New features in MaxPatrol SIEM keep infrastructure information up to date

Positive Technologies has released version 6.1 of MaxPatrol SIEM. In the new version, users can quickly find and update IT assets with outdated data, store incidents in PostgreSQL, and monitor correlator loads.

Stay up to date with quicker collection and age monitoring of asset data

Previous versions would assign network scanning tasks to agents at the beginning of the data collection process. Over time, some agents would come to be under higher load than others, causing longer task queues. Tasks are now assigned to agents as resources become available. As a result, agent loads are more even and asset data is updated more quickly.

To keep infrastructure information up to date, users of MaxPatrol SIEM 6.1 can set a maximum age for asset data. Assets with outdated data can be identified with a special widget or by filtering the asset list.

Knowing about changes in assets is important for incident investigation. Previously, database filters reflected only current asset data. Finding information about the past state of an asset required navigating to view that particular asset. When performing searches in MaxPatrol SIEM 6.1, users can now specify a moment or time period with the help of special interface fields or PDQL queries. 1

Selecting a point in time to search for asset data
Selecting a point in time to search for asset data

Store incidents in PostgreSQL

MaxPatrol SIEM now stores security incidents in PostgreSQL. Previous versions used Microsoft SQL Server, with a maximum database size of 10 GB. Storing data above that limit required either clearing the database manually or buying an additional license for unlimited storage in SQL Server. With the transition to PostgreSQL, MaxPatrol SIEM users can store and process an unlimited amount of incident information.

Alexey Andreev, Director of Research and Development at Positive Technologies, said: "We chose PostgreSQL because it is cross-platform, running on both Windows and Linux. This is important because in the next version of MaxPatrol SIEM, we plan to give users the ability to opt for pure Linux installations."

Create dashboards with unlimited widgets and share them with colleagues

Dashboards have gained new features in MaxPatrol SIEM 6.1. Widgets can be added to a dashboard in any number and reordered. Widget width is now configurable. Dashboards can be shared with colleagues. To do this, save the dashboard as a template, which can be applied by other users of the current MaxPatrol SIEM installation. Another change: two new widgets allow monitoring the number of assets without a specified significance level and the age of asset data (based on the user-specified age threshold).

Updated dashboard
Updated dashboard

Use new taxonomy fields in normalization and correlation rules

MaxPatrol SIEM 6.1 adds new event fields related to user authentication, actions with accounts and groups, process launch, and request execution. These fields can be used in event normalization rules 2 and threat detection rules (correlation rules).

For more consistent data collection, the upcoming version of the product will include documented normalization schemes for the most popular event categories. This is necessary because Positive Technologies experts, company partners, and MaxPatrol SIEM users take different approaches when writing normalization rules. As a result, the same types of data can be collected from sources in different ways. Such variability makes it more difficult to detect incidents, since source-specific normalization "quirks" must be accounted for in correlation rules. Consistent data collection will simplify APT detection and increase the completeness of MaxPatrol SIEM search and reporting.

When MaxPatrol SIEM 7 is released, we will encourage partners and customers to use the documented normalization schemes for collecting data from new sources. Positive Technologies will adhere to these schemes when releasing new normalization rules. All existing normalization and correlation rules supplied by Positive Technologies will be gradually rewritten to take advantage of the updated taxonomy.

Monitor rule memory use

MaxPatrol SIEM 6.1 determines which correlation rules consume the most RAM and create the largest burden on the correlation engine. This helps to see which rules should be rewritten or adjusted for greater precision, to avoid extended waits for missing trigger conditions.

Memory footprints of correlation rules
Memory footprints of correlation rules

What's no longer in MaxPatrol SIEM

MaxPatrol SIEM no longer supports:

  • Endpoint Monitor, which was an agent designed to monitor activity on file servers and workstations (we plan to review our approach to this functionality at a later date)
  • Zabbix for monitoring the operation of MaxPatrol SIEM (affected customers should consider Telegraf or Grafana, which are easier to set up and use)

In MaxPatrol SIEM 6.1, display of information about asset vulnerabilities requires a MaxPatrol Vulnerability Management license.

Other changes

MaxPatrol SIEM 6.1 supports data import to the PT Knowledge Base, as well as new versions of Elasticsearch and Debian. Update and installation speeds have become 25 percent faster thanks to installer optimizations.


  1. Positive Data Query Language (PDQL) is a language developed by Positive Technologies for writing knowledge base queries involving security events, incidents, dynamic asset groups, and tabular lists in MaxPatrol SIEM.
  2. Normalization rules convert events received by MaxPatrol SIEM from diverse data sources (such as the OS, security products, logs, and databases) into a consistent format for ease of analysis and processing.