SOLARWINDS LOG & EVENT MANAGER (LEM):USE CASESSIEM is an integral piece of any effective security plan and goes well beyond compliance purposes. SIEMtechnology provides critical insight into network activity to detect threats, thwart attacks, and respond tobreaches—external and internal. The goal of SIEM is to provide actionable intelligence to mitigate risks andremediate incidents as fast as possible, be it a security risk or IT operational issue.The purpose of this document is to highlight the many use cases of SolarWinds Log & Event Manager (LEM)—aSIEM and log management solution that provides log collection, analysis, and true real-time, in memory eventcorrelation to address an ever-increasing list of security threats, operational challenges, and compliancerequirements faced by network and security admins.Security MonitoringSolarWinds LEM collects log and event data from security devices and applications and provides real-time analysis and correlationto deliver immediate awareness of security related issues like viruses, unauthorized access, denial of service, and a plethora ofother security events. LEM has over 30 built-in automated responses, includingthe ability to disconnect an offending machinefrom the network at the NIC card level, start/stop services, kill applications, remove suspicious users from an administrativegroup, detect and prevent unapproved USB usage, and many more. Helpful resources to configure security devices and applications::- The complete list of Knowledge Base (KB) articles to configure connectors:Log and Event Manager Connector List- Commonly used connectors:Integrating Check Point with LEMIntegrating Juniper Firewalls with LEMConfiguring MSSQL Auditor on a LEM Agent How-to set up rules and take actions in real time:- LEM comes with a set of rules enabled by default. While none of these rules perform any action on the network,they do escalate events to security alerts, based upon inference- How-To KB: Creating Rules from LEM to take Automated Actions- How-To Video:Creating Rules in your LEM ConsoleActively Defending Your Network with LEM Custom Rules- List of KBs on how active responses work:LEM Active Responses- Commonly used Active Responses:How does the Disable Networking Active Response work?How do the Kill Processes Active Responses work?How does the Block IP Active Response work?Share:

ComplianceLEM provides complete report packages for nearly all of the regulated industries to include PCI, GPG13, ISO, SOX, GLBA, NIST/FISMA, NCUA, FERPA, NERC/CIP and more.LEM allows you to: Utilize over 300 built-in compliance report templates Filter information to customize reports for specific departments or recipients Produce graphical summaries to enhance your high-level reports Support forensic analysis findings with detailed reports Export reports to a variety of standard formatsGenerating reports with LEM is simple and easy. You can utilize over 300 built-in report templates for internal and externalregulatory compliance reports, such as: PCI DSS, GLBA, SOX, NERC CIP, or HIPAA, or create a custom report using LEM’sintuitive reporting console.Learn more about how to meet compliance requirements using LEM here: LEM PCI (Whitepaper) Compliance Security Simplified with LEM (Video) LEM Reports (Video)Change ManagementLEM can provide constant real-time awareness of change management activity across the enterprise. Customers can be alertedwhen changes occur on routers, switches, firewalls, user accounts, Active Directory , and more. Active Responses can beattached to correlation rules to automatically mitigate change activity like privilege escalation or de-escalation.Learn more about LEM’s change management features here: Creating Rules from your LEM Console to Take Automated Action (KB article) Creating Rules in your LEM Console (Video)Change-related rules that ship with LEM:Built-in change management reports:Share:

Application and Server MonitoringLEM provides the ability to monitor and control what applications can be utilized. It also provides visibility into critical serviceactivity in the network to ensure everything remains operational. Additionally, correlation rules can be applied to automaticallyrestart a critical service if it’s stopped. This can be accomplished by defining a “Group” by specifying which processes shouldbe running or which should not according to industry standards.Learn more about application and server monitoring with LEM here: Getting Started with User Defined Groups (KB article) Creating Rules from your LEM Console to Take Automated Actions (KB article) Configuring MSSQL Auditor on a LEM Agent (KB article) Integrating your Oracle Database with SolarWinds LEM (KB article)User Activity MonitoringLEM provides real-time visibility into a user’s behavior on the network, including Web usage, application usage, file access,and more.Why Should I Monitor Successful Logon Attempts?Although it may not seem intuitive to manage successful logon attempts, it’s good practice to keep an eye out for successfullogons that occur after multiple failed attempts. For example, if there are 50 failed attempts on a server or router followed by asuccessful logon, does it imply that the user simply remembered their credentials? Or does it mean that a hacker finally brokein and now has access? What about the case where a user logs on to the network at the headquarters and two hours later hasa successful logon from the other side of the world? Monitoring successful logons can be very beneficial when correlated withother log activity.User activity rules that ship with LEM:Available User-based Active Responses within LEM:Share:

File Activity MonitoringLEM provides real-time and historical visibility into file activity. Whether it’s the notification of inappropriate file access orsearching for that person who deleted an important document, LEM provides quick and easy access to the event data thatreflects file behavior and is essential for protecting sensitive information.Learn more about file activity monitoring with LEM here: Using the LEM Agent Installer for Windows (KB article) How to Enable File Auditing in Windows (KB article)Available reports on file auditing:Endpoint MonitoringAs system and security admins, we tend to monitor server logs in order to understand various system activities so we canisolate faults, security breaches, and policy violations. However, it’s also necessary to explore workstation logs for advancedsystem and user activity monitoring.Workstations are arguably one of the most vulnerable entities on your network. They process content from the Internet andemail, come in contact with infected files and external mass storage devices, and can connect to insecure networks overWi-Fi.Workstations generate a wealth of log data that provide detailed event information from the endpoint perspective. Whileserver logs remain paramount to monitoring system and user activity, monitoring workstation logs in addition to server logsmakes event analysis and user activity awareness even more comprehensive and actionable.Learn more about endpoint monitoring with LEM here:Why Workstation Log Management is Crucial for Network Security (Thwack article)USB Detection and PreventionLog & Event Manager includes built-in USB Defender technology that provides real-time notification when USB drives aredetected. This notification can be further correlated with network logs to identify potential malicious attacks coming fromUSB drives. With LEM’s USB Defender technology, you can take automated actions such as disabling user accounts, quarantiningworkstations, and automatically or manually ejecting USB devices. Additionally, LEM provides built-in reporting to audit USBusage over time.Learn more about USB detection and prevention with LEM here:How does the Detach USB Active Response work? (KB article)Share:

How to Allow USB Access for Select Devices on the NetworkLEM addresses the complexity of providing USB access to select USB devices with a few simple steps. Build a group of “Authorized” USB devices Identify “Authorized” devices Add “Authorized” USB devices to a User Defined GroupAdding “Authorized” USB Devices to User Defined Group in SolarWinds LEMHere’s a view of adding the group of authorized USB devices to a rule using LEM’s simple drag-and-drop interface:Troubleshooting and ForensicsLog & Event Manager includes built-in USB Defender technology that provides real-time notification when USB drives aredetected. Using real-time event monitoring, customers can gain visibility into issues that occur across the network. Eventsgenerated by operating systems and network and security equipment provide valuable information about overall networkhealth. LEM’s real-time correlation and notification can provide instant awareness and early indications of network issues.)Automate IT issue resolution and decrease incident response times. Address critical issues immediately by taking automated actions like quarantining infected machines, blocking IP addresses,disabling user accounts, killing unauthorized processes, restarting services, and more Leverage a library of built-in Active Responses to respond to operational issues and to jumpstart proactive defense ofyour environment right out of the boxLog & Event Manager provides a single interface to troubleshoot, investigate, analyze and respond to IT issues. Use ActiveReponses to automate actions that respond to events, avoid potential performance issues, and prevent problem recurrence.LEM includes an extensive library of built-in Active Responses that can be automatically executed, so you can start protectingyour infrastructure right out of the box.Share:

Built-in Active Responses include: Block an IP address Create, disable, or delete user accounts and user groups Kill processes by ID or name Log users off Remove user-defined group elements Reset user account passwords Restart or shutdown machines, send incident alerts, emails, popup messages, or SNMP trapsLearn more about troubleshooting and forensics features included in LEM here: Creating Rules for Real-Time Correlation and Response with LEM (Video) Defend your Network with LEM using Custom Rules (Video)IT ManagementInspired by You.SolarWinds (NYSE: SWI) provides powerful and affordable ITmanagement software to customers worldwide from Fortune 500enterprises to small businesses. In all of our market areas, our approachis consistent. We focus exclusively on IT Pros and strive to eliminatethe complexity that they have been forced to accept from traditionalenterprise software vendors. SolarWinds delivers on this commitmentwith unexpected simplicity through products that are easy to find, buy,use and maintain while providing the power to address any ITmanagement problem on any scale. Our solutions are rooted in ourdeep connection to our user base, which interacts in our onlinecommunity, thwack, to solve problems, share technology and bestpractices, and directly participate in our product development process.Learn more today at 11 S . MoPac E xpressway, Building Two, Austin, Texas 7874 6T: 866 . 530. 810 0 F: 512.682.9301 2013 SolarWinds Worldwide, LLC. All rights reserved. SOLARWINDS, SOLARWINDS & Design andother SolarWinds marks, identified on the SolarWinds website, as updated from SolarWinds from timeto time and incorporated herein, are registered with the U.S. Patent and Trademark Office and may beregistered or pending registration in other countries. All other SolarWinds trademarks may be commonlaw marks or registered or pending registration in the United States or in other countries. All othertrademarks or registered trademarks contained and/or mentioned herein are used for identificationpurposes only and may be trademarks or registered trademarks of their respective companies.