
ADMINISTRATOR GUIDE

Security Event Manager


Version 2022.4

Last Updated: Friday, December 9, 2022


© 2022 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled,
published or distributed, in whole or in part, or translated to any electronic medium or other means
without the prior written consent of SolarWinds. All right, title, and interest in and to the software,
services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates,
and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR
IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT
LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY
INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS
LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY
OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of
SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office,
and may be registered or pending registration in other countries. All other SolarWinds trademarks,
service marks, and logos may be common law marks or are registered or pending registration. All
other trademarks mentioned herein are used for identification purposes only and are trademarks of
(and may be registered trademarks) of their respective companies.

Administrator Guide: Security Event Manager page 2


Table of Contents
SEM setup, configuration, and maintenance 7
Log in to SEM 7
SEM setup, configuration, and maintenance 11
Configure SEM settings and services 17
Manage SEM system resources 43
Secure SEM 55
SEM Console 60
Dashboard 60
Live and Historical Events 60
Rules 60
Configure 60
Visualize network and log data through the SEM Dashboard 62
Available SEM widgets 63
Edit the SEM dashboard 65
Add Dashboard widgets 67
Manage users in SEM 78
Add SEM users 78
View system privileges associated with a role 82
Set the global password policy for SEM users 95
Set up Active Directory authentication in SEM 95
Set up single sign-on in SEM 102
Change the SEM CMC password 113
Monitor role users and filters 114
Send event data to SEM via Agents, syslog, and SNMP 115
Get started adding systems and devices to SEM 115
Configure SEM agents after they are installed 116
Create connector profiles to manage and monitor SEM agents 117
Create a new connector profile 118
Add syslog and agent nodes to SEM 127

Update SEM agents 129
Set up a separate syslog server for use with SEM 130
Node management 131
Edit node connectors 132
Update SEM agents manually 134
Update SEM connectors automatically 134
Add and remove agents from connector profiles 135
Configure the Email Active Response connector 136
Configure Windows domain controller connectors 138
Verify USB Defender is installed on a SEM agent 139
Enable additional connectors to add extra log sources to SEM 140
Configure a firewall connector on a SEM Manager 140
Verify that the correct alias value is associated with the connector 141
Export SEM node information 142
SEM connectors: Normalize events sent from specific products on your network 143
Configure SEM connectors for agent and non-agent devices 143
Apply a SEM connector update package 143
SEM connector categories 146
Microsoft SQL Server connectors authentication methods 151
Configure SEM to monitor firewalls, proxy servers, domain controllers, and more 152
Configure SEM to monitor firewalls for unauthorized access 152
Configure SEM to monitor proxy servers for suspicious URL access 159
Configure SEM to monitor antivirus software for viruses that are not cleaned 161
Configure FIM connectors to monitor Windows files, directories, and registry settings 163
Enable Windows file auditing for use with SEM 177
Configure Windows audit policy for use with SEM 178
Configure the USB Defender local policy connector in SEM 184
Configure SEM to monitor Microsoft SQL databases for changes to tables and schemas 185
Configure SEM to monitor Windows domain controllers for brute force hacking attempts 187
Configure SEM to track Cisco buildup and teardown events 193
Configure user-defined groups in SEM 195
How rules and filters use user-defined groups 195

Create or edit a user-defined group 196
Customize the blank and sample user-defined groups included with SEM 201
About SEM groups 201
Import user-defined group elements 204
Export user-defined group elements 205
Configure Directory Service Groups in SEM 206
SEM Event Views: Live and Historical 210
The SEM Live Events Viewer 211
Analyze historical data in SEM 236
Set live and historical event limits 264
Occurrence settings 265
Editing expressions 266
SEM rules: Automate how SEM responds to events 267
Get started building custom rule expressions in SEM 267
About SEM rules 268
Create a new rule 269
Example SEM rules 292
SEM response actions: Respond to network and system events in SEM 302
About SEM response actions 302
Use computer-based active responses in SEM 314
Use the Append Text to File active response in SEM 315
Configure an active response connector on a SEM agent 316
Use the Block IP active response in SEM 316
Configure the Detach USB Device active response in SEM 318
Configure the Disable Networking active response in SEM 319
Configure the Kill Process active response in SEM 320
SEM reports: Create reports for regulatory and compliance purposes 321
About SEM reports 321
Setting up the SEM reports application 323
The SEM reports application interface 326
The Preferences group 332
Find, filter, and group SEM reports 333

Run a SEM report on-demand or schedule a SEM report to run later 346
Create a custom SEM report 362
Use the Select Expert tool to create a more focused SEM report 366
Manage SEM reports: Open, print, and more 369
Default reports included with SEM 377
The SEM command-line interface: Using the CMC 428
About the CMC command line 428
SEM CMC main menu 428
SEM CMC appliance menu 430
SEM CMC manager menu 432
SEM CMC service menu 434
SEM CMC rawlogs menu 436
SEM troubleshooting 438
Troubleshoot alerts on the SEM Console 438
Troubleshoot SEM Agents and network devices 442
Troubleshoot network device logging or syslog device logging in SEM 446
Troubleshoot the SEM reports application 448
Glossary of SEM terms 450


SEM setup, configuration, and maintenance


This section describes how to set up the Security Event Manager following installation, and how to
configure SEM to interact with other services in your IT environment.

SolarWinds advises, as a best practice, that the SEM appliance not be reachable from the Internet
or any public-facing network. Keeping it off public networks helps prevent access by unauthorized
users. For further information on SEM security, see the SEM security checklists.

Log in to SEM
This section describes how to log into the user interfaces you will need to work with SEM.

Log in to the SEM Console


 1. Open a web browser and connect to the SEM Console using the URL you were provided with.

 2. Enter your user name and password, and then click Log in.

If SSO is enabled, you can log in by clicking Log in with SSO and using your Windows
credentials.


Log in to the SEM CMC command line interface


Use the CMC command-line interface (CLI) to perform administrative tasks such as:
 l Rebooting or shutting down the SEM VM
 l Upgrading the SEM Manager software
 l Applying connector updates
 l Deploying new connector infrastructure to SEM Managers and Agents

There are two ways to log in to the CMC CLI:


 l Connect using the console provided with your hypervisor
 l Connect using a secure shell (SSH) client such as PuTTY

CMC Access Restrictions


The following access restrictions apply to the CMC command-line interface:
 l You do not need an account with root access to administer SEM from the CMC command line.
 l You need to enter the CMC user name and password to log in to the CMC command line using
SSH. The user name is cmc and the default CMC password is password. See Change the SEM
CMC password to change it.
 l You need to enter the CMC user name and password to log in via the hypervisor console in
Hyper-V and VMware.
 l SSH access to the CMC interface can be restricted by IP address or host name. When this
security feature is enabled, every login to the CMC interface is blocked except for users who
connect from an explicitly allowed IP address or host name. See Restrict SSH access to the
CMC interface for details.

Log in to the CMC command-line interface using the hypervisor virtual console

See your hypervisor documentation for information about using the virtual console.

 1. Open your hypervisor and connect to the SEM VM:


For VMware vSphere:
 a. Click the Console tab.
 b. Select Advanced Configuration on the main console screen, and press Enter to access the
command prompt.
For Hyper-V:


 a. Click Action > Connect, and then click the Console tab.
 b. Use the arrow keys to navigate to Advanced Configuration, and press Enter.
 2. Enter the CMC user name and password.
The CMC menu appears with a cmc> prompt.

Next steps:
 l See CMC: Using the SEM command line tool for a list of supported commands.

Log in to the CMC command-line interface using SSH

See CMC Access Restrictions for information about credentials and SSH access restrictions.

You can connect to SEM using a secure shell (SSH) client (such as PuTTY). The following steps show
how to configure PuTTY to open the CMC command line, but these settings will work in any SSH
client.

 1. Open PuTTY and verify that Session is selected in the Category section.

 2. Enter the following:


 l Host Name (or IP address) – Enter the IP address of the SEM VM. In this example, the IP
address is 10.1.1.200.


 l Port – Enter 22.


 l Protocol – Select SSH.
 l Saved Sessions – Enter SEM Manager, and then click Save.

 3. Click Open.

The next time, double-click SEM Manager in the Saved Session box to open the
connection.

 4. Log in to the appliance:


 a. At the login as: prompt, type cmc, and then press Enter.
 b. At the password prompt, type your password, and then press Enter.

The default CMC password is password. See Change the SEM CMC password to
change it. For help recovering a lost CMC password, contact SolarWinds Support.

The cmc> prompt opens with a list of available commands.

Next steps:
 l See CMC: Using the SEM command line tool for a list of supported commands.


SEM setup, configuration, and maintenance


SEM Setup Wizard


Once SEM is set up and configured in your environment, you can access the SEM Console from SEM,
or log in directly.

 1. Open a web browser and connect to the SEM Console using the URL you were provided. For
example, http://10.199.129.1/webui/auth.


 2. Enter your user name and password, and then click Login.


 3. To accept the terms of license agreement, select the check box, and then click Next.

 4. Enter and confirm your new password, and then click Next.


 5. Enter your email address for contact and download verification, and then select or clear the
check box to send usage statistics to SolarWinds.

 6. Click Start using SEM.

Run the activate command to secure SEM and configure network settings
You can still evaluate SEM without running the activate command. You can also turn off HTTP.

Run the Activate command after you install the license (see Manage SEM licenses for help). This
command will help secure SEM from unauthorized users.

The activation procedure prompts you to complete the following tasks:


 l Configure a static IP address and hostname for the SEM VM
 l Configure a secure password
 l Verify your network configuration
 l Specify a list of IP addresses that can access SEM reports (optional)
 l Export the SSL certificate that ensures secure communications between the SEM desktop
console and the SEM Manager

Port 8080 is unsecure and is automatically disabled after activation has been completed. Port
8443 is always available.

Prepare to run the Activate command


If you plan to use the SEM desktop console, copy the SEM CA SSL certificate to the Trusted Root
Certification Authorities certificate store prior to running the Activate command.


By default, SEM uses a pre-made, self-signed certificate.

When the activation is complete, the SEM VM automatically exports the SSL certificate, and the SEM
desktop console connects with the SEM Manager using secure communications on port 8443.

 1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.
The default password is password.
 2. At the cmc> prompt, type manager.
 3. At the cmc::manager> prompt, type exportcert.
This command exports the CA certificate so that you can import it into a computer running the
SEM console.
 4. Follow the prompts to export the SEM Manager CA certificate.
An accessible network share is required. Once the export is successful, you will see the
following message: Exporting CA Cert to \\server\share\SWICAer -hostname.crt ...
Success.

 5. Locate and double-click the certificate on the network share.


 6. Click Next, and then select Place all certificates in the following store.
 7. Click Browse.
 8. Select Trusted Root Certification Authorities, click OK, and then click Next.
 9. Click Finish.
 10. Click Yes to confirm that you trust the certificate.

Run the Activate command


 1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.
The default password is password.
 2. Configure SEM to use a static IP address:

SolarWinds recommends configuring a static IP address for the SEM VM. If you use
DHCP instead and your IP address changes, your deployed Agents may be disconnected
and require additional troubleshooting to resolve.

 a. At the cmc> prompt, type appliance, and then press Enter.
The prompt changes to cmc::appliance> to indicate that you are in the appliance
configuration menu.


 b. Type activate, and then press Enter.


The Activation splash screen appears.
 c. To go to the next screen, press Enter.
 d. When prompted, select Yes to configure a static IP address for the SEM VM.
 e. At the cmc::appliance> prompt, type netconfig, and then press Enter.
 f. At the prompt, type static, and then press Enter.
 g. Follow the steps on your screen to configure the Manager Appliance network parameters.

Be sure to enter a value for each prompt. Leaving blank entries results in a faulty
network configuration that requires you to rerun netconfig.

 h. Record the IP address assigned to the SEM VM. You will use this IP address to log in to
the SEM console.
 3. When prompted to change the hostname, select either Yes to specify a hostname, or No to
accept the default hostname. To specify a hostname, use the following naming conventions:
 l Hostname labels can only contain the following:
 o ASCII letters A through Z (letters are not case sensitive)
 o Digits 0 through 9
 o Hyphens (-)
 l Hostnames cannot start with a digit or a hyphen, and must not end with a hyphen.
 l No other symbols, punctuation characters, or white spaces are permitted.

 4. When prompted to specify a list of IP addresses that can access reports, SolarWinds
recommends selecting Yes.

 5. Confirm your network configuration.


 a. To confirm your network configurations, enter viewnetconfig at the cmc::appliance>
prompt.

To ensure secure communications between SEM and the SEM desktop console, the
SEM VM automatically exports an SSL certificate when the activation completes.
Following activation, the SEM desktop console securely connects with the SEM VM
on port 8443.

 b. Follow the prompts to export the certificate to a network share.
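The hostname rules given in step 3 of the activation procedure (ASCII letters, digits, and hyphens only; no leading digit or hyphen; no trailing hyphen) are easy to get wrong when typing into netconfig, and a faulty value means rerunning the command. The following checker is an added example, not code from the SolarWinds guide or from SEM itself. It applies the stated rules to every dot-separated label of a hostname and reports each violation; the 63-character label and 253-character name limits are assumptions taken from DNS practice, not rules stated on this page.

```python
import re

# One hostname label as the guide describes it: starts with an ASCII letter,
# then letters, digits or hyphens, and does not end with a hyphen.
# (The guide forbids a leading digit, which is stricter than RFC 1123.)
_LABEL_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def is_valid_label(label: str) -> bool:
    """True if a single hostname label follows the stated conventions."""
    # The 63-octet label limit is an assumption from DNS, not a rule on this page.
    if not label or len(label) > 63:
        return False
    return _LABEL_RE.match(label) is not None


def is_valid_hostname(hostname: str) -> bool:
    """Validate a full hostname: one or more labels separated by dots."""
    # The 253-character total limit is likewise a DNS assumption.
    if not hostname or len(hostname) > 253:
        return False
    return all(is_valid_label(label) for label in hostname.split("."))


def check_hostname(hostname: str) -> list:
    """Return human-readable problems for a hostname; an empty list means it is acceptable."""
    problems = []
    if not hostname:
        return ["hostname is empty"]
    for label in hostname.split("."):
        if not label:
            problems.append("empty label (consecutive or trailing dots)")
            continue
        if label[0].isdigit():
            problems.append(f"label '{label}' starts with a digit")
        if label.startswith("-"):
            problems.append(f"label '{label}' starts with a hyphen")
        if label.endswith("-"):
            problems.append(f"label '{label}' ends with a hyphen")
        # Anything that is not an ASCII letter, ASCII digit or hyphen is disallowed,
        # which also rejects underscores, spaces and non-ASCII letters.
        bad = sorted({c for c in label if not (c.isascii() and (c.isalnum() or c == "-"))})
        if bad:
            problems.append(f"label '{label}' contains disallowed characters: {''.join(bad)}")
    return problems


if __name__ == "__main__":
    for candidate in ("sem-manager01", "1sem", "sem_mgr", "-sem-", "sem.example.com"):
        print(f"{candidate!r}: {check_hostname(candidate) or 'ok'}")
```

Run the checker on the name you intend to enter before starting activate; is_valid_hostname gives a yes/no answer, and check_hostname explains which rule a rejected name breaks.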


Configure SEM settings and services


This section describes how to configure SEM to interact with the other systems and services in your
IT environment.

See Sending logs and event data to SEM to learn how to configure SEM to receive log events
from other systems and services in your IT environment.

SEM console settings


On the SEM console, click the Settings button to access select authentication and configuration
settings. The following settings are available:

Tab: Settings

Authentication: In the Authentication settings, you can manage Single Sign On (SSO) connection
settings, create LDAP configurations, and set minimum password requirements for local SEM user
accounts.

Events Limits: You can set the maximum number of results per historical search query, as well as
the maximum number of events appearing in each Events viewer filter and dashboard widget.

Improvement Program: Enter your email address to send usage statistics to SolarWinds to help us
improve our products.

Log Forwarding: Enable log forwarding to direct your raw (unnormalized) log messages to a
dedicated server. This option allows you to forward log data to third-party systems and other SIEM
tools.

Manage License: View, upgrade, activate, and deactivate your SEM license.

System Resources: Lists the platform name, memory and CPU information, and the manager name,
version, and IP address. Also includes the one-click download debugs feature.

Threat Intelligence: Enable the Threat Intelligence feed, which enables SEM to detect threats based
on lists of known malicious IP addresses.

Updates: Enable automatic updates for agents and connectors.

Web Console: Create a customized plain-text notification banner to provide information to users
before they gain access to SEM.


Start and Stop SEM components


Follow these procedures to start and stop the SEM Manager and the SEM Agents.

Stop or restart the SEM Manager


These steps also apply to the SEM VM and SEM appliance.

Do not right-click the host and choose power off or shutdown guest. You can corrupt the SEM
database and file system if you do not shut down SEM properly.

 1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.
 2. Type appliance at the cmc> prompt.
 3. Either:
 l Shut down the VM:

 a. At the cmc::appliance> prompt, type shutdown.


 b. Follow the commands to shut down the SEM VM.
 l Restart the VM:

 a. At the cmc::appliance> prompt, type reboot.


 b. Follow the commands to restart the SEM VM.

Start and stop the SEM Agent on Windows


 1. Press the Windows key + R to open the Run dialog box.
 2. Type services.msc, and then press Enter.

The Services window opens.


 3. Scroll down and select SolarWinds Security Event Manager Agent.
 4. To stop or start the service, click the Stop or Start buttons near the top of the window.

Enable log forwarding


On the SEM Console Settings page, enable log forwarding to direct your raw (unnormalized) log
messages to a dedicated server. This option allows you to forward log data to third-party systems
and other SIEM tools.

When you configure connectors to send original log data to SEM, the messages are then auto-
forwarded to the designated location. To use this feature, configure rawlogs and applicable
connectors accordingly.


When enabled, you can switch between storing logs in the raw logs database and forwarding logs
with syslog protocols (RFC 3164 and RFC 5424). There is no option to filter logs based on IP
address, connectors, rules, etc.

 l Rules do not fire on raw (unnormalized) log data. Rules can only fire on normalized data.
 l Raw (unnormalized) log messages do not appear in Monitor view in the console.
 l If you enable original log storage (raw database storage), and you enable connectors to
send data to both databases, SEM storage requirements may double for the same
retention period, and extra resource reservations of at least two additional CPUs and 8-
16GB of RAM may be required.

Configure connectors to send original log data to SEM


 1. Open the connector for editing in the Connector Configuration window for the SEM Manager or
SEM Agent, as applicable:
 l If the connector has already been configured, stop the connector by clicking gear > Stop,
and then click gear > Edit.
 l If the connector has not been configured, create a new instance of the connector by
clicking gear > New next to the connector you want to configure.

 1. On the SEM Console, navigate to Configure > Node.


 2. Select an agent node, and then click Manage node connectors.


 3. Select a node connector, click Stop, and then click Edit.


 4. Under Output, select Raw or Raw + Normalized.

 5. Click Save, and then click Start.

Establish log forwarding settings


 1. On the SEM Console, click the Settings button.


 2. On the Settings page, click the Log Forwarding tab.

 3. To enable log forwarding for adjusted connectors, select the Enable log forwarding for adjusted
connectors check box.

Log Forwarding can only be enabled for connectors whose Output setting includes raw
logs.

 4. Enter the destination IP address or host name, and then enter the destination port.
 5. Make a selection from each of the following drop-down lists (the standard settings appear by
default):
 l Protocol: UDP or TCP
 l RFC format: 3164 or 5424
 l Severity: The severity level is applied to all forwarded logs
 l Facility: The destination application
 6. Enter an App name (optional), and then click Save.
 7. To return to the SEM Console, click the Events tab.
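The Protocol, RFC format, Severity, Facility and App name settings above decide the exact shape of each line that reaches the destination server, and the receiving SIEM will only parse the stream correctly if its expectation matches. The following script is an added example, not code from the SolarWinds guide or from SEM: it builds one constructed raw log line both as RFC 3164 and as RFC 5424 syslog with a chosen facility and severity, then parses either format back to show how the PRI value (facility * 8 + severity) and the App name are recovered on the receiving side. The hostname sem-manager, the app name SEM and the log text are constructed sample values.

```python
import re
from datetime import datetime, timezone

# Facility and severity codes as defined in RFC 5424 section 6.2.1 (RFC 3164 uses the same numbering).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

# Constructed sample input: a raw (unnormalized) log line and a fixed timestamp, not real SEM output.
RAW_LOG = "Login failure for user admin from 10.1.1.50"
SAMPLE_TIME = datetime(2022, 12, 9, 10, 15, 30, tzinfo=timezone.utc)


def priority(facility: str, severity: str) -> int:
    """PRI value carried in the angle brackets: facility * 8 + severity (0..191)."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def format_rfc3164(raw, hostname, app, facility, severity, when):
    """<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG; the day is space-padded, as RFC 3164 requires."""
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{priority(facility, severity)}>{ts} {hostname} {app}: {raw}"


def format_rfc5424(raw, hostname, app, facility, severity, when):
    """<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG; '-' is the nil value."""
    ts = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{priority(facility, severity)}>1 {ts} {hostname} {app} - - - {raw}"


_RFC3164 = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$")
_RFC5424 = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[[^\]]*\])+)(?: (.*))?$")


def parse_syslog(line: str):
    """Decode a forwarded line in either format; return None if it matches neither."""
    m = _RFC5424.match(line)
    if m:
        pri = int(m.group(1))
        if pri > 191:
            return None
        return {"version": 5424, "facility": pri // 8, "severity": pri % 8,
                "timestamp": m.group(2), "hostname": m.group(3), "app": m.group(4),
                "msg": m.group(8) or ""}
    m = _RFC3164.match(line)
    if m:
        pri = int(m.group(1))
        if pri > 191:
            return None
        return {"version": 3164, "facility": pri // 8, "severity": pri % 8,
                "timestamp": m.group(2), "hostname": m.group(3), "app": m.group(4),
                "msg": m.group(5)}
    return None


def demo():
    """Format the constructed sample both ways, with Facility local4 and Severity notice."""
    args = (RAW_LOG, "sem-manager", "SEM", "local4", "notice", SAMPLE_TIME)
    return format_rfc3164(*args), format_rfc5424(*args)


if __name__ == "__main__":
    for line in demo():
        print(line)
        print("  ->", parse_syslog(line))
```

Point the parser at a capture taken on the destination server to confirm that the RFC format, facility and severity the receiver sees are the ones configured on the Log Forwarding tab; a mismatch between the two regexes and the captured lines is the usual reason a downstream SIEM files forwarded SEM logs under the wrong facility or drops them.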


Download debug logs


SEM simplifies the system troubleshooting process by adding a one-click debug log download
feature, which no longer requires a third-party application and additional configuration steps.

 1. On the SEM Console, click the Settings button.

 2. On the Settings page, select the System Resources tab, and then click Download Debug logs.
The debug logs (.tgz file) will download to your system.

Set the date, time, and time zone on your SEM VM


This topic describes how to synchronize the date and time settings on the hypervisor and the SEM
VM.

The SEM VM is configured to synchronize with the hypervisor date and time by default. If the time is
off by more than five minutes, the SEM rules will not operate properly.

 1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.
 2. Update the time zone in your SEM Manager.
 a. At the cmc> prompt, type appliance, and then press Enter.
 b. At the cmc::appliance> prompt, type dateconfig, and then press Enter.
 c. Press Enter, and then enter the current date in month/day/year format (MM/DD/YYYY).
 d. At the cmc::appliance> prompt, type tzconfig, and then press Enter.

 e. To configure the time zone, press Enter, and then follow the onscreen prompts.
 f. At the cmc::appliance> prompt, type exit, and then press Enter to return to the main
menu.
 3. Update the time in your hypervisor.
 a. At the cmc> prompt, type manager, and then press Enter.
 b. At the cmc::manager> prompt, type viewsysinfo, and then press Enter.
The system information is displayed:


Virtualization Platform: VMware


----------------------------------------
Clock
Synchronization : Enabled
Hypervisor Time : 6 May 2016 09:07:31
Guest Time : Fri May 6 09:07:31 2016

 c. Using the keyboard, scroll down to Hypervisor Time and change the date and time so they
match the date and time in the SEM Manager.

Press h for help with moving and line editing commands.

 d. Using the keyboard, scroll down to Guest Time and ensure that the date and time matches
the same settings in the SEM appliance.
 4. Type Exit, and then press Enter.
 5. To exit the CMC interface, type Exit, and then press Enter again.
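The viewsysinfo output above shows the hypervisor and guest clocks in two different layouts, and the guide's limit is a skew of more than five minutes before rules misbehave. The following checker is an added example, not code from the SolarWinds guide or from SEM: it parses a constructed copy of that Clock block, computes the skew between the two timestamps, and flags a disabled synchronization or a skew over the five-minute limit. The exact field layout is assumed to match the sample printed on this page; the real command may print additional lines.

```python
from datetime import datetime, timedelta

# Constructed sample in the layout shown on the page for viewsysinfo (assumed; not captured from a live system).
SAMPLE_SYSINFO = """\
Virtualization Platform: VMware
----------------------------------------
Clock
Synchronization : Enabled
Hypervisor Time : 6 May 2016 09:07:31
Guest Time : Fri May 6 09:07:31 2016
"""

MAX_SKEW = timedelta(minutes=5)   # limit stated in the guide for SEM rules to operate properly

# Timestamp layouts as they appear in the sample output.
HYPERVISOR_FMT = "%d %b %Y %H:%M:%S"      # "6 May 2016 09:07:31"
GUEST_FMT = "%a %b %d %H:%M:%S %Y"        # "Fri May 6 09:07:31 2016"


def parse_sysinfo(text: str) -> dict:
    """Collect the 'key : value' fields of the Clock block into a dict."""
    fields = {}
    for line in text.splitlines():
        if " : " in line:
            key, _, value = line.partition(" : ")
            fields[key.strip()] = value.strip()
    return fields


def clock_skew(text: str) -> timedelta:
    """Absolute difference between the hypervisor and guest clocks in the output."""
    fields = parse_sysinfo(text)
    hypervisor = datetime.strptime(fields["Hypervisor Time"], HYPERVISOR_FMT)
    guest = datetime.strptime(fields["Guest Time"], GUEST_FMT)
    return abs(hypervisor - guest)


def check_clock(text: str) -> tuple:
    """Return (ok, message); ok is False when sync is off or the skew exceeds MAX_SKEW."""
    fields = parse_sysinfo(text)
    sync = fields.get("Synchronization", "unknown")
    if sync.lower() != "enabled":
        return False, f"clock synchronization is {sync}; guest time may drift"
    skew = clock_skew(text)
    if skew > MAX_SKEW:
        return False, f"clock skew {skew} exceeds {MAX_SKEW}; SEM rules may not fire correctly"
    return True, f"clock skew {skew} is within the {MAX_SKEW} limit"


if __name__ == "__main__":
    print(check_clock(SAMPLE_SYSINFO))
    drifted = SAMPLE_SYSINFO.replace("Fri May 6 09:07:31 2016", "Fri May 6 09:20:00 2016")
    print(check_clock(drifted))
```

Paste the Clock block from your own viewsysinfo output into the checker after changing the date or time zone; a result of ok=False is the cue to revisit dateconfig and tzconfig before trusting time-based rule correlation.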

Manage SEM licenses


View SEM license information
Use the following steps to view SEM license information.

See Choose a licensing method for your SEM deployment in the SEM Installation Guide to learn
how SEM is licensed.

Manage licenses
On the Settings page, you can view, upgrade, activate, and deactivate your SEM license.

Only administrators can upgrade, activate, and deactivate a license.

To display license information, click the Settings icon, and click Manage License.

The link on the upper right will depend upon whether the license is active or inactive.

If you do not have a license or it is inactive, Activate license will be displayed.


 l For online activation: click Activate license, enter your license key, name, email, and phone
number, and then click Activate.
 l For offline activation: click Activate license, use your unique ID to generate the license file, or
click Browse to select your license file, and then click Activate.

If you do not have a license key, click Purchase license key. This directs you to the current
licensing options available for SEM on the SolarWinds website.

If SEM is already licensed and activated, license information will be displayed and the options will be
to Upgrade or Deactivate.


Configure LDAP for SEM


In SEM 2020.4 and newer versions, you can create multiple LDAP connections.

 1. Click the settings icon on the upper right.

 2. Select Authentication > LDAP Configuration.

If any LDAP configurations have already been created these are displayed.

 3. Click Create configuration.


The Create LDAP Configuration dialog is displayed.

 4. Enter the following information:


Field: Description

Configuration Name: Enter a friendly name of your choosing for the LDAP configuration.

IP or Hostname: Enter the IP address or host name of your LDAP server.

Domain: Enter the fully-qualified domain name for the account store.

Directory Service Server User Name: Use the format account_name@example.com. SolarWinds
recommends using a Directory Service account to prevent integration issues if the software license
expires. The user name does not require special privileges (such as Domain Admin) to be a
Directory Service user.

Directory Service Server Password: Enter the password for the user account.

Use SSL Encryption (Optional): Select to use the transport layer security protocol (LDAPS) for a
secure connection. This option directs traffic from the SEM VM to a designated server (usually a
domain controller) for use with the Directory Service tool.

LDAP Port: If SSL encryption is not used, the default for this setting is 389. If SSL encryption is
used, the default for the port is 636.

Use for Authentication: Select, then click Next if you wish to use the Advanced Settings shown
below.

Domain Aliases (Optional): Specify any Domain Alias names that should be authenticated using this
LDAP configuration. (The role/group names configured on this page will also apply.)

NetBIOS Names (Optional): Specify any NetBIOS names that should be authenticated using this LDAP
configuration. (The role/group names configured on this page will also apply.)

Admin Group (Optional): Specify the DS group in Active Directory to use for the SEM administrator
role. If you do not specify a name, the default ROLE_LEM_ADMINISTRATORS group is used.

Alerts Only Group (Optional): Specify the DS group in Active Directory to use for the SEM auditor
role. If you do not specify a name, the default ROLE_LEM_AUDITOR group is used.

Guest Group (Optional): Specify the DS group in Active Directory to use for the SEM guest role. If
you do not specify a name, the default ROLE_LEM_GUESTS group is used.

Notify Only Group (Optional): Specify the DS group in Active Directory to use for the SEM
notifications role. If you do not specify a name, the default ROLE_LEM_CONTACTS group is used.

Reports Group (Optional): Specify the DS group in Active Directory to use for the SEM reports role.
If you do not specify a name, the default ROLE_LEM_REPORTS group is used.

 5. Click Next.


 6. If you are using SSL encryption, the SSL certificate will be shown. Click I trust this certificate to
confirm.
 7. Click Finish to create this configuration.
 8. Configurations can be sorted by name. For each configuration, the name, server, and domain are
displayed, plus flags showing whether it uses SSL and whether it is used for Authentication.

Enable and disable LDAP configurations


Configurations are enabled as soon as they are created.

Use the toggles to disable or enable individual LDAP configurations.

A warning message is displayed if you disable a configuration informing you that users will be
unable to log on from that domain and any logged-in users from that domain will be
immediately logged out.

Edit or delete an LDAP configuration


 1. To edit or delete an LDAP configuration, click on the vertical ellipsis icon after the configuration.

 2. Either:
 l Click Edit to display the Configure LDAP details for this configuration, which can now be
edited and saved.
Or:
 l Click Delete to remove this configuration.


Configure the Email Active Response connector in SEM


Configure the Email Active Response connector in SEM to send automated emails to console users
when a rule is triggered. This connector specifies the SMTP Relay mail host used to send emails and
provides the requisite server credentials.

If you used the SEM Setup Wizard to set up your SEM environment, then the Email Active
Response connector is already configured. See SEM Setup Wizard for more information.

Requirements
 l An email server that allows SEM to relay email messages through it
 l IP address or hostname of your email server
 l A return email address for bounced messages and replies
 l User credentials for your email server, only if your email server requires internal users to
authenticate to send email

To configure SEM to use Office 365 as a mail host, see Configure SEM to send email via Office
365 in the SolarWinds Success Center.

Configure the Email Active Response connector


 1. On the SEM Console, navigate to Configure > Manager Connectors.
 2. To locate the Email Active Response connector, type email in the search box.
 3. Select the Email Active Response connector, and then click Add Connector.

 4. In the Name field, enter a new name, or keep the existing name.
 5. In the Mail Host field, enter the mail host IP address or hostname.
If you use a hostname in the Mail Host field, SEM Manager must be able to resolve it using the DNS servers you entered during your SEM network configuration.
 6. In the Port field, enter 25 (or the port on which your relay accepts mail from SEM).
 7. From the Transport Protocol drop-down list, select SMTP or TLS. Select TLS wherever the relay supports it; with plain SMTP, the credentials from step 9 and the contents of every alert email cross the network in clear text.

TLS 1.2 is supported for email connections in SEM 2020.2.1 and later.

 8. In the Return Address field, enter a return address.


This field is pre-populated with noreply@solarwinds.com. Be sure to change this email address to one in a domain your relay is allowed to send from and that your organization monitors, because bounces and replies are delivered to it.

 9. If the email server requires an Active Directory user to send email, enter the authentication
server user name and password in the appropriate fields.

If the email server requires an email to be sent from a computer within the domain, the
email server must have an exception created for the SEM hostname. SEM cannot join the
domain.

 10. Click Add. The connector appears on the Manager Connectors tab under Configured
connectors.
 11. Under Configured connectors, select your connector, and then click Start.

Test the Email Active Response connector


Send a test email to verify that the connector is working properly.
 l If you receive an email, the connector is working properly.
 l If you do not receive an email, the SEM Internal Events filter records the failure with the following information:
  o Event Name: InternalInfo
  o Event Info: Email notification failed
  o Extraneous Info: Information about the failure. For example, server not reachable, authentication issue, and so on.

Modify the connector configuration as required and then resend a test email.

See also:
 l Troubleshoot SEM rules and email responses
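When the test email never arrives, it helps to run the connector's steps from a host you control and see which one fails. The following script is added here as an example; it is not part of this guide or of SEM. check_relay follows the same path the connector takes (connect, EHLO, optional STARTTLS with TLS 1.2 or later, optional AUTH, one message) and reports the failing stage in the same terms as the Extraneous Info field above. The mail host and the two addresses are placeholders, and StubRelay is a constructed local stand-in for the mail host so that the script runs offline; point check_relay at your real relay and ignore the stub.

```python
import smtplib
import socket
import ssl
import threading
from email.message import EmailMessage

# Constructed placeholders: in SEM these are the connector's Return Address
# and the console user a test rule emails.
SEM_RETURN_ADDRESS = "sem-noreply@example.invalid"
TEST_RECIPIENT = "soc@example.invalid"


def check_relay(host, port, use_tls=False, username=None, password=None, timeout=10):
    """Walk the Email Active Response connector's path against a relay and
    report the stage that failed (connect, tls, auth, relay, session)."""
    try:
        smtp = smtplib.SMTP(host, port, local_hostname="sem-preflight", timeout=timeout)
    except OSError as exc:  # connection refused, no route, timeout
        return {"ok": False, "stage": "connect", "detail": f"server not reachable: {exc}"}
    try:
        smtp.ehlo()
        if use_tls:
            if not smtp.has_extn("starttls"):
                return {"ok": False, "stage": "tls", "detail": "server does not offer STARTTLS"}
            ctx = ssl.create_default_context()
            ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SEM speaks TLS 1.2
            smtp.starttls(context=ctx)
            smtp.ehlo()  # capabilities must be re-read after STARTTLS
        if username:
            if not smtp.has_extn("auth"):
                return {"ok": False, "stage": "auth", "detail": "server does not offer AUTH"}
            smtp.login(username, password)
        msg = EmailMessage()
        msg["From"] = SEM_RETURN_ADDRESS
        msg["To"] = TEST_RECIPIENT
        msg["Subject"] = "SEM Email Active Response test"
        msg.set_content("Relay preflight for the SEM Email Active Response connector.")
        smtp.send_message(msg)
        return {"ok": True, "stage": "done", "detail": "accepted for delivery"}
    except smtplib.SMTPAuthenticationError as exc:
        return {"ok": False, "stage": "auth", "detail": f"authentication issue: {exc.smtp_code}"}
    except smtplib.SMTPRecipientsRefused as exc:
        return {"ok": False, "stage": "relay", "detail": f"relay denied: {exc.recipients}"}
    except (smtplib.SMTPException, OSError) as exc:
        return {"ok": False, "stage": "session", "detail": str(exc)}
    finally:
        try:
            smtp.quit()
        except (smtplib.SMTPException, OSError):
            pass


class StubRelay(threading.Thread):
    """Constructed stand-in for the mail host: answers one SMTP session with
    just enough of RFC 5321 for smtplib, and optionally refuses to relay."""

    def __init__(self, allow_relay=True):
        super().__init__(daemon=True)
        self.allow_relay = allow_relay
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        self.sock.close()
        with conn, conn.makefile("rb") as lines:
            conn.sendall(b"220 stub ESMTP\r\n")
            for raw in lines:
                verb = raw.decode("ascii", "replace").split(" ", 1)[0].strip().upper()
                if verb == "EHLO":
                    conn.sendall(b"250-stub\r\n250 8BITMIME\r\n")  # no STARTTLS, no AUTH
                elif verb == "RCPT" and not self.allow_relay:
                    conn.sendall(b"550 5.7.1 Relaying denied\r\n")
                elif verb == "DATA":
                    conn.sendall(b"354 End data with <CR><LF>.<CR><LF>\r\n")
                    for body in lines:  # swallow the message up to the lone dot
                        if body == b".\r\n":
                            break
                    conn.sendall(b"250 2.0.0 Queued\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    break
                else:
                    conn.sendall(b"250 OK\r\n")


if __name__ == "__main__":
    for allow in (True, False):
        relay = StubRelay(allow_relay=allow)
        relay.start()
        print(check_relay("127.0.0.1", relay.port))
```

A "relay" result against the real mail host means the relay accepts connections from SEM but its policy does not allow SEM's address to send to that recipient, which is the exception for the SEM hostname mentioned in step 9; a "tls" result means the relay does not offer STARTTLS and the connector must use SMTP on that host.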

Enable SEM to receive SNMP traps by turning on the SNMP Trap Logging
Service
Turn on the SNMP Trap Logging Service to enable SEM to receive SNMP traps from devices and
applications on your network. SEM can correlate events sent as SNMP traps from devices that have a
device-specific connector.

SEM can also correlate performance alerts sent as SNMP traps from the following SolarWinds
solutions:
 l Network Performance Monitor (NPM)
 l Server & Application Monitor (SAM)
 l Virtualization Manager (VMAN)

The SNMP Trap Logging Service must be enabled to correlate events sent by these SolarWinds
products.

SEM receives SNMP traps on UDP port 162.

See also:
 l To configure SEM to output SNMP traps, turn on the SNMP Request Service. See Send SNMP traps from SEM to other applications by turning on the SNMP Request Service to learn how.
 l To configure SEM to communicate with NPM and the Orion Web Console, see Monitor SEM from NPM and the Orion Web Console using SNMP.

Complete the following steps to enable (or disable) the SNMP Trap Logging Service in SEM.

Enable or disable the SEM SNMP Trap Logging Service


 1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.
 2. At the cmc> prompt type:
service


 3. At the cmc::service> prompt type:
snmp

A prompt like the following appears:

SNMP Trap Logging Service is DISABLED
Would you like to ENABLE the SNMP Trap Logging Service? [Y/n]

If the service is running, the prompt displays:

SNMP Trap Logging Service is RUNNING
Would you like to STOP the SNMP Trap Logging Service? [Y/n]

 4. Type Y or n, and then press Enter.
The SNMP Trap Logging Service is configured.
 5. Next, a prompt like the following appears:
SNMP Request Service is DISABLED
Would you like to ENABLE the SNMP Request Service? [Y/n]

The SNMP Request Service is not the same as the SNMP Trap Logging Service:
 l The SEM SNMP Request Service sends SNMP traps out of SEM and answers SNMP polls from NPM. See Send SNMP traps from SEM to other applications by turning on the SNMP Request Service for more information.
 l The SEM SNMP Trap Logging Service receives SNMP traps from other devices.

Type n to leave the SNMP Request Service as it is, or Y to change it, and then press Enter.


 l If you enabled the SNMP Trap Logging Service, the following message appears:

The SNMP Trap Logging Service is started.

 l If you disabled the SNMP Trap Logging Service, the following message appears:

The SNMP Trap Logging Service is stopped.

 6. At the cmc::service> prompt, type exit.


 7. To log out and close the CMC command-line, type exit again.

Monitor incoming SNMP trap messages in the SEM Console.


Send SNMP traps from SEM to other applications by turning on the SNMP
Request Service
Turn on the SNMP Request Service to allow SEM to output SNMP traps to one or more applications on your network. SEM supports SNMP version 2 and SNMP version 3.

The SNMP Request Service must be turned on in SEM to do the following:
 l Send SNMP traps to devices when SEM rules fire
 l Use NPM and the SolarWinds Orion Web Console to monitor SEM system resources such as CPU and memory

If you use SolarWinds Network Performance Monitor (NPM) in your environment:
 1. Enable the SNMP Request Service using the steps on this page.
 2. To set up the Orion Web Console for SNMP monitoring, see Monitor SEM from NPM and the Orion Web Console using SNMP.

To configure SEM to receive SNMP traps, see Enable SEM to receive SNMP traps by turning on the SNMP Trap Logging Service for steps.

To enable or disable the SNMP Request Service


 1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.
 2. At the cmc> prompt type:
service

 3. At the cmc::service> prompt type:
snmp

A prompt like the following appears:

SNMP Trap Logging Service is DISABLED
Would you like to ENABLE the SNMP Trap Logging Service? [Y/n]

The SNMP Trap Logging Service is not the same as the SNMP Request Service. The SEM SNMP Trap Logging Service receives SNMP traps from other devices, whereas the SEM SNMP Request Service outputs SNMP traps outside of SEM. See Enable SEM to receive SNMP traps by turning on the SNMP Trap Logging Service for more information.
 4. Answer Y only if you also mean to change the SNMP Trap Logging Service. Otherwise, type n, and then press Enter to leave it unchanged and go to the next step.


A prompt like the following appears:

SNMP Request Service is DISABLED
Would you like to ENABLE the SNMP Request Service? [Y/n]

 5. To enable or disable the service, type Y or n, and then press Enter.
If you enabled the SNMP Request Service, the following prompt appears:

Enter the port number to access SNMP on SEM (default: 161):

 6. Type the port number on which SEM should answer SNMP polls from SolarWinds Network Performance Monitor (NPM), and then press Enter.

UDP port 161 is the standard port for SNMP polling, and UDP port 162 is the standard port for traps. Allow only your NPM poller to reach the port you choose.

The following prompt appears:

Enter the username to access SNMP on SEM (default: orion):

 7. Type the user name to use, and then press Enter.
The following prompt appears:

Enter the password hashing algorithm (SHA1, MD5 or NO for no authentication, default: SHA1):

 8. Enter an option, and then press Enter. Keep SHA1: MD5 is deprecated for SNMPv3, and NO turns authentication off, so anyone who can reach the port can poll SEM.
The following prompt appears:

Enter the authentication password (default: orion123):

 9. Type the password, and then press Enter.
The following prompt appears:

Enter the communication encryption algorithm (AES128, DES56 or NO for no encryption, default: AES128):

 10. Enter an option, and then press Enter. Keep AES128: DES56 is obsolete, and NO sends the polled data in clear text.
The following prompt appears:

Enter the encryption key (default: orion123):

 11. Type the encryption key, and then press Enter.

The defaults orion and orion123 are printed in this guide and are therefore known to anyone. Replace the user name, the authentication password, and the encryption key with values of your own (SNMPv3 requires at least eight characters for each), and do not reuse the authentication password as the encryption key.

The SNMP Request Service is started.
 12. To return to the main menu, type exit at the cmc::service> prompt.
 13. To log out and close the CMC command-line, type exit again.

Collect Windows Filtering Platform (WFP) events in SEM


Windows Filtering Platform (WFP) logs firewall and IPsec related events to the Windows Security log. These events are background noise that requires additional SEM resources to process, and collecting them is not recommended for an optimized SEM deployment.

About Windows WFP events and SEM performance


By default, WFP logging is disabled in the Windows Security Log connector. Tuning out Windows
noise in group policies has the following advantages:
 l Reduces the space that these events occupy in the Security Event log
 l Reduces network activity
 l Reduces demand on SEM system resources (such as CPU, memory, and disk space)

The Windows Security Log connector stopped collecting WFP data in SEM version 6.2.

Configure SEM to collect WFP events (Optional)


If necessary, you can enable WFP event logging in SEM.

SolarWinds strongly recommends that you keep WFP logging turned off.

To collect WFP events in SEM, configure the Windows Filtering Platform Events connector. Enabling
this connector will result in SEM collecting a huge volume of data. To manage this data, see the
following sections.

Improve SEM performance by tuning Windows WFP events

If you collect WFP events in SEM, SolarWinds recommends tuning WFP in your Active Directory group
policies to decrease the load that background events place on the SEM Manager. The following tables
describe alerts located in the Event Distribution Policy in SEM Manager. You can filter out these
events by clearing the appropriate check boxes in the Console, Database, Warehouse, and Rules
columns. SEM will process the remaining events.


In SEM, the terms event and alert are interchangeable.

SolarWinds recommends disabling WFP alerts using Group or Local Policy. The events come from two advanced audit policy subcategories under Object Access: Filtering Platform Packet Drop (5152, 5153) and Filtering Platform Connection (5154 through 5159).

The ProviderSID value in the following alerts has the format Windows Security Auditing <Event ID>, where <Event ID> is one of the Windows Event IDs listed in the following table.

Alert Name Windows Event ID


TCPTrafficAudit 5152, 5154, 5156, 5157, 5158, 5159

IPTrafficAudit 5152, 5154, 5156, 5157, 5158, 5159

UDPTrafficAudit 5152, 5154, 5156, 5157, 5158, 5159

ICMPTrafficAudit 5152, 5156, 5157, 5158, 5159

RoutingTrafficAudit 5152, 5156

PPTPTrafficAudit 5152

Table of Descriptions by Event ID

Event ID Brief Description
5152 Windows Filtering Platform blocked a packet
5154 Windows Filtering Platform permitted an application or service to listen on a port for incoming connections
5156 Windows Filtering Platform allowed a connection
5157 Windows Filtering Platform blocked a connection
5158 Windows Filtering Platform permitted a bind to a local port
5159 Windows Filtering Platform blocked a bind to a local port
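The recommendation to disable WFP auditing in Group or Local Policy comes down to two advanced audit policy subcategories. The following script is added here as an example; it is not part of this guide or of SEM. It parses the output of auditpol /get on a Windows host, reports which WFP subcategories are still auditing, which of the SEM alerts in the table above each one feeds, and the auditpol /set command that turns it off. The sample output is constructed, and the subcategory-to-event-ID mapping is taken from Microsoft's audit policy reference (it adds 5153 and 5155, WFP events SEM does not list). On a real host, run auditpol /get /category:"Object Access" and feed its output in, or set the same subcategories through a GPO.

```python
import re

# SEM alert names and the Windows event IDs each is built from (the table above).
SEM_WFP_ALERTS = {
    "TCPTrafficAudit": {5152, 5154, 5156, 5157, 5158, 5159},
    "IPTrafficAudit": {5152, 5154, 5156, 5157, 5158, 5159},
    "UDPTrafficAudit": {5152, 5154, 5156, 5157, 5158, 5159},
    "ICMPTrafficAudit": {5152, 5156, 5157, 5158, 5159},
    "RoutingTrafficAudit": {5152, 5156},
    "PPTPTrafficAudit": {5152},
}

# Advanced audit policy subcategories (under Object Access) that emit WFP events.
# Assumed from Microsoft's audit policy reference, not from this guide.
WFP_SUBCATEGORIES = {
    "Filtering Platform Packet Drop": {5152, 5153},
    "Filtering Platform Connection": {5154, 5155, 5156, 5157, 5158, 5159},
}

# Constructed sample of `auditpol /get /category:"Object Access"` output.
SAMPLE_AUDITPOL = """System audit policy
Category/Subcategory                      Setting
Object Access
  File System                             No Auditing
  Filtering Platform Packet Drop          Success and Failure
  Filtering Platform Connection           Success
  Other Object Access Events              No Auditing
"""

# Subcategory rows are indented two spaces; the setting is one of four phrases.
_ROW = re.compile(
    r"^\s{2}(\S.*?)\s{2,}(No Auditing|Success and Failure|Success|Failure)\s*$"
)


def parse_auditpol(text):
    """Return {subcategory: setting} from auditpol /get output."""
    policy = {}
    for line in text.splitlines():
        match = _ROW.match(line)
        if match:
            policy[match.group(1)] = match.group(2)
    return policy


def wfp_findings(policy):
    """List each WFP subcategory still being audited, the event IDs it
    generates, the SEM alerts those IDs feed, and the command that stops it."""
    findings = []
    for subcat, ids in WFP_SUBCATEGORIES.items():
        setting = policy.get(subcat, "No Auditing")
        if setting == "No Auditing":
            continue
        affected = sorted(
            name for name, sem_ids in SEM_WFP_ALERTS.items() if sem_ids & ids
        )
        findings.append({
            "subcategory": subcat,
            "setting": setting,
            "event_ids": sorted(ids),
            "sem_alerts": affected,
            # Real auditpol syntax; disables both success and failure auditing.
            "fix": f'auditpol /set /subcategory:"{subcat}" /success:disable /failure:disable',
        })
    return findings


if __name__ == "__main__":
    for finding in wfp_findings(parse_auditpol(SAMPLE_AUDITPOL)):
        print(f"{finding['subcategory']}: {finding['setting']} -> feeds {finding['sem_alerts']}")
        print("  " + finding["fix"])
```

The ID sets explain why every SEM WFP alert name in the table disappears once both subcategories are off: 5152 is in all six alerts, so Packet Drop alone feeds all of them, and Connection feeds every alert except PPTPTrafficAudit.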

Monitor SEM from NPM and the Orion Web Console using SNMP
If you use Network Performance Monitor (NPM) and the SolarWinds Orion Web Console, you can use
it to monitor CPU, memory, and other critical resources utilized by SEM. Complete the steps in this
topic to configure SEM to communicate with NPM.

SEM can use SNMP version 3 to communicate with SolarWinds Network Performance Monitor
(NPM).


Enable the SNMP Request Service


See Send SNMP traps from SEM to other applications by turning on the SNMP Request Service for details. After you enable and configure the SNMP Request Service, go to the next topic, Set up the Orion Web Console for SNMP monitoring.

Set up the Orion Web Console for SNMP monitoring


When you are finished enabling the SNMP Request Service, log in to the Orion Web Console and set
up the SEM Manager as a monitored node on the Orion Platform.

 1. Log in to your Orion Web Console as an administrator.


 2. Navigate to Settings > Manage Nodes, and then click Add a Node.
If the node already exists and it is not managed, click the node and select Not Managed Node >
Yes to manage the node.
The Define Node dialog displays.
 3. In the Polling Hostname or IP Address field, enter the IP address of the SEM Manager.
 4. Under Polling Method, select Most Devices: SNMP and ICMP.


 5. Select your polling method settings.

 a. From the SNMP drop-down list, select SNMPv3.


 b. Enter the port number used to access SNMP on the SEM appliance.
 c. Under SNMPv3 Credentials, enter the user name used to access SNMP on the SEM
appliance.
 d. Under SNMPv3 Authentication, enter the hashing algorithm method and password.
 e. Under SNMPv3 Privacy / Encryption, enter the communication encryption algorithm and
password.
 f. Accept the default selections in the remaining options.


 6. In the lower section of the form, ensure the fields remain blank.

This is a SEM-specific setting for SNMPv3. Completing the Username and Context fields,
for example, will cause the connection test to fail.

 7. To test the connection, click Test.


If the connection is good, Test Successful appears. If it fails, troubleshoot your Orion
connection.
 8. Click Next.

The Orion Platform authenticates the SEM Manager and runs a discovery to locate the
resources available to monitor on the SEM appliance. The discovered resources will list all the
elements that are available to monitor. The Orion Platform will automatically provide a list of
selected resources based on the device type.
 9. In the Choose Resources dialog, select the resources to monitor on the node, and then click
Next.
 10. In the Add Application Monitors dialog, click Next.
 11. In the Change Properties dialog, click Next.
 12. Click OK, Add Node.
The SEM appliance is added to the Orion Web Console for monitoring.


Troubleshooting your Orion connection


If you cannot establish a connection between your SEM appliance and the Orion Platform:
 l Ensure that the settings you entered in the Define Node window match the settings used to
enable the SNMP Request Service.
 l Review the Orion logs located at c:\ProgramData\SolarWinds\Discovery for errors.
 l Ensure the Username and Context fields in the lower half of the polling method configuration settings are empty.

See Unable to add nodes through the Web Console for additional troubleshooting information.

Create a custom login banner


You can create a customized plain-text notification banner to provide information to users before they
gain access to SEM.

 1. On the SEM Console, click the Settings button.

 2. On the Settings page, click the SolarWinds Platform Web Console tab.
 3. Move the toggle button to the On setting.

 4. Enter your text (up to 3500 characters).

Images are not allowed on this banner.

 5. Click Save.


Manage SEM system resources


This section describes how to manage the hardware and software resources that SEM requires to
work properly.

View system resources


 1. On the SEM Console, click the Settings button.


 2. On the Settings page, click the System Resources tab.


The System resources settings shows the platform name, memory and CPU information, and
the manager name, version, and IP address. You can also access the one-click download
debugs feature.

Details pane descriptions

Field Description
Platform: The Manager platform name, which can be Trigeo SIM, VMware vSphere, or Microsoft Hyper-V.
CPU Reservation: The CPU capacity reserved for the virtual appliance on the host (MHz on vSphere, a percentage of the allocated CPUs on Hyper-V). Reserving CPU ensures that enough host resources are available for the allocated CPUs.
Number of CPUs: The number of processors allocated to the virtual appliance.
Memory Allocation: The maximum amount of memory the Manager can use. Set this value at or above the reservation value. You can define this value in the VM configuration. Setting memory allocation to a greater value than the memory reservation has little effect on SEM performance.
Memory Reservation: The amount of memory reserved for this system.
Name: The Manager or appliance name.
Version: The Manager or appliance software version.
IP Address: The Manager or appliance IP address.


Allocate CPU and memory resources to the SEM VM


By default, SEM deploys with 8GB of RAM and 2 CPUs on the VMware ESX(i) and Microsoft Hyper-V
platforms. For SEM to work properly, you must allocate sufficient CPU and memory resources to the
SEM VM. This topic describes how to check resource settings and make updates.

See SEM system requirements in the SEM Installation Guide for hardware and software sizing
requirements.

SEM can send SNMP version 3 alerts to SolarWinds Network Performance Monitor (NPM). This
configuration allows you to monitor CPU, memory, and other critical SEM components from the
SolarWinds Orion Web Console.

Security Event Manager collects data from a continuous stream of traffic that fluctuates based on
user, server, and network activity. The type and volume of traffic varies based on the device sending
the traffic and the audit and log settings on those devices.

About incoming data traffic


Security Event Manager receives data from syslogs and traps using up to 500 connectors that receive
data traffic from several supported network devices. These connectors translate (or normalize) the
data into a readable and understandable format you can view on the SEM Console.

The events appear in the Monitor view, pass through the rules engine for specified actions, and then
move into a database for retrieval by the SEM Reports or nDepth search function. To process the data
in real time, SEM requires system resource reservations from the virtual appliance host.

When the volume of traffic exceeds 15 million events per day, be sure to reserve additional system
resources to support the additional data traffic.

To check the current allocation on the SEM Console, see View system resources earlier in this section.

You can view your reservation settings using the vSphere client, Hyper-V Manager, or the CMC command line over SSH (with a client such as PuTTY). See your VMware vSphere documentation for details about configuring resources, reservations, and storage on a vSphere virtual machine.

View vSphere reservation settings for SEM


 1. Log in to the vSphere client.
 2. Select the SEM VM from the inventory (the name listed may not be the host name), and view the Summary tab to find the number of CPUs (such as 2 vCPU).

SEM requires at least two CPUs. The highest working setting for any SEM appliance is 16 CPUs.

 3. Provisioned Storage on the right side of the screen shows the total disk space SEM can use.
 l If SEM is thick provisioned, the used storage is always the total disk space.
 l Thin provisioning allows the used storage to grow up to the total amount of storage allocated.
 4. On the Resource Allocation tab, note the CPU reservation on the left and the memory reservation on the right.
 5. At the bottom left, check the CPU reservation. 2.0 GHz is SEM's minimum setting. To reserve more, see your VMware documentation for configuration information.
 6. At the bottom right, check the memory reservation. This reservation is normally set at 8 GB or higher. The allocated memory must be the same as or higher than the reservation. Memory reservations can be set as high as 64 GB of RAM, which can support over 150 million events per day.

Change vSphere reservations for SEM


 1. Shut down the SEM VM. See Starting and Stopping SEM components for steps.
 2. Right-click the SEM VM and choose Edit Settings. On the Hardware tab, change the allocated memory size.
 3. On the Resources tab, change the CPU and memory reservations, and set the limit to Unlimited for both CPU and memory.
 4. To save the changes, click OK.
 5. Use the vSphere console to start the SEM VM.


View reservations settings using the CMC command-line


 1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.
 2. At the cmc> prompt, type manager.
 3. Type viewsysinfo, and then press Enter.
The system returns memory and CPU information, as well as SEM version and license
information.
 4. To return to the cmc::manager> prompt, type :q.
 5. To exit the manager menu, type exit.
 6. To exit the CMC command line, type exit at the cmc> prompt.

View Hyper-V reservation settings for SEM


Use the following tables to verify your Hyper-V client settings. For details about setting resources,
reservations, and storage on a Hyper-V virtual appliance, see your Microsoft Hyper-V documentation.

Memory settings

Setting Value
Static RAM 8GB, 16GB, 24GB, 32GB, 64GB, 128GB, 256GB

Memory Weight High

CPU settings (Windows Server 2008)

Setting Value

Number of processors 2, 4, 6, 8, 10, 12, 14, 16

VM reserve CPU cycles 100%

Limit CPU Cycles 100%

Relative weight for CPU 100%

CPU settings (Windows Server 2012)

Setting Value
CPU memory details Click the Advanced tab and set the view and details

CPU Priority High


Setting Value
Reserve CPU cycle 100%

Limit CPU cycles 100%

Manage SEM data storage


This section addresses SEM database management.

About the three SEM data stores


By default, the SEM database is allowed 230 GB of the 250 GB allocated to the SEM virtual appliance.
This partition consists of three data stores:
 l Syslog store
 l Events store
 l Original or raw log data store (optional)

The syslog store consists of all syslog or SNMP log data sent to the SEM VM. SEM reads and
processes the data in real time, and then sends it to the event store for long-term storage. SEM stores
the original data for 50 days in its original format (in case you need to review it). The data in the
syslog store is compressed and rotated daily to maintain a consistent 50-days' worth of data. The
amount of data stored here should level off at around the 50-day mark.

The event store (the second store) contains all normalized events generated by the SEM Manager
and SEM Agents. Data in this store is compressed at ratios of 40:1 to 60:1, which equates to an
average compression rate of 95–98 percent. Both nDepth and the SEM reports application query the
event store for event data when they run.

The original log store (the third store) is an optional store for original or raw log messages. The data
in this store can come from SEM Agents or other devices logging to the SEM appliance. You can
configure if data is sent to this store at the connector level, so not all devices have to store raw log
messages in this manner.

Strategies for managing your SEM data storage needs


Depending on the needs of your environment, you can use one or more of the alternate storage
methods listed below.
 l Back up the SEM VM on a regular basis. This will provide offline storage for your SEM data
stores.
 l Decrease the number of days that syslog and SNMP data is stored in SEM.
 l Deploy another SEM VM to be used as a syslog server.


 l Deploy another SEM VM to be used as a database server.


 l Increase the space allocated to your SEM VM.

To get help with any of these methods, submit a ticket to Customer Support:

https://customerportal.solarwinds.com/support/submit-a-ticket

View SEM database usage numbers


There are three locations to find metrics that indicate how the SEM database is used:
 l Disk Usage summary in the CMC
 l Database maintenance report
 l Log storage maintenance report

View the Disk usage summary

When you log in to SEM at the command line, SEM automatically generates a Disk Usage summary. You can also generate an ad hoc disk usage summary by running the diskusage command at the cmc::appliance> prompt. The two lines to note are Logs/Data and Logs.
 l The Logs/Data figure represents the total space being used by the SEM database. This value is presented in the percent% (usedG/allocatedG) format, where percent is the percentage of the allocated space currently in use, used is the space in use, and allocated is the total amount of space currently allocated to the SEM database.
 l The Logs figure represents the amount of space used by the syslog store. This figure is included in the used figure noted above. To work out how much space the event store currently uses, subtract the Logs value from the used value. If you are storing original log messages in the SEM database, this calculation gives the combined space used by the event store and the original log store.

View the Database maintenance report

Run the Database Maintenance Report in SEM reports to view a snapshot of your current database
usage. The report includes the following values:
 l Disk Usage Summary – provides disk usage values in terms of the percentage of space
allocated to the SEM database
 l Disk Usage Details – provides disk usage values in terms of physical file size
 l Database Time Span (days) – shows how many days' worth of live event data is currently stored
in the SEM database
 l Other Files – represents the amount of space used by the syslog store

For more information, see the following KB article in the Customer Success Center:
Use the SEM Database Maintenance Report to See Retention and Volume of Traffic


View the Log storage maintenance report

Run the log storage maintenance report in SEM reports to get detailed information about the original
log store. If you have not enabled SEM to store original log messages, this report will be blank.

For more information, see the following KB article in the Customer Success Center: Live Data
Storage Retention in SEM.

Create a disk usage alert in SEM to warn you when a disk reaches a set limit
You can create a disk usage alert from the CMC command line to warn you when a disk partition
reaches a preselected use limit. When the limit is reached, an InternalWarning event displays in the
Monitor view.

You can define the disk use limit by the percentage of unavailable disk space (such as 75 percent), or
by the amount of free disk space (such as 58G).

To create the disk usage alert:

 1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.
 2. To access the Appliance menu, at the cmc> prompt, enter appliance.

 3. To view the disk use of each partition, at the cmc::appliance> prompt, enter diskusage. For
example:

cmc::appliance > diskusage


Checking Disk Usage (this could take a moment)
... ....00.00.00.00.00.00.00.
Partition Disk Usage:
SEM: 35% (991M/3.0G)
OS: 45% (1.3G/3.0G)


Logs/Data: 1% (901M/234G)
Temp: 2% (252M/5.9G)

Database Queue(s): 4.0K (No alerts queued, 0 alerts waiting in memory)


Rules Queue: 2.1M (0 alerts queued, 0 alerts waiting in memory)
Console Queue: 2.1M (0 alerts queued, 0 alerts waiting in memory)
DataCenter Queue: 2.1M (0 alerts queued, unknown number of alerts waiting
in memory)
EPIC Rules Queue: 2.1M (0 alerts queued, 0 alerts waiting in memory)
Forensic Database Queue: 2.1M (0 data queued, unknown number of data
items waiting in memory)
Logs: 1.3M
Tool Profiles Message Queue: 2.1M (0 alerts queued, unknown number of
alerts waiting in memory)

cmc::appliance >

 4. At the cmc::appliance> prompt, enter diskusageconfig.


Each partition and corresponding disk use limit displays on your screen. For example:

cmc::appliance > diskusageconfig


Current Disk Usage Configuration:
# | Partition (filesystem) | Configured limit
===============================================
1 | SEM (/usr/local) | 90%
2 | OS (/) | 90%
3 | Logs/Data (/var/) | 10G
4 | Temp (/tmp) | 90%
You can define your disk use limit by the percentage of unavailable disk
space (such as 75%) or the amount of free disk space (such as 58G).
Enter the partition number you want to change (enter 'exit' and press
<Enter> to quit):

 5. Enter the partition number you want to change, and then press Enter.
 6. Enter the disk usage limit value in percentage (such as 75 percent) or size (such as 58G), and
then press Enter.


For example, to have SEM warn when the OS partition (45 percent full in the output in step 3) passes 40 percent, enter 40%. To warn instead when less than 2 GB is free on it, enter 2G (the prompt accepts K, M, G, and T suffixes).

Disk usage limit [90%, sizeK, sizeM, sizeG, sizeT] (default 90%): 40%
Limit '40%' for the 'OS' partition is set.
Press <Enter> to set the next partition. Enter 'exit' and press <Enter> to quit.

 7. Press Enter to set the next partition and repeat step 6 (if required).
See Change the Logs/Data partition setting for additional information.
 8. When you are finished, type exit, and then press Enter to quit.

Change the Logs/Data partition setting

When you set the Logs/Data partition (3), a message prompts you to consider changing the database
disk configuration using the dbdiskconfig command. SolarWinds recommends setting the
Logs/Data partition and the database disk configuration to the same value.

Change the database disk configuration

 1. Finish configuring your partitions.


 2. At the cmc::appliance> prompt, enter dbdiskconfig.
The following message displays:

Current configuration:
DoNotExceedPercentage = 90%

The Manager will restart and apply your changes. To exit, enter 'exit'
and press Enter.
Enter a new value for DoNotExceedPercentage (default 90):
Please enter an inter number 0-100 or 'exit'

 3. At the prompt, enter a usage limit value between 0 and 100, and then press Enter.

If you enter a value less than 25, the partition will be deleted when this value is reached.

The database disk configuration value is saved, and the appliance restarts the Manager Service.

View a disk usage event


On the SEM Console, click the Live Events tab.

For example, if you set the OS disk partition limit as a percentage, the following event displays in the
Events viewer table when the limit is reached:

InternalWarning Manager Monitor Warning! Disk Usage: The OS filesystem is over 40% full!

If you set the OS disk partition limit as a file size, the following event displays in the All Events grid
when the limit is reached:

InternalWarning Manager Monitor Warning! Disk Usage: The OS filesystem has under 2G left!

Learn more here.
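The two event messages above come from one decision: a percentage limit fires when used space exceeds it, and a size limit fires when free space drops below it. The following Python script is an added example, not SolarWinds code. It reproduces that decision logic, accepting the K/M/G/T suffixes the diskusageconfig prompt lists (assumed here to be 1024-based), so you can check what a limit means for a given partition before applying it. The partition names and sizes it uses are constructed sample values.

```python
"""Added example (not SolarWinds code): the decision logic behind SEM's disk
usage limits.

diskusageconfig accepts a limit either as a percentage of used space ("40%")
or as a minimum amount of free space with a K, M, G or T suffix ("2G"), and
the Manager Monitor raises an InternalWarning event ("... is over 40% full!" or
"... has under 2G left!") once the limit is reached.  The functions below
reproduce that logic so a limit can be sanity-checked before it is applied.
Partition names and sizes in the demo are constructed sample values.
"""
import re
from dataclasses import dataclass

# Binary multipliers for the size suffixes the diskusageconfig prompt lists
# ([90%, sizeK, sizeM, sizeG, sizeT]).  Assumption: SEM uses 1024-based units.
UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}
LIMIT_RE = re.compile(r"^(\d+)(%|[KMGT])$")


@dataclass
class Partition:
    name: str           # SEM's partition label, e.g. "OS" or "Logs/Data"
    total_bytes: int
    used_bytes: int

    @property
    def free_bytes(self) -> int:
        return self.total_bytes - self.used_bytes

    @property
    def used_percent(self) -> float:
        return 100.0 * self.used_bytes / self.total_bytes


def parse_limit(text: str):
    """Return ("percent", n) for "40%" or ("free", n_bytes) for "2G".

    Rejects forms the prompt does not list, such as "2GB" or a bare "40".
    """
    m = LIMIT_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"invalid limit {text!r}: use a form such as 75%, 512M or 58G")
    value, unit = int(m.group(1)), m.group(2)
    if unit == "%":
        if value > 100:
            raise ValueError("a percentage limit cannot exceed 100%")
        return ("percent", value)
    return ("free", value * UNITS[unit])


def check_partition(part: Partition, limit: str):
    """Return the warning text SEM would report, or None while within the limit."""
    kind, threshold = parse_limit(limit)
    if kind == "percent":
        if part.used_percent > threshold:
            return f"Disk Usage: The {part.name} filesystem is over {threshold}% full!"
        return None
    if part.free_bytes < threshold:
        return f"Disk Usage: The {part.name} filesystem has under {limit.strip().upper()} left!"
    return None


if __name__ == "__main__":
    gib = 1024 ** 3
    # Constructed sample: a 20 GiB OS partition at two fill levels.
    for used in (9 * gib, 19 * gib):
        os_part = Partition("OS", 20 * gib, used)
        for limit in ("40%", "2G"):
            print(f"{os_part.name} used {os_part.used_percent:.0f}%, limit {limit}: "
                  f"{check_partition(os_part, limit) or 'within limit'}")
```

Note that parse_limit rejects 2GB and a bare 40, matching the forms the diskusageconfig prompt lists, which is why the worked example above enters 40% and 2G rather than 40 or 2GB.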

SEM tuning and periodic maintenance tasks


SolarWinds recommends you complete the tasks in this topic to ensure SEM performs optimally as
your network changes.

Complete the following tasks to ensure that SEM uses processor and memory resources efficiently.

Review your rule configurations

Review your rules periodically to ensure that they are not triggering too frequently. This can be caused
by:
- Low threshold settings: consider increasing the threshold for rules that trigger due to network
traffic.
- Broadly defined conditions: define rules to apply only to specific user names, IP addresses, or
systems. Consider whether a different set of rules with different conditions could serve two
distinct areas of your environment.
- Rules using event groups instead of a single event or subset of events: rules that detect
authentication or network traffic may trigger on additional events, but may only apply to a
subset of those events.

Secure SEM
This section describes how to secure SEM to prevent unauthorized access.

SEM security checklists: Ensure that only authorized users can access SEM
Complete the following tasks to help prevent unauthorized users from accessing SEM.

General security tasks


Read the Security Event Manager Appliance Security and Data Protection blog post on
THWACK.

Secure the SEM manager and the SEM consoles


Run the activate command from the CMC command line.

Run this command to export the SSL certificate that ensures secure communications
between the SEM desktop console and the SEM manager.

See Run the activate command to secure SEM and configure network settings for steps.

Set the minimum password requirements for local SEM user accounts.

See Set the global password policy for SEM users for steps.

Restrict the filters that Monitor role users can access.

See "Specify the filters that users assigned the Monitor role can use on the SEM Console"
for steps.

Secure the CMC command-line interface


Change the default CMC password.

See Change the SEM CMC password for steps.


Restrict SSH access to the CMC command-line interface.

(Optional) This procedure blacklists everyone from logging in to the CMC interface except
those users who connect from an explicitly allowed IP address or host name.

See Restrict SSH access to the SEM CMC interface for steps.

Secure the SEM reports application


Secure the SEM reports application.

See Restrict access to the SEM reports application for steps.

Enable transport layer security (TLS) between the SEM reports application and the SEM
database.

From 2020.4, TLS is enabled by default.

From 2022.2, TLS cannot be disabled.

(Optional) The Transport Layer Security (TLS) option introduces an extra level of security
for data transfers between a SEM database and the Reports application.

See Enable transport layer security (TLS) in the SEM reports application for steps.

Restrict SSH access to the SEM CMC interface


Users who have CMC command-line interface (CLI) access can connect to the SEM VM and perform
administrative tasks. You can restrict SSH access to the CMC interface by IP address or host name.
This optional procedure blacklists everyone from logging in to the CMC interface except those users
who connect from an explicitly allowed IP address or host name.

To restrict SSH access to the CMC command line:

 1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.
 2. Type service, and then press Enter.
 3. Type restrictssh, and then press Enter.
 4. Complete the wizard to limit access to the SEM CMC console by IP address or host name. You
can enter multiple addresses and host names separated by a space.

Test the restriction by attempting to log in from a blacklisted host or IP address. Repeat the test to
confirm that you can log in from whitelisted hosts and IP addresses.

To remove access restrictions from the CMC interface


Complete the steps to allow users from any IP address or host name to access the CMC interface
using SSH.

 1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.
 2. Type service, and then press Enter.
 3. Type unrestrictssh, and then press Enter.
 4. Complete the wizard to remove access restrictions.

Test that the restriction has been removed by logging in from a previously blacklisted host or IP address.

Restrict access to the SEM reports application


This topic covers securing the SEM reports application so only authorized users can access it.

Understand your options for securing SEM reports


The SEM reports application requires a user name and password to access the SEM database.

As with all versions of SEM, an additional level of security is available for the reports application, and
the same holds true for the SSH connection and the console connection (web-based or AIR-based). Run
the restrictreports command (or the restrictconsole or restrictssh commands) to create a whitelist of
computer host names or IP addresses that can run reports and access the database (or access the
console or SSH, if using that command).
- Access can be restricted to specific computers.
- Access can be restricted by port number. The reports application communicates over port 9001,
using TLS or no encryption. Console access is available only on port 8443/443 after SEM is
activated; port 8080/80 is available during the evaluation period. SSH access is allowed on port
22 or 32022; support can assist you with forcing only one port.
- The SEM reports application can be configured to require a user name and password.

Restrict access to SEM reports to specific computers


 1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.
 2. At the cmc> prompt, type service.
 3. At the cmc::service> prompt, type restrictreports.

 4. When prompted, press the Enter key.


 5. Enter the IP addresses of the computers you want to allow to run the SEM reports application,
separated by spaces.

Ensure that the list you provide is complete. Your entry will override any previous entries.

 6. To confirm your entry, type y.


 7. To return to the cmc> prompt, type exit.
 8. To log out of the CMC command line, type exit.

Remove all SEM reports access restrictions


 1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.
 2. At the cmc> prompt, type service.
 3. At the cmc::service> prompt, type unrestrictreports.
 4. When prompted, press the Enter key.

Removing SEM reports restrictions will make the SEM database accessible to any
computer on your network that is running the SEM reports application.

 5. To return to the cmc> prompt, type exit, and then press Enter.
 6. To log out of the CMC command line, type exit, and then press Enter.
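The restrictssh and restrictreports wizards above work the same way: the list of IP addresses and host names you enter becomes the complete allow list, every source not on it is refused, and the unrestrict commands return to allowing all sources. The following Python module is an added example, not SolarWinds code. It models those semantics so you can review a candidate list before confirming the wizard, including checking that your own administration host is on it, since the entry overrides any previous entries. The addresses and host names in it are constructed sample values, and case-insensitive host-name matching is an assumption.

```python
"""Added example (not SolarWinds code): model of the allow list that the CMC
restrictssh and restrictreports wizards apply.

Both wizards take a space-separated list of IP addresses and host names.  Once
a list is set, only connections from a listed source are accepted; any other
source is refused.  Entering a new list replaces the previous one outright
(the guide warns that your entry overrides previous entries), and the
unrestrictssh / unrestrictreports commands return to allowing every source.
The addresses and host names used below are constructed sample values.
"""
import ipaddress


class AccessRestriction:
    """Deny-by-default allow list with SEM's replace-not-merge semantics."""

    def __init__(self):
        self.addresses = set()    # ipaddress.IPv4Address / IPv6Address objects
        self.hostnames = set()    # lower-cased host names
        self.restricted = False   # False models the unrestrict* state

    def restrict(self, entry_line: str) -> None:
        """Apply the wizard's space-separated entry, replacing any earlier list."""
        addresses, hostnames = set(), set()
        for token in entry_line.split():
            try:
                addresses.add(ipaddress.ip_address(token))
            except ValueError:
                # Not a literal IP address: treat it as a host name (assumption:
                # host names are matched case-insensitively, as DNS names are).
                hostnames.add(token.lower())
        if not addresses and not hostnames:
            raise ValueError("empty list; use the unrestrict command to allow all sources")
        self.addresses, self.hostnames, self.restricted = addresses, hostnames, True

    def unrestrict(self) -> None:
        """Equivalent of unrestrictssh / unrestrictreports: allow every source."""
        self.addresses, self.hostnames, self.restricted = set(), set(), False

    def is_allowed(self, source: str) -> bool:
        """Decide whether a connection from this IP address or host name is accepted."""
        if not self.restricted:
            return True
        try:
            return ipaddress.ip_address(source) in self.addresses
        except ValueError:
            return source.lower() in self.hostnames

    def missing_sources(self, required: list) -> list:
        """Return the required sources (e.g. your own admin workstation) that the
        current list would lock out; check this before confirming the wizard."""
        return [s for s in required if not self.is_allowed(s)]


if __name__ == "__main__":
    acl = AccessRestriction()
    acl.restrict("10.0.0.5 admin-jumpbox.example.net")   # constructed sample list
    for src in ["10.0.0.5", "10.0.0.6", "ADMIN-JUMPBOX.example.net", "laptop.example.net"]:
        print(f"{src:28} {'allowed' if acl.is_allowed(src) else 'refused'}")
    print("locked out:", acl.missing_sources(["10.0.0.5", "10.0.0.7"]))
```

The missing_sources check is the programmatic form of the guide's warning that the list you provide must be complete: run it with every host you administer SEM from before you type y at the confirmation prompt.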

Transport layer security (TLS) and the SEM reports application
The Transport Layer Security (TLS) option introduces an extra level of security for data transfers
between the SEM reports application and the SEM database. From SEM 2021.2, TLS for Reports has
been enabled by default.

From SEM 2022.2, the option to disable TLS has been removed.

For information on using the SEM reports application, see the SEM reports section.

Enable TLS if disabled


Use these steps if the SEM database is located on the same VM as the SEM Manager. This is the
most common arrangement.

 1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.

 2. At the cmc::manager> prompt, type exportcert.


 3. Follow the prompts to export the SEM Manager CA certificate.
An accessible network share is required. Once the export is successful, you will see the
following message: Exporting CA Cert to \\server\share\SWICAer -hostname.crt ...
Success.

 4. At the cmc::manager> prompt, enter enabletls.


 5. At the cmc::manager> prompt, enter restart.

Import a self-signed certificate into the SEM Manager


Use the importcert command in the CMC to import a certificate signed by any CA into the manager.

 1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.
 2. At the prompt, enter manager.
 3. At the cmc::manager> prompt, type importcert.
 4. Choose the network share path.
 5. When prompted, confirm the share name.
 6. When prompted for a file name, enter the full name of the certificate, including the CER
extension.
 7. When completed, the following message appears:
Certificate successfully imported.

SEM Console
Dashboard
Access the SEM Dashboard to highlight and summarize trends and suspicious activity through a
series of interactive widgets. You can create, edit, and arrange widgets to display log data in a variety
of tables and graphs based on filters within your Events viewer. Upon initial login, the SEM Dashboard
appears by default. Learn more here.

Live and Historical Events


Live and Historical Events provides instant access to live event monitoring and filtering as well as
historical record archives for in-depth analysis and troubleshooting. Within the console view, you can
quickly switch between real-time event streaming and historical log views based on user-defined date
and time parameters. In addition to live and historical keyword search options, all established SEM
Monitor filters are accessible on the SEM Console Filters pane. Learn more here.

Rules
Rules monitor event traffic and automatically respond to security events in real time, whether you are
monitoring the console or not. When an event (or a series of events) meets a rule condition, the rule
prompts the SEM manager to act. A response action can be discreet (for example, sending a
notification to select users by email), or active (for example, blocking an IP address or stopping a
process). Learn more here.

Configure
The Configure menu option gives you access to node and connector management, and the creation of
users, email templates, directory service groups, and user defined groups.

You can add agent nodes, configure connectors and connector profiles, and then monitor activity on
the SEM Console. Upon node and connector configuration, click the Events tab to view your network
activity, and then create and apply filters to tailor your log feed to view event logs vital to maintaining
the health of your network environment. Learn more here.

Create user-defined groups to organize related elements for use with rules and filters. Groups can
contain elements such as events, IP addresses, computer names, and user accounts. After a group is
defined, it can be referenced from multiple rules and filters.

You can use email templates to customize your email notifications when triggered as responses in
your custom rules. An email template includes static and dynamic text (or parameters). The static
text lets you customize the message body of the email. The dynamic text is filled in from the original
event that caused the rule to fire.

Visualize network and log data through the SEM Dashboard
Access the SEM Dashboard to highlight and summarize trends and suspicious activity through a
series of interactive widgets. You can create, edit, and arrange widgets to display log data in a variety
of tables and graphs based on filters within your Events viewer.

SEM provides a library of widgets, or you can create your own by using filters that you have
customized to monitor specific activity. If your widget includes charts, you can click a specific line,
bar, or pie wedge to open the source filter. The corresponding filter opens the Events viewer, and
displays the targeted filter information. The filter lists only the events that correspond with the
selected chart item.

To access the SEM Dashboard, click the Dashboard tab on the SEM Console.

Click an event or data point in a widget to view associated details in the Events viewer.

Clicking the Others grouping in select widgets will show all events associated with that widget.

You can create, edit, and customize the following widget types:

Widget Type | Description
=======================================================================
KPI | Displays metrics on the health and performance of the SEM appliance.
Proportional | Displays an overview of widget group sizes in assorted charts (donut chart, pie chart, horizontal bar chart, vertical bar chart).
New Time Series - Long Term | Shows event data for up to the last seven days. Displays a broad range of records with less granularity than short-term widgets.
New Time Series - Short Term | Shows more granularity by allowing you to select filter and property data for a specified number of groups. For example, it can display a timeline chart of failed log-ons for the designated groups.
New Nodes Table Widget | Displays a variety of properties for each node in your network, such as IP address, operating system, connector profile, status, and more.

If you created custom widgets with the old Flash console, these are not automatically migrated
to the current SEM Dashboard, and you will need to recreate them.

Available SEM widgets


The following table describes the customizable widgets that ship with the SEM Console.

Widget | Description
=======================================================================
Active Directory Group Changes by Group | Displays a donut chart of group changes by group name.
Active Directory Group Changes by Type | Displays a donut chart of group changes by event type.
Active Directory Group Changes by User | Displays a pie chart of group changes by user source account.
Active Directory User Changes by Type | Displays a donut chart of user account changes by event type.
All Events - Last 12 Hours | Displays a time series view of all events occurring in the last 12 hours.
All Events - Last 24 Hours | Displays a time series view of all events occurring in the last 24 hours.
All Events by Connector Name | Displays a pie chart of all events by connector name via the ToolAlias log property.
All Events by Event Type | Displays a donut chart of the number of all event types.
Blocked Web Traffic by Source Machine | Displays a donut chart of the top sources of blocked web traffic.
Events Per Second - Last Hour | Displays the total count of events per second for the past hour.
File Audit Failures by User | Displays a donut chart of the file audit failure events by user.
Firewall Events by Type | Displays a donut chart of the top firewall events by event type.
Grouped events by IP | Displays a donut chart of group events by detection IP.
HIPAA Events by Type | Displays a pie chart of top HIPAA events by event type.
Incidents by Rule Name | Displays a pie chart of incidents by inference rule.
Interactive Logons by User | Displays a vertical bar chart of user logons by destination account.
Log Database Used Storage Percent | Displays the logs/data used percentage (KPI widget) with an 80 percent warning threshold and a 90 percent critical threshold.
Logon Failures - Last 24 Hours | Displays a time series chart of failed logons for the past 24 hours.
Logon Failures by Reason | Displays a pie chart of failed logons by failure reason.
Logon Failures by Source Machine | Displays a pie chart of failed logons by destination machine.
Logon Failures by User | Displays a horizontal bar chart of failed logons by destination account.
Node Health | Displays a table of the latest events from monitored network nodes.
PCI Events by Type | Displays a donut chart of the top PCI events by event type.
Rules Fired by Rule Name | Displays a pie chart of rule activity by inference rule.
Scheduled query severity per tag |
Threat Events by Type | Displays a pie chart of threat events by event type.
Traffic by Destination Port | Displays a vertical bar chart of all network traffic by destination port.
Traffic by Source Port | Displays a vertical bar chart of all network traffic by source port.
User Account Changes by Destination Account | Displays a horizontal bar chart of all user account changes by destination account.
User Account Changes by Source Account | Displays a horizontal bar chart of all user account changes by source account.
User Logon by Source Machine | Displays a donut chart of all user logons by source machine.
User Logon by User | Displays a donut chart of user logons by destination account.
Virus Attacks by Machine | Displays a pie chart of virus attacks by source machine.
Virus Attacks by Virus Name | Displays a pie chart of virus attacks by virus name.

Edit the SEM dashboard


Place the SEM Dashboard in edit mode to reorganize and resize widgets, edit widget properties, and
add or remove widgets.

 1. On the SEM Console, click the Dashboard tab.


 2. On the upper right of the SEM Dashboard, click Edit Dashboard.

 3. To resize a widget, drag the lower-right corner to increase or decrease the size.

 4. To move a widget, drag the widget header to a different location on the SEM Dashboard.

In edit mode, you can also add, edit, and remove widgets.

 5. After you have completed your edits, click Done editing on the Edit dashboard toolbar.

Add Dashboard widgets


 1. On the SEM Console, click the Dashboard tab.
 2. On the upper right of the SEM Dashboard, click Edit Dashboard.
 3. On the Edit Dashboard toolbar, click Add widgets.

The Creating Widget pane expands, displaying a variety of widgets and widget templates.

 4. From the Widget type drop-down list, select a widget category.
 5. From the Data shown drop-down list, select Any, Events, or Nodes.
 6. To further refine your search, enter a term in the search box.

 7. Select a widget template (for example, New Proportional Widget), and then click Customize.

 8. Click the edit icon in each template section to name the widget, add widget features, and
establish the graphic style and content derived from the designated data source. You can click
Filter and property to set values based on your existing Event table filters.
For example, if you would like to see the number of logon failures and the reason why, set your
filter to Failed Logons and your properties to FailureReason.

 - The filter and properties are the primary values that populate widgets. You can
create and customize numerous widgets to present key data points associated with
your network environment. Reference the Filters pane in the Events tab to review
specific event filters to use when customizing your widgets. Learn more about
filters here.
 - The number of events that display in your widgets is established in your filter
threshold settings here.

 9. Click the arrows to set the number of groups to display in your widget.

 10. Select your chart type (Donut, Pie, Horizontal, Vertical), legend, and refresh rate. As you make
your changes, the widget preview updates to the left of the widget template.

The data refresh rate is set to 30 seconds by default. You can increase it up to one hour,
or decrease it to one second.

 11. When complete, click Create Widget, and then click Save changes.
The new widget appears on the SEM dashboard.
 12. Move and resize the widget as needed.
 13. To edit the widget (in edit mode), click the vertical ellipsis on the upper right of the widget, and
then select Edit widget.

 14. To leave edit mode, click Save changes on the Edit dashboard toolbar.

 15. To view the associated widget records in the Events viewer, click the widget chart.

Edit Dashboard widgets


 1. On the SEM Console, click the Dashboard tab.
 2. On the upper right of the SEM Dashboard, click Edit Dashboard.

 3. To edit the widget, click the vertical ellipsis on the upper right of the widget, and then click Edit
widget.

To remove a widget, click the Remove Widget button.

Create a KPI widget


The KPI widget displays up-to-date metrics on the health and performance of your SEM appliance.

Starting with version 2020.2, SEM introduces a new data indicator to the KPI widget that
displays the age of the oldest stored event in your database. This can be especially helpful
when managing database storage and adjusting your data retention settings.

 1. On the SEM Console, click the Dashboard tab.


 2. On the upper right of the SEM Dashboard, click Edit Dashboard.

 3. On the Edit Dashboard toolbar, click Add widgets.

The Creating Widget pane expands, displaying a variety of widgets and widget templates.

 4. Select New KPI Widget, and then click Customize.

 5. Expand Title and Description, and enter a title for the widget (subtitle and description are
optional).

 6. Click Add New Value to set your Description, Indicator Data, and Threshold values for a specific
data set. For example:
 a. Expand Data Source, and select Logs/Data used storage percentage from the dropdown.
This option allows you to monitor the amount of free storage space.
 b. Expand Thresholds, and select Use custom thresholds to establish notifications when
storage space is low. For example, you can set the warning to 80 percent full, and critical
to 90 percent full.
 7. Continue to add more values to monitor in the KPI widget, such as events per second, or
manager memory used. As you continue to add values, the widget preview updates to the left of
the widget template.

 8. To add your KPI widget to the dashboard, click Create Widget, and then click Save changes.

Create a time-series widget


Create interactive time-series widgets to view data points at specific time intervals. Use long-term
widgets to view a broader range of records (up to seven days), or use short-term widgets to drill
down into specific log activity over a designated time.

 1. On the SEM Console, click the Dashboard tab.


 2. On the upper right of the SEM Dashboard, click Edit Dashboard.
 3. On the Edit Dashboard toolbar, click Add widgets.
The Creating Widget pane expands, displaying a variety of widgets and widget templates.

 4. Select New Time Series Widget - Short Term, and then click Customize.

To monitor a broader range of event logs, select the long-term widget.

 5. Expand Title and Description, and enter a title for the widget (subtitle and description are
optional).
 6. Expand the Filter and property section.

 a. From the drop-down lists, select the specific event groupings to appear in the widget. For
example, if you want to monitor a time line of failed logons, select Failed Logons from the
Filters drop-down list, and then select DestinationAccount from the properties drop-down
list.
 b. Click the arrows to set your number of shown groups (between one and 10).
 7. Expand the Timeseries Metadata section, and select your starting time span, chart legend
display option, and then the auto refresh rate.

As you make your changes, the widget preview updates to the left of the widget template.

 8. Click Create Widget, and then click Save changes.

 9. To view event logs for a designated time, click a specific point in the chart.

The Events viewer opens displaying associated logs.

Create a nodes table widget


The nodes table widget displays a variety of properties for each node in your network, such as IP
address, operating system, connector profile, status, and more.

 1. On the SEM Console, click the Dashboard tab.


 2. On the upper right of the SEM Dashboard, click Edit Dashboard.

 3. On the Edit Dashboard toolbar, click Add widgets.

The Creating Widget pane expands, displaying a variety of widgets and widget templates.
 4. Select New Table Widget, and then click Customize.

 5. Expand Title and Description, and enter a title for the widget (subtitle and description are
optional).
 6. Expand Sorting, and select a sorting option.
 7. Under Refresh, enable Refresh if required and set the refresh rate.
 8. To add values and formatting to each column, select Add New Column.
 9. Expand Description, and enter the column name.
 10. Expand Property, and select the format and column value from the drop-downs.
 11. Continue to add columns and values. As you make your changes, the widget preview updates to
the left of the widget template.
 12. To add your widget to the dashboard, click Create Widget, and then click Save changes.

Manage users in SEM


This section contains topics related to managing SEM user accounts, including managing user
access to SEM data.

Add SEM users


Access to SEM data requires a user account. Even basic access, such as receiving notifications sent
by SEM through email or SMS text message, requires a user account.

About SEM roles


To restrict user access to sensitive data, user accounts need to be assigned to a SEM role. There are
six SEM role types: Administrator, Auditor, Monitor, Guest, Reports, and Contact. Role types are
described in the following table.

See also: System Privileges associated with roles.

Role | Description
=======================================================================
Administrator | The default user. This role cannot be deleted and has full access to the SEM console. SolarWinds does not recommend multiple users sharing the Admin account, for auditing purposes.
Auditor | User has extensive view rights to the system, but cannot modify anything other than their own filters.
Monitor | User has read-only access to the SEM console. See Modify filters for Monitor role users to configure the filters assigned to this role. Users assigned to this role cannot edit filters.
Guest | User has extensive view rights to the system, but cannot modify anything other than their own filters.
Contact | User cannot log in to the SEM console, but can receive external notifications such as email sent to either the user's email address, imported distribution lists, or cellular email-to-SMS addresses for texts. Use this role if you have an external incident resolution or trouble ticket system, or if you have a user who does not need to access the console.
Reports | User cannot log in to the SEM console, but can access the SEM reports application. This role can access the SEM database over a secure channel. See Enable transport layer security (TLS) in the SEM reports application for details.

Do not confuse roles and groups:

- Roles restrict the actions a user can perform in SEM.
- Groups organize related elements into logical units so that they can be used in SEM rules
and filters.

About SEM user accounts


There are two ways to add a user account in SEM:
- Add an Active Directory user account
- Create a local user account

SolarWinds recommends using Active Directory accounts if Microsoft Active Directory is in use
at your organization.

Each user should have a valid email address so that the user can receive notifications sent by SEM.
SolarWinds recommends that you create distinct users for everyone who needs to receive email
notifications from SEM Manager. If you want to send identical notifications to your IT department
personnel, associate a distribution list email address to all relevant users.

To establish minimum password requirements for local user accounts in SEM, see Set the
global password policy for SEM users.
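The global password policy referenced above is spelled out later in this section, in the Password field of the user account form: 6 to 40 characters, no user name, no forbidden characters, and at least three of the four character classes. The following Python checker is an added example, not SolarWinds code. It applies those rules to a candidate password so you can pre-validate passwords (for instance in a provisioning script) before creating local accounts. Because the guide does not list the forbidden characters, the FORBIDDEN set is a labelled placeholder, and the case-insensitive user-name check is an assumption.

```python
"""Added example (not SolarWinds code): a checker for the local-user password
policy SEM enforces when password restrictions are enabled.

The policy as the guide states it: 6 to 40 characters, must not include the
user name, must not include forbidden characters, and must contain at least
three of the four classes (upper case letter, lower case letter, special
character, digit).  The guide does not list the forbidden characters, so
FORBIDDEN below is an assumed placeholder; replace it with the characters your
SEM deployment rejects.  User names and passwords in the demo are constructed.
"""
import string

# ASSUMPTION: placeholder set of forbidden characters (whitespace and quoting
# characters); the guide does not enumerate the real set.
FORBIDDEN = set(" \t\"'\\")

# The four character classes the policy counts; a compliant password needs
# at least three of them.
CLASSES = {
    "upper case letter": str.isupper,
    "lower case letter": str.islower,
    "digit": str.isdigit,
    "special character": lambda ch: ch in string.punctuation,
}


def password_violations(password: str, username: str) -> list:
    """Return the policy rules a candidate password breaks (empty means compliant)."""
    problems = []
    if not 6 <= len(password) <= 40:
        problems.append("length must be between 6 and 40 characters")
    # Assumption: the user-name check is case-insensitive, the safer reading.
    if username and username.lower() in password.lower():
        problems.append("must not include the user name")
    bad = sorted(ch for ch in set(password) if ch in FORBIDDEN)
    if bad:
        problems.append(f"contains forbidden character(s): {bad}")
    present = [name for name, test in CLASSES.items() if any(test(ch) for ch in password)]
    if len(present) < 3:
        problems.append(f"has only {len(present)} of the 4 character classes; needs at least 3")
    return problems


def is_compliant(password: str, username: str) -> bool:
    return not password_violations(password, username)


if __name__ == "__main__":
    # Constructed samples; none of these are real credentials.
    for user, pw in [("alice", "Tr0ub4dor"), ("alice", "alicepass1"), ("bob", "Pa ss!")]:
        print(f"{user}/{pw!r}: {password_violations(pw, user) or 'compliant'}")
```

Returning the full list of violations rather than a single yes/no lets a provisioning script tell the requester exactly which rule to fix, and keeps the check aligned with what SEM itself will refuse when the account is created.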

How Active Directory accounts work in SEM


You can configure SEM to allow users to log in with their Active Directory credentials. Using Active
Directory for user authentication means you do not have to maintain duplicate user accounts in SEM,
and users do not have to remember an additional user name and password just for SEM.

See Set up Active Directory authentication in SEM to configure SEM to allow users to log in
with their Active Directory credentials.

SEM roles are mapped to DS groups in Active Directory if AD authentication is enabled.

See Configure or View Active Directory authentication settings in SEM to look up which Active
Directory groups are mapped to SEM roles.

SEM supports Active Directory single sign-on (SSO). If SSO is enabled, users can bypass the SEM
login screen and go straight to the application if they are already logged in to another application that
accepts the user's AD credentials.

See Set up single sign-on (SSO) in SEM to configure SEM to allow users to bypass the SEM
login screen if they are already logged in to an application that accepts the user's AD
credentials.

SEM can use Active Directory groups of Windows users and computer accounts in SEM rules and
filters. Any changes made to users or groups in Active Directory propagate to rules and filters in SEM.

Create a local SEM user account


Access to SEM data requires a user account. Even basic access, such as receiving notifications sent
by SEM through email or SMS text message, requires a user account.

User accounts need to be assigned to a SEM role to restrict access to sensitive data. There are five
SEM role types: Administrator, Auditor, Monitor, Guest, and Reports. Role types are described in the
following table.

 1. On the SEM Console, navigate to Configure > Users.

 2. On the Users toolbar, click Add user.


 3. Complete the user account form, and then click Add. Reference the table below for information
on the form fields.
Field Description
Username User account name.

Password User password to access the Manager. This can be an initial system password or a temporary password that is assigned to replace a forgotten password.
If password restrictions are enabled (Settings > Authentication > Local Users), SEM enforces the following policy. Passwords must:
 l Be between 6-40 characters
 l Not include user names
 l Not include forbidden characters
Passwords must also include at least three of the following:
 l One upper case letter
 l One lower case letter
 l One special character
 l One digit

Confirm password Enter the password again.

Role Select a SEM role for this user.
 l Administrator - Has full access to the system, and can view and modify everything.
 l Auditor - Has extensive view rights to the system, but cannot modify anything other than their own filters.
 l Monitor - Can access the console, cannot view or modify anything, and must be provided a set of filters. See "Specify the filters that users assigned the Monitor role can use on the SEM Console" for steps.
 l Guest - Has extensive view rights to the system, but cannot modify anything other than their own filters.
 l Reports - Cannot log in to the SEM console, but can log in to the SEM reports application. This role can access the SEM database over a secure channel.

First name User's first name

Last name User's last name

Description Type a brief description (up to 50 characters). For example, provide the user title, position, or area of responsibility.

Contact e-mail Email address. SEM notifies users by email about network security events. You can add as many email addresses as required.

 4. Select a user in the list to edit the user account, change the user's password, require the user to
change passwords, or delete the user account.

In the Refine Results pane, you can filter users based on account type and last login.
Under Last modified, click the time setting to adjust the login time frame.

Edit user account settings


 1. On the SEM Console, click the Configure tab, and select Users from the drop-down list.
 2. Select a user account in the list:
 l To edit the user account settings, click Edit user.
 l To remove a local user account from the system, click Delete.
 l To change a user's password, click Change password, then enter and confirm the
password in the pop-up window.
 l To require that a user change their password when first logging in, click Require password
change.

View system privileges associated with a role


Below are the system privileges associated with each user role. Privileges are either allowed, not
allowed, or not applicable. The following roles are available:
 l Admin
 l Auditor
 l Monitor
 l Guest
 l Reports
 l Contact

Admin
Area Access Modify Audit
General
Options
Add Agents
Remove agents
Users
Policy
Database warehouse
Actions
Explorer
Nslookup
Traceroute
Whois
Get IP information
Tools
Manager tools
Agent tools
Tool profile tools
Groups
Alert groups
Directory service groups
Time-of-day sets
Tool profiles
User-defined groups
Properties
Manager status
Manager tools
Manager remote updates
Agent status
Agent tools
Agent remote updates
Filters
Filter Editor
Organize
Rename
Export
Import
Clone
Delete
Enable/disable
Rules
Rule Editor
State variables
Notification templates
FIM
FIM driver controls
Reports
Report viewer

Auditor
Area Access Modify Audit
General
Options
Add Agents
Remove agents
Users
Policy
Database warehouse
Actions
Explorer
Nslookup
Traceroute
Whois
Get IP information
Tools
Manager tools
Agent tools
Tool profile tools
Groups
Alert groups
Directory service groups
Time-of-day sets
Tool profiles
User-defined groups
Properties
Manager status
Manager tools
Manager remote updates
Agent status
Agent tools
Agent remote updates
Filters
Filter Editor
Organize
Rename
Export
Import
Clone
Delete
Enable/disable
Rules
Rule Editor
State variables
Notification templates
FIM
FIM driver controls
Reports
Report viewer

Monitor
Area Access Modify Audit
General
Options
Add Agents
Remove agents
Users
Policy
Database warehouse
Actions
Explorer
Nslookup
Traceroute
Whois
Get IP information
Tools
Manager tools
Agent tools
Tool profile tools
Groups
Alert groups
Directory service groups
Time-of-day sets
Tool profiles
User-defined groups
Properties
Manager status
Manager tools
Manager remote updates
Agent status
Agent tools
Agent remote updates
Filters
Filter Editor
Organize
Rename
Export
Import
Clone
Delete
Enable/disable
Rules
Rule Editor
State variables
Notification templates
FIM
FIM driver controls
Reports
Report viewer

Guest
Area Access Modify Audit
General
Options
Add Agents
Remove agents
Users
Policy
Database warehouse
Actions
Explorer
Nslookup
Traceroute
Whois
Get IP information
Tools
Manager tools
Agent tools
Tool profile tools
Groups
Alert groups
Directory service groups
Time-of-day sets
Tool profiles
User-defined groups
Properties
Manager status
Manager tools
Manager remote updates
Agent status
Agent tools
Agent remote updates
Filters
Filter Editor
Organize
Rename
Export
Import
Clone
Delete
Enable/disable
Rules
Rule Editor
State variables
Notification templates
FIM
FIM driver controls
Reports
Report viewer

Reports
Area Access Modify Audit
General
Options
Add Agents
Remove agents
Users
Policy
Database warehouse
Actions
Explorer
Nslookup
Traceroute
Whois
Get IP information
Tools
Manager tools
Agent tools
Tool profile tools
Groups
Alert groups
Directory service groups
Time-of-day sets
Tool profiles
User-defined groups
Properties
Manager status
Manager tools
Manager remote updates
Agent status
Agent tools
Agent remote updates
Filters
Filter Editor
Organize
Rename
Export
Import
Clone
Delete
Enable/disable
Rules
Rule Editor
State variables
Notification templates
FIM
FIM driver controls
Reports
Report viewer

Contact
Area Access Modify Audit
General
Options
Add Agents
Remove agents
Users
Policy
Database warehouse
Actions
Explorer
Nslookup
Traceroute
Whois
Get IP information
Tools
Manager tools
Agent tools
Tool profile tools
Groups
Alert groups
Directory service groups
Time-of-day sets
Tool profiles
User-defined groups
Properties
Manager status
Manager tools
Manager remote updates
Agent status
Agent tools
Agent remote updates
Filters
Filter Editor
Organize
Rename
Export
Import
Clone
Delete
Enable/disable
Rules
Rule Editor
State variables
Notification templates
FIM
FIM driver controls
Reports
Report viewer


Set the global password policy for SEM users


In the Authentication settings, you can set minimum password requirements for local SEM user
accounts.

 1. On the SEM Console, click the Settings button.

 2. On the Settings page, click the Authentication tab, and then select Local Users.
 3. To require complex passwords for SEM users, click the Password Restrictions toggle button.

Passwords must be between 9 and 40 characters long and cannot contain user names or control
characters.

Complex passwords must include at least three of the following four character types:
 l One upper-case letter
 l One lower-case letter
 l One number
 l One special character (!, @, #, etc.)
 4. Adjust the Minimum Password Length setting according to your preference, and then click Save.
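The password rules above as a standalone checker. This is an added example, not SolarWinds code: it applies the 40-character ceiling, the user-name rule and the three-of-four character-class rule as the page states them, and takes the minimum length as a parameter because the console's Minimum Password Length setting can raise it. Which characters count as "control" or "forbidden" characters is an assumption (ASCII control characters here), and the sample inputs are constructed.

```python
import re
import string

# Assumed defaults: 9 characters with Password Restrictions on (the console's
# Minimum Password Length setting can raise this), 40 characters maximum.
DEFAULT_MIN_LENGTH = 9
MAX_LENGTH = 40

# Assumption for this example: the page's "control characters" are taken to be
# ASCII 0-31 and DEL; the page does not enumerate them.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def character_classes(password: str) -> set:
    """Return the set of character classes present: upper, lower, digit, special."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def check_password(password: str, username: str,
                   min_length: int = DEFAULT_MIN_LENGTH) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # The user-name rule is applied case-insensitively, as a substring match.
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    if _CONTROL.search(password):
        problems.append("contains control characters")
    if len(character_classes(password)) < 3:
        problems.append("uses fewer than three of: upper, lower, digit, special")
    return problems


if __name__ == "__main__":
    # Constructed samples, not real credentials.
    for pw, user in [("Tr0ub4dor&3", "alice"), ("Alice2024!x", "alice"),
                     ("alllowercase1", "bob"), ("Ab1!", "bob")]:
        print(repr(pw), "->", check_password(pw, user) or "ok")
```

The checker reports every violated rule rather than stopping at the first, which is what a help-desk script or a pre-provisioning check wants when explaining a rejection to the user.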

Set up Active Directory authentication in SEM


Set up Active Directory authentication to allow users to log in to SEM with their Active Directory (AD)
credentials.

This task configures SEM for Active Directory authentication. See Configure Active Directory
and SEM to work with SEM rules and filters to configure SEM to monitor Active Directory
accounts for security violations.

Gather required information


Before you begin, gather the following:
 l Either the IP address or fully-qualified domain name (FQDN) of the Active Directory server.
 l The domain credentials for an account that SEM can use to log in to Active Directory.
SolarWinds recommends using a service account with a non-expiring password. This account
does not need elevated privileges.


To get directory server details, open a Windows command prompt on a computer on the
correct network and type nslookup.

Create a user in Active Directory that SEM can use to log in


 1. Log in to the domain controller and open Active Directory Users and Computers.
 2. Create a user account that SEM can use to log in to Active Directory. SolarWinds recommends
using a service account with a non-expiring password. This account does not need elevated
privileges (such as Domain Admin privileges).

Create custom security groups in Active Directory for SEM to use


User access in SEM is based on Active Directory group membership.

If you want to use your existing Active Directory groups for alerts, reports, and so on, skip this
section and go to the next section, Configure or view Active Directory authentication settings in
SEM.

 1. Log in to the domain controller and open Active Directory Users and Computers.
 2. Create at least one security group called ROLE_LEM_ADMINISTRATORS. Group names must be
identical to the names given below; otherwise, users cannot log in to the SEM console.
SolarWinds recommends creating SEM group names using capital letters to help you quickly
identify SEM groups in Active Directory.
You can add up to six of the following SEM custom groups:
 l ROLE_LEM_ADMINISTRATORS
 l ROLE_LEM_ALERTS_ONLY

ROLE_LEM_ALERTS_ONLY permissions correspond to the Monitor user role.

 l ROLE_LEM_AUDITOR
 l ROLE_LEM_GUESTS
 l ROLE_LEM_CONTACTS
 l ROLE_LEM_REPORTS

Learn more about SEM roles here.

The ROLE_LEM_CONTACTS group is only used for email notification in rules. Users added to
this group do not have login rights.


Configure or view Active Directory authentication settings in SEM


In SEM 2020.4 and newer versions, you can create multiple LDAP configurations.

 1. Click the settings icon on the upper right.

 2. Select Authentication > LDAP Configuration.

If any LDAP configurations have already been created, they are displayed.

 3. Click Create configuration.


The Create LDAP Configuration dialog is displayed.

 4. Enter the following information:

Field Description
Configuration Name Enter a friendly name of your choosing for the LDAP configuration.

IP or Hostname Enter the IP address or host name of your LDAP server.

Domain Enter the fully-qualified domain name for the account store.

Directory Service Server User Name Use the format account_name@example.com. SolarWinds recommends using a Directory Service account to prevent integration issues if the software license expires. The user name does not require special privileges (such as Domain Admin) to be a Directory Service user.

Directory Service Server Password Enter the password for the user account.

Use SSL Encryption (Optional) Select to use the transport layer security protocol (LDAPS) for a secure connection. This option directs traffic from the SEM VM to a designated server (usually a domain controller) for use with the Directory Service tool.

LDAP Port If SSL encryption is not used, the default for this setting is 389. If SSL encryption is used, the default for the port is 636.

Use for Authentication Select, then click Next if you wish to use the Advanced Settings shown below.

Domain Aliases (Optional) Specify any Domain Alias names that should be authenticated using this LDAP configuration. (The role/group names configured on this page will also apply.)

NetBIOS Names (Optional) Specify any NetBIOS names that should be authenticated using this LDAP configuration. (The role/group names configured on this page will also apply.)

Admin Group (Optional) Specify the DS group in Active Directory to use for the SEM administrator role. If you do not specify a name, the default ROLE_LEM_ADMINISTRATORS group is used.

Alerts Only Group (Optional) Specify the DS group in Active Directory to use for the SEM auditor role. If you do not specify a name, the default ROLE_LEM_AUDITOR group is used.

Guest Group (Optional) Specify the DS group in Active Directory to use for the SEM guest role. If you do not specify a name, the default ROLE_LEM_GUESTS group is used.

Notify Only Group (Optional) Specify the DS group in Active Directory to use for the SEM notifications role. If you do not specify a name, the default ROLE_LEM_CONTACTS group is used.

Reports Group (Optional) Specify the DS group in Active Directory to use for the SEM reports role. If you do not specify a name, the default ROLE_LEM_REPORTS group is used.

 5. Click Next.
 6. If you are using SSL encryption, the SSL certificate is shown. Click I trust this certificate to
confirm.
 7. Click Finish to create this configuration.
 8. Configurations can be sorted by name. For each configuration, the name, server, and domain are
displayed, plus flags showing whether the configuration uses SSL and whether it is used for
authentication.

Enable and disable LDAP configurations


Configurations are enabled as soon as they are created.

Use the toggles to disable or enable individual LDAP configurations.

A warning message is displayed if you disable a configuration, informing you that users will be
unable to log on from that domain and that any logged-in users from that domain will be
immediately logged out.

Edit or delete an LDAP configuration


 1. To edit or delete an LDAP configuration, click on the vertical ellipsis icon after the configuration.


 2. Either:
 l Click Edit to display the Configure LDAP details for this configuration, which can now be
edited and saved.
Or:
 l Click Delete to remove this configuration.

Add an Active Directory user to SEM


To grant a user access to SEM, add the user to the appropriate role (security group) in Active
Directory.

SEM does not support nested Active Directory groups.

 1. Open Active Directory Users and Computers.


 2. Add the user to the appropriate role (security group) in Active Directory. Users added to the
ROLE_LEM_CONTACTS group do not have sufficient privileges to log in to SEM.

 3. Add the user to an Active Directory security group that is configured for use with SEM. To see
which groups are configured for SEM, open the LDAP Configuration Management page and
expand the list under Advanced Settings. See Configure or View Active Directory settings in
SEM for details.

When configuring user accounts, make sure the user's Primary group in Active Directory is not set
to one of the SEM custom groups; otherwise, the user cannot log in to SEM. The user sees an
Invalid username and password message instead, and a message like the following is logged:
[SemSpringSecurityAuthManager] {http-nio-8080-exec-1:349} Authentication failed: User is not member of any required role group!
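The group-to-role resolution described in this section, with the two pitfalls the page names (the primary-group case and the lack of nested-group support), as an added example that is not SolarWinds code. The default group names are the ones on the page; the precedence used when a user is in more than one role group is an assumption, as is the constructed sample directory and the constructed log lines modelled on the message quoted above.

```python
import re

# Default SEM role groups named on the page; an LDAP configuration can
# substitute other group names, so the mapping is a parameter.
DEFAULT_ROLE_GROUPS = {
    "ROLE_LEM_ADMINISTRATORS": "Administrator",
    "ROLE_LEM_AUDITOR": "Auditor",
    "ROLE_LEM_ALERTS_ONLY": "Monitor",
    "ROLE_LEM_GUESTS": "Guest",
    "ROLE_LEM_REPORTS": "Reports",
    "ROLE_LEM_CONTACTS": "Contact",   # notifications only, no login rights
}
# Assumed precedence when a user is in several role groups (the page does not state one).
ROLE_PRECEDENCE = ["Administrator", "Auditor", "Monitor", "Guest", "Reports", "Contact"]

# Constructed sample directory: user -> (primary group, direct memberOf groups).
# Nested groups are deliberately not expanded, because SEM does not support them,
# and Active Directory does not list the primary group in memberOf at all.
SAMPLE_DIRECTORY = {
    "alice": ("Domain Users", ["ROLE_LEM_ADMINISTRATORS", "Helpdesk"]),
    "bob":   ("ROLE_LEM_AUDITOR", ["Domain Users"]),     # role group set as primary group
    "carol": ("Domain Users", ["ROLE_LEM_CONTACTS"]),     # notification-only group
    "dave":  ("Domain Users", ["SEM-Parent-Group"]),     # parent group contains ROLE_LEM_GUESTS
}


def effective_role(username, directory=SAMPLE_DIRECTORY, role_groups=DEFAULT_ROLE_GROUPS):
    """Return (role, reason); role is None when the login would be refused."""
    primary, member_of = directory[username]
    matched = [role_groups[g] for g in member_of if g in role_groups]
    if not matched:
        if primary in role_groups:
            return None, (f"{primary} is the user's primary group; primary-group membership "
                          "is not in memberOf, so SEM sees no role group")
        return None, "user is not a direct member of any SEM role group"
    role = min(matched, key=ROLE_PRECEDENCE.index)
    if role == "Contact":
        return None, "ROLE_LEM_CONTACTS grants notifications only, not login"
    return role, f"direct member of a group mapped to {role}"


# Matches the server-side message quoted on the page and captures the reason text.
LOG_PATTERN = re.compile(r"\[SemSpringSecurityAuthManager\].*Authentication failed: (?P<why>.+)$")


def failed_logins(log_lines):
    """Extract the failure reason from SEM log lines that report a rejected login."""
    reasons = []
    for line in log_lines:
        m = LOG_PATTERN.search(line)
        if m:
            reasons.append(m.group("why").strip())
    return reasons


SAMPLE_LOG = [   # constructed lines, modelled on the message quoted on the page
    "[SemSpringSecurityAuthManager] {http-nio-8080-exec-1:349} Authentication failed: "
    "User is not member of any required role group!",
    "[SomeOtherComponent] {http-nio-8080-exec-2:350} Login OK for alice",
]

if __name__ == "__main__":
    for user in SAMPLE_DIRECTORY:
        print(user, "->", effective_role(user))
    print(failed_logins(SAMPLE_LOG))
```

Running this shows why bob and dave are refused even though each is "in" a role group from the administrator's point of view: bob's membership is only through the primary group, and dave's only through nesting. Both conditions produce the same "not member of any required role group" line on the server, so the log alone does not distinguish them.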

Set up single sign-on in SEM


SEM supports Active Directory (AD) single sign-on (SSO). When SSO is enabled, SEM does not request
a user name and password if the user is already logged in to AD. Instead, AD authenticates the user
in the background, and SEM automatically logs the user in with the appropriate access rights. User
access in the SEM consoles (the web console and the SEM reports application) is based on AD group
membership.

With SEM 2022.2 and later, the weak, deprecated 3DES and RC4 Kerberos encryption types are
disabled by default and have been replaced with AES-based encryption. After upgrading to SEM
2022.2, users whose accounts still use 3DES or RC4 encryption will be unable to log in to SEM
using SSO. In this case, Kerberos AES encryption must be enabled in the respective Active
Directory. See Enable Kerberos AES-based encryption below for steps.

Setting up SSO involves the following tasks:
 l Enable Kerberos AES-based encryption
 l Set up Active Directory authentication in SEM
 l Generate a keytab file using Ktpass
 l Configure SSO settings
 l Configure browser settings for SSO
 l Configure SEM for either SSO-only authentication, or SSO and local authentication
 l Configure SSO settings in SEM using the command-line (Deprecated)

Enable Kerberos AES-based encryption


In SEM 2022.2, the weak, deprecated 3DES and RC4 Kerberos encryption types have been
disabled by default. These have been replaced with AES-based encryption.

After upgrading to SEM 2022.2, users who were using 3DES or RC4 encryption will be unable to
log in to SEM using SSO.

There are two options to enable Kerberos AES encryption:

For the whole Active Directory:

 1. Open the Group Policy Management Console, locate the relevant domain, and select Default
Domain Policy.
 2. Right-click Default Domain Policy and select Edit.
 3. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies
> Security Options.
 4. Open Network security: Configure encryption types allowed for Kerberos:
 l Enable Define these policy settings.
 l Enable AES128_HMAC_SHA1.
 l Enable AES256_HMAC_SHA1.

For a single user in the Active Directory:

 1. Locate the user account in Active Directory Users and Computers.
 2. Select Properties.
 3. Select the Account tab.


 4. In the section titled Account Options, ensure the following options are selected.

Set up Active Directory authentication in SEM


First configure Active Directory (AD) authentication and verify that users can log in to SEM with their
AD credentials. For details, see Set up Active Directory authentication in SEM. After verifying that
users can log in to SEM with their AD credentials, complete the next step.

Generate a keytab file using Ktpass


To configure SEM for Active Directory (AD) SSO, a Kerberos keytab file is required. SEM uses this file
to authenticate users with AD and to enforce user account security. The keytab file is exported from
AD and imported into SEM, and contains a table of AD user accounts, along with the encrypted hash
of each user's password. ktpass is the Windows Server command-line tool that generates the
.keytab file, as well as the shared secret key that SEM uses to securely authenticate users with AD.

See the Microsoft Technical Documentation article, ktpass, for further information about the
ktpass command and ktpass arguments.

Before you run the ktpass command, gather the following information:
 l Fully-qualified domain name (FQDN) of the SEM VM – The FQDN is the complete domain name
of the SEM virtual machine on the Internet. It includes the host name (the label assigned to a
device on the network), and the name of the domain that hosts the device. For example, if the
device name is swi-sem and the company domain is yourcompany.local, the FQDN is swi-
sem.yourcompany.local.
 l Realm – This is the Active Directory Domain Services (AD DS) domain name. The realm name is
used to route authentication requests to the AD server that holds user credentials. The realm
name is case sensitive and normally appears in upper-case letters. To simplify your Kerberos
client configuration, make the realm name identical to your DNS domain name by only using
upper-case letters. For example, if YourCompany belongs to the DNS domain name
yourcompany.com, the Kerberos realm should be YOURCOMPANY.COM.
 l Service principal name (SPN) – The SPN provides an alias (or pointer) to your domain account.
The SPN consists of the FQDN, followed by the @ symbol, followed by the realm.


For example, the SPN for a device named swi-sem located at http://www.yourcompany.com
would be http/swi-sem.yourcompany.local@YOURCOMPANY.COM where swi-
sem.yourcompany.local is the FQDN, and YOURCOMPANY.COM is the realm.

 1. Do the following to obtain the SEM host name and IP address:
 a. Open the SEM CMC command line. See Log in to the SEM CMC command line interface
for steps.
 b. At the prompt, enter appliance to access the Appliance menu.

 c. At the prompt, enter viewnetconfig.


 d. When prompted, enter b to select the brief network configuration.

 e. Record the domain name, host name, and the host name's resolved IP address.
 f. Exit the management console.
 2. Create a new user (host) in DNS:
 a. Open DNS manager on your domain controller.
 b. Create an A record entry for SEM on the DNS server using the host name and IP address.
Verify that DNS Manager populated the domain field with the correct domain membership.
 3. Open Active Directory Users and Computers.
 4. Create an organizational unit (OU) and name it Keytab.
 5. Select the Keytab OU and create a new user account (or Service Principal Name [SPN]).
Write down the SPN. You will need it in a later step.


 6. Generate the Kerberos keytab file using the ktpass command:
 a. Log in to the Active Directory server as an administrator.
 b. Open a command prompt as an administrator.
 c. Run the following ktpass command:

ktpass -princ HTTP/<fqdn>@<REALM> -pass <SPN_account_password> -mapuser <domain_name>\<user_name> -pType KRB5_NT_PRINCIPAL -crypto ALL -out c:\sem.keytab

If you receive an error when you run the command, replace the -mapuser argument
with -mapuser <user_name>.

The ktpass command takes the following arguments:

 l -princ specifies the service principal name (SPN) in the form
HTTP/<fqdn>@<REALM>. You will use this value in your SEM configuration.
 l -pass is the SPN account password.
 l -mapuser maps the Kerberos principal name (specified in the -princ argument) to
the specified domain account.
 l -pType specifies the principal type as Kerberos 5 for Microsoft Windows.
 l -crypto specifies the encryption type. Entering ALL indicates all supported types.
 l -out specifies the name and location for the generated Kerberos 5 keytab file.

 7. Navigate to the keytab file location (for example, c:\sem.keytab specified in the -out
argument).

 8. To allow SEM access to Active Directory, import the keytab file into SEM.
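Before uploading the keytab produced by the ktpass command above, it is worth confirming what it actually contains: that every entry carries the SPN you will enter in SEM, that the principal type is KRB5_NT_PRINCIPAL, and that AES entries are present, since SEM 2022.2 and later disable RC4 and 3DES by default. The following is an added example, not SolarWinds code or the ktpass tool: it builds the SPN from the FQDN and DNS domain as the page describes, and parses the MIT keytab layout (version 0x0502) that ktpass writes. The enctype numbers come from the Kerberos registry (RFC 3961/4120); the sample keytab is constructed in the block with placeholder key bytes, not real keys.

```python
import struct

# Kerberos encryption type numbers (RFC 3961 / RFC 4120 registry).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 3, 16, 23}   # DES, 3DES and RC4: disabled by default since SEM 2022.2
AES_ENCTYPES = {17, 18}
KRB5_NT_PRINCIPAL = 1            # the -pType value used in the ktpass command


def build_spn(fqdn: str, dns_domain: str) -> str:
    """HTTP/<fqdn>@<REALM>, the realm being the DNS domain name in upper case."""
    return f"HTTP/{fqdn}@{dns_domain.upper()}"


def _counted(data: bytes) -> bytes:
    # MIT keytab "counted octet string": 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(data)) + data


def build_keytab(principal: str, keys: dict, kvno: int = 3, timestamp: int = 1670000000) -> bytes:
    """Build a version-2 (0x0502) MIT keytab with one entry per enctype.
    Used here only to construct a sample file; the key bytes are placeholders."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    out = b"\x05\x02"
    for enctype, key in keys.items():
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data: bytes) -> list:
    """Return one dict per entry (principal, name_type, kvno, enctype, key_len); keys are not returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                    # skip the key material itself
        if end - pos >= 4:                 # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "kvno": kvno, "enctype": enctype, "key_len": klen})
    return entries


def audit_keytab(data: bytes, expected_principal: str) -> dict:
    """The checks worth doing before the file is imported into SEM."""
    entries = parse_keytab(data)
    enctypes = {e["enctype"] for e in entries}
    return {
        "entries": len(entries),
        "principal_ok": {e["principal"] for e in entries} == {expected_principal},
        "name_type_ok": all(e["name_type"] == KRB5_NT_PRINCIPAL for e in entries),
        "has_aes": bool(enctypes & AES_ENCTYPES),
        "weak_present": sorted(ENCTYPE_NAMES.get(t, str(t)) for t in enctypes & WEAK_ENCTYPES),
        "kvnos": sorted({e["kvno"] for e in entries}),
    }


# Constructed sample with RC4 and both AES types, placeholder key bytes (NOT real keys).
SAMPLE_PRINCIPAL = build_spn("swi-sem.yourcompany.local", "yourcompany.com")
SAMPLE_KEYTAB = build_keytab(SAMPLE_PRINCIPAL,
                             {23: b"\x11" * 16, 17: b"\x22" * 16, 18: b"\x33" * 32})

if __name__ == "__main__":
    for key, value in audit_keytab(SAMPLE_KEYTAB, SAMPLE_PRINCIPAL).items():
        print(f"{key}: {value}")
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `audit_keytab` together with the SPN you intend to enter in SEM. A result with `has_aes` false means the account was not allowed AES when ktpass ran; regenerating the keytab after enabling AES for the account (see Enable Kerberos AES-based encryption) also bumps the kvno, so the `kvnos` value is useful when comparing an old and a new file.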

Configure SSO settings


SEM 2021.2 and later simplifies and improves Single Sign-On (SSO) configuration, moving these to
the Authentication section of Settings.

SEM uses HTTP/2 and rejects HTTP/1 requests. However, if you use Single Sign-On, HTTP/1 has to be
enabled, because SSO uses Kerberos/NTLM authentication, which does not support HTTP/2. If SSO is
subsequently disabled, HTTP/1 is also disabled.

 1. To view the Authentication section, click the settings icon and select Authentication.

 2. Select the SSO Configuration tab.

Existing SSO Configurations are listed. These can be temporarily deactivated using the green
toggle switches.

To add a new SSO login:

 1. Click Create Configuration to display the Create SSO Configuration window.

 2. Enter the Service Principal Name (SPN). For example:


http/sem.yourcompany.local@YOURCOMPANY.COM


 3. Click Browse, and then select the keytab file.


See Generate a keytab file using Ktpass for further information.
 4. Click Save.
Your keytab file is uploaded to SEM. If you are logged in as a local user, SEM logs you out of the
Admin user interface.
SSO is now configured on SEM.

Edit or delete an SSO configuration


To edit or delete an SSO configuration, click the vertical ellipsis icon after the SSO name and click Edit or Delete.

Configure browser settings for SSO


By default, most browsers do not restrict the transmission of login credentials for intranet sites.
However, your company may have policies that have this restriction on intranet sites.

Google Chrome, Microsoft Edge, and Opera


 1. Click Search and enter Internet Options.
The Internet Properties window is displayed.
 2. Click the Advanced tab and scroll down to the Security section.
 3. Check that Enable Integrated Windows Authentication is enabled. If not, check the box.
 4. Click the Security tab and select Local Intranet.
 5. Click Custom Level.

 6. Scroll down to the User Authentication section at the very end of the list of options.
 7. Check that Automatic logon only in Intranet zone is enabled. If not, check the box.
 8. Still on the Security tab, click Sites.
 9. Check that all boxes are checked, then click Advanced.
 10. Add your FQDN or URL as a website in the Local Intranet zone.
For example:
https://swi-sem.yourcompany.local

The FQDN must be added to the list of trusted sites.

 11. Save your settings and close Internet Options.


 12. To test your settings, close all browser windows (clear cache, if needed), and then open the SEM
FQDN to confirm it is working.

Mozilla Firefox
 1. Open Firefox, and then enter about:config in the address bar.
 2. In the Filter field, enter network.negotiate-auth.trusted-uris.
 3. In the list, double-click network.negotiate-auth.trusted-uris.
 4. Enter the fully-qualified domain name (FQDN) or URL that you use for SEM.
For example: mysemappliance.example.com
The web browser is now configured for SSO.

Configure SEM for either SSO-only authentication, or SSO and local authentication


Complete these steps to configure which credentials users can use to log in to SEM. You can allow
users to log in with either local SEM credentials or SSO (LDAP) credentials, or you can restrict users to
only SSO (LDAP) credentials.

 1. Select the Login Options tab.

 2. Use the toggle switches to select the login options to be used.
Updates take place immediately. Log in using the appropriate credentials to verify that the
settings are correct.


Configure SSO settings in SEM using the command-line


This option is deprecated in versions 6.8 and later.

Use these alternate steps if you do not want to use the SEM admin user interface to upload the keytab
file. (You do not have to repeat this process if you already uploaded the keytab file to SEM.)

 1. Log in to the CMC command-line interface. See Log in to the CMC command line interface for
steps.
 2. At the cmc> prompt, enter import.

 3. Follow the prompts on your screen to complete the import.


The file is uploaded in the appliance file system.

 4. Return to the management console menu.


 5. At the cmc> prompt, enter admin to access the admin command-line interface.
 6. Enter your user name and password.


 7. Arrow down to LOGIN, and then press Enter.


 8. Arrow down to SSO configuration, and then press Enter.

 9. Arrow down to Add New Configuration, and then press Enter.

The content on this screen may vary with your SEM implementation.


 10. Enter your SSO configuration settings.

 a. Enter the Service Principal Name (SPN). See Generate a keytab file using Ktpass for
details.
For example: http/swi-sem.yourcompany.local@YOURCOMPANY.COM
 b. Enter the path to your keytab file using the following syntax:
/var/transfer/storage/<your_keytab_file_name>.keytab

 11. Arrow down to Save, and then press Enter.


The upload is completed.
 12. Exit the management console.
SSO is now configured on your appliance.

Updates take place immediately. Log in using the appropriate credentials to verify that the settings
are correct.

Change the SEM CMC password


The CMC command-line interface (CLI) is used to connect to the SEM VM and perform administrative
tasks. SolarWinds recommends that you periodically change the password used to access the CMC
command-line.

These steps require the current CMC password. The default password is password.

 1. Log in to the CMC command-line interface. See Log in to the SEM CMC command line interface
for steps.
 2. Type appliance, and then press Enter.
 3. Type password, and then press Enter.


 4. Complete the wizard to change the password. See Special characters allowed in CMC
commands and passwords for help choosing a CMC password.
 5. To return to the root CMC command line, type exit, and then press Enter.
 6. To log out and close the CMC interface, type exit, and then press Enter again.

Test the new CMC password by logging back in to the CMC interface.

Recover a lost CMC password


Contact SolarWinds Support for help if you no longer have the CMC password needed to log in to the
CMC interface. You can still access the CMC interface without the CMC password by logging into the
VM console through the hypervisor and clicking on Advanced Configuration.

Monitor role users and filters


SEM users assigned to the Monitor role can use the filters they have access to, but they cannot
create, edit, delete, or import/export filters.

See About SEM roles to learn more.

By default, this role has access to the same set of filters as other users. To remove and/or modify the
filters that Monitor-role users can access in the console, complete the following steps. You will need
to complete some of these steps on the end-user's computer. When the user logs in to SEM using the
same computer and Windows profile, they will only have access to the filters specified.

 1. From the SEM console, navigate to Configure > Users.


 2. Select the appropriate user and click Edit User.

 3. Temporarily assign the user to the Administrator role.


 4. Instruct the user to log in to the SEM console using their Windows profile.
 5. Change the filters as needed, deleting any unnecessary filters.

If you created and exported the filters in a previous procedure, you can add new filters to
the user Filters list by creating or importing the filter as appropriate. To remove a filter
from the user Filter list, point to the filter and click the x that appears to the right.

 6. Log out the user and close the console window.
 7. Using your administrator login, change the user back to the Monitor role.
 8. From the user computer, have the user log in with their credentials, and then click Monitor.
The user should only see the specified filters.

Send event data to SEM via Agents, syslog, and SNMP

This section describes how to configure SEM to receive events from systems, devices, and
applications in your IT environment. SEM can receive events sent by SEM Agents, syslog, and SNMP.

SEM can correlate SNMP traps from devices and applications that have a corresponding
connector. To configure SEM to receive SNMP traps, turn on the SNMP Trap Logging Service.
See Enable SEM to receive SNMP traps by turning on the SNMP Trap Logging Service for
details.

Get started adding systems and devices to SEM


This section describes how to add agent devices (servers, domain controllers, and workstations), and
non-agent devices (firewalls, router, and switches) to SEM.

There are two ways to configure computers and devices on your network to send log events to SEM:
 l To add servers, domain controllers, and workstations, install a SEM agent.
 l To add firewalls, routers, or switches, configure your devices to send log events directly to the
SEM VM using syslog or SNMP traps. After configuring your device to log to SEM, configure the
appropriate connectors directly on the SEM Manager.


About the SEM agent


Install the SEM agent on servers, domain controllers, and workstations to monitor local events on the
systems in your network. The SEM agent is a stand-alone service that collects and normalizes log
data on the remote system before it is sent to SEM for processing.

See Install SEM agents to protect servers, domain controllers, and workstations in the SEM
Installation Guide for installation steps.

SEM agents can:


 l Capture events in real time
 l Encrypt and compress the data for efficient and secure transmission to SEM
 l Buffer the events locally if the Agent loses network connectivity to SEM


In addition to monitoring local events, the agent provides event alerting on workstations and servers.
It is also required for some active responses, including logging off a user, shutting down a computer,
and detaching a USB device.

Install the SEM agent on computers that allow third-party software, including servers, domain
controllers, and workstations. On Windows, the SEM agent captures log information from sources
such as Windows Event Logs, a variety of database logs, and local anti-virus logs.

SolarWinds recommends installing the SEM agent if you have the option. If installing the SEM
agent is not feasible, send log events directly to SEM.

About sending log events directly to SEM


Configure non-agent devices, such as firewalls, routers, or switches, to send log events directly to
SEM using syslog or SNMP traps. Then, configure the appropriate device connector using the SEM
console. For a complete list of supported devices, see the SEM Connector List.

See Add syslog and Agent nodes to forward log and event data to SEM for more information
about configuring devices that do not allow third-party software.
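The guide describes non-agent devices sending log events directly to SEM over syslog (TCP or UDP) without showing what such a message looks like on the wire. The following is an added example, not SolarWinds code: it builds an RFC 3164 syslog line (PRI header, timestamp, host, tag, message) and sends it to a SEM syslog listener. It assumes the listener accepts syslog on the standard port 514; the host names, facility and the firewall deny message are constructed for illustration.

```python
"""Send a syslog event to a SEM syslog listener (added example, not SolarWinds code).

Assumes SEM (or a separate syslog server) accepts syslog on UDP/TCP port 514.
The host names, facility and message text below are constructed for illustration.
"""
import socket
from datetime import datetime

# Facility and severity codes from RFC 3164 section 4.1.1 (subset).
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "local4": 20}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def priority(facility: str, severity: str) -> int:
    """PRI value: facility * 8 + severity (for example local4/info = 166)."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def decode_priority(pri: int) -> tuple:
    """Inverse of priority(): return (facility_name, severity_name) for a PRI."""
    fac = {v: k for k, v in FACILITY.items()}[pri // 8]
    sev = {v: k for k, v in SEVERITY.items()}[pri % 8]
    return fac, sev


def build_syslog_message(facility: str, severity: str, hostname: str,
                         tag: str, message: str, when: datetime) -> str:
    """Return an RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG.

    The day of month is space-padded ("Dec  9"), as the RFC requires.
    """
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{priority(facility, severity)}>{stamp} {hostname} {tag}: {message}"


def send_syslog(line: str, sem_host: str, port: int = 514,
                proto: str = "udp") -> int:
    """Send one syslog line to SEM over UDP (one datagram) or TCP (newline-delimited).

    Returns the number of bytes handed to the socket.
    """
    data = line.encode("utf-8")
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            return sock.sendto(data, (sem_host, port))
    with socket.create_connection((sem_host, port), timeout=5) as sock:
        sock.sendall(data + b"\n")
        return len(data) + 1


def example_message() -> str:
    """A constructed firewall deny event with a fixed timestamp (deterministic)."""
    return build_syslog_message(
        "local4", "info", "fw01", "pix",
        "Deny tcp src outside:203.0.113.5/4123 dst inside:10.0.0.8/22",
        when=datetime(2022, 12, 9, 13, 4, 5),
    )


if __name__ == "__main__":
    # Replace with your SEM Manager's address; loopback keeps this harmless to run.
    sent = send_syslog(example_message(), "127.0.0.1")
    print(f"sent {sent} bytes: {example_message()}")
```

A message like this only becomes a SEM event once a connector for the sending device is configured on the SEM Manager; until then it shows up as unmatched data, which is a useful check that the device is reaching SEM at all.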

Configure SEM agents after they are installed


This section documents SEM agent configuration tasks.

After installation, the SEM agent captures log information from sources such as Windows Event Logs,
database logs, and local antivirus logs. Additionally, the SEM agent allows SEM to take specific
actions that you can define as rules.

View the SEM Agents


 1. On the SEM console, navigate to Configure > Nodes.
 2. Under Refine Results, expand the Type group, and then select the Agent check box.


About the SEM Agent for Windows connectors


The SEM agent for Windows includes several preconfigured connectors that collect and display data
from these systems immediately after you install the SEM Agent. By default, the SEM Agent for
Windows includes the following preconfigured connectors:
 l Windows Security Log (for the host OS version)
 l Windows Active Response
 l Windows Application Log
 l Windows System Log

For broader coverage on your Windows computers, configure specific connectors to obtain your
targeted data.

Create connector profiles to manage and monitor SEM agents

Use a connector profile to group agents that share the same connector configuration. You can use
the profile to configure a set of standardized connector settings, and then apply those settings to all
agents assigned to that profile. Once applied, every agent in the profile will have the same connector
settings.

Connector profiles maintain all agents in a profile by updating only the profile connector
configuration. The system then propagates your changes to all the agents in the profile.

Most agents in a network have only a few different connector configurations. Using connector
profiles, you can streamline the process of connecting your network security products to SEM. If you
decide not to use connector profiles, you must create at least one connector instance for every
product that you intend to integrate with SEM, and then repeat this process for each agent.

A well-planned set of connector profiles provides you with a versatile and efficient method for
configuring and maintaining your agent connector configurations. You can create as many connector
profiles as you need to reflect each of your common connector configurations. For example, you can
set up a standard user workstation profile, a web server profile, and so on. SolarWinds provides
several default connector profiles that address common configurations.


About the connector-profile group type


SEM lets you use connector profiles in filters, rules, and searches. After you define a connector
profile, you can use it in rules and filters to include or exclude the agents associated with that profile.
For example, you can create a filter using the Domain Controller connector-profile group to show you
web traffic from the computers in that group.

Groups organize related elements for use with SEM rules and filters. See About SEM groups for
information about the various SEM group types.

Connector profile guidelines


A well-planned set of connector profiles provides you with a versatile and efficient method of
updating and maintaining your agent connector configurations.

When you configure your connector profiles, use the following guidelines:
 l An agent can only be a member of one connector profile.
 l You cannot add an agent to multiple connector profiles.

Create a connector profile: process overview


This section provides an overview of the steps required to create a connector profile. Creating a
connector profile is a three-step process:

 1. Install the SEM agent software on all the systems that you want to include in your new
connector profile, then configure a single SEM agent to serve as the template for your connector
profile.
 2. Add the agents to the connector profile. When completed, the system applies the template to all
agents in the profile.
 3. Verify the connector status.

When you select an agent for a template, ensure the agent has a configuration that mirrors your
concept of the final connector configuration.

You can prepare a template agent in advance by configuring an agent you know will be a member of
the new profile. When completed, use the agent as the template for the new profile. This process
minimizes your need to edit the profile connector configuration in the future.

Create a new connector profile


Create a new connector profile without preconfigured connectors or agents.


 1. On the SEM Console, navigate to Configure > Connector Profiles.

 2. On the Connector Profile toolbar, click Create Connector Profile, select New profile, and then
click Continue.

 3. Enter a name for the profile and a description (optional), and then click Create and Next.

 4. Under Configured connectors, click Add connector.


 5. Under Refine Results, expand the Type group, and then select Connector or Active Response (or
both).


 6. Find the connector to configure. Type part of the connector name in the search box, or use the
filter menus in the Refine Results pane.

 7. Complete the connector configuration form. The following fields are common across most
connectors:
 l Name: Enter a user-friendly label for your connectors.
 l Log File: Enter the location of the log file that the connector will normalize. This is a
location on either the local computer (Agents), or the SEM appliance (non-Agent devices).
 l Output: Normalized, Raw + Normalized, Raw. You only need to configure these values if
SEM is configured to save raw (unnormalized) log messages.
 8. Click Add.

 9. Continue to add more connectors to the profile as needed, and then click Next.
 10. Click Assign agents.
 11. Filter and select one or more agents to add to the profile, and then click Assign.

An agent can only be a member of one connector profile. Learn more about connector
profiles here.

 12. To complete the connector profile configuration, click Finish.

Create a connector profile from a template


Create a profile from a template with preconfigured connectors.


 1. On the SEM Console, navigate to Configure > Connector Profiles.

 2. On the Connector Profile toolbar, click Create, and then select From template.

 3. From the Connector profile template drop-down list, select a template, and then click Continue.


 4. Enter a new name and description for the profile, and then click Create and Next.

Under Configured connectors is a list of preconfigured template connectors.


 5. To configure an additional connector, click Add connector.
 6. Under Refine Results, expand the Type group, and then select Connector or Active Response.
 7. Find the connector to configure. Type part of the connector name in the search box, or use the
filter menus in the Refine Results pane.


 8. Complete the connector configuration form. The following fields are common across most
connectors:
 l Name: Enter a user-friendly label for your connectors.
 l Log File: Enter the location of the log file that the connector will normalize. This is a
location on either the local computer (Agents), or the SEM appliance (non-Agent devices).
 l Output: Normalized, Raw + Normalized, Raw. You only need to configure these values if
SEM is configured to save raw (unnormalized) log messages.
 9. Click Add.
 10. Continue to add more connectors to the profile as needed, and then click Next.
 11. Click Assign agents to add one or more agents to the profile.

An agent can only be a member of one connector profile. Learn more about connector
profiles here.

 12. To complete the connector profile configuration, click Finish.

Create a connector profile from an agent


Create a new connector profile with preconfigured connectors from a selected agent.

 1. On the SEM Console, navigate to Configure > Connector Profiles.


 2. On the Connector Profile toolbar, click Create, and then select From agent.

 3. Click select agent node, to view a list of available agents.


 4. Choose an agent node from the list, click Select, and then click Continue.
 5. Enter a name for the profile and a description (optional), and then click Create and Next.

Connectors that were already configured for this agent node will appear in the connector list.

 6. Under Configured connectors, click Add connector.


 7. Under Refine Results, expand the Type group, and then select Connector or Active Response.


 8. Find the connector to configure. Type part of the connector name in the search box, or use the
filter menus in the Refine Results pane.

 9. Complete the connector configuration form. The following fields are common across most
connectors:
 l Name: Enter a user-friendly label for your connectors.
 l Log File: Enter the location of the log file that the connector will normalize. This is a
location on either the local computer (Agents), or the SEM appliance (non-Agent devices).
 l Output: Normalized, Raw + Normalized, Raw. You only need to configure these values if
SEM is configured to save raw (unnormalized) log messages.
 10. Click Add.

 11. Continue to add more connectors to the profile as needed, and then click Next.
 12. Click Assign agents.

An agent can only be a member of one connector profile. Learn more about connector
profiles here.

 13. To complete the connector profile configuration, click Finish.

Clone a connector profile


Cloning a connector profile allows you to duplicate an existing profile, and then make additional edits
where needed. This option saves valuable time when associating new connectors and agents to a
similar profile configuration.


 1. On the SEM Console, navigate to Configure > Connector Profiles.


 2. From the profile list, select the required connector profile, and click Clone.
 3. Enter a new profile name, and then click Create.
 4. Find and select your cloned connector profile in the list, and click Edit.
 5. Make changes to the profile where needed, and click Finish.

Edit a connector profile


 1. On the SEM Console, navigate to Configure > Connector Profiles.
 2. From the profile list, select a connector profile, and click Edit.
 3. Make changes to the profile as needed, and click Finish.

Add syslog and agent nodes to SEM


This section describes several different ways you can add syslog and agent nodes to SEM.

Add an agent node through the SEM Console


 1. On the SEM Console, click the Nodes tab, and then click Add Agent Node.

The Add agent node window appears displaying options for remote and local installation.


 2. Select an option, and then follow the instructions to add the monitored node. Find how to add
your node connectors here.

Other ways to add nodes to SEM


You can add nodes from the Getting Started wizard by clicking Add Nodes to Monitor.

A dialog box prompts you to choose the type of node you want to add.

Click the drop-down list, select an Agent or non-Agent node to monitor, and then follow the
instructions to add the monitored node.

You can also click Add Node in the Node Health widget to perform the same function.

Update SEM agents


This section describes how to update SEM agents on remote or local Windows computers.

Update SEM agents automatically


On the SEM Console Settings page, you can enable automatic updates for SEM agents and set the
number of concurrent updates.

 1. On the SEM Console, click the Settings button.

 2. On the Settings page, click the Updates tab.


 3. In the Agent Updates section, click the toggle button to allow automatic updates.
 4. Set the maximum number of concurrent updates, and then click Save.

This setting determines the number of agents that can be updated at the same time.

Manually upgrade SEM agents on Unix, Linux, Mac, and Windows hosts using SEM agent installers

If you are installing SEM agents on the far end of a WAN link, copy the SEM Agent Installer executable
to the end of the WAN link and run it there.

Check the SEM release notes or readme file first to be sure that the SEM agent version you are
planning to install is compatible with your installed SEM Manager version.


 1. In the SEM Console, navigate to Configure > Nodes.


 2. Filter nodes by selecting Type - Agent in the Refine Results column.
 l To update one agent, select the agent node and select Upgrade agent from the More
dropdown menu.
 l To update two or more agents, select the agent nodes and select Upgrade agent from the
Commands dropdown menu.
A progress bar appears in the upper right of the console as the agents are being upgraded.

Run the SEM Remote Agent Installer for Windows


Learn how to use the SEM Remote Agent Installer here.

Set up a separate syslog server for use with SEM


This topic describes how to add a separate syslog server to SEM. The SEM VM includes a syslog
server, but you can add a separate syslog server.

You can monitor your switches, routers, and firewalls using a syslog server. This server collects and
sends syslog messages from non-Agent devices to the SEM Manager over TCP or UDP. SEM uses
this information to monitor syslog events and displays them in the Live and Historical Events.

Each device is paired with a connector, enabling SEM to parse messages from the syslog server and
normalize the log message content to a SEM event.

To set up a separate syslog server, you must deploy another SEM VM to function as a syslog server.
Contact SolarWinds Customer Support for assistance.

Node management
You can add agent nodes, configure connectors, and then monitor activity. Once you have configured
nodes and connectors, you can click the Events tab to view your network activity, and then create and
apply filters to tailor your log feed to view event logs vital to maintaining the health of your network
environment.

To display nodes, navigate to Configure > Nodes. This displays the two types of node:
 l Agents: An agent is a software application installed on the device that collects and normalizes
log data before it is sent to the SEM Manager.
 l Non-Agent devices: These are devices that send log data directly to the SEM Manager for
normalization and processing, such as firewalls, switches, and routers.

On the Nodes tab, you can view a list of both agent and non-agent nodes, and select multiple nodes to
conduct bulk operations, such as deleting nodes, upgrading agent nodes, and starting File Integrity
Monitoring (FIM) on agent nodes.

Select one or more items in the Refine Results pane to organize your nodes view, or use the Nodes
toolbar to search for nodes, or organize nodes by Name, IP address, OS type, or version.

Edit node connectors

Update SEM agents manually

Update SEM connectors automatically

Add and remove agents from connector profiles

Configure the Email Active Response connector

Configure Windows domain controller connectors

Verify USB Defender is installed on a SEM agent

Enable additional connectors to add extra log sources to SEM

Configure a firewall connector on a SEM Manager

Verify that the correct alias value is associated with the connector

Export SEM node information

Edit node connectors


 1. On the SEM Console, navigate to Configure > Nodes.
 2. Select an agent node, and then click Manage node connectors.
 3. Select a node connector, click Stop, and then click Edit.
You can choose to configure the agent's connector profile, or configure the agent directly.

 4. To configure the agent connector directly, click Agent Connector Configuration.

This action removes the agent from the profile.


 5. Edit the connector configuration form.


 l Name: Enter a user-friendly label for your connector.
 l Log File: Enter the location of the log file that the connector will normalize. This is a
location on either the local computer (Agents), or the SEM appliance (non-Agent devices).
 l Output: Normalized, Raw + Normalized, Raw. You only need to configure these values if
SEM is configured to save raw (unnormalized) log messages.
 6. Click Save.

You can also stop, start, and delete connectors.

Update SEM agents manually


If you are installing SEM agents on the far end of a WAN link, copy the SEM Agent Installer executable
to the end of the WAN link and run it there.

Check the SEM release notes or readme file first to be sure that the SEM agent version you are
planning to install is compatible with your installed SEM Manager version.

 1. In the SEM Console, navigate to Configure > Nodes.


 2. Filter nodes by selecting Type - Agent in the Refine Results column.
 l To update one agent, select the agent node and select Upgrade agent from the More
dropdown menu.
 l To update two or more agents, select the agent nodes and select Upgrade agent from the
Commands dropdown menu.
A progress bar appears in the upper right of the console as the agents are being upgraded.

Update SEM connectors automatically


On the SEM Console Settings page, you can enable automatic updates for SEM connectors and
initiate a manual connector update.

 1. On the SEM Console, click the Settings button.


 2. On the Settings page, click the Updates tab.

 3. In the Connector Updates section, click the toggle button to allow automatic updates.

Add and remove agents from connector profiles


 1. On the SEM Console, click the Nodes tab, and then select Agent in the Refine Results pane.

Learn more about connector profiles here.

 2. Select an agent check box to expose the configuration toolbar.

 3. From the More drop-down list, select Add to Profile.


 4. Select a profile from the list, and then click Add.

A notification appears indicating the agent was added successfully.

To remove an agent from a profile:

 1. Select an agent, and then navigate to More > Remove from Profile. A confirmation dialog
appears.

 2. Click Remove.

Configure the Email Active Response connector


 1. On the SEM Console, navigate to Configure > Manager Connectors.
 2. To locate the Email Active Response connector, type email in the search box.
 3. Select the Email Active Response connector, and then click Add Connector.


 4. In the Name field, enter a new name, or keep the existing name.
 5. In the Mail Host field, enter the mail host IP address.
If you use a hostname in the Mail Host field, SEM Manager must be able to resolve the mail host
from the DNS entries you entered during your SEM network configuration.
 6. In the Port field, enter 25.
 7. From the Transport Protocol drop-down list, select SMTP or TLS.

TLS 1.2 is supported for email connections in SEM 2020.2.1 and later.

 8. In the Return Address field, enter a return address.

This field is pre-populated with noreply@solarwinds.com. Be sure to change this email
address.

 9. If the email server requires an Active Directory user to send email, enter the authentication
server user name and password in the appropriate fields.

If the email server requires an email to be sent from a computer within the domain, the
email server must have an exception created for the SEM hostname. SEM cannot join the
domain.

 10. Click Add. The connector appears on the Manager Connectors tab under Configured
connectors.


 11. Under Configured connectors, select your connector, and then click Start.

Configure Windows domain controller connectors


Configure the following connectors that apply to your installation on your Windows domain
controllers:


 1. On the SEM Console, navigate to Configure > Nodes.


 2. Under Refine Results, expand the Type group, and then select the Agent check box.
 3. Select an agent, and then click Manage node connectors.
 4. Find the connector to configure. Type part of the connector name in the search box, or use the
filter menus in the Refine Results pane.

 5. Select an available connector, and then click Add Connector.


 6. Complete the connector configuration form. The following fields are common across most
connectors:
 l Name: Enter a user-friendly label for your connectors.
 l Log File: Enter the location of the log file that the connector will normalize. This is a
location on either the local computer (Agents), or the SEM appliance (non-Agent devices).
 l Output: Normalized, Raw + Normalized, Raw. You only need to configure these values if
SEM is configured to save raw (unnormalized) log messages.
 7. Click Add.
 8. To start a connector, select a configured connector, and then click Start.

Verify USB Defender is installed on a SEM agent


 1. On the SEM Console, navigate to Configure > Nodes.
 2. Under Refine Results, expand the Type group, and then select the Agent check box.
 3. To determine which nodes have USB defender, in the Agent nodes list, observe the nodes with a
green check icon next to USB.

 4. If USB Defender is not installed on one or more SEM Agents, reinstall the agent and ensure that
you select Install USB-Defender after you confirm the Manager Communication Settings.

Enable additional connectors to add extra log sources to SEM

 1. On the SEM Console, navigate to Configure > Nodes.
 2. Select an agent node, and then click Manage node connectors.
 3. Under Available connectors, select a supported device or application to log.

Enter a keyword in the search box, or use the Category drop-down list to filter connectors
by category.

 4. Select an available connector, and then click Add connector.


 5. Update your settings, if needed, and then click Add.
 6. To start the connector, select the configured connector, and then click Start.

Configure a firewall connector on a SEM Manager


After you configure your firewall to log to SEM, configure the corresponding connector on your
SolarWinds SEM Manager. Many of the firewall connectors are similar, and some will include unique
settings.

This example describes how to configure a Cisco PIX and IOS connector on your SEM Manager.

 1. On the SEM Console, navigate to Configure > Manager Connectors.

 2. Find the connector to configure. Type part of the connector name (Cisco PIX) in the search box,
or use the filter menus in the Refine Results pane.
 3. Select the connector, and then click Add Connector.


 4. Complete the connector configuration form. The following fields are common across most
connectors:
 l Name: Enter a user-friendly label for your connectors.
 l Log File: Enter the location of the log file that the connector will normalize. This is a
location on either the local computer (Agents), or the SEM appliance (non-Agent devices).
 l Output: Normalized, Raw + Normalized, Raw. You only need to configure these values if
SEM is configured to save raw (unnormalized) log messages.
 5. Click Add.
 6. Under Configured connectors, select your connector, and then click Start.

Verify that the correct alias value is associated with the connector

The following procedure applies to devices configured to send logs to SEM. To verify agent
connectors, use this same procedure, but apply it to the agent associated with the connector instead.


 1. On the SEM Console, navigate to Configure > Manager Connectors.

 2. Under Configured connectors, select the connector instance you want to verify.
 3. On the connector toolbar, click Edit.
 4. Verify the connector name (alias) is correct (change the name, if not), and click Save.
 5. On the connector toolbar, click Start.

Export SEM node information


From release 2022.4 of SEM, you can export the details of individual or multiple nodes as a CSV file.

 1. Navigate to Configure > Nodes.

 2. If necessary, use the options in the left column to refine the list of nodes shown.

 3. Select the node or nodes you want to export.


 4. Click Export.
 5. Select a suitable location and file name and save the file.
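An exported node list is a convenient input for routine inventory checks, such as finding agents that still need the upgrade described earlier in this chapter or that lack USB Defender. The following is an added example, not SolarWinds code. The guide does not document the export's column layout, so the column names and the sample rows below are assumptions constructed for illustration; adapt the column constants to the header row of your own file.

```python
"""Audit an exported SEM node list for agents that need attention.

Added example, not SolarWinds code. The guide does not document the export's
column layout, so the column names below are assumptions and the sample rows
are constructed. Adapt the COL_* constants to the header row of your own export.
"""
import csv
import io

# Assumed column names (check your export's header row).
COL_NAME, COL_TYPE, COL_VERSION, COL_USB = "Name", "Type", "Agent Version", "USB Defender"

# Constructed sample export.
SAMPLE_EXPORT = """\
Name,IP Address,Type,OS,Agent Version,USB Defender
dc01,10.0.0.10,Agent,Windows Server 2019,2022.4.0,Yes
ws-finance-07,10.0.5.23,Agent,Windows 10,2022.2.1,No
web01,10.0.1.5,Agent,Ubuntu 20.04,2022.4.0,No
fw01,10.0.0.1,Non-Agent,Cisco PIX,,
"""


def parse_version(text: str) -> tuple:
    """'2022.4.0' -> (2022, 4, 0); empty (non-agent rows) -> () so it sorts lowest."""
    return tuple(int(part) for part in text.split(".")) if text else ()


def load_nodes(csv_text: str) -> list:
    """Parse the export into a list of row dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def agents(nodes) -> list:
    """Only agent rows; non-agent devices have no agent version to check."""
    return [n for n in nodes if n[COL_TYPE] == "Agent"]


def agents_needing_upgrade(nodes, target: str) -> list:
    """Agent names whose reported version is older than the target release."""
    wanted = parse_version(target)
    return [n[COL_NAME] for n in agents(nodes)
            if parse_version(n[COL_VERSION]) < wanted]


def agents_without_usb_defender(nodes) -> list:
    """Agent names whose USB Defender column is anything other than Yes."""
    return [n[COL_NAME] for n in agents(nodes) if n[COL_USB] != "Yes"]


def audit_report(csv_text: str, target: str) -> dict:
    """Summarize a whole export in one dict suitable for a ticket or a dashboard."""
    nodes = load_nodes(csv_text)
    return {
        "node_count": len(nodes),
        "needs_upgrade": agents_needing_upgrade(nodes, target),
        "missing_usb_defender": agents_without_usb_defender(nodes),
    }


if __name__ == "__main__":
    print(audit_report(SAMPLE_EXPORT, "2022.4.0"))
```

Versions are compared as integer tuples rather than strings so that, for example, 2022.10.0 sorts after 2022.4.0.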

SEM connectors: Normalize events sent from specific products on your network

Configure connectors to intercept events sent from a specific product on your network and convert
those events into normalized messages that SEM can understand.
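To make concrete what "normalizing" means, the following added example (not SolarWinds code) does in miniature what a connector does: it parses the syslog header off each raw line, matches the message body against a small set of patterns, and emits a structured event with named fields. It also shows the two behaviours an administrator sees in the console: the Raw + Normalized output option (keep_raw) and the unmatched-data case, where a line reaches SEM but no pattern covers it. The sample lines, patterns, event names and field names are constructed for illustration and are not SEM's internal schema.

```python
"""Normalize raw syslog lines into structured events, the job a SEM connector does.

Added example, not SolarWinds code. The sample lines, regex patterns, event
names and field names are constructed for illustration and are not SEM's
internal schema.
"""
import re
from dataclasses import dataclass

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)

# One entry per message shape this toy "connector" understands (constructed patterns).
RULES = [
    ("TCPTrafficAudit", re.compile(
        r"Deny (?P<proto>tcp|udp) src \S+:(?P<src>[\d.]+)/(?P<sport>\d+)"
        r" dst \S+:(?P<dst>[\d.]+)/(?P<dport>\d+)")),
    ("UserLogonFailure", re.compile(
        r"authentication failed for user '(?P<user>[^']+)' from (?P<src>[\d.]+)")),
]


@dataclass
class NormalizedEvent:
    event_type: str        # normalized event name
    detection_host: str    # device that reported the event
    timestamp: str         # timestamp as received
    fields: dict           # extracted, named fields
    raw: str               # original line, kept only when raw output is enabled


def normalize(line: str, keep_raw: bool = False):
    """Return a NormalizedEvent, or None if the line is not syslog at all.

    Lines with a valid header but no matching rule become UnmatchedData events,
    so gaps in connector coverage stay visible instead of being silently dropped.
    """
    head = HEADER.match(line)
    if head is None:
        return None
    for event_type, pattern in RULES:
        hit = pattern.search(head["msg"])
        if hit:
            return NormalizedEvent(event_type, head["host"], head["ts"],
                                   hit.groupdict(), line if keep_raw else "")
    # Unmatched data always carries the raw line; that is the only evidence you have.
    return NormalizedEvent("UnmatchedData", head["host"], head["ts"],
                           {"message": head["msg"]}, line)


# Constructed sample input: two recognized shapes and one the rules do not cover.
SAMPLE_LINES = [
    "<166>Dec  9 13:04:05 fw01 Deny tcp src outside:203.0.113.5/4123 dst inside:10.0.0.8/22",
    "<38>Dec  9 13:04:07 vpn01 authentication failed for user 'jdoe' from 198.51.100.7",
    "<30>Dec  9 13:04:09 sw01 link up on port 12",
]


def normalize_all(lines=SAMPLE_LINES, keep_raw: bool = False) -> list:
    """Normalize a batch, skipping anything that is not a syslog line."""
    events = (normalize(line, keep_raw) for line in lines)
    return [ev for ev in events if ev is not None]


if __name__ == "__main__":
    for ev in normalize_all():
        print(ev.event_type, ev.detection_host, ev.fields)
```

The UnmatchedData branch is the part worth copying: when a device's messages change format after a firmware update, the events do not vanish, they pile up as unmatched data, which is exactly the condition the stand-alone connector updates later in this chapter exist to fix.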

Configure SEM connectors for agent and non-agent devices


This section describes how to configure SEM connectors.

Configure the sensor and actor connectors for each SEM agent
SEM lets you set up agent connectors for the target products that are either installed on or are
remotely logging to the agent computer. After configuring agent connectors, SEM can monitor and
interact with the products and devices on that computer.

Agent connectors run locally to monitor log files, as well as data logged to the agent computer from
remote devices that cannot run an agent. The active response connectors (actors) allow the agent to
receive instructions from the Manager and perform active responses locally on the agent computer,
such as sending pop-up messages or detaching USB devices.

Use connector profiles to configure multiple agents


Most agents in a network include a few different connector configurations. You can streamline your
connector configuration process by creating connector profiles. A connector profile groups agents
that share the same connector configuration.

For more information, see Create connector profiles to manage and monitor SEM agents.

Apply a SEM connector update package


This section describes different options for updating SEM connectors.

On the SEM Console Settings page, you can enable automatic updates for SEM connectors and
initiate a manual connector update.

 1. On the SEM Console, click the Settings button.


 2. On the Settings page, click the Updates tab.

 3. In the Connector Updates section, click the toggle button to allow automatic updates.

Update SEM connectors manually using the CMC interface


Customer Support occasionally provides stand-alone connector updates to address unmatched data
alerts in your environment. These need to be applied manually.

 1. Go to the SolarWinds Customer Portal and download the Connector Update package from the
Additional Components page.

 2. Prepare the update package:
 a. Extract the update package from the .zip file, and then open the SolarWinds-SEM-Connectors folder.
 b. Copy the SEM folder to the root of a network share. For example: C:\share\SEM\.
 3. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.
 4. At the cmc> prompt, enter manager.
 5. At the cmc::manager> prompt, enter sensortoolupgrade.
 6. To start the upgrade process, press Enter.
 7. To indicate that the update is located on the network, enter n.


 8. To continue, press Enter.


 9. Enter the path to the network share where the update package is located. Specify the path using
the following UNC format: \\server\volume
 10. To confirm your entry, enter y.
 11. Enter the domain and user name for a user that can access the share. Use the following format:
domain\user.
 12. To confirm your entry, enter y.
 13. Enter the password for the user.
Re-enter the password to confirm your entry.
 14. To start the update, enter 1.
The update will take several minutes.
Verify that the configured connectors restart after they are updated by watching for
InternalToolOnline alerts in the default SolarWinds Alerts filter on the SEM Console.
 15. After the update is finished, type exit twice to exit the CMC interface.

Troubleshooting SEM connector upgrades


During the update process, the update script restarts all configured SEM connectors. In most cases,
restarted connectors trigger one offline and one online alert in your SEM console.

An InternalWarning alert may appear, indicating that a connector started at the beginning of the
corresponding log file. This alert may be caused by:
 l An unnecessary connector. For example, you could have an NT DNS connector configured on a
server that is not running the DNS service.
 l A misconfigured connector. For example, you could have a connector pointing to the wrong
location for the requisite log file.
 l The device associated with the connector rotated its logs while the connector was offline.

Below is the event information for the InternalWarning alert.

EventInfo: -1:Start location was -1. Init set to 'newest' record,
record info: 1 - 193 (101 - 293) @ -1. InsertionIP: lab-vm-exc10.lab.exc
Manager: sem DetectionIP: 10.0.0.1 InsertionTime: 11:51:04 Thu Jun 16 2016
DetectionTime: 11:51:04 Thu Jun 16 2016 Severity: 2 ToolAlias: NT DNS
InferenceRule: ProviderSID: FASTCenter normal error ExtraneousInfo:
Component: FASTCenter:NT DNS Description: -1:Start location was -1. Init set
to 'newest' record, record info: 1 - 193 (101 - 293) @ -1. Detail:
StackTrace:
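As an added example that is not part of the SolarWinds documentation, the following Python script parses the InternalWarning record above and lists every connector that reports start location -1, so each one can be checked against the three causes listed. The record layout (flat "Name: value" pairs, split at the next known field name) and the second, healthy record are assumptions.

```python
import re
from typing import Dict, List

# Field names seen in the InternalWarning record above. The record is one flat
# "Name: value Name: value ..." string, so each value is recovered by cutting at
# the next known field name (an assumption about the record layout).
SEM_FIELDS = [
    "EventInfo", "InsertionIP", "Manager", "DetectionIP", "InsertionTime",
    "DetectionTime", "Severity", "ToolAlias", "InferenceRule", "ProviderSID",
    "ExtraneousInfo", "Component", "Description", "Detail", "StackTrace",
]
_FIELD_RE = re.compile(r"(?<![\w:])(" + "|".join(SEM_FIELDS) + r"):")
_START_RE = re.compile(r"Start location was (-?\d+)\. Init set to '(\w+)' record")
_RECORD_RE = re.compile(r"record info: (\d+) - (\d+) \((\d+) - (\d+)\) @ (-?\d+)")


def parse_sem_event(text: str) -> Dict[str, str]:
    """Turn the pasted event text into a dict of field name -> value."""
    flat = " ".join(text.split())  # collapse the line breaks of the pasted record
    hits = list(_FIELD_RE.finditer(flat))
    fields: Dict[str, str] = {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(flat)
        fields[hit.group(1)] = flat[hit.end():end].strip()
    return fields


def started_at_log_start(fields: Dict[str, str]) -> bool:
    """True when the connector reports start location -1, i.e. it re-initialised
    on the log instead of resuming from its previous read position."""
    hit = _START_RE.search(fields.get("EventInfo", ""))
    return hit is not None and hit.group(1) == "-1"


def triage(events: List[str]) -> List[Dict[str, str]]:
    """Summarise every event that shows the restart symptom, so each listed
    connector can be checked against the three causes above: not needed on that
    host, pointing at the wrong log path, or the log rotated while it was offline."""
    findings = []
    for raw in events:
        fields = parse_sem_event(raw)
        if not started_at_log_start(fields):
            continue
        rec = _RECORD_RE.search(fields.get("EventInfo", ""))
        findings.append({
            "host": fields.get("InsertionIP", ""),
            "connector": fields.get("ToolAlias", ""),
            "component": fields.get("Component", ""),
            "severity": fields.get("Severity", ""),
            "time": fields.get("DetectionTime", ""),
            "records": f"{rec.group(1)}-{rec.group(2)}" if rec else "",
        })
    return findings


# The InternalWarning record quoted above, joined into one string.
PAGE_EVENT = (
    "EventInfo: -1:Start location was -1. Init set to 'newest' record, "
    "record info: 1 - 193 (101 - 293) @ -1. InsertionIP: lab-vm-exc10.lab.exc "
    "Manager: sem DetectionIP: 10.0.0.1 InsertionTime: 11:51:04 Thu Jun 16 2016 "
    "DetectionTime: 11:51:04 Thu Jun 16 2016 Severity: 2 ToolAlias: NT DNS "
    "InferenceRule: ProviderSID: FASTCenter normal error ExtraneousInfo: "
    "Component: FASTCenter:NT DNS Description: -1:Start location was -1. Init set "
    "to 'newest' record, record info: 1 - 193 (101 - 293) @ -1. Detail: StackTrace:"
)

# A constructed healthy record (not from the page) that must not be flagged.
HEALTHY_EVENT = (
    "EventInfo: Tool online InsertionIP: lab-vm-exc10.lab.exc Manager: sem "
    "DetectionIP: 10.0.0.1 Severity: 1 ToolAlias: Windows Application Log "
    "Component: FASTCenter:Windows Application Log Detail: StackTrace:"
)

if __name__ == "__main__":
    for finding in triage([PAGE_EVENT, HEALTHY_EVENT]):
        print(finding)
```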

SEM connector categories


The table in this section describes the various categories of network security products that can be
connected to SEM. The Description column describes how the connectors (sensors and actors)
typically work with each type of product or device. The Use with columns indicate if each product type
requires Manager connectors, Agent connectors, or both. Find the full list of connectors here. If the
connector for your product is not listed, you can submit a feature request: learn more here.

Anti-Virus
This category lets you configure sensors for use with common anti-virus products. These products protect against, isolate, and remove viruses, worms, and Trojan programs from computer systems.

To configure an anti-virus connector, the anti-virus software must be currently installed on the Agent computer.

Some anti-virus connectors can also be run on the Manager by remotely logging from an Anti-Virus server.

Due to software conflicts, SolarWinds recommends running only one brand of anti-virus software per computer.

Application Switch
This category lets you configure sensors for use with application switches. Application-Layer switches transmit and monitor data at the application layer.

Database
This category lets you configure sensors for use with database auditing products. These products monitor databases for potential database intrusions, changes, and database system events.

File Transfer and Sharing
This category lets you configure sensors for use with file transfer and file sharing products. These products are used to share files over the local network and the Internet. Monitoring these products provides information about what files are transferred, by whom, and system events.

Firewalls
This category lets you configure sensors and actors for use with applications and devices used to protect and isolate networks from other networks and the Internet.

Firewall sensors connect to, read, and retrieve firewall logs. Most firewalls also have an active response connector. These connectors configure actors that interface with routers and firewalls to perform block commands. Actors can perform active responses either via telnet or a serial or console cable. Normally, you will configure these connectors on the Manager.

To configure a firewall connector, the firewall product must already be installed on the Agent computer, or it must be remotely logging to an Agent or Manager. Normally, you will configure these connectors on the Manager.

You must also configure each firewall’s data gathering and active response capabilities separately. For example, configuring a firewall’s data gathering capabilities does not configure the firewall’s active response settings.

Identity and Access Management
This category lets you configure sensors for use with identity access, identity management, and other single-sign on connectors. These products provide authentication and single-sign on capabilities, account management, and other user access features. Monitoring these products provides information about authentication and management of accounts.

IDS and IPS
This category lets you configure sensors and actors for use with network-based and host-based intrusion detection systems. These products provide information about potential threats on the network or host, and can be used to raise alarms about possible intrusions, misconfigurations, or network issues.

Generally, network-based IDS and IPS connectors are configured to log remotely, while host-based IDS and IPS systems log locally on an Agent system. Some network-based IPS systems provide the capability to perform an active response via their actor connector, allowing you to block an IP address at the IPS device.

Manager
This category lets you configure sensors for use with the Manager and other Appliances. These connectors monitor for conditions on the Manager that may be informational or display potential problems with the appliances.

Network Management
This category lets you configure sensors for use with network management connectors. These connectors monitor for different types of network activity from users on the network, such as workstation-level process and application monitoring. Generally, these systems are configured to log remotely from a central monitoring server.

Network Services
This category lets you configure sensors for use with different network services. These connectors monitor service-level activity for different network services, including DNS and DHCP. Most network services are configured to log locally on an Agent's system. However, some are configured to log remotely.

Operating Systems
This category lets you configure sensors for use with utilities in the Microsoft Windows operating system that monitor system events.

This category includes a Windows Active Response connector. This connector configures an actor that enables Windows active response capabilities on Agents using Windows operating systems. This allows SEM to perform operating system-level responses, such as rebooting computers, shutting down computers, disabling networking, and disabling accounts.

To configure an operating system connector, the operating system software must already be installed on the Agent computer.

If you perform the remote Agent installation, the Windows NT/2000/XP Event Application Logs and System Logs connectors are configured by default.

Proxy Servers and Content Filters
This category lets you configure sensors for use with different content monitoring connectors. These connectors monitor user network activity for such activities as web surfing, IM/chat, and file downloads, and events related to administering the monitoring systems themselves. Generally, these connectors are configured to log remotely from the monitoring system.

Routers/Switch
This category lets you configure sensors, and in some cases actors, for use with different routers and switches. These connectors monitor activity from routers and switches such as connected/disconnected devices, misconfigurations or system problems/events, detailed access-list information, and other related messages. Some routers/switches have the capability to configure an actor connector to block an IP address at the device. Generally, these connectors are configured to log remotely from the router/switch.

System Scan Reporters
This category lets you configure sensors for use with different asset scanning connectors, such as vulnerability scanners. These connectors provide information about potential vulnerabilities, exposures, and misconfigurations with different devices on the network. Generally, these connectors create events in the 'Asset' categories in the event tree.

System Connectors
This category lets you configure the Manager with an external notification system, so SEM can transmit event messages to SEM users via email or pager.

VPN and Remote Access
This category lets you configure sensors and actors for use with Virtual Private Network (VPN) server products that provide secure remote access to networks. Normally, you will configure these connectors on the Manager.

Web Server
This category lets you configure sensors for use with Web server products. To configure a web server connector, the web server software must already be installed on the Agent or Manager computer.


Microsoft SQL Server connectors authentication methods


When creating a connector for Microsoft SQL Server, two authentication methods are currently available:
 l SQL Authentication
 l Windows Authentication

SQL Authentication
SQL authentication is the simplest solution.
 l A user must exist in the database to which you are trying to connect.
 l Database connectors have an option attribute defined in DefaultReaderConfiguration; for SQL authentication, leave this attribute empty.
 l The connecting user must have the privilege to read from the accessed table/view.

Windows Authentication
Windows authentication takes advantage of Windows users and Active Directory to authenticate to the database. However, Microsoft's JDBC driver does not support remote logging as a specific user, so you have to work around that. To do so, configure SEM as follows:
 l The Agent must be installed on the machine that hosts the database.
 l The Agent service must run as the Windows user that will connect to the database:
 1. Go to Services and right-click the agent service.
 2. Select Properties.
 3. Go to the Log On tab, and select This account.
 4. Fill in the credentials of the user that will log in to the database.
 5. Restart the service.
 l The connecting user must have the privilege to read from the accessed table/view.
 l The account specified for the service must have administrator rights for FIM and USB Defender to work.
 l When configuring the connector, the option field must contain integratedSecurity=true.

Configure SEM to monitor firewalls, proxy servers, domain controllers, and more
This section includes information to help you configure SEM components to monitor and protect
specific systems and devices on your network.

Configure SEM to monitor firewalls for unauthorized access


Configure SEM Manager to monitor your firewalls and detect unauthorized access such as port
scans, unusual data packets, network attacks, and unusual traffic patterns.

To set up a firewall monitor, configure your firewalls to log to SEM, and then configure a new
connector in the SEM Manager. When an unauthorized user attempts to access SEM, the event
displays in the default Firewall filter running on the SEM console. You can also create custom filters
that display network traffic to and from specific computers, as well as view web traffic and other
traffic events across your network.

For more information, see Using the Threat Intelligence feed in SEM in the SolarWinds Success
Center.

Configure a firewall to log to SEM


You can configure SEM to collect firewall information from firewalls manufactured by Cisco®, Check
Point® Software Technologies, Juniper® Networks, and others. Set your firewall to log to your SEM
appliance to centralize its log data with your SEM events. See the SolarWinds Success Center or
contact Technical Support for more information.

Configure a firewall connector on the SEM Manager


After you configure your firewall to log to SEM, configure the corresponding connector on your
SolarWinds SEM Manager. Many of the firewall connectors are similar, and some will include unique
settings.

This example describes how to configure a Cisco PIX and IOS connector on your SEM Manager.


 1. On the SEM Console, navigate to Configure > Manager Connectors.

 2. Find the connector to configure. Type part of the connector name (Cisco PIX) in the search box,
or use the filter menus in the Refine Results pane.
 3. Select the connector, and then click Add Connector.
 4. Complete the connector configuration form. The following fields are common across most
connectors:
 l Name: Enter a user-friendly label for your connector.
 l Log File: Enter the location of the log file that the connector will normalize. This is a
location on either the local computer (Agents), or the SEM appliance (non-Agent devices).
 l Output: Normalized, Raw + Normalized, Raw. You only need to configure these values if
SEM is configured to save raw (unnormalized) log messages.
 5. Click Add.

 6. Under Configured connectors, select your connector, and then click Start.


View network traffic from specific computers


You can create custom filters that highlight specific firewall events. For example, to monitor traffic
from a specific computer, create a filter for all network traffic coming from the targeted computer.
Use connector profiles and other groups to broaden or refine the scope of custom filters. The
following procedure provides an example of creating a filter to monitor all traffic from a targeted
computer.

 1. On the SEM Console, click the Live Events tab.


 2. To create a filter at the group level in the Filters pane, move the mouse pointer over a group
heading to expose the vertical ellipsis, and then select Add New Filter.

Or:
To create a filter at the root level, click the add icon, and then select Add New Filter.

The Add new filter window is displayed.


 3. Enter a descriptive name for your new filter.


 4. In the panel on the left, expand Event Groups, and then drag Network Audit Alerts into the filter
builder.
When you drag a value into the filter builder, the correct drop location is illuminated with a blue
line.

 5. Under Network Audit Alerts, drag SourceMachine into the filter builder.


 6. Click Drop item here, or add it, enter the domain name of the computer, and click Save.
 7. Click Save to return to the Live Events screen.
 8. To view associated activity, click the Events tab, and then select your new filter. You can also set
up a rule to alert on this activity by moving your mouse pointer over the filter, clicking the vertical
ellipsis, and then selecting Send Filter to Rule. Learn more here.

Create and enable a SEM rule to identify port scanning traffic


To identify suspicious firewall traffic indicative of port scanning, clone and enable the PortScans rule.
This rule generates a default TCPPortScan event, which the SolarWinds SEM console displays in the
default Security Events filter. Use this event to monitor suspicious network traffic and prevent
unauthorized access to your firewall.

 1. On the SEM Console, click the Rules tab.


 2. On the Rules toolbar, click Create rule from template.

 3. In the search box, enter PortScans.

 4. Select the PortScans rule template, and then click Next.

 5. Review the existing conditions and values, and click Edit if you need to change any of these.


 6. Click Next.
 7. Review and adjust the rule details where needed, and then click Create.

See Create a new rule for additional guidance.

Enable the Threat Intelligence feed


On the SEM Console Settings page, you can enable the Threat Intelligence feed, which enables SEM to
detect threats based on lists of known malicious IP addresses. Learn more here.

Threat Intelligence is enabled by default. It identifies events as threats by matching event IP information against a list of known bad IP addresses.

 1. On the SEM Console, click the Settings button.

 2. On the Settings page, click the Threat Intelligence tab.


 3. Toggle the button to allow SEM to enable the Threat Intelligence feed.

Only administrators have permissions to enable or disable the Threat Intelligence feed.
Disabling and re-enabling the Threat Intelligence feed forces a threat intelligence update and
creates an InternalAudit event. Restarting SEM also forces the Threat Intelligence feed to
update.

Configure SEM to monitor proxy servers for suspicious URL access
Monitor proxy servers to track network users who attempt to access suspicious websites using
partial or complete URL addresses. Configure your proxy server to log to SEM and set up the
appropriate connector on your SolarWinds SEM Manager.

Set your proxy server to log to a virtual appliance


Set your proxy server to log to SEM to centralize its log data with your SEM events. You can integrate
proxy servers from popular vendors such as Websense and Barracuda.

Because the integration process is different for each vendor, each proxy server is documented
separately in the SolarWinds Success Center. If a knowledge base article is not available, contact
Customer Support.

Configure a proxy server connector


After you configure your proxy server to log to your SEM appliance, configure the corresponding
connector. Many of the proxy server connectors are similar - with some unique settings.

The following example procedure describes how to set up a connector for a Websense proxy server.
You can find instructions for additional firewall connectors in the SolarWinds knowledge base.

 1. On the SEM Console, navigate to Configure > Manager Connectors.


 2. In the search box, type "Websense Web Filter".
 3. Select the Websense Web Filter and Websense Web Security connector, and then click Add
Connector.
 4. In the Name field, enter a new name, or keep the existing name.
 5. Click Add. The connector appears on the Manager Connectors tab under Configured
connectors.
 6. Under Configured connectors, select this connector, and then click Start.

Create and enable the Known Spyware Site traffic rule


You can track when users attempt to access suspicious websites using partial or complete URL
addresses by enabling the Known Spyware Site Traffic rule. This rule generates a HostIncident event
by default that you can use in conjunction with the Incidents report to notify auditors that you are
auditing critical events on your network.


Before you enable this rule, ensure your proxy server transmits complete URL addresses to your SEM
Manager by checking the URL field of any WebTrafficAudit event generated by your proxy server. If
your proxy server does not log web traffic events with this level of detail, check the events coming
from your firewalls, as they can sometimes be used for this rule as well.

 1. On the SEM Console, select Rules.


 2. On the Rules toolbar, click Create rule from template.

 3. In the search box, enter "known spyware site traffic". As you type, the list of templates is filtered to show just the one required.

 4. Select the Known Spyware Site Traffic rule template, and click Next.
 5. Review and edit the existing conditions and values where needed, and click Next.
 6. Review and adjust the rule details where needed, and click Create.

See Create a new rule for additional guidance.

Configure SEM to monitor antivirus software for viruses that are not cleaned
You can monitor your antivirus software performance by configuring the software to log to SEM.
When completed, set up the appropriate connector on the SEM Manager, and then use the SEM
console to view events in the default Virus Attack filter.

Configure antivirus software to log to SEM


Set your antivirus software to log to SEM. This process centralizes the antivirus log data with your
existing SEM events.

You can integrate SEM with antivirus software from manufacturers such as Symantec and McAfee.
See the SolarWinds Knowledge Base or contact SolarWinds Support for more information.

Configure an antivirus connector on the SEM Manager


The following procedure describes how to configure the Symantec Endpoint Protection 11 connector
on the SEM Manager.

 1. On the SEM console, navigate to Configure > Manager Connectors.


 2. In the search box, type "Symantec Endpoint Protection".
 3. Select the Symantec Endpoint Protection 11 connector, and click Add Connector.
For Symantec Endpoint Protection (SEP), the Log Facility is equal to the local facility on SEM,
plus 16. For example, the default Log File for /var/log/local6.log on SolarWinds SEM
corresponds to Log Facility 22 in your Symantec Endpoint Protection 11 settings.

 4. In the Name field, enter a new name, or keep the existing name.
 5. Click Add.
The connector appears on the Manager Connectors tab under Configured connectors.
 6. Under Configured connectors, select your connector, and then click Start.
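The facility arithmetic in the note on the Log Facility above, as an added example that is not from the SolarWinds documentation: the script maps a SEM local facility to the Log Facility value to enter in Symantec Endpoint Protection, and decodes the PRI header of an incoming syslog line to check that it lands in the Log File the connector reads. The sample lines are constructed, and the /var/log/localN.log naming is taken from the note.

```python
import re
from typing import Optional, Tuple

# Syslog facility codes (RFC 5424, section 6.2.1): local0..local7 are 16..23,
# which is where the "local facility plus 16" rule in the note comes from.
LOCAL_FACILITY_BASE = 16


def log_facility_for(local_n: int) -> int:
    """Log Facility value to enter in Symantec Endpoint Protection for SEM's localN."""
    if not 0 <= local_n <= 7:
        raise ValueError("local facilities run from local0 to local7")
    return LOCAL_FACILITY_BASE + local_n


def sem_log_file_for(facility: int) -> Optional[str]:
    """Map a syslog facility code back to the SEM Log File path a connector reads.
    Assumes the /var/log/localN.log naming shown in the note above."""
    if LOCAL_FACILITY_BASE <= facility <= LOCAL_FACILITY_BASE + 7:
        return f"/var/log/local{facility - LOCAL_FACILITY_BASE}.log"
    return None  # a non-local facility is not written to a localN.log file


def decode_pri(line: str) -> Tuple[int, int]:
    """Split the <PRI> header of a syslog line into (facility, severity).
    PRI = facility * 8 + severity, so the low three bits carry the severity."""
    hit = re.match(r"<(\d{1,3})>", line)
    if hit is None:
        raise ValueError("line has no <PRI> header")
    pri = int(hit.group(1))
    if pri > 191:
        raise ValueError("PRI out of range (facility 0-23, severity 0-7)")
    return pri >> 3, pri & 7


def reaches_connector(line: str, connector_log_file: str) -> bool:
    """True when the line's facility lands in the Log File the connector is reading."""
    facility, _ = decode_pri(line)
    return sem_log_file_for(facility) == connector_log_file


# Constructed sample lines (not real SEP output): facility 22 (local6) at
# severity 6 gives PRI 182; facility 21 (local5) would be a mis-set SEP setting.
GOOD_LINE = "<182>Jun 16 11:51:04 sep-mgr SEP: Risk found, action: Quarantined"
MISSET_LINE = "<174>Jun 16 11:51:04 sep-mgr SEP: Risk found, action: Quarantined"
CONNECTOR_LOG_FILE = "/var/log/local6.log"

if __name__ == "__main__":
    print("Enter Log Facility", log_facility_for(6), "in SEP for", CONNECTOR_LOG_FILE)
    for line in (GOOD_LINE, MISSET_LINE):
        fac, sev = decode_pri(line)
        print(f"{line[:6]} facility={fac} severity={sev} "
              f"read by connector={reaches_connector(line, CONNECTOR_LOG_FILE)}")
```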

Create a SEM rule to track when viruses are not cleaned


Create and enable the Virus Attack – Bad State rule to track virus attacks reported by your anti-virus
software. The Bad Virus State User-Defined Group defines a bad state as any virus that is not fully
cleaned by your anti-virus software. This includes any virus that is not addressed, quarantined, or
renamed.


The default action for this rule is to generate a HostIncident event, which you can use in conjunction
with the Incidents report to notify auditors you are auditing the critical events on your network.

 1. On the SEM Console, select Rules.


 2. On the Rules toolbar, click Create rule from template.

 3. In the search box, enter "virus".

 4. Select the Virus Attack - Bad State rule template, and then click Next.
 5. Review and edit the existing conditions and values where needed, and then click Next.
 6. Review and adjust the rule details where needed, and then click Create.

See Create a new rule for additional guidance.

Configure FIM connectors to monitor Windows files, directories, and registry settings
File integrity monitoring (FIM) monitors all Windows file types for unauthorized changes. Using FIM,
you can detect changes to critical files to ensure systems have not been compromised.

Please note that FIM does not support the monitoring of network shares. Only local drives are
supported.

FIM monitors Windows systems that are configured to process data through the supported
SEM agent for Windows. See the SEM system requirements for more information.

FIM can detect unauthorized modifications to configuration files, executables, log and audit files,
content files, database files, web files, and so on. When FIM detects that a monitored file has
changed, it logs an event. The event then prompts SEM to execute the configured action. You can
build correlation rules to act as a second-level filter to send an alert if certain patterns of activity occur
(not just single instances). When an alert is triggered, the data is in context with your network and
other system log data.

Features of FIM
 l Monitor real-time access and identify users who change file and registry keys.
 l Configure file and directory logic and registry keys and values to monitor different types of
access (create, write, delete, change permissions/metadata).
 l Standardize configurations across many systems.
 l Configure monitoring templates to monitor the basics and create and customize your own
monitors.
 l Configure templates for rules, filters, and reports to assist in including FIM events.


Start a FIM driver


File Integrity Monitoring (FIM) monitors all file types for unauthorized changes. Using FIM, you can
detect changes to critical files to ensure systems have not been compromised.

 1. On the SEM Console, navigate to Configure > Nodes.


 2. Under Refine Results, expand the Type group, and select Agent.

 3. In the FIM driver group, select Stopped.


 4. Select an agent to view the configuration toolbar.


 5. From the More drop-down list, select Start FIM Driver.

 6. Upon successful configuration, a success dialog appears in the upper-right corner of the console.

From the More drop-down list, you can start a FIM driver, and enable or disable FIM on Agent startup.

Add a FIM connector to a node


 1. On the SEM Console, navigate to Configure > Nodes.
 2. In the Refine Results pane, expand the Type group, and then select Agent.


 3. In the agent list, select an agent, and then click Manage node connectors on the toolbar.

 4. In the search box, type FIM to view the configured and available FIM connectors.
 5. Select a connector, and then click Create Configuration or Configure from template on the
connector toolbar.
 6. Click Save. A confirmation message appears in the upper-right corner of the SEM Console.
 7. Under Configured connectors, select your connector, and then click Start.

Create a FIM connector configuration


 1. On the SEM Console, navigate to Configure > Nodes.
 2. Select an agent node, and then click Manage node connectors.
 3. To locate an available FIM connector, type FIM in the search box.


 4. Select an available connector, and then click Create configuration.

On the Applied Conditions page, you can create inclusions and exclusions, import conditions from the monitor, and export to monitor.

Depending on your connector type, you can add file and directory inclusions/exclusions or
registry inclusions/exclusions.
 5. Establish your applied conditions, and then click Next.
 6. Expand and adjust the advanced configuration settings, if necessary, and then click Create.

Configure a FIM connector from a template


 1. On the SEM Console, navigate to Configure > Nodes.
 2. Select an agent node, and then click Manage node connectors.


 3. To locate an available FIM connector, type FIM in the search box.

 4. Select a connector, and then click Configure from template.


 5. Keep the current name or enter your own.

 6. From the drop-down list, select a pre-defined template.


 7. Expand the Advanced connector settings.

 8. Keep the current settings or change the output and sleep time.

The sleep time must be a numeric value and cannot be less than one. This is the time (in
seconds) the connector sensor is to wait between event monitoring sessions.

 9. If you do not want to run the connector after saving, click the toggle button.
 10. Click Save.

Edit a FIM connector configuration


 1. On the SEM Console, navigate to Configure > Nodes.
 2. Select an agent node, and then click Manage node connectors.


 3. To locate an available FIM connector, type FIM in the search box.

 4. Select a configured connector, and then click Edit.


On the Applied Conditions page, you can create or edit inclusions and exclusions, import
conditions from the monitor, and export to monitor.

Create FIM file and directory inclusions


On the Applied conditions page, you can create, edit, delete, and import inclusions for a FIM file and
directory connector.

 1. On the SEM Console, navigate to Configure > Nodes.


 2. Select an agent node, and then click Manage node connectors.
 3. Select a configured FIM file and directory connector, and then click Edit.

 4. On the Applied conditions page toolbar, click Create inclusions.

 5. Enter one or more paths to the file or directory that FIM is watching and click Add Path, or click
Browse to locate and select one or more files or directories.
 6. Select whether the files are recursive or non-recursive.
    Recursive      The folder selected and all its sub-folders which match the given mask will be
                   monitored for corresponding selected operations.
    Non-recursive  Only the files in the selected folders will be monitored.

 7. Enter a mask using the asterisk (*) as a wildcard, for example: *.exe or directory*.
 8. For a FIM File and Directory, select Create, Read, Write, and/or Delete for Directory, File,
Permissions, and Other operations, and then click Create.

For information about the Other option, refer to the Microsoft MSDN information.

Create FIM file and directory exclusions


On the Applied conditions page, you can create, edit, delete, and import exclusions for a FIM file and
directory connector.

 1. On the SEM Console, navigate to Configure > Nodes.


 2. Select an agent node, and then click Manage node connectors.
 3. Select a configured FIM file and directory connector, and then click Edit.

 4. On the Applied conditions page toolbar, click Create exclusions.

 5. Enter a mask using the asterisk (*) as a wildcard, for example: *.exe or directory*.

Directory* can be used as an exclusion, and it will exclude any file/folder that matches
the name from monitoring. It will not exclude the contents of the directory from
monitoring.
For example, if there is a directory named DirectoryContent with files content1.txt
and content2.txt in it, modifications to the directory itself will not be monitored (for
example, a permissions change), but changes to the files in that directory will be
monitored. You cannot exclude files in specific folders from being monitored, other than
by setting up inclusions that do not watch the folder at all.

 6. Click Create.
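The following Python script is an added example, not SolarWinds code, that models the inclusion and exclusion behaviour described in the file and directory inclusion and exclusion steps above (watched paths, recursive or non-recursive scope, wildcard masks, selected operations, and the DirectoryContent note). The matching rules and the File:Write style operation labels are assumptions about how the applied conditions behave, not SEM's implementation.

```python
"""Model of how FIM applied conditions select or drop an event (added example).

Assumptions (not taken from the guide): masks apply to the object's own name,
case-insensitively as on Windows; inclusion paths are compared as Windows paths;
an exclusion mask drops only the object whose name matches it, never the
objects stored inside a matching directory.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath
from typing import FrozenSet, Iterable

# Operation labels combine the object category and the action selected in the
# Create inclusions dialog, e.g. "File:Write" or "Permissions:Write" (constructed).
ALL_OPERATIONS = frozenset(
    f"{category}:{action}"
    for category in ("Directory", "File", "Permissions", "Other")
    for action in ("Create", "Read", "Write", "Delete")
)


@dataclass(frozen=True)
class Inclusion:
    path: str                  # watched file or directory
    recursive: bool            # True: folder and all sub-folders; False: direct children only
    mask: str = "*"            # wildcard mask, e.g. "*.exe" or "directory*"
    operations: FrozenSet[str] = ALL_OPERATIONS


def name_matches(name: str, mask: str) -> bool:
    """Case-insensitive wildcard match of an object's own name against a mask."""
    return fnmatchcase(name.lower(), mask.lower())


def covered_by(event_path: PureWindowsPath, inc: Inclusion) -> bool:
    """True if event_path lies within the scope of the inclusion's path."""
    root = PureWindowsPath(inc.path)
    try:
        depth = len(event_path.relative_to(root).parts)
    except ValueError:         # not under the watched path at all
        return False
    # depth 0 is the watched object itself, depth 1 a direct child;
    # deeper objects are only in scope for a recursive inclusion.
    return depth <= 1 or inc.recursive


def is_monitored(event_path: str, operation: str,
                 inclusions: Iterable[Inclusion], exclusions: Iterable[str]) -> bool:
    """Decide whether FIM would report `operation` on `event_path`."""
    path = PureWindowsPath(event_path)
    # Exclusions are checked against the object's own name only, so
    # "Directory*" drops DirectoryContent itself but not the files inside it.
    if any(name_matches(path.name, mask) for mask in exclusions):
        return False
    return any(
        operation in inc.operations
        and covered_by(path, inc)
        and name_matches(path.name, inc.mask)
        for inc in inclusions
    )


# Constructed scenario mirroring the DirectoryContent example in the guide.
INCLUSIONS = [Inclusion(r"C:\Data", recursive=True)]
EXCLUSIONS = ["Directory*"]

if __name__ == "__main__":
    for event_path, op in [
        (r"C:\Data\DirectoryContent", "Permissions:Write"),        # excluded by name
        (r"C:\Data\DirectoryContent\content1.txt", "File:Write"),  # still monitored
    ]:
        print(f"{op:18} {event_path}: {is_monitored(event_path, op, INCLUSIONS, EXCLUSIONS)}")
```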

Create FIM registry inclusions


On the Applied conditions page, you can create, edit, delete, and import inclusions for a FIM
registry connector.

 1. On the SEM Console, navigate to Configure > Nodes.


 2. Select an agent node, and then click Manage node connectors.
 3. Select a configured FIM registry connector, and then click Edit.

 4. On the Applied conditions page toolbar, click Create inclusion.

 5. Manually enter the registry key to watch, and then click Add Key, or click Browse to locate and
select one or more keys.

You can manually add one or more keys.

 6. Select whether monitoring is recursive or non-recursive.
    Recursive      The folder selected and all its sub-folders which match the given mask will be
                   monitored for corresponding selected operations.
    Non-recursive  Only the keys in the selected folders will be monitored.

 7. Enter a mask using the asterisk (*) as a wildcard, for example: *.exe or directory*.
 8. Select Create, Read, Write, and Delete for the Key and Value, and then click Create.

For information about the Other option, refer to the Microsoft MSDN information.

Create FIM registry exclusions


On the Applied conditions page, you can create, edit, delete, and import exclusions for a FIM
registry connector.

 1. On the SEM Console, navigate to Configure > Nodes.


 2. Select an agent node, and then click Manage node connectors.
 3. Select a configured FIM registry connector, and then click Edit.

 4. On the Applied conditions page toolbar, click Create exclusion.

 5. Enter a mask using the asterisk (*) as a wildcard, for example: *.exe or directory*.
 6. Click Create.

FIM advanced connector settings


Complete the Advanced connector settings form according to the device you're configuring. The
following fields and descriptions are common for most connectors:

Field                       Description
Wrapper Name                This is an identification key that the SolarWinds SEM uses to uniquely
                            identify the and number properties that apply to this connector. This is
                            read-only information for SolarWinds reference purposes.

Log Data Type to Save       Select either Normalized, Raw + Normalized, or Raw (unnormalized). Storage
                            for original log data must also be enabled on the appliance.

Sleep Time                  Type or select the time (in seconds) the connector sensor is to wait
                            between event monitoring sessions. The default (and minimum) value for all
                            connectors is one (1) second. If you experience adverse effects due to too
                            many rapid readings of log entries, increase the Sleep Time for the
                            appropriate connectors.

                            Windows NT-based connectors automatically notify Windows Event Log sensors
                            of new events that enter the log file. Should automatic notification stop
                            for any reason, the Sleep Time dictates the interval the sensor is to use
                            for monitoring new events.

Run connector after saving  When this option is selected, the connector starts when you click Create.

Enable Windows file auditing for use with SEM


Enable file auditing in Windows to monitor events related to users accessing, modifying, and deleting
sensitive files and folders on your network. To maximize the value of this type of auditing, enable
auditing on a file server on which you have installed a SEM agent, and only for the specific files and
folders you want to monitor. If you enable auditing on all files or folders, or even many of them, you
will create an unnecessary burden on SEM.

Complete the two-part process below to first enable object auditing on your server, and then enable
file auditing on the files and folders that you want to audit. Provided Windows is logging the events
and your server has a SEM agent installed on it, the SEM console will begin displaying the new file
auditing alerts immediately.

Enable object auditing in Windows


 1. In Windows Control Panel, navigate to Administrative Tools > Local Security Policy.
 2. In the left pane, expand Local Policies, and then click Audit Policy.
 3. Select Audit object access in the right pane, and then click Action > Properties.
 4. Select Success and Failure, and then click OK.
 5. Close the Local Security Policy window.

Enable file auditing on a file or folder in Windows


 1. In Windows Explorer, locate the file or folder you want to audit.
 2. Right-click the file or folder, and then select Properties.
 3. Click the Security tab.
 4. Click Advanced.
 5. Click the Auditing tab.
 6. Click Add. (If using Windows Server 2008, click Edit.)
 7. Enter the name of a user or group you want to audit for the selected file or folder, and then click
Check Names to validate your entry. For example, enter Everyone.
 8. Click OK.
 9. Select Success and Failure next to full control to audit everything for the selected file or folder.
 10. Optionally, clear Success and Failure for unwanted events such as:
    - Read attributes
    - Read extended attributes
    - Write extended attributes
    - Read permissions
 11. Click OK in each window until you are back at Windows Explorer.
 12. Repeat these steps for all files or folders you want to audit.

Configure Windows audit policy for use with SEM


The Windows audit policy determines the amount of data that Windows Security logs on domain
controllers and other computers in the domain.

Verbosity is the amount of data that is logged.

See Microsoft's TechNet knowledge base for details on Windows Audit Policy Definitions. These
definitions are effective from both a best-practice and compliance standpoint, and are based on
customer experience and recommendations from Microsoft.

See also:
 - Audit Policies and Best Practices for SEM in the SolarWinds Success Center.

Requirements
Using the Windows Audit Policy with SEM requires:
 - Windows Server 2008 SR or higher
 - Permissions to change the Windows Audit Policy at the domain controller and domain level
 - SolarWinds SEM installation

Windows Audit Policy


The following events and descriptions are adapted from information available on the Microsoft
TechNet knowledge base. You can query relevant articles on TechNet by searching for audit
policy best practice.

Event Description
Audit account logon events Represents user log on or log off instances on a computer logging
those events. These events are specifically related to domain logon
events and logged in the security log for the related domain
controller.

Audit account management The change management events on a computer. These events
include all changes made to users, groups and machines.

Audit logon events Represents user log on or log off instances from a computer logging
those events. These events are logged in the security log of the local
computer onto which the user is logging, even when the user is
logging onto the domain using their local computer.

Audit object access Track users accessing objects with their own system access control
lists. These objects include files, folders and printers.

Audit policy change Represents instances where local or group policy changed. These
changes include user rights assignments, audit policies and trust
policies.

Audit privilege use Track users accessing objects based on their privilege level. These
objects include files, folders and printers, or any object with its own
system access control list defined.

Audit process tracking Logs all instances of process, service, and program starts and stops.
This can be useful to track both wanted and unwanted processes,
such as AV services and malicious programs.

Audit system events Includes start up and shut down events on the computer logging
them, along with events that affect the system’s security. These are
operating system events and are only logged locally.

Best practice
Windows audit policy is defined locally for each computer. SolarWinds recommends using group
policy to manage the audit policy at both the domain controller and domain levels.

Set the Windows audit policy


Use the Group Policy Object Editor to set your Windows audit policy settings on desktop systems
running at least Windows 7, and servers running Windows Server 2008 and 2012. The following
procedure applies to setting up sub-category-level auditing.

 1. Expand Computer Configuration > Windows Settings > Security Settings > Local Policies >
    Security Options > Audit > Force Audit Policy Subcategory Settings, and then select Enabled.
 2. Change or set the policies in Computer Configuration > Windows Settings > Security Settings >
    Advanced Audit Policy Configuration > Audit Policies.

When the Force Audit Policy Subcategory option is enabled, auditing is controlled at the
subcategory level and category-level auditing is disabled.

Default Domain Controllers Policy


Select Success and Failure for all policies except:
 - Audit object access
 - Audit privilege use

Default Domain Policy


The Default Domain Policy applies to all computers on your domain except your domain controllers.
For this policy, select Success and Failure for:
 - Audit account logon events
 - Audit account management
 - Audit logon events
 - Audit policy change
 - Audit system events

You can also select Success and Failure for Audit process tracking to monitor critical processes
(such as the AV service) or unauthorized programs (such as games or malicious executable files).

Enabling auditing at the audit level will increase the number of events in the system logs. As a result,
your SEM database will quickly expand as it collects these logs.

Similarly, there could be bandwidth implications as well. This is dependent upon your network traffic
volume and bandwidth capacity. Since Agent traffic is transmitted to the Manager as a real-time
trickle of data, bandwidth impact is minimal.

SolarWinds recommends the following settings to meet PCI auditing requirements; they may also apply
to other auditing requirements. For more information, see PCI Compliance and Security Event Manager.

Category or Subcategory Setting


System

Security System Extension No Auditing

System Integrity Success and Failure

IPsec Driver No Auditing

Other System Events No Auditing

Security State Change Success and Failure

Logon/Logoff

Logon Success and Failure

Logoff Success and Failure

Account Lockout Success and Failure

IPsec Main Mode No Auditing

IPsec Quick Mode No Auditing

IPsec Extended Mode No Auditing

Special Logon Success and Failure

Other Logon/Logoff Events Success and Failure

Network Policy Server No Auditing

Object access

File System Success and Failure

Registry Success and Failure

Kernel Object No Auditing

SAM No Auditing

Certification Services No Auditing

Application Generated No Auditing

Handle Manipulation No Auditing

File Share Success and Failure

Filtering Platform Packet Drop No Auditing

Filtering Platform Connection No Auditing

Other Object Access Events No Auditing

Detailed File Share No Auditing

Privilege Use

Sensitive Privilege Use Failure

Non-Sensitive Privilege Use No Auditing

Other Privilege Use Events No Auditing

Detailed Tracking

Process Termination No Auditing

DPAPI Activity No Auditing

RPC Events No Auditing

Process Creation No Auditing

Policy Change

Audit Policy Change Success and Failure

Authentication Policy Change Success and Failure

Authorization Policy Change Success and Failure

MPSSVC Rule-Level Policy Change No Auditing

Filtering Platform Policy Change No Auditing

Other Policy Change Events Success and Failure

Account Management

User Account Management Success and Failure

Computer Account Management Success and Failure

Security Group Management Success and Failure

Distribution Group Management Success and Failure

Application Group Management Success and Failure

Other Account Management Events Success and Failure

DS Access

Directory Service Changes No Auditing

Directory Service Replication No Auditing

Detailed Directory Service Replication No Auditing

Directory Service Access Failure

Account Logon

Kerberos Service Ticket Operations Success and Failure

Other Account Logon Events Success and Failure

Kerberos Authentication Service Success and Failure

Credential Validation Success and Failure
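To check a server against the settings in this table, the following Python script (an added example, not SolarWinds code) compares the recommended subcategory settings with a report in the layout of auditpol /get /category:* output. The report text is a constructed sample, and the auditpol layout the parser assumes is an assumption, not something this guide describes.

```python
"""Report audit subcategories that differ from the SEM-recommended settings (added example).

RECOMMENDED holds the non-default rows of the table above; every subcategory
not listed is expected to be "No Auditing". The parser assumes the layout of
`auditpol /get /category:*` output: subcategory lines are indented and the
setting follows a run of spaces.
"""
import re
from typing import Dict, Tuple

SUCCESS_FAILURE = "Success and Failure"
RECOMMENDED: Dict[str, str] = {
    # System
    "System Integrity": SUCCESS_FAILURE,
    "Security State Change": SUCCESS_FAILURE,
    # Logon/Logoff
    "Logon": SUCCESS_FAILURE,
    "Logoff": SUCCESS_FAILURE,
    "Account Lockout": SUCCESS_FAILURE,
    "Special Logon": SUCCESS_FAILURE,
    "Other Logon/Logoff Events": SUCCESS_FAILURE,
    # Object access
    "File System": SUCCESS_FAILURE,
    "Registry": SUCCESS_FAILURE,
    "File Share": SUCCESS_FAILURE,
    # Privilege Use
    "Sensitive Privilege Use": "Failure",
    # Policy Change
    "Audit Policy Change": SUCCESS_FAILURE,
    "Authentication Policy Change": SUCCESS_FAILURE,
    "Authorization Policy Change": SUCCESS_FAILURE,
    "Other Policy Change Events": SUCCESS_FAILURE,
    # Account Management
    "User Account Management": SUCCESS_FAILURE,
    "Computer Account Management": SUCCESS_FAILURE,
    "Security Group Management": SUCCESS_FAILURE,
    "Distribution Group Management": SUCCESS_FAILURE,
    "Application Group Management": SUCCESS_FAILURE,
    "Other Account Management Events": SUCCESS_FAILURE,
    # DS Access
    "Directory Service Access": "Failure",
    # Account Logon
    "Kerberos Service Ticket Operations": SUCCESS_FAILURE,
    "Other Account Logon Events": SUCCESS_FAILURE,
    "Kerberos Authentication Service": SUCCESS_FAILURE,
    "Credential Validation": SUCCESS_FAILURE,
}

# Indented subcategory name, at least two spaces, then one of the four settings.
_LINE = re.compile(
    r"^\s+(?P<name>\S.*?)\s{2,}(?P<setting>No Auditing|Success and Failure|Success|Failure)\s*$"
)


def parse_auditpol(report: str) -> Dict[str, str]:
    """Map subcategory name -> effective setting from an auditpol-style report."""
    settings: Dict[str, str] = {}
    for line in report.splitlines():
        m = _LINE.match(line)
        if m:
            settings[m.group("name")] = m.group("setting")
    return settings


def audit_policy_drift(report: str) -> Dict[str, Tuple[str, str]]:
    """Return {subcategory: (expected, actual)} for every setting that differs."""
    drift: Dict[str, Tuple[str, str]] = {}
    for name, current in parse_auditpol(report).items():
        expected = RECOMMENDED.get(name, "No Auditing")
        if current != expected:
            drift[name] = (expected, current)
    return drift


# Constructed sample in the shape of `auditpol /get /category:*` output.
SAMPLE_REPORT = """System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
Logon/Logoff
  Logon                                   Success
  Account Lockout                         Success and Failure
Object Access
  File System                             No Auditing
  Registry                                Success and Failure
Privilege Use
  Sensitive Privilege Use                 Success and Failure
Detailed Tracking
  Process Creation                        Success
"""

if __name__ == "__main__":
    for name, (expected, actual) in sorted(audit_policy_drift(SAMPLE_REPORT).items()):
        print(f"{name}: expected {expected!r}, found {actual!r}")
```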

Configure the USB Defender local policy connector in SEM


The USB Defender Local Policy connector enables a SEM Agent to enforce restrictions on USB
devices, even when the Agent is not connected to the SEM Manager. Instead of using rules when
disconnected, the connector uses a list of permitted users or devices. The Agent compares the fields
in all USB device-attached events to a locally stored white list of users or devices. If none of the fields
match an entry on the list, the Agent detaches the device.

See also Configure the Detach USB Device active response in SEM

When the Agent is connected to the Manager through the network, the Manager rule also applies. Any
devices listed in the local white list must be in the User Defined Group for authorized devices.
Otherwise, the rule takes effect and the device detaches even though it was allowed by the white list
in the USB Defender local policy. When the Agent is connected, the USB Defender Local Policy and the
SEM rule are active.

 1. Create a text file with one entry per line.


This file serves as the local policy. Each entry can be a user name or a USB device ID, from the
Extraneous Info field of an attached alert.

 2. On the SEM Console, navigate to Configure > Nodes.


 3. Select a node, and then click Manage node connectors.
 4. In the search box, type USB defender.
 5. Select the USB Defender Local Policy connector, and then click Add Connector.
 6. In the Name field, enter a new name, or keep the existing name.
 7. Click Browse, and then locate and upload the text file you created above.

 8. Click Add. The connector appears on the Manager Connectors tab under Configured
connectors.
 9. Under Configured connectors, select your connector, and then click Start.

The authorized devices in the local white list must also be in the UDG for Manager Detach
Unauthorized USB rule or the rule on the Manager enforces detachment when the laptop is
connected to the network. In reverse, if you are using a blacklist and the device is in the USB
Local Policy and not in the User Defined Group of the rule, the device still detaches.

Having a device or user in one white list or black list and not in the other is not recommended
and yields inconsistent results.

Configure SEM to monitor Microsoft SQL databases for changes to tables and schemas

You can track successful or failed attempts to access your database tables and schemas by installing
MSSQL Auditor for Windows on a SEM Agent running SQL Server 2008 or later with Profiler. This
configuration allows you to monitor your local or remote SQL Server databases.

MSSQL Auditor runs as a service in conjunction with the SEM Agent service.

You can now configure SQL audit events and use our new SQL Audit Events connector to parse
those events. Learn more here.

Configure your database servers


Download MSSQL Auditor for Windows from the Customer Portal and install the software on your
server. When configured and enabled, the software provides your SolarWinds SEM Agent access to
details about any database configuration changes to your database server.

To enable the SolarWinds SEM Agent access to details about your database configuration changes,
install the following software on your database server:
 - Microsoft SQL Server 2008 or later
 - Microsoft .NET 3.5 and 4.0 Framework
 - SolarWinds SEM Agent for Windows

When completed, install the MSSQL Auditor for Windows on your server.

Install MSSQL Auditor on a SEM Agent


 1. Download the MSSQL Auditor for Windows from the SolarWinds Customer Portal.
 2. To begin the installation, double-click the EXE file.
 3. To start the wizard, click Next.
 4. Accept the End User License Agreement if you agree, and then click Next.
 5. Click Change to specify an installation folder, or accept the default, and then click Next.
 6. Click Install.
 7. When the installation is finished, select Launch SolarWinds MSSQL Auditor, and then click
Finish.

Configure MSSQL Auditor on your servers


If you did not select Launch SolarWinds MSSQL Auditor after installing the application, you can launch
the application from the SolarWinds Security Event Manager program group in your Start menu.

 1. Enter the name of the SQL server to monitor in the SQL Server\Instance field, and then click Add
Server.
To specify an instance other than the default, enter your server name in the following format:
Server\Instance

 2. Repeat step 1 for any additional servers you need to monitor.
 3. To use an account other than the Local System Account to run MSSQL Auditor on your database
server, select This Account in the Run Service As and provide the appropriate credentials.

SolarWinds recommends using an account in the sysadmin role on your database. The
account only requires Execute permissions for any stored procedures with the xp_trace
prefix.

 4. In the Manage Auditor Service section, click Start Auditor Service, and then click OK.

Configure the MSSQL Auditor Connector on a SEM Agent


 1. On the SEM Console, navigate to Configure > Nodes.
 2. Under Refine Results, expand the Type group, and then select the Agent check box.
 3. Select an agent, and then click Manage node connectors.
 4. In the search box, type MSSQL.

 5. Select the SolarWinds Security Event Manager MSSQL Auditor connector, and then click Add
Connector.
 6. In the Name field, enter a new name, or keep the existing name.
 7. Click Add.
 8. Under Configured connectors, select your connector, and then click Start.
 9. Repeat the steps for the MSSQL 2000 Application Log connector.

Configure SEM to monitor Windows domain controllers for brute force hacking attempts

Monitor your Windows domain controllers using the SolarWinds SEM agent. After you install and
configure the agent, the software tracks brute force and other types of hacking attempts to your
domain controllers and reports all events to the SEM Manager.

These events include:

 - Unauthorized access to your administrative accounts
 - Failed logon attempts
 - Account lockouts
 - User and group modification
 - Change management events

Install the SolarWinds SEM agent on all domain controllers to ensure the SEM Manager captures all
your domain events (even if they are not replicated across all domain controllers).

You can view the events on the SEM Console using the change management filter and create custom
filters to report all activity on your domain controllers.

Install and configure the SEM agent


When you install the SEM agent, you have the option to install USB Defender. This application works
together with the SEM agent to provide real-time notification when a USB drive is installed in your
domain controller server. By default, USB Defender generates events related to USB mass storage
devices attached to your SEM agents.

For additional security, Microsoft implemented a method in their operating system to log security
events. As a result, SolarWinds SEM agents on systems running Windows Server 2008, Windows
Vista, or Windows 7 require different connectors than the agents running on systems with the legacy
Windows operating systems.

If you are running both newer and legacy Windows operating systems in your environment, create a
connector profile for each operating system.

For SEM agent software and hardware requirements, see the system requirements in the SEM
Installation Guide.

Install a SEM agent on a single Windows domain controller


 1. Download the SolarWinds SEM agent installer for Windows from the SolarWinds Customer
Portal.

 2. Extract the ZIP file contents to a local or network directory.


 3. Run Setup.exe.
 4. To start the installation wizard, click Next.
 5. Accept the End User License Agreement if you agree, and then click Next.
 6. In the Manager Name field, enter the host name of your SEM Manager, and then click Next.

Do not change the default port values.

 7. Confirm the Manager Communication settings, and then click Next.
 8. (Optional) To install USB Defender with the SEM agent, select the check box.
 9. Confirm the settings on the pre-installation summary, and then click Install.
 10. When the installation is complete, click Next to start the SEM agent service.
 11. Inspect the agent log for any errors, and then click Next.
 12. To exit the installer, click Done.
The SEM Agent is installed on your system and begins sending events to your SEM Manager
and SEM console.
The SEM Agent continues running on your system until you uninstall the software or manually
stop the SEM Agent service.

Configure Windows domain controller connectors


Configure the following connectors that apply to your installation on your Windows domain
controllers:

 1. On the SEM Console, navigate to Configure > Nodes.


 2. Under Refine Results, expand the Type group, and then select the Agent check box.
 3. Select an agent, and then click Manage node connectors.
 4. Find the connector to configure. Type part of the connector name in the search box, or use the
filter menus in the Refine Results pane.

 5. Select an available connector, and then click Add Connector.


 6. Complete the connector configuration form. The following fields are common across most
connectors:
    - Name: Enter a user-friendly label for your connector.
    - Log File: Enter the location of the log file that the connector will normalize. This is a
      location on either the local computer (Agents), or the SEM appliance (non-Agent devices).
    - Output: Normalized, Raw + Normalized, Raw. You only need to configure these values if
      SEM is configured to save raw (unnormalized) log messages.
 7. Click Add.
 8. To start a connector, select a configured connector, and then click Start.

Maintain and monitor multiple domain controller Agents

Connector Profiles help you maintain and monitor multiple domain controllers in your SEM console.
You can use these profiles to configure and modify connector settings at the profile level, as well as
provide a group you can use to filter incoming event traffic from your SEM Agents to your SEM
console.

Create a connector profile based on a single SolarWinds SEM Agent

Follow this procedure to create a connector profile based on a single SEM Agent and a corresponding
filter to monitor activity on all systems in the profile.

 1. Install the SEM Agent software on all systems you want to include in your new connector profile.
 2. Configure a single SEM Agent to serve as the template for your connector profile.
 3. On the SEM menu bar, navigate to Configure > Connector Profile.
 4. Click Create Connector Profile.
 5. Enter a profile name and description.
 6. From the Template list, select the new SEM Agent, and then click Save.
 7. In the Groups list, locate your new connector profile.

Use the Refine Results pane if needed.

 8. Click the icon next to your connector profile, and then select Edit.
 9. In the Available Agents pane, locate the SolarWinds SEM Agents you want to add to your
connector profile.
 10. Click the arrow next to each SEM Agent you want to add to the Contained Agents pane.

 11. When complete, click Save.

Create a filter for all activity in a Connector Profile


 1. On the SEM Console, select Live Events.
 2. To create a filter at a group level in the Filter Values pane, for example, the Overview group,
move the mouse pointer over a group heading to expose the vertical ellipsis, and click Add New
Filter.

Or:
To create a filter at the root level, click the add icon, and then select Add New Filter.

 3. Enter a descriptive name for your new filter in the Name field on the right.
 4. In the first column under Filter Values on the left, expand Event Groups, and select Any Alert.
 5. Drag DetectionIP from the second column on the left into the filter builder.
When you drag a value into the filter builder, the correct drop location is illuminated with a blue
line.

 6. In the same way, expand the Connector Profiles group, select your profile, and drag it into the
filter value drop location.

 7. Click Save.

Create and enable a critical logon failures rule


Clone and enable the Critical Account Logon Failures rule to track failed logon attempts to the
default Windows Administrator account. The default action for this rule is to generate a HostIncident
event, which you can use in conjunction with the Incidents report to notify auditors that you are
auditing the critical events on your network.

 1. On the SEM Console, select Rules.


 2. On the Rules toolbar, click Create rule from template.

 3. In the search box, enter "critical account" failures.

 4. Select the Critical Account Logon Failures rule template, and then click Next.
 5. Review and edit the existing conditions and values where needed, and then click Next.
 6. Review and adjust the rule details where needed, and then click Create.

See Create a new rule for additional guidance.

Tune Windows Logging for SEM implementation


After you install and configure your SEM Agents, optimize your SEM deployment by tuning your
Windows operating system to log the specific events you want to see in your SEM console and store
in your SEM database. Set your group and local policies according to your environment requirements.
See Configure Windows audit policy for use with SEM for more information.

Configure SEM to track Cisco buildup and teardown events


You can enable SEM to track buildup and tear-down events that occur on your network.

To monitor accepted traffic, use the log target in your accepted ACLs instead of the buildup logging.
This lets you control the accepted traffic that will generate an alert. To monitor the information about
the actual NAT, consider the event load this will create. Plan a test phase where you turn it on and
determine if it is valuable to you for further investigation.

If you need to monitor unmodified log data (versus the normalized data), consider the original log
message store. Remember that this process requires additional disk space.

Also, consider whether you need both buildups and tear-downs, or just buildup messages. The tear-
down NAT messages include the same information as the built messages, along with some duration
and size information that may or may not be useful. Colleges and universities that use the built
messages do not rely on the tear-down messages. They only need to know a connection was
established for verification, analysis, and correlation.

Be sure to check your syslog data to determine which buildup or teardown events are of use, and
enable only those.

Tracking Buildup Events


SEM is preconfigured to capture Cisco events 302003, 302009, and 603108.

You can configure SEM to capture Cisco firewall buildup events as well. The primary buildup event to
use for TCP tracking is 302013. Other buildup events include 302015, 302017, 302020, 302303,
305009, 305011, and 609011. Check the description of these events in the Cisco System Log
Messages Guide located on the Cisco website to ensure you need to capture these events.

Administrator Guide: Security Event Manager page 193


Tracking Tear-down Events


Out of the box, SEM captures Cisco event 603019.

You can also enable SEM to capture Cisco firewall tear-down NAT events. The teardown sibling to
buildup event 302013 is 302014. Other events include 302016, 302018, 302021, 302304, 305010,
305012, 617100, and 609002. See the descriptions of these events in the Cisco System Log
Messages Guide to make sure they are ones you want to capture.

Enabling SEM to track buildup and teardown events


 1. Ensure that your firewalls are sending log events to SEM, and that the appropriate SEM
connector is monitoring your firewall data.
 2. Access the firewalls that contain the buildup and tear-down messages you need to monitor and
adjust the severity level of those events from 6 (the default) to 0.
For more information, see the Changing the Severity Level of a Syslog Message section in
Monitoring the Security Appliance (© Cisco 2020, available from cisco.com, retrieved on
10/28/2020).
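Before lowering the severity of the optional buildup and tear-down IDs, it helps to know which of them your firewalls already emit and at what level. The following is an added example, not SEM or Cisco code: it inventories the message IDs listed above from firewall syslog text and flags optional IDs still at the default severity 6. The syslog lines are constructed samples in the standard %ASA-severity-id tag format, using RFC 5737 documentation addresses.

```python
"""Inventory Cisco buildup/tear-down syslog IDs before enabling them in SEM."""
import re
from collections import Counter

# Event IDs as listed in this guide.
PRECONFIGURED = {"302003", "302009", "603108", "603019"}   # captured out of the box
OPTIONAL_BUILDUP = {"302013", "302015", "302017", "302020", "302303",
                    "305009", "305011", "609011"}
OPTIONAL_TEARDOWN = {"302014", "302016", "302018", "302021", "302304",
                     "305010", "305012", "617100", "609002"}
DEFAULT_SEVERITY = "6"  # the guide says to lower optional IDs from 6 to 0

# Cisco firewall syslog tag: %ASA-<severity>-<six-digit message id>:
TAG = re.compile(r"%(?:ASA|PIX|FWSM)-(?P<sev>\d)-(?P<id>\d{6}):")

# Constructed sample lines (RFC 5737 documentation addresses), not real logs.
SAMPLE_SYSLOG = """\
Dec  9 10:30:01 fw01 %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.1.2.3/51000 (10.1.2.3/51000)
Dec  9 10:30:13 fw01 %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/443 to inside:10.1.2.3/51000 duration 0:00:12 bytes 5120 TCP FINs
Dec  9 10:30:14 fw01 %ASA-0-302015: Built outbound UDP connection 1002 for outside:198.51.100.9/53 (198.51.100.9/53) to inside:10.1.2.3/40000 (10.1.2.3/40000)
Dec  9 10:30:15 fw01 %ASA-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.7/80 (203.0.113.7/80) to inside:10.1.2.4/51001 (10.1.2.4/51001)
Dec  9 10:30:16 fw01 %ASA-4-106023: Deny tcp src outside:192.0.2.44/5555 dst inside:10.1.2.3/22 by access-group "OUTSIDE_IN"
"""


def classify(event_id: str) -> str:
    """Map a message ID to the category the guide uses for it."""
    if event_id in OPTIONAL_BUILDUP:
        return "buildup"
    if event_id in OPTIONAL_TEARDOWN:
        return "teardown"
    if event_id in PRECONFIGURED:
        return "preconfigured"
    return "other"


def inventory(syslog_text: str) -> dict:
    """Count buildup/tear-down messages per ID and list the optional IDs that
    are still logged at severity 6, i.e. not yet lowered to 0 as the guide says."""
    per_kind = {"buildup": Counter(), "teardown": Counter(), "preconfigured": Counter()}
    other = 0
    still_default = set()
    for line in syslog_text.splitlines():
        m = TAG.search(line)
        if not m:
            continue
        kind = classify(m["id"])
        if kind == "other":
            other += 1
            continue
        per_kind[kind][m["id"]] += 1
        if kind != "preconfigured" and m["sev"] == DEFAULT_SEVERITY:
            still_default.add(m["id"])
    return {
        "buildup": dict(per_kind["buildup"]),
        "teardown": dict(per_kind["teardown"]),
        "preconfigured": dict(per_kind["preconfigured"]),
        "other": other,
        "still_default_severity": sorted(still_default),
    }


if __name__ == "__main__":
    for key, value in inventory(SAMPLE_SYSLOG).items():
        print(f"{key}: {value}")
```

Feed it a day of exported firewall syslog and the per-ID counts show the event load each optional ID would add to SEM before you commit to it.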


Configure user-defined groups in SEM


Use user-defined groups to create groups of values relevant to your IT environment, such as user and
computer names, sensitive file locations, trusted IP addresses, and so on. Like other groups, they
contain information that can be used in rules and filters. This topic provides steps to add and edit
values in user-defined groups. You can also create rules that auto-populate user-defined groups with
values. See Auto-populate user-defined groups using a SEM rule for details.

If Active Directory is available, use directory service groups to add user and computer accounts
to rules and filters. A user-defined group cannot be synchronized with Active Directory, but a
directory service group can synchronize with Active Directory every five minutes. See Configure
Directory Service Groups in SEM for details.

How rules and filters use user-defined groups


Following are a few example rules that depend on user-defined groups:
 • A rule that stops SEM from blocking accounts in a user-defined group of trusted administrator accounts.
 • A second rule that sends out an alert when an account in the same user-defined group of trusted admin accounts logs in or makes changes.
 • A rule that checks a user-defined group containing trusted IP addresses to see if it should block a certain IP address.

Rules and filters typically make use of user-defined groups in slightly different ways:
 • In a rule, user-defined groups are typically used like a white list or black list that tells SEM which events it should include or ignore.
 • In a filter, user-defined groups limit the scope of the filter to items that belong to the group.

Rules that use user-defined groups include:


 • Authentication - Unknown User
 • Critical Account Logon Failures
 • Detach Unauthorized USB Devices
 • File Audit - Delete Sensitive Files
 • Non-Admin Server Logon
 • Vendor - Unauthorized Server Logon


Filters that use user-defined groups include:


 • Admin Account Authentication
 • Domain Controllers (all)

The Domain Controllers (all) filter uses a connector profile in the constant position by
default. You can replace the profile with a user-defined group or a directory service group
if the tool profile is not sufficient for your environment. For additional information about
connector profiles, see Create connector profiles to manage and monitor SEM Agents.

Create or edit a user-defined group


You can create as many user-defined groups as you need to support your rules and filters.

You can only add a group to one SEM manager at a time. To copy a group for use with another
SEM manager, export the group and then import it into the other manager's Groups grid.

 1. On the SEM Console, click the Configure tab.


 2. From the Configure drop-down list, select User-defined groups.
 3. Click Create User-defined group.
The Create User-defined group window is displayed.


 4. Click Add element.

 5. In the Name field, enter a nickname for the element. This name is for reference only.
 6. In the Value field, enter a value to define the element. You can use wildcard characters, such as
asterisks (*), to abbreviate these entries.


 7. In the Description field, enter a description (optional), and then click Add.

In the elements list, you can search for a specific element, and select an element to edit
the values or delete it. You can also export the elements to a CSV file to import into other
user-defined groups.


 8. Continue to add elements as needed, and then click Next.

 9. Add your group name and description (optional), and then click Create. The new group appears
in the user-defined groups list, and can now be used when configuring rules and filters.

 10. To edit a user-defined group, select a group in the list, and then click Edit on the toolbar. In the
Refine Results pane, you can also filter the groups by the modifier and the time last modified.

Customize the blank and sample user-defined groups included with SEM


SolarWinds recommends customizing the following blank and sample user-defined groups for your
environment:
 • Admin accounts
 • Admin groups
 • Approved DNS servers
 • Authorized USB devices
 • Authorized VPN users
 • Sensitive files
 • Service accounts
 • Suspicious external machines
 • Suspicious local machines
 • Trusted IPs
 • Trusted server sites
 • Vendor and contractor accounts
 • Vendor-authorized servers

The Admin Accounts group is used in several template rules as a placeholder for a custom list
of administrative users. This group represents the default administrative accounts in Windows
and Unix/Linux environments.

About SEM groups


Groups in SEM are objects used to organize related elements for use with rules and filters. Groups
can contain elements such as events, IP addresses, computer names, user accounts, and so on. After
a group is defined, it can be referenced from multiple rules and filters.

Do not confuse groups and roles:


 • Groups organize related elements into logical units so that they can be used in rules and filters.
 • Roles restrict the actions that users can perform in SEM. See About SEM roles for information about SEM role types.


About SEM Group Types


There are seven group types in SEM:
 • User-defined groups
 • Event groups
 • Directory Service groups
 • Time-of-day sets
 • Connector profiles
 • Email templates
 • State variables

Each group type is briefly described below.

User-defined groups
User-defined groups contain data specific to your environment, such as user and computer names,
the names of sensitive files, trusted IP addresses, and so on. User-defined groups are typically used in
rules and filters to whitelist or blacklist events that SEM should include or ignore when evaluating
rules and filters. SEM ships with more than two dozen user-defined groups that need to be populated
with values for your environment. See Configure user-defined groups in SEM for more information.
You can also create rules that auto-populate user-defined groups with values.

Event groups
Event groups gather similar events into a single category for use with rules and filters. For example,
create an event group for events that should all trigger the same response from SEM. If an event in
the group occurs, SEM will fire the rule for that group. SEM ships with more than a dozen predefined
event groups, such as: virus/scanner events, process start/stop events, change management events,
and so on.

Directory Service groups


Directory Service groups (DS groups) are groups of users or computers that SEM imports from
Microsoft Active Directory. DS groups are synchronized with Active Directory every five minutes. Use
DS Groups in rules and filters to match specific users or computers. For example, use a DS group in a
filter to limit the scope of events to only users or computers in that group.

Time-of-day sets
Time-of-day sets are defined time periods that you can use in rules and filters. Use time-of-day sets to
perform specific actions at different hours of the day. For example, if you define a time-of-day set for
Working Hours, and another for Outside Working Hours, you can assign different rules to each set.
SEM ships with the following predefined time-of-day sets: business hours, early shift, graveyard shift,
late shift, normal shift, and reboot cycle.


Connector profiles
Connector profiles are groups of Agents with common connector configurations. Most Agents in a
network only have a few different network security connector configurations. Using connector
profiles, you can group Agents by their common connector configurations, and enable your rules and
filters to include or exclude the Agents associated with a profile.

Email templates
Email templates are pre-formatted email messages that your rules use to notify you when an event
occurs.

State variables
State variables are used in rules to represent temporary or transitional states. For example, you can
create a state variable to track the state of a system, setting it to a different value depending on
whether the system comes online or goes offline.

How groups are added to filters and rules on the SEM Console
This section demonstrates how groups are used in filters and rules.

Use groups in filters


The following image shows the filter builder, which is accessed by selecting Live Events from the top
menu, clicking the icon in the left panel, and clicking Add new filter.

In the left drag panel, groups are organized by group type. On the right side, the filter builder shows
that the Service Audit Alerts event group is included as a condition of the filter.


Use groups in rules


The next image shows a rule definition, which is accessed by selecting Rules > Create New Rules.

Again, groups are organized by group-type on the left side. On the right side, the rule definition builder
shows two different groups in the rule conditions: the Network Audit Alerts event group, and the
Approved DNS Servers user-defined group. Four child fields are specified in the Network Audit Alerts
event group: SourcePort, DestinationPort, SourceMachine, and DestinationMachine.

Import user-defined group elements


If you have group elements saved to a CSV (Comma Separated Values) file, you can import those
elements into your user-defined group.

For each element, a name and value are required. The asterisk (*) wildcard symbol can be used in
values, if appropriate. In addition, an optional description can be added for each element.

The CSV file must begin with the Name, Value, Description header. For example:
Name,Value,Description
Administrators,Administrators, Top level administrators only
Backup Operators,backup oper*,
DNS Admins,DNSAdmin*,
Domain Admin,domain admin*,

Importing elements will not overwrite an existing element list in a user-defined group. Imported
elements are added to the list, and duplicate elements are skipped.
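The following is an added example, not SEM code, that models the import rules just described (header Name,Value,Description; Name and Value required; existing elements never overwritten; duplicates skipped) using the guide's own CSV sample, and then applies the imported group the way the "is in" operator does in a rule such as Non-Admin Server Logon. Three details are assumptions, since the guide does not specify them: an element is a duplicate when its value already exists in the group, `*` is the only wildcard, and matching is case-insensitive.

```python
"""Import user-defined group elements from CSV and test account names against them."""
import csv
import io
import re
from dataclasses import dataclass, field

# CSV sample from the guide.
GUIDE_CSV = """Name,Value,Description
Administrators,Administrators, Top level administrators only
Backup Operators,backup oper*,
DNS Admins,DNSAdmin*,
Domain Admin,domain admin*,
"""

# Constructed rows that exercise the error paths: a missing Value and a duplicate.
BAD_CSV = """Name,Value,Description
Helpdesk,,Missing value is rejected
DNS Admins,DNSAdmin*,Already present after importing GUIDE_CSV
"""


@dataclass
class GroupElement:
    name: str
    value: str
    description: str = ""

    def matches(self, candidate: str) -> bool:
        """True if candidate fits this element's value, treating '*' as 'any text'
        (assumed semantics; everything else in the value is literal)."""
        parts = [re.escape(p) for p in self.value.split("*")]
        pattern = "^" + ".*".join(parts) + "$"
        return re.match(pattern, candidate, re.IGNORECASE) is not None


@dataclass
class UserDefinedGroup:
    name: str
    elements: list = field(default_factory=list)

    def import_csv(self, text: str) -> dict:
        """Add elements from CSV text; returns counts of added/skipped/rejected rows."""
        reader = csv.reader(io.StringIO(text))
        header = [h.strip() for h in next(reader, [])]
        if header != ["Name", "Value", "Description"]:
            raise ValueError(f"CSV must start with Name,Value,Description; got {header}")
        stats = {"added": 0, "skipped_duplicate": 0, "rejected": 0}
        # Assumption: duplicates are detected on the value, since the name is a nickname only.
        seen = {e.value.lower() for e in self.elements}
        for row in reader:
            if not any(cell.strip() for cell in row):
                continue  # blank line
            name, value, desc = (c.strip() for c in (row + ["", "", ""])[:3])
            if not name or not value:
                stats["rejected"] += 1      # Name and Value columns must be populated
                continue
            if value.lower() in seen:
                stats["skipped_duplicate"] += 1
                continue
            self.elements.append(GroupElement(name, value, desc))
            seen.add(value.lower())
            stats["added"] += 1
        return stats

    def contains(self, candidate: str) -> bool:
        """The 'is in' operator: does any element's value match the candidate?"""
        return any(e.matches(candidate) for e in self.elements)


def evaluate_logons(group: UserDefinedGroup, accounts: list) -> dict:
    """Split account names into those in the group ('is in') and those outside it
    ('is not in'), the split a rule built on this group would act on."""
    return {
        "in_group": [a for a in accounts if group.contains(a)],
        "not_in_group": [a for a in accounts if not group.contains(a)],
    }


if __name__ == "__main__":
    admins = UserDefinedGroup("Admin accounts")
    print(admins.import_csv(GUIDE_CSV))  # {'added': 4, 'skipped_duplicate': 0, 'rejected': 0}
    print(admins.import_csv(BAD_CSV))    # {'added': 0, 'skipped_duplicate': 1, 'rejected': 1}
    print(evaluate_logons(admins, ["Domain Admins", "backup operators", "jsmith"]))
```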

 1. On the SEM Console, click the Configure tab.


 2. From the Configure drop-down list, select User-defined groups.


 3. On the toolbar, click Create User-defined group, or select an existing user-defined group and
click Edit.

 4. Click Import elements, navigate to your CSV file, and then click Open.

The CSV file must include populated Name and Value columns. The Description column
is optional.

Export user-defined group elements


 1. On the SEM Console, click the Configure tab.
 2. From the Configure drop-down list, select User-defined groups.


 3. On the toolbar, click Create User-defined group, or select an existing user-defined group and
click Edit.

 4. Click Export elements. The CSV file downloads to your local system.

Configure Directory Service Groups in SEM


Complete these steps to select the Active Directory groups to synchronize with SEM. The
synchronization process runs every five minutes if the connector is running.


 1. On the SEM Manager menu bar, navigate to Configure > Directory Service Groups.

 2. Click Import Directory service group.


The Import Directory service groups dialog is displayed.

 3. Select the LDAP Configuration to use from the dropdown menu.
 4. Click Add Groups. This opens a dialog into which you should enter the Distinguished Name (DN)
of the directory service group you want to add. For example: cn=A-group, ou=support,
dc=mycompany, dc=com.


 5. Click Search group to verify the group exists.


 6. If the group is found, click Add group.

 7. If you want to import further groups, repeat from step 4.


 8. When you have selected all the groups to import, click Import.

View a directory service group member


The Directory service groups page lists all groups synchronized with SEM. Select a DS group to view
the members of that group.

 1. On the SEM Manager menu bar, navigate to Configure > Directory Service Groups.

 2. Select the group by checking the box in front of its name, and click Show members.
The Directory Service Group pane is displayed listing the group members.

Remove a directory service group


The Directory service groups page lists all groups synchronized with SEM. Select a DS group to remove
it from SEM.

 1. On the SEM Manager menu bar, navigate to Configure > Directory Service Groups.
 2. Select the group by checking the box in front of its name, and click Delete.
The Directory Service Group is removed.


SEM Event Views: Live and Historical


This section covers historical and live events, and explains how to set up, manage and import/export
queries and filters.


The SEM Live Events Viewer


The SEM Console provides instant access to live event monitoring and filtering as well as historical
record archives for in-depth analysis and troubleshooting. Within the console view, you can quickly
switch between real-time event streaming and historical log views based on user-defined date and
time parameters.

The Live Events view consists of three panes: the filters, the event table and the event details.

Number | Item | Description
1 | Events | The Events table displays the events that exist for your selected filter. The title bar displays the name of the filter currently selected in the Filters pane. Events that match the selected filter are displayed as they occur if the Live Mode switch above the table is on. If set to off, the feed is frozen and the number of undisplayed event messages is displayed alongside the filter name.
2 | Filters | The Filters pane displays the filters that can be applied to the event messages. To apply a filter, click to expand a filter group, and click on the filter. The events table title changes to the name of the filter and the table is refreshed to display the incoming events matching the filter conditions. For more on using filters, see About Filters. To create or edit filters, see Create filters in SEM. Click the Hide Pane icon to collapse this pane, or the Show Pane icon to expand it. For information on importing and exporting filters, see Export and Import live event filters.
3 | Toolbar | Switch between Live Events and Historical Events on the Toolbar. You can also access the dashboard, work with rules, and configure nodes, connectors, users, directory service groups, user-defined groups and e-mail templates.
4 | Detail | The Detail pane displays information about the highlighted event in the Events table. When you click an event, the event details are displayed. Click the Hide Pane icon to collapse the pane, or the Show Pane icon to expand it. Click the icon to copy CSV-formatted event details to your system clipboard. You can also enter specific keywords in the pane to filter and view specific event data.

About SEM filters


This section introduces filters and briefly describes the default filters included with SEM.

Since a network of any size will generate vast numbers of events and alerts, only some of which are of
interest or use at any particular time, SEM filters let you capture and display just those that meet your
specific requirements.

You can turn filters on and off, pause filters to sort or investigate events, perform actions to respond
to events, and configure filters to notify you when they capture an event. Filters can also be used with
widgets, which are charts and graphs that visually represent event data.

Filter conditions can be broad or specific. For example:


 • The default "All" filter captures all events, regardless of the source or event type
 • The filter "User Account Changes" in the Change Management group of filters only captures one event: Auditable User Events Occurred
 • The filter "FTP Traffic" in the IT Operations group of filters captures any of the following events:
   ◦ Network Audit Alerts.EventInfo is equal to *FTP*
   ◦ Network Audit Alerts.SourcePort is equal to 20
   ◦ Network Audit Alerts.SourcePort is equal to 21
   ◦ Network Audit Alerts.DestinationPort is equal to 20
   ◦ Network Audit Alerts.DestinationPort is equal to 21

Filters and rules


Create filters when you want to group a type of event. For example, create filters to collect all events
from your domain controllers, or all events for a specific type of user.


Create rules when you want SEM to take action in response to one or more events. For more on rules,
see SEM rules: Automate how SEM responds to events.

Rules can be quickly created from filters as described in Create a rule from a filter.

Use filters to group a type of event or to monitor specific events


You can create filters to collect:
 • All events from your firewalls
 • All events from your domain controllers
 • All events for a specific type of user
 • All events except for recurring, expected events

Create custom filters to monitor specific events, such as:


 • Change Management filters to monitor configuration changes users create in your network.
 • High Volume Event filters to monitor traffic spikes or unexpected off-peak traffic.
 • General Interest filters to monitor log in failures and failed authentications.

A failed authentication is an event triggered by three logon failures by the same account
within an extremely short period of time.

 • Rule Scenario Event filters to determine if you have the appropriate events to create a rule for a specific scenario.
 • Daily Problem Event filters to monitor basic operational problems (such as account lockouts) in real time.

About the default filters included with SEM


SolarWinds SEM ships with filters that support best practices in the security industry. You can modify
these filters to meet your needs, or you can create an unlimited number of custom filters. A single set
of filters can monitor data collected across multiple SEM Managers.

Find and view filters


To find a filter in SEM, click the Live Events tab on the SEM Console. Expand a category (such as
Overview or IT Operations) to view its filters. The number of events that match the filter's criteria is
displayed to the right. Click on a filter to display the filtered events in the log viewer table. Initially all
events are displayed.


About SEM filter categories

By default, filters are grouped into the following seven categories in the Filters pane:
 • Overview
 • Security
 • IT Operations
 • Change Management
 • Authentication
 • Endpoint Monitoring
 • Compliance

Learn about creating filters here.

Default filters included with SEM


The following default filters are included with SEM.

Overview filters

Name | Description | Default Status
All Events | Displays all events from all sources. | On


Security filters

Name | Description | Default Status
Incidents | Filters all events categorized as Incidents. | On
Security Events | Filters events categorized as attack activity or potentially suspicious. | On
Network Event Threats | Filters events with source or destination detected in the threat intelligence feed as potentially bad actors. | On
All Firewall Events | Filters events from firewall devices that match the targeted name. | On
All Threat Events | Filters all events with the source or destination detected in the threat intelligence feed as potentially bad actors. | On
Denied ACL Traffic | Filters events from network devices that indicate denied ACL activity. | Off
Unusual Network Traffic | Filters unusual network traffic and scans. | On
Blocked Web Traffic | Filters events from proxy servers or other web servers that blocked an attempt to access a URL. | On
Proxy Bypassers | Filters web traffic users who are bypassing your proxy server. | Off
Web Traffic - Spyware | Filters web traffic events to potential spyware sites. | Off
Virus Attacks | Filters events that indicate potential virus detection. | On
IDS Scan / Attack Activity | Filters security events detected by IDS tools (such as Snort). | On
Security Processes | Filters security-related process activities. | On
File Audit Failures | Filters events that indicate failed attempts to access files. | On


IT Operations filters

Name | Description | Default Status
All Domain Controller Events | Displays all traffic from machines in the Domain Controllers tool profile. | Off
All Web Traffic | Filters all web traffic-related events from network devices, proxy servers, and web servers. | On
Software Installation/Update | Filters events related to software installation and updates. | On
Service Events | Filters events related to starting and stopping services, as well as service warnings and information. | On
System Events | Filters events related to system availability and status information. | On
Error Events | Filters events from all sources that contain "error". | On
Warning Events | Filters events from all sources that contain "warning". | On
Windows Error Events | Filters events from Microsoft Windows event logs that contain "error". | On
Error Events for Device | Filters events from a specific device that contain "error". | Off
Web Traffic for Source Machine | Filters web traffic emanating from a certain source machine. | Off
All Network Traffic | Filters all network traffic-related events from all devices and systems. | On
FTP Traffic | Filters TCP traffic events between one or more FTP ports reported by any device or system. | On
SNMP Traffic | Filters UDP traffic events between one or more SNMP ports reported by any device or system. | On
SMTP Traffic | Filters UDP traffic events between one or more SMTP ports reported by any device or system. | On


Change Management filters

Name | Description | Default Status
General Change Management | Filters all events that indicate changes to devices, systems, users, groups, and domains. | On
User Account Changes | Filters changes to existing user accounts. | On
Machine Account Changes | Filters changes to existing machine accounts. | On
Group Changes | Filters creation, deletion, and changes to groups. | On
Domain & Membership Changes | Filters new and deleted domain accounts (including users/groups) and domain changes. | On
Device/System Policy Changes | Filters events related to policy changes on devices and systems. | On
All File Audit Activity | Filters events related to all types of audited file access. | On
USB File Auditing | Filters file-related alerts from Agents running USB Defender. | On

Authentication filters

Name | Description | Default Status
User Logons | Filters all types of user logons. | On
Interactive User Logons | Filters background network logon types. | On
Remote User Logons | Filters events that indicate remote Windows system logons. | On
Failed Logons | Filters events that indicate failed logon attempts to devices and systems. | On
Account Lockouts | Filters events that indicate an account was locked out. | On
Authentication Event Threats | Filters authentication events with a source or destination detected in the threat intelligence feed as potentially bad actors. | On
Admin Account Authentication | Filters authentication events related to specified administrative accounts. | Off


Endpoint Monitoring filters

Name | Description | Default Status
Workstation Logon/Logon Failure Activity | Filters non-network workstation logon/logon failure to a domain or local account. | On
Local Account Authentication/Changes | Filters any user-related audit events that are not to or from the corporate domain. | On
Software Installed on Workstations | Filters software installations on workstation systems. | On
USB-Defender Events | Filters USB Defender events. | On
Workstation Events with Threats | Filters all events detected on endpoints with a source or destination detected in the threat intelligence feed as potentially bad actors. | On

Compliance filters

Name | Description | Default Status
Top PCI Events | Filters the most common PCI events of interest, which include change management, unexpected file access, incidents, and attacks. | Off
Top HIPAA Events | Filters file activity, changes, and incidents related to HIPAA events. | Off
Top Banking Compliance Events | Filters common banking compliance events, including change management, users and groups, and potentially suspicious attack activity. | Off

Create filters in SEM


Using the SEM Console, you can create custom filters for your event log stream to complement
existing SEM filters. On the Add New Filter page, create filters by dragging and dropping default filter
fields to the right side of the page, and set up values and conditions using these fields to build a filter
that determines which events are monitored.


 1. On the SEM Console, click the Live Events tab.


 2. To create a filter within a group, move the mouse pointer over the group heading to expose the
vertical ellipsis icon.

 3. Click on the vertical ellipsis icon, and select Add New Filter.

To create a filter outside of the groups, click the add icon at the very top of the column, and
select Add New Filter.


 4. Enter a descriptive name for your new filter.

To establish notifications for the new filter, you can create a rule based on your filter with
one click.


 5. There are several ways to add filter fields to a filter, but the drag and drop method is easiest:
 a. Expand Events or Event Groups in the left column to display filter entities.

 b. Some filter entities, such as those in the Events group, can be expanded to show filter
fields.


 c. Drag an entity or field to the panel on the right.

When you drag a filter field into the filter builder, the place to drop it is illuminated
with a blue line.

 d. Move the cursor over the condition you have just created.

 e. The current condition is displayed. Use the drop-downs to change this to your required
condition. For example, in this case the only meaningful change you can make is from
"Access.IsThreat is equal to True" to "Access.IsThreat is equal to False", but other
conditions can involve strings, numerical values, or group values (see below for using
group values). For information on using operators (such as "is equal to", "is in", etc) see
Compare values with operators in SEM.


 f. Click Save when you have set up the condition how you want it.
 6. A filter can consist of one or more conditions. To add further conditions, drag the required field
to just beneath the previous condition. As before, a blue line shows where to drop it.

Initially, multiple conditions are assumed to be additive, and the AND operator is displayed.
 7. To change the operator, click AND, and then select OR.


If you create a filter with multiple conditions that combines AND and OR operators, you will need to
group the conditions accordingly. For example, the following condition flags an error because the
condition is ambiguous.

To show that you want this filter to display events where the access severity does not matter but the
detection time is during business hours, or events where the detection time is during the late shift
and the severity is not less than 5, you need to group as follows.
 8. Click on AND, and select Group.

The condition is redisplayed.


 9. Click Save to save the filter. It is now available in the column on the left.

Compare values with operators in SEM


This section covers the use of operators when creating filters in SEM.

Operators in a single condition

The following tips apply to operators:


 • When comparing two numeric values, the full range of mathematical operator options is available.
 • An IP address is treated as a string (or text) value. Therefore, operators are limited to equal and not equal.
 • DateTime fields have a default value of > Time Now, which means greater than the current date and time.

The following table describes each operator and how it should be interpreted when used as a filter
condition.

A list item (indicated with an * in the following table) can be another event variable, such as an
event field. For example, you may want to evaluate if an event's source is equal to a certain
destination. In this case, you would compare two event fields, such as SourceMachine =
DestinationMachine.


Operator | Description
Exists / Not exist | Use these operators to specify whether a particular event or Event Group exists. Read conditions with these operators as follows: This [event/Event Group] must [exist/not exist]. Not exist is only used in rules.
is in / is not in | Use these operators when comparing event fields with groups (such as Event Groups, User-Defined Groups, etc.). They determine the filter's behavior based on whether or not the field is contained in a specific Group. Read conditions with these operators as follows: This [event field] must be in this [Group]; This [event field] must not be in this [Group].
Equals / Does not equal | Read conditions with these operators as follows: This [event variable] must equal this [list item*]; This [event variable] must not equal this [list item*]. Text comparisons (for IP addresses, host names, etc.) are limited to equal or not equal operators.
Greater than / Greater than OR equal to / Less than / Less than OR equal to | Read conditions with these operators as follows: This [event variable] must be greater than this [list item*]; This [event variable] must be greater than or equal to this [list item*]; This [event variable] must be less than this [list item*]; This [event variable] must be less than or equal to this [list item*].
AND / OR | Conditions and groups of conditions are subject to AND and OR comparisons. The AND symbol means two or more conditions (or groups) must occur together for the filter to apply. This is the default comparison for new groups. The OR symbol means any one of several conditions (or groups) may occur for the filter to apply. When comparing groups of distinct events, you must use the OR symbol. If you click an AND operator, it changes to an OR, and vice versa.


AND and OR Operators linking multiple conditions in a filter

Filter groups and conditions, and rule groups and correlations, are all subject to AND and OR
conditions. By default, new groups, conditions, and correlations appear with an AND condition. Both
AND and OR conditions can surround nested groups, and they can be used between groups on the
same level to create complex filter conditions or rule correlations.

Example: If x AND y AND z occur, report the event.
Description: If all the conditions apply, report the event.

Example: If x OR y OR z occurs, report the event.
Description: If any of the conditions apply, report the event.

Example: If (x AND y) OR z occurs, report the event.
Description: If conditions x and y occur, or if condition z occurs, report the event.

Example: If (a AND b) OR (x AND y) OR (z) occurs, report the event.
Description: In this case, you would create three groups, two nested within the third:
 l The nested groups are configured as (a AND b) and (x AND y), joined with an OR.
 l The outer group is configured as (z), surrounding the nested groups with an OR.

Example: Condition1 AND Condition2 AND Condition3 OR Condition4 AND Condition5.
Description: In this example, the filter reports the event when it meets the following
conditions: Condition1 and Condition2 and Condition3, or Condition1 and Condition4 and
Condition5.
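The need for explicit grouping is easiest to see by evaluating the three conditions from the business-hours example earlier in this chapter in code. The following Python is an added illustration written for this guide, not SEM code: it models a filter as nested groups, each with a single operator, and evaluates two possible groupings of the same three conditions against constructed sample events. The shift windows (business hours 09:00 to 16:59, late shift 22:00 to 05:59) and the event field names DetectionTime and Severity are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Union

# Constructed model of how SEM combines filter conditions: a flat list mixing
# AND and OR is ambiguous, so the intent is made explicit by nesting groups.
# Each Group carries exactly one operator and any number of members.


@dataclass
class Condition:
    name: str
    test: Callable[[dict], bool]

    def evaluate(self, event: dict) -> bool:
        return self.test(event)


@dataclass
class Group:
    operator: str                          # "AND" (SEM's default) or "OR"
    members: List[Union[Condition, "Group"]]

    def evaluate(self, event: dict) -> bool:
        if self.operator == "AND":
            return all(m.evaluate(event) for m in self.members)
        if self.operator == "OR":
            return any(m.evaluate(event) for m in self.members)
        raise ValueError(f"unknown operator {self.operator!r}")


# Assumed shift windows (the guide does not define them): business hours are
# 09:00-16:59; the late shift runs 22:00-05:59, crossing midnight.
def in_business_hours(event: dict) -> bool:
    return 9 <= event["DetectionTime"].hour < 17


def in_late_shift(event: dict) -> bool:
    hour = event["DetectionTime"].hour
    return hour >= 22 or hour < 6


business_hours = Condition("DetectionTime in business hours", in_business_hours)
late_shift = Condition("DetectionTime in late shift", in_late_shift)
severity_at_least_5 = Condition("Severity >= 5", lambda e: e["Severity"] >= 5)

# The grouping the text asks for: business hours (any severity)
# OR (late shift AND severity not less than 5).
intended_filter = Group("OR", [
    business_hours,
    Group("AND", [late_shift, severity_at_least_5]),
])

# A different reading of the same three ungrouped conditions:
# (business hours OR late shift) AND severity not less than 5.
other_reading = Group("AND", [
    Group("OR", [business_hours, late_shift]),
    severity_at_least_5,
])


def make_event(when: str, severity: int) -> dict:
    """Constructed sample event carrying only the two fields the filter inspects."""
    return {"DetectionTime": datetime.fromisoformat(when), "Severity": severity}


def compare_readings(event: dict):
    """Return (intended, other) so the effect of the grouping is visible side by side."""
    return intended_filter.evaluate(event), other_reading.evaluate(event)


if __name__ == "__main__":
    for when, sev in [("2022-12-09T10:30", 1), ("2022-12-09T23:15", 7),
                      ("2022-12-09T23:15", 3), ("2022-12-09T19:00", 9)]:
        print(when, sev, compare_readings(make_event(when, sev)))
```

The first sample event (10:30, severity 1) is the case the text is about: only the intended grouping reports it, because the other reading wrongly demands severity 5 or higher even during business hours. Both readings agree on the late-shift events, which is why an ungrouped filter can look correct in testing and still drop daytime events.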

Example filter: View network traffic from specific computers


You can create custom filters to highlight specific firewall events. For example, to monitor traffic from
a specific computer, create a filter for all network traffic coming from the targeted computer. Use
connector profiles and other groups to broaden or refine the scope of custom filters.

The following procedure gives an example of a filter that monitors all traffic from a targeted
computer.

 1. On the SEM Console, click Live Events.


 2. To create a filter at a group level in the Filters pane, move the mouse pointer over a group
heading to expose the vertical ellipsis, and select Add New Filter. For example, to add a filter to
the Overview group, click the vertical ellipsis after Overview, and click Add New Filter.


Or, to create a filter at the root level, outside of all the groups, click the add icon, and select
Add New Filter.

 3. Enter a descriptive name for your new filter in the Name field.
 4. In the first column of the Filter Values on the left, expand Event Groups, and drag Network Audit
Alerts into the filter builder.
When you drag a value into the filter builder, the correct drop location is illuminated with a blue
line.
 5. From the second column of the Filter Values, drag SourceMachine to the filter builder.

 6. Mouse over Network Audit Alerts.SourceMachine to expose the filter builder toolbar.
 7. Click the "or add it" link and enter the fully qualified domain name of the computer.
 8. Click Save.


Create a filter for all activity in a connector profile


 1. On the SEM Console, select Live Events.
 2. To create a filter at a group level in the Filter Values pane, for example, the Overview group,
move the mouse pointer over a group heading to expose the vertical ellipsis, and click Add New
Filter.

Or:
To create a filter at the root level, click the add icon, and then select Add New Filter.

 3. Enter a descriptive name for your new filter in the Name field on the right.
 4. In the first column under Filter Values on the left, expand Event Groups, and select Any Alert.

 5. Drag DetectionIP from the second column on the left into the filter builder.
When you drag a value into the filter builder, the correct drop location is illuminated with a blue
line.


 6. In the same way, expand the Connector Profiles group, select your profile, and drag it into the
filter value drop location.

 7. Click Save.

Use the ToolAlias field in SEM rules and filters to capture traffic from a specific device
The ToolAlias field is a useful field to know if you have to create filters, rules, and searches that
target traffic from a specific device. Every device that sends events to SEM has an Alias property
that you can customize with a device-specific name. Use the ToolAlias field to examine the Alias
property and find events that match your filter criteria.

You can also use the DetectionIP event field to monitor events from a device that has a specific IP
address, for example AnyAlert.DetectionIP=10.1.1.1.

Create a filter to capture events from a specific device

 1. On the SEM Console, click the Live Events tab.


 2. To create a filter at the group level in the Filter Values pane, move the mouse pointer over a
group heading to expose the vertical ellipsis, and then select Add New Filter.


Or:
To create a filter at the root level, click the add icon, and then select Add New Filter.

 3. Enter a descriptive name for your new filter.


 4. In the first column on the left, expand Event Groups and select one of the following:
 l To view all traffic from your device, select Any Alert.
 l To view all network events from your device, select Network Audit Alerts.
 l To view web traffic from your device, select WebTrafficAudit from the Event groups.

 5. From the second column list, drag ToolAlias into the filter builder.
When you drag a value into the filter builder, the correct drop location is illuminated with a blue
line.
 6. Click the or add it hyperlink.

 7. Enter a filter value to match the alias property of the device that you want to track. Use asterisks
(*) as wildcard characters if required.
For example, consider the default Firewall filter. Its condition is Any Alert.ToolAlias =
*firewall*. This assumes that the firewall connector was configured with a Tool Alias that
includes "firewall" in the name.
 8. Click Save.

Verify that the correct Alias value is associated with the connector

The following procedure applies to devices configured to send logs to SEM. To verify agent
connectors, use this same procedure, but apply it to the agent associated with the connector instead.


 1. On the SEM Console, navigate to Configure > Manager Connectors.

 2. Under Configured connectors, select the connector instance you want to verify.
 3. On the connector toolbar, click Edit.
 4. Verify the connector name (alias) is correct (change the name, if not), and click Save.
 5. On the connector toolbar, click Start.

Export and Import live event filters in SEM


You can export and import live event filters from SEM as a single file in JSON format.

Export all filters


To export all filters:

 1. Navigate to Live Events.

 2. Click the vertical ellipsis icon at the top of the filters list.

 3. Select Export All Filters.

It is not currently possible to export single or selected filters.

 4. Enter a meaningful filename and click Save.

Import filters
To import filters:


 1. Navigate to Live Events.


 2. Click the vertical ellipsis icon at the top of the filters list.

The Import Filters window is displayed.

 3. Click Browse file, navigate to the required JSON file, and click Open.
 4. Click Next.
The filters contained in the selected JSON file are listed.


 5. Remove any filters you do not want to import by unchecking the boxes in front of the filter
names, and then click Next.
The import process begins. The filters that are successfully imported are listed. Those that
cannot are shown along with the reasons why.


 6. When the import is complete, click OK.

Filter and export event logs


You can filter and export your event logs to a CSV file from the SEM Console. Use CSV files to attach
search results to a help ticket, share with members of your team, archive data for historical reference,
and more. Each exported record includes the date, time, severity level, IP address, node, source, and
message.

 1. On the SEM Console, select Live Events.


 2. Set your search parameters, and then initiate your search. The number of returned events
appears above the Live Mode toggle button.

You can export records from live mode, paused mode, and historical search. The number
of returned historical events is determined by your search results threshold on the
Settings page.


 3. Below the console toolbar, click Export.

Change the location and name of the download file if necessary, and click Save. By default the
file is named yyyy_mm_dd_hhmm.csv.
SEM exports the CSV file containing the search results to your local system.

Analyze historical data in SEM


The SEM historical data search engine can locate any event data that has passed through a particular
SEM Manager instance. You can use the historical data search to conduct custom searches,
investigate your search results and event data, and then act on your findings.

Learn how to build a search query here.

Use historical search to do the following:


 l Search normalized event data.
 l View, explore, and search significant event activity. Historical search summarizes event activity
in a selectable table or list view that you can use to easily select and investigate areas of
interest.
 l See specific date and time range data using the custom time picker.
 l Conduct custom searches. You can also create complex search queries with the intuitive search
builder.
 l Save and reuse custom searches.
 l Export and import queries as JSON files.
 l Schedule saved searches.
 l Export your search results to a spreadsheet file in CSV format.

Since certain search parameters can result in a huge number of matching results and thus
negatively impact performance, SEM limits the number of events that are retrieved. For more
on this, see Event Limits.

To view historical events:


 1. From the SEM console, click Historical Events.

When you first open Historical Events it shows unfiltered events (that is, all events on the
network) for the last ten minutes as a chart and a table.

1 Query Builder: This is where you build queries to filter the historical results. For
information on creating queries, see Create a search query.

2 Time Picker: Click to specify the time period for this query. You can either use preset
"quick picks" or create your own custom periods.

3 Options: The options displayed when you click this depend on whether the search query
has already been saved and scheduled.
 l Save query as new: Save the new query currently being viewed with a user-supplied
name. The query will then be available from the Queries list.
 l Save and schedule: Save the query and open the Schedule search window so that you can
run the currently viewed query at specified dates and times, and have the results emailed
to selected email addresses and LDAP users or used in Scheduled Query Severity dashboard
widgets.
 l Edit saved query: Apply tags and thresholds to a query for use in Scheduled Query
Severity dashboard widgets.
 l Schedule this query: Open the Schedule search window so that you can run the currently
viewed query at specified dates and times, and have the results emailed to selected email
addresses and LDAP users or used in Scheduled Query Severity dashboard widgets.

4 Queries/Refine results: Switch between the list of saved queries and the Refine Results.
The Refine Results lists the fields available for filtering historical events by category.
Drag these to the Query Builder field, or click the Add icon. For more information on using
these fields and creating queries, see Create a search query.

5 Event chart: The number of events over the specified period of time is displayed as a
simple bar chart. Drag the cursor over a time period to zoom in on that period; click the
icon that then appears in the top right of the chart to return to the previously specified
period.

6 Event Detail: Select a single event in the table to display additional information in the
Event Details pane.

7 Menu: The menu options displayed depend on what is selected.
 l Click Export to save as a CSV file.
 l Click Switch to List view to display the filtered events as a list.
 l Click Switch to Table view to display the filtered events as a table.
 l Click Hide Chart to remove the chart from display.
 l Click Show Chart to display the chart.

8 Events: Shows the total number of events meeting the query.

Maximum number of events shown


The number of loaded events is displayed here.


By clicking the icon you can see:


 l the number of loaded events
 l the maximum number of loaded events
 l the number of events found (loaded and not loaded)

Since searches with a high maximum threshold can negatively impact performance, you can set the
maximum number of events that are loaded. On average, every 1000 returned search results
consumes approximately 100MB of RAM. This can result in up to 10GB being consumed by one
search query if the threshold is set to the 100,000 maximum.

 1. Click the information icon for more information.

 2. To change the maximum limit, click Change limits and see Set search and filter thresholds.


The custom time picker


 1. Refine your search results with the custom time picker.

You can select a quick pick, or set a specific date and time range.

Create a search query


Use the intuitive search builder to create custom search queries. To conduct custom searches,
navigate to Historical Events in the SEM console.

By default, the initial search period covers the last hour. Specifically, the search period ends at the
time you go to Historical Events and begins one hour earlier.

As you build your search query, keep in mind the available operators and functions:

Operator Definition
= Equals
!= Not equal to
> Greater than
< Less than
>= Greater than or equal to
<= Less than or equal to
in True if the operand is equal to one of a list of expressions.
not in Displays a record if the condition is not true.

Function Definition
And Displays results if all the conditions separated by And are true.
Or Displays results if any of the conditions separated by Or are true.
() Parentheses: gives solving priority to the conditions inside of the first grouping when
more than one grouping is listed.

You can build a query two different ways:

Build by selecting fields from the left column

 1. Click Refine Results to list the categories of available fields.


 2. Click on a category to display the existing field values and the number of occurrences within
events. For example, if you created a query that simply returned all events involving the IP
address that starts with lab-checkpoint you would have a query containing 933 events.


 3. Move the mouse over the plus icon and click.
 4. Continue adding other fields until you have created your query. By default, the query is built up
using ANDs, but these can be changed to OR conditions and parentheses added as required.

Build by manually entering queries data

You can also manually enter query data. As you type in the query builder, tips and suggestions appear
to guide you as you enter your query parameters.


Add the time period for the query

When you have created the query fields you can use the time picker to select the date range you want
the query to cover.

When your query is complete, press Search to initiate the search.


Query building tips and examples


The query builder supports a combination of values, operators, and functions.

Basic query structure

A basic query uses full-text values. For example:

"someText"

You can also chain the conditions using the logical operators "AND" and "OR." For example:
"someText" AND "someOtherText" OR "someOtherText2"

To make sure your conditions are properly executed, you can also use brackets (parentheses). For
example:
"someText" AND ( "someOtherText" OR "someOtherText2" )

Advanced conditions

Aside from basic conditions, you can add conditions with two operands connected by an operator.

For example, if you want to search for an event NOT containing certain text, you can write it as
follows:

Text != "someText"

You can also search for events containing a value in a specific property. For example:
DestinationPort = 1234

Also, you can specify the event type and condition. For example:
Access.DestinationPort = 1234

Or, it can be split into separate conditions:


EventType = Access AND DestinationPort = 1234

And, you can quote the name of the event group if it contains non-alphanumeric characters. For
example:
"Any Alert".DestinationPort = 1234

Special characters and spaces

Queries support a wide range of special characters, including Unicode characters such as ☃ ☀ ♫.
One of the main restrictions concerns spaces and double quotes in the names of custom groups
and other things a user can create. To use them in a query, the value must be wrapped in quotes.
For example:

"Any Alert".DestinationPort = 1234 OR DetectionIP in UserDefinedGroup."Auditd Watchers Excludes"

If the name or value contains a double quote, it must be doubled in the query. For example:
Text = "sometext""containing""quotes"

This will result in searching for the following text:


sometext"containing"quotes
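To show how the quoting rules above fit together, here is an added Python tokenizer written for this guide (it is not SEM's parser and not SolarWinds' code). It reads a query string, unescapes doubled quotes inside quoted values, and keeps a quoted group name attached to its field, as in "Any Alert".DestinationPort or UserDefinedGroup."Auditd Watchers Excludes". It also includes quote_value, the inverse operation, for embedding a user-supplied name in a query without breaking the quoting. The token kinds and the treatment of "." are assumptions made for the example.

```python
import re
from typing import List, Tuple, Union

# Constructed tokenizer for the quoting rules the guide describes. Token kinds
# ("word", "op", "value", "field") and the handling of "." are assumptions.
WORD = re.compile(r'[^\s=<>!()"]+')      # bare identifiers, numbers, IPs, Group.Field
OP = re.compile(r'!=|>=|<=|[=<>()]')

Token = Tuple[str, Union[str, Tuple[str, str]]]


def read_quoted(query: str, start: int) -> Tuple[str, int]:
    """Read a double-quoted value beginning at query[start] == '"'.

    A doubled quote ("") inside the value stands for one literal quote.
    Returns (unescaped text, index just past the closing quote).
    """
    buf = []
    j = start + 1
    while j < len(query):
        ch = query[j]
        if ch == '"':
            if j + 1 < len(query) and query[j + 1] == '"':
                buf.append('"')          # "" -> literal quote
                j += 2
                continue
            return "".join(buf), j + 1   # lone quote closes the value
        buf.append(ch)
        j += 1
    raise ValueError(f"unterminated quoted value starting at offset {start}")


def tokenize_query(query: str) -> List[Token]:
    tokens: List[Token] = []
    i, n = 0, len(query)
    while i < n:
        ch = query[i]
        if ch.isspace():
            i += 1
        elif ch == '"':
            text, i = read_quoted(query, i)
            if i < n and query[i] == ".":
                # "Group With Spaces".Field -> one field reference
                m = WORD.match(query, i + 1)
                field = m.group(0) if m else ""
                i = m.end() if m else i + 1
                tokens.append(("field", (text, field)))
            else:
                tokens.append(("value", text))
        else:
            m = OP.match(query, i)
            if m:
                tokens.append(("op", m.group(0)))
                i = m.end()
                continue
            m = WORD.match(query, i)
            if m is None:
                raise ValueError(f"unexpected character {ch!r} at offset {i}")
            word, i = m.group(0), m.end()
            if word.endswith(".") and i < n and query[i] == '"':
                # Group."Member name with spaces" -> one field reference
                text, i = read_quoted(query, i)
                tokens.append(("field", (word[:-1], text)))
            else:
                tokens.append(("word", word))
    return tokens


def quote_value(text: str) -> str:
    """Inverse of read_quoted: wrap text in quotes, doubling any quote it contains."""
    return '"' + text.replace('"', '""') + '"'


if __name__ == "__main__":
    print(tokenize_query('Text = "sometext""containing""quotes"'))
    print(tokenize_query('"Any Alert".DestinationPort = 1234 OR DetectionIP in '
                         'UserDefinedGroup."Auditd Watchers Excludes"'))
```

The doubled-quote rule matters when query text is assembled from names users control (group names, tool aliases): building the string with quote_value rather than by concatenation keeps a name containing a quote from terminating the value early and changing what the query matches.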

Wildcards in strings

Wildcards can be used in string values, but it's important to understand where to place them.

The following examples use the asterisk (*) wildcard character.

Starting wildcard

Text: "*sometext"
Matches: "xxx sometext", "sometext"
Does not match: "xxxsometext", "xxx sometext xxx"
Explanation: A wildcard at the beginning indicates that other "words" can be before the
following text, so "*sometext" and "* sometext" are actually equivalent queries.

Ending wildcard

Text: "sometext*"
Matches: "sometext", "sometextxxx", "sometextxxx someothertext"
Does not match: "xxx sometext", "xxxsometext"
Explanation: A wildcard at the end of the text WITHOUT a space indicates the value can
continue with any other parts (without a starting wildcard this query would look for values
starting with TEXT "sometext").

Text: "sometext *"
Matches: "sometext", "sometext xxx someothertext"
Does not match: "xxxsometext", "sometextxxx"
Explanation: A wildcard at the end separated from the text by a space indicates that after
the specified "word," any number of other words in the value would match (without a
starting wildcard this query would look for values starting with the WORD "sometext").

A wildcard in the text

Text: "some*text"
Matches: "sometext", "someothertext"
Does not match: "xxxsometext", "sometextxxx", "xxx sometext xxx", "some text",
"some xxx text"
Explanation: A wildcard in the middle of the word looks for a "word" which can contain any
number of alphanumerical characters in place of the wildcard (without a starting or ending
wildcard this query would look for values containing one WORD starting with the text "some"
and ending with the text "text").

Combination of wildcards

Text: "*some*text *"
Matches: "sometext", "someOtherText", "xxx sometext", "sometext xxx someothertext"
Does not match: "xxx some text", "xxx sometextxxx"
Explanation: You can combine these wildcards into more complex expressions based on the
rules above.

Custom Groups

The following are supported groups used with the "in" operator:
 l SubscriptionGroup
 l UserDefinedGroup
 l DirectoryServiceGroup
 l ConnectorProfileGroup

Unsupported groups:
 l TimeGroup

Since groups do not currently restrict unique names across group types, use the prefix to search for a
group.

Group Type Prefix
SubscriptionGroup Subscription
UserDefinedGroup UserDefinedGroup
DirectoryServiceGroup DSGroup
ConnectorProfileGroup Profile

The query would be similar to the following:


DetectionIP in UserDefinedGroup.BlockedAddresses

If the name contains non-alphanumerical characters, it would be similar to the following:


DetectionIP in UserDefinedGroup."Auditd Watchers Excludes"

Hinter

This feature suggests possible query values. The provided "hints" are based on the cursor
position in the input. As you type, hints are filtered to provide more specific options.

Limitations and restrictions

As a change from previous versions, an Event Group cannot have the same name as an Event Type.
Otherwise the query cannot tell which is which and matches whichever it finds first.

Queries are limited to 10,000 characters.

Troubleshooting

Currently, there is a known issue that hinter is a bit horizontally misaligned to the input. On some
occasions, the hinter suggestions may be vertically misaligned to the input. To fix the issue, close or
open it.

Edit a search query


Once you have created a historical search query, you can edit it by selecting it in the queries column
and selecting Options > Edit Saved Query.

The search query screen consists of two tabs:

Details
Here you can edit the name and add tags to this query. Tags enable you to group queries into
categories.

Thresholds
Thresholds are used to determine the severity level and colors on Dashboard overview widgets.
Thresholds are only shown if the widget and the query have corresponding tags set up; a query
with no tags has no thresholds to display.

Save a search query


Once you have created a query that meets your requirements, you can save it for future use by
clicking Save.

If you load a saved query and make changes to it, an additional menu entry is displayed,
enabling you to Update the saved query.

Enter a unique name for this query.

This query will now be available in the Queries tab in the left column.

Schedule a search query


Scheduling a query means it can be run automatically at set times and days, and the results sent to
one or more email addresses or used in dashboard widgets.


 1. Click Options and select the schedule option.

If this is a newly created query, the option will be Save and schedule. If it has already been
saved, the option will be Schedule this query.

 2. You are asked to enter a unique name for this query.

 3. Select when you want the query to be run. This can be daily, weekly or monthly.
 4. Select the time or times on the selected day or days that you want the query to be run.
 5. Select the start and optional end date.


 6. Enter or select the email addresses to which you want the results of this query to be sent. You
can add LDAP users if you have configured SEM for LDAP.

 7. Click Schedule.

Manage and load saved search queries


Historical event queries can be divided into four categories:

Favorites: Queries that have been created in other categories but marked as favorites appear here.
See Manage search queries below for more information.


User-created: These are queries that have been created by the current user for their own use and
have not been made accessible or editable by other users. By default, all queries that you create are
only visible to, and usable by, you. However, you can share queries, and also make them editable if
required. See Manage search queries below for more information.

Predefined: These are a set of the most commonly required queries set up in advance.

Public: Queries that have been made public can be used by any SEM user on your system. If followed
by the Use Only icon, a query can be used but cannot be edited. (However, it can be copied and the
copy can be edited.) If followed by the Editable icon, the query can be edited, renamed and saved.
Once a query has been made editable, it cannot be made non-editable or made private.

To access queries:

 1. Navigate to the Historical Events page.


 2. Select the Queries tab in the left column.


 3. Click on the required query type.

If a query has a clock icon after its name then it has a schedule running.

 4. Click a query to load it.

Manage search queries


Search queries can be managed individually by moving the cursor over the query name and clicking
the vertical ellipsis icon that is displayed as shown below:


The available options are mostly self explanatory:


 l Click Schedule this query to open the Schedule window for this query. A scheduled query can be
unscheduled.
 l Click Rename to change the name of a query. Note you cannot rename a Public query if it has a
Use Only icon by it, and the option is not displayed.
 l Click Create Copy to create an identical copy of a query prefixed with "Copy of". This copy will be
placed in the User-Created category.
 l Click Sharing options if you want to make a query public, that is usable by other SEM users on
your network. You can specify whether you want other SEM users to be able to edit this query (in
which case it will be marked with the icon) or if they are only allowed to use the query exactly
as it is (this is indicated by the icon.)


 l Click Export to export this query as a JSON file. To export more than one query, see Import and
export queries for information.
 l Click Favorite to highlight this query with a star icon and place it in the Favorites category.
 l Click Manage queries option to open the Manage Saved queries window. This allows you to
perform the above options on multiple queries by searching, sorting and selecting the queries.
You can also import and export filtered queries from this window.


In this window, schedules (if created) and query timeframes are displayed.

The Manage Saved queries window is also available by clicking the gear icon at the top of
the queries list.

Load queries
When you load a query, its name is displayed in the upper left and the query is displayed in the search
query builder box.

If there is an icon after the name, this indicates that the query has a schedule. Move the cursor over
this icon to display the schedule details.


If you make any changes to a saved search query, this is indicated by the icon after the
name. Click this icon if you want to revert to the original query.

You can now save this updated search query as either a new query with a new name or update the
existing query.

Click the Unload Current Query icon if you do not want to use the loaded query. Note that the
contents of the search query builder box are not automatically cleared by this action.
 

Search query tags and thresholds


SEM 2022.4 enables you to apply tags to queries so they can be grouped for use with the Scheduled
Query Severity and Scheduled Query Table Severity widgets on the SEM dashboard. For example you
could apply the End User Monitoring tag to all queries relating to End User Monitoring.

To apply tags to a query:

 1. From the Historical Events screen, select Queries.


 2. Open the appropriate query category and select the required query.
 3. From the Options drop-down menu in the top right corner, select Edit saved query.
The Edit screen for the query is displayed.


 4. Click Add tag and select the required tag or tags to apply to this query. Tags applied to the query
are displayed above the Add tags link.

Once you have selected a tag or tags, you can specify the thresholds that determine whether event
search results are shown as Critical, Warning or OK on the dashboard widgets.

Thresholds
You can apply threshold values to search queries to set the number of occurrences per evaluation
(that is, when the query was last run) that result in an event query result being deemed critical,
warning or OK severity.


Once you have set up tags and thresholds for a query, you can use this data to set up widgets on the
SEM dashboard.

Widgets
The scheduled query widgets are created and customized in the same way as other SEM Dashboard
widgets.

The Scheduled Query Table Severity widget

The following widget has been customized to list all search queries that have returned one or more
events within the most recent evaluation. It shows the number of occurrences and the time the query
was last run.

The Scheduled Query Severity widget


Click on the red, yellow or green area of the query severity widget to display the corresponding query
on the Historical Events page. If more than one query is tagged, the Manage Saved queries window
will be displayed listing all the queries to which this severity level applies.

Export historical search results in CSV format


You can export logs from your historical event query to a CSV file. Once the search engine has
returned the results of your query, click Export to download a CSV file to your local system.

You are asked to provide a filename and file path, or accept the default.

Import and export historical event queries in SEM


You can export search queries from SEM historical events in JSON format either as individual queries
or by exporting multiple queries.

Export a single query


To export a single query:

 1. On the SEM Console, click the Historical Events tab.


 2. Select the queries tab and open the category containing the required query.
 3. Move the cursor over the required query and click the vertical ellipsis icon.

The Queries menu is displayed.


 4. Click Export.

 5. Enter a meaningful filename and click Save.

Export multiple queries


To export all search queries:

 1. On the SEM Console, click the Historical Events tab.


 2. Select the Queries tab.

 3. Click the gear icon at the top of the queries list.

 4. The Manage Saved queries window is displayed.

 5. Initially the options are Import and Export All. These change depending on how you proceed.
 l To export all your queries, click Export All.
 l To export a set of queries, use the checkboxes on the left to filter queries by category,
whether scheduled or not, and so on, and then click Export Filtered.
 l To export specific queries, use the checkboxes in front of the query names and click
Export.
 6. Enter a meaningful filename and click Save.

Import queries
To import search queries that have been previously saved as a JSON file:

 1. On the SEM Console, click the Historical Events tab.


 2. Select the queries tab.
 3. Click the gear icon at the top of the queries list.
The Manage Saved queries window is displayed.
 4. Click Import.
The Import Queries window is displayed.

 5. Click Browse file, navigate to the required JSON file, and click Open.
 6. Click Next.
The queries contained in the selected JSON file are listed.

 7. Filter out any queries you do not want to import by unchecking the boxes in front of the query
names, then click Next.
The import process begins. The queries that are successfully imported are listed. Those that
cannot be imported are shown along with the reasons why.

 8. When the import is complete, click OK to close the box. The queries will now be listed in the
appropriate categories in the Queries column.

Set live and historical event limits


You can set the maximum number of events that populate the filters in your SEM Live Events and
Historical Events viewers. This setting also applies to the dashboard widget showing event data.

The default setting for each is 10,000 events.

On average, every 1,000 returned search results consumes approximately 100 MB of RAM, so a
single search can use up to 10 GB if the limit is set to the 100,000 maximum. Running multiple
search queries simultaneously adds further strain on system resources and degrades
performance.

To change the number of events that populate these filters:

 1. On the SEM Console, click the Settings button.

 2. On the Settings page, click the Events Limits tab.


 3. Click Live or Historic, depending on which set of events you want to set the limits for, enter the
number of search results, and click Save.
 4. Restart the manager service for the new setting(s) to take effect.


SEM rules: Automate how SEM responds to events


SEM rules monitor event traffic and automatically respond to security events in real time, whether you
are monitoring the console or not. When an event (or a series of events) meets a rule condition (or set
of conditions), the rule prompts the SEM Manager to act. A response action can be passive (for
example, sending an email notification to selected users) or active (for example, blocking an IP
address or stopping a process).

See About SEM response actions for information about response actions.

Get started building custom rule expressions in SEM


This section provides information to help you write custom rule expressions in SEM.

See also: Create a new rule for step-by-step instructions.

About custom rule expressions


You create a custom rule to trigger certain actions when a defined event or events occur. Custom
rules can be as simple or as complex as required to meet specific needs: these can range from a
single yes/no event to a combination of precisely defined occurrences over a period of time, and can
trigger actions from sending an email to logging off a user or shutting down a device.

Use caution when creating rules. SolarWinds recommends that you practice creating filters before
you start creating rules. Creating rules is similar to creating filters, but filters report event occurrences
whereas rules act on them.

Begin configuring rules when you are comfortable with configuring filters. Always test your
rules before implementing them.

You can create rules by configuring conditions between alert variables and other components (such
as time of day sets, user-defined groups, constants, and so on). Using rules, you can correlate alert
variables with other alerts and their alert variables.

You can configure rules to fire after multiple alerts occur. SEM remembers alerts that meet the basic
rule conditions and waits for additional conditions to be met. The rule does not execute until the
alerts meet all the conditions and correlations defined for the rule. You can specify how often and in
what time frame the correlations must be met before the rule is triggered. The combined correlations
dictate when the rule initiates an active response.

About SEM rules


Rules can respond to one or more events. In many cases, you can base rules on several events that
SEM correlates to trigger an action. You can also configure a rule to be triggered by a single event.

Rules fire only on normalized event data; they do not match on the raw log data as it is received.

Rules play a key role in detecting operational and compliance issues on your network, such as
external breaches, insider abuse, and policy violations. SEM comes with a set of preconfigured rules
to help you get started.

SEM rule scenarios


Countless scenarios may warrant a rule. Consider these combinations of rules and actions:
 l Respond to change management events with the Send Email Message action.
 l Respond to port scanning events with the Block IP action.
 l Respond to isolated spikes in network traffic with the Send Email Message or Disable
Networking action.
 l Respond to users playing games on monitored computers with the Send Popup Message or Kill
Process action.
 l Respond to users attaching unauthorized USB devices to monitored computers using the
Detach USB Device action.

Any activity or event that can pose a threat to your network warrants a SEM rule.

Rule configuration requirements and best practices


Review the following requirements and best practices about creating SEM rules.

Use descriptive rule names


To keep rules simple to manage, SolarWinds recommends creating the rule with a name that
describes the event, and a full description.

Set the Correlation, Correlation time, and Action


Each rule requires you to define three settings:
 l Correlation: The number of events that must occur within a selected amount of time, and the
amount of time allocated to responding to the events.
 l Correlation time: The volume of events that match the correlation conditions and the rolling time
window within which the correlation is evaluated.
 l Action: The action that occurs when the rule is triggered.

Enable a rule to upload local changes


When you create a new rule, or change an existing rule, you are working on a local copy of the rule.
The SEM Manager cannot use the rule change until you activate it. Activating a rule tells the SEM
Manager to reload its enabled rules and upload updates from your local copies.

Enable rules whenever you create a new rule, edit an existing rule, or change the test mode status.
Otherwise, the SEM Manager will not recognize your changes. After enabling rules, SEM begins
processing rules.

Verify that a rule fired


Check your console for InternalRuleFired events using a filter. These events will show the
triggered rule and when it occurred.

Test new rules before putting them into production


Before you put a rule into production, try it out in test mode. In test mode, the SEM Manager
processes the rule alert messages, but does not execute any rule actions. This lets you see how the
activated rule will behave without disrupting your network.

Create a new rule


 1. On the SEM Console, click the Rules tab.
 2. On the Rules toolbar, click Create new rule.

The Create new rule screen is displayed. The left area shows categories such as Events, Event
Groups, User Defined Groups, and so on. Click a category to show the entities it contains, and click
an entity to show the entity fields it contains.

The search box can be used to help find entities and entity fields. All matches are highlighted.

 3. Drag the appropriate entity or entity field into the rule definition builder.

When you drag a value into the rule builder, the correct drop location is shown with a blue
line.

Moving an entity or entity field to the right pane creates a condition.


 l If it is an entity, by default the condition will be created showing that it occurred. For
example:

Click on "occurred" to change to "did not occur" if required.


 l If it is an entity field, by default the condition will be created showing that the field is equal
to [blank].

Click on "is equal to" to change to an alternative operator as required, and either enter a
value for the comparison, click to display the available values, or drag across another field
as appropriate.
 4. Once you have set up a part of a rule, you can change it by moving the cursor over it to display
the rule builder toolbar.

This enables you to:


 l apply occurrence settings for this part of the rule by clicking the icon
 l edit the expression by clicking the icon
 l delete the expression by clicking the icon
 l add an additional entity or entity field by clicking the icon
 5. To add subsequent rule parts, click the rule definition icon, and then create the condition as
shown above.
 6. From the drop-down list, select an option, or enter a specific value or keyword directly.
 7. By default rule parts are linked with And operators to show that all rule parts must be true. To
change an And operator, click And, and then select Or.

 8. By default, the actions are triggered whenever the conditions that make up the rule are true.
However, you can change this so that the rule has to be true multiple times. For information, see
Occurrence settings.

 9. Click Next to display Details and actions.

 10. Under Details and actions, enter a rule name and optional description.

 11. Click the icon to select one or more optional tags for this rule.

Tags make it easier to catalog and find rules.

 12. Turn off the Enable rule after saving option if you want to save a rule without adding an
action. The rule can be enabled afterward from the Rules screen.
 13. Turn on the Enable test mode option if you want to run this rule in test mode. This means it will
run but will not trigger actions, so you can see how the activated rule will behave without
disrupting your network. You can identify test mode rules in your list by the Test icon.
 14. Click Add new action to add an action when the rule triggers.

 15. Enter a search term, or select an action from the list, and then click Next.
 16. Define the trigger action, and then click Add.

SEM provides over 30 actions that can be triggered using rules, ranging from sending a
pop-up message to disabling networking. For each, the procedure is similar: select or
enter the required parameters, and click Add.

 17. You can add multiple actions to a rule by clicking Add new action.
 18. Click Create when you have finished adding actions to this rule. The rule will now be available in
the list of rules.

 19. To edit, delete, and toggle test mode, click the vertical ellipsis next to a rule.

Occurrence settings
By default, a condition only has to occur once to satisfy part of a rule. However, you can change this
using the occurrence setting. For example you might only want to know if an occurrence happens five
times in thirty seconds.

To apply occurrence settings for this part of the rule, click the icon on the SEM rule builder tool bar.

If you change the number of times this condition must occur to satisfy this part of the rule, the
window expands to show the additional occurrence options.

You can also specify additional conditions. For example the following would be true if the event
occurred twice within ten minutes with the same DetectionIP.

You can additionally set a period that must elapse before this part of the rule can be triggered again
by checking the Occurrence time box.
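The occurrence logic described above (a condition that must occur N times within a window, counted
separately per value of a field such as DetectionIP, plus an Occurrence time hold-off before the same
rule part can trigger again) and the multi-event correlation described under About custom rule
expressions can be replayed outside SEM, which is a useful way to dry-run window and hold-off values
against exported events before you enable a rule. The following Python is an added example written
for this guide; it is not SEM code and not a model of the SEM correlation engine. The event field
names, the constructed sample events, and the assumption that events arriving during the hold-off are
dropped rather than counted are the example's own.

```python
"""Sliding-window occurrence evaluation for one rule part, with group-by and hold-off."""
from collections import defaultdict, deque
from fnmatch import fnmatchcase


def event_matches(event, conditions):
    """True if every (field, pattern) condition matches the event.

    Patterns are case-insensitive globs, like the *admin* wildcard used in the
    change management example later in this chapter. A missing field never matches."""
    for field, pattern in conditions:
        value = event.get(field)
        if value is None or not fnmatchcase(str(value).lower(), pattern.lower()):
            return False
    return True


class OccurrenceEvaluator:
    """One rule part: fire when `count` matching events fall within `window_s`
    seconds, counted per value of `same_field` (for example DetectionIP).
    After firing, ignore that group for `suppress_s` seconds (the Occurrence time
    hold-off). Dropping, rather than counting, events seen during the hold-off is
    this example's assumption, not documented SEM behaviour."""

    def __init__(self, conditions, count=1, window_s=0, same_field=None, suppress_s=0):
        self.conditions = conditions
        self.count = count
        self.window_s = window_s
        self.same_field = same_field
        self.suppress_s = suppress_s
        self._seen = defaultdict(deque)   # group key -> timestamps of matching events
        self._last_fire = {}              # group key -> time the part last fired

    def feed(self, event):
        """Process one normalized event; return the group key if the part fires, else None."""
        if not event_matches(event, self.conditions):
            return None
        key = event.get(self.same_field, "?") if self.same_field else "*"
        now = event["time"]
        last = self._last_fire.get(key)
        if last is not None and now - last < self.suppress_s:
            return None                   # still inside the hold-off period
        window = self._seen[key]
        window.append(now)
        while now - window[0] > self.window_s:
            window.popleft()              # expire events older than the window
        if len(window) >= self.count:
            self._last_fire[key] = now
            window.clear()                # events that fired the part are not reused
            return key
        return None


def evaluate(events, **rule):
    """Replay events oldest-first through a rule part; return [(time, group key)] per firing."""
    part = OccurrenceEvaluator(**rule)
    fired = []
    for event in sorted(events, key=lambda e: e["time"]):
        key = part.feed(event)
        if key is not None:
            fired.append((event["time"], key))
    return fired


# Constructed sample of normalized events (time = seconds since an arbitrary start).
# Field names follow SEM's naming style; the data is made up for this example.
SAMPLE_EVENTS = [
    {"time": 0,   "EventType": "UserLogonFailure", "DetectionIP": "10.0.0.5", "SourceAccount": "svc-backup"},
    {"time": 30,  "EventType": "UserLogonFailure", "DetectionIP": "10.0.0.5", "SourceAccount": "svc-backup"},
    {"time": 45,  "EventType": "UserLogonFailure", "DetectionIP": "10.0.0.9", "SourceAccount": "jdoe"},
    {"time": 700, "EventType": "UserLogonFailure", "DetectionIP": "10.0.0.5", "SourceAccount": "svc-backup"},
    {"time": 720, "EventType": "UserLogon",        "DetectionIP": "10.0.0.5", "SourceAccount": "svc-backup"},
    {"time": 750, "EventType": "UserLogonFailure", "DetectionIP": "10.0.0.5", "SourceAccount": "svc-backup"},
    {"time": 760, "EventType": "UserLogonFailure", "DetectionIP": "10.0.0.5", "SourceAccount": "svc-backup"},
]
FAILED_LOGON = [("EventType", "UserLogonFailure")]

if __name__ == "__main__":
    # "twice within ten minutes with the same DetectionIP", as in the text above
    print(evaluate(SAMPLE_EVENTS, conditions=FAILED_LOGON, count=2, window_s=600, same_field="DetectionIP"))
    # every failure on its own, then the same with a five-minute hold-off per DetectionIP
    print(evaluate(SAMPLE_EVENTS, conditions=FAILED_LOGON))
    print(evaluate(SAMPLE_EVENTS, conditions=FAILED_LOGON, same_field="DetectionIP", suppress_s=300))
```

With count=1 and no hold-off the part fires on all six logon failures; a 300-second hold-off per
DetectionIP cuts that to three, which is the noise reduction the Occurrence time box buys you. Replay
your candidate window and hold-off values this way, or use test mode, before enabling a rule whose
action is Block IP or Disable Networking: a window that is too wide or a hold-off that is too short
turns a burst of benign failures into an automated outage.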

Editing expressions
To change the expression for a rule part, click the icon on the SEM rule builder tool bar. A popup
window is displayed showing the components of the expression. For an entity, this will show two
fields: the entity name and whether or not the condition occurred. For an entity field, the fields
that make up the comparison are displayed.

Create a rule from a rules template


SEM comes with over 30 predefined templates that can be easily adapted to your precise
requirements.

 1. On the SEM Console, click the Rules tab.


 2. On the Rules toolbar, click Create rule from template.

 3. Select a template from the list (or enter a search term for a specific template), and then click
Next.

 4. Review the existing conditions and values, and click Edit Rule if you need to change these.
For help on changing rule settings see Create a new rule.
 5. When you have amended the rule, click Next.
 6. Review and adjust the rule details and actions where needed, and then click Create.

Create a rule from a filter


From the Filters pane, you can create a new rule based on any existing filter with a single click. This
allows you to set alerts for specific event activity without manually duplicating filter values in the
custom rule builder.

 1. On the SEM Console, click Live Events.


 2. In the Filters pane, scroll down to locate your filter, move the pointer over the filter to expose the
vertical ellipsis, click it, and then select Send Filter to Rule.

The rule builder appears displaying the existing values for the filter.

 3. To complete the rule configuration, see Create a new rule.

If rule definition changes are made to a rule that was created from a filter, those changes are
not reflected in the existing filter. Likewise, if the filter changes, the associated rule is not
updated with the filter changes.

Test, enable, and disable rules in SEM


About selecting rules to test, enable, or disable
 1. On the SEM Console, click the Rules tab.
 2. To disable a rule, click the enabled toggle button next to a rule. To edit, delete, and toggle test
mode, click the vertical ellipsis next to a rule.

To learn more, see Create rules.

Enable rules from the rules builder

 1. On the SEM Console, select Rules.


 2. Click the vertical ellipsis next to a rule, and then select Edit rule.

 3. Click Next.

 4. Under details and actions, click the toggle button to enable the rule after saving, and then click
Save.

To learn more, see Create rules.

Testing rules in SEM


Before you put a rule into production, try it out in test mode. In test mode, the SEM Manager
processes the rule alert messages, but does not execute any rule actions. This lets you see how the
activated rule will behave without disrupting your network.

Enable or disable test mode in the Rules list

 1. On the SEM Console, select Rules.


 2. To disable a rule, click the enabled toggle button next to a rule. To enable or disable test mode,
click the vertical ellipsis next to a rule, and then toggle Test mode.

To learn more, see Create rules.

Enable or disable test mode from the rules builder

 1. On the SEM Console, click the Rules tab.


 2. Click the vertical ellipsis next to a rule, and then select Edit rule.

 3. Click Next.

 4. Under details and actions, click the toggle button to enable or disable test mode, and then click
Save.

To learn more, see Create rules.

Disable rules in SEM to stop them from processing


The SEM Manager continues to use active rules if they are enabled. Turn off rules by disabling them.

Disable rules from the Rules list

 1. On the SEM Console, select Rules.


 2. To disable a rule, click the enabled toggle button next to the rule.
To learn more, see Create rules.

Disable rules from the Rules builder

 1. On the SEM Console, select Rules.


 2. Click the vertical ellipsis next to a rule, and then select Edit rule.

 3. Click Next.

 4. Under details and actions, toggle off Enable rule after saving, and then click Save.

To learn more, see Create rules.

Import and export SEM rules


From the 2022.4 release of SEM you can import and export SEM rules in JSON file form.

Both procedures start from the Rules tab: on the SEM Console, select Rules.

Import SEM rules


 1. Click Import. The Import Rules window is displayed.

 2. Click Browse file and navigate to the JSON file containing the SEM rules.
 3. Click Next.

The list of rules in the selected file is displayed.


Depending on the number of rules there may be a brief delay before the next screen is displayed.

This list can be sorted, filtered or searched. Initially all rules are selected for import, but you can
select or unselect all or individual rules as required.

If any rules are invalid a message is displayed showing how many are invalid. Invalid rules
cannot be imported and are shown in the list in gray with a brief message explaining why
they are invalid.

 4. When you have selected the rules you want to import, click Import.

 5. If any of the rules you are trying to import have the same name as a rule already set up, the
following screen is displayed allowing you to skip, overwrite or rename the imported rule.

The list of successfully imported rules is displayed.

 6. Click Close to return to the complete list of rules.

Export SEM rules


 1. To export SEM rules, click Export All.
Depending on the number of rules there may be a brief delay before the Save As screen is
displayed.
 2. Navigate to the required directory, enter a name for the exported rules file, and click Save.

Create email templates for use with SEM rules


Email templates are pre-formatted messages that SEM sends to users when alert events trigger a
rule.

About SEM email templates


You can use email templates to customize your email notifications that are triggered as responses in
your rules. An email template includes static and dynamic text (or parameters). The static text lets
you customize the appearance of the email. The dynamic text is created from the original event that
triggered the rule to fire.

Create email templates to report specific information about an alert event and variables that capture
specific parameters about that event. For example, you can report which server is affected, what time
the event occurred, or which Agent was shut down. Or you can create an Account Lockout template to
notify key personnel when an account is locked out, or automatically file a trouble ticket. Create static
text to describe the event, and incorporate dynamic text that provides the account information from
the original event.

Create templates that are specific to an event type to avoid having to create one email template per
rule. For example, you can have one template for Account Modification that can provide a notification
when a user is added or removed from a group, when a password is reset, or when other account
details are changed. There is no limit to the number of templates you can create.

Best practices to keep rules, events, and emails simple to manage


To keep rules, events, and emails simple to manage, SolarWinds recommends the following:
 l Create the rule with a name that describes the event.
 l Create the email template with a name that describes the event.
 l In the email template subject or message, enter the event or rule name to describe the event or
alert.

When you receive the email, you can identify the email template, the rule that fired, and the event that
caused the rule to fire.

Create or edit an email template


You can use email templates to customize your email notifications when triggered as responses in
your custom rules. An email template includes static and dynamic text (or parameters). The static
text lets you customize the message body of the email. The dynamic text is filled in from the original
event that caused the rule to fire.

 1. On the SEM Console, click the Configure tab.


 2. From the Configure drop-down list, select E-mail templates, and then click Create E-mail
template.

 3. In the Email template name field, enter a descriptive name for the template.
 4. In the Subject field, enter the subject of the template email.
 5. In the Message field, enter the text of the message to be included in this email. This text is static
and cannot be edited within emails created from this template, but you can include parameters
which are replaced by the appropriate metrics (or strings) when an email is generated by a rule
that uses this template.
 6. To add parameters, either type $ or click Add parameter, then enter the parameter name. You do
not need to specify the values here. A parameter name can use any combination of letters,
numbers, and the ".", "_", and "-" characters.

When you create the rule, the fields that can be substituted for these parameters are displayed.
For example, if your message is:
This $info event occurred at $time.

And you create a rule triggered by Access.IsThreat, you will be able to assign any of the Access
fields to replace the parameters.

 7. To save your template, click Create.

The new template is now available as an action type in your custom rule builder. To learn more, see
Create a new rule.

In the Refine Results pane, you can also filter the list by who last modified a template and when it
was last modified.
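The parameter syntax above ($ followed by letters, numbers, ".", "_" or "-") together with the later
step of assigning an event field to each parameter amounts to a small template language. The
following Python renderer is an added example for this guide, not SEM's own template engine: the
regular expression, the binding dictionary, the constructed sample event, and the rule that a
parameter name cannot end in "." or "-" (so that the guide's own "$time." keeps its full stop) are all
the example's assumptions. It also shows why substitution must be a single pass: values such as an
account name come straight from the log source, so an attacker who controls what is logged can put
a "$" in them.

```python
"""Render a SEM-style email template by substituting $parameters with event fields."""
import re

# A parameter is '$' plus a name of letters, digits and '_', with '.' or '-' allowed only
# between name segments (assumption: that way "$time." keeps its trailing full stop).
PARAM_RE = re.compile(r"\$([A-Za-z0-9_]+(?:[.-][A-Za-z0-9_]+)*)")


def template_parameters(template):
    """Parameter names used in a template, in order of first appearance."""
    names = []
    for name in PARAM_RE.findall(template):
        if name not in names:
            names.append(name)
    return names


def render(template, bindings, event):
    """Single-pass substitution.

    bindings maps parameter name -> event field name (the choice made per parameter
    when adding the Send Email Message action). Returns the rendered text and the
    list of parameters that had no binding or no value. Inserted values are never
    rescanned, so a '$' inside a field value stays literal."""
    unresolved = []

    def replace(match):
        name = match.group(1)
        field = bindings.get(name)
        if field is None or field not in event:
            unresolved.append(name)
            return match.group(0)         # leave the placeholder visible
        return str(event[field])

    return PARAM_RE.sub(replace, template), unresolved


def naive_render(template, bindings, event):
    """The wrong way, kept only for contrast: sequential str.replace rescans text
    that was already inserted, so a value that looks like a parameter is expanded."""
    text = template
    for name in template_parameters(template):
        field = bindings.get(name)
        value = str(event[field]) if field in event else "$" + name
        text = text.replace("$" + name, value)
    return text


# Constructed sample event and bindings; the field names follow SEM's naming style
# but are not copied from any real event.
EVENT = {
    "EventInfo": "Logon failure for account",
    "DetectionTime": "2022-12-09 10:15:00",
    "SourceAccount": "$time",             # user name typed by the attacker at the logon prompt
    "SourceMachine": "10.0.0.5",
}
BINDINGS = {"info": "EventInfo", "time": "DetectionTime",
            "user": "SourceAccount", "src-ip": "SourceMachine"}

DOC_TEMPLATE = "This $info event occurred at $time."
LOGON_TEMPLATE = "Failed logon for $user at $time from $src-ip"

if __name__ == "__main__":
    print(render(DOC_TEMPLATE, BINDINGS, EVENT))
    print(render(LOGON_TEMPLATE, BINDINGS, EVENT))
    print(naive_render(LOGON_TEMPLATE, BINDINGS, EVENT))
```

With the sample event, naive_render() replaces $user with the literal "$time" and then expands that
too, so the notification reports the timestamp twice and the account name the attacker actually
used is gone. render() never rescans inserted text, and it leaves unresolved parameters visible
rather than blanking them, so a mismatch between a template and the fields bound to it shows up in
the first test email instead of silently producing an empty field.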

Example SEM rules


This section shows how to create SEM rules.

Create and enable a SEM rule to identify port scanning traffic


To identify suspicious firewall traffic indicative of port scanning, clone and enable the PortScans rule.
This rule generates a default TCPPortScan event, which the SolarWinds SEM console displays in the
default Security Events filter. Use this event to monitor suspicious network traffic and prevent
unauthorized access to your firewall.

 1. On the SEM Console, click the Rules tab.

 2. On the Rules toolbar, click Create rule from template.

 3. In the search box, enter PortScans.

 4. Select the PortScans rule template, and then click Next.

 5. Review the existing conditions and values, and click Edit if you need to change any of these.
 6. Click Next.
 7. Review and adjust the rule details where needed, and then click Create.

See Create a new rule for additional guidance.

Create and enable the Known Spyware Site traffic rule


You can track when users attempt to access suspicious websites using partial or complete URL
addresses by enabling the Known Spyware Site Traffic rule. This rule generates a HostIncident event
by default that you can use in conjunction with the Incidents report to notify auditors that you are
auditing critical events on your network.

Before you enable this rule, ensure your proxy server transmits complete URL addresses to your SEM
Manager by checking the URL field of any WebTrafficAudit event generated by your proxy server. If
your proxy server does not log web traffic events with this level of detail, check the events coming
from your firewalls, as they can sometimes be used for this rule as well.

 1. On the SEM Console, select Rules.


 2. On the Rules toolbar, click Create rule from template.

 3. In the search box, enter "known spyware site traffic". As you type the list of templates will be
filtered to show just the one required.

 4. Select the Known Spyware Site Traffic rule template, and click Next.
 5. Review and edit the existing conditions and values where needed, and click Next.
 6. Review and adjust the rule details where needed, and click Create.

See Create a new rule for additional guidance.

Create a SEM rule to track when viruses are not cleaned


Create and enable the Virus Attack – Bad State rule to track virus attacks reported by your anti-virus
software. The Bad Virus State User-Defined Group defines a bad state as any virus that is not fully
cleaned by your anti-virus software. This includes any virus that is not addressed, quarantined, or
renamed.

The default action for this rule is to generate a HostIncident event, which you can use in conjunction
with the Incidents report to notify auditors you are auditing the critical events on your network.

 1. On the SEM Console, select Rules.


 2. On the Rules toolbar, click Create rule from template.

 3. In the search box, enter "virus".

 4. Select the Virus Attack - Bad State rule template, and then click Next.
 5. Review and edit the existing conditions and values where needed, and then click Next.

 6. Review and adjust the rule details where needed, and then click Create.

See Create a new rule for additional guidance.

Create and enable a critical logon failures rule


Clone and enable the Critical Account Logon Failures rule to track failed logon attempts to the default
Windows Administrator account. The default action for this rule is to generate a HostIncident event,
which you can use in conjunction with the Incidents report to notify auditors you are auditing the
critical events on your network.

 1. On the SEM Console, select Rules.


 2. On the Rules toolbar, click Create rule from template.

 3. In the search box, enter "critical account logon failures".


 4. Select the Critical Account Logon Failures rule template, and then click Next.
 5. Review and edit the existing conditions and values where needed, and then click Next.
 6. Review and adjust the rule details where needed, and then click Create.

See Create a new rule for additional guidance.

Create and enable a change management rule


Change management rules notify you when a user makes network configuration changes. For
example:
 l Adding, changing, or deleting users in Active Directory
 l Installing software on monitored computers
 l Making changes to the firewall policy

You can create a general change management rule to instruct SEM to notify you when a user changes
your network configuration, or you can create a more specific rule that applies to specific users,
groups, or types of changes. Generally, if you can see an event in your console, you can create a rule
for the event. Use your filters as a starting point for creating custom rules.

 1. On the SEM Console, select Rules.


 2. On the Rules toolbar, click Create new rule.

 3. Under Rule Values, expand the Events group, and then select NewGroupMember.

 4. Under NewGroupMember fields, locate EventInfo, and then drag it into the rule builder.

 5. To account for all variations on the word administrator, click the "or add it" link and enter
*admin*.
 6. Keep the default occurrence and trigger actions settings.
 7. Click Next.
 8. Enter an appropriate rule name. For example, New Admin User.
 9. Under Options, click the toggle button to enable the rule after saving.
 10. Click Add new action, select Send Email Action, and then click Next.
 11. From the Email Template drop-down list, select a template.
 12. From the Recipients drop-down list, select one or more recipients, and then click Add.
 13. Review your details and actions, and then click Create.
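The rule above fires on SEM's NewGroupMember event, which the Windows Agent derives from the Security log entries written when an account is added to a group. Before relying on the rule, it is worth confirming on the domain controller (or monitored computer) that those source events are actually being generated, which requires the Audit Security Group Management subcategory to be enabled. The following PowerShell is an added example, not code from the SolarWinds guide or the SEM product: it lists recent group-addition events whose group name matches the same *admin* pattern used in the rule. The function name, the 24-hour default window and the pattern are assumptions.

```powershell
# Added example, not part of the SolarWinds SEM guide: list recent Windows Security
# events in which a member was added to a group whose name matches a pattern.
# Event IDs 4728, 4732 and 4756 are the standard Windows Security log IDs for
# "member added to security-enabled global / local / universal group"; SEM
# normalizes these into its NewGroupMember event type.
function Get-AdminGroupAdditions {
    param(
        [int]$Hours = 24,                 # assumed look-back window
        [string]$GroupPattern = '*admin*' # same wildcard pattern as the rule above
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4728, 4732, 4756
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # EventData order for 4728/4732/4756:
        #   [0] MemberName  [1] MemberSid  [2] TargetUserName (the group)
        #   [3] TargetDomainName  [4] TargetSid  [5] SubjectUserSid
        #   [6] SubjectUserName (who made the change)  [7] SubjectDomainName
        $p     = $e.Properties
        $group = $p[2].Value

        # -like is case-insensitive by default, so Administrators, Domain Admins,
        # and DBAdmins all match '*admin*'.
        if ($group -notlike $GroupPattern) { continue }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Group     = "$($p[3].Value)\$group"
            Member    = $p[0].Value
            ChangedBy = "$($p[7].Value)\$($p[6].Value)"
            Computer  = $e.MachineName
        }
    }
}

# Usage: run from an elevated PowerShell session on the domain controller or Agent.
Get-AdminGroupAdditions -Hours 24 | Format-Table -AutoSize
```

If the function returns nothing after a known test change (for example adding a test account to a test group whose name contains admin), check the audit policy on that computer rather than the SEM rule: without the Security Group Management subcategory enabled there is no event for the Agent to forward.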

Select an event response from an existing rule

 1. On the SEM Console, select Rules.
 2. Select a rule in the list, click Edit, and then click Next.
 3. Under Actions, click Add new action.
 4. Select your response action type, and then click Next.
 5. From the Define action drop-down lists, select your options based on the action type, and then
click Add.
 6. Adjust the details and actions, if needed, and then click Save.

See Create a new rule for additional guidance.

Learn about response actions here.

Add the Send Email Message action to a rule created from a template

 1. On the SEM Console, select Rules.
 2. On the Rules toolbar, click Create rule from template.
 3. In the search box, enter user account lockout.
 4. Select the required rule template, and then click Next.
 5. Review and edit the existing conditions and values where needed, and then click Next.
 6. Under Rule details, click Add new action, select Send Email Message, and then click Next.
 7. Select an email template and add recipients.
 8. Select the data fields to use for any parameters in the email template.
 9. Click Add, and then click Create.

See Create a new rule for additional guidance.

SEM response actions: Respond to network and system events in SEM

About SEM response actions

See Create a new rule to learn how to create an active response rule.

About SEM active response


An active response (also called an event response) in SEM is an action that SEM takes in response to
suspicious activity or an attack. Active response actions include the Block IP active response, the
Disable Networking active response, the Log off User active response, the Kill Process active
response, the Detach USB Device active response, and so on.

The Select action type list in the rule builder lists the actions you can execute for a specific
event. Each Respond command opens the Respond form. This form includes data from the field you
selected and options for customizing the action, similar to configuring the active response for a rule
when you create the rule.

The Respond menu is context-sensitive. The event type or cell currently selected in the event grid
determines which responses you can choose.

Select an event response from an existing rule


 1. On the SEM Console, select Rules.
 2. Select a rule in the list, click Edit, and then click Next.
 3. Under Actions, click Add new action.
 4. Select your response action type, and then click Next.
 5. From the Define action drop-down lists, select your options based on the action type, and then
click Add.
 6. Adjust the details and actions, if needed, and then click Save.

See Create a new rule for additional guidance.

Use SEM active responses to perform Windows actions related to users, groups, and domains

Use the following user-based active responses to perform Windows-based actions related to users,
groups, and domains on your SEM Agents.
 l Add Domain User To Group
 l Add Local User To Group
 l Create User Account
 l Create User Group
 l Delete User Account
 l Delete User Group
 l Disable Domain User Account
 l Disable Local User Account
 l Enable Domain User Account
 l Enable Local User Account
 l Log Off User
 l Remove Domain User From Group
 l Remove Local User From Group
 l Reset User Account Password

These actions are useful to respond to unauthorized change management activity and to automate
user-related maintenance. They can be automated in a SEM rule, or executed manually from the
Respond menu on the SEM Console.

Configure an active response connector on a SEM agent


Configure the Windows active response connector on each SEM agent that requires active responses.

You can deploy your SEM agents and configure the Windows active response connector based on
where you want to perform these actions. To perform actions at the domain level, deploy a SEM agent
to at least one domain controller. To perform actions at the local level, deploy a SEM agent to each
computer that requires a response.

 1. On the SEM Console, navigate to Configure > Nodes.
 2. Under Refine Results, expand the Type group, and then select the Agent check box.
 3. Select an agent, and then click Manage node connectors.
 4. In the search box, type Windows Active Response.
 5. Select the Windows Active Response connector, and then click Add Connector.
 6. Enter a custom alias name for the new connector, or accept the default, and then click Add.
 7. Under Configured connectors, select your configured connector, and then click Start.

Actions SEM can take to respond to events


The following table lists the various actions a SEM Manager can take to respond to events. These
actions are configured in the Respond form when you are initiating an active response, and in the
rules window’s Actions box when you are configuring a rule's automatic response.

The table’s Action column lists the actions that are available. They are alphabetized for easy
reference. The Description column briefly states how the action behaves. The Fields column lists the
primary data fields that apply with each action. Some data fields will vary, depending on the options
you select.

Each entry below gives the Action, its Description, and the Fields that apply to it.

Add Domain User To Group
 Description: This action adds a domain user to a specified user group that resides on a
 particular Agent.
 Fields:
 l Domain Controller Agent: Select the event field or constant that defines the Agent on which
 the group to be modified resides. To modify a group at the domain level, specify a domain
 controller as the Agent.
 l Group Name: Select the event field or constant that defines the group that is to be modified.
 l Username: Select the event field or constant that defines the user who is to be added to the
 group.

Add Local User To Group
 Description: This action adds a local user to a specified user group that resides on a
 particular Agent.
 Fields:
 l Agent: Select the event field or constant that defines the Agent on which the group to be
 modified resides. To modify a group at the domain level, specify a domain controller as the
 Agent.
 l Group Name: Select the event field or constant that defines the group that is to be modified.
 l Username: Select the event field or constant that defines the user who is to be added to the
 group.

Add User-Defined Group Element
 Description: This action adds a new data element to a particular user-defined group.
 Fields:
 l User-Defined Group: From the User-Defined Groups list, select the User-Defined Group that is
 to receive the new data element.
 l Value: Select the event field or constant that defines the data element that is to be added
 to the specified User-Defined Group. The fields will vary according to which User-Defined
 Group you select.

Append Text To File
 Description: This action appends text to a file. This allows you to take data from an event and
 put it in a text file.
 Fields:
 l Agent: Select the event field or constant that defines the Agent on which the file to be
 appended is located.
 l File Path: Select the event field or constant that defines the path to the Agent file that is
 to be appended with text.
 l Text: Select the event field or constant that defines the text to be appended to the file.

Block IP
 Description: This action blocks an IP address.
 Fields:
 l IP Address: Select the event field or constant that identifies the device’s IP address.

Create User Account
 Description: This action creates a new user account on an Agent.
 Fields:
 l Agent: Select the event field or constant that defines the Agent on which the new user
 account is to be added. To create a user account at the domain level, specify a domain
 controller as the Agent.
 l Account Name: Select the event field or constant that names the account that is to be
 created.
 l Account Password: Select the event field or constant that defines the password that is to be
 assigned to the new account.

Create User Group
 Description: This action creates a specified user group on an Agent. A user group is a new
 group of Windows users on a Windows PC, server, or network who are external to the SEM
 system.
 Fields:
 l Agent: Select the event field or constant that defines the Agent on which the new user group
 is to reside. To create a user group at the domain level, specify a domain controller as the
 Agent.
 l Group Name: Select the event field or constant that defines which user group is to be
 created.

Delete User Account
 Description: This action deletes a user account from an Agent.
 Fields:
 l Agent: Select the event field or constant that defines the Agent on which the user account is
 to be deleted. To delete a user account at the domain level, specify a domain controller as
 the Agent.
 l Account Name: Select the event field or constant that names the account that is to be
 deleted.

Delete User Group
 Description: This action deletes a user group from a particular Agent.
 Fields:
 l Agent: Select the event field or constant that defines the Agent on which the user group to
 be deleted resides. To delete a user group at the domain level, specify a domain controller
 as the Agent.
 l Group Name: Select the event field or constant that defines the user group that is to be
 deleted.

Detach USB Device
 Description: This action detaches a USB mass storage device that is connected to an Agent.
 Fields:
 l Agent: Select the event field or constant that defines the Agent from which the USB device is
 to be detached.
 l Device: Select the event field or constant that defines the device ID of the USB device that
 is to be detached.

Disable Domain User Account
 Description: This action disables a Domain User Account on a Domain Controller Agent.
 Fields:
 l Domain Controller Agent: Select the event field or constant that defines the Domain
 Controller Agent on which the domain user is to be disabled.
 l Destination Account: Select the event field or constant that defines the account that is to
 be disabled.

Disable Local User Account
 Description: This action disables a local user account on an Agent.
 Fields:
 l Agent: Select the event field or constant that defines the Agent on which the local user is
 to be disabled.
 l Destination Account: Select the event field or constant that defines the account that is to
 be disabled.

Disable Networking
 Description: This action disables an Agent’s network access. The result is that the specified
 Agent will be unable to connect to the network.
 Fields:
 l Agent: Select the event field or constant that defines the Agent that is to be disabled from
 the network.
 l Message: Type the message that is to appear on the Agent.

Disable Windows Machine Account
 Description: This action disables a Windows machine account that resides on a Domain
 Controller Agent.
 Fields:
 l Domain Controller Agent: Select the event field or constant that defines the Domain
 Controller Agent on which the account is to be disabled.
 l Destination Account: Select the event field or constant that specifies which Windows
 account is to be disabled.

Enable Domain User Account
 Description: This action enables a Domain User Account on a Domain Controller Agent.
 Fields:
 l Domain Controller Agent: Select the event field or constant that defines the Domain
 Controller Agent on which the domain user is to be enabled.
 l Destination Account: Select the event field or constant that defines the account that is to
 be enabled.

Enable Local User Account
 Description: This action enables a local user account on an Agent.
 Fields:
 l Agent: Select the event field or constant that defines the Agent on which the local user is
 to be enabled.
 l Destination Account: Select the event field or constant that defines the account that is to
 be enabled.

Enable Windows Machine Account
 Description: This action enables a Windows machine account that resides on a Domain
 Controller Agent.
 Fields:
 l Domain Controller Agent: Select the event field or constant that defines the Domain
 Controller Agent on which the account is to be enabled.
 l Destination Account: Select the event field or constant that specifies which Windows
 account is to be enabled.

Incident Event
 Description: This action escalates potential issues by creating an Incident Event.
 Fields:
 l Event: Select which Incident Event the rule is to create.
 l Event Fields: From the list pane, select the events and constants that define the appropriate
 data elements for each event field. The fields vary, depending on which Incident Event is
 selected.

Infer Event
 Description: This action escalates potentially irregular audit traffic into security events by
 creating (or inferring) a new event with a higher severity.
 Fields:
 l Event: Select which Event the rule is to infer.
 l Event Fields: From the list pane, select the events and constants that define the appropriate
 data elements for each event field. The fields vary, depending on which event is selected.

Kill Process by ID
 Description: This action terminates the specified process on an Agent by using its process ID
 value.
 Fields:
 l Agent: Select the event field or constant that defines the Agent on which the process is to
 be terminated.
 l Process ID: Select the event field or constant that identifies the ID number of the process
 that is to be terminated.

Kill Process by Name
 Description: This action terminates the specified process on an Agent by referring to the
 process name.
 Fields:
 l Agent: Select the event field or constant that defines the Agent on which the process is to
 be terminated.
 l Process Name: Select the event field or constant that identifies the name of the process that
 is to be terminated.
 l Account Name: Select the event field or constant that identifies the name of the account that
 is running the process to be terminated.

Log Off User
 Description: This action logs the user off of an Agent.
 Fields:
 l Agent: Select the event field or constant that defines the Agent from which the user is to be
 logged off.
 l Account Name: Select the event field or constant that identifies the specific account name
 that is to be logged off.

Modify State Variable
 Description: This action modifies a state variable.
 Fields:
 l State Variable: From the State Variables list, drag the state variable that the rule is to
 modify.
 l State Variable Fields: From the appropriate component list, type or drag the data element
 that is to be modified in the state variable. The fields vary, depending on which state
 variable is selected.

Remove Domain User From Group
 Description: This action removes a domain user from a specified user group that resides on a
 particular Agent.
 Fields:
 l Domain Controller Agent: Select the event field or constant that defines the domain
 controller Agent on which the group to be modified resides.
 l Group Name: Select the event field or constant that defines the group that is to be modified.
 l User Name: Select the event field or constant that defines the user who is to be removed from
 the group.

Remove Local User From Group
 Description: This action removes a local user from a specified user group that resides on a
 particular Agent.
 Fields:
 l Agent: Select the event field or constant that defines the Agent on which the group to be
 modified resides.
 l Group Name: Select the event field or constant that defines the group that is to be modified.
 l User Name: Select the event field or constant that defines the user who is to be removed from
 the group.

Remove User-Defined Group Element
 Description: This action removes a data element from a particular user-defined group.
 Fields:
 l User-Defined Group: From the User-Defined Groups list, select the user-defined group from
 which the specified data element is to be removed.
 l Value: Select the event field or constant that defines the data element that is to be removed
 from the specified user-defined group. The fields will vary according to which user-defined
 group you select.

Reset User Account Password
 Description: This action resets a user account password on a particular Agent.
 Fields:
 l Agent: Select the event field or constant that identifies the Agent on which the user
 password is to be reset. To reset an account at the domain level, specify a domain controller
 as the Agent.
 l Account Name: Select the event field or constant that identifies the user account that is to
 be reset.
 l New Password: Select the event field or constant that defines the user’s new password.

Restart Machine
 Description: This action reboots an Agent.
 Fields:
 l Agent: Select the event field or constant that identifies the Agent that is to be rebooted.
 l Delay (sec): Type the time (in seconds) after the event occurs that the Manager is to wait
 before rebooting the Agent.

Restart Windows Service
 Description: This action restarts the specified Windows service on an Agent.
 Fields:
 l Agent: Select the event field or constant that identifies the Agent on which the Windows
 service will be restarted.
 l Service Name: Select the event field or constant that identifies the name of the service that
 is to be restarted.

Send Email Message
 Description: This action sends a preconfigured email message to a predetermined email
 distribution list.
 Fields:
 l Email Template: Select the template that the email message is to use.
 l Recipients: Click the check boxes to select which users are to receive the email message.
 l Email Fields: Either drag a field from the components list, or select a constant from the
 components list, to select the appropriate data elements that are to appear in each email
 template field. The fields vary, depending on which email template is selected.

Send Popup Message
 Description: This action displays a pop-up message to an Agent.
 Fields:
 l Agent: Select the event field or constant that identifies the Agent that is to receive the
 pop-up message.
 l Account Name: Select the event field or constant that identifies the user account to receive
 the message.
 l Message: Select the event field or constant that defines the message that is to appear on the
 Agent’s monitor.

Shutdown Machine
 Description: This action shuts down an Agent.
 Fields:
 l Agent: Select the event field or constant that identifies the Agent that is to be shut down.
 l Delay (sec): Type the time (in seconds) after the event occurs that the Manager is to wait
 before shutting down the Agent.

Start Windows Service
 Description: This action starts the specified Windows service on an Agent.
 Fields:
 l Agent: Select the event field or constant that identifies the Agent on which the Windows
 service is to be started.
 l Service Name: Select the event field or constant that defines the Windows service that is to
 be started.

Stop Windows Service
 Description: This action stops the specified Windows service on an Agent.
 Fields:
 l Agent: Select the event field or constant that identifies the Agent on which the Windows
 service is to be stopped.
 l Service Name: Select the event field or constant that defines the Windows service that is to
 be stopped.

Use computer-based active responses in SEM


To perform Windows-based actions related to computers and computer services on your SEM
Agents, use the following Computer-based active responses. These actions are useful to respond to
insider abuse, computer infections, and other suspicious activity. They can be automated in a SEM
rule, or executed manually from the Respond menu on the SEM Console.
 l Disable Windows Machine Account
 l Enable Windows Machine Account
 l Disable Networking
 l Detach USB Device
 l Restart Machine
 l Restart Windows Service
 l Send Popup Message
 l Shutdown Machine
 l Start Windows Service
 l Stop Windows Service

Requirements
Configure the Windows Active Response connector on each SEM Agent on which you want to be able
to use these active responses.


Deploy your SEM Agents and configure the Windows Active Response connector based on where you
want to perform these actions. To perform actions at the domain level, deploy a SEM Agent to at least
one domain controller. To perform actions at the local level, deploy a SEM Agent to each computer
you want to be able to respond to.

Use the Append Text to File active response in SEM


Use the Append Text To File active response to append static or dynamic text to a flat text file on your
network. This action is useful for keeping a running list of deployed SEM Agents or tracking certain
types of activity across several users and computers. You can automate this response with a SEM
rule, or execute it manually from the Respond menu on the SEM Console.

Requirements
To use this active response, ensure that the file you want to append already exists. Follow these
guidelines when creating the file:
 l Use a .txt file, or a similar flat-text file format.
 l Avoid using spaces in the file path or name.
 l Note the complete file path and name, because you will need it to configure the active response.

Configure the Append Text to File active response and Windows active response connectors on each
SEM Agent on which you want to be able to use this active response.

Configure the Append Text to File Active Response connector on a SEM Agent

 1. On the SEM Console, navigate to Configure > Nodes.
 2. Select your agent node, and then click Manage node connectors.
 3. In the search box, enter append.
 4. Select the Append Text to File Active Response connector, and then click Add Connector.
 5. Enter a new name, or keep the default.
 6. From the How to append drop-down list, select Newline to append the text to a new line, or No
Newline.
 7. Specify a Maximum file size, or accept the default, and then click Add.
 8. Under Configured connectors, select your connector, and then click Start.

Configure the Append Text to File action in a rule

 1. On the SEM Console, select Rules.
 2. Select an existing rule that triggers on a specific event, click Edit, and then click Next.
 3. Under Actions, click Add new action.
 4. Select Append Text to File, and then click Next.
 5. Under Define action, begin typing to locate the event defined in your rule definition.
 6. In the File Path field, enter the full directory path and the name of the target file.
 7. In the Text field, enter the text to insert into the file. If using plain text, select String from the
drop-down list.
 8. Click Add, and then click Save.

Configure an active response connector on a SEM agent


Configure the Windows active response connector on each SEM agent that requires active responses.

You can deploy your SEM agents and configure the Windows active response connector based on
where you want to perform these actions. To perform actions at the domain level, deploy a SEM agent
to at least one domain controller. To perform actions at the local level, deploy a SEM agent to each
computer that requires a response.

 1. On the SEM Console, navigate to Configure > Nodes.
 2. Under Refine Results, expand the Type group, and then select the Agent check box.
 3. Select an agent, and then click Manage node connectors.
 4. In the search box, type Windows Active Response.
 5. Select the Windows Active Response connector, and then click Add Connector.
 6. Enter a custom alias name for the new connector, or accept the default, and then click Add.
 7. Under Configured connectors, select your configured connector, and then click Start.

Use the Block IP active response in SEM


Use the Block IP active response to block an IP address at your firewall using your SEM Manager. This
action is useful for blocking port scanners, and can be automated in a SEM rule, or executed manually
from the Respond menu on the SEM Console.


Requirements
You can use the Block IP active response with the following firewalls/modules:
 l Cisco PIX
 l Cisco ASA
 l Cisco Firewall Services Module
 l FortiGate Firewalls
 l Juniper NetScreen
 l Check Point OPSEC
 l SonicWALL
 l WatchGuard Firebox (including Vclass)

Configure the Active Response connector for one of the firewalls listed above on your SEM manager.

Configure the Active Response connector for your firewall

 1. On the SEM Console, navigate to Configure > Manager Connectors.
 2. In the search box, enter active response.
 3. Select your firewall active response connector, and then click Add Connector.
 4. Complete the connector configuration form according to your firewall specifications, and then
click Add.
 5. Under Configured connectors, select the connector, and then click Start.

Configure the rule

 1. On the SEM Console, select Rules.
 2. On the Rules toolbar, click Create new rule.
 3. Drag one or more values into the rule definition builder. The drag panel on the left contains
searchable filter values that you can drag into the rule definition builder. Expand a rule values
group to select a value, or locate your value by entering a term in the search field.

When you drag a value into the filter builder, the correct drop location is illuminated with a
blue line. Learn more here.

 4. Click Next.
 5. Under details and actions, add a descriptive rule name.
 6. To add the Active Response tag to your rule, click Add tag, and then select it from the Activity
Types list.
 7. Click a toggle button to enable the rule after saving, or to enable in test mode.
 8. Click Add new action, select Block IP, and then click Next.
 9. Enter the IP address to be blocked, click Add, and then click Create.

Additional Information

The Block IP active response creates a rule on your firewall to block the IP addresses you specify. To
allow an IP address through your firewall, delete or modify the rule on your firewall as appropriate.

Configure the Detach USB Device active response in SEM


Use the Windows active response to detach a USB device from a SEM Agent running USB Defender.
This action is useful for allowing only specific devices to be attached to your Windows computers or
detaching any device exhibiting suspicious behavior, and can be automated in a SEM rule, or executed
manually from the Respond menu on the Manage > Nodes page.

USB Defender is an installation option when the Agent is originally installed. If it was not selected at
that time, reinstall the Agent with USB Defender. Additionally, configure the Windows Active Response
connector on each SEM Agent where you require an active response.

Verify that USB Defender is installed on a SEM Agent


 1. On the SEM Console, navigate to Configure > Nodes.
 2. Under Refine Results, expand the Type group, and then select the Agent check box.
 3. Under Refine Results, expand the USB Monitoring group, and then select the Installed check box.

The check next to USB indicates USB Defender is installed.

 4. If USB Defender is not installed on one or more SEM Agents, reinstall the Agent and ensure that
you select Install USB-Defender after you confirm the Manager Communication Settings.

Detach USB devices


By default, USB devices are audited, and the USB File Audit Activity filter displays those events. The
filter is set for FileAuditAlerts.ProviderSID=*USB*. To monitor all USB device activity, create a
filter for AnyAlert.ProviderSID=*USB*.

USB devices are not detached by default. You must configure a rule to detach the device. The SEM
Console includes several rule templates that you can access and modify as needed.


You can enforce USB Defender policy locally. See Configure the USB Defender local policy
connector for details.

Configure the Disable Networking active response in SEM


Use the Disable Networking Active Response to disable networking on a SEM Agent at the Windows
Device Manager level. Use this active response for isolating network infections and attacks. You can
automate the active response in a SEM rule or manually execute the response from the Respond
menu on the SEM Console.

Use caution with this active response, because it responds to the SEM Agent at the Device Manager
level. To avoid disabling networking unintentionally, consider placing new rules with this action in Test
mode until you are sure your correlations are configured appropriately.

Configure the Windows active response connector on each SEM agent that requires active responses.

You can deploy your SEM agents and configure the Windows active response connector based on
where you want to perform these actions. To perform actions at the domain level, deploy a SEM agent
to at least one domain controller. To perform actions at the local level, deploy a SEM agent to each
computer that requires a response.

 1. On the SEM Console, navigate to Configure > Nodes.
 2. Under Refine Results, expand the Type group, and then select the Agent check box.
 3. Select an agent, and then click Manage node connectors.
 4. In the search box, type Windows Active Response.
 5. Select the Windows Active Response connector, and then click Add Connector.
 6. Enter a custom alias name for the new connector, or accept the default, and then click Add.
 7. Under Configured connectors, select your configured connector, and then click Start.

Re-enable networking on a computer affected by the active response

 1. Log in to the computer locally with administrative privileges.
 2. Open Control Panel, and then navigate to System and Security > Administrative Tools >
Computer Management.
 3. In Computer Management, navigate to System Tools > Device Manager.
 4. Expand the Network adapters group.
 5. Select the network adapter, and then click Action > Enable.
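Because the Disable Networking response disables the adapter at the Device Manager level, the same recovery can be done from an elevated PowerShell session on the affected computer instead of clicking through Computer Management. The following is an added example, not part of the SolarWinds guide: it lists the adapters with their current state, re-enables only those that are disabled, and then verifies the result. It assumes the NetAdapter module (Windows 8 / Windows Server 2012 and later) and local administrator rights; since the computer is off the network, it has to be run from the local console.

```powershell
# Added example, not part of the SolarWinds SEM guide: re-enable network adapters
# that the Disable Networking active response turned off. Run locally, elevated.

# Show every adapter and its state so the disabled one(s) can be confirmed first.
Get-NetAdapter | Select-Object Name, InterfaceDescription, Status | Format-Table -AutoSize

# Select only adapters that are currently disabled at the device level.
$disabled = Get-NetAdapter | Where-Object { $_.Status -eq 'Disabled' }

if ($disabled) {
    # -Confirm:$false suppresses the per-adapter confirmation prompt.
    $disabled | Enable-NetAdapter -Confirm:$false

    # Give the adapter a moment to come up, then verify its new state.
    Start-Sleep -Seconds 5
    Get-NetAdapter -Name $disabled.Name | Select-Object Name, Status | Format-Table -AutoSize
} else {
    Write-Host 'No disabled network adapters found.'
}
```

If the rule that disabled networking is still enabled and its condition is still true, the adapter may be disabled again as soon as the Agent reconnects; put the rule into Test mode, as the caution above recommends, before re-enabling the adapter.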

Configure the Kill Process active response in SEM


Use the Kill Process active response to end Windows-based processes in your SEM Agents. This
response helps to stop suspicious or unauthorized processes. You can automate the response using
a SEM rule or manually execute the response from the Respond menu on the SEM Console.

Configure the Windows active response connector on each SEM agent that requires active responses.

You can deploy your SEM agents and configure the Windows active response connector based on
where you want to perform these actions. To perform actions at the domain level, deploy a SEM agent
to at least one domain controller. To perform actions at the local level, deploy a SEM agent to each
computer that requires a response.

 1. On the SEM Console, navigate to Configure > Nodes.
 2. Under Refine Results, expand the Type group, and then select the Agent check box.
 3. Select an agent, and then click Manage node connectors.
 4. In the search box, type Windows Active Response.
 5. Select the Windows Active Response connector, and then click Add Connector.
 6. Enter a custom alias name for the new connector, or accept the default, and then click Add.
 7. Under Configured connectors, select your configured connector, and then click Start.


SEM reports: Create reports for regulatory and compliance purposes

About SEM reports
This topic introduces SEM reports and describes how to log in to the SEM reports application.

See Install the SEM reports application in the SEM Installation Guide if you have not yet
installed the reports application.

SEM reports overview


The SEM reports application converts SEM database data into information that you can use to
troubleshoot and identify network problems. Run reports on your Security Event Manager database to
view events and trends. Over 200 standard and industry-specific reports are available to help you
make informed decisions about your network activity and security.

About report categories


SEM reports are organized into categories:
 l Standard Reports ship with SEM. Most standard reports capture specific event data that occurs
during a particular period.
 l Industry Reports support the compliance and auditing needs of certain industries (such as
financial services and healthcare), and the accountability requirements of publicly-traded
companies.
 l Custom Reports display reports you created to meet a specific need.
 l Favorite Reports displays the standard, industry, and custom reports you use most often. You
can add and remove reports to this category as needed.

Standard and Custom reports are essentially the same kind of report. The only difference is that
Custom reports are undocumented and were created specifically by (or for) you.


About report levels


There are three SEM report levels:
 l A primary report is a standard report that includes a series of subtopics, where each subtopic
contains a specific set of details about the higher-level primary topic. Together, these topics
create the report, similar to chapters in a book. Primary reports include a graphical summary
page.
 l A detail report is a report that includes all events and event details.
 l A top report includes the top events for a selected category.

About scheduled and on-demand reports


The reports application can run scheduled or on-demand reports:
 l Scheduled reports are reports you configure to run automatically on a schedule you define,
without intervention.
 l On-demand reports are reports you run only when you need them.

SolarWinds recommends identifying who needs to receive performance or status reports, and
how often they should receive them.

After you run a report, you can print it or export it to several supported formats (including PDF and
Microsoft Word).

Open the SEM reports application


Launch Reports as an administrator the first time you run the application. Depending on your
Windows security setup, you may always need to run Reports using the Run as administrator option.
See To automatically Run as administrator every time you run Reports for help.

 1. Log in to a Windows computer that has the SEM reports application.
Click Start, and then select All Programs.
 2. Choose the SolarWinds folder, and then click the Reports shortcut.
The SEM reports application opens.

To automatically Run as administrator every time you run Reports


 1. Right-click the Reports application icon.
 2. On the Shortcut tab, click Advanced.
 3. Select the Run as administrator check box, and then click OK.


Setting up the SEM reports application


Complete the steps in this section after you install the reports application.

See Install the SEM reports application in the SEM Installation Guide if you have not yet
installed the reports application.

Configure the SEM reports application to communicate with the SEM database

SolarWinds recommends that you create a special service account for use with the SEM
reports application. See Create a local SEM user account for instructions and specify Reports
in the SEM Role field. The Administrator and Auditor roles can also use the SEM reports
application.

 1. Open the SEM reports application. See Open the SEM reports application for steps.

 l Launch Reports as an administrator the first time you run the application.
Depending on your Windows security setup, you may always need to run Reports
using the Run as administrator option. See To automatically Run as administrator
every time you run Reports for help.
 l The first time you open Reports, a pop-up dialog displays the message: A manager
list was not found. Please create a list containing at least one manager. This is not
an error. Click OK to close the pop-up dialog.

 2. On the Settings tab, click the Configure button (the button with a gear icon).
 3. Choose Managers - Credentials and Certificates.

 4. Complete the fields as required.


 a. Manager name – Enter the IP address of the SEM Manager.
 b. User name – Enter the service account user you created to log in to the SEM reports
application.
 c. Enter the password for the service account user.
 d. Select the green + button to save the credentials.
 e. Close the dialog.


 5. Click Test Connection to verify the connection.


See Troubleshoot the SEM reports application database connection if the connection failed.
 6. Click OK.
The reports application is connected to the SEM database server.

Secure the SEM reports application


To secure the SEM reports application, see the following topics in the Securing SEM section of the
SEM Administrator Guide:
 l Restrict access to the SEM reports application
 l Transport layer security (TLS) and the SEM reports

Select a default primary data source


Select the primary data source connection for running reports when you open the SEM reports
application. The connection settings display as the default setting in the Data Source drop-down
menu.

You can select a different data source when you open the SEM reports application. The next time you
open the application, the setting defaults to the primary data source.

 1. Open the SEM reports application. See Open the SEM reports application for steps.
 2. On the Settings tab, click Configure, and then select Primary Data Source.
 3. In the Primary Data Source list, select the default data source.


 4. To verify your connection to the data source, click Test Connection.
If the test succeeds, Ping Test success appears in the dialog box. If the test fails, an error
message appears. See Troubleshoot the SEM reports application database connection.
 5. Click OK.
The default primary data source is configured.

Configure a syslog server (optional)


You can enable a SEM Manager to send report log information to a syslog server to record all report-
related events and application messages. The server logs basic report activity, such as the user name,
report type, targeted database, report time, and any error messages that occur while generating the
report.

The syslog server is set to the Primary Manager by default, but can be set to any server running a
standard syslog service. The server must have an Agent installed to communicate with the SEM
Manager.

 1. Open the SEM reports application. See Open the SEM reports application for steps.
 2. On the Settings tab, click Configure, and then select Syslog Server.
The Set Syslog Server form appears.

 3. In the Syslog Server (Host Name) box, enter the server host name.

 4. Click Test.


The system tests the connection.

You must test the connection before the server can be accepted. A successful test does
not confirm that the host is a syslog server.

 l If the ping test succeeds, the Ping Test succeeded notification appears in the dialog box
with the host IP address.
 l If the ping test fails, an error message appears. Verify that you entered a host name that
matches a valid DNS entry, and then click Test.
 5. Click OK.
The syslog server is configured.

The SEM reports application interface


This section describes the SEM reports application interface. See About SEM reports for a SEM
reports overview and steps to log in to the reports application.

The Reports application features


This topic describes the Reports application interface and its key features.


The following table describes the reports application.

Item Name Description

1 Menu button: Opens, saves, or prints a report. Also provides additional options for your report.

2 Quick Access toolbar: Contains a set of commands independent of the currently-selected tab. You
can customize the toolbar by adding buttons for the commands you use most often, and you can move
the toolbar to two different locations. See The Quick Access toolbar for more information.

3 Ribbon: Locates the commands you need to complete a task. Commands are organized in logical
groups under tabs. Each tab relates to a type of activity, such as running and scheduling reports, or
viewing and printing reports. To save space, you can minimize the Ribbon, displaying only the tabs.
See Minimize the ribbon for more information.

4 Settings tab: Helps you select the reports you want to run, open, and schedule. You can also
configure reports and the report data source settings.

5 View tab: Provides options to print, export, resize, and view a report. Click this tab after you run
a report to view the report contents.

6 Grouping bar: Provides options to group, sort, and organize the reports list.

7 Report list/Preview pane: Displays a list of standard reports by default. When you select a new
report category, the grid displays the reports for your selected category. Use this grid to select the
report that you want to run or schedule. You can also filter and sort the grid to quickly find the
reports you want to work with. When you open or run a report, this section changes into a report
preview pane that displays the report. The ribbon automatically switches to the View tab with a
toolbar to print, export, resize, or view the report.


Menu button

Click the menu button to open a drop-down menu that lets you execute the most common report
commands, as described below.

Menu Option Description

Open Report: Opens a report saved in RPT format. The report opens in the Reports Preview pane in
the View tab, where you can view, search, print, and export the report. You can also view and execute
recently-opened report files.

Export Report: Exports the selected report.

Schedule Report: Configures a schedule to automatically run the selected report in the report list.

Print Report: Prints your selected report to your default printer.

Printer Setup: Opens a Print Setup dialog box to select a printer and customize the print settings.

Refresh Report List: Refreshes the report list for each report category. Select this option when you
add new report files (such as new custom reports) that do not appear in the report list.

Exit: Closes the Reports application.


Quick Access toolbar


The Quick Access toolbar contains a set of commands that are independent of the active tab. You
can customize the toolbar by adding buttons for the commands you use most often, and you can
move the toolbar to two different locations.

The Quick Access toolbar

Default commands
By default, the Quick Access toolbar shows the commands listed in the following table.

Command Description

Open: Opens a report saved in RPT format. The report opens in the Reports Preview pane in the View
tab, where you can view, search, print, and export it.

Run: Runs the report currently selected in the report list. If the report requires any parameters, the
Enter Parameter Values form appears. See Run and schedule reports to run a report.

Refresh Report List: Refreshes the report list for each report category. Use this command if you
added new report files (such as new custom reports) and they do not appear in the report list. This
command accesses the Reports directory on your computer, retrieves information about all of the
reports, and rebuilds the lists for each report category.

Exit: Exits the Reports application.


Customize the Quick Access toolbar


You can customize the toolbar by adding or removing any command displayed on the ribbon, so that
it holds the commands you use most often.

 1. Next to the Quick Access toolbar, click the drop-down list.
 2. In the Customize Quick Access Toolbar form, add or remove commands from the toolbar.
To add a button to the toolbar, select the corresponding command check box.
To remove a button from the toolbar, clear the corresponding command check box.
To choose from a list of additional commands, click More Commands, and then use the
Customize view to add or remove commands to the toolbar.

Add commands from the ribbon

 1. On the ribbon, click the appropriate tab or group to display the command you want to add to the
toolbar.
 2. Right-click the command, and then click Add to Quick Access Toolbar on the shortcut menu.

The command appears in the toolbar.

Move the Quick Access toolbar


The Quick Access toolbar is in the upper-left corner of the window next to the Reports Button (default)
or below the ribbon. You can move the toolbar to another location.

 1. Next to the Quick Access toolbar, click the drop-down list.
The Customize Quick Access toolbar form appears.
 2. In the Customize Quick Access toolbar form, move the toolbar below or above the ribbon.


To move the toolbar below the Ribbon, click Show Quick Access toolbar Below the Ribbon.

To move the toolbar above the Ribbon, click Show Quick Access toolbar Above the Ribbon.

Minimize the ribbon


You can minimize the ribbon to make more space available on your screen. When the Ribbon is
minimized, only the tabs display.

To keep the ribbon minimized, click the drop-down list next to the Quick Access toolbar and select
Minimize the Ribbon. To use the ribbon while it is minimized, click the tab you want to use and select
the option or command you want to use. After you click the command, the ribbon returns to a
minimized view.

To restore the Ribbon, click the drop-down list next to the Quick Access toolbar and clear the
Minimize the Ribbon check box.

To toggle between full and minimized view, double-click the name of the active tab or press Ctrl+F1.


The Preferences group


In the Preferences group, use the Configure drop-down menu to link the SEM reports application to a
data source (such as a SEM Manager). You can select a primary data source, a syslog server, or a
data warehouse.

The following table describes each option in the Preferences group.

Preference / Option Description

Configure

Primary Data Source: Provides the default data source to run reports when you open the SEM
reports application. This option becomes the default setting in the Data Source drop-down menu.

Syslog Server: Enables the selected SEM Manager to send report log information to a syslog server.
This server logs basic report activity, such as the user name, report type, targeted database, report
time, and any error messages that occur while generating the report.

Managers - Credentials and Certificates: Enables the SEM reports application to communicate with
the SEM database server. You can use the Reports credentials to provide secure reporting, audit users
who access the server running on the SEM VM, enable third-party authentication servers (such as
Active Directory) for SEM reporting, and set up roles for user access to prevent unauthorized users
from accessing the SEM reports application. The selected SEM Manager name or IP address appears in
and above the Reports Data Sources drop-down menu.

Data Source

Data Source: Selects the targeted data source to run reports. When you select a data source in the
drop-down menu, the data source temporarily overrides the Primary Data Source (default) you selected
as the primary data source in the Configure drop-down menu.


Find, filter, and group SEM reports


This section describes how to find and work with SEM reports.

Find a SEM report by title


 1. Open the SEM reports application. See Open the SEM reports application for steps.
 2. Click the Settings tab.
 3. From the Category drop-down list, select the category that contains your targeted report.
 4. Click a report title and begin entering your report name.
The console highlights the first report that matches your text. For example, if you click Standard
Reports and enter Event, the system highlights Event Summary, which is the first matching
report title.

Find reports for specific industries


Use the Industry Setup tab to select the industries and areas of regulatory compliance related to your
company. This helps you reduce the number of reports that display in the Industry Reports list.

 1. Open the SEM reports application. See Open the SEM reports application for steps.
 2. On the Settings tab, click Manage, and then select Manage Categories.
 3. In the Manage Categories form, click the Industry Setup tab.
The Classifications section lists industries and regulatory areas supported by standard Reports.
The Reports for section displays the standard reports that support your classification
selections.

 4. Select the check box for each industry related to your company.
The Reports for section displays all standard reports that support your selected industry.
 5. Select the check box for each regulatory area related to your company.
See Industry options for more information.
 6. Click OK.


Industry Options
Industry reports are standard reports designed to support the compliance and auditing needs of
certain industries. SolarWinds provides reports that support the financial services and health care
industries, as well as the accountability reporting needs of publicly traded companies. The following
table describes the compliance and auditing areas supported in the reports.

Supported Industry Description

Education

FERPA: Federal Educational Rights and Privacy Act (FERPA), which gives parents and eligible
students certain rights with respect to their children's education records.

Federal

CoCo: UK Code of Connection regulations.

DISA STIG: Defense Information Systems Agency's (DISA) Security Technical Implementation Guide
(STIG).

FISMA: Federal Information Security Management Act (FISMA).

NERC-CIP: North American Electric Reliability Council (NERC) Critical Infrastructure Protection
(CIP) reliability standards.

Finance

CISP: Cardholder Information Security Program, which helps safeguard credit card and bank card
transactions at the point of sale, over the Internet, on the phone, or through the mail. CISP helps
protect cardholder data for cardholders, merchants, and service providers.

COBIT: Control Objectives for Information and related Technology (COBIT™). COBIT is an open
standard for IT security and control practices. It includes more than 320 control objectives and
includes audit guides for more than 30 IT processes.

GLBA: Gramm Leach Bliley Act (GLBA). GLBA requires financial institutions to protect the security,
integrity, and confidentiality of consumer information. It affects banking institutions, insurance
companies, securities firms, tax preparation services, all credit card companies, and all federally
insured financial institutions. Security information and event management (SIEM) plays a vital role
in GLBA.

NCUA: National Credit Union Administration (NCUA). NCUA is the federal agency that charters and
supervises federal credit unions and insures savings in federal and most state-chartered credit
unions across the country through the National Credit Union Share Insurance Fund (NCUSIF), a
federal fund backed by the United States government.

PCI: Payment Card Industry (PCI) Data Security Standard requirements of VISA CISP and AIS,
MasterCard SDP, American Express and Discover Card.

SOX: Sarbanes-Oxley (SOX) Act of 2002. Sarbanes-Oxley protects company investors by improving the
accuracy and reliability of corporate disclosures made pursuant to securities laws. Provisions within
Sarbanes-Oxley hold executive management and the board of directors liable for criminal and civil
penalties. Specifically, under Section 404 of the Sarbanes-Oxley Act, executives must certify and
demonstrate that they have established and are maintaining an adequate internal control structure
and procedures for financial reporting.

General

GPG13: Good Practice Guide 13 (GPG13), a mandatory aspect of CoCo compliance.

ISO 17799/27001/27002: ISO 17799, ISO 27001, and ISO 27002 international security standards.

Healthcare

HIPAA: Health Insurance Portability and Accountability Act (HIPAA), which requires national
standards for electronic health care transactions.


View SEM report properties


In the reports grid, select a report, and then click Report Properties. A dialog box appears with
information about your report.

Filter and sort SEM report lists in the reports application


Use the Reports window to filter your report list and display only those reports associated with a
particular report title, category, level, or type. You can also apply more than one filter at a time to
display a very small subset of the report list. If required, you can create your own custom filters and
save them for later use.


Each report list column header includes a drop-down list that displays column filter options, as shown
below.

For example, selecting Audit reduces the list to show only the reports associated with the Audit
category.

When you apply a filter, a yellow status bar appears below the reports list. The status bar lists which
filters are currently applied. You can use this list to remove each filter individually, or to remove them
all at once.

Filter the report list to reduce the number of listed reports


 1. Decide which column you want to use for the filter.
 2. Click the drop-down list in that column header, and then select a filter option.
The report list refreshes to display the filtered list.
 3. Repeat the previous step for each additional filter you want to apply.


Change a filter setting


In the status bar below the report list, click the applied filter, and then select a different filter
option from your list of most commonly-used filters.

Sort the report list


You can sort the report list by clicking the column headers. This sorts the entire report list by the
contents of your selected column in either ascending or descending order.

 l A sort indicator appears in the column header, indicating that the report list is sorted by this
column in ascending order.
 l Click the column header again to reverse-sort the report list in descending order. The sort
indicator changes to show that the report list is sorted by this column in descending order.


Turn off report filters


In the Reports window, when you are finished with a report filter, you can turn it off. Turning off a filter
refreshes the report list so that it displays the list without that column filter. You can turn off a single
filter or all of the filters at once.

To turn off a filter, clear the check box next to the filter in the status bar.

To turn off all of the filters at once, click the button that clears all filters in the status bar. The
report list refreshes to display the list without any filters.

Manage report categories


Use the Manage Categories form to select reports from several industries, including Federal,
Education, and Healthcare. You can search for specific reports and add reports to your Favorite
Reports list.

Using the Industry Setup tab, you can select the industries and areas of regulatory compliance related
to your company. Reports related to the options you select display in the Industry Reports list.

The Favorites Setup tab includes a search option to list, sort, and group the report list by industry and
regulatory area. It highlights reports currently listed in your Favorite Reports list and allows you to add
new reports to the list.


The Favorites Setup tab also includes a Favorites tab that displays your current list of favorite
reports. You can use this view to sort and group your favorite reports to locate a specific report.
When needed, you can also use this view to remove a report from your list of favorites.

Create a favorite SEM reports list


You can access frequently-used reports by adding them to the Favorite Reports list. This list can
include both standard and custom reports. To create a favorite reports list, search the reports and
then add your selections to your Favorites list.

Each authorized reports application user can set up a list of favorite reports. Each list is unique to the
user logged in to the console. A reports application user is determined by the user’s Windows
account. If two users on the same computer log in to the same account, they will share a list of
favorites.

Step 1: Search the reports


 1. Open the SEM reports application. See Open the SEM reports application for steps.
 2. On the Settings tab, click Manage, and then select Manage Categories.
 3. Click the Favorites Setup tab.
 4. Click the Search tab.
The Classifications section lists industries and regulatory areas supported by standard Reports.
The Reports Matching Search Criteria box lists all standard SolarWinds reports. If a report
appears highlighted in green, the report is already in your Favorite Reports tab.

 5. In the Classifications section, select each industry or regulatory area related to your company.
 6. Click Search.


The Reports Matching Search Criteria section displays all standard reports that support your
options.
For example, if you select Finance, Search lists reports associated with Finance. If you selected
Finance and PCI, Search lists every report that is associated with either Finance or PCI.
You can organize the report list by sorting, filtering, and grouping the report list.

Step 2: Add a report to your Favorites tab


 1. In the report list, locate a report to save to the Favorite Reports list.
 2. Right-click the report, and then select Add to Favorites.
 3. Click Apply.
The report is saved to your Favorites list.

Remove a report from the Favorites tab


When you remove a report from the Favorite Reports list, the report remains in its original category. It
is not deleted from the reports application.

 1. Open the SEM reports application. See Open the SEM reports application for steps.
 2. On the Settings tab, click Manage, and then select Manage Categories.
 3. Click the Favorites tab.
 4. Select a report, and then click Remove From Favorites.
 5. Click Apply.
The report is removed from the Favorites tab.


Search SEM reports for specific text


The Reports window includes a search tool in the View tab to search for key words or phrases in text-
based reports.

This tool only works when you are viewing a text-based view of a report in the Preview pane. You
cannot use this tool with graphical-only reports, or the default graphical view that is displayed when
you first run the report.

View the text-based details of a report


In the View tab, click the tree button to open the subtopics in the reports list. Click the content-based
subtopic to jump to that section of the report.

Use the Search tool


 1. In the Reports window, open or run the report you want to view.
The report appears in the Preview pane.
 2. Display the text-based details you want to search in the Preview pane.
 3. In the View tab, click Search.
The Find form appears.

 4. In the Find what box, type the text you want to search for.
 5. Select Match whole word only to search for entire words that match, omitting matching letters
within words.
 6. Select Match case to make the search sensitive to uppercase or lowercase letters.


 7. In the Direction area, select Up to search from where you are now to the start of the document.
Select Down to search from where you are now to the end of the document.
 8. Click Find Next.
The tool locates the next instance of the text in the report and highlights it for easy viewing.
 9. Continue clicking Find Next for each remaining instance of the text you want to find.
 10. To close the Search form, click Cancel.

Categorize and display SEM reports by group


You can sort the report list into groups of reports by dragging one or more column headers into the
grouping box. This allows you to quickly organize and display groups of reports that fall into very
specific categories. For example, to group reports by category, drag the Category column header from
the report list into the grouping box.

You can rearrange the report list into groups defined by items from the Category column, as shown
below.

Groups change the report list into a series of nodes. There is a separate node for each unique item or
category from the column that defines the grouping. The nodes are alphabetized, and each node is
named by the column and category that defines the grouping.

For example, the Category column that defines the grouping in the example above includes three
unique categories: Audit, Security, and Support. Grouping by the Category column creates three
nodes: Category: Audit, Category: Security, and Category: Support. Opening a particular node displays
only the reports associated with the particular grouping configuration.

You can group reports by any column header in the report list (such as Title, Category, Level, and
Type). You can also create sub-groups to create parent-child hierarchies. For example, you could
create a Category group and a Type sub-group.


Create a report group in the SEM reports application


To create a report group, decide which column defines the report groupings.

Next, drag the column header into the area above the Reports Title column. In this example, the
Category header was dragged to the area above the Reports Title column. The report list now displays
a separate node for each unique item that is in the column that is defining the grouping. The nodes
are alphabetized and labeled for easy reference.

View the reports within a group in the SEM reports application


Click a node to display a list of reports that fall within that grouping. To close the node, click it again.




Create a sub-group in the SEM reports application


 1. Drag another column header into the Drag a column header here to group by that column area.

 2. Perform one of the following steps:


 • Place the new column header above the existing header to have the new header act as the
primary grouping. In the example shown above, the report list would be grouped by Level
and then Type.
 • Place the new column header below the existing header to have the new header act as the
secondary grouping. In the example shown above, the report list would be grouped by
Type and then Level.
The report list refreshes to display two levels of nodes: one level for the primary group and
one for the secondary group.

 3. To view the reports within a particular grouping, click a higher-level group node, and then a
sub-group node.
The report list displays only those reports that apply to both groupings.
 4. Repeat Steps 1 and 2 for each additional grouping you require.
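The grouping and sub-grouping described above, as an added example (not SolarWinds code) that builds the same alphabetized "Column: value" nodes from a constructed report list. The column names are the ones the guide mentions; the rows are invented.

```python
"""Group a report list by one or more column headers, the way the grouping box
in the SEM reports application does.  Added example, not SolarWinds code: the
column names come from the guide, the rows below are constructed."""
from itertools import groupby

# Constructed sample rows with the columns the guide names (Title, Category, Level, Type).
REPORTS = [
    {"Title": "Event Summary", "Category": "Audit", "Level": "Summary", "Type": "Standard"},
    {"Title": "File Audit", "Category": "Audit", "Level": "Detail", "Type": "Standard"},
    {"Title": "Malicious Code", "Category": "Security", "Level": "Detail", "Type": "Standard"},
    {"Title": "Net Suspicious", "Category": "Security", "Level": "Summary", "Type": "Standard"},
    {"Title": "Support Bundle", "Category": "Support", "Level": "Summary", "Type": "Custom"},
]


def group_reports(rows, columns):
    """Build nested nodes named "Column: value", one level per column.

    columns[0] is the primary grouping, columns[1] the sub-group beneath it, and
    so on.  Nodes at each level are alphabetized, and a leaf holds exactly the
    rows that match every grouping above it."""
    if not columns:
        return list(rows)
    col, rest = columns[0], columns[1:]
    ordered = sorted(rows, key=lambda r: r[col])  # groupby needs adjacent keys; sorting also alphabetizes
    return {
        f"{col}: {value}": group_reports(list(members), rest)
        for value, members in groupby(ordered, key=lambda r: r[col])
    }


def node_names(tree):
    """Labels of the nodes at one level, in display order."""
    return list(tree.keys())


def titles_under(node):
    """Every report title beneath a node (a dict of sub-nodes or a leaf list)."""
    if isinstance(node, dict):
        return [t for sub in node.values() for t in titles_under(sub)]
    return [r["Title"] for r in node]


def reports_in(tree, *path):
    """Open the nodes named in `path` (primary, then sub-group, ...) and list the titles."""
    node = tree
    for name in path:
        node = node[name]
    return titles_under(node)


if __name__ == "__main__":
    by_category_then_type = group_reports(REPORTS, ["Category", "Type"])
    for primary, subtree in by_category_then_type.items():
        print(primary)
        for secondary in node_names(subtree):
            print("  ", secondary, "->", ", ".join(titles_under(subtree[secondary])))
```

Dragging a second header above the first corresponds to putting it first in the `columns` list; the leaf under a primary/secondary pair holds only the reports that apply to both groupings.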



Run a SEM report on-demand or schedule a SEM report to run later

This section describes how to run a SEM report on-demand, as well as schedule reports to run
automatically. This section also documents how to run the default SEM Batch Reports using Windows
Task Scheduler.

Run an on-demand report in the SEM reports application


 1. Open the SEM reports application. See Open the SEM reports application for steps.
 2. On the Settings tab, click the Data Source drop-down menu and select a SEM Manager instance
(the IP address or hostname of your SEM VM).

 3. From the Category drop-down list, select a report category filter (optional), for example, Audit.

 4. Select a report title, and then click Run in the toolbar.

 5. Select your start and end date and time parameters, and then click OK.




The report appears in the View tab.

This process may take several minutes to complete.

 6. To send the report to a local or network printer, click Print.

 7. To export the report to the appropriate format (such as a PDF or a Microsoft Word document),
click Export.

Create a scheduled report in the SEM reports application


The following list provides an overview of the report scheduling process. Each step is described in
greater detail in the subsections that follow.

 1. Open the SEM reports application. See Open the SEM reports application for steps.
 2. Select the report that you want to schedule, and then click Schedule.
 3. Name the scheduled task to distinguish it from other similar tasks.




 4. Set the schedule parameters.


This states when the scheduled report runs.
 5. Apply any advanced scheduling options.
 6. Define when the system can and cannot run the task.
 7. Apply the scheduled report to the data source (Manager) for which you want a report. Then
define the scope, which is the period you want the report to cover.
When the system runs the report, it retrieves any pertinent events that occurred within the period
defined by the scope.
 8. Select any export options for the report.
This allows you to export to the folder of your choice, and in a format that is easy to read and
print. If you do not export the report, it will automatically print to your default printer.

Repeat this process for each report you want to schedule.

You can create more than one schedule for the same report. This allows you to run the same
report on different SEM Managers or run the same report in different intervals (such as daily,
weekly, or monthly), each with a different scope.

Step 1: Selecting the report you want to schedule


In this step, you will select the report you want to schedule, and then open the Report Scheduler Tasks
dialog.

 1. Open the SEM reports application. See Open the SEM reports application for steps.
 2. On the Settings tab, click the Category drop-down menu and select a report category.

The report list displays all saved reports in the category.


 3. In the Report Title column, locate the report you want to schedule.
 4. Right-click the report, and then select Schedule Report.
The Report Scheduler Tasks dialog appears.




The Event Summary box only displays the tasks that apply to your selected report.

 5. Add, edit, and delete your scheduled report tasks.

Step 2: Add a new scheduled report task


Name and configure the new scheduled task associated with this report.

 1. In the Report Scheduler Tasks dialog, click Add.


 2. Enter a name for the scheduled task, and then click OK.




The task scheduler form appears.

 3. Verify that the path in the Run field is correct. Click Browse and select the correct path, if
required.
 4. Verify that the user name in the Run as field is correct.

To change the account, enter it in the format [Domain]\[UserName]. The report runs with
that account's rights, so use a dedicated account with no more privilege than the report
run needs rather than a personal administrator account.

 5. To set up a password for the current user to run the report, click Set password.
 6. To run the scheduled task using the schedule you select in the Schedule tab, select the Enabled
check box.
To disable the schedule, clear the check box.
 7. To save your changes, click Apply.
 8. Complete the Task tab as described in the table.
 9. To save your changes, click Apply.




Step 3: Schedule the report


Create the report schedule. The settings on the Schedule tab tell the system when to run the report.

You can attach multiple schedules to the same report task; all of them use the task's scope. For
example, to see a running total for the current week, set the scope to Week: Current and add both
an hourly schedule and a twice-daily schedule to the task.

 1. Click the Schedule tab.

For new tasks, the tab states that the task is not scheduled.

 2. To create a new report schedule, click New.

 3. Complete the Schedule tab selections.


 4. To save your changes, click Apply.
The new report schedule appears in the list box near the top of the tab.




Step 4: Select the advanced scheduling options


If you clicked Advanced in the Schedule tab, the Advanced Schedule Options dialog box appears. You
can schedule start and end dates for the report, or set a task to repeat for a set period of time.

 1. In the Schedule tab, click Advanced.


 2. Select the start and end dates.
 3. To start running repeated tasks, select the Repeat task check box.
 4. In the Until section, select either the time at which repetition stops or the duration for which
the task keeps repeating.

By limiting the task run time, you can prevent the task from running continuously if a
problem should occur.

 5. Select If the task is still running, stop it at this time to stop the system from running a report
when the Time or Duration setting occurs. Clear this check box to have the system finish
running a report that overlaps the Time or Duration setting.




The following illustration displays the valid and invalid date formats for reports.

In this example, the configured report runs every four hours, starting on Monday, August 18, and
running through Sunday, August 30. Each time the task runs, the system will stop it if it
continues to run for more than one hour.
 6. To save your changes and exit the form, click OK.
You return to the task scheduler form.

Step 5: Stating when the system can or cannot run the task
Use the Settings tab to select when the system can and cannot run the task.

 1. Click the Settings tab.


 2. Complete the selections as required.




 3. To save your changes, click Apply.


 4. To close the task scheduler form and return to the Report Scheduler Tasks dialog, click OK.




Step 6: Assign the data source and scope


Assign the task to a particular data source (or Manager) and define the task scope (the period you
want the report to cover). When the system runs the report, it retrieves any relevant events that
occurred within the period defined by the scope.

 1. Select the report schedule you want to assign.

 2. Click Load to View or Edit.


The Report Execution Settings For Selected Task section is enabled.
 3. Use this section to configure the report execution settings for the task (report schedule) you
selected above.
 4. Use the Select the report data source list to select the Manager to which you want to assign
this task.

You can only assign a task to a single Manager. If you need to assign a similar or identical
task to a second Manager, create a new task.




Assign the task scope


In the Report Scope section, set up the task scope for this data source. The scope is the event period
(or time frame) for the events you want the report to cover.

 1. From the Date Range drop-down list, select the date range you want the report to cover for this
task and data source.
In this example, the date range is Day: Today. The report will cover the period from 12:00:00 AM
to 11:59:59 PM of the current date.
If you select Week: Previous, the scheduled report will contain information from the last full
week—from 12:00:00 AM the last Monday to 11:59:59 PM the last Sunday. For example, if today
is Wednesday the 11th, the task runs from 12:00:00 AM on the 2nd to 11:59:59 PM on the 8th.
Select one of the following date ranges:
 • Day: Today: Run for the specified time frame on the current (today’s) date.
 • Day: Yesterday: Run for the specified time frame on the previous (yesterday’s) date.
 • Week: Current: Run from one week ago to the current time.
 • Week: Previous: Run from 12:00:00 AM last Monday to 11:59:59 PM the following Sunday. This
report captures the last full week of data.
 • Month: Current: Run from one month ago to the current time.
 • Month: Previous: Run from 12:00:00 AM on the first day of the previous month to 11:59:59 PM
on its last day. This report captures the last full month of data.
 • User Defined: Run for another report scope. Use this option to schedule reports for arbitrary
periods or periods outside the conventional scope of a day, week, or month.
 2. Enter or select a start time and end time for reporting events that occurred on this Manager. The
report will only show those events that occurred on the Manager within this period.

If you select a week or month scope, you cannot edit the Start and End date and time
fields.




 3. In the Number of Items box, type or select the number of items you want the report to track.
The Count Settings area only applies to count-based reports, such as Top 20 reports.
 4. To configure the report so it automatically exports to a file, continue with Step 7: Export a
scheduled report. Otherwise, click Save.
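The scope options above, as an added example (not SolarWinds code) that computes the concrete start and end timestamps a task would cover, using the guide's own "today is Wednesday the 11th" case. Assumptions: weeks run Monday to Sunday as the guide states; Week: Current and Month: Current are read literally as "one week/month ago up to now"; and for User Defined only start-before-end is validated.

```python
"""Turn a Date Range selection into the concrete period a scheduled report
covers.  Added example, not SolarWinds code.  Assumptions: weeks run Monday to
Sunday as the guide states; "Week: Current" and "Month: Current" are read
literally as "one week/month ago up to now"; end times use the guide's
11:59:59 PM granularity."""
import calendar
from datetime import datetime, timedelta

END_OF_DAY = timedelta(hours=23, minutes=59, seconds=59)


def start_of_day(moment):
    return moment.replace(hour=0, minute=0, second=0, microsecond=0)


def shift_month(moment, months):
    """Same clock time `months` later (negative = earlier); the day of month is
    clamped, so 31 March minus one month is 28 or 29 February."""
    year = moment.year + (moment.month - 1 + months) // 12
    month = (moment.month - 1 + months) % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def report_scope(date_range, now, user_start=None, user_end=None):
    """Return (start, end) for a Date Range option evaluated at `now`."""
    today = start_of_day(now)
    if date_range == "Day: Today":
        return today, today + END_OF_DAY
    if date_range == "Day: Yesterday":
        yesterday = today - timedelta(days=1)
        return yesterday, yesterday + END_OF_DAY
    if date_range == "Week: Current":
        return now - timedelta(weeks=1), now
    if date_range == "Week: Previous":
        this_monday = today - timedelta(days=today.weekday())  # Monday == 0
        last_monday = this_monday - timedelta(weeks=1)
        return last_monday, last_monday + timedelta(days=6) + END_OF_DAY
    if date_range == "Month: Current":
        return shift_month(now, -1), now
    if date_range == "Month: Previous":
        last_day_prev = today.replace(day=1) - timedelta(days=1)
        return last_day_prev.replace(day=1), last_day_prev + END_OF_DAY
    if date_range == "User Defined":
        if user_start is None or user_end is None or user_end <= user_start:
            raise ValueError("User Defined scope needs an explicit start earlier than its end")
        return user_start, user_end
    raise ValueError(f"unknown date range {date_range!r}")


if __name__ == "__main__":
    # The guide's example: today is Wednesday the 11th (11 January 2023 is a Wednesday).
    now = datetime(2023, 1, 11, 14, 30)
    for option in ("Day: Today", "Day: Yesterday", "Week: Current", "Week: Previous",
                   "Month: Current", "Month: Previous"):
        start, end = report_scope(option, now)
        print(f"{option:16} {start:%a %Y-%m-%d %H:%M:%S} -> {end:%a %Y-%m-%d %H:%M:%S}")
```

For Week: Previous on Wednesday the 11th the result is 12:00:00 AM on the 2nd through 11:59:59 PM on the 8th, which is the period the guide describes; the month-clamping in `shift_month` is the one edge a literal "one month ago" needs.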

Step 7: Export a scheduled report


You can have the reports application automatically export a scheduled report, in PDF or another
supported format, to a folder you choose. Otherwise, the system sends the report to your default printer.

 1. Open the Report Scheduler Tasks dialog.


 2. Select the scheduled report task you want to export in the Task Description box.
 3. Select the Export check box in the Report Settings tab to name and export this report when the
task scheduler runs this report.

 4. From the Format drop-down list, select a file format for the exported report.
 5. Click the folder icon, locate the folder where you want to save the report, and enter a unique
file name for the report.
If the report has multiple schedules, give each scheduled report a different file name. Otherwise,
the exported files will overwrite each other or increment, according to the If File Exists setting.
 6. In the If File Exists list, choose one of the following options:
 • Select Increment to keep the new report alongside any previous versions in the folder. The
reports application appends an underscore and a digit to the file name of each new version,
for example [FileName]_1.pdf.
 • Select Overwrite to have each new version of the report replace the previous version in the
folder.
 7. Click Save.
 8. Click Close to close the Report Scheduler Tasks dialog and return to the Reports dialog.




 9. Repeat Step 2: Add a new scheduled report task through Step 7: Export a scheduled report
for each report you want to schedule and assign to a particular data source.

Remove a report from the report scheduler


 1. Open the SEM reports application. See Open the SEM reports application for steps.
 2. Click the Settings tab.
 3. From the Category drop-down list, select Standard Reports or Custom Reports.
The grid displays all reports in your selected category.
 4. In the Report Title column, click the name of the scheduled report for which you want to delete
the task schedule.
 5. Click Schedule.
 6. In the Report Scheduler Tasks dialog, select the scheduled report in the Task Description list
that includes the schedule you want to delete.
 7. Click Modify.
The task schedule form appears.
 8. In the Task Schedule dialog, click the Schedule tab and select the Show Multiple Schedules
check box.
 9. In the schedule list, select the schedule you want to delete, and then click Delete.
 10. To close the Report Scheduler Tasks form, click Close.

Configure Windows Task Scheduler to run the default SEM Batch Reports
The SEM reports application includes a default batch set of .ini files used to schedule reports.
These files contain the configurations necessary to schedule several best-practice reports on either a
daily or weekly basis, depending on the scope.

Prepare the INI file


Modify the default .ini files in the SEM reports installation directory to specify the hostname of the
SEM Manager or SEM database in your environment, and the export destination for your scheduled
reports.




To modify the default INI files:

 1. Navigate to the SEM Reports installation directory and open the SchedINI folder:
 • On 32-bit computers: C:\Program Files\SolarWinds Security Event Manager Reports
 • On 64-bit computers: C:\Program Files (x86)\SolarWinds Security Event Manager Reports

 2. Open each of the BRPT*.ini files in a text editor and make the following changes:
 • Replace the default value next to Manager1 with the hostname of the SEM Manager or
database appliance in your environment. Use the hostname of your SEM database
appliance if you have a dedicated appliance to store your normalized SEM alert data.
 • Modify the ExportDest file path if you want to customize the location to which SEM
Reports saves the exported reports. The default file path is
%ProgramFiles%\SolarWinds Security Event Manager Reports\Export.

 3. Save your changes and close the files.
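The two edits from Step 2, applied to every BRPT*.ini file at once, as an added example (not SolarWinds code). The install directory and the SchedINI folder name come from Step 1; the key=value layout is assumed from the sample scheduled-report INI shown later in this guide, and the hostname and UNC share in the usage are placeholders.

```python
"""Apply the two edits from Step 2 above to every BRPT*.ini file at once.
Added example, not SolarWinds code: the install directory and the SchedINI
folder name come from the guide; the key=value layout is assumed from the
sample scheduled-report INI shown later in this guide."""
import glob
import os
import re

KEY_LINE = re.compile(r"^(\s*)(Manager1|ExportDest)(\s*=)(.*?)(\r?\n?)$")


def update_batch_ini(text, manager_host, export_dest=None):
    """Return `text` with Manager1 set to `manager_host` and, when given,
    ExportDest set to `export_dest`; every other line passes through untouched.

    The rewrite is line based rather than via configparser so that key case,
    section order and line endings survive.  A file without a Manager1 line is
    rejected, so a stray or mis-named INI is not silently left pointing at the
    default manager."""
    wanted = {"Manager1": manager_host}
    if export_dest is not None:
        wanted["ExportDest"] = export_dest
    seen, out = set(), []
    for line in text.splitlines(keepends=True):
        m = KEY_LINE.match(line)
        if m and m.group(2) in wanted:
            key = m.group(2)
            seen.add(key)
            line = f"{m.group(1)}{key}{m.group(3)}{wanted[key]}{m.group(5)}"
        out.append(line)
    if "Manager1" not in seen:
        raise ValueError("no Manager1 line found; is this a BRPT*.ini file?")
    return "".join(out)


def prepare_batch_inis(install_dir, manager_host, export_dest=None):
    """Rewrite every SchedINI/BRPT*.ini under `install_dir`; returns the paths changed."""
    pattern = os.path.join(install_dir, "SchedINI", "BRPT*.ini")
    touched = []
    for path in sorted(glob.glob(pattern)):
        # newline="" and surrogateescape round-trip CRLF and any non-UTF-8 bytes unchanged
        with open(path, "r", encoding="utf-8", errors="surrogateescape", newline="") as fh:
            text = fh.read()
        new_text = update_batch_ini(text, manager_host, export_dest)
        if new_text != text:
            with open(path, "w", encoding="utf-8", errors="surrogateescape", newline="") as fh:
                fh.write(new_text)
            touched.append(path)
    return touched


if __name__ == "__main__":
    # Placeholders: the 64-bit default install path from Step 1, an invented hostname and share.
    install = r"C:\Program Files (x86)\SolarWinds Security Event Manager Reports"
    for p in prepare_batch_inis(install, "sem-db01.corp.example", r"\\fileserver\sem-reports"):
        print("updated", p)
```

If you point ExportDest at a network share, remember that the account the scheduled task runs as (not the account running this script) needs write access to it.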

Schedule the Reports to Run using Windows Task Scheduler


Schedule your batch reports to run using Windows Task Scheduler. Complete the following procedure
twice: once for the daily reports and once for the weekly reports.

 1. Create a new scheduled task by opening Control Panel > Administrative Tools > Task Scheduler.
 2. Select Task Scheduler Library.
 3. In the Actions pane, click Create Basic Task.
 4. Enter a name for your task that reflects the frequency of the scheduled task. For example, enter
SEM Reports - Weekly for the weekly task, and then click Next.

 5. Select Daily or Weekly, depending on what batch of reports you are scheduling, and then click
Next.
 6. Set the start time and frequency for your scheduled reports, and then click Next.
 l For the daily task: 1 AM, Recur every 1 Day
 l For the weekly task: 3 AM, Recur every 1 week, Monday

 7. Select Start a program, and then click Next.


 8. For the Program/script field, click Browse to browse for SWSEMReports.exe. See Step 1 in
Prepare the INI file for the default installation paths.
 9. In the Add arguments (optional) field, enter the following, according to the task being created:
 • For the daily task: /l "%ProgramFiles%\SchedINI\BATCHDay.ini"
 • For the weekly task: /l "%ProgramFiles%\SchedINI\BATCHWeek.ini"
 • Use the %ProgramFiles(x86)% environment variable on 64-bit computers.
 • The /l at the beginning of the argument is optional. It makes SWSEMReports.exe write a log
file called SWSEMReports.log when Task Scheduler runs your task. The file is saved in
%ProgramFiles%\SolarWinds Security Event Manager Reports.
 10. Click Next.
 11. To verify the task details on the Summary dialog, select Open the Properties dialog for this task
when I click Finish, and then click Finish.
 12. To change the user account the task scheduler should use to complete the task, click Change
User or Group.
 • Provide a user with administrator level permissions.
 • If you specified a network location for ExportDest in Step 2 in Prepare the INI file, provide a
user with write permissions to that folder.
 • Use a service account to avoid having to maintain the task according to your password
change policy. Task Scheduler stores this account's password so that the task can run while
nobody is logged on, so treat the account as privileged: give it a long, unique password and
do not reuse it for interactive logons.
 13. On the Properties dialog, select Run whether user is logged on or not.
 14. Select Run with highest privileges.
 15. Under Configure for, select the appropriate operating system, and then click OK to save your
changes and exit the Properties dialog.
 16. Enter the Windows password for the user specified for this task, and then click OK.
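The wizard steps above, as an added example (not SolarWinds code) that registers the same two tasks with schtasks.exe, which is the repeatable form when several reports hosts must be configured identically. Assumptions: the SchedINI folder sits under the installation directory from Step 1 of Prepare the INI file (the guide writes the argument relative to %ProgramFiles%); the install path and the CORP\svc-semreports account are placeholders. Supplying /RU with a user account and letting schtasks prompt for the password creates the task as Run whether user is logged on or not without the password appearing in a script or shell history, and /RL HIGHEST is the command-line form of Run with highest privileges.

```python
"""Register the daily and weekly batch-report tasks with schtasks.exe instead of
clicking through Create Basic Task.  Added example, not SolarWinds code.
Assumptions: the SchedINI folder lives under the installation directory from
Step 1 of Prepare the INI file (the guide writes the argument relative to
%ProgramFiles%); the install path and the CORP\\svc-semreports account below
are placeholders.  Paths are built with ntpath so the result is a Windows
command line even when the script is inspected on another platform."""
import ntpath
import subprocess
import sys


def report_task_command(install_dir, ini_name, task_name, schedule, start_time,
                        run_as, day=None, log=True):
    """Build the schtasks /Create argument list for one SWSEMReports.exe batch run.

    schedule is DAILY or WEEKLY (schtasks /SC values); start_time is HH:MM;
    day is the /D value for weekly tasks, e.g. MON.  /RP is deliberately
    omitted so that schtasks prompts for the password instead of it being
    written into a script or shell history; /RL HIGHEST is the CLI form of
    "Run with highest privileges"."""
    exe = ntpath.join(install_dir, "SWSEMReports.exe")
    ini = ntpath.join(install_dir, "SchedINI", ini_name)
    # The action: exe, optional /l logging flag, INI path, each quoted because of the spaces.
    action = f'"{exe}" {"/l " if log else ""}"{ini}"'
    cmd = ["schtasks", "/Create", "/TN", task_name, "/TR", action,
           "/SC", schedule, "/ST", start_time,
           "/RU", run_as, "/RL", "HIGHEST",
           "/F"]  # replace an existing task of the same name rather than fail
    if schedule == "WEEKLY":
        if not day:
            raise ValueError("weekly tasks need a day for /D, e.g. MON")
        cmd += ["/D", day]
    elif day:
        raise ValueError("/D only applies to WEEKLY tasks")
    return cmd


def batch_report_tasks(install_dir, run_as):
    """The two tasks the guide describes: 1 AM daily and 3 AM every Monday."""
    return [
        report_task_command(install_dir, "BATCHDay.ini", "SEM Reports - Daily",
                            "DAILY", "01:00", run_as),
        report_task_command(install_dir, "BATCHWeek.ini", "SEM Reports - Weekly",
                            "WEEKLY", "03:00", run_as, day="MON"),
    ]


if __name__ == "__main__":
    install = r"C:\Program Files (x86)\SolarWinds Security Event Manager Reports"
    for cmd in batch_report_tasks(install, r"CORP\svc-semreports"):
        print(" ".join(cmd))
        if sys.platform == "win32":  # run from an elevated prompt on the reports host
            subprocess.run(cmd, check=True)
```

After registration, `schtasks /Query /TN "SEM Reports - Daily" /V /FO LIST` shows the action string and the account the task runs as, which is the quickest way to confirm the INI path was built correctly before the 1 AM run.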

Default Report Schedules


Once configured, the scheduled tasks run and export the following reports:

Daily Reports

 • EventSummary.pdf
 • SubscriptionsByUser.pdf
 • Incidents.pdf
 • NetworkTrafficAudit.rpt

Weekly Reports

 • MaliciousCode.rpt
 • NetSuspicious.rpt
 • NetAttackAccess.rpt
 • NetAttackDenial.rpt
 • Authentication.rpt
 • FileAudit.rpt
 • MachineAudit.rpt
 • ResourceConfiguration.rpt

 • You can open reports with the .rpt extension in the SEM reports application for filtering
and exporting. If another program such as Crystal Reports is associated with the .rpt file
type, open SEM Reports first and then click Open on the Settings tab, rather than
double-clicking the file.
 • When you schedule a report from the reports application, its RPTxxxxx-x.ini file is written
to the SchedINI directory and stays there even if you later remove the task from Windows
Task Scheduler. To fold such a report into a batch, rename RPTxxxxx-x.ini to
BRPTxxxxx-x.ini and add it to BATCHDay.ini or BATCHWeek.ini.

Edit a scheduled report in the Task Scheduler


When you create custom and scheduled reports, SolarWinds recommends that you document your
procedures for disaster recovery. Back up the SchedINI and CustomReports folders along with that
documentation, since the schedules and custom reports are stored there as plain files.

The scheduled report INI files are located in Program Files\SolarWinds Security Event
Manager Reports\SchedINI. These INI files are generated automatically when you schedule a
report in the SEM reports application. If you need to edit an INI file or change a report format,
enter the number of the format after the equal sign on the ExportFormat= line, and set
ExportDesc= to the matching format name (in the example below, EXCEL and 1).

The following table identifies the number assigned to each possible format for a SEM report.

Number  Report Format
1       Excel: MS Excel 97-2000, with headings format
2       Exceldata: MS Excel 97-2000, data only format
3       HTML32: HTML version 3.2 format
4       HTML40: HTML version 4.0 format
5       PDF: Adobe Portable Document format
6       RTF: Rich Text Format
7       CSV: Comma Separated Values text format
8       TAB: Tab Separated text format
9       Text: Text based report format
10      Word: MS Word Document format
11      XML: XML Document format
12      RPT: Crystal RPT w/ Data format
Below is an example of a SEM scheduled report INI file:

[TaskSetup]
Keyword=2009331
Filename=C:\Program Files\SolarWinds Security Event Manager Reports\Reports\RPT2009-33-1.rpt
[DSNManager]
Manager1=sherman
[RptParams]
RptDateRangeDesc=DAY_P
RptDateRange=2
RptStartTime=12:00:00 AM
RptStopTime=11:59:59 PM
TopN=20
[Export]
DoExport=T
ExportDesc=EXCEL
ExportFormat=1
ExportDest=C:\Program Files\SolarWinds Security Event Manager Reports\Export
ExportFileName=format1.xls
ExportOverWrite=INCREMENT
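The format table and the sample INI above, together with the If File Exists behaviour from Step 7: Export a scheduled report, as an added example (not SolarWinds code) that parses a scheduled-report INI, checks the [Export] section for the inconsistencies a hand edit tends to introduce, and computes the name an Increment export receives. The format numbers and the sample file are the guide's; the expected file extension per format and the rule that ExportDesc must name the same format as ExportFormat are assumptions.

```python
"""Parse a scheduled-report INI like the sample above, check its [Export]
section, and work out the file name an Increment export receives.  Added
example, not SolarWinds code.  The format numbers and the sample file are the
guide's; the expected extension per format and the rule that ExportDesc must
name the same format as ExportFormat are assumptions."""
import configparser
import os

# Number -> ExportDesc name, from the format table above.
EXPORT_FORMATS = {1: "EXCEL", 2: "EXCELDATA", 3: "HTML32", 4: "HTML40", 5: "PDF", 6: "RTF",
                  7: "CSV", 8: "TAB", 9: "TEXT", 10: "WORD", 11: "XML", 12: "RPT"}
# Extension a practitioner would expect per format (assumption, not from the guide).
EXPECTED_EXT = {1: ".xls", 2: ".xls", 3: ".html", 4: ".html", 5: ".pdf", 6: ".rtf",
                7: ".csv", 8: ".txt", 9: ".txt", 10: ".doc", 11: ".xml", 12: ".rpt"}

# The guide's sample INI.
SAMPLE_INI = """[TaskSetup]
Keyword=2009331
Filename=C:\\Program Files\\SolarWinds Security Event Manager Reports\\Reports\\RPT2009-33-1.rpt
[DSNManager]
Manager1=sherman
[RptParams]
RptDateRangeDesc=DAY_P
RptDateRange=2
RptStartTime=12:00:00 AM
RptStopTime=11:59:59 PM
TopN=20
[Export]
DoExport=T
ExportDesc=EXCEL
ExportFormat=1
ExportDest=C:\\Program Files\\SolarWinds Security Event Manager Reports\\Export
ExportFileName=format1.xls
ExportOverWrite=INCREMENT
"""


def parse_report_ini(text):
    # "=" only: the default delimiters also include ":", which would split
    # RptStartTime=12:00:00 AM and the C:\ paths in the wrong place.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep Manager1, ExportDest ... in their original case
    cp.read_string(text)
    return cp


def check_export_section(cp):
    """List the problems in [Export]; an empty list means the section is consistent."""
    problems = []
    exp = cp["Export"]
    if exp.get("DoExport", "F").upper() != "T":
        return problems  # nothing is exported; the report goes to the default printer
    try:
        fmt = int(exp["ExportFormat"])
    except (KeyError, ValueError):
        return ["ExportFormat is missing or not a number"]
    if fmt not in EXPORT_FORMATS:
        problems.append(f"ExportFormat {fmt} is not in the 1-12 table")
    else:
        desc = exp.get("ExportDesc", "")
        if desc.upper() != EXPORT_FORMATS[fmt]:
            problems.append(f"ExportDesc {desc!r} does not match ExportFormat {fmt} ({EXPORT_FORMATS[fmt]})")
        name = exp.get("ExportFileName", "")
        if os.path.splitext(name)[1].lower() != EXPECTED_EXT[fmt]:
            problems.append(f"ExportFileName {name!r} does not end in {EXPECTED_EXT[fmt]}")
    if exp.get("ExportOverWrite", "").upper() not in ("INCREMENT", "OVERWRITE"):
        problems.append("ExportOverWrite must be INCREMENT or OVERWRITE")
    return problems


def next_export_name(file_name, existing, mode="INCREMENT"):
    """File name the next export gets, given the names already in ExportDest.

    INCREMENT appends _1, _2, ... to the stem until the name is free, which
    is the [FileName]_1.pdf pattern from Step 7; OVERWRITE reuses the name."""
    if mode.upper() == "OVERWRITE" or file_name not in existing:
        return file_name
    stem, ext = os.path.splitext(file_name)
    n = 1
    while f"{stem}_{n}{ext}" in existing:
        n += 1
    return f"{stem}_{n}{ext}"


if __name__ == "__main__":
    cfg = parse_report_ini(SAMPLE_INI)
    print("manager:", cfg["DSNManager"]["Manager1"], "problems:", check_export_section(cfg) or "none")
    print(next_export_name("format1.xls", {"format1.xls", "format1_1.xls"}))  # format1_2.xls
```

Changing ExportFormat=1 to 5 without touching ExportDesc or ExportFileName is the kind of edit `check_export_section` is meant to catch: it reports both the EXCEL/PDF mismatch and the .xls extension.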

Create a custom SEM report


This section describes how to customize a SEM report.

To view a tutorial about filtering and exporting SEM Reports, see:


http://video.solarwinds.com/watch/pMuk9eqsTPtja99u4EUvrx




Create a custom report in the SEM reports application


If you want to report on a specific event (such as a user logon failure), you can create a custom
report that filters on a specific field. Use the field list in the left column of the report to select
the field for your report.

 1. Run a report. See Run an on-demand report in the SEM reports application for help.
The report opens on the View tab.
 2. In the left column of the report, select the field you want to query.

 3. On the View tab, examine the report to identify the value you want to use in your filter.

Hover over any value in the report to view a tooltip that contains its complete field name
as it is used in Select Expert.

 4. Click Select Expert.


The Select Expert dialog box opens.

The Select Expert tool filters the report to show only the type of data that you want to see
in your custom report. See Use the Select Expert tool to create a more focused report for
more information.

 5. Click New.


The Fields dialog box opens.




 6. Select a field to report on, and then click OK.

 7. From the Boolean drop-down list, select the comparison operator.

 8. Select or enter a second value. Click New to select or enter additional fields and expand your
query.

 9. Click OK.


Select Expert filters the report down to the records that match your query.
All fields are listed as column labels across the top. You can also hover over data to display
the reported field.




 10. To print your report, click Print.


 11. To export your report to a PDF, Word Document, or other format, click Export.

Export and save a copy of the filtered SEM report with a new name
 1. Create and run the custom report. See Create a custom report in the SEM reports application
for help.
 2. On the View tab, click Export.
The Export dialog box opens.
 3. Select Crystal Reports (RPT) from the Format menu.
Leave Destination set to Disk file, and then click OK.
 4. In the Save File window, navigate to the following folder:
C:\Program Files (x86)\SolarWinds Security Event Manager Reports\CustomReports

This is the default location for 64-bit operating systems. If you are using a 32-bit
operating system, the default folder is
C:\Program Files\SolarWinds Security Event Manager Reports\CustomReports.

 5. In the File name field, type a name for your filtered report. This file name identifies the
report under Custom Reports.
 6. Click Save.




Open a custom report in the SEM reports application


 1. Open the SEM reports application. See Open the SEM reports application for steps.
 2. In the Reports window, click the Settings tab.
 3. In the Category list, select Custom Reports.
 4. On the Quick Access toolbar, click the Refresh Report List icon or press F5.
When the refresh completes, the new custom report appears in the list, and displays any
changes made to its Properties.
 5. Launch your custom report for any time frame.

Use the Select Expert tool to create a more focused SEM report

The Select Expert tool lets you execute queries to create a smaller, more focused report from a larger
text-based report.

You can use this tool when you are viewing the text-based view of a report in the Preview frame. You
cannot use this tool with the default graphical view displayed when you first run the report.


If using the Select Expert to filter report data by date or time fields (such as InsertionTime or
DetectionTime) results in an error, clear the error prompt, return to the Select Expert, and
delete the time-based filter. To filter by time and date, you must run the report with the
specified range.

View the text-based details of a report


In the View tab, click the tree button to open the subtopics in the reports list. Click the content-based
subtopic to jump to that section of the report.

Run a report query using the Select Expert tool


 1. Run a report. See Run an on-demand report in the SEM reports application for help.
The report opens on the View tab.




 2. On the View tab, locate the View group, and then click Select Expert.
 3. Click either the New button or the <New> tab.

The Fields form appears with the various report fields you can query on this report.

Click Browse to display a list of available fields you can select with the tool.
 4. Select the field you want to query, and then click OK.
The Select Expert form appears.




The first tab displays your selected field name. It lists the query options for that field and
includes an adjacent list where you can select a specific value.
 5. From the left drop-down list, select a query option for the field.
 6. From the adjacent drop-down list, select a specific value for the field.
You can click Browse Data to view a complete list of values in the report for that field. From the
Browse Data box, you can select a value, and then click Close to apply that value to the query.

 7. Repeat Steps 3 – 6 for each field you want to add to the query.
 8. To close the form and apply the query, click OK.
The new report appears in the Preview frame.
You can use the Preview frame’s toolbar to save or export the report.
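The Select Expert query above, as an added example (not SolarWinds or Crystal Reports code) that applies a set of field, query-option and value conditions to constructed report records and refuses time-based fields, as the note in this section advises. The operator labels are assumed from Crystal Reports' Select Expert, the conditions are combined with AND as separate Select Expert tabs are, and the sample records are invented.

```python
"""Apply Select Expert style conditions to report records.  Added example, not
SolarWinds or Crystal Reports code.  Assumptions: the operator labels follow
Crystal Reports' Select Expert (is equal to, is one of, starts with, is like
...), separate conditions combine with AND as separate Select Expert tabs do,
and the sample records are invented."""
import fnmatch

# Fields the guide says cannot be filtered here; the report's run range handles them instead.
TIME_FIELDS = {"InsertionTime", "DetectionTime"}

# Constructed records, shaped like the rows of a logon-failure report.
RECORDS = [
    {"EventName": "UserLogonFailure", "SourceMachine": "ws-0042",
     "DestinationAccount": "jdoe", "InsertionTime": "2022-12-09 08:01:12"},
    {"EventName": "UserLogonFailure", "SourceMachine": "ws-0042",
     "DestinationAccount": "admin", "InsertionTime": "2022-12-09 08:01:15"},
    {"EventName": "UserLogon", "SourceMachine": "srv-dc01",
     "DestinationAccount": "jdoe", "InsertionTime": "2022-12-09 08:02:40"},
    {"EventName": "UserLogonFailure", "SourceMachine": "srv-dc01",
     "DestinationAccount": "svc-backup", "InsertionTime": "2022-12-09 08:03:07"},
]

OPERATORS = {
    "is equal to": lambda value, wanted: value == wanted,
    "is not equal to": lambda value, wanted: value != wanted,
    "is one of": lambda value, wanted: value in wanted,
    "is not one of": lambda value, wanted: value not in wanted,
    "starts with": lambda value, wanted: value.startswith(wanted),
    "is like": lambda value, wanted: fnmatch.fnmatchcase(value, wanted),  # * and ? wildcards
}


def select_expert(records, conditions):
    """Return the records matching every (field, operator, value) condition.

    Raises ValueError for a time field or an unknown operator before touching
    any record, mirroring the error the guide says the dialog produces."""
    for field, operator, _ in conditions:
        if field in TIME_FIELDS:
            raise ValueError(f"{field}: set the report's start/end range instead of filtering on time")
        if operator not in OPERATORS:
            raise ValueError(f"unknown query option {operator!r}")
    return [
        rec for rec in records
        if all(OPERATORS[op](rec[field], wanted) for field, op, wanted in conditions)
    ]


if __name__ == "__main__":
    hits = select_expert(RECORDS, [("EventName", "is equal to", "UserLogonFailure"),
                                   ("SourceMachine", "starts with", "ws-")])
    for rec in hits:
        print(rec["InsertionTime"], rec["SourceMachine"], rec["DestinationAccount"])
```

Each tuple in `conditions` corresponds to one tab in the Select Expert dialog; deleting all of them (an empty list) restores the full report, which is what the Delete button in the next subsection does.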




Restore the original report after using the Select Expert tool
When you are through querying a report with the Select Expert tool, you can restore the report to its
original state.

To turn off the Select Expert settings:

 1. On the View tab in the View group, click Select Expert.
The Select Expert form appears.

 2. To remove the query options, click Delete.


 3. Click OK.
The original report appears in the Preview frame.

Manage SEM reports: Open, print, and more


This section describes how to manage SEM reports in the reports application.

Open your saved reports


Whenever a report is saved or exported to RPT format, you can use the Open command to reopen and
view the report contents. This applies to scheduled reports that the system ran and saved, as well as
on-demand reports that you ran and exported for later viewing.




 1. Open the SEM reports application. See Open the SEM reports application for steps.
 2. Click the Menu button, and then select Open Report.
The Open Report File form appears.

 3. Use the Open Report File form to locate the report file you want to view.
If you cannot locate the report, be sure you selected Crystal Reports (*.rpt) in the File type list.
 4. Select the file and click Open.
The report opens in the Reports Preview pane.

View the primary report sections


Some standard reports are primary reports. A primary report is a report that includes a series of
subtopics, where each subtopic contains a specific set of details about the higher-level topic.
Together, these topics create the report, similar to chapters in a book.

When a report includes more than one subtopic, a subtopic pane appears in the Preview pane. The
subtopic pane lists the subtopics found in the report. If you click a subtopic, the Preview pane
displays the first page of that section of the report.




To view a section of a primary report, select the subtopic you want to review. The Preview pane
displays the first page of that section in the report.

Hide and show a primary report subtopic pane


When you preview a primary report, Tree is enabled in the View tab. Click Tree to toggle between
hiding and revealing the report’s subtopic pane.

You can hide the subtopic pane in the View group by clicking Tree. The subtopic pane is hidden, as
shown below.




To restore the subtopic pane, click Tree again. The subtopic pane appears again.

View the report pages


In the reports application, the Navigate group provides tools to browse through the pages of a multi-
page report. If the report includes only one page, the toolbar is disabled.

Use the first-page and last-page buttons to jump to the beginning or end of the report, and the
previous-page and next-page buttons to step through it one page at a time.

The Page field displays the page number currently active in the Preview frame, as well as the total
number of pages in the report. A plus (+) next to a page number indicates additional pages in the
report.

To determine how many pages are in the report, click the last-page button in the toolbar. This takes
you to the last page of the report, forcing the reports application to count the pages, and the +
is replaced by the actual number of pages.

You can also use this feature to display a particular page of the report. In the Page box, enter a page
number you want to view and press Enter. The Preview frame displays your selected page.




Magnify and reduce report pages


Use the Zoom feature to resize a report. You can select a percentage or have the report expand or
reduce to fit the Preview pane. Click the Zoom drop-down menu and select an option to resize your
report in the Preview pane.

Stop a report in progress


To stop a report that is running or loading, click Stop on the status bar.

Edit a scheduled report task


When required, you can edit a scheduled report task or task schedule by editing the task settings. This
process allows you to modify your report scheduling when conditions change within your
organization.

 1. Open the Reports application. See Open the SEM reports application for steps.
 2. Click the Settings tab.
 3. From the Category drop-down list, select Standard Reports or Custom Reports.


 4. In the Report Title column, select the report that requires a schedule change, and then click
Schedule.
 5. In the Report Scheduler Tasks window, select the report schedule you want to edit, and then
click Modify.
 6. In the Scheduler window, edit the Task, Schedule, and Settings tabs as required.
To change the settings for a particular schedule, click the Schedule tab and select the schedule
you want to change. Use the boxes to change the settings, and then click Apply.
 7. To close the window, click OK.
 8. Make any additional changes to the Report Settings as required in the Report Schedule Tasks
window.
 9. Click Save.
 10. To close the Report Scheduler Tasks window, click Close.

Export a report
You can export a report from the Preview pane into several formats, including:
 l Adobe Portable Document File (PDF)
 l Crystal Reports RPT file
 l HTML
 l Microsoft Excel file

SEM officially supports PDF and RPT formats.

 1. In the Reports window, open or run the report you want to export.

The report appears in the Preview pane.


 2. On the View tab in the Output group, click Export.


The Export form appears.

 3. In the Format list, select the file type for the exported report.

The Description box at the bottom of the form describes your selected file format.

 4. Use the Destination list to browse to the folder where you want to save the file.
 5. Click OK.
The system saves the file in your selected format to your destination folder.

Print reports
You can print any report displayed in the Preview pane.

 1. In the Reports window, open or run the report you want to print.
The report appears in the Preview pane.


 2. On the View tab, click Print in the Output group.


 3. In the Print form, select the printer and any print options.
 4. Click Print.
The report is sent to your printer based on your print options.

Set up your printer preferences


Use the Printer Setup command to define the default print settings (such as Portrait or Landscape) for
printing your reports.

 1. In the Reports window, open or run the report you want to print.
The report appears in the Preview pane.
 2. On the View tab, click Printer Setup in the Preferences group.
 3. In the Page Setup dialog box, select the appropriate options.


 4. Click OK.

Your reports are printed according to the options you selected.

Default reports included with SEM


This section describes the reports included with SEM and suggests how often to run each report.

Scheduling terminology used in this topic


This section describes the scheduling terminology used in the reports table.

Daily: Run and review this report once each day.

Weekly: Run and review this report once each week.

As needed: SolarWinds suggests that you run these reports only when needed for specific auditing purposes, or when you need the details surrounding a Priority event or a suspicious event.

As requested: These reports are diagnostic tools and should be run only at the request of SolarWinds technical support personnel.

Audit reports included with SEM


The following table lists and describes each audit report, listed alphabetically by title.

Each entry gives the report title, followed in parentheses by the report file name and the suggested schedule, and then the report description.

Authentication Report (RPT2003-02.rpt; Weekly)
    This report lists all authentications tracked by the SolarWinds system, including user logon, logoff, failed logon attempts, guest logons, and so on.

Authentication Report - Authentication Audit (RPT2003-02-10.rpt; As needed)
    This report lists events related to the authentication and authorization of accounts and account "containers" such as groups or domains. These events can be produced by any network node, including firewalls, routers, servers, and clients.



Authentication Report - Suspicious Authentication (RPT2003-02-9.rpt; As needed)
    This report lists events related to suspicious authentication and authorization activity, including excessive failed authentication or authorization attempts, suspicious access by unauthenticated users, and suspicious access to unauthorized services or information.

Authentication Report - Top User Log On by User (RPT2003-02-6-2.rpt; As needed)
    This report lists the Top User Log On events grouped by user name.

Authentication Report - Top User Log On Failure by User (RPT2003-02-7-2.rpt; As needed)
    This report lists the Top User Log On Failure events grouped by user name.

Authentication Report - SolarWinds Authentication (RPT2003-02-8.rpt; As needed)
    This report shows logon, logoff, and logon failure activity for the SolarWinds Console.

Authentication Report - User Log Off (RPT2003-02-5.rpt; As needed)
    User Logoff events reflect account logoff events from network devices (including network infrastructure devices). Each event reflects the type of device from which the user was logging off. These events are usually normal, but they are tracked for consistency and auditing purposes.

Authentication Report - User Log On (RPT2003-02-6.rpt; As needed)
    User Logon events reflect user account logon events from network devices monitored by SolarWinds (including network infrastructure devices). Each event reflects the type of device that the logon was intended for, along with all other relevant fields.

Authentication Report - User Log On by User (RPT2003-02-6-1.rpt; As needed)
    This report lists all account logon events, grouped by user name.



Authentication Report - User Log On Failure (RPT2003-02-7.rpt; As needed)
    User Logon Failure events reflect failed account logon events from network devices (including network infrastructure devices). Each event reflects the point on the network where the user was attempting to log on. In large quantities these events may indicate a problem with a user or set of users, but as individual events they are generally not a concern.

Authentication Report - User Log On Failure by User (RPT2003-02-7-1.rpt; As needed)
    This report lists all account logon failure events, grouped by user name.

Change Management - General Authentication Related Events (RPT2006-20.rpt; As needed)
    This report includes changes to domains, groups, machine accounts, and user accounts.

Change Management - General Authentication: Domain Events (RPT2006-20-01.rpt; As needed)
    This report includes changes to domains, including new domains, new members, and modifications to domain settings.

Change Management - General Authentication: Domain Events - Change Domain Attribute (RPT2006-20-01-7.rpt; As needed)
    This report lists changes to domain type. These events are uncommon and are usually provided by the operating system. Usually these changes are made by a user account with administrative privileges, but occasionally a change happens when local system maintenance activity takes place.



Change Management - General Authentication: Domain Events - Change Domain Member (RPT2006-20-01-4.rpt; As needed)
    This report lists events that occur when an account or account container within a domain is modified, meaning that a user, machine, or service account within the domain has been changed. Usually these changes are made by a user account with administrative privileges, but occasionally an event occurs when local system maintenance activity takes place.

Change Management - General Authentication: Domain Events - Delete Domain (RPT2006-20-01-8.rpt; As needed)
    This report lists events that occur upon removal of a trust relationship between domains, deletion of a subdomain, or deletion of account containers within a domain. Usually these changes are made by a user account with administrative privileges.

Change Management - General Authentication: Domain Events - Delete Domain Member (RPT2006-20-01-3.rpt; As needed)
    This report lists events that occur when an account or account container has been removed from a domain. Usually these changes are made by a user account with administrative privileges, but occasionally they occur when local system maintenance activity takes place.

Change Management - General Authentication: Domain Events - Domain Member Alias (RPT2006-20-01-5.rpt; As needed)
    This report lists events that occur when the alias for a domain member has been changed, meaning that an account or account container within a domain has had an alias created, deleted, or otherwise modified. This event is uncommon and is used to track links between domain members and other locations in the domain where the member may appear.



Change Management - General Authentication: Domain Events - DomainAuthAudit (RPT2006-20-01-1.rpt; As needed)
    This report lists authentication, authorization, and modification events that relate only to domains, subdomains, and account containers. These events are normally produced by operating systems, but they can be produced by any network device.

Change Management - General Authentication: Domain Events - New Domain (RPT2006-20-01-6.rpt; As needed)
    This report lists events that occur upon creation of a new trust relationship between domains, creation of a new subdomain, or creation of new account containers within a domain. Usually these creations are performed by a user account with administrative privileges.

Change Management - General Authentication: Domain Events - New Domain Member (RPT2006-20-01-2.rpt; As needed)
    This report lists events that occur when an account or account container (a new user, machine, or service account) has been added to the domain. Usually these additions are made by a user account with administrative privileges, but occasionally they occur when local system maintenance activity takes place.

Change Management - General Authentication: Group Events (RPT2006-20-02.rpt; As needed)
    This report lists changes to groups, including new groups, members added to or removed from groups, and modifications to group settings.

Change Management - General Authentication: Group Events - Change Group Attribute (RPT2006-20-02-6.rpt; As needed)
    This report lists events that occur when a group type is modified. Usually these changes are made by a user account with administrative privileges, but occasionally they occur when local system maintenance activity takes place.



Change Management - General Authentication: Group Events - Delete Group (RPT2006-20-02-5.rpt; As needed)
    This report lists events that occur upon deletion of a group of any type. Usually these deletions are performed by a user account with administrative privileges.

Change Management - General Authentication: Group Events - Delete Group Member (RPT2006-20-02-3.rpt; As needed)
    This report lists events that occur when an account or group has been removed from a group. Usually these changes are made by a user account with administrative privileges, but occasionally they occur when local system maintenance activity takes place.

Change Management - General Authentication: Group Events - Group Audit (RPT2006-20-02-1.rpt; As needed)
    This report lists authentication, authorization, and modification events related only to account groups. These events are normally produced by operating systems, but they can be produced by any network device.

Change Management - General Authentication: Group Events - New Group (RPT2006-20-02-4.rpt; As needed)
    This report lists NewGroup events, which occur upon creation of a new group of any type. Usually these additions are made by a user account with administrative privileges.

Change Management - General Authentication: Group Events - New Group Member (RPT2006-20-02-2.rpt; As needed)
    This report lists NewGroupMember events, which occur when an account (or another group) has been added to a group; that is, a new user, machine, or service account has been added to the group. Usually these additions are made by a user account with administrative privileges, but occasionally an event occurs when local system maintenance activity takes place.



Change Management - General Authentication: Machine Account Events (RPT2006-20-03.rpt; As needed)
    This report includes changes to machine accounts, including enabling or disabling machine accounts and modifications to machine account settings.

Change Management - General Authentication: Machine Account Events - Machine Disabled (RPT2006-20-03-3.rpt; As needed)
    This report lists MachineDisable events, which occur when a machine account is actively disabled or when an account is forcibly locked out by the operating system or another authentication tool. These events are usually produced by the operating system and can indicate a problem with a computer or set of computers.

Change Management - General Authentication: Machine Account Events - Machine Enabled (RPT2006-20-03-1.rpt; As needed)
    This report lists MachineEnable events, which reflect the action of enabling a computer or machine account. These events are normally produced by the operating system and are triggered when a machine is "enabled", normally by a user with administrative privileges.

Change Management - General Authentication: Machine Account Events - Machine Modify Attribute (RPT2006-20-03-2.rpt; As needed)
    This report lists MachineModifyAttribute events, which occur when a computer or machine type is changed. These events are uncommon and are usually provided by the operating system.

Change Management - General Authentication: User Account Events (RPT2006-20-04.rpt; As needed)
    This report includes changes to user accounts, including enabling or disabling user accounts and modifications to user account settings.



Change Management - General Authentication: User Account Events - User Disabled (RPT2006-20-04-3.rpt; As needed)
    This report lists UserDisable events, which occur when a user account is actively disabled or when a user is forcibly locked out by the operating system or another authentication tool. These events are usually produced by the operating system and can indicate a problem with a user or set of users.

Change Management - General Authentication: User Account Events - User Enabled (RPT2006-20-04-1.rpt; As needed)
    This report lists UserEnable events, which reflect the action of enabling a user account. These events are normally produced by the operating system. They occur both when an account is unlocked after a lockout caused by unsuccessful logons and when an account is "enabled" in the traditional sense.

Change Management - General Authentication: User Account Events - User Modify Attributes (RPT2006-20-04-2.rpt; As needed)
    This report lists UserModifyAttribute events, which occur when a user type is changed. These events are uncommon and are usually provided by the operating system.

Change Management - Network Infrastructure: Policy/View Change (RPT2006-21.rpt; As needed)
    This report includes accesses to network infrastructure device policy, including viewing or changing device policy.

Change Management - Windows/Active Directory Domains: Group Created (RPT2006-22-01.rpt; As needed)
    This report includes creations of Windows/Active Directory groups.



Change Management - Windows/Active Directory Domains: Group Deleted (RPT2006-22-02.rpt; As needed)
    This report includes deletions of Windows/Active Directory groups.

Change Management - Windows/Active Directory Domains: Group Events (RPT2006-22.rpt; As needed)
    This report includes Windows/Active Directory group-related events.

Change Management - Windows/Active Directory Domains: Group Property Updated (RPT2006-22-03.rpt; As needed)
    This report includes changes to Windows/Active Directory group properties, such as the display name.

Change Management - Windows/Active Directory Domains: Machine Events (RPT2006-23.rpt; As needed)
    This report includes Windows/Active Directory machine-related events.

Change Management - Windows/Active Directory Domains: Machine Events - Account Created (RPT2006-23-01.rpt; As needed)
    This report includes creations of Windows/Active Directory machine accounts.

Change Management - Windows/Active Directory Domains: Machine Events - Account Deleted (RPT2006-23-02.rpt; As needed)
    This report includes deletions of Windows/Active Directory machine accounts.



Change Management - Windows/Active Directory Domains: Machine Events - Account Disabled (RPT2006-23-03.rpt; As needed)
    This report includes events in which Windows/Active Directory machine accounts are disabled.

Change Management - Windows/Active Directory Domains: Machine Events - Account Enabled (RPT2006-23-04.rpt; As needed)
    This report includes events in which Windows/Active Directory machine accounts are enabled.

Change Management - Windows/Active Directory Domains: Machine Events - Account Properties Update (RPT2006-23-05.rpt; As needed)
    This report includes changes to Windows/Active Directory machine account properties, such as the display name.

Change Management - Windows/Active Directory Domains: Machine Events - Added To Group (RPT2006-23-06.rpt; As needed)
    This report includes additions of Windows/Active Directory machine accounts to groups.

Change Management - Windows/Active Directory Domains: Machine Events - Added To OU (RPT2006-23-07.rpt; As needed)
    This report includes additions of Windows/Active Directory machine accounts to Organizational Units.



Change Management - Windows/Active Directory Domains: Machine Events - Removed From Group (RPT2006-23-08.rpt; As needed)
    This report includes removals of Windows/Active Directory machine accounts from groups.

Change Management - Windows/Active Directory Domains: Machine Events - Removed From OU (RPT2006-23-09.rpt; As needed)
    This report includes removals of Windows/Active Directory machine accounts from Organizational Units.

Change Management - Windows/Active Directory Domains: New Critical Group Members (RPT2006-22-04.rpt; As needed)
    This report includes additions of Windows/Active Directory user accounts to critical groups, such as Domain Admins or Enterprise Admins.

Change Management - Windows/Active Directory Domains: OU Events (RPT2006-24.rpt; As needed)
    This report includes Windows/Active Directory Organizational Unit-related events.

Change Management - Windows/Active Directory Domains: OU Events - OU Created (RPT2006-24-01.rpt; As needed)
    This report includes creation of Windows/Active Directory Organizational Units.

Change Management - Windows/Active Directory Domains: OU Events - OU Deleted (RPT2006-24-02.rpt; As needed)
    This report includes deletion of Windows/Active Directory Organizational Units.



Change Management - Windows/Active Directory Domains: OU Events - OU Properties Update (RPT2006-24-03.rpt; As needed)
    This report includes updates to Windows/Active Directory Organizational Unit properties, such as the display name.

Change Management - Windows/Active Directory Domains: User Events (RPT2006-25.rpt; As needed)
    This report includes Windows/Active Directory user-related events.

Change Management - Windows/Active Directory Domains: User Events - Account Created (RPT2006-25-01.rpt; As needed)
    This report includes creations of Windows/Active Directory user accounts.

Change Management - Windows/Active Directory Domains: User Events - Account Deleted (RPT2006-25-02.rpt; As needed)
    This report includes deletions of Windows/Active Directory user accounts.

Change Management - Windows/Active Directory Domains: User Events - Account Disabled (RPT2006-25-03.rpt; As needed)
    This report includes events in which Windows/Active Directory user accounts are disabled.

Change Management - Windows/Active Directory Domains: User Events - Account Enabled (RPT2006-25-04.rpt; As needed)
    This report includes events in which Windows/Active Directory user accounts are enabled.



Change Management - Windows/Active Directory Domains: User Events - Account Lockout (RPT2006-25-05.rpt; As needed)
    This report includes user-driven disables of Windows/Active Directory user accounts, such as a user triggering an excessive failed password limit.

Change Management - Windows/Active Directory Domains: User Events - Account Properties Updated (RPT2006-25-06.rpt; As needed)
    This report includes changes to Windows/Active Directory user account properties, such as the display name.

Change Management - Windows/Active Directory Domains: User Events - Added To Group (RPT2006-25-07.rpt; As needed)
    This report includes additions of Windows/Active Directory user accounts to groups.

Change Management - Windows/Active Directory Domains: User Events - Added To OU (RPT2006-25-08.rpt; As needed)
    This report includes additions of Windows/Active Directory user accounts to Organizational Units.

Change Management - Windows/Active Directory Domains: User Events - Removed From Group (RPT2006-25-09.rpt; As needed)
    This report includes removals of Windows/Active Directory user accounts from groups.



Change Management - Windows/Active Directory Domains: User Events - Removed From OU (RPT2006-25-10.rpt; As needed)
    This report includes removals of Windows/Active Directory user accounts from Organizational Units.

File Audit Events (RPT2003-05.rpt; Weekly)
    This report tracks file system activity associated with audited files and system objects, such as file access successes and failures.

File Audit Events - File Attribute Change (RPT2003-05-41.rpt; As needed)
    File Attribute Change is a specific File Write event generated for the modification of file attributes (including properties such as read-only status). These events may be produced by any tool used to monitor file usage, including a host-based IDS and some operating systems.

File Audit Events - File Audit (RPT2003-05-11.rpt; As needed)
    File Audit events track file activity on monitored network devices, usually through the operating system or a host-based IDS. These events note the success or failure of the requested operation.

File Audit Events - File Audit Failure (RPT2003-05-12.rpt; As needed)
    File Audit Failure events track failed file activity on monitored network devices, usually through the operating system or a host-based IDS. These events note which requested operation failed.

File Audit Events - File Create (RPT2003-05-42.rpt; As needed)
    File Create is a specific File Write event generated for the initial creation of a file. These events may be produced by any tool used to monitor file usage, including a host-based IDS and some operating systems.



File Audit Events - File Data Read (RPT2003-05-31.rpt; As needed)
    File Data Read is a specific File Read event generated for the operation of reading data from a file (not just the properties or status of a file). These events may be produced by any tool used to monitor file usage, including a host-based IDS and some operating systems.

File Audit Events - File Data Write (RPT2003-05-43.rpt; As needed)
    File Data Write is a specific File Write event generated for the operation of writing data to a file (not just the properties or status of a file). These events may be produced by any tool used to monitor file usage, including a host-based IDS and some operating systems.

File Audit Events - File Delete (RPT2003-05-44.rpt; As needed)
    File Delete is a specific File Write event generated for the deletion of an existing file. These events may be produced by any tool used to monitor file usage, including a host-based IDS and some operating systems.

File Audit Events - File Execute (RPT2003-05-32.rpt; As needed)
    File Execute is a specific File Read event generated for the operation of executing a file. These events may be produced by any tool used to monitor file usage, including a host-based IDS and some operating systems.

File Audit Events - File Handle Audit (RPT2003-05-21.rpt; As needed)
    File Handle Audit events track file handle activity on monitored network devices, usually through low-level access to the operating system, either natively or with a host-based IDS. These events note the success or failure of the requested operation.



File Audit Events - File Handle Close (RPT2003-05-22.rpt; As needed)
    File Handle Close is a specific File Handle Audit event generated for the closing of file handles. These events may be generated by a tool that has low-level file access, such as an operating system or some host-based IDSs.

File Audit Events - File Handle Copy (RPT2003-05-23.rpt; As needed)
    File Handle Copy is a specific File Handle Audit event generated for the copying of file handles. These events may be generated by a tool that has low-level file access, such as an operating system or some host-based IDSs.

File Audit Events - File Handle Open (RPT2003-05-24.rpt; As needed)
    File Handle Open is a specific File Handle Audit event generated for the opening of file handles. These events may be generated by a tool that has low-level file access, such as an operating system or some host-based IDSs.

File Audit Events - File Link (RPT2003-05-45.rpt; As needed)
    File Link is a specific File Write event generated for the creation, deletion, or modification of links to other files. These events may be produced by any tool used to monitor file usage, including a host-based IDS and some operating systems.

File Audit Events - File Move (RPT2003-05-46.rpt; As needed)
    File Move is a specific File Write event generated for the operation of moving a file that already exists. These events may be produced by any tool used to monitor file usage, including a host-based IDS and some operating systems.



File Audit Events - File Read (RPT2003-05-33.rpt; As needed)
    File Read is a specific File Audit event generated for the operation of reading files (including reading the properties or status of a file). These events may be produced by any tool used to monitor file usage, including a host-based IDS and some operating systems.

File Audit Events - File Write (RPT2003-05-47.rpt; As needed)
    File Write is a specific File Audit event generated for the operation of writing to a file (including writing the properties of a file or changing the status of a file). These events may be produced by any tool used to monitor file usage, including a host-based IDS and some operating systems.

File Audit Events - Object Audit (RPT2003-05-51.rpt; As needed)
    Object Audit events track special object activity on monitored network devices, usually through the operating system or a host-based IDS. Generally, objects are special types of system resources, such as registry items or user account databases. These objects may be actual files on the system, but they are not necessarily human-readable. These events note the success or failure of the requested operation.

File Audit Events - Object Audit Failure (RPT2003-05-52.rpt; As needed)
    Object Audit Failure events track special object activity on monitored network devices, usually through the operating system or a host-based IDS. Generally, objects are special types of system resources, such as registry items or user account databases. These objects may be actual files on the system, but they are not necessarily human-readable. These events note a failure of the requested operation.



File Audit Events - Object Delete (RPT2003-05-53.rpt; As needed)
    Object Delete is a specific Object Audit event generated for the deletion of an existing object. These events may be produced by any tool used to monitor file and object usage, including a host-based IDS and some operating systems.

File Audit Events - Object Link (RPT2003-05-54.rpt; As needed)
    Object Link is a specific Object Audit event generated for the creation, deletion, or modification of links to other objects. These events may be produced by any tool used to monitor file and object usage, including a host-based IDS and some operating systems.

Incident Events (RPT2006-19.rpt; Daily)
    This report tracks the Incident, HostIncident, HybridIncident, and NetworkIncident events that have been generated to reflect enterprise-wide issues.

Inferred Events (RPT2006-27.rpt; As needed)
    This report tracks events that are triggered by correlations built in the SolarWinds Rule Builder.

Inferred Events by Inference Rule (RPT2006-27-01.rpt; As needed)
    This report tracks events that are triggered by correlations, and orders them by the correlation rule name.

Log On/Off/Failure (RPT2003-03.rpt; Weekly)
    This report tracks activity associated with account events such as log on, log off, and log on failures. It is a refined version of the Authentication Report that does not include SolarWinds authentication events, and it is more appropriate for management reports or audit reviews than for regular use.



Network Traffic Audit (RPT2003-06.rpt; Daily, if needed)
    This report tracks activity associated with network traffic audit events such as TCP, IP, and UDP events. Specifically, it tracks regular network traffic activity, such as encrypted traffic, web traffic, and other forms of UDP, TCP, and ICMP traffic, giving you both an overview and some details of exactly what is flowing through your network. This report can be quite large.

Network Traffic Audit - Application Traffic (RPT2003-06-11.rpt; As needed)
    ApplicationTrafficAudit events reflect network traffic that is mostly or entirely application-layer data. Events that are children of ApplicationTrafficAudit also relate to application-layer resources. Events placed in the parent ApplicationTrafficAudit event itself are known to be application-related, but cannot be categorized further, either because the message provided by the tool does not allow it or because they are uncommon and rarely, if ever, imply network attack potential.

Network Traffic Audit - Application Traffic by Destination Machine (RPT2003-06-11-2.rpt; As needed)
    This report lists all Application Traffic events (such as WebTrafficAudit), grouped by destination machine/IP.

Network Traffic Audit - Application Traffic by Provider SID (RPT2003-06-11-3.rpt; As needed)
    This report lists all Application Traffic events (such as WebTrafficAudit), grouped by provider SID.

Network Traffic Audit - Application Traffic by Source Machine (RPT2003-06-11-1.rpt; As needed)
    This report lists all Application Traffic events (such as WebTrafficAudit), grouped by source machine/IP.



Network Traffic Audit - Application Traffic by Tool Alias
  File name: RPT2003-06-11-0.rpt
  Schedule: As needed
  Description: This report lists all Application Traffic events (such as WebTrafficAudit), grouped by the SolarWinds sensor tool alias that reported each event.

Network Traffic Audit - Configuration Traffic
  File name: RPT2003-06-02.rpt
  Schedule: As needed
  Description: Configuration Traffic Audit events reflect application-layer data related to configuration of network resources. Included in ConfigurationTrafficAudit are protocols such as DHCP, BootP, and SNMP. ConfigurationTrafficAudit events generally indicate normal traffic; however, events of this type could also be symptoms of misconfiguration, inappropriate usage, attempts to enumerate or access network devices or services, attempts to access devices that are configured via these services, or other abnormal traffic.

Network Traffic Audit - Core Traffic
  File name: RPT2003-06-03.rpt
  Schedule: As needed
  Description: CoreTrafficAudit events reflect network traffic sent over core protocols. Events that are children of CoreTrafficAudit are all related to the TCP, IP, UDP, and ICMP protocols. Events of this type and its children do not carry any application-layer data. Events placed in the parent CoreTrafficAudit event itself are known to be a core protocol, but cannot be further categorized based on the message provided by the tool.

Network Traffic Audit - Core Traffic by Destination Machine
  File name: RPT2003-06-03-2.rpt
  Schedule: As needed
  Description: This report lists all Core Traffic events (such as TCPTrafficAudit), grouped by destination machine/IP.

Network Traffic Audit - Core Traffic by Provider SID
  File name: RPT2003-06-03-3.rpt
  Schedule: As needed
  Description: This report lists all Core Traffic events (such as TCPTrafficAudit), grouped by provider SID.



Network Traffic Audit - Core Traffic by Source
  File name: RPT2003-06-03-1.rpt
  Schedule: As needed
  Description: This report lists all Core Traffic events (such as TCPTrafficAudit), grouped by source machine/IP.

Network Traffic Audit - Core Traffic by Tool Alias
  File name: RPT2003-06-03-0.rpt
  Schedule: As needed
  Description: This report lists all Core Traffic events (such as TCPTrafficAudit), grouped by the SolarWinds sensor tool alias that reported the event.

Network Traffic Audit - Encrypted Traffic
  File name: RPT2003-06-04.rpt
  Schedule: As needed
  Description: Encrypted Traffic Audit events reflect application-layer traffic that has been encrypted and is intended for a secure host. Included in Encrypted Traffic Audit are client and server side application events, such as key exchanges, that normally occur after the low-level session creation and handshaking have completed.

Network Traffic Audit - Link Control Traffic
  File name: RPT2003-06-05.rpt
  Schedule: As needed
  Description: Link Control Traffic Audit events are generated for network events related to link level configuration. Link Control Traffic Audit events generally indicate normal traffic; however, events of this type could also be symptoms of misconfiguration at the link level, inappropriate usage, or other abnormal traffic.

Network Traffic Audit - Network Traffic
  File name: RPT2003-06-06.rpt
  Schedule: As needed
  Description: Members of the Network Audit tree are used to define events centered on usage of network resources/bandwidth.

Network Traffic Audit - Point to Point Traffic
  File name: RPT2003-06-07.rpt
  Schedule: As needed
  Description: Point To Point Traffic Audit events reflect application-layer data related to point-to-point connections between hosts. Included in Point To Point Traffic Audit are encrypted and unencrypted point-to-point traffic.



Network Traffic Audit - Remote Procedure Traffic
  File name: RPT2003-06-08.rpt
  Schedule: As needed
  Description: Remote Procedure Traffic Audit events reflect application-layer data related to remote procedure services. Included in Remote Procedure Traffic Audit are the traditional RPC services used to service remote logons and file shares, and other services which require remote procedure access to complete authentication, pass data, or otherwise communicate. RemoteProcedureTrafficAudit events generally indicate normal traffic for networks that run remote procedure services; however, events of this type could also be symptoms of inappropriate access, misconfiguration of the remote procedure services, errors in the remote procedure calls, or other abnormal traffic.

Network Traffic Audit - Routing Traffic
  File name: RPT2003-06-09.rpt
  Schedule: As needed
  Description: Routing Traffic Audit events are generated for network events related to configuration of network routes, using protocols such as IGMP, IGRP, and RIP. RoutingTrafficAudit events generally indicate normal traffic; however, events of this type could also be symptoms of misconfigured routing, unintended route configuration, or other abnormal traffic.

Network Traffic Audit - Time Traffic
  File name: RPT2003-06-10.rpt
  Schedule: As needed
  Description: Time Traffic Audit events reflect application-layer data related to network time configuration. Included in TimeTrafficAudit are protocols such as NTP and activities such as detection of client-side network time updates.

Network Traffic Audit - Top Application Traffic by Source
  File name: RPT2003-06-01-2.rpt
  Schedule: As needed
  Description: This report lists the Top Application Traffic events (such as WebTrafficAudit), grouped by source machine/IP.



Network Traffic Audit - Top Core Traffic by Source
  File name: RPT2003-06-03-2.rpt
  Schedule: As needed
  Description: This report lists the Top Core Traffic events (such as TCPTrafficAudit), grouped by source machine/IP.

Network Traffic Audit - Web Traffic
  File name: RPT2003-06-01.rpt
  Schedule: As needed
  Description: WebTrafficAudit events reflect application-layer data related to web services. Included in WebTrafficAudit are client and server web events from web servers, web applications, content filter related events, and other web services. WebTrafficAudit events generally indicate normal traffic; however, events of this type could also be symptoms of inappropriate web usage, potential abuse of web services, or other abnormal traffic.

Network Traffic Audit - Web Traffic by Destination Machine
  File name: RPT2003-06-01-2.rpt
  Schedule: As needed
  Description: This report lists all WebTrafficAudit events grouped by destination machine/IP.

Network Traffic Audit - Web Traffic by Provider SID
  File name: RPT2003-06-01-3.rpt
  Schedule: As needed
  Description: This report lists Web Traffic Audit events grouped by provider SID.

Network Traffic Audit - Web Traffic by Source Machine
  File name: RPT2003-06-01-1.rpt
  Schedule: As needed
  Description: This report lists all WebTrafficAudit events grouped by source machine/IP.

Network Traffic Audit - Web Traffic by Tool Alias
  File name: RPT2003-06-01-0.rpt
  Schedule: As needed
  Description: This report lists Web Traffic Audit events grouped by tool alias.

Network Traffic Audit - Web URL Requests by Source Machine
  File name: RPT2003-06-01-5.rpt
  Schedule: As needed
  Description: This report lists the most frequently visited URLs grouped by the requesting client source machine.



Network Traffic Audit - Web URL Requests by Source Machine - Graphs
  File name: RPT2003-06-01-4.rpt
  Schedule: As needed
  Description: This report shows graphs of the most frequently visited URLs for each client source machine.

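The grouped reports above (by destination machine, source machine, provider SID, tool alias) and the "Top ... by Source" reports all apply the same two steps to a different slice of the event tree: decide whether an event falls under the category the report covers (a TCPTrafficAudit event counts for the Core Traffic reports; an event left in the parent ApplicationTrafficAudit itself counts for the Application Traffic reports), then count by the chosen field. The Python below is an added example of those two steps, not SEM code and not SEM's export format; the tree fragment below the named parents, the field names, and the sample events are constructed assumptions, and only the parent types the entries name are taken from the guide.

```python
from collections import Counter

# Fragment of the SEM event-type tree (child -> parent) as the report entries
# describe it. ASSUMPTIONS: NetworkAudit as the root is inferred from the
# "Network Audit tree" entry; the leaf names under the two Traffic parents are
# illustrative, only the parents are named in the guide.
EVENT_PARENT = {
    "NetworkTrafficAudit": "NetworkAudit",
    "ApplicationTrafficAudit": "NetworkTrafficAudit",
    "CoreTrafficAudit": "NetworkTrafficAudit",
    "WebTrafficAudit": "ApplicationTrafficAudit",
    "TCPTrafficAudit": "CoreTrafficAudit",
    "UDPTrafficAudit": "CoreTrafficAudit",
    "ICMPTrafficAudit": "CoreTrafficAudit",
}

# Constructed sample events. The field names are assumptions standing in for
# whatever an export carries; they are not SEM's schema.
SAMPLE_EVENTS = [
    {"EventType": "WebTrafficAudit", "SourceMachine": "10.0.0.5", "DestinationMachine": "203.0.113.10",
     "ProviderSID": "S-1-5-21-1001", "ToolAlias": "edge-fw"},
    {"EventType": "WebTrafficAudit", "SourceMachine": "10.0.0.5", "DestinationMachine": "203.0.113.20",
     "ProviderSID": "S-1-5-21-1001", "ToolAlias": "edge-fw"},
    {"EventType": "WebTrafficAudit", "SourceMachine": "10.0.0.7", "DestinationMachine": "203.0.113.10",
     "ProviderSID": "S-1-5-21-1002", "ToolAlias": "proxy"},
    # Left in the parent type itself: application-related but not further
    # categorizable, the case the Application Traffic entry describes.
    {"EventType": "ApplicationTrafficAudit", "SourceMachine": "10.0.0.9", "DestinationMachine": "203.0.113.30",
     "ProviderSID": "S-1-5-21-1003", "ToolAlias": "edge-fw"},
    {"EventType": "TCPTrafficAudit", "SourceMachine": "10.0.0.5", "DestinationMachine": "203.0.113.10",
     "ProviderSID": "S-1-5-21-1001", "ToolAlias": "edge-fw"},
    {"EventType": "ICMPTrafficAudit", "SourceMachine": "10.0.0.7", "DestinationMachine": "10.0.0.1",
     "ProviderSID": "S-1-5-21-1002", "ToolAlias": "core-switch"},
]


def lineage(event_type):
    """Return the type itself followed by each ancestor up to the root."""
    chain = []
    while event_type is not None:
        chain.append(event_type)
        event_type = EVENT_PARENT.get(event_type)
    return chain


def in_category(event, category):
    """True if the event's type is `category` itself or a descendant of it."""
    return category in lineage(event["EventType"])


def group_by(events, category, field):
    """The '<category> by <field>' reports: count matching events per field value.

    Returns [(value, count), ...] sorted by count descending, then by value,
    so the output is deterministic even when counts tie.
    """
    counts = Counter(ev[field] for ev in events if in_category(ev, category))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def top_by_source(events, category, n=3):
    """The 'Top ... Traffic by Source' reports: the n busiest source machines."""
    return group_by(events, category, "SourceMachine")[:n]


if __name__ == "__main__":
    for cat, field in [("ApplicationTrafficAudit", "SourceMachine"),
                       ("CoreTrafficAudit", "ToolAlias"),
                       ("NetworkTrafficAudit", "ProviderSID")]:
        print(f"{cat} by {field}: {group_by(SAMPLE_EVENTS, cat, field)}")
    print("Top application sources:", top_by_source(SAMPLE_EVENTS, "ApplicationTrafficAudit", 2))
```

Run as a script it prints the three groupings and the top-2 application sources; the functions apply unchanged to an exported event set once the field names are mapped, and the parent-rollup is what makes the Core Traffic reports pick up TCP, UDP and ICMP events without listing each leaf type.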
Resource Configuration
  File name: RPT2003-08.rpt
  Schedule: Weekly
  Description: The Resource Configuration report details events that relate to configuration of user accounts, machine accounts, groups, policies and their relationships, such as domain or group modification, policy changes, and creation of new network resources.

Resource Configuration - Authorization Audit
  File name: RPT2003-08-01.rpt
  Schedule: As needed
  Description: Events that are part of the Auth Audit tree are related to authentication and authorization of accounts and account containers such as groups or domains. These events can be produced from any network node including firewalls, routers, servers, and clients.

Resource Configuration - Domain Authorization Audit
  File name: RPT2003-08-02.rpt
  Schedule: As needed
  Description: Domain Auth Audit events are authentication, authorization, and modification events related only to domains, subdomains, and account containers. These events are normally operating system related; however, they could be produced by any network device.

Resource Configuration - Group Audit
  File name: RPT2003-08-03.rpt
  Schedule: As needed
  Description: Group Audit events are authentication, authorization, and modification events related only to account groups. These events are normally operating system related; however, they could be produced by any network device.



Resource Configuration - Machine Authorization Audit
  File name: RPT2003-08-04.rpt
  Schedule: As needed
  Description: Machine Auth Audit events are authentication, authorization, and modification events related only to computer or machine accounts. These events can be produced from any network node including firewalls, routers, servers, and clients, but are normally operating system related.

Resource Configuration - Policy Audit
  File name: RPT2003-08-06.rpt
  Schedule: As needed
  Description: Policy Audit events are used to track access, modification, scope change, and creation of authentication, domain, account, and account container policies. Many of these events reflect normal system traffic. Most PolicyAudit events are provided by the Operating System.

Resource Configuration - User Authorization Audit
  File name: RPT2003-08-05.rpt
  Schedule: As needed
  Description: User Auth Audit events are authentication, authorization, and modification events related only to user accounts. These events can be produced from any network node including firewalls, routers, servers, and clients.


Security reports included with SEM


The following list describes each of the security reports, alphabetically by title. Each entry gives the report title, its description, the report file name, and the default schedule.


Authentication Report - Failed Authentication
  File name: RPT2003-02-1.rpt
  Schedule: As needed
  Description: Failed Authentication events occur when a user has made several attempts to authenticate that have continuously failed, or when a logon failure is serious enough to merit a security event on a single failure.

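The Failed Authentication entry names two triggers: a run of repeated failures by one account, and a single failure serious enough on its own. The first is easy to get wrong without a time window (three mistyped passwords spread over a day are not the same signal as three in a minute), so the Python below is an added example of both triggers with a sliding window. It is not SEM's rule engine or log format; the line format, the three-failures-in-five-minutes threshold, the requirement that lines arrive in time order, and the list of reasons treated as serious on a single failure are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not a SEM or Windows format): one logon failure per
# line, "<ISO timestamp> LOGON_FAILURE user=<name> src=<ip> reason=<code>".
SAMPLE_LOG = """\
2022-12-09T08:00:01 LOGON_FAILURE user=alice src=10.0.0.5 reason=bad_password
2022-12-09T08:00:40 LOGON_FAILURE user=alice src=10.0.0.5 reason=bad_password
2022-12-09T08:01:15 LOGON_FAILURE user=alice src=10.0.0.5 reason=bad_password
2022-12-09T08:02:00 LOGON_FAILURE user=bob src=10.0.0.7 reason=account_disabled
2022-12-09T08:30:00 LOGON_FAILURE user=alice src=10.0.0.5 reason=bad_password
2022-12-09T09:10:00 LOGON_FAILURE user=carol src=10.0.0.9 reason=bad_password
2022-12-09T09:20:00 LOGON_FAILURE user=carol src=10.0.0.9 reason=bad_password
2022-12-09T09:40:00 LOGON_FAILURE user=carol src=10.0.0.9 reason=bad_password
"""

THRESHOLD = 3                  # this many failures by one account ...
WINDOW = timedelta(minutes=5)  # ... inside this span raise one event
# Failure reasons that merit an event on a single occurrence (assumed list).
SERIOUS_REASONS = {"account_disabled", "account_locked"}


def parse_line(line):
    """Split 'ts LOGON_FAILURE k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, _, rest = line.split(" ", 2)
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect(lines):
    """Return the Failed Authentication events the report would carry.

    Assumes `lines` are in time order, so each per-user deque stays sorted.
    """
    events = []
    recent = defaultdict(deque)  # user -> timestamps of failures still inside WINDOW
    for line in lines:
        rec = parse_line(line)
        window = recent[rec["user"]]
        window.append(rec["ts"])
        # Expire failures older than WINDOW relative to this one. The deque
        # always keeps the failure just appended, so the loop terminates.
        while rec["ts"] - window[0] > WINDOW:
            window.popleft()
        if rec["reason"] in SERIOUS_REASONS:
            events.append({"user": rec["user"], "src": rec["src"], "ts": rec["ts"],
                           "cause": rec["reason"], "count": 1})
        elif len(window) >= THRESHOLD:
            events.append({"user": rec["user"], "src": rec["src"], "ts": rec["ts"],
                           "cause": "repeated_failures", "count": len(window)})
            window.clear()  # one burst yields one event, not one per extra failure
    return events


if __name__ == "__main__":
    for ev in detect(SAMPLE_LOG.splitlines()):
        print(ev)
```

On the sample, alice's three failures inside 74 seconds produce one repeated-failure event, bob's single account_disabled failure produces one serious-failure event, and carol's three failures 10 and 20 minutes apart produce nothing, because the window drops each earlier failure before the count reaches the threshold.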
Authentication Report - Guest Login
  File name: RPT2003-02-2.rpt
  Schedule: As needed
  Description: This report shows logins to various Guest accounts.

Authentication Report - Restricted Information Attempt
  File name: RPT2003-02-3.rpt
  Schedule: As needed
  Description: Restricted Information Attempt events describe a user attempt to access local or remote information that their level of authorization does not allow. These events may indicate user attempts to exploit services which they are denied access to, or inappropriate access attempts to information.

Authentication Report - Restricted Service Attempt
  File name: RPT2003-02-4.rpt
  Schedule: As needed
  Description: Restricted Service Attempt events describe a user attempt to access a local or remote service that their level of authorization does not allow. These events may indicate user attempts to exploit services which they are denied access to, or inappropriate access attempts to services.

Console
  File name: RPT2003-10.rpt
  Schedule: As needed
  Description: The Console report shows every event that passes through the system in the given time interval. It mimics the basic management console view. It does not contain the same level of field detail, but it is useful to get a quick snapshot of activity for a period, a lunch hour, for example. This report can be very large, so you will only want to run it for small time intervals, such as hours.

Console - Overview
  File name: RPT2003-10-00.rpt
  Schedule: As needed
  Description: An overview of all events during the specified time range. Shows graphs of the most common generic event field data from the console report.



Event Summary - Attack Behavior Statistics
  File name: RPT2003-01-02.rpt
  Schedule: As needed
  Description: Event Summary Sub Report - Attack Behavior Statistics

Event Summary - Authorization Audit Statistics
  File name: RPT2003-01-03.rpt
  Schedule: As needed
  Description: Event Summary Sub Report - Authorization Audit Statistics

Event Summary - Graphs
  File name: RPT2003-01.rpt
  Schedule: Daily
  Description: The event summary report gathers statistical data from all major event categories, summarizes it with a one-hour resolution, and presents a quick, graphical overview of activity on your network.

Event Summary - Machine Audit Statistics
  File name: RPT2003-01-05.rpt
  Schedule: As needed
  Description: Event Summary Sub Report - Machine Audit Statistics

Event Summary - Policy Audit Statistics
  File name: RPT2003-01-06.rpt
  Schedule: As needed
  Description: Event Summary Sub Report - Policy Audit Statistics

Event Summary - Resource Audit Statistics
  File name: RPT2003-01-07.rpt
  Schedule: As needed
  Description: Event Summary Sub Report - Resource Audit Statistics

Event Summary - Suspicious Behavior Statistics
  File name: RPT2003-01-08.rpt
  Schedule: As needed
  Description: Event Summary Sub Report - Suspicious Behavior Statistics

Event Summary - Top Level Statistics
  File name: RPT2003-01-01.rpt
  Schedule: As needed
  Description: Event Summary Sub Report - Top Level Statistics



Machine Audit
  File name: RPT2003-09.rpt
  Schedule: Weekly
  Description: Track activity associated with machine process and service audit events. This report shows machine-level events such as software installs, patches, system shutdowns, and reboots. It can be used to assist in software license compliance auditing by providing records of installs.

Machine Audit - File System Audit
  File name: RPT2003-09-010.rpt
  Schedule: As needed
  Description: This report tracks activity associated with file system audit events, including mount file system and unmount file system events. These events are generally normal system activity, especially during system boot.

Machine Audit - File System Audit - Mount File System
  File name: RPT2003-09-012.rpt
  Schedule: As needed
  Description: Mount File System events are a specific type of File System Audit that reflect the action of creating an active translation between hardware and a usable file system. These events are generally normal during system boot.

Machine Audit - File System Audit - Unmount File System
  File name: RPT2003-09-013.rpt
  Schedule: As needed
  Description: Unmount File System events are a specific type of File System Audit that reflect the action of removing a translation between hardware and a usable file system. These events are generally normal during system shutdown.

Machine Audit - Process Audit
  File name: RPT2003-09-030.rpt
  Schedule: As needed
  Description: This report tracks activity related to processes, including processes that have started, stopped, or reported useful process-related information.

Machine Audit - Process Audit - Process Audit
  File name: RPT2003-09-031.rpt
  Schedule: As needed
  Description: This report lists Process Audit events that are generated to track launch, exit, status, and other events related to system processes. Usually, these events reflect normal system activity. Process-related activity that may indicate a failure will be noted separately from normal activity in the event detail.

Machine Audit - Process Audit - Process Info
  File name: RPT2003-09-032.rpt
  Schedule: As needed
  Description: Process Info is a specific type of Process Audit event that reflects information related to a process. Most of these events can safely be ignored, as they are generally normal activity that does not reflect a failure or abnormal state.



Machine Audit - Process Audit - Process Start
  File name: RPT2003-09-033.rpt
  Schedule: As needed
  Description: Process Start is a specific type of Process Audit event that indicates a new process has been launched. Usually, Process Start reflects normal system activity.

Machine Audit - Process Audit - Process Stop
  File name: RPT2003-09-034.rpt
  Schedule: As needed
  Description: Process Stop is a specific type of Process Audit event that indicates a process has exited. Usually, Process Stop reflects normal application exit; however, in the event of an unexpected error the abnormal state will be noted.

Machine Audit - Process Audit - Process Warning
  File name: RPT2003-09-035.rpt
  Schedule: As needed
  Description: Process Warning is a specific type of Process Audit event that indicates a process has returned a 'Warning' message that is not a fatal error and may not have triggered an exit of the process.

Machine Audit - Service Audit
  File name: RPT2003-09-040.rpt
  Schedule: As needed
  Description: This report tracks activity related to services, including services that have started, stopped, or reported useful service-related information or warnings.

Machine Audit - Service Audit - Service Info
  File name: RPT2003-09-041.rpt
  Schedule: As needed
  Description: This report tracks ServiceInfo events, which reflect information related to a particular service. Most of these events can safely be ignored, as they are generally normal activity that does not reflect a failure or abnormal state.

Machine Audit - Service Audit - Service Start
  File name: RPT2003-09-042.rpt
  Schedule: As needed
  Description: This report tracks ServiceStart events, which indicate that a new system service is starting.

Machine Audit - Service Audit - Service Stop
  File name: RPT2003-09-043.rpt
  Schedule: As needed
  Description: This report tracks ServiceStop events, which indicate that a system service is stopping. This activity is generally normal; however, in the event of an unexpected stop the abnormal state will be noted.

Machine Audit - Service Audit - Service Warning
  File name: RPT2003-09-044.rpt
  Schedule: As needed
  Description: This report lists ServiceWarning events. These events indicate a service has returned a Warning message that is not a fatal error and may not have triggered an exit of the service.

Machine Audit - System Audit
  File name: RPT2003-09-020.rpt
  Schedule: As needed
  Description: This report tracks activity associated with system status and modifications, including software changes, system reboots, and system shutdowns.



Machine Audit - System Audit - Machine Audit
  File name: RPT2003-09-021.rpt
  Schedule: As needed
  Description: Machine Audit events are used to track hardware or software status and modifications. These events are generally acceptable, but do indicate modifications to the client system that may be noteworthy.

Machine Audit - System Audit - Software Install
  File name: RPT2003-09-025.rpt
  Schedule: As needed
  Description: SoftwareInstall events reflect modifications to the system at a software level, generally at the operating system level (or equivalent, in the case of a network infrastructure device). These events are generated when a user updates a system or launches system-native methods to install third party applications.

Machine Audit - System Audit - Software Update
  File name: RPT2003-09-026.rpt
  Schedule: As needed
  Description: SoftwareUpdate is a specific type of SoftwareInstall that reflects a more current version of software being installed to replace an older version.

Machine Audit - System Audit - System Reboot
  File name: RPT2003-09-022.rpt
  Schedule: As needed
  Description: System Reboot events occur on monitored network devices (servers, routers, etc.) and indicate that a system has restarted.

Machine Audit - System Audit - System Shutdown
  File name: RPT2003-09-023.rpt
  Schedule: As needed
  Description: System Shutdown events occur on monitored network devices (servers, routers, etc.) and indicate that a system has been shut down.

Machine Audit - System Audit - System Status
  File name: RPT2003-09-024.rpt
  Schedule: As needed
  Description: SystemStatus events reflect general system state events. These events are generally normal and informational; however, they could potentially reflect a failure or issue which should be addressed.

Machine Audit - USB-Defender
  File name: RPT2003-09-050.rpt
  Schedule: As needed
  Description: This report tracks activity associated with USB-Defender, including insertion and removal events related to USB Mass Storage devices.

Malicious Code
  File name: RPT2003-04.rpt
  Schedule: Weekly
  Description: This report tracks event activity associated with malicious code such as viruses, Trojans, and worms, both on the network and on local machines, as detected by anti-virus software.



Malicious Code - Service Process Attack
  File name: RPT2003-04-01.rpt
  Schedule: As needed
  Description: Members of the Service Process Attack tree are used to define events centered on malicious or abusive usage of services or user processes. These events include abuse or misuse of resources from malicious code placed on the client system.

Malicious Code - Trojan Command Access
  File name: RPT2003-04-05.rpt
  Schedule: As needed
  Description: Trojan Command Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as Trojan Horses. This event detects the communication related to Trojans sending commands over the network (infecting other clients, participating in a denial of service activity, being controlled remotely by the originator, etc.). Trojans are generally executables that require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or exploit other clients (used in attacks such as distributed denial of service attacks).

Malicious Code - Trojan Infection Access
  File name: RPT2003-04-04.rpt
  Schedule: As needed
  Description: Trojan Infection Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as a Trojan Horse. This event detects the infection traffic related to a Trojan entering the network (generally with intent to infect a client). Trojans are generally executables that require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or exploit other clients (used in attacks such as distributed denial of service attacks).



Malicious Code - Trojan Traffic Access
  File name: RPT2003-04-02.rpt
  Schedule: As needed
  Description: Trojan Traffic Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as a Trojan Horse. This event detects the communication related to Trojans over the network (generally, 'trojaned' clients calling home to the originator). Trojans are generally executables that require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or exploit other clients (used in attacks such as distributed denial of service attacks).

Malicious Code Report - Trojan Traffic Denial
  File name: RPT2003-04-03.rpt
  Schedule: As needed
  Description: Trojan Traffic Denial events are a specific type of Denial event where the transport of the malicious or abusive usage originates with malicious code on a client system known as a Trojan. The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Trojan Traffic Denial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, attempts to spread the Trojan to other hosts, or other denial of service activities.

Malicious Code Report - Virus Attack
  File name: RPT2003-04-06.rpt
  Schedule: As needed
  Description: Virus Attack events reflect malicious code placed on a client or server system, which may lead to system or other resource compromise and may lead to further attack. The severity of this event will depend on the ActionTaken field, which reflects whether the virus or other malicious code was successfully removed.



Malicious Code Report - Virus Summary Attack
  File name: RPT2003-04-07.rpt
  Schedule: As needed
  Description: Virus Summary Attack events reflect malicious code placed on a client or server system, which may lead to system or other resource compromise and may lead to further attack. The severity of this event will depend on the ActionTaken field, which reflects whether the virus or other malicious code was successfully removed. These events differ from Virus Attack in that they may be a composite of virus events, normally due to a scheduled scan on the client system as opposed to a real-time scan.

Malicious Code Report - Virus Traffic Access
  File name: RPT2003-04-08.rpt
  Schedule: As needed
  Description: Virus Traffic Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as viruses. This event detects the communication related to viruses over the network (generally, the spread of a virus infection or an incoming virus infection). Viruses are generally executables that require user intervention to spread, contain malicious code that is placed on the client system, and are used to exploit the client and possibly spread to other clients.

Network Events: Attack Behavior
  File name: RPT2003-11-00.rpt
  Schedule: As needed
  Description: This report tracks activity associated with top-level NetworkAttack events.

Network Events: Attack Behavior - Access
  File name: RPT2003-11.rpt
  Schedule: Weekly
  Description: This report shows malicious asset access via the network, for example attacks on FTP or Windows Network servers, malicious network database access, abuses of services, or attempted unauthorized entry.

Network Events: Attack Behavior - Access - Access
  File name: RPT2003-11-01.rpt
  Schedule: As needed
  Description: Children of the Access tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is inappropriate or abusive access to network resources.



Network Events: Attack Behavior - Access - Application Access
  File name: RPT2003-11-02.rpt
  Schedule: As needed
  Description: Application Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is mostly or all application-layer. Generally, ApplicationAccess events will reflect attempted exploitation of weaknesses in server or client software, or information that is restricted/prohibited by device access control or policy.

Network Events: Attack Behavior - Access - Configuration Access
  File name: RPT2003-11-03.rpt
  Schedule: As needed
  Description: Configuration Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via resource configuration traffic (using protocols such as DHCP, BootP, and SNMP). Generally, these events will reflect attempted exploitation of weaknesses in the configuration server or client software or attempts to gain system-level access to configuration servers themselves. In the case of SNMP and similar configuration protocols, it could reflect an attempt to enumerate a device or devices on the same network for further attack.

Network Events: Attack Behavior - Access - Core Access
  File name: RPT2003-11-04.rpt
  Schedule: As needed
  Description: Core Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is mostly or all core protocols (TCP, UDP, IP, ICMP). Generally, CoreAccess events will reflect attempted exploitation of weaknesses in network protocols or devices with intent to gain access to servers, clients, or network infrastructure devices.

Network Events: Attack Behavior - Access - Database Access
  File name: RPT2003-11-05.rpt
  Schedule: As needed
  Description: Database Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer database traffic. Generally, these events will reflect attempted exploitation of weaknesses in database server or client software.



Network Events: Attack Behavior - Access - File System Access
  File name: RPT2003-11-06.rpt
  Schedule: As needed
  Description: File System Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via remote file system traffic (using protocols such as SMB and NFS). Generally, these events will reflect attempted exploitation of weaknesses in the remote file system server or client software or attempts to gain system-level access to remote file system servers themselves.

Network Events: Attack Behavior - Access - File Transfer
  File name: RPT2003-11-07.rpt
  Schedule: As needed
  Description: File Transfer Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer file transfer traffic. Generally, these events will reflect attempted exploitation of weaknesses in file transfer server or client software.

Network Events: Attack Behavior - Access - Link Control Access
  File name: RPT2003-11-08.rpt
  Schedule: As needed
  Description: Link Control Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is low-level link control (using protocols such as ARP). Generally, Link Control Access events will reflect attempted exploitation of weaknesses in switching devices by usage of malformed incoming or outgoing data, with intent to enumerate or gain access to or through switching devices, clients that are also on the switching device, and entire networks attached to the switching device. In some cases, a managed switch with restrictions on port analyzing activity may be forced into an unmanaged switch with no restrictions, allowing a malicious client to sniff traffic and enumerate or attack.

Network Events: Attack Behavior - Access - Mail Access
  File name: RPT2003-11-09.rpt
  Schedule: As needed
  Description: Mail Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer mail transfer, retrieval, or service traffic. Generally, these events will reflect attempted exploitation of weaknesses in mail-related server or client software.



Network Events: Attack Behavior - Access - Naming Access
  File name: RPT2003-11-10.rpt
  Schedule: As needed
  Description: Naming Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer naming service traffic (using protocols such as DNS and WINS). Generally, these events will reflect attempted exploitation of weaknesses in the naming server or client software.

Network Events: Attack Behavior - Access - News Access
  File name: RPT2003-11-11.rpt
  Schedule: As needed
  Description: News Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer news traffic (over protocols such as NNTP). Generally, these events will reflect attempted exploitation of weaknesses in the news server or client software.

Network Events: Attack Behavior - Access - Point to Point Access
  File name: RPT2003-11-12.rpt
  Schedule: As needed
  Description: Point To Point Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via point to point traffic (using protocols such as PPTP). Generally, these events will reflect attempted exploitation of weaknesses in point to point server or client software, attempts to enumerate networks, or attempts to further attack devices on trusted networks.

Network Events: Attack Behavior - Access - Printer Access
  File name: RPT2003-11-13.rpt
  Schedule: As needed
  Description: Printer Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote printer traffic. Generally, these events will reflect attempted exploitation of weaknesses in the remote printer server or client software.

Network Events: Attack Behavior - Access - Remote Console Access
  File name: RPT2003-11-14.rpt
  Schedule: As needed
  Description: Remote Console Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote console service traffic (services such as telnet, SSH, and terminal services). Generally, these events will reflect attempted exploitation of weaknesses in the remote console server or client software.

Administrator Guide: Security Event Manager page 412


Default reports included with SEM

Title Description File Name Schedule


Title: Network Events: Attack Behavior - Access - Remote Procedure Access
Description: Remote Procedure Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via remote procedure call traffic (using protocols such as the traditional RPC services, RMI, and CORBA). Generally, these events will reflect attempted exploitation of weaknesses in the remote procedure server or client software or attempts to gain system-level access to remote procedure servers themselves.
File Name: RPT2003-11-15.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Access - Routing Access
Description: Routing Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is routing-related protocols (RIP, IGMP, etc.). Generally, Routing Access events will reflect attempted exploitation of weaknesses in routing protocols or devices with intent to enumerate or gain access to or through routers, servers, clients, or other network infrastructure devices. These routing protocols are used to automate the routing process between multiple devices that share or span networks.
File Name: RPT2003-11-16.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Access - Time Access
Description: Time Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote time service traffic (using protocols such as NTP). Generally, these events will reflect attempted exploitation of weaknesses in the remote time server or client software.
File Name: RPT2003-11-17.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Access - Virus Traffic Access
Description: Virus Traffic Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as viruses. Generally, these events will reflect attempted exploitation of weaknesses in the web server or client software.
File Name: RPT2003-11-19.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Access - Web Access
Description: Web Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic. Generally, these events will reflect attempted exploitation of weaknesses in the web server or client software.
File Name: RPT2003-11-18.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Denial / Relay
Description: Track activity associated with network denial or relay attack behaviors. This report shows malicious asset relay attempts and denials of service via the network. For example, FTP bouncing, Distributed Denial of Service events, and many protocol abuses.
File Name: RPT2003-12.rpt
Schedule: Weekly

Title: Network Events: Attack Behavior - Denial / Relay - Application Denial
Description: Application Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer protocols. The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Application Denial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.
File Name: RPT2003-12-01.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Denial / Relay - Configuration Denial
Description: Configuration Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is protocols related to configuration of resources (DHCP, BootP, SNMP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. ConfigurationDenial events may be attempts to exploit weaknesses in configuration-related software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.
File Name: RPT2003-12-02.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Denial / Relay - Core Denial
Description: Core Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is core protocols (TCP, IP, ICMP, UDP). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Core Denial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.
File Name: RPT2003-12-03.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Denial / Relay - Denial
Description: Children of the Denial tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is inappropriate or abusive access to network resources through a denial of service attack.
File Name: RPT2003-12-04.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Denial / Relay - File System Denial
Description: File System Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is remote file system-related protocols (NFS, SMB, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. File System Denial events may be attempts to exploit weaknesses in remote file system services or software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.
File Name: RPT2003-12-05.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Denial / Relay - File Transfer Denial
Description: File Transfer Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer file transfer-related protocols (FTP, TFTP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. FileTransferDenial events may be attempts to exploit weaknesses in file transfer-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.
File Name: RPT2003-12-06.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Denial / Relay - Link Control Denial
Description: Link Control Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is link level protocols (such as ARP). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. LinkControlDenial events may be attempts to exploit weaknesses in link-level control software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.
File Name: RPT2003-12-07.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Denial / Relay - Mail Denial
Description: MailDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer mail-related protocols (SMTP, IMAP, POP3, etc.) or services (majordomo, spam filters, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. MailDenial events may be attempts to exploit weaknesses in mail-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.
File Name: RPT2003-12-08.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Denial / Relay - Relay
Description: Children of the Relay tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is relaying inappropriate or abusive access to other network resources (either internal or external). Generally, these attacks will have the perimeter or an internal host as their point of origin. When sourced from remote hosts, they may indicate a successful exploit of an internal or perimeter host.
File Name: RPT2003-12-09.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Denial / Relay - Remote Procedure Denial
Description: Remote Procedure Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is remote procedure-related protocols (traditional RPC, RMI, CORBA, etc.) or services (portmapper, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. RemoteProcedureDenial events may be attempts to exploit weaknesses in remote procedure services or software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.
File Name: RPT2003-12-10.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Denial / Relay - Routing Denial
Description: Routing Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is routing-related protocols (RIP, IGMP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Routing Denial events may be attempts to exploit weaknesses in routers or routing software to gain access to a host system, attempts to exploit weaknesses in the routing software or service to enumerate or reconfigure, or other denial of service activities.
File Name: RPT2003-12-11.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Denial / Relay - Web Denial
Description: Web Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer web-related protocols (HTTP, HTTPS, etc.) or services (CGI, ASP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Web Denial events may be attempts to exploit weaknesses in web-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.
File Name: RPT2003-12-12.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior
Description: Track activity associated with suspicious network behaviors such as reconnaissance or unusual traffic. Specifically, this report shows potentially dangerous activity, such as excessive authentication failures, port scans, stack fingerprinting, and network enumerations.
File Name: RPT2003-07.rpt
Schedule: Weekly

Title: Network Events: Suspicious Behavior - Application Enumerate
Description: Application Enumerate events reflect attempts to gather information about target hosts, or services on target hosts, by sending active application-layer data which will elicit responses that reveal information about the application or host. This enumeration may be a command sent to the application to attempt to fingerprint what is allowed or denied by the service, requests to the application which may enable an attacker to surmise the version and specific application running, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the host or application that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.
File Name: RPT2003-07-01.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior - Banner Grabbing Enumerate
Description: Banner Grabbing Enumerate events reflect attempts to gather information about target hosts, or services on target hosts, by sending a request which will elicit a response containing the host or service's 'banner'. This 'banner' contains information that may provide a potential attacker with such details as the exact application and version running behind a port. These details could be used to craft specific attacks against hosts or services that an attacker may know will work correctly the first time - enabling them to modify their methodology to go on relatively undetected.
File Name: RPT2003-07-02.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior - Core Scan
Description: Core Scan events reflect attempts to gather information about target networks, or specific target hosts, by sending scans over core network protocols (TCP, IP, ICMP, UDP) which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, information such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts.
File Name: RPT2003-07-03.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior - Enumerate
Description: Enumerate events reflect attempts to gather information about target networks, or specific target hosts, by sending active data which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the enumeration is generally attempting to acquire information that may reveal more than normal traffic to the target would.
File Name: RPT2003-07-04.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior - Footprint
Description: Footprint events reflect attempts to gather information about target networks by tracing the network through routers, clients, servers, or other network infrastructure devices. The originating source of the footprint is generally attempting to acquire information that may reveal more about network behavior than normal traffic to the target would.
File Name: RPT2003-07-05.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior - General Security
Description: General Security events are generated when a supported product outputs data that has not yet been normalized into a specific event, but is known to be security issue-related.
File Name: RPT2003-07-17.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior - Host Scan
Description: Host Scan events reflect attempts to gather information about specific target hosts by sending scans which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications on the host, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks and generally have the intent of discovering operating system and application information which may be used for further attack preparation.
File Name: RPT2003-07-06.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior - ICMP Query
Description: ICMP Query events reflect attempts to gather information about specific target hosts, or networks, by sending ICMP-based queries that will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as operating system information and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks, contain many sequential ICMP packets, and generally have the intent of discovering operating system and application information which may be used for further attack preparation.
File Name: RPT2003-07-07.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior - MS Network Enumerate
Description: MS Networking Enumerate events reflect attempts to gather information about target hosts, or services on target hosts, by sending active data to Microsoft networking services (using protocols such as NetBIOS and SMB/CIFS) that will elicit responses that reveal information about the application, host, or target network. This enumeration may be a simple command sent to the networking service to attempt to fingerprint what is allowed or denied by a service, requests to a service that may enable an attacker to surmise the version and specific service running, requests to a service that may enable an attacker to fingerprint the target network, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the networking service, host, or application that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.
File Name: RPT2003-07-08.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior - Network Suspicious
Description: Members of the NetworkSuspicious tree are used to define events regarding suspicious usage of network bandwidth/traffic. These events include unusual traffic and reconnaissance behavior detected on network resources.
File Name: RPT2003-07-09.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior - Port Scan
Description: Port Scan events reflect attempts to gather information about target networks, or specific target hosts, by sending scans over core network protocols (TCP, IP, ICMP, UDP) that will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. Port Scans specifically operate by sending probes to every port within a range, attempting to identify open ports that may use applications or services that are easy to enumerate and attack.
File Name: RPT2003-07-10.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior - Recon
Description: Children of the Recon tree reflect suspicious network behavior with intent of gathering information about target clients, networks, or hosts. Reconnaissance behavior may be valid behavior on a network, however, only as a controlled behavior in small quantities. Invalid reconnaissance behavior may reflect attempts to determine security flaws on remote hosts, missing access control policies that allow external hosts to penetrate networks, or other suspicious behavior that results in general information gathering without actively attacking.
File Name: RPT2003-07-11.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior - Remote Procedure Enumerate
Description: Remote Procedure Enumerate events reflect attempts to gather information about target hosts, or services on target hosts, by sending active data to Remote Procedure services (using protocols such as RMI, CORBA, and traditional RPC) that will elicit responses that reveal information about the application or host. This enumeration may be a simple command sent to the remote procedure service to attempt to fingerprint what is allowed or denied by the service, requests to the remote procedure service that may enable an attacker to surmise the version and specific service running, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the remote procedure service or application that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.
File Name: RPT2003-07-12.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior - Scan
Description: Scan events reflect attempts to gather information about target networks, or specific target hosts, by sending scans which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, information such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts.
File Name: RPT2003-07-13.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior - Stack Fingerprint
Description: Stack Fingerprint events reflect attempts to gather information about specific target hosts by sending a certain set of packets to probe a device's network stack, which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as operating system information (including type and version) and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks and generally have the intent of discovering operating system information which may be used for further attack preparation.
File Name: RPT2003-07-14.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior - Trojan Scanner
Description: Trojan Scanner events reflect attempts of Trojans on the network to gather information about target networks, or specific target hosts, by sending scans which will elicit responses that reveal information about the host. The originating Trojan source of the scan is generally attempting to acquire information that will reveal whether a target host or network has open and available services for further exploitation, whether the target host or network is alive, and how much of the target network is visible. A Trojan may run a scan before attempting an attack operation to test potential effectiveness or targeting information.
File Name: RPT2003-07-15.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior - Unusual Traffic
Description: Unusual Traffic events reflect suspicious behavior on network devices where the traffic may have no known exploit, but is unusual and could be potential enumerations, probes, fingerprints, attempts to confuse devices, or other abnormal traffic. Unusual Traffic may have no impending response, however, it could reflect a suspicious host that should be monitored closely.
File Name: RPT2003-07-16.rpt
Schedule: As needed

Title: Priority Event (reference)
Description: This report is no longer in use. The Priority Event report tracks those events that the user has identified as a priority event. These events appear in the Priority filter of the Console.
File Name: RPT2003-16.rpt
Schedule: As needed

Title: Priority Event By User (reference)
Description: This report is no longer in use. This report mirrors the standard Priority Event report but groups the events received by Console User account. The same event may be seen by many users, so this report tends to be much larger than the standard Priority Event report.
File Name: RPT2003-17.rpt
Schedule: As needed

Title: Rule Subscriptions by User
Description: The Rule Subscriptions report tracks those events that the user has subscribed to monitor.
File Name: RPT2006-28-01.rpt
Schedule: Daily

Title: SolarWinds Actions
Description: The SolarWinds Action Report lists all commands or actions initiated by SolarWinds Network Security.
File Name: RPT2003-18.rpt
Schedule: As needed

Support reports included with SEM


Support Reports are diagnostic tools used by SolarWinds Customer Support. Only run these reports at
the request of SolarWinds. The reports are listed alphabetically by title.

Title Description File Name Schedule


Title: Agent Connection Status
Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report tracks internal Agent online and offline events.
File Name: RPT2009-33-1.rpt
Schedule: As requested

Title: Agent Connection Status by Agent
Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report tracks internal Agent online and offline events grouped by Agent.
File Name: RPT2009-33-2.rpt
Schedule: As requested

Title: Agent Connection Summary
Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report shows high level summary information for when Agents go online and offline.
File Name: RPT2009-33.rpt
Schedule: As requested

Title: Audit - Internal Audit Report
Description: Audit - Internal Audit Report
File Name: RPT2006-31-01.rpt
Schedule: As requested

Title: Audit - Internal Audit Report by User
Description: Internal Audit Report grouped by User
File Name: RPT2006-31-02.rpt
Schedule: As requested

Title: Agent Maintenance Report
Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report displays internal event data for possible misconfigured Agents.
File Name: RPT2007-32.rpt
Schedule: As requested

Title: Database Maintenance Report
Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request.
File Name: RPT2006-26.rpt
Schedule: As requested

Title: List of Rules for Rule Subscriptions
Description: This report lists available rules for the Rule Subscriptions.
File Name: RPT2006-29-02.rpt
Schedule: As needed

Title: List of Subscription Rules by User
Description: This report lists the rules that users have subscribed to.
File Name: RPT2006-29-03.rpt
Schedule: As needed

Title: List of Users
Description: This report lists each user entered. Currently, the users are only used for Rule Subscriptions.
File Name: RPT2006-29-01.rpt
Schedule: As needed

Title: Tool Maintenance by Alias
Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. List of New Tool Data events based on Tool Alias.
File Name: RPT2003-14.rpt
Schedule: As needed

Title: Tool Maintenance by Insertion Point
Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. List of New Tool Data events based on Agent InsertionIP.
File Name: RPT2003-15.rpt
Schedule: As needed

Title: Tool Maintenance by Provider
Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. List of New Tool Data events based on ProviderSID.
File Name: RPT2003-13.rpt
Schedule: As needed

Title: Tool Maintenance Detail Report
Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. The report displays a summary of all SolarWinds error messages received from various tools.
File Name: RPT2003-14.rpt
Schedule: As requested

Title: Tool Maintenance Report
Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. The report displays a summary of unique SolarWinds error messages received from various tools.
File Name: RPT2003-13.rpt
Schedule: As requested

The SEM command-line interface: Using the CMC


About the CMC command line
The CMC provides a command-line interface (CLI) for performing routine administrative tasks on a
SEM VM.

See Log in to the SEM CMC command line interface for login steps and information about
credentials and SSH access restrictions.

Use CMC commands for tasks such as:

• Upgrading the Manager software
• Manually applying connector updates
• Deploying new connector infrastructure to the Managers and Agents
• Rebooting or shutting down the network appliance
• Configuring trusted reporting hosts
• Configuring supplemental services on the Manager appliance

Special characters allowed in CMC commands and passwords


The following table lists the special characters you can use in your CMC commands and passwords.

Character Example
Capital letters ABCDEFGHIJKLMNOPQRSTUVWXYZ
Lower-case letters abcdefghijklmnopqrstuvwxyz
Numerals 0123456789
Symbols _ ` ~ ! @ # $ % ^ & * ( ) - = + ' [ { ] } \ | ; : a " A , 1 < . > / ?
White spaces command1 command2 command3

SEM CMC main menu


The CMC main menu opens when you log in to the CMC command-line interface.

See About the CMC command line in SEM for information about using the CMC command line.

Top-Level CMC commands


Commands are listed in order of appearance.

appliance: Displays the appliance menu to run network and system commands on the SEM VM. You can activate the VM, configure network parameters, and change the CMC password. See SEM CMC appliance menu for more information.

manager: Displays the manager menu where you can run upgrade and debug commands on the SEM Manager. You can install a SEM hotfix, start and stop the SEM Manager service, and import a certificate used for desktop console communication. See SEM CMC manager menu for more information.

service: Displays the service menu to manage access restrictions and the SSH service. You can start and stop the SSH service and restrict access to the reports application by IP address or host name. See SEM CMC service menu for more information.

rawlogs: Displays the rawlogs menu to run nDepth configuration and maintenance commands.

upgrade: Installs the SEM upgrade package that you will use to upgrade your SEM VM. This command functions the same as the hotfix command.

admin: Opens the admin command-line interface in the Lynx text browser.

import: Imports a keytab file from Active Directory into SEM. This file is required to configure SEM for Active Directory single sign-on. See Set up single sign-on (SSO) in SEM for details.

help: Displays the Help menu.

exit: Exits the CMC management console.

SEM CMC appliance menu


The cmc::appliance> menu includes commands for managing network and system settings.

See About the CMC command line in SEM for information about using the CMC command line.

Type the appliance command at the main menu to open the cmc::appliance> prompt. Commands available from the appliance menu are listed below in alphabetical order.

Restart required: Y indicates that a command requires an automatic restart of the SEM Manager service. See Starting and Stopping SEM components for help.

activate: Configures essential SEM features. This command should be run after you install the SEM license. See Run the activate command to secure SEM and configure network settings for documentation. Restart required: N

checklogs: Shows the contents of the SEM log files from sources such as syslog and SNMP. Restart required: N

clearsyslog: Removes all rotated and compressed local files. Restart required: N

cleantemp: Removes temporary files SEM created during normal operation. Run this command to recover used disk space, or at the suggestion of SolarWinds Support. Restart required: N

dateconfig: Sets or shows the SEM VM's date and time. Restart required: N

dbdiskconfig: Configures the database retention setting (that is, the percentage of free space for the database). This command requires an automatic restart of the SEM Manager service. Restart required: Y

diskusage: Checks disk usage consumed by the SEM Manager and several other internal components (such as the database or log files), and provides a summary. This information is included when you send SolarWinds Support information using the support command. Restart required: N

diskusageconfig: Sets the SEM Manager disk usage limit by the percentage of unavailable disk space or the amount of free disk space. Restart required: N

editbanner: Edits the SSH login banner. Restart required: N

exit: Exits the appliance menu and returns to the main menu. Restart required: N

exportsyslog: Exports the system logs. Restart required: N

hostname: Changes the hostname of the SEM VM. Restart required: N

import: Imports the SIM or SEM backup to the SEM. Restart required: N

limitsyslog: Interrogates and/or changes the number of rotated log files to be kept. Restart required: N

multimanagerconfig: Enables or disables the multimanager. If you enable multimanager, some security scanners may generate cross-domain security warnings about SEM. If this feature is not required, keep it disabled. Restart required: N

netconfig: Configures network settings for the SEM VM, such as the IP address, subnet mask, and DNS server(s). Restart required: N

ntpconfig: Configures the Network Time Protocol (NTP) service on the SEM VM for synchronization with a time server. Restart required: N

password: Changes the CMC user password. Restart required: N

ping: Pings other IP addresses or host names from the SEM VM to verify network connectivity. Restart required: N

reboot: Reboots the SEM VM. Restart required: N

setlogrotate: Sets the syslog rotation frequency to either hourly or daily. Restart required: N

shutdown: Shuts down the SEM VM. Restart required: N

top: Displays and monitors CPU and memory usage, as well as per-process information for the Manager Network Appliance. Restart required: N

tzconfig: Configures the SEM VM time zone information. Restart required: N

viewnetconfig: Displays the SEM VM network settings, such as the IP address, subnet mask, and DNS server(s). Restart required: N

SEM CMC manager menu


The cmc::manager> menu includes commands for upgrading and debugging SEM.

See About the CMC command line in SEM for information about using the CMC command line.

Type the manager command at the main menu to open the cmc::manager> prompt. Commands available from the manager menu are listed below in alphabetical order. Restart required: Y indicates that a command requires an automatic restart of the SEM Manager service. See Starting and Stopping SEM components for help.

archiveconfig: Configures the SEM Manager appliance database archives to a remote file share on a daily, weekly, or monthly schedule. Restart required: N

backupconfig: Configures the SEM Manager appliance software and configuration backups to a remote file share on a daily, weekly, or monthly schedule. Restart required: N

cleanagentconfig: Reconfigures the Agent on the current SEM Manager instance to connect to a new SEM Manager. Restart required: N

confselfsignedcert: Configures the SEM Manager to use an nDepth server. Restart required: N

dbrestart: Restarts the database. Restart required: N

debug: Sends debugging information from the SEM Manager to any given email address. The email message contains a collection of data that can be useful in diagnosing problems. Restart required: N

exit: Exits the manager menu and returns to the main menu. Restart required: N

exportcert: Exports the CA certificate so that you can import it into a computer running the SEM console or the SEM reports application. Restart required: N

exportcertrequest: Exports the SEM Manager certificate (along with its public and private key) so that your certificate authority (CA) can sign it using PKI tools. Restart required: N

hotfix: Installs a SEM hotfix. This command functions the same as the upgrade command. Restart required: N

importcert: Imports a certificate signed by any certificate authority (CA). A certificate is required to encrypt communication with the SEM console or the SEM reports application. Restart required: Y

importl4ca: Imports a CA of the other node in an L4 configuration. Restart required: Y

licenseupgrade: Upgrades your SEM Manager license. Restart required: Y

logbackupconfig: Configures the Manager appliance remote log backups to a remote file share on a daily, weekly, or monthly schedule. Restart required: N

resetadmin: Resets the admin password to password. This command does not affect other users on the system, and all settings are preserved. Restart required: Y

restart: Restarts the SEM Manager service. This will take the Manager offline for 1–3 minutes. Restart required: Y

sensortoolupgrade: Upgrades the SEM Manager's Sensor Tools from the command line. This command does not support CD-ROM and floppy options, only SB. Restart required: N

showlog: Allows you to page through the SEM Manager's log file. Restart required: N

showmanagermem: Displays the SEM Manager's configured memory utilization settings. Restart required: N

start: Starts the SEM Manager service. If the Manager is already started, nothing happens. Restart required: N

stop: Stops the SEM Manager service. This makes the Manager inactive until it is started again. Restart required: Y

support: This command has been deprecated. Use the debug command. Restart required: N

viewsysinfo: Displays appliance settings and other information that is useful for support and troubleshooting. Restart required: N

watchlog: Displays 20 lines of the current SEM Manager log file and monitors the log for further updates. Any new log entries appear as they are written to the log. Restart required: N

SEM CMC service menu


The cmc::service> menu includes commands for managing restrictions and SSH access.

See About the CMC command line in SEM for information about using the CMC command line.

Type the service command at the main menu to open the cmc::service> prompt. Commands available from the service menu are listed below in alphabetical order. Restart required: Y indicates that a command requires an automatic restart of the SEM Manager service. See Starting and Stopping SEM components for help.

disableflow: Disables the flow Collection Service on the appliance (and in the SolarWinds Explorer). Restart required: N

enableflow: Enables the flow Collection Service on the appliance (and in the SolarWinds Explorer). Restart required: Y

exit: Exits the service menu and returns to the main menu. Restart required: N

help: Displays a brief description of each command within the service menu. Restart required: N

restartssh: Restarts the SSH service. If the SSH service is running, this command stops and then restarts the service. Restart required: N

restrictconsole: Restricts access to the SEM console to only certain IP addresses or hostnames. This command prompts you to provide the IP addresses or hostnames that should be allowed access. Once the restriction is in place, only the listed IP addresses or hostnames can connect to the SEM console. Also see unrestrictconsole. Restart required: N

restrictreports: Restricts access to reports to only certain IP addresses or hostnames. This command prompts you to provide the IP addresses or hostnames that should be allowed access. Once the restriction is in place, only the listed IP addresses or hostnames can create and view reports. Also see unrestrictreports. Restart required: N

restrictssh: Restricts the SSH service to only certain IP addresses. This command prompts you to provide the IP addresses that should be allowed access. Once the restriction is in place, only the listed IP address and user combinations can connect to the SEM Manager using the SSH service. Also see unrestrictssh. Restart required: N

snmp: Configures the SNMP Services. Restart required: N
   • See Enable the SNMP Trap Logging Service in SEM to configure SEM to receive SNMP traps.
   • See Set up SEM to communicate with NPM and the SolarWinds Platform Web Console using SNMP to configure SEM and NPM to monitor SEM's CPU, memory, and other critical components.

startssh: Starts the SSH service. Restart required: N

stopopsec: Terminates any connections from the SEM Manager VM to Check Point® Open Platform for Security (OPSEC) hosts. Restart required: N

stopssh: Stops the SSH service. If you issue this command, you can only access the SEM Manager with a keyboard and monitor until you issue a reboot command. To restrict access to the SSH service (outside of the user name and password requirements), see the restrictssh command. Restart required: N

unrestrictconsole: Removes access restrictions placed on the SEM console. The only remaining protection is the user name and password combination. This command removes all other restrictions and allows system users with a user name and password to connect to the console. Restart required: N

unrestrictreports: Removes access restrictions placed on the SEM reports application. The only remaining protection is the user name and password combination. This command removes all other restrictions and allows anyone who has either the reports application or any alternative database connection software installed to create and view reports and browse the database, provided that they have a valid username and password. Restart required: N

unrestrictssh: Removes access restrictions placed on the SSH service. The only remaining protection is the user name and password combination. Restart required: N

SEM CMC rawlogs menu


See About the CMC command line in SEM for information about using the CMC command line.

Type the rawlogs command at the main menu to open the cmc::rawlogs> prompt. Commands available from the rawlogs menu are listed below in alphabetical order. Restart required: Y indicates that a command requires an automatic restart of the SEM Manager service. See Starting and Stopping SEM components for help.

configurerawlogs: Configures the manager to use a Raw logs service. Restart required: Y

logmarchiveconfig: Sets the raw logs archive share settings. Restart required: N

logmbackupconfig: Sets the raw logs backup share settings. Restart required: N

restart: Restarts the raw logs search/storage service. Restart required: Y

showsearchanges: Displays search ranges per search core. Restart required: N

start: Starts the raw logs search/storage service. Restart required: N

stop: Stops the raw logs search/storage service. Restart required: N

exit: Exits the rawlogs menu and returns to the main menu. Restart required: N

SEM troubleshooting
Additional troubleshooting topics:
 • SEM reboot for troubleshooting
 • Troubleshoot Network Devices Logging to SEM
 • How to Troubleshoot Syslog Nodes in SolarWinds Log & Event Manager - Video
 • How-To Use Log & Event Manager to Troubleshoot Network Issues - Video
 • Startup errors display after increasing the SEM disk size

Troubleshoot alerts on the SEM Console


This section describes how to troubleshoot unmatched data or internal new connector data alerts
that may appear in your SEM console.

Typically, unmatched data and internal new connector data alerts indicate that one or more of the
connectors on the SEM VM or appliance cannot properly normalize the associated log data.

 1. Ensure that your syslog devices are sending logs to a syslog facility on your SEM appliance.
 2. Determine which devices are logging to each facility, and whether those devices conflict with each other.
 3. Ensure that your SEM Agent connectors, such as Windows-based and database connectors, are running correctly.
 4. Apply the latest connector update package.
 5. Generate a syslog sample from the SEM appliance, and then open a ticket with SolarWinds Technical Support for further assistance.

Task 1: Troubleshoot syslog devices


Complete the following troubleshooting procedures for devices that send logs to a syslog facility on
your SEM appliance.

 1. Verify the connector and device are pointed at the same local facility.
 2. Check the configuration on your device to determine what local facility it is logging to on your SEM appliance. In some cases, you cannot modify this setting.
    For additional information, search for your device in the SolarWinds Success Center.
    Except for Check Point firewalls, SEM receives UDP syslog data on port 514.
 3. Verify that the connector is pointed to the same logging facility as the device.
     a. On the SEM Console, navigate to Configure > Manager Connectors.
     b. Under Configured connectors, locate the connector in the list.
     c. Select the configured connector, and then click Edit.
     d. View its details, and verify the Log File value matches the output value in the device configuration.
 4. If the device and connector configurations do not match, point the connector to the appropriate location.
     a. Select the configured connector, and then click Stop.
     b. Click Edit, and then change the Log File value so it matches your device.
     c. Click Save, and then click Start.

Task 2: Troubleshoot device logging


Certain devices (including Cisco devices) have similar logging formats that cause connector conflicts
when logging to the same facility on your SEM appliance. Use the following procedure and table to
determine what devices are logging to each facility, and whether those devices conflict with one
another.

 1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.
 2. At the cmc> prompt, type appliance.
 3. At the cmc::appliance> prompt, type checklogs.
 4. Enter an item number to select and view a local facility.
 5. To view the device sending the event, open the log facility.
    Each event starts with the EPOCH timestamp (for example, 1427722392000), which is the date and time in Unix numeric format. The device sending the event follows. You will typically see a ProviderSID (for example, ASA-1-106021), which is similar to an Event ID.
 6. If two or more devices are logging to the same facility, see Troubleshoot conflicting devices below to determine whether those devices conflict with each other.

Troubleshoot conflicting devices


Different firewall types should log to different facilities. For example, Cisco firewalls and Palo Alto firewalls should each log to their own facility. Ensure that the devices in each of the following groups are logging to distinct local facilities on your SEM VM. For example, if a device in Group 1 is logging to local1, make sure a device in Group 2 is not also logging to that facility.

SolarWinds recommends splitting the devices and vendors to different facilities. Having all devices pointed at one facility with multiple connectors reading that facility will impact your SEM performance.

Group    Devices
Group 1  Cisco ASA, Cisco IOS, Cisco PIX
Group 2  Cisco Catalyst (CatOS)
Group 3  Cisco Wireless LAN Controller (WLC)
Group 4  Cisco Nexus
Group 5  Cisco VPN
Group 6  Dell PowerConnect
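The facility check described above, as an added Python example (not SolarWinds code and not part of this guide): it parses lines of the kind checklogs displays (epoch millisecond timestamp first, a ProviderSID such as ASA-1-106021 in the message), reports which facilities hold data, and flags any facility that receives logs from devices in more than one of the groups in the table. Everything beyond the leading timestamp is an assumption: the sending host as the second field, the host-to-device-type inventory that the administrator supplies, and the constructed sample lines.

```python
import re
from datetime import datetime, timezone

# Syslog facility to log file path, as listed in this guide's facility table.
FACILITY_LOG_PATHS = {f"local{n}": f"/var/log/local{n}.log" for n in range(8)}

# Device groups from the conflicting-devices table: devices from different
# groups must not share a local facility.
DEVICE_GROUPS = {
    "Cisco ASA": 1, "Cisco IOS": 1, "Cisco PIX": 1,
    "Cisco Catalyst (CatOS)": 2,
    "Cisco Wireless LAN Controller (WLC)": 3,
    "Cisco Nexus": 4,
    "Cisco VPN": 5,
    "Dell PowerConnect": 6,
}

# A ProviderSID such as ASA-1-106021 (the guide's example) or SYS-5-MOD_OK.
PROVIDER_SID = re.compile(r"%?([A-Z][A-Z0-9]*-\d-[A-Z0-9_]+)")


def parse_event(line):
    """Split one facility log line into timestamp, sending host and ProviderSID.

    Assumed layout: epoch timestamp in milliseconds (documented on this page),
    then the sending host, then the vendor message (host position is assumed).
    """
    parts = line.split(None, 2)
    if len(parts) < 2 or not parts[0].isdigit():
        return None  # blank line, banner text or an unexpected layout
    when = datetime.fromtimestamp(int(parts[0]) // 1000, tz=timezone.utc)
    message = parts[2] if len(parts) == 3 else ""
    match = PROVIDER_SID.search(message)
    return {
        "timestamp": when.isoformat(),
        "host": parts[1],
        "provider_sid": match.group(1) if match else None,
        "message": message,
    }


def active_facilities(facility_lines):
    """Facilities whose log holds at least one parsable event; the guide calls
    a facility with an empty log file inactive."""
    return sorted(name for name, lines in facility_lines.items()
                  if any(parse_event(line) for line in lines))


def find_conflicts(facility_lines, inventory):
    """Report facilities that receive logs from more than one device group.

    inventory maps a sending host to its device type (the administrator's own
    list, since the raw line does not state the device type reliably). Hosts
    missing from the inventory land in group None rather than being ignored.
    """
    conflicts = {}
    for facility, lines in facility_lines.items():
        hosts = {event["host"] for event in map(parse_event, lines) if event}
        by_group = {}
        for host in sorted(hosts):
            group = DEVICE_GROUPS.get(inventory.get(host))
            by_group.setdefault(group, []).append(host)
        if len(by_group) > 1:
            conflicts[facility] = by_group
    return conflicts


# Constructed sample data: local1 mixes a Cisco ASA (Group 1) with a CatOS
# switch (Group 2), local2 holds only a Nexus switch, and local3 is empty.
SAMPLE_FACILITIES = {
    "local1": [
        "1427722392000 fw-asa-01 %ASA-1-106021: Deny TCP reverse path check "
        "from 10.0.0.5 to 10.0.0.9 on interface inside",
        "1427722393000 sw-cat-01 %SYS-5-MOD_OK: Module 2 is online",
    ],
    "local2": [
        "1427722394000 nx-core-01 %ETHPORT-5-IF_DOWN_LINK_FAILURE: "
        "Interface Ethernet1/3 is down",
    ],
    "local3": [],
}
SAMPLE_INVENTORY = {
    "fw-asa-01": "Cisco ASA",
    "sw-cat-01": "Cisco Catalyst (CatOS)",
    "nx-core-01": "Cisco Nexus",
}

if __name__ == "__main__":
    print("Active facilities:", active_facilities(SAMPLE_FACILITIES))
    for facility, groups in find_conflicts(SAMPLE_FACILITIES, SAMPLE_INVENTORY).items():
        print(f"{facility} ({FACILITY_LOG_PATHS[facility]}) mixes device groups:")
        for group, hosts in groups.items():
            print(f"  Group {group}: {', '.join(hosts)}")
```

To run it against real output, paste the lines checklogs shows for each facility into the dictionary and fill the inventory with your own hostnames.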

Task 3: Troubleshoot Agent devices and connectors


Complete the following procedure to troubleshoot SEM Agent connectors, such as Windows-based
and database connectors.

 1. Verify the connector is pointing to the appropriate folder or event log.
 2. Check the configuration on the host computer to determine which folder or event log it is logging to.
    In some cases, you cannot modify this setting. For additional information, search the SolarWinds Success Center for your device.
 3. Verify that the connector is pointed to the same folder or event log as the device:
     a. On the SEM Console, navigate to Configure > Nodes.
     b. Under Refine Results, expand the Type group, and then select the Agent check box.
     c. Select the SEM Agent for the host computer, and then click Manage node connectors.
     d. Locate the configured connector in the list.
     e. Select the configured connector, and then click Edit.
     f. View its details, and ensure the Log File value matches the output value in the host computer configuration.
 4. If the host computer and connector configurations do not match, point the connector to the appropriate location:
     a. Select the configured connector, and then click Stop.
     b. Click Edit, and then change the Log File value so it matches your device.
     c. Click Save, and then click Start.

Task 4: Apply the latest connector update package


If you completed the procedures in this section and you still see the unmatched data or internal new
connector data alerts, apply the latest connector package before you contact Technical Support. See
Apply a SEM connector update package to learn how.

Task 5: Contact SolarWinds Technical Support


If you are unable to resolve your issue using this article, open a ticket with SolarWinds Technical Support for further assistance. Be prepared to provide the following information to a support technician:
 • A copy of the SEM report (in Crystal Reports format) entitled Tool Maintenance by Alias for the last 24 hours or the period during which the unmatched data was detected.
 • (Syslog devices only) A sample of the logs currently sent to SEM for the affected connector. For more information, see Export log files using the CMC exportsyslog command.
 • (Windows connectors only) A copy of the entire event log in English and EVTX formats.
 • (Database connectors only) A sample of the event table containing the unread events and the details about these events.
 • (Database connectors only) The database schema (if available).

Generate a syslog sample from the SEM appliance


 1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.
 2. At the cmc> prompt, type appliance.
 3. At the cmc::appliance> prompt, type exportsyslog.
 4. Enter an item number to select a local facility to export.
 5. Repeat the previous step to specify more than one facility.
 6. Enter q to proceed.
 7. Follow the on-screen instructions to complete the export.

Troubleshoot SEM Agents and network devices


If you do not see the events you expected to see on the SEM Console, use the following procedures to
troubleshoot your SEM Agents and network devices.

Determine if SEM is receiving data from the device that you are troubleshooting

SolarWinds recommends starting with this task before moving on to the other troubleshooting tasks.

 1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.
 2. At the cmc> prompt, type appliance.
 3. At the cmc::appliance> prompt, type checklogs.
 4. To select a local facility to view, enter an item number.
 5. Search for the specific device logging to this facility (such as the product name, device name, or IP address).

See also:
 • Troubleshoot devices not logging to a log file (below)
 • Troubleshoot devices logging to a log file (below)

Troubleshoot devices not logging to a log file


Perform the following procedure for network devices that do not show data on the SEM appliance.

 1. Ensure that the device is configured to log to the SEM appliance.
 2. Ensure that the device is logging to the correct IP address for the SEM appliance.
 3. If the device sends SNMP traps to the SEM appliance, ensure that the SEM Manager is configured to accept SNMP traps. See Enable SEM to receive SNMP traps by turning on the SNMP Trap Logging Service for details.
 4. Ensure that a firewall is not blocking data communications between the device and the SEM appliance.

Troubleshoot devices logging to a log file


Perform the following procedure for network devices that display data in SEM.

 1. Ensure that the appropriate connector is configured on the SEM appliance.
 2. Ensure that your configured connector is running.
 3. If the connector is running, delete and recreate the connector instance.

Troubleshoot a SEM Agent


To begin, ensure that the SEM Agent is connected to the SEM appliance:

 1. On the SEM Console, navigate to Configure > Nodes.
 2. Under Refine Results, expand the Type group, and then select the Agent check box.
 3. In the Status column, note the status icon for the SEM Agent:
     • If the SEM Agent does not appear in the Nodes list, see Troubleshoot a missing SEM Agent.
     • If the SEM Agent appears in the Nodes list with a Connected status, see Troubleshoot a connected SEM Agent.
     • If the SEM Agent appears in the Nodes list with a Disconnected status, see Troubleshoot a disconnected SEM Agent.

See also:
 • Troubleshoot SEM Agent connections, 64-bit in the SolarWinds Customer Success Center
 • Troubleshoot SEM Agent connections, 32-bit in the SolarWinds Customer Success Center

Troubleshoot a missing SEM Agent


 1. Verify that the SEM Agent is installed on the host computer.
 2. Verify that the SEM Agent service is running on the host computer.

Troubleshoot a disconnected SEM Agent


 1. On the host computer, verify that the SEM Agent Service is running.
    If the service is not running, start the service.
    If the service is running, go to the next step.
 2. On the host computer, ping the SEM VM or appliance by hostname.
    If the ping is successful, clear the SEM Agent certificate.
    If the ping is not successful, go to the next step.
 3. On the host computer, ping the SEM VM or appliance by IP address.
    If the ping is successful, the SEM Agent is connected. See Troubleshoot a connected SEM Agent below.
    If the ping is not successful:
     a. Resolve any network or firewall issues between the SEM Agent and the SEM VM/appliance.
     b. Change your DNS settings so the SEM Agent computer can resolve the SEM appliance hostname (recommended).
     c. Edit or delete the spop.conf file (based on your system bit type) so that the SEM Agent calls the SEM VM or appliance by its IP address instead of its hostname. See Edit or delete the spop.conf file below.

Edit or delete the spop.conf file


Perform the following procedure so the SEM Agent calls the SEM appliance by its IP address
(Windows systems only).

 1. Stop the SolarWinds Security Event Manager Agent service.
 2. If you are running a 32-bit Windows system, delete the spop folder. Do not delete the ContegoSPOP folder. The folder is located at:
    C:\Windows\System32\ContegoSPOP\spop
    If you are running a 64-bit Windows system:
     a. Open the following directory:
        C:\Windows\SysWOW64\ContegoSPOP\spop
     b. Open the spop.conf file in a text editor.
     c. Replace the ManagerAddress value with the SEM appliance IP address.
     d. Save and close the file.
 3. Start the SolarWinds Security Event Manager Agent service.

Troubleshoot a connected SEM Agent


 1. Verify that you configured the appropriate connectors on the SEM Agent.
For example, the SEM Agent for Windows runs the connectors for the Windows Application and
Security Logs by default. However, you must configure the connector for the DNS server role.
 2. Verify that all configured connectors are running properly.
 3. If all configured connectors are running properly, delete and recreate the non-working
connectors.

Contact SolarWinds Customer Support


If events from your network device do not appear on the SEM Console after completing these
procedures, send a screen shot of the device logging configuration screens and the appropriate
system files to SolarWinds Customer Support:

https://support.solarwinds.com/Success_Center

If you are running a 32-bit Windows system, send the following files to SolarWinds Customer Support:
 • C:\Windows\System32\ContegoSPOP\spoplog.txt (the most recent version)
 • C:\Windows\System32\ContegoSPOP\tools\readerState.xml

If you are running a 64-bit Windows system, send the following files to SolarWinds Customer Support:
 • C:\Windows\SysWOW64\ContegoSPOP\spoplog.txt (the most recent version)
 • C:\Windows\SysWOW64\ContegoSPOP\tools\readerState.xml

Troubleshoot network device logging or syslog device logging in SEM

If a No Device Found error message appears in the widget, make sure that you configured the
device to send logs to the correct IP address. See Troubleshoot alerts on the SEM Console for
troubleshooting steps.

SEM console does not display syslog data


Verify that your devices are configured to forward syslog data to the SEM virtual appliance IP address.
If your appliance cannot receive logs, your device may not be supported.

If your devices are configured correctly and your SEM appliance is still not receiving syslog data,
identify the facilities that are collecting log data. When you complete this process, configure the
appropriate connector from the facility to the log device so Security Event Manager can normalize and
monitor this information in the SEM Manager.

Identify your syslog data facilities containing log data


Verify that Security Event Manager is receiving the raw data from your syslog devices.

See your hypervisor documentation for information about using the virtual console.

 1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.
 2. At the cmc> prompt, type appliance.
 3. At the cmc::appliance> prompt, type checklogs and press Enter.
    The appliance displays all facilities receiving logs from syslog devices, such as firewalls, routers, and switches.
    In this example, 1, 12, and 18 are active syslog facilities because they contain stored log data. Facilities 13, 15, 16, and 17 are inactive because their syslog log files are empty.
 4. Match a facility with a monitored device.
     a. Choose a facility number and record the local number (such as local2) for a future step.
     b. Enter your chosen facility number (for example, 14 for local2), and then press Enter.
     c. Enter b or E to view the beginning or end of the log file, respectively, and press Enter.
     d. Enter the number of lines to display on your screen, and then press Enter.
        Pressing Enter without entering a number defaults the output to 500 lines.
     e. Press Enter again. The raw data appears on your screen.
     f. Review and match the data to a monitored syslog device in your network.
 5. Repeat steps 3 and 4 in this section to match additional facilities with log data to a monitored syslog device in your network.

Syslog Facility  Log File Path
local0           /var/log/local0.log
local1           /var/log/local1.log
local2           /var/log/local2.log
local3           /var/log/local3.log
local4           /var/log/local4.log
local5           /var/log/local5.log
local6           /var/log/local6.log
local7           /var/log/local7.log

Troubleshoot the SEM reports application


This section provides information to help you troubleshoot SEM reports.

Troubleshoot the SEM reports application database connection


Use the following table to troubleshoot error messages that may occur with the ping test used to test
the connection between the SEM reports application and the data warehouse or the primary data
source.

Review the SEM reports requirements in the SEM Installation Guide.

Problem or error message: Manager ping timed out.
Description: The reports application was unable to connect to the SEM Manager host name or IP address. Confirm the host name (or IP address) you entered is correct.
Correction: Confirm that you entered the warehouse host name properly and it matches a valid DNS entry. Try entering the warehouse IP address in the Host Name field.

Problem or error message: Sending the authentication packet failed. Could not flush socket buffer.
Description: Reports could resolve and connect to the IP address, but could not authenticate to the database server at that location.
Correction: Confirm that the host name (or IP address) is correct and allows connections from the location where you are running the reports application. This error may also require you to modify the report restrictions.

Problem or error message: Server ping test successful, but database connection test failed. Login incorrect. Login failed for user [user name].
Description: Reports could resolve, connect to the IP address, and connect to SQL Server, but could not log in using the reports user credentials.
Correction: Confirm that the host name (or IP address) you specified contains the SolarWinds database. The warehouse may require a password for reporting purposes. In this case, click Security and enter the warehouse reporting password.

Problem or error message: Logon failed. Database Vendor Code 210
Description: The system running the SEM reports application is not on the list of authorized reporting computers.
Correction: Add the system running the reports application to the list of authorized reporting computers. To allow specific systems to run the SEM reports application, or to remove all reporting restrictions, see Restrict access to the SEM reports application.

Repair the SEM reports application


If you cannot open the SEM reports application or run reports, complete the following steps.

 1. Uninstall SEM Reports and Crystal Reports v11 Runtime.


 2. Log in as an administrator and reinstall both components.

 3. Launch SEM Reports.

Glossary of SEM terms


Active response: An action that you or a SEM rule can take in response to suspicious activity or an
attack. Active response actions include the Block IP active response, the Disable Networking active
response, the Log off User active response, the Kill Process active response, the Detach USB Device
active response, and so on.

Actor: A connector sub-type that can perform an active response. The actor connector allows the
Agent to receive instructions from the SEM Manager and perform active responses locally on the
Agent computer, for example, sending pop-up messages or detaching USB devices. On the SEM
Console, an orange connector icon represents an actor connector. Also see sensor.

Agent: In SEM, a software application that collects and normalizes log data before it is sent to the
SEM Manager. The Agent runs as a standalone service and provides additional event alerting on
workstations and servers. An Agent is required for some active responses, including logging off a
user, shutting down a computer, and detaching a USB device. SEM Agents use Secure Socket
Layer/Transport Layer Security (SSL/TLS) to securely transmit log data. Also see connector.

Agent node: In SEM, a single Agent, syslog, or SMTP instance that sends events to SEM. For example,
an environment with 10 routers, 50 switches, 5 firewalls, 300 servers, and 500 workstations has 865
nodes sending data to SEM Manager.

Alert: See event.

Appliance: Originally, SEM was sold as a physical appliance that you deployed on your network.
Today, SEM is the virtual image of a Linux-based appliance.

CMC: A command-line interface you can use to interact with the SEM Manager VM to perform routine
administrative tasks without root access.

Connector: In SEM, a connector is a stand-alone file that allows SEM to monitor and interact with
third-party vendor products, for example a firewall, an anti-virus application, a router, and so on. Each
connector is named after the specific product that it is designed to support.
Connectors can reside either on a SEM Agent, or on the SEM VM. Connectors installed on an Agent
monitor local log files, but they can also monitor events sent from remote devices that cannot run an
Agent. Connectors can intercept syslog events sent by third-party network devices and translate them
into normalized events. Whereas SEM Agents actively send normalized log events to the SEM
Manager, connectors rely on the host system to send syslog events to the SEM Manager.
Connectors have two subtypes: sensors and actors. A sensor retrieves data from the product that the
connector supports, whereas an actor carries out active responses.

Correlation: See event correlation.

Directory service group: In SEM, directory service groups are Windows user and computer accounts
that SEM pulls from Active Directory. You can associate directory service groups with rules and filters.
Use directory service groups if Active Directory is available so that you do not have to manually
update lists of user and computer accounts in user-defined groups.

Event: Any alert or notification written to a log that is monitored by SEM. In SEM, the terms event and
alert are interchangeable.

Event correlation: The process of extracting useful and/or significant information from the large
number of events flowing in to SEM. Event correlation works by looking for and analyzing
relationships between different event sources.

Event distribution policy: SEM's event distribution policy controls how events are routed through the
system. By configuring the event distribution policy, you can disable (or exclude) specific event types
at the event level from being sent to the SEM console and/or the SEM database. Use the event
distribution policy to prevent events of little or no value from being processed by the console or
stored in the database.

Event group: A group type used to organize events for use with rules and filters. If you use an event
group in a rule, SEM fires the rule when any event in the group triggers an alert.

Event response: See active response.

Facility code: A numeric code specified by the syslog protocol to identify the type of program that is
logging the message. Sixteen facility codes, ranging from 0 (kernel messages) to 15 (clock daemon),
are reserved for known program types, whereas facility codes 16 through 23 are reserved for local use
(local use 0 up to local use 7). In SEM, facility codes are used to route vendor-specific events to
designated log files.

Filters: Filters capture events and alerts that take place on your network. Filter conditions can be
broad or specific. For example, you can create a filter without conditions that captures all events,
regardless of the source or event type, or you can create a filter that has one specific condition, such
as UserLogon Exists, which only captures user logon events. SEM ships with filters that support best
practices in the security industry. You can modify these filters to meet your needs.

Filter groups: Also called filter categories. Filter categories are used to organize filters in SEM. SEM
installs with seven default categories in the Filters pane: Overview, Security, IT Operations, Change
Management, Authentication, Endpoint Monitoring, and Compliance. Administrators can remove or
rename these categories, or add new categories as needed.

File Integrity Monitoring: Also called FIM. A SEM feature that monitors system and user file activity to
protect sensitive information from theft, loss, and malware. FIM detects changes to critical files and
registry keys to ensure that they are not accessed or modified by unauthorized users. FIM helps
systems comply with regulations, including the Payment Card Industry Data Security Standard
(PCI DSS), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and Sarbanes-Oxley.
FIM is enabled either by adding a FIM connector to a node, or by adding FIM to an existing connector
profile.

Flat file log: Any log output to one or more ASCII-based text files. Systems that write to flat file logs
include Linux system logs, web server logs, DNS server logs, custom application logs, and others.

Groups: In SEM, groups organize related elements into logical units so that they can be used in rules
and filters. Various group types are used to group events, data elements (such as IP addresses, user
names, web site URLs, and so on), Active Directory users and computers, email templates, Agents and
connectors, and time-of-day sets.

Hypervisor: Computer software that runs virtual machines. The SEM VM can be installed on two
hypervisors: Microsoft Hyper-V Server, and VMware vSphere ESX 4.0 or ESXi 4.0 and later.

SEM Manager: The SEM component that collects and processes log messages sent by one or more
network systems. The SEM Manager consists of a syslog server, an optimized database, a web
server, a correlation engine, and a hardened Linux operating system. SEM Manager is deployed as a
single VM to a hypervisor (either Hyper-V or vSphere) running on Windows Server.

Local Agent Installer: A standalone installer that you or another administrator runs on a local host
system to install the SEM Agent. The Local Agent Installer can be used for attended or unattended
SEM Agent installations. Also see Remote Agent Installer.

Manager: See SEM Manager.

NCR: An initialism for New Connector Request. An NCR is a request for SolarWinds to create a
connector for a system or application that does not have one.

NCD: An initialism for New Connector Data. An NCD is a request for SolarWinds to update an existing
connector to receive data that is either being missed or is coming in as unmatched.

nDepth log retention: See Raw log retention.

nDepth search engine: The nDepth search engine can locate any event data, or any original log
message that passes through a particular SEM Manager instance. The log data is stored in real time
as it occurs from each host (network device) and source (application or tool) that is monitored by the
SEM Manager. You can use nDepth to conduct custom searches, investigate your search results with
graphical tools, investigate event data in other SEM explorer utilities, and take action on your findings.

Node: An Agent instance monitored by SEM. On the SEM Console, navigate to Configure > Nodes to
display the Agents monitored by each of your SEM Managers.

Normalization: The process by which SEM translates raw log data into a standard format prior to
storing the message in the database. The SEM Manager component and the SEM Agent component
are both capable of normalizing raw event messages received from devices on a network. If the
nDepth log retention feature is enabled, SEM also saves raw (unnormalized) log messages in a
separate nDepth data store.

Ops Center: See Ops Center view.

Ops Center view: In the web console, the user interface view that provides a dashboard made up of
multiple widgets to help identify trends and problem areas in the network. Administrators can
customize the dashboard by adding, editing, and removing widgets.

Raw log retention: The raw log retention component in SEM is a separate data store to which you can
send raw (unnormalized) log messages. The database is an optional component that is disabled by
default. To save raw log messages, you need to enable it. (Prior to 2020.4 this was called nDepth log
retention. Note that, other than the name, the nDepth log retention component was unrelated to the
nDepth search engine.)

Remote Agent Installer: A standalone installer that pushes SEM Agents to Microsoft Windows hosts
across your network without the need to step through an installation wizard. The installer unzips the
installation files to a temporary folder of your choice, searches for Windows systems across the
network, and installs the SEM Agent one at a time to the targeted systems. Also see Local Agent
Installer.

Reports application: An optional SEM component that can schedule and execute over 300 audit-
proven reports. Install the reports application on either a workstation or a separate networked server.
The SEM reports application requires the free Crystal Reports runtime application.

Roles: SEM uses roles to restrict user access to sensitive data. Each SEM user account must be
assigned to one of six SEM role types: Administrator, Auditor, Monitor, Contact, Guest, and Reports.

Rules: Rules monitor event traffic and automatically respond to events in real time. When an event (or
a series of events) meets a rule condition, the rule prompts the SEM Manager to carry out a response
action. A response action can be discreet, such as sending notifications to the appropriate users by
email; or it can be active, for example blocking an IP address or stopping a process.

Sensor: A connector sub-type that cannot perform an active response. On the SEM Console, a blue
connector icon represents a sensor connector. See also actor.

Severity: In the syslog protocol, severity is a numeric code used to specify the urgency of the
notification. Severity ranges from 0 (emergency: system is unusable) to 7 (debug: debug-level
messages).

SIEM: A category of software products and services that monitor and analyze security events
generated by applications and hardware devices on a network and send notifications when a set
threshold is reached. Security Event Manager (SEM) is a fully-featured SIEM solution. SIEM is an
initialism for security information and event management.

Single sign-on: SEM supports Active Directory single sign-on (SSO). When enabled, SEM does not
request a user name and password if the user is already logged in to Active Directory (AD). Instead,
AD authenticates the user in the background, and automatically logs the user in to SEM with the
appropriate user access rights.

SNMP, SNMP monitoring: Simple Network Management Protocol is used to collect information from
network devices. SEM can receive SNMP traps from SolarWinds solutions to correlate performance
alerts with SEM events. SEM can also send SNMP traps to SolarWinds solutions to enable NPM to
monitor CPU, memory, and other critical SEM components.

SSO: See single sign-on.

Syslog: A message logging protocol used by a wide range of devices, including most network devices,
such as routers, switches, and firewalls. Devices send event notification messages to a central
logging server (a syslog server) that consolidates logs from multiple sources. Syslog messages have
a numeric facility code to specify the type of program that is logging the message (SEM uses the
facility code to route messages to a log), and a numeric severity level to specify the urgency of the
notification.
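The Facility code, Severity, Normalization and Syslog entries describe the same mechanics: a syslog PRI value encodes facility and severity together (PRI = facility × 8 + severity, as defined by RFC 3164), the receiver decodes it, turns the raw line into a normalized record, and uses the facility to route the message to a log. The script below is an added example that is not SEM code and does not reproduce SEM's connectors or normalized schema; the field names, the facility-to-file routing table and the sample log lines are constructed for illustration.

```python
import re
from typing import Optional

# Facility names in syslog protocol order (RFC 3164): 0 is kernel, 15 is the
# second clock daemon code, and 16-23 are local0 to local7, reserved for local use.
FACILITIES = [
    "kernel", "user", "mail", "daemon", "auth", "syslogd", "lpr", "news",
    "uucp", "clock-daemon", "authpriv", "ftp", "ntp", "audit", "alert", "clock-daemon-2",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity levels 0 (emergency: system is unusable) to 7 (debug).
SEVERITIES = [
    "emergency", "alert", "critical", "error",
    "warning", "notice", "informational", "debug",
]

# Constructed routing table: which log file receives each facility. This stands in
# for the vendor-specific routing SEM does on facility codes and is an assumption.
FACILITY_ROUTES = {"local0": "firewall.log", "local4": "network-devices.log"}
DEFAULT_ROUTE = "syslog.log"

# BSD-style syslog line: <PRI>TIMESTAMP HOST TAG[PID]: MESSAGE
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def split_pri(pri: int) -> tuple:
    """Decode a PRI value into (facility, severity); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:          # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def normalize(line: str) -> Optional[dict]:
    """Turn one raw syslog line into a normalized record.

    Returns None when the line does not parse, so the caller can keep the raw
    text in a separate store instead of silently dropping it.
    """
    m = _LINE.match(line)
    if not m:
        return None
    facility, severity = split_pri(int(m.group("pri")))
    return {
        "facility_code": facility,
        "facility": FACILITIES[facility],
        "severity_code": severity,
        "severity": SEVERITIES[severity],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "program": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
        "raw": line,                 # keep the unnormalized text alongside
    }


def route(event: dict) -> str:
    """Choose the destination log file from the event's facility name."""
    return FACILITY_ROUTES.get(event["facility"], DEFAULT_ROUTE)


# Constructed sample lines; not captured from any real network.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 fw01 sshd[1234]: Failed password for invalid user admin from 10.0.0.5 port 4242 ssh2",
    "<165>Oct 11 22:14:16 rtr01 %SYS-5-CONFIG_I: Configured from console by vty0",
    "<13>Oct 11 22:14:17 app01 myapp: user alice logged in",
    "this line is not syslog at all",
]


def process(lines) -> tuple:
    """Normalize every line; return (normalized events, unmatched raw lines)."""
    events, unmatched = [], []
    for line in lines:
        event = normalize(line)
        if event is None:
            unmatched.append(line)
        else:
            events.append(event)
    return events, unmatched


if __name__ == "__main__":
    events, unmatched = process(SAMPLE_LINES)
    for ev in events:
        print(f"{route(ev):20} {ev['facility']:8} {ev['severity']:13} {ev['host']} {ev['program']}")
    print("unmatched:", unmatched)
```

Two points worth noticing: a PRI of 34 decodes to facility 4 (auth) at severity 2 (critical), while 165 decodes to local4 at severity 5 (notice), so a site that has its routers log to local4 can route them to their own file without inspecting the message text; and the unmatched list is what the raw log retention entry above is for, since a line that fails normalization is still evidence.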

Syslog server: A software application (such as Kiwi Syslog Server) that collects syslog messages and
SNMP traps from network devices (such as routers, switches, and firewalls).

USB defender: A free add-on for all SEM Agents installed on Windows computers. USB defender
tracks events related to USB mass storage devices like flash drives and smart phones, and allows the
SEM Manager to send commands to detach offending devices both manually and automatically.

User-defined group: User-defined groups are groups of data elements that can be used in rules and
filters to match, include, or exclude events, information, and data fields. Data elements can be IP
addresses, user names, email addresses, web site URLs, and so on.

Virtual appliance: A type of virtual machine that hosts a single application on a hypervisor. To keep
things simple, the SEM documentation refers to the SEM virtual appliance as the SEM virtual machine
(or the SEM VM). The SEM virtual appliance runs on a hardened, Linux-based software stack that
includes a database, a web server, a correlation engine, a syslog server, and an SNMP trap receiver.

vSphere: A hypervisor distributed by VMware. The SEM virtual machine can be deployed on vSphere.

Widget: A user interface component that provides special dashboard functionality, such as displaying
real-time information about network activity, or providing tools for investigating events and related
details.
