Re: properly filtering windows logs
Yea, severity levels can be unreliable in some cases. What is the most critical activity that happens on the network for your company? Are you getting any firewall events logged? Is it just the Windows...
Re: Modifying your own AD account Alerts
Ah! That makes sense. Can you copy/paste a couple of example events (and maybe the source events from the event log)? Maybe we can find a way to make this work more cleanly.
LEM/FIM alerting to a file extension change
Hello All, I am new to LEM and I am trying to set up file auditing using FIM. I have FIM getting data when a file is changed, for example, Word.docx changes to word.docx.ecc. I want to set up a rule to...
Re: How to monitor activity by users of the admin group
Hi rickb@fresnocfcu.org - I have moved this to the LEM forum in the hopes you will have some more visibility on this question from folks that know LEM well.
Re: Modifying your own AD account Alerts
Here is a screenshot of what I wanted to alert on. Sorry for all the black; I had to remove anything that references our AD or AD structure.
Re: Error with Reports Manager
I had been having an issue with the login failure error message too. I tried different account types but had the same message regardless. Disabling TLS in the connection profile sometimes let it in but...
Re: Error with Reports Manager
This was an excellent addition to the thread, thank you! I ran the steps as described and when the system checked the existing certificate it threw up this error: The current...
Setting up LEM to detect Advanced Persistent Threats (APTs)/Trojan-Ransom
All, Due to recent events, my company wants to expand LEM to notify our team when Advanced Persistent Threats (APTs)/Trojan-Ransom infect our network. Reading the following links gives a good...
Re: LEM SDK?
Hey Nicole, I just wanted to check and confirm that it's still true that LEM doesn't have any form of SDK or API that can be used to expose data? I understand why it wouldn't with it being a "secure"...
LEM Event Severity Filter
I'm looking to grab individualized severity levels in a filter. Anyone know a way to go about this intelligently? Ideally I'd have a user generated filter group that says "Severity" then underneath of...
Re: How to monitor activity by users of the admin group
Hi rickb@fresnocfcu.org, There are a couple of ways to monitor administrator activity. First I would caution on configuring a rule for all administrator activity. With everything an administrator...
Re: Creating a Rule to Monitor a Specific Folder
Thank you very much for this. I have imported the new rule but am having difficulty finding the corresponding $EventInfo and $DetectionTime fields - I can't find the "File Audit Alerts Only" field from...
Re: LEM/FIM alerting to a file extension change
You have to drop the appropriate event fields in those empty "slots" under "Recipients". Look at the event data that has been generated and decide what information from those event data you want to see...
Re: LEM Event Severity Filter
This is what I have to trap events with the severity levels higher than 4. Pretty simple. But then you have to realize what information is being pulled into LEM in your case. I have some firewalls...
Re: Setting up LEM to detect Advanced Persistent Threats (APTs)/Trojan-Ransom
Check out the rules that came with LEM, some of them (especially the ones in the Security section) are oriented towards detecting APTs, for instance SQL injection. I would like to hear opinion on this...
Re: LEM: How to access printer log events (syslog)?
Update in case anyone else does any searching on this - I opened a support ticket with SolarWinds and had a tech support call on this topic. The LEM logging behavior is expected and working as...
Re: LEM Event Severity Filter
Winner Winner (Food of choice that you get yourself) Dinner! Thanks! That's pretty sweet.
Logon attempts to local accounts
I was watching a very interesting video, "Windows Security Log Secrets", the other day, and this looked like a useful rule to implement. Can anybody help me put this one together?
Re: Rule triggers when it is not supposed to trigger
Holyguacamole, Thank you for the reply. I made the changes you described. However, I am still getting events from the servers in which I have placed a NOT (≠) in the logic. Following are screen...