
Filters and filter groups

Created by Caroline Juszczak, last modified by Kevin.Swinson on Oct 30, 2017


A filter is a subset of events that focuses on specific types or groups of events. When you configure a filter, you can examine and use individual event properties to determine which events appear in a filter.

The LEM console uses event filters to manage events. You can turn filters on and off, pause filters to sort or investigate events, perform actions to respond to events, and configure filters to notify you when they capture a particular event. Filters can also display widgets, which are charts and graphs that visually represent the event data. When you implement filters in the LEM Console, they apply to all data sent from every manager monitored by the console.

SolarWinds LEM ships with many commonly used filters that support best practices in the security industry. You can also create your own custom filters or modify existing filters to meet your needs. The LEM console can store an unlimited number of filters.

Filters are managed in the Filters pane, located in the Monitor view. The pane stores all of the filters that can be applied to the console's events grid.

[Screenshot: the Filters pane]

Filter Attributes

Each filter category contains multiple filters with corresponding values, and each value represents the total number of current events associated with the filter. When you hover your mouse pointer over a filter, a tooltip appears that describes the purpose of the filter (when available). Filters that appear in italics are currently turned off.

You can use the Filters pane to perform a variety of functions, such as creating filter groups for storing and organizing filters, enabling or pausing filters, moving filters between groups, and importing and exporting filters.

Standard LEM filters

LEM includes commonly-used filters that support best practices in the security industry. The filters are divided into seven filter groups in the Filters pane:

  • Overview
  • Security
  • IT Operations
  • Change Management
  • Authentication
  • Endpoint Monitoring
  • Compliance

In the tables below, the Default Status column indicates whether the filter is On (visible) or Off (hidden) by default.

To add your own custom filters, see Using the console.

If you are installing an upgrade, LEM automatically converts your existing filters into the new graphical format. See Using the console for details.

Overview

Name | Description | Default Status
All Events | Displays all events from all sources. | On
Subscriptions | Filters events related to rules to which the specified user is subscribed. | On
LEM Internal Events | Filters events related to LEM operations, including informational, warning, and audit events. | On
Rule Activity | Displays all activated rules. | On

Security

Name | Description | Default Status
Incidents | Filters all events categorized as Incidents. | On
Security Events | Filters events categorized as attack activity or potentially suspicious. | On
Network Event Threats | Filters network events with a source or destination detected in the threat intelligence feed as a potentially bad actor. | On
All Firewall Events | Filters events from firewall devices that match the targeted name. | On
All Threat Events | Filters all events with a source or destination detected in the threat intelligence feed as a potentially bad actor. | On
Denied ACL Traffic | Filters events from network devices that indicate denied ACL activity. | Off
Unusual Network Traffic | Filters unusual network traffic and scans. | On
Blocked Web Traffic | Filters events from proxy servers or other web servers that blocked an attempt to access a URL. | On
Proxy Bypassers | Filters web traffic from users who are bypassing your proxy server. | Off
Web Traffic - Spyware | Filters web traffic events to potential spyware sites. | Off
Virus Attacks | Filters events that indicate potential virus detection. | On
IDS Scan / Attack Activity | Filters security events detected by IDS tools (such as Snort). | On
Security Processes | Filters security-related process activity. | On
File Audit Failures | Filters events that indicate failed attempts to access files. | On

IT Operations

Name | Description | Default Status
All Domain Controller Events | Displays all traffic from machines in the Domain Controllers tool profile. | Off
All Web Traffic | Filters all web traffic-related events from network devices, proxy servers, and web servers. | On
Software Installation/Update | Filters events related to software installation and updates. | On
Service Events | Filters events related to starting and stopping services, as well as service warnings and information. | On
System Events | Filters events related to system availability and status information. | On
Error Events | Filters events from all sources that contain "error". | On
Warning Events | Filters events from all sources that contain "warning". | On
Windows Error Events | Filters events from Microsoft Windows event logs that contain "error". | On
Error Events for Device | Filters events from a specific device that contain "error". | Off
Web Traffic for Source Machine | Filters web traffic emanating from a specific source machine. | Off
All Network Traffic | Filters all network traffic-related events from all devices and systems. | On
FTP Traffic | Filters TCP traffic events between one or more FTP ports reported by any device or system. | On
SNMP Traffic | Filters UDP traffic events between one or more SNMP ports reported by any device or system. | On
SMTP Traffic | Filters TCP traffic events between one or more SMTP ports reported by any device or system. (SMTP runs over TCP; the filter does not match UDP traffic.) | On

Change Management

Name | Description | Default Status
General Change Management | Filters all events that indicate changes to devices, systems, users, groups, and domains. | On
User Account Changes | Filters changes to existing user accounts. | On
Machine Account Changes | Filters changes to existing machine accounts. | On
Group Changes | Filters creation, deletion, and changes to groups. | On
Domain & Membership Changes | Filters new and deleted domain accounts (including users/groups) and domain changes. | On
Device/System Policy Changes | Filters events related to policy changes on devices and systems. | On
All File Audit Activity | Filters events related to all types of audited file access. | On
USB File Auditing | Filters file-related alerts from agents running USB Defender. | On

Authentication

Name | Description | Default Status
User Logons | Filters all types of user logons. | On
Interactive User Logons | Filters interactive user logons, excluding background network logon types. | On
Remote User Logons | Filters events that indicate remote Windows system logons. | On
Failed Logons | Filters events that indicate failed logon attempts to devices and systems. | On
Account Lockouts | Filters events that indicate an account was locked out. | On
Authentication Event Threats | Filters authentication events with a source or destination detected in the threat intelligence feed as a potentially bad actor. | On
Admin Account Authentication | Filters authentication events related to specified administrative accounts. | Off

Endpoint Monitoring

Name | Description | Default Status
Workstation Logon/Logon Failure Activity | Filters non-network workstation logons and logon failures to a domain or local account. | On
Local Account Authentication/Changes | Filters any user-related audit events that are not to or from the corporate domain. | On
Software Installed on Workstations | Filters software installations on workstation systems. | On
USB-Defender Events | Filters USB Defender events. | On
Workstation Events with Threats | Filters all events detected on endpoints with a source or destination detected in the threat intelligence feed as a potentially bad actor. | On

Compliance

Name | Description | Default Status
Top PCI Events | Filters the most common PCI events of interest, which include change management, unexpected file access, incidents, and attacks. | Off
Top HIPAA Events | Filters file activity, changes, and incidents related to HIPAA events. | Off
Top Banking Compliance Events | Filters common banking compliance events, including change management, users and groups, and potentially suspicious attack activity. | Off
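The following Python script is an added example, not SolarWinds code and not the LEM console's own filter implementation. It models the concepts described above (filter groups, On/Off and paused states, per-filter event counts, and property-based predicates such as the port-based traffic filters, the "contains 'error'" filter, the logon-type filters, and the threat-feed filters) over a handful of constructed, normalized events. The event field names (event_type, protocol, src_port, dest_port, src_ip, dest_ip, logon_type, message), the port sets, and the threat-feed contents are assumptions made for the example.

```python
"""Toy model of LEM-style filters and filter groups (added example, not SolarWinds
code). Event field names, port sets and the threat-feed contents are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Event = Dict[str, object]
Predicate = Callable[[Event], bool]

FTP_PORTS, SMTP_PORTS, SNMP_PORTS = {20, 21}, {25, 465, 587}, {161, 162}  # assumed port sets
THREAT_FEED = {"203.0.113.9"}  # constructed stand-in for a threat intelligence feed

@dataclass
class Filter:
    name: str
    predicate: Predicate
    enabled: bool = True    # Off filters are listed in italics and collect nothing
    paused: bool = False    # a paused filter keeps its events but accepts no new ones
    matched: List[Event] = field(default_factory=list)

    def offer(self, event: Event) -> bool:
        """Add the event to this filter if it is live and its predicate matches."""
        if self.enabled and not self.paused and self.predicate(event):
            self.matched.append(event)
            return True
        return False

    @property
    def count(self) -> int:
        """The number shown next to the filter name in the Filters pane."""
        return len(self.matched)

@dataclass
class FilterGroup:
    name: str
    filters: List[Filter]

def contains(word: str) -> Predicate:
    """Events whose message contains the word, case-insensitively (e.g. Error Events)."""
    return lambda e: word in str(e.get("message", "")).lower()

def port_traffic(protocol: str, ports: set) -> Predicate:
    """Traffic events on the given protocol with either endpoint on one of the ports."""
    return lambda e: e.get("protocol") == protocol and (
        e.get("src_port") in ports or e.get("dest_port") in ports)

def threat_match(e: Event) -> bool:
    """Source or destination address listed in the threat feed."""
    return e.get("src_ip") in THREAT_FEED or e.get("dest_ip") in THREAT_FEED

def build_groups() -> List[FilterGroup]:
    """A subset of the standard filters, with their default On/Off status."""
    return [
        FilterGroup("Overview", [Filter("All Events", lambda e: True)]),
        FilterGroup("Security", [Filter("All Threat Events", threat_match)]),
        FilterGroup("IT Operations", [
            Filter("Error Events", contains("error")),
            Filter("FTP Traffic", port_traffic("TCP", FTP_PORTS)),
            Filter("SMTP Traffic", port_traffic("TCP", SMTP_PORTS)),
            Filter("SNMP Traffic", port_traffic("UDP", SNMP_PORTS)),
            Filter("Denied ACL Traffic", lambda e: e.get("event_type") == "ACLDenied",
                   enabled=False),  # Off by default, so it counts nothing until turned on
        ]),
        FilterGroup("Authentication", [
            Filter("Failed Logons", lambda e: e.get("event_type") == "UserLogonFailure"),
            Filter("Interactive User Logons", lambda e: e.get("event_type") == "UserLogon"
                   and e.get("logon_type") == "interactive"),
        ]),
    ]

def run(groups: List[FilterGroup], events: List[Event]) -> Dict[str, int]:
    """Offer every event to every filter in every group; return per-filter counts."""
    for event in events:
        for group in groups:
            for flt in group.filters:
                flt.offer(event)
    return {flt.name: flt.count for group in groups for flt in group.filters}

def find_filter(groups: List[FilterGroup], name: str) -> Filter:
    return next(f for g in groups for f in g.filters if f.name == name)

# Constructed sample events, normalized the way a connector would emit them.
SAMPLE_EVENTS: List[Event] = [
    {"event_type": "TCPTrafficAudit", "protocol": "TCP", "src_ip": "10.0.0.5",
     "dest_ip": "198.51.100.7", "src_port": 51000, "dest_port": 21, "message": "allowed"},
    {"event_type": "TCPTrafficAudit", "protocol": "TCP", "src_ip": "203.0.113.9",
     "dest_ip": "10.0.0.25", "src_port": 40000, "dest_port": 25, "message": "allowed"},
    {"event_type": "UDPTrafficAudit", "protocol": "UDP", "src_ip": "10.0.0.5",
     "dest_ip": "10.0.0.2", "src_port": 52000, "dest_port": 161, "message": "snmp get"},
    {"event_type": "UserLogonFailure", "logon_type": "network", "src_ip": "10.0.0.50",
     "message": "Logon failure: bad password"},
    {"event_type": "UserLogon", "logon_type": "interactive", "message": "Logon success"},
    {"event_type": "GeneralError", "message": "Database connection error"},
    {"event_type": "ACLDenied", "protocol": "TCP", "dest_port": 445, "message": "denied by ACL"},
]

if __name__ == "__main__":
    print(run(build_groups(), SAMPLE_EVENTS))
```

Running the script prints the per-filter counts for the seven constructed events: All Events sees all seven, the three port filters see one each, and Denied ACL Traffic stays at zero because it is Off by default. Setting a filter's `paused` attribute freezes its count while the other filters keep accepting events, and setting `enabled` to True on Denied ACL Traffic lets it start matching, which is the same behaviour the Filters pane exposes through its on/off and pause controls.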
