
Difference between "Authentication - Suspicious Authentication" report and "Malicious Code" report in LEM

Created by Ezgi Muderrisoglu, last modified by MindTouch on Jun 23, 2016


Overview

This article briefly goes over the differences between the "Authentication - Suspicious Authentication" report and the "Malicious Code" report in LEM.

Environment

LEM 6.2

Detail

Authentication - Suspicious Authentication report:

This report extracts all "AuthSuspicious" alerts that have been sent to LEM. These events include excessive failed authentication or authorization attempts, suspicious access by unauthenticated users, and suspicious access to unauthorized services or information. Which events appear depends on what the device in question sends to LEM. If a Windows server, for example, sends LEM event logs about unauthorized users attempting to log in multiple times, those events would fall under the Suspicious Authentication report.

See page 469 of the LEM User Guide, under Appendix B: Events, in the SuspiciousBehavior section. There you will find a list of the events that fall under this category.

The Malicious Code report, by contrast, concentrates on a narrower field: strictly events related to malicious attack attempts. That is, a Windows machine with antivirus sends LEM event logs about virus-like behavior or other malicious activity.

In the Appendix B: Events section of the LEM User Guide, these events fall under the AttackBehavior category.

The Suspicious Authentication report therefore includes a broader set of events related to suspicious activity, while the Malicious Code report is limited to attack-related activity in the logs that arrive at LEM.
