Submit a ticketCall us

Webinar: Web Help Desk for HR, Facilities and Accounting Departments
This webinar will focus on use cases for HR, Facilities and Accounting.

Having a unified ticketing and asset management system for all the departments in your company can provide end-users with a seamless experience and make things easier for your IT team. Yet, with different business tasks and objectives, many departments don’t fully understand the capabilities of Web Help Desk and how the software can be customized for effective use in their departments.
Register Now.

Home > Success Center > Log & Event Manager (LEM) > Difference between "Authentication - Suspicious Authentication" report and "Malicious Code" report in LEM

Difference between "Authentication - Suspicious Authentication" report and "Malicious Code" report in LEM

Table of contents
Created by Ezgi Muderrisoglu, last modified by MindTouch on Jun 23, 2016

Views: 62 Votes: 0 Revisions: 4

Overview

This article briefly goes over the differences between "Authentication - Suspicious Authentication" report and "Malicious Code" report in LEM.

Environment

LEM 6.2

Detail

Authentication - Suspicious Authentication report:


This report extracts all the "AuthSuspicious" alerts which have been sent to LEM. These events include excessive failed authentication or authorization attempts, suspicious access to unauthenticated users and suspicious access to unauthorized services or information. These depend on the events that the device in question is sending to LEM. If a windows server for example sends event logs to LEM to do with unauthorized users attempting to log in multiple times, then this would fall under the suspicious authentication report.

 

See page 469 under Appendix B: Events of the LEM User Guide, under the section SuspiciousBehavior. Here you will find a list of events that would fall under this category.

 

While the Malicious Code report would concentrate on a more narrow field, strictly just for any events that are related to malicious attack attempts. That is, Windows machine with antivirus sends event logs to LEM in relation to virus like behavior, or other malicious activity.

 

In the Appendix B: Events section of the LEM User Guide, the events list this would fall more under the categories of AttackBehavior.

 

With suspicious authentication reports, you would have more events related to suspicious activity included in the report. While in the Malicious code report it would be more towards, attack related activity in the logs that arrive to LEM.

 

 

 

Last modified
19:58, 22 Jun 2016

Tags

Classifications

Public