Service Architecture

The process described below demonstrates how the ClearSkies SecaaS SIEM Platform service is facilitated with the use of Log Collector(s) deployed at your premises as follows:


Log data generated from a number of diverse security devices, systems, applications, network infrastructures and communication links, are collected


Log data collected are compressed at a ratio of up to 85%, digitally signed and optionally encrypted before archived. This way collected logs are maintained at a state which allows them to be also utilized for forensic investigation or legal evidence should the need arise.

Normalize :

Log data from different network, systems, applications and vendors are formatted in different ways, even if these events are semantically equivalent.  Copy of the log data collected are normalized and stored into a common schema at the time of data collection for further processing, Analysis and Correlation, and ad hoc search and reporting.


Analysis of normalized log data is performed for identifying Real-Threats, thus minimizing False-Positive Alerts, by utilizing IthacaLabs© Threat Intelligence feed and Vulnerability Information that might exist on your mission critical systems.

Based on these characteristics the Severity, Exploitability and Impact Factors for Real-Threats are calculated and fed into the Correlation process.


The Correlation of Real-Threats utilizes not only a number of statistical and behavioural heuristics models but also a number of intelligent correlation rules which are developed on an ongoing basis by taking into consideration the Threat Analysis & Security Intelligence provided through IthacaLabs®. This process facilitates the early identification of Real-Threats and/or misuse attempts that might affect the Confidentially, Integrity and Availability of your information


Sensitive information found within the log data, such as user credentials, could be masked before leaving your premises.

Incident Management:

You can escalate events which have been determined to impose a Real-Threat to your mission-critical systems and communication links to incident status and assign them internally for further investigation and resolution using the built-in incident management process workflow through Incident Escalation communication channels such as:

• Sending email, Push-Notifications* and/or SMS to those people that this incident is assigned to, accompanied with a brief summary of the incident including its severity level.

• Updating the built-in incident management dashboard with details regarding the raised incident, including course of action.