Hide this message
Welcome to the NEW Success Center. Search all resources (documentation, videos, training, knowledge base articles) or browse resources by product. If you are unable to find what you are looking for, please contact us at firstname.lastname@example.org
This article briefly goes over the differences between "Authentication - Suspicious Authentication" report and "Malicious Code" report in LEM.
Authentication - Suspicious Authentication report:
This report extracts all the "AuthSuspicious" alerts which have been sent to LEM. These events include excessive failed authentication or authorization attempts, suspicious access to unauthenticated users and suspicious access to unauthorized services or information. These depend on the events that the device in question is sending to LEM. If a windows server for example sends event logs to LEM to do with unauthorized users attempting to log in multiple times, then this would fall under the suspicious authentication report.
See page 469 under Appendix B: Events of the LEM User Guide, under the section SuspiciousBehavior. Here you will find a list of events that would fall under this category.
While the Malicious Code report would concentrate on a more narrow field, strictly just for any events that are related to malicious attack attempts. That is, Windows machine with antivirus sends event logs to LEM in relation to virus like behavior, or other malicious activity.
In the Appendix B: Events section of the LEM User Guide, the events list this would fall more under the categories of AttackBehavior.
With suspicious authentication reports, you would have more events related to suspicious activity included in the report. While in the Malicious code report it would be more towards, attack related activity in the logs that arrive to LEM.