Key Features
Logster is an AI-driven threat detection platform. This page summarizes the features that matter most to security architects, SOC analysts, and SOC engineers evaluating Logster for an enterprise-level deployment.
For installation and configuration, start with the Admin Guide.
AI-driven detection
- Pre-trained detection models (one for Windows, one for Linux) classify 3-minute sliding windows of endpoint activity as benign or attack.
- Behavior-aware analysis — Logster analyzes endpoint activity across processes, files, scripts, network connections, and syscalls, along with the relationships and timing between them. The model discovers suspicious user behavioural patterns, not isolated security events.
- Platform-specific AI models — separate models for Windows and Linux, released and updated by Logster Support on a regular basis.
- Zero-day detection — because Logster reasons over behavioral patterns rather than static indicators of compromise (IOCs), it can flag novel attack patterns that share the structure of known attacks without requiring a signature update.
- No manual threat hunting required — detections are automatic and continuous; analysts work from the alert queue rather than chasing hypotheses.
MITRE ATT&CK coverage
Logster is designed to detect activity across the full attack lifecycle. From Logster Support's product materials, the covered tactics are:
- Reconnaissance
- Resource Development
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Lateral Movement
- Command & Control
- Impact
- Exfiltration
Real-time alert pipeline
- Deduplication — Same-endpoint alerts within a configurable window (default 5 minutes) are merged into a single alert, so noisy hosts do not spam the analyst queue.
- Lateral-movement correlation — When multiple endpoints in the same
tenant alert within a configurable window (default 60 seconds), they are
cross-linked via the
related_endpointsfield on the alert. - Severity — Every alert gets a severity based on a probability value,
attack_prob:CRITICAL >= 0.95,HIGH >= 0.85,MEDIUM >= 0.7. - MITRE ATT&CK enrichment — An optional TTP analyzer service enriches alerts with technique IDs and human-readable explanations.
- Alert lifecycle — Logster supports multiple incident response stages
while handling alerts triggered in the centralized Logster console. These
stages are
open → acknowledged → investigating → resolved / false_positive. - Notification sinks — Alerts triggered in the centralized Logster console
are published to the
logster-alertsKafka topic and can be consumed by downstream systems (for instance, any SOAR platform or any operational monitoring solution like ServiceNow, BMC, PagerDuty, JIRA, etc.).
Logster Console
The centralized Logster console is the primary SOC analyst interface. It provides:
- Host cards with per-endpoint threat gauges and alert counts.
- Attack timeline showing benign vs attack counts and average / maximum attack probability per bucket over time.
- Inference detail view — full detection model prediction with the list of events that contributed to the window.
- Process tree visualization — walk parent/child process relationships inside a detection window.
- Endpoint insights — user activity, privilege levels, file activity, network destinations, process relationships, command lines — for both Windows and Linux hosts from a single UI.
- Distribution and analytics — prediction histograms, severity breakdowns, MITRE TTP distribution, attack heatmaps by hour and day, trend analysis versus the previous period.
See the User Guide for the full walkthrough.
Data ingestion
Logster natively supports the mainstream enterprise log shippers on both Windows and Linux.
Logster's target ingestion scale is up to 100 Tbps/day in enterprise configurations.
Custom integrations outside this list can be built by the Logster Support engineering team on request.
Deployment flexibility
Logster is available in two deployment models:
- On-Prem — installed inside your own data center or private cloud to support better data privacy and regulatory compliance, since security logs never leave your environment. The customer will have to manage their own hardware, engineering, maintenance, and training.
- SaaS — hosted on the Logster Cloud. This deployment model supports real-time model updates and no maintenance hassle. Customers are, however, responsible for endpoint event collection and forwarding to Logster.
Both models deliver the same detection capability. See the Licensing Guide for the license terms and deployment trade-offs.
Observability and operations
- Detection metrics generated by Logster's detection service include raw event counts, normalized event counts, inference runs, active endpoints, inference latency, alerts created, dedup hits, lateral-movement detections.
- Centralized dashboards are pre-provisioned in the Logster console against the multiple data sources.
- Distributed Tracing that spans across the normalizer → inference → alerts pipelines in the Logster AI model.
- Structured stdout logging from every service, trivially shipped to any log aggregator.