Submit a ticketCall us

Announcing NCM 7.7
With NCM 7.7, you can examine the rules that make up an access control list for a Cisco ASA device. Then you can apply filters to display only rules that meet the specified criteria, order the rules by line number or by the hit count, and much more.
See new features and improvements.

Home > Success Center > Log & Event Manager (LEM) > Difference between "Authentication - Suspicious Authentication" report and "Malicious Code" report in LEM

Difference between "Authentication - Suspicious Authentication" report and "Malicious Code" report in LEM

Table of contents
Created by Ezgi Muderrisoglu, last modified by MindTouch on Jun 23, 2016

Views: 60 Votes: 0 Revisions: 4


This article briefly goes over the differences between "Authentication - Suspicious Authentication" report and "Malicious Code" report in LEM.


LEM 6.2


Authentication - Suspicious Authentication report:

This report extracts all the "AuthSuspicious" alerts which have been sent to LEM. These events include excessive failed authentication or authorization attempts, suspicious access to unauthenticated users and suspicious access to unauthorized services or information. These depend on the events that the device in question is sending to LEM. If a windows server for example sends event logs to LEM to do with unauthorized users attempting to log in multiple times, then this would fall under the suspicious authentication report.


See page 469 under Appendix B: Events of the LEM User Guide, under the section SuspiciousBehavior. Here you will find a list of events that would fall under this category.


While the Malicious Code report would concentrate on a more narrow field, strictly just for any events that are related to malicious attack attempts. That is, Windows machine with antivirus sends event logs to LEM in relation to virus like behavior, or other malicious activity.


In the Appendix B: Events section of the LEM User Guide, the events list this would fall more under the categories of AttackBehavior.


With suspicious authentication reports, you would have more events related to suspicious activity included in the report. While in the Malicious code report it would be more towards, attack related activity in the logs that arrive to LEM.




Last modified
19:58, 22 Jun 2016