reducing MTTR (Mean Time To Response).