The latest version (7.3) expands/improves the offering in areas of file integrity monitoring, change audit, configuration assessment, cloud integration, event correlation and writeable media monitoring and management. Some of the other new features include built-in ticketing system (with acknowledgement, search, notes and email), support for log4j and related standards, such as log4cxx, log4net, log4php, scheduled discovery of applications and systems, configurable behavior rules to detect new and out-of-the-ordinary behavior by user-specified thresholds, frequency or learned-behavior thresholds, and risk-based prioritization for incident identification and automatic or manual remediation solutions.
The product ships as either a virtual appliance or as software. EventTracker uses a flat file database that is fully indexed for performanceand a standard compression function that flattens the data 90 percent or more for excellent retrieval and shortage management. The archive data is striped with a SHA-1 checksum to ensure data integrity. The checksums are validated before use and detection of tampering triggers an alert. Another strong feature is the integration of Microsoft's Specialized Security - Limited Functionality (SSLF) hardening option to the EventTracker system. The SSLF was designed to help protect information in hostile environments.
EventTracker provided a number of excellent documents to aid in its installation, configuration and use. Most useful were the EventTracker-Enterprise-v7.3-Install-Guide, Hardening-Guide-For-EventTracker-Server and the EventTracker v7.3 Enterprise User Guide.
The product provided features to filter unwanted activity. In addition to the items already noted, after a brief agent enrollment process, the following features were available for viewing and processing: email alerting, remediation, behavior analysis, forensic search, change activity reporting, compliance reports and more. The system provides a risk-based prioritization facility for assets that we found pleasing. One of the most powerful set of features were found under the "Reports" tab, then selecting the "Compliance" tab. Equally rich functionality was found under the "Config Assessment" tab. Once this was selected, the "Report" tab was selected. Here, under the "Benchmark" tab, there were a large number of report options. The benchmarks were categorized by publisher and system platforms, and systems were tagged and assessment launched. Once completed, the system reported the Config Assessment results. The Open Vulnerability and Assessment Language (OVA) results provided excellent references.
EventTracker support is a 24/7 fee-based service, which includes phone and email assistance, a portal via the website, a knowledge base and FAQ. The cost is 20 percent of the software list price. EventTracker also offers product support, design, planning, implementation services and training. This tool hits all of the benchmarks for a top-tier SIEM and is money well spent.
Version 7.3 of EventTracker Enterprise is a big leap forward in SIEM technology. Recommended.