How are analytics delivered in LogPoint?

The analysis tier in LogPoint is delivered in a hybrid model. The analytics node is a component that consumes data from many LogPoint backends. The backends stream data in real time to the analytics node, where it is processed for real-time correlation and alerting. Whenever an analyst needs forensic data or conducts long-term analysis, queries are executed against the data stores.

How does LogPoint analytics work?

LogPoint's analytical capabilities include both rule-based correlation and machine learning approaches. Rule-based correlation uses rules that identify patterns within the log data, between the log data and the incidents that have been responded to, and between the log data and behavior reports. Advanced analytics are performed by cascading rules, so that the output of one rule can feed the next, to correlate the sequential occurrence of events distributed over time. Correlation is further enriched by integrating threat feeds and non-time-series data such as SQL databases and LDAP directories.

Does LogPoint have built-in Machine Learning?

Yes. Machine learning is built into the LogPoint solution: all alerts and incidents are prioritized by machine learning. The output of rules, advanced analytics and UEBA (if installed) is funneled through a prioritization engine, which evaluates every alert or incident against the other observations made about the entities involved. LogPoint states that the Alert Prioritization Engine delivers a substantial (around 90%) reduction in false positives and "irrelevant" alerts.

What's the advantage of built-in Machine Learning?

LogPoint customers report that ML prioritization of everything generated in the SIEM increases SOC efficiency and situational awareness. LogPoint is not aware of competitors implementing similar methods. ML-driven alert prioritization helps analysts detect threats rapidly and achieve situational awareness by using ML to piece together the different pieces of information about an incident. One customer reports that average incident investigation time fell from 63 minutes to 2 minutes.

Are LogPoint analytics performed in real-time?

Yes. Real-time analytics in LogPoint are used for dashboards, alerts, and reports. The output of the streaming analytics framework is used to build dashboard widgets, including widgets populated with historical data. The streaming framework also triggers classic SIEM alerts, and the streaming layer is used when users submit or schedule reports.

How does LogPoint analyze historical data?

LogPoint can stream historical data through the same real-time streaming framework for forensic and investigative purposes, something that many competing solutions struggle to support.

Consequently, LogPoint makes no real distinction between historical and real-time data. For LogPoint customers, the ability to search through three years' worth of data is taken for granted.
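The following Python is an added example, not LogPoint's code, rule language or ML engine. It illustrates in one small pipeline the mechanisms this page describes: a single-event rule enriched from a threat feed and a cascading sequence rule that correlates events spread over a time window (see "How does LogPoint analytics work?"); a prioritization step that scores each alert by the other observations made on the same entity, using directory context standing in for an LDAP lookup (see "Does LogPoint have built-in Machine Learning?", whose ML engine is replaced here by a plain heuristic); and replaying archived events through exactly the same streaming code as live events (see the last two questions). The log line format, IP addresses, account names, the 5-minute window, the failure threshold and the scoring weights are all constructed assumptions.

```python
# Added example (not LogPoint's code or rule syntax). All data below is constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed enrichment sources: a threat feed and a directory standing in for LDAP.
THREAT_FEED = {"203.0.113.7"}
DIRECTORY = {"svc_backup": {"privileged": True}, "alice": {"privileged": False}}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<outcome>FAILED|ACCEPTED) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(line):
    """Normalize one constructed auth log line into an event dict (None if unparsable)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def correlate(events, window=timedelta(minutes=5), threshold=3):
    """Run pattern and sequence rules over events in arrival order.
    Only the timestamps carried by the events matter, so a replayed archive
    and a live stream go through exactly the same code."""
    failures = defaultdict(deque)   # (user, src) -> recent failure timestamps
    feed_seen = set()               # entities already reported as threat-feed hits
    alerts = []
    for ev in events:
        key = (ev["user"], ev["src"])
        # Rule 1: single-event pattern enriched with the threat feed (once per entity).
        if ev["src"] in THREAT_FEED and key not in feed_seen:
            feed_seen.add(key)
            alerts.append({"rule": "threat_feed_hit", "user": ev["user"],
                           "src": ev["src"], "ts": ev["ts"]})
        q = failures[key]
        while q and ev["ts"] - q[0] > window:   # expire failures outside the window
            q.popleft()
        if ev["outcome"] == "FAILED":
            q.append(ev["ts"])
            # Rule 2: `threshold` failures inside the window -> brute-force pattern.
            if len(q) == threshold:
                alerts.append({"rule": "brute_force", "user": ev["user"],
                               "src": ev["src"], "ts": ev["ts"]})
        else:
            # Rule 3 (cascading): a success that follows the Rule 2 pattern.
            if len(q) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "user": ev["user"],
                               "src": ev["src"], "ts": ev["ts"]})
            failures.pop(key, None)  # a success resets the sequence for this entity
    return alerts

def prioritize(alerts):
    """Score each alert by the distinct observations on its (user, src) entity:
    every rule that fired on it plus directory context. A heuristic stand-in
    for ML prioritization, which this example does not reproduce."""
    rules_by_entity = defaultdict(set)
    for a in alerts:
        rules_by_entity[(a["user"], a["src"])].add(a["rule"])
    ranked = []
    for a in alerts:
        score = len(rules_by_entity[(a["user"], a["src"])])
        if DIRECTORY.get(a["user"], {}).get("privileged"):
            score += 2                      # privileged account raises the priority
        ranked.append(dict(a, score=score))
    ranked.sort(key=lambda a: (-a["score"], a["ts"]))
    return ranked

def run_pipeline(lines):
    """Parse, correlate and prioritize; identical for live and archived lines."""
    events = (ev for ev in map(parse, lines) if ev is not None)
    return prioritize(correlate(events))

LIVE_LOG = [  # constructed authentication log lines arriving in real time
    "2024-05-01T10:00:00 FAILED user=alice src=198.51.100.5",
    "2024-05-01T10:00:20 FAILED user=alice src=198.51.100.5",
    "2024-05-01T10:00:40 FAILED user=alice src=198.51.100.5",
    "2024-05-01T10:01:00 ACCEPTED user=alice src=198.51.100.5",
    "2024-05-01T10:02:00 FAILED user=svc_backup src=203.0.113.7",
    "2024-05-01T10:02:10 FAILED user=svc_backup src=203.0.113.7",
    "2024-05-01T10:02:20 FAILED user=svc_backup src=203.0.113.7",
    "2024-05-01T10:03:00 ACCEPTED user=svc_backup src=203.0.113.7",
    "2024-05-01T11:30:00 ACCEPTED user=alice src=198.51.100.5",   # ordinary login
]

ARCHIVE_LOG = [  # constructed lines from a year earlier, replayed from storage
    "2023-11-02T09:00:00 FAILED user=alice src=192.0.2.44",
    "2023-11-02T09:03:00 FAILED user=alice src=192.0.2.44",
    "2023-11-02T09:07:00 FAILED user=alice src=192.0.2.44",    # first failure has expired
    "2023-11-02T09:08:00 ACCEPTED user=alice src=192.0.2.44",  # slow guessing: no alert
    "2023-11-02T14:00:00 FAILED user=bob src=192.0.2.9",
    "2023-11-02T14:00:05 FAILED user=bob src=192.0.2.9",
    "2023-11-02T14:00:10 FAILED user=bob src=192.0.2.9",
    "2023-11-02T14:00:30 ACCEPTED user=bob src=192.0.2.9",
]

if __name__ == "__main__":
    for label, lines in (("live", LIVE_LOG), ("archive", ARCHIVE_LOG)):
        for a in run_pipeline(lines):
            print(f"{label:7} score={a['score']} {a['rule']:26} {a['user']}@{a['src']} {a['ts']}")
```

On the live lines the svc_backup alerts rank first: the same entity triggered three independent rules (threat-feed hit, brute force, brute force followed by success) and the account is privileged in the directory, so the prioritization step places them above alice's two alerts. The archive replay shows the window at work: alice's slow guessing never reaches three failures inside five minutes and produces nothing, while bob's fast sequence yields the same two-alert cascade it would have yielded live.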