Key Features:

Automated Threat Intelligence
ALM-SIEM ingests industry leading Threat Intelligence feeds, automatically enriching log and event data with key intelligence from these external watchlists and threat data.  ALM-SIEM also enriches the Threat Intelligence data feed with additional user-defined threat content, such as specific client context information, white lists etc., further enhancing threat hunting services.
Pre-configured Security Controls
ALM-SIEM is delivered with comprehensive out-of-the-box security controls, threat use cases and powerful alerting dashboards. Automated analytics using these built-in controls and threat intelligence feeds provides immediately enhanced security defences, visibility of security issues and mitigation support. Compliance failures also become evident.
Operational Dashboards
ALM-SIEM is delivered with comprehensive alerting and operational dashboards to support threat and audit reporting, security detection and response operations and analyst threat hunting services.  End user and operational dashboard configurations are  available. Multi format hard and soft copy alerting and reporting is also available (e.g. HTML, PDF, XLS, XML and CSV)
File Integrity Monitoring (FIM)
ALM-SIEM includes a built-in FIM service that alerts on potentially un-authorised changes to critical assets, outside of the scope of audit logs. FIM continuously and efficiently monitors the status of identified key assets such as critical system files, configuration files, packages, critical data files, system objects etc.
Enterprise Log Management
Enterprise wide, agent & agentless automated log management built-in. Secure and forensically sound collection of logs and machine data from almost any source. Ensures the security, continuity and integrity of all collected logs and allows alerting at the log source. Massively scalable. Resilience built-in.
Forensic Integrity Of Data
An RSA/SHA256 digital signature is calculated and the log digitally signed before transfer. Transfer is authenticated and encrypted using TLS. Log data are securely stored and retained in verifiably original and complete form, allowing multiple uses and deep forensic investigations.
Secure Data Storage
Log cataloguing, chain of custody records, archive creation and management. Essential meta data included. Fully searchable store. Archive to secure long term storage, complete with a digitally-signed manifest. Support for deep forensic investigation and re-investigation of all current and historic data.
Export to External Services
ALM-SIEM is an open platform solution which does not lock in user organisations, either through data format or technology platform. Automated data enrichment and flexible form or content normalisation, along with built-in data export features mean that data can be exported in original, form normalised or content normalised form to almost any external service.

ALM Log Sources

Event logs and machine data normally enter an ALM-SIEM system through an ALM agent or via a direct API connection, depending on the source of the data. For reasons of log data integrity, efficiency and resilience, the preferred option is to install small, unobtrusive ALM agents on the hosts that create the logs, but agentless deployment is also available in order to collect logs remotely and in cases where data integrity is not of primary concern.

ALM’s architecture allows collection and management of almost any log or data type (not just syslog streams as with many SIEM solutions). These can include binary logs, cloud data and many other types.

ALM-SIEM provides a huge range of data collection and processing features (known as Data Sources) out of the box and Assuria is constantly extending its portfolio of data sources based on the needs of our customers. But, with some training it is also possible for customers to add additional log sources to meet their own unique needs, via the optional Assuria Log Source SDK.

ALM Log Collection

Assuria’s ALM-SIEM solution uses agents to collect log data into a central store, although agentless collection is also available. ALM server-side components then process the collected logs from the store, e.g. to normalise and filter selected events into a database, or to export to external systems.

ALM’s collection architecture uses agents to collect data (typically logs, but ALM can collect anything, including screenshots and network packet captures) from a variety of sources. Data sources can be added at will, and include local log files, support for various remote protocols such as Syslog, WMI and OPSEC LEA, and querying of web/cloud services.

The agent collects data in their original format, unchanged, sequence numbered and digitally signed. It then transfers the data via a mutually-authenticated TLS channel to an ALM Collector, which writes the data into a Store. ALM agents can also be configured to generate alerts at source when specific events appear in the logs that it collects.