| Developers: | R-Vision |
| First release date: | 2023/09/29 |
| Last release date: | 2025/10/20 |
| Branches: | Information security |
| Technology: | Security Information and Event Management (SIEM) |
Main article: Security Information and Event Management (SIEM)
2025
Compatible with Deckhouse Kubernetes Platform Certified Security Edition
R-Vision and Flant on October 28, 2025 announced the compatibility of the R-Vision SIEM security event management system and the Deckhouse Kubernetes Platform Certified Security Edition. Based on the results of joint testing, a compatibility certificate was signed, certifying the correct operation of the systems within a single technology environment.
Testing has shown that R-Vision SIEM is correctly deployed and operates in the DKP environment, maintaining full functionality in terms of monitoring and processing information security events. With Deckhouse's container architecture, the solution is scalable and adaptable to the customer's infrastructure.
| R-Vision SIEM compatibility with Deckhouse Kubernetes Platform confirms the readiness of our solutions to work in container infrastructures. This expands the ability of customers to build flexible, scalable and secure incident monitoring and response systems that meet regulatory and corporate security standards, said Viktor Nikulichev, R-Vision SIEM Product Manager. |
| Deckhouse Kubernetes Platform provides predictable deployment, management and scaling of containerized applications to meet FSTEC requirements. Proven compatibility with R-Vision SIEM guarantees the correct integration of the components of the security event collection and analysis system in the Kubernetes environment, including stable operation under load and compliance with information protection requirements, said Konstantin Aksyonov, director of the Deckhouse development department at Flant. |
Proven compatibility of solutions opens up new opportunities for customers to build a flexible, scalable and certified IT infrastructure based on domestic technologies.
RED OS 8 Compatibility
RED SOFT and R-Vision on October 22, 2025 announced the completion of compatibility tests of the RED OS 8 operating system with the R-Vision SIEM infrastructure security monitoring solution and the R-Vision VM vulnerability management system.
Using RED OS 8 together with R-Vision SIEM and R-Vision VM makes it possible to build a modern, fault-tolerant infrastructure for the key components of a company's cyber defenses. Customers get predictable system performance, simplified deployment and operation, optimized load on IT and information security resources, scalability and long-term support of the solution.
| It is important for us not only to ensure a high level of protection of corporate systems, but also to make the transition to domestic software as comfortable as possible for business. Compatibility with RED OS 8 confirms that companies can build infrastructure on the basis of Russian solutions without compromises in security and performance, noted Vladimir Oralov, Head of Technology Partnership and Customer Experience at R-Vision. |
| For our part, as an operating system developer, we have provided the very stable and secure foundation that allows R-Vision products to unlock the full potential of their solutions. Together we offer the market a mature product, ready to work in various infrastructures, said Victoria Kostina, Head of Technology Compatibility at RED SOFT. |
The compatibility of RED OS 8 with R-Vision SIEM and R-Vision VM is confirmed by official certificates.
R-Vision SIEM 2.5
On October 20, 2025, R-Vision introduced the next update of the information security event management system - R-Vision SIEM 2.5. Recent releases focus on expanding analytical capabilities, implementing active agent response, and enhancing user experience through the integrated MITRE ATT&CK coverage assessment right in the product interface.
According to the company, one of the key changes is the "MITRE ATT&CK Coverage" section, which clearly shows which techniques and sub-techniques of the framework are detected by the configured detection rules. This allows information security specialists to quickly assess the completeness of coverage and plan the development of the detection system with a focus on the most critical attack vectors.
The vendor continues to develop centralized management of endpoints. Active response actions can now be performed on connected endpoints directly from the product interface:
- Delete suspicious files
- Perform self-isolation of the node
- Stop processes
- Send files
- Add or remove entries in the hosts file to block or unblock domains and IP addresses (DNS sinkholing)
This extends rapid response scenarios and helps SOC analysts stop threats faster.
The update optimizes the user experience of the analyst when working with events.
- Found events can now be added to Favorites to collect all key data. Such a tool helps the analyst collect all the artifacts of the investigation in one place and quickly return to them if necessary.
- The "Event comparison" function has been implemented: the system highlights the differences between a reference event and the current event down to the line, word or character.
- In the "Search" section, you can now form widgets in one click through the instant creation button and immediately visualize the resulting statistics.
- Data display management on dashboards and reports has become more flexible thanks to variable support. Dashboard variables allow parameterized fields to be set centrally for every widget, so changing one value updates the whole dashboard automatically, which simplifies analysis and visualization setup.
The latest version of R-Vision SIEM introduces the Universal Event Model 2.0, built on the principle of subject-object description of events. This structure optimizes the process of normalizing events for the engineer and at the same time improves consistency and facilitates the interpretation of events for the analyst. With this, engineers create event processing rules faster, and analysts get clearer and more structured events for investigation and monitoring.
In addition, event models now support dynamic fields containing structured JSON data; RQL queries can address both the whole field and the nested objects and arrays within it.
Additional changes:
- Collecting events from files: Added FTP and SMB entry points to monitor changes and collect events from remote resources.
- Audit of active list records: The system now records all operations on active list records performed by users and correlation rules, producing audit events that can be reused for correlation and further analysis.
- Identifying sources by mask: Source audit policies provide the ability to identify source groups by a set of event fields, without binding to entry points and pipelines. This allows a more granular identification of the source for observation.
| The focus of the latest R-Vision SIEM releases is to create a unified environment in which an analyst can not only explore events, but also act instantly, said Viktor Nikulichev, R-Vision SIEM Product Manager. |
Garda DLP Compatibility
The developers have confirmed the compatibility of the Garda DLP data leak protection system and the R-Vision SIEM information security event management system. The integration expands the functionality of both solutions: events captured by the DLP are combined with events in the SIEM, creating a visual picture of cyber attacks and increasing the degree of integration of the product into the company's infrastructure. The company announced this on September 17, 2025.
Updated detection rules for Microsoft Windows, Linux, MySQL, Oracle DB, VMware vCenter and ESXi, and OpenVPN
On July 16, 2025, R-Vision announced that expertise packages had been added to the R-Vision SIEM infrastructure security monitoring system, including 263 additional detection rules, normalization rules supporting various event sources, and optimization of existing content. The system now provides more than 750 detection rules out of the box.
According to the company, the updates include detection rules for Microsoft Windows, Linux, MySQL, Oracle DB, VMware vCenter and ESXi, and OpenVPN, as well as a significant expansion of coverage for Microsoft SQL Server and Kubernetes.
| Kubernetes is actively used to deploy microservice applications, including in cloud and hybrid infrastructure. This expands the attack surface, which attracts intruders. The most common methods are abuse of access control mechanisms (RBAC) and attempts to gain access to critical namespaces such as kube-system. To better identify such threats, we have significantly expanded the set of detection rules in R-Vision SIEM, said Diana Gulina, Head of R-Vision Cybersecurity Threat Analysis and Detection. |
In addition, as part of a technical partnership with Russian vendors, detection rules were added for systems such as Garda WAF, Infowatch TM, S-Terra Gate and Secret Net Studio.
The R-Vision research team analyzes current hacker groups and attacks, identifies how vulnerabilities are exploited and how such exploitation can be detected, develops detection rules on this basis, and also optimizes existing rules based on new findings. Among them:
- Detection of the LocaltoNet utility, which attackers use to set up tunnels from the Internet into the internal network, bypassing network restrictions and interacting covertly with infected machines. For example, the APT Morlock group used LocaltoNet in attacks on IT contractors to gain a foothold in the infrastructure and reach its main targets.
- Detection of exploitation of CVE-2025-24071, a vulnerability in file handling in Windows Explorer. An attacker can provoke an NTLMv2 hash leak by forcing the system to open a specially prepared file with the .library-ms extension, obtaining credentials without user interaction.
- Detection of abuse of the ssh.exe utility, including creation of hidden tunnels, interception of NTLM hashes and remote command execution without an explicit connection to the server. The ToddyCat group is known to have used ssh.exe to tunnel traffic.
- Detection of browser extension abuse, a common practice in which malicious code is injected into popular extensions and can subsequently lead to theft of user data from the browser.
Company infrastructures are in constant development, so supporting additional event sources and writing and updating normalization rules is another important area of work for the R-Vision research team. As of July 2025, R-Vision SIEM supports over 200 sources.
The updates include normalization rules for sources such as Huawei USG, Continent 4, Garda Monitor (NDR), Garda DLP, Garda WAF, Garda DBF, NS, Aurora Center, ViPNet TIAS, ViPNet IDS, Dallas Lock, Kaspersky Secure Mail Gateway, Kaspersky CyberTrace, PT ISIM, Xello, zVirt, Linux auth.log, Lighttpd, NextCloud, OpenVPN Access Server, Microsoft AD DS, Netgate pfSense, CyberPeak, Suricata and HP ProCurve.
The expertise package also includes templates of typical dashboards, which allow the SIEM to be quickly configured for user tasks from ready-made components. These templates define the structure of the dashboard, the rules for displaying and updating information, and the placement of widgets.
The current expertise release is available to all users with active technical support. To use it, R-Vision SIEM must be updated to version 2.3.0 or higher and the expertise update installed.
MULTIFACTOR Compatibility
MULTIFACTOR and R-Vision have entered into a technology partnership agreement. As part of the cooperation, the vendors tested and confirmed the compatibility of R-Vision SIEM with the MULTIFACTOR two-factor authentication and access control system. Multifactor announced this on July 10, 2025.
According to the test results, the parties signed a certificate confirming compatibility.
The integration of R-Vision SIEM and MULTIFACTOR solutions allows you to achieve maximum account security, as well as more reliable protection of confidential data and corporate information of customers.
| We are developing our own ecosystem of products in cooperation with domestic developers. The main task of the MULTIFACTOR system is to ensure secure connection to corporate data for Russian companies and eliminate the risks of unauthorized access. I am convinced that cooperation with R-Vision will strengthen our strategy to create a convenient and secure domestic IT ecosystem, said Roman Korotun, Sales Director of MULTIFACTOR. |
| Technology partnerships allow us to build more holistic and sustainable cyber defense scenarios. Integration with MULTIFACTOR has increased control over access to critical resources and increased the ability to identify and respond to incidents. We are convinced that such integrations are necessary so that customers can make the most of their security systems, commented Vladimir Oralov, Head of Technology Partnership and Customer Experience at R-Vision. |
R-Vision SIEM 2.3 with Space and Service Support
R-Vision has introduced an updated version of its information security event management system, R-Vision SIEM 2.3. The update is aimed at simplifying operation in geographically distributed infrastructures, increasing the flexibility of data collection and strengthening control over access to events. R-Vision announced this on May 28, 2025.
Centralized management of the data collection architecture
Version 2.3 introduced support for spaces and services: SIEM clusters can now be managed centrally and geographically remote segments connected. The built-in space manager allows external nodes to be connected directly from the SIEM interface and their configuration managed. Within a space, collectors can be created and the full event processing cycle configured on them: collection, normalization, filtering, correlation and forwarding of events. This is especially relevant for companies with a distributed infrastructure: for example, an organization with a central installation of the system in Moscow can manage and control the operation of clusters in other regions without local intervention.
Also, connectors of the Global Bus type have been added to the pipeline elements. These are special data buses for seamless data exchange between collectors, including those located in different spaces.
Agent Manager is integrated into the system - a special component for centralized management of the lifecycle of R-Vision Endpoint agents, policies, and event collection processes. This allows efficient data collection both from system logs and files, and directly from workstations and servers on all key platforms: Linux, Windows and macOS.
An important change also concerns security: this version implements attribute-based access control (ABAC) for events. It allows event access policies for repositories to be configured on the basis of event attributes using the RQL query language, which increases flexibility and makes it easier to meet internal access control requirements. A single policy can apply to multiple roles and event stores and contain multiple rules.
| Update 2.3 turned out to be a rich one. We have significantly expanded the capabilities of the system to solve the problems of collecting and managing access in geographically distributed companies and holdings. In addition, we continue to expand the functionality of the system and improve the user experience. Our goal is to make SIEM a reliable and convenient assistant in the work of SOC analysts and engineers, said Viktor Nikulichev, R-Vision SIEM Product Manager. |
One of the important changes is the addition of the Global Function, a new type of expertise element that defines a reusable VRL code block. Using global functions, you can create event logic templates for reuse in different scenarios, which simplifies the setup of correlation and normalization rules.
Significant improvements also affected the correlation rule designer:
- a setting for filtering events based on active lists, enrichment tables and global functions;
- new comparison operators: In, Like, =null, !=null;
- the ability to revert to previous versions of normalization, correlation, aggregation and segmentation rules;
- limits on the intensity of event generation: SIEM automatically disables correlation rules that exceed the specified limits on the number of correlation windows or the frequency of triggers.
In R-Vision SIEM 2.3, mass operations with alerts are supported: selected alerts can be closed or their properties can be changed, such as threat level, status, responsible user.
To improve the convenience of working with the system in the cards of active lists and enrichment tables, the Related Elements tab has been added, which displays the normalization and correlation rules in which they are used.
Added advanced search mode that supports projection and result grouping. It replaced the functionality of the RQL sandbox section.
In event statistics, you can load values outside the top 10, which removes restrictions on the depth of analysis.
In addition, the R-Vision SIEM 2.3 release includes other improvements aimed at improving the user experience.
Integration with Aurora Center
R-Vision and Open Mobile Platform have completed the integration of the Aurora Center mobile device management solution with the R-Vision SIEM information security event monitoring system. Companies can now control security on mobile devices, increase the transparency of access to information systems and reduce the risk of incidents in the mobile segment. The update is available in the R-Vision SIEM normalization rule package release of 20.02.2025. R-Vision announced this on April 28, 2025.
The integration covers a previously unmonitored segment: the activity of mobile devices from which employees access internal systems. Events from Aurora Center (authorization, configuration changes, administrator actions, security policy changes) are recorded in R-Vision SIEM alongside logs from firewalls, proxies, workstations, Active Directory and antivirus systems.
For example, when a login to a corporate system is attempted from a mobile device whose security policy has been changed, a correlation rule is triggered and the analyst is notified of the threat. Because the events arrive in the normalized format, such cases are easily embedded in existing response scenarios.
For information security specialists, this means:
- more context when investigating - you can track the chain of user actions, including mobile access;
- the ability to take into account the risks of the mobile environment in correlation rules;
- compliance with requirements for control of mobile devices in protected and critical segments.
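The correlation scenario described above, written out as an added illustration (this is not R-Vision SIEM's rule engine or RQL; event field names, the 24-hour window and the sample events are constructed assumptions): a stateful rule remembers the latest Aurora Center policy change per device and alerts when a login from that device follows within the window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Correlation window: a login is suspicious if the device's security policy
# changed within this period before it (assumed value for the illustration).
WINDOW = timedelta(hours=24)


@dataclass(frozen=True)
class Event:
    """Minimal normalized event; field names are assumptions, not the product's schema."""
    ts: datetime
    source: str      # "aurora_center" (MDM) or "auth" (corporate login)
    action: str      # "policy_change" or "login"
    device_id: str
    user: str


class PolicyChangeThenLoginRule:
    """Remembers the latest policy change per device and alerts on a later login
    from that device inside the window. Stale changes are expired on every event."""

    def __init__(self, window=WINDOW):
        self.window = window
        self._last_change = {}  # device_id -> policy_change Event

    def _expire(self, now):
        cutoff = now - self.window
        for dev in [d for d, e in self._last_change.items() if e.ts < cutoff]:
            del self._last_change[dev]

    def process(self, ev):
        """Return an alert dict if the event completes the chain, else None."""
        self._expire(ev.ts)
        if ev.source == "aurora_center" and ev.action == "policy_change":
            self._last_change[ev.device_id] = ev
            return None
        if ev.source == "auth" and ev.action == "login":
            change = self._last_change.get(ev.device_id)
            if change is not None:
                return {
                    "rule": "mobile_policy_change_then_login",
                    "device_id": ev.device_id,
                    "user": ev.user,
                    "policy_changed_at": change.ts.isoformat(),
                    "login_at": ev.ts.isoformat(),
                    "delay_minutes": int((ev.ts - change.ts).total_seconds() // 60),
                }
        return None


def run_rule(events, window=WINDOW):
    """Feed events in time order through the rule and collect the alerts."""
    rule = PolicyChangeThenLoginRule(window)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        alert = rule.process(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample stream: one device changed and then logged in within the window,
# one logged in with no prior change, one whose change is older than the window.
SAMPLE_EVENTS = [
    Event(_t("2025-04-20T09:00:00"), "aurora_center", "policy_change", "dev-A", "mdm-admin"),
    Event(_t("2025-04-20T09:30:00"), "auth", "login", "dev-A", "ivanov"),    # alert expected
    Event(_t("2025-04-20T10:00:00"), "auth", "login", "dev-B", "petrov"),    # no prior change
    Event(_t("2025-04-18T08:00:00"), "aurora_center", "policy_change", "dev-C", "mdm-admin"),
    Event(_t("2025-04-20T11:00:00"), "auth", "login", "dev-C", "sidorov"),   # change expired
]

if __name__ == "__main__":
    for a in run_rule(SAMPLE_EVENTS):
        print(a)
```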
| The result of our cooperation is an indicator of the effective interaction of two professional teams aimed at improving corporate security by connecting to monitoring the security events of mobile devices, from which access to corporate information systems is provided, said Andrey Makarenko, manager for technological development of Open Mobile Platform partners. |
R-Vision SIEM is a key product in the R-Vision line. The system is built on a scalable architecture. It supports adaptive correlation, attack chain visualization, flexible event source management, and integration with SOAR, UEBA, TIP, and VM modules. This makes it possible to build a single monitoring and response center without process gaps and manual data transfer.
| We are consistently expanding the coverage of event sources for R-Vision SIEM, focusing on real infrastructure protection objectives. Integration with Aurora Center is a logical step taking into account the growing role of mobile devices in the public sector and industry, said Vladimir Oralov, Head of Technological Partnership and Customer Experience at R-Vision. |
R-Vision SIEM 1.9.2 and 1.10.2 compatibility with Dallas Lock 8.0 (10.5.0.803) and TWE Dallas Lock 2.0.211.1
R-Vision and the Information Protection Center of the Confident Group of Companies announced the start of a technological partnership on February 6, 2025. The agreement confirmed the compatibility of the R-Vision SIEM information security system with the Dallas Lock 8.0 information security system and the Dallas Lock Unified Cross-Platform Control Center.
R-Vision SIEM and Dallas Lock compatibility enhances the ability to centrally monitor and normalize security events. The integration allows data on user access and actions to be collected and analyzed, improving threat detection and accelerating incident detection for further response. This improves the effectiveness of security management and reduces the consequences of possible attacks.
The tests confirmed the compatibility of the R-Vision SIEM centralized event management system (versions 1.9.2 and 1.10.2) with the Dallas Lock 8.0 (version 10.5.0.803) and TWE Dallas Lock (version 2.0.211.1) unauthorized access protection system for the normalization of the recorded events.
| The technological partnership between R-Vision and the Confident Group of Companies opens up opportunities for both companies. Combining our resources and expertise will offer customers cybersecurity solutions. The interaction between R-Vision SIEM and Dallas Lock not only strengthens the level of security, but also expands security scenarios, improving availability and usability for end users, said Vladimir Oralov, Head of Technology Partnership and Customer Experience at R-Vision. We are confident that the further integration of our products and the expansion of the partnership will create even more powerful solutions that will meet the highest requirements of cyber defense. |
| We are pleased to announce the conclusion of a strategic agreement with R-Vision, which is aimed at developing our technological partnership and combining resources. Cooperation will allow us to significantly increase the efficiency of information security departments at current and potential customers. We are confident that the introduction of data enrichment processes for centralized event management systems will enable our customers to better protect their data and systems from modern threats. The partnership with R-Vision will be an important step towards creating a safer digital space for all our customers and partners. As a result, we will be able not only to strengthen our position in the market, but also to offer our clients solutions that will help them successfully cope with the challenges associated with cyber threats, commented Mikhail Dmitriyev, Director of Business and Technology Partnerships and Marketing at the Confident Group of Companies. |
2024
FSTEC of Russia certification tests for the 4th level of trust
R-Vision on January 14, 2025 announced that the information security monitoring system R-Vision SIEM passed all the necessary certification tests in the certification system of the Federal Service for Technical and Export Control (FSTEC of Russia).
The Certificate of Conformity of the FSTEC of Russia No. 4888, issued on December 10, 2024, confirms that R-Vision SIEM meets the 4th level of trust in accordance with the conditions and requirements described in the document "Information Security Requirements Establishing Levels of Trust in Information Security Tools and Information Technology Security Tools" (FSTEC of Russia, 2020).
The Russian FSTEC certificate allows the use of R-Vision SIEM:
- at significant facilities of the critical information infrastructure of the Russian Federation up to and including the 1st category of significance;
- in state information systems (GIS) of the 1st security class;
- in automated systems for control of production and technological processes of the 1st class of security;
- in personal data information systems (ISDS);
- in Class II public information systems.
| Certification of R-Vision SIEM by FSTEC of Russia confirms a high level of trust in R-Vision products on the part of the regulator and opens up opportunities for companies that want to increase the security of their information systems through advanced protection technologies, said Viktor Nikulichev, product manager of R-Vision SIEM. R-Vision SIEM is natively integrated with Kubernetes and comes in a certified version that is fully deployable in an orchestration environment. This is especially important for companies that fall under the regulator's requirements. In addition, each installation automatically receives all the advantages of Kubernetes, which significantly increases the reliability and fault tolerance of the system. At the moment, we have successfully implemented a number of projects for customers from the industrial, financial and other sectors of the economy, and thanks to certification we plan to further expand cooperation with new organizations. |
R-Vision SIEM 2.0 with Correlation Rule Designer
R-Vision released a major update for the R-Vision SIEM 2.0 product on December 19, 2024. The vendor expanded the detection functions and implemented a correlation rule constructor.
The developer added a correlation rule constructor to R-Vision SIEM 2.0. It creates and modifies correlation rules interactively without the use of a code editor. The visual interface and step-by-step visualization of the process make it easier for analysts to create the necessary rules.
The changes also affected the elements of the event processing pipeline. R-Vision added the main metrics, "number of errors" and "received and sent events", to the pipeline interface. The key figures for each element are now visible immediately, without navigating to its details. This helps identify potential errors faster and minimize the loss of incoming events.
In the updated version of the product, the vendor also added a WMI entry point, which collects Windows logs from endpoints, servers and WEC (Windows Event Collector). The function allows you to configure the collection of several system logs at one entry point at once, which facilitates the work of the source configuration engineer.
Also in R-Vision SIEM 2.0 added a section "Query Manager," which is designed to collect and store information about user requests in the event store in the sections "Search," "RQL sandbox" and "Dashboards." In this section, analysts can work with query history and manage resources. For example, view requests made in dashboards and alerts, and monitor which requests load the storage. In addition, resource management functionality has been introduced, with the help of which restrictions on memory consumption are set when performing RQL requests for different user roles. New features allow administrators to improve system resiliency.
| Our experience with customers allows us to clearly define the vector of product development. By analyzing customer needs during projects, we are transforming R-Vision SIEM to meet the high demands of the market. As a result, we create solutions that meet current needs and anticipate future customer requests, providing them with a stable basis for improving the level of cybersecurity, said Viktor Nikulichev, product manager of R-Vision SIEM. This update is an important stage in the development of R-Vision SIEM. We will reorient the strategy from accumulating functionality to improving the quality of the user experience. Our team will focus on improving analytics and data visualization tools and reducing Time-to-Value so users can get the most out of the product faster. |
In addition to the redesign, the ability to search active lists was added in this section and in the RQL sandbox. Also, in the "Search" section, fields in events that satisfy the filter of the RQL query are now highlighted.
A "Statistics" mode has appeared, which allows data to be analyzed across all fields of the list of found records and events. The developer has worked in detail on the ranking of values: the mode allows the sorting to be controlled and immediately shows statistics by field. The "Statistics" mode also allows statistics on several attributes to be viewed at the same time, which speeds up the analyst's orientation in the data.
Now notification widgets have appeared in the product and system metrics have been added. In addition, in R-Vision SIEM, the developer has built three-dimensional histograms and the ability to build widgets based on data from active lists.
Author's supervision: operation of R-Vision SIEM in real-world conditions
Implementing a SIEM (Security Information and Event Management) system is a key step in reducing security, compliance and reporting risks. According to R-Vision, the number of cyber threats has increased by one and a half times over the past year.
One of the main sources of these threats is the risk of compromise through contractors involved in the supply chain. In order for our customers not to face the risk of cyber attacks through a supplier, R-Vision must comply with security requirements and quickly identify and prevent such incidents. This allows us to guarantee the safety and, as a result, the integrity of our customers' business. Therefore, we decided to strengthen our level of security by monitoring information security events, and to do so we used our own R-Vision SIEM tool.
Correlation rules added for effective threat detection
R-Vision continues to develop solutions in the field of cybersecurity and to expand the expertise in the R-Vision SIEM product for customers. To do this, the developer formed two research teams to track global cybersecurity trends and added correlation rules for effective threat detection. The company announced this on December 3, 2024.
R-Vision SIEM researchers regularly search for new cybersecurity threats, analyzing hacker attacks and identifying their methods and techniques. To focus on in-depth threat research, the vendor has formed two teams, Threat Analysis and Detection and the Research Laboratory, which monitor global cybersecurity trends. These specialized analyst teams focus on comprehensive threat research, expanding R-Vision SIEM expertise.
As of Q4 2024, R-Vision SIEM supports over 200 event sources. The vendor interacts with technology partners and participants of the Russian IT and information security market to expand the capabilities for working with data in R-Vision SIEM.
Developing correlation rules is a priority in improving the SIEM. As of December 2024, R-Vision SIEM includes more than 500 correlation rules that cover over 70% of current attack vectors and are developed on the basis of global best practices, including the tactics and techniques that the SIEM covers.
Based on current knowledge, R-Vision analysts update and expand the rule base every two weeks to more effectively detect modern threats. Improvements made include:
- FreeIPA (ALD Pro) package with 21 rules for detecting various MITRE ATT&CK tactics.
- Rules for detecting the use of tunneling and exploiting vulnerabilities in VSCode extensions.
- Detection of vulnerabilities actively exploited by attackers, such as CVE-2023-38831 (WinRAR), CVE-2023-22515, CVE-2023-22527 and CVE-2023-22518 (Confluence), CVE-2024-0507 (GitHub), as well as vulnerabilities in xz.
- Rules for identifying hacker utilities such as ngrok and gsocket, as well as the RDPStrike attack tool.
- Detecting the use of Telegram as a control channel (C2).
- Rules for identifying DNS tunneling that can be used to organize management (C2) and exfiltration of data from victim devices.
In addition, basic rules have been added for monitoring various business applications, such as Confluence, Jira and GitLab, as well as for monitoring virtualization systems (for example, vCenter), databases (for example, PostgreSQL and ClickHouse), and network devices and IPS (Cisco, Eltex, SolarWebProxy, Continent).
R-Vision continues to actively develop and improve its SIEM system, providing a high level of protection and responsiveness in identifying incidents, which allows organizations to effectively combat modern cyber threats and minimize risks.
R-Vision SIEM 1.8 with advanced functionality
On September 26, 2024, R-Vision introduced an updated version of the flagship product R-Vision SIEM 1.8 with advanced functionality. In this version, the developer added an audit of information security event sources to quickly identify and fix problems, monitor the health of Kubernetes to minimize the risks of failures, and accelerate user authentication thanks to the implementation of the LDAP protocol.
| We are actively deepening our expertise and developing R-Vision SIEM functionality according to market needs. As of September 2024, the expertise package already supports more than 100 event sources and contains more than 350 correlation rules. These tools allow us to effectively identify the main areas of attack and ensure that most of the infrastructure is covered without additional settings. Our goal is to offer customers a product that helps users to efficiently and safely solve everyday problems, "said Viktor Nikulichev, R-Vision product manager. |
In this release of R-Vision SIEM 1.8, you can now track the status of the sources from which events arrive in the collectors. The state of the sources is assessed by the frequency and number of events, which allows detecting deviations in their operation.
To do this, the system provides custom source audit policies. They track changes in the event flow and send notifications when the specified thresholds are reached through configured integrations.
The timeliness and completeness of incoming events are critical aspects of SOC operation. That is why we have added source control metrics that help to quickly identify and eliminate possible problems, such as the loss of events from one of the sources.
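As an added illustration that is not R-Vision's code, the source audit policy described above can be modelled as a set of per-source thresholds evaluated over a time window: a minimum event count, a maximum silence, and a maximum drop against the preceding window used as a baseline. The source names, thresholds, event timestamps and the policy schema are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class SourcePolicy:
    """Thresholds of one source audit policy (hypothetical schema, not R-Vision's)."""
    min_events: int        # fewer events in the window than this -> finding
    max_silence_sec: int   # no event for longer than this -> finding
    max_drop: float = 0.5  # count falling by more than this share vs. baseline -> finding

# Constructed sample events: (timestamp in seconds, source name).
SAMPLE_EVENTS = (
    [(t, "fw-core") for t in range(0, 240, 20)]                        # steady flow
    + [(0, "ad-dc01"), (30, "ad-dc01"), (60, "ad-dc01"),
       (90, "ad-dc01"), (150, "ad-dc01")]                              # flow stops
    + [(5, "vpn-gw"), (65, "vpn-gw"), (125, "vpn-gw"), (185, "vpn-gw")]
)

POLICIES = {
    "fw-core": SourcePolicy(min_events=3, max_silence_sec=60),
    "ad-dc01": SourcePolicy(min_events=2, max_silence_sec=60),
    "vpn-gw": SourcePolicy(min_events=2, max_silence_sec=120),
}

def audit_sources(events, policies, window_start, window_end):
    """Evaluate every policy over [window_start, window_end); the window of equal
    length just before it is the baseline. Returns {source: [finding, ...]}."""
    size = window_end - window_start
    cur, prev, last_seen = Counter(), Counter(), {}
    for ts, src in events:
        if window_start <= ts < window_end:
            cur[src] += 1
        elif window_start - size <= ts < window_start:
            prev[src] += 1
        if ts < window_end:
            last_seen[src] = max(last_seen.get(src, ts), ts)
    findings = {}
    for src, pol in policies.items():
        n, issues = cur[src], []
        if n < pol.min_events:
            issues.append(f"{n} event(s) in window, minimum is {pol.min_events}")
        silence = window_end - last_seen.get(src, window_start - size)
        if silence > pol.max_silence_sec:
            issues.append(f"silent for {silence}s, maximum is {pol.max_silence_sec}s")
        if prev[src] and n < (1 - pol.max_drop) * prev[src]:
            issues.append(f"count fell from {prev[src]} to {n} against the baseline window")
        if issues:
            findings[src] = issues  # in a SIEM this would trigger the configured notification
    return findings
```

Running `audit_sources(SAMPLE_EVENTS, POLICIES, 120, 240)` reports only `ad-dc01`, whose flow stopped at second 150: too few events, 90 seconds of silence and a drop from 4 to 1 event against the baseline window.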
To ensure uninterrupted operation of the SIEM system, it is necessary to carefully monitor the condition of all its components. In R-Vision SIEM 1.8, we apply modern approaches and technologies, including Kubernetes. A special Monitoring section has been added to the system, which allows us to monitor the state of the Kubernetes cluster.
In this section, you can find detailed information about containers, nodes, system modules, and other cluster components. Visual monitoring tools allow analysts to carefully monitor the state of the cluster and resource utilization, as well as to collect all the necessary metrics centrally using any convenient external means.
Starting with version 1.8, the system has the ability to use authorization in Active Directory, ALD Pro, FreeIPA and OpenLDAP domains via LDAP (Lightweight Directory Access Protocol) - an effective tool for centralized management of both individual domain users and domain groups. With its help, you can:
- Synchronize user data, including logins, full names, positions, statuses, email addresses and phone numbers.
The implementation of LDAP connections significantly reduces the time required to authenticate users, and also opens up opportunities for configuring the role model in the system.
The developer has improved the basic functionality of the R-Vision SIEM 1.8 system by adding two new features:
- Export and import of dashboards.
Users can now export and import dashboards in JSON format. This allows them to easily import ready-made dashboard templates and use them as content, which greatly simplifies analysts' work.
- Message templates for SMTP integration.
When configuring alerts through the SMTP integration, users can reference in message templates the fields of the alert or of the correlation event that generated it. This enables you to create your own templates for different tasks and integration assignments.
These improvements make working with the system more productive, allowing analysts to focus on data analysis rather than routine.
R-Vision SIEM 1.6 with Correlator Distributed Mode
On June 27, 2024, R-Vision announced the release of R-Vision SIEM version 1.6. The update includes improvements in working with correlation rules, as well as increasing the ability to scale, additional control and user management.
R-Vision SIEM 1.6 has been supplemented by the correlator distributed operation mode, which is available when configuring the collector. You can now use the resources of multiple nodes in a cluster to handle events in parallel. Thus, to handle more events, it is possible to scale correlation resources horizontally by available physical machines, saving on the cost of large configurations.
The R-Vision SIEM team of experts also paid special attention to working with large infrastructures. A flexible role model is important for such customers. Therefore, in this version, the developers have implemented the functionality of multi-tenancy in the system, thanks to which you can centrally manage one solution to protect several branches of the organization.
The developer also provided a flexible system of restrictions based on permission groups and roles, including the ability to distribute access roles and create user groups with completely unique permissions. The password policy, in turn, establishes requirements for the strength and use of account passwords, which increases the security of the system itself.
In addition, the developer has implemented snippets for managing function templates used in the development of correlation and normalization rules. For example, if you plan to use the same code fragment in several programs, you can save it as a snippet and then insert it wherever it is needed.
| In R-Vision, we develop technologies based on customer feedback. We are constantly improving our products, adding new functions and making their use more convenient, - said Viktor Nikulichev, product manager of R-Vision SIEM. - The improvements made respond to the main customer request for system scaling and monitoring. And the functionality of distributed correlation opens up new opportunities for our customers. |
Inclusion in the AFL Repository
On March 19, 2024, R-Vision announced the inclusion of the R-Vision SIEM solution in the FinTech Association Repository (AFL Repository). This repository contains verified information security products that are recommended for use as part of import substitution in the financial industry. R-Vision SIEM was listed in the AFL register on March 15, 2024. The registry number is AFT0247.
| The inclusion of R-Vision SIEM in the FinTech Association repository is a step that will significantly expand R-Vision's opportunities for cooperation with organizations from the financial industry, "said Kamil Baimashkin, Deputy Executive Director of R-Vision. - This is especially important within the framework of the import substitution program of foreign software. Therefore, the introduction of the R-Vision SIEM information security event flow management system into the list of IT solutions for the financial sector confirms that the product will help financial institutions find a worthy replacement for foreign vendors who have left the market without losing functionality and performance, and provide a solution for even the most complex information security tasks. |
In the banking sector, where security is a key factor, SIEM systems (Security Information and Event Management) play a crucial role. They allow you to quickly detect threats and respond to them, which is especially important in the context of frequent cyber attacks. With SIEM systems, banks can track and analyze large amounts of data, allowing them to identify suspicious transactions in a timely manner, assess risks and take measures to prevent possible incidents. This, in turn, helps to maintain customer confidence and maintain a reputation as a reliable financial institution.
In addition, SIEM systems provide centralized monitoring and control over all bank information systems, which greatly simplifies the security management process. They also allow you to automate the incident response process, which reduces the likelihood of errors and increases the efficiency of specialists.
| Financial sector organizations pay great attention to technological development and strive to digitalize their processes and services as much as possible. This requires them to provide a high level of information security to prevent the leakage of critical data. The repository of the FinTech Association helps organizations choose reliable suppliers of information security solutions that have proven their viability in the market and are independent of foreign technologies, "said Viktor Nikulichev, product manager of R-Vision SIEM. |
R-Vision SIEM 1.3
On January 16, 2024, R-Vision, a developer of cybersecurity systems, announced the expansion of the functionality of R-Vision SIEM technology. Version 1.3 includes a number of updates: the developer optimized the set of functions for collecting and processing events and implemented tools for working with content and search. It also added a report designer and expanded the ways to integrate with external systems.
As reported, in this version of its own SIEM system the company's experts have expanded the functionality of the event processing pipeline, which allows the SOC analyst to control event collection and processing in the graphical interface. To the already available entry and exit points, buses and the event normalizer, the R-Vision team added new elements: an aggregator, a router and a filter. This allows users to configure event processing flexibly, which is especially important in an infrastructure with a large number of sources and systems.
In addition, the changes affected the work with expertise objects. Each such object is the content part of the product, which contains written expertise on the processing and analysis of information security events. It includes normalization and correlation rules, active lists, enrichment tables, and event models. The R-Vision team optimized the process of preparing expertise objects by adding functions. Now information security specialists, in addition to creating and changing their own rules, can copy and delete expertise elements, enable, disable and update the rules in use, and apply templates and versioning. Also in the update, the company's specialists optimized the functionality for validating and testing rules, which helps SOC employees run additional checks on the effectiveness of the rules they develop in the test system. This allows errors in content preparation to be avoided and its effectiveness to be evaluated in advance, which in turn reduces the number of false positives once the rules are put into operation and helps ensure system performance.
Also in R-Vision SIEM 1.3, the developer expanded the functions of the search tool: it added syntax highlighting, hints for the queries that SOC analysts compose, quick filters applied directly from information security events, an interactive progress bar and a graph of event distribution, as well as support for all key database query functions, so that the analyst can quickly find the necessary events in the stream of incoming data.
An important change in the system update was the addition of a report designer that optimizes the reporting process. The designer helps the SOC analyst create report templates and send them according to an established schedule.
Significant changes affected the work with external systems. In version 1.3, active collection of events from various databases and over the HTTP protocol was added for SOC analysts. Also in the updated version, R-Vision experts have expanded integration capabilities, which, in particular, provide transitions to the interfaces of the R-Vision SOAR, Endpoint and UEBA systems. This allows you to collect more events from different systems and automatically pass incidents to SOAR for response.
2023: Presentation of the R-Vision SIEM solution
On September 28, 2023, R-Vision introduced two technologies, R-Vision SIEM and R-Vision VM, whose creation was another step towards the development of its own ecosystem for the evolution of SOC, R-Vision EVO.
R-Vision SIEM provides centralized event flow management from all information systems, helps identify incidents in a timely manner, and maintains business integrity. It allows you to optimize the use of company resources through an integrated approach to handling security events at all stages of data management.
R-Vision VM is a technology that allows you to identify information security vulnerabilities in the organization's infrastructure, aggregate the information received in a single database, as well as prioritize the discovered vulnerabilities and monitor the process of eliminating them.
| Our partnership with R-Vision began a few years ago, when NSD was faced with the task of building a truly effective Vulnerability Management process. Against the background of the events of 2022, the situation was also complicated by the lack of support for solutions from foreign information security suppliers, which means that the issue of working with vulnerabilities has become even more acute. Modernizing the vulnerability management process using expertise and R-Vision technologies allowed us to quickly and easily automate it, thereby ensuring timely elimination of vulnerabilities and protection from their exploitation, "commented Oleg Kuserov, Director of Information Security at the National Settlement Depository. |
