Log Monitoring and Management Service:
Advanced Intelligence (AI) Engine

Powered by LogRhythm

Collect, correlate, analyze and store log data.

Automated, continuous analysis and correlation of all activity.

The ControlScan Log Monitoring and Management Service incorporates LogRhythm’s Advanced Intelligence (AI) Engine to deliver automated, continuous analysis and correlation of all activity observed within the environment in a uniquely intuitive fashion.

With a practical combination of flexibility, usability and comprehensive data analysis, AI Engine delivers real-time visibility to risks, threats and critical operations issues that are otherwise undetectable in any practical way. AI Engine is correlation that works!

The Advanced Intelligence Engine enables organizations to predict, detect and swiftly respond to:

  • Sophisticated intrusions
  • Compliance violations
  • Disruptions to IT Services
  • Network behavior anomalies
  • Insider threats
  • Fraud
  • And many other critical actionable events

Comprehensive, Advanced Correlation
AI Engine rules draw from over 70 different metadata fields that provide highly relevant data for analysis and correlation. This metadata includes the dynamic Risk Based Prioritization (RBP) value assigned to all machine data, enabling the AI Engine to build trends and expose statistical anomalies based on the risk level associated with specific activity on the network.

ControlScan writes rules into AI Engine that identify and alert on actionable events for security, compliance and operations assurance. AI Engine can also be used to cast a wide net through generalized correlation rules for broader visibility that accommodates changes in event behavior.

Multi-Dimensional Analytics
The ControlScan Log Monitoring and Management Service leverages AI Engine to combine enterprise-wide advanced correlation and pattern recognition with automated behavioral and statistical analysis, for multi-dimensional analytics.

By combining advanced statistical and heuristic analysis with behavioral whitelisting, AI Engine automates the process of learning what constitutes “normal” behavior on any combination of attributes tied to users, hosts, applications or devices.

AI Engine delivers:

  • Advanced correlation against all log and machine data.
  • Generalized and targeted security analytics.
  • Behavioral and statistical baselining.
  • Immediate access to underlying forensic data.
  • Guaranteed data collection.

A single event is not always enough to indicate a breach or show the true reach of a security incident. The AI Engine rules that ControlScan writes generate behavioral whitelists of "normal" activity, so that deviations from those baselines can be identified automatically and potential threats and breaches alerted on.

For example, malware can invade and spread through an organization quickly, exposing data and weakening security faster than administrators can react. In many cases, the extent of damage is unknown
  • Malware is detected on one host followed by attacks from that affected host.
  • Suspicious communication from an external IP Address is followed by data being transferred to the same IP Address.
  • A user logs in from one location, does not log out, but logs in from another city or country in a short timeframe.
  • RBP score assigned to firewall logs steadily increases from 50 to 90 over the course of an hour.

The AI Engine rules ControlScan writes also deliver continuous compliance by generating events when specific policy violations occur. These include protecting cardholder data or Protected Health Information (PHI) from unauthorized access and actively monitoring privileged user behavior.
  • Five failed authentication attempts followed by a successful login to a database containing ePHI followed by a large data transfer to the user's machine all within 30 minutes.
  • A file containing credit card data is accessed, followed by an attempt to transfer information from the same host to a USB thumb drive within 10 minutes.
  • Creating one or multiple accounts and escalating their privileges in a short period of time.
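The first compliance chain above (five failures, then a successful ePHI database login, then a large transfer, all inside 30 minutes), as an added example that is not ControlScan's or LogRhythm's rule syntax: a small Python correlator that tracks each user through the stages and fires only when the whole chain fits in one window, the same per-user staging that would serve the earlier security sequences (malware on a host followed by attacks from that host). The event shape, the host name `ephi-db01`, the byte threshold and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    user: str
    kind: str        # "auth_fail" | "auth_ok" | "transfer"
    host: str = ""   # host logged into (auth events) or transfer destination
    nbytes: int = 0  # bytes moved (transfer events only)

WINDOW = timedelta(minutes=30)
FAIL_THRESHOLD = 5
LARGE_TRANSFER = 50 * 1024 * 1024  # assumed "large" threshold; constructed for this example

def correlate(events, ephi_host):
    """Return (user, window_start, alert_ts) for each user whose events form the
    chain: >=5 auth failures, then a successful login to ephi_host, then a large
    transfer, with the whole chain inside one 30-minute window."""
    alerts = []
    fails = {}    # user -> timestamps of failures still inside the window
    success = {}  # user -> window start, once the login stage has been met
    for e in sorted(events, key=lambda ev: ev.ts):
        recent = [t for t in fails.get(e.user, []) if e.ts - t <= WINDOW]
        if e.kind == "auth_fail":
            recent.append(e.ts)
        elif e.kind == "auth_ok" and e.host == ephi_host and len(recent) >= FAIL_THRESHOLD:
            success[e.user] = recent[-FAIL_THRESHOLD]  # window starts at the earliest of the last N failures
        elif e.kind == "transfer" and e.nbytes >= LARGE_TRANSFER and e.user in success:
            if e.ts - success[e.user] <= WINDOW:
                alerts.append((e.user, success[e.user], e.ts))
            success.pop(e.user)
            recent = []  # one alert per chain; start over for this user
        fails[e.user] = recent
    return alerts

# Constructed sample: alice matches; bob's transfer lands outside the window;
# carol never reaches the failure threshold.
T0 = datetime(2024, 1, 1, 9, 0)
def make_chain(user, n_fails, transfer_min):
    evs = [Event(T0 + timedelta(minutes=i), user, "auth_fail", "ephi-db01") for i in range(n_fails)]
    evs.append(Event(T0 + timedelta(minutes=n_fails), user, "auth_ok", "ephi-db01"))
    evs.append(Event(T0 + timedelta(minutes=transfer_min), user, "transfer", "wks-" + user, 200 * 1024 * 1024))
    return evs
SAMPLE_EVENTS = make_chain("alice", 5, 20) + make_chain("bob", 5, 40) + make_chain("carol", 3, 10)

if __name__ == "__main__":
    for user, start, ts in correlate(SAMPLE_EVENTS, "ephi-db01"):
        print(f"ALERT {user}: chain started {start:%H:%M}, completed {ts:%H:%M}")
```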

Advanced correlation offers substantial value for operational insight and IT services assurance. Slight variations in specific activities, or a particular sequence of typically common operations events, may indicate critical operations issues.
  • A backup process is started, but no log for backup completed is generated.
  • A critical process stops and doesn't start back up within a specific timeframe.
  • A large group of servers shuts down followed by a smaller group of servers starting back up.
  • High I/O rates on a critical server usually only observed during backup procedures are observed during normal business hours.