This guided tour will show you the functionality in SolarWinds Security Event Manager (SEM) that enables proactive monitoring of your infrastructure. SEM has over 700 built-in correlation rules and hundreds of active responses that allow you to respond in real time to security issues that could compromise data in your environment.
This is Rob Johnson, SolarWinds Sales Engineer. This is a guided tour of Security Event Manager, or LEM. SEM allows you to easily use log data for real-time analysis, forensics, active response, correlation and automated reporting. LEM is a virtual appliance that operates on VMware vSphere versions 4.0 or later, as well as Microsoft Hyper-V 2008 and 2012. The SEM appliance comes complete with the operating system, database, and all of the necessary tools for a quick and easy implementation.

Let's get started in the SEM console with real-time log analysis. The Ops Center Dashboard is a graphical representation of your log data which includes a number of widgets that help you get started with LEM, identify problem areas and show trends. You can select from the widget library or add custom widgets to create a dashboard reflective of your log activity. If you want to drill into detailed events from a specific widget, simply click on the particular point of interest. For example, in the "Top 10 Users by Number of Events" widget, there is a large amount of data coming from the Administrator account. To see more details, simply click on the username for a list of events.

The Monitor section allows you to view events in real time as they are happening on your network. If you want to look at a particular event's details, simply click on the event, and the details will appear in the lower right-hand side of the console. If you want to focus on specific types of events, use filtering. Filters are located on the left-hand side and can be used for the different types of activity that you want to monitor on your network. SEM includes a number of pre-configured filters that are organized in groups such as Security, IT Operations, Compliance and more. Within the Monitor section, you can also create a visual representation of the data. These widgets are designed to surface trends or anomalies that may otherwise go unnoticed, and they can also be added to your Ops Center dashboard.
Correlation is the key to effective log analysis. LEM automatically enables a number of correlation rules to capture common situations like excessive traffic or failed logons. Similar to the Monitor section, an extensive rule library includes hundreds of additional rules for common security, operations and compliance needs. You may also want to create your own rules that automatically alert you to certain types of events or sequences, based on what you discover in the Monitor or Ops Center sections of the console. To locate rules within LEM, just type a keyword into the search utility here. For example, type in "user", and it will immediately locate all the user-based rules.

It is very easy to edit existing rules or even create new rules using LEM's drag-and-drop interface. For example, this rule detects any user account that is being created within the network. If it sees that behavior, it will automatically alert you with an email message. You can also expand the capabilities of this rule by allowing it to take an action. There are dozens of actions to choose from, such as blocking an IP address, disabling user accounts, detaching USB devices and many more. To disable an account that is creating additional users, drag and drop "Disable Domain User Account" into the Actions area of the rule. Now, not only will this rule alert someone to this activity, but it will stop the user from creating any additional accounts. You can also build more complex rules that include thresholds to correlate activity from single or multiple sources. For example, you could detect several accounts being created and/or deleted within a specific time frame.

nDepth can be used for forensics, historical analysis and ad-hoc reporting. Let's look at the log data over the last 10 minutes. As you can see, not only does SEM provide the search results, but it visually surfaces useful activity patterns.
For example, in this histogram, we see an unusual spike of events within a block of time that may warrant further investigation. The Word Cloud below identifies that a single system is generating the majority of the event data in the query. Additional charts and graphs provide useful analysis in an attempt to surface. Finally, the event data is broken into several categories here on the left, making it easy for you to identify the individual events and counts, log sources, IP addresses and host names, user names and more. If you wish to investigate further, you can easily click or double-click to drill down into the details. For example, clicking on the system name within the Word Cloud adds it to the search bar. Then, clicking the search button will rerun the search and narrow the results. The row of icons at the bottom of the console allows you to visually organize the data and view the results of your analysis. If you wish to provide this data as a report, simply click on the gear icon here on the right and select "Export" to design and save your report.

For automated reporting, SEM provides hundreds of built-in reports covering all areas of your log data. Reports can also be used as a living archive for immediate access to historical information. For compliance purposes, SEM provides packages of audit-proven reports that meet requirements for the federal, financial, retail and health care industries. To view all the reports for a particular category, select it and click "Okay." You can schedule reports to run on a regular basis and automatically export them in a number of formats including TXT, PDF, HTML, DOC and more.

For more information on Security Event Manager and to download a free 30-day trial, please visit www.solarwinds.com.
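The threshold rule described in the correlation section above (several accounts created and/or deleted by one user within a time window, followed by an automated "disable account" response) can be sketched outside the SEM console to show what such a rule actually evaluates. The following Python is an added example written for this page, not SolarWinds code and not SEM's rule engine; it assumes Windows Security event IDs 4720 (user account created) and 4726 (user account deleted), and the sample events and the `disable_domain_account` stand-in are constructed for the demonstration.

```python
"""Sliding-window threshold correlation over Windows account-lifecycle events.

Added example, not SolarWinds/SEM code. Assumes Windows Security event IDs
4720 (user account created) and 4726 (user account deleted). The records in
SAMPLE_EVENTS are constructed for this demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, shaped like the fields a SIEM normalizes from
# Windows Security log entries: who did it (subject) and to which account (target).
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:05", "event_id": 4720, "subject": "jdoe", "target": "svc_backup1"},
    {"time": "2024-03-01T09:00:40", "event_id": 4720, "subject": "jdoe", "target": "svc_backup2"},
    {"time": "2024-03-01T09:01:10", "event_id": 4726, "subject": "jdoe", "target": "tmp_user"},
    {"time": "2024-03-01T09:01:30", "event_id": 4720, "subject": "jdoe", "target": "svc_backup3"},
    {"time": "2024-03-01T09:30:00", "event_id": 4720, "subject": "helpdesk", "target": "newhire01"},
    {"time": "2024-03-01T11:00:00", "event_id": 4720, "subject": "helpdesk", "target": "newhire02"},
    {"time": "2024-03-01T11:00:01", "event_id": 4624, "subject": "jdoe", "target": "jdoe"},  # logon, ignored
]

# Only account create/delete events count toward the threshold.
ACCOUNT_LIFECYCLE_EVENT_IDS = {4720: "created", 4726: "deleted"}


def disable_domain_account(username, disabled):
    """Stand-in (hypothetical) for the 'Disable Domain User Account' response.

    A real response would call the directory service; here the account name is
    recorded in `disabled` so the example runs offline and can be checked.
    """
    disabled.add(username)


def correlate_account_churn(events, threshold=3, window=timedelta(minutes=5), respond=None):
    """Fire once per subject when `threshold` create/delete events attributed to
    that subject fall within `window`.

    Returns a list of alert dicts; `respond(subject)` is invoked for each alert
    when supplied, modelling the rule's Actions area.
    """
    history = defaultdict(deque)  # subject -> deque of (timestamp, event) inside the window
    alerts = []
    already_fired = set()

    # ISO-8601 timestamps sort correctly as strings, so event order is preserved.
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] not in ACCOUNT_LIFECYCLE_EVENT_IDS:
            continue
        ts = datetime.fromisoformat(ev["time"])
        subject = ev["subject"]
        recent = history[subject]
        recent.append((ts, ev))
        # Drop events that have aged out of the sliding window.
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if len(recent) >= threshold and subject not in already_fired:
            already_fired.add(subject)  # alert once per subject, not on every later event
            targets = [e["target"] for _, e in recent]
            alert = {
                "subject": subject,
                "triggered_at": ev["time"],
                "count": len(recent),
                "targets": targets,
                "message": (f"{subject} created/deleted {len(recent)} accounts "
                            f"within {int(window.total_seconds())}s: {', '.join(targets)}"),
            }
            alerts.append(alert)
            if respond is not None:
                respond(subject)
    return alerts


if __name__ == "__main__":
    disabled = set()
    for a in correlate_account_churn(SAMPLE_EVENTS,
                                     respond=lambda u: disable_domain_account(u, disabled)):
        print("ALERT:", a["message"])
    print("disabled accounts:", sorted(disabled))
```

Running it produces one alert for `jdoe` (three account lifecycle events inside five minutes) and none for `helpdesk`, whose two creations are ninety minutes apart; the window and threshold are the two knobs a rule author tunes against normal provisioning volume before enabling an automatic disable action, since a false positive here locks out an administrator.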