RuSIEM Analytics features


RuSIEM Analytics is a module for the commercial version of RuSIEM that adds AI (artificial intelligence), DL (data learning), asset management and a number of other features, with the aim of detecting threats in a timely manner, resolving more cases and visualizing data.


  • installed as a module for the commercial version of RuSIEM
  • real-time detection of anomalies and threats by AI (artificial intelligence) / DL (data learning), without requiring correlation rules to be written
  • ability to use ML (machine learning) models via the PMML standard
  • baselining of the analysed indicators through analytics rules
  • management of analytics rules by the user through a graphical interface
  • output of baseline analytics indicators to widgets
  • registration of incidents when anomalies are detected
  • asset management
  • dynamic asset formation (installed software, processes, services, patches, MAC addresses, OS information) from real-time events and from active and passive polling
  • creation of static and dynamic asset groups
  • real-time audit of asset changes, generating events and optionally registering an incident
  • standards compliance (PCI DSS) and policy compliance reporting
  • ability to create a custom standard or policy (technical controls) and build a report on it
  • tracking of application / OS authentication audit events, comparing their attributes against the user's history
  • registration of an incident when a user logs in from a different IP address / browser
  • rule management, with the ability for an operator to add authentication tracking rules
  • feed lists containing IP / FQDN / URL / hash threat indicators
  • real-time analysis of feeds, registering an incident on a match
  • ability to add custom feeds
  • ability to maintain black and white lists through feeds
  • generation of events from analytics and triggers
  • refinement of the analytics module's triggering conditions through correlation rules to reduce false positives
  • real-time vulnerability management from events and from active and passive polling
  • browsing and searching of vulnerabilities in the embedded database
  • display of detected vulnerabilities on assets
  • incident registration upon detection of a vulnerability
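As an added illustration (this is not RuSIEM's own code, and the page does not describe the module's internals), the following Python sketch shows the two detections from the list above in their simplest form: authentication tracking that compares a login's IP address and browser against the user's history and raises an incident on a new value, and threat-feed matching of event indicators against a blocklist with an allowlist that suppresses matches. The event schema, the learning window of three logins, the feed contents and the sample events are all assumptions constructed for this example.

```python
"""Added illustration (not RuSIEM's code): authentication tracking with history
attribute comparison and threat-feed matching, run over constructed sample
events. Event field names, the learning window and the feed contents are
assumptions made for this example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed feed lists (assumption): blocklist indicators by type plus an
# allowlist of source IPs whose events are never raised as feed incidents.
THREAT_FEED: Dict[str, Set[str]] = {
    "ip": {"203.0.113.7"},
    "fqdn": {"bad.example.net"},
    "url": {"http://bad.example.net/dl"},
    "hash": {"0123456789abcdef0123456789abcdef"},  # constructed, not a real sample
    "allow_ip": {"10.0.0.250"},
}

# Which event field carries each indicator type (assumed normalised schema).
IOC_FIELDS = (("ip", "src_ip"), ("fqdn", "dst_host"), ("url", "url"), ("hash", "file_hash"))


@dataclass
class Incident:
    rule: str
    user: str
    details: str


class AuthTracker:
    """Per-user history of successful-login attributes. A login whose IP or
    browser is absent from that history raises an incident once the user has
    enough history to compare against (learn_logins successful logins)."""

    def __init__(self, learn_logins: int = 3):
        self.learn_logins = learn_logins
        self.history = defaultdict(lambda: {"src_ip": set(), "browser": set(), "count": 0})

    def process(self, event: dict) -> Optional[Incident]:
        if event.get("type") != "login" or event.get("result") != "success":
            return None  # failed logins are not baselined
        h = self.history[event["user"]]
        new_attrs = [k for k in ("src_ip", "browser") if event[k] not in h[k]]
        incident = None
        if h["count"] >= self.learn_logins and new_attrs:
            incident = Incident(
                "auth_new_attributes", event["user"],
                "new " + ", ".join(f"{k}={event[k]}" for k in new_attrs),
            )
        # Record after comparison so this login becomes part of the history and
        # the same attributes do not re-alert; a real system would let the
        # operator confirm the new attributes before accepting them.
        h["count"] += 1
        for k in ("src_ip", "browser"):
            h[k].add(event[k])
        return incident


def match_feed(event: dict, feed: Dict[str, Set[str]]) -> Optional[Incident]:
    """Raise an incident when any indicator in the event is on the blocklist,
    unless the event's source IP is allowlisted."""
    if event.get("src_ip") in feed.get("allow_ip", set()):
        return None
    for ioc_type, field_name in IOC_FIELDS:
        value = event.get(field_name)
        if value and value in feed.get(ioc_type, set()):
            return Incident("feed_match", event.get("user", "-"), f"{ioc_type}={value}")
    return None


def run(events: List[dict], learn_logins: int = 3) -> List[Incident]:
    """Pass every event through both detections and collect the incidents."""
    tracker = AuthTracker(learn_logins)
    incidents: List[Incident] = []
    for ev in events:
        for inc in (tracker.process(ev), match_feed(ev, THREAT_FEED)):
            if inc is not None:
                incidents.append(inc)
    return incidents


# Constructed sample events (assumption); the comments state the expected outcome.
SAMPLE_EVENTS = [
    {"type": "login", "result": "success", "user": "alice", "src_ip": "10.0.0.5", "browser": "Firefox"},  # learning
    {"type": "login", "result": "success", "user": "alice", "src_ip": "10.0.0.5", "browser": "Firefox"},  # learning
    {"type": "login", "result": "success", "user": "alice", "src_ip": "10.0.0.6", "browser": "Firefox"},  # learning, new IP tolerated
    {"type": "login", "result": "success", "user": "alice", "src_ip": "198.51.100.9", "browser": "curl/8.0"},  # new IP and browser: incident
    {"type": "login", "result": "failure", "user": "alice", "src_ip": "203.0.113.7", "browser": "Firefox"},  # not baselined, but source IP is on the feed: incident
    {"type": "dns", "src_ip": "10.0.0.5", "dst_host": "bad.example.net"},  # FQDN on the feed: incident
    {"type": "login", "result": "success", "user": "bob", "src_ip": "10.0.0.9", "browser": "Chrome"},  # bob's first login: learning
    {"type": "dns", "src_ip": "10.0.0.250", "dst_host": "bad.example.net"},  # allowlisted source: suppressed
]

if __name__ == "__main__":
    for inc in run(SAMPLE_EVENTS):
        print(f"{inc.rule:20} user={inc.user:6} {inc.details}")
```

The learning window is the knob that trades false positives against misses: a user with no history matches nothing, so the first few logins are only recorded, and only afterwards does a value missing from the history count as a deviation. The failed login from the feed-listed address shows why the two detections are kept separate: it contributes nothing to the user's baseline but is still an indicator match.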


  • Scaled vertically (by branch)
  • Scaled horizontally (for performance)
  • No limit on storage or EPS (events per second)
  • The databases can be installed as a node cluster
  • Component roles can be separated across different servers