Press release

SGBox releases versions 5

The new release provides users with advanced analysis systems and a renewed back-end architecture.


SGBox, a leading Italian company in development and management of SIEM systems, announces the release of version 5 of its detect and response platform, with numerous and dedicated features, which allow you to make the most of the Security Information and Event Management platform.

This release integrates a completely redesigned back-end, to achieve an increase performance in the extraction and analysis of logs, even when operating on large databases.

An automatic recognition and configuration function of known data sources has also been introduced, to minimize the initial setup process and configuration update.

The new version of the SIEM SGBox solution offers numerous improvements in user interface, with optimizations and the ability to perform complex searches.

As for the multi-tenant mode, SGBox v5 introduces a series of new features aimed at making access to data more immediate. Among the main features, the ability to manage tenants in a single console and centrally in case of incidents.

We have proposed new features specifically designed for Microsoft environments to detect potential threats on endpoints, as well as monitoring changes to sensitive files, and we have improved support for third-party feeds to refine correlations and data collection, possible indices of compromise (IOC).

“To identify a targeted attack within your IT systems it is necessary to have maximum visibility of possible vulnerable points”

explains Massimo Turchetto, CEO and Founder of SGBox.

“We have decided to meet these needs by combining the telemetry generated by a software tool that Microsoft makes available for endpoints with the analysis capabilities typical of a SIEM platform”.

New Features introduced:  

  • Dashboard can now be derived from multiclass analysis templates, not just from events. In this way it is possible to carry out complex searches and use the results of these searches to feed dashboards in the same way used for viewing normal events.
  • You can create reports based on the dashboard contents. A print flag can be associated with each “Pattern analysis” widget. If dashboard widgets are also selected for printing, a new report category called “Dashboard” is presented in the report list. Like all reports, even those derived from dashboards can be generated in real time or scheduled to be sent at defined intervals.
  • The multi-tenant management console now allows you to obtain usage statistics (eps, volume and amount of logs collected, no. Of hosts) aggregated for all tenants or only for a subset in user-definable time intervals or in real time. The same functionality is also available for the single tenant belonging to the multi-tenant or for the version of SGBox on premises.
  • It is possible to centralize information on alarms and incidents, not only from local tenants but also from multi-tenant or single remote tenant installations, directly on the console, to obtain an overview of the alarms coming from all managed SGBoxes. From here it is then possible to go back to the triggering events to deepen the analysis.
  • Introduction of the ETL (Event Text Lookup) feature that allows you to search for an arbitrary field in all events. In this way, the user can search for a certain value backwards in time on all events that have that value. The search can be applied to both the original parameter type and another parameter. For example, it is possible to search for an IP address detected in an event both as source ip and destination ip.
  • Online log manager: it is now easier for the user to manage logs in online storage in order to allow more flexible management of raw data, while maintaining the integrity of the data itself. Raw data, always kept in compressed, encrypted and signed format, can be easily moved to online storage for immediate analysis.
  • Added cross-tenant pattern analysis and impersonation dashboard functionality in the multi-tenant console. Through this feature it is possible to obtain in a single point a view similar to the one obtained with the “Class / pattern analysis” view, but able to collect information simultaneously from all tenants.
  • Introduction of a new way of viewing events: incidents. It is now possible to have the correlation rules associate the resulting events in specific classes called “incident class”, dedicated to collecting the alarms generated by the rules. The multitenant version also allows the aggregations of alarms coming from all the tenant simplifying their analysis.
  • Root cause tool: It is possible, starting from an incident, to trace the events that triggered the rule, obtain the logs from which they were extracted and view the logs that preceded and followed the events in question over a configurable time interval. If the tool is applied to a generic event, it is still possible to obtain evidence of the log from which it was extracted and the flow of logs belonging to a time interval that precedes and follows the event
  • SM module: added summary report (with relative programming) of the results of the checks relating to: system availability, use of RAM, CPU and disk occupation
  • NVS module: addition of a new type of report linked to the detection of new vulnerabilities in an asset. The user can decide that the report is sent at the end of a scheduled vulnerability scan only if vulnerabilities not present in the previous scan are found on the asset being scanned.
  • Automatic recognition: a series of default profiles, vendors and classes have been added. By activating the automatic recognition from advanced options, and activating the profiles from the menu LM -> Configuration -> Profiles, the hosts that send logs are automatically recognized as belonging to a vendor, and placed in the classes. Thus sgbox collects events automatically.
  • Added “check-folder” command for file integrity monitoring with windows agent


Online newspapers

TechFromTheNet – Read the article

Il corriere della sicurezza – Read the article

EDGE9 – Read the article

EDP – Read the article