Submit a ticketCall us

WebinarUpcoming Webinar: Should I Move My Database to the Cloud?

So you’ve been running an on-premises SQL Server® for a while now. Maybe you’ve moved it from bare metal to a VM, and have seen some positive benefits. But, do you want to see more? If you said “YES!”, then this session is for you, as James Serra will review the many benefits that can be gained by moving your on-prem SQL Server to an Azure® VM (IaaS). He’ll also talk about the many hybrid approaches, so you can gradually move to the cloud. If you are interested in cost savings, additional features, ease of use, quick scaling, improved reliability, and ending the days of upgrading hardware, this is the session for you.

Register now.

Home > Success Center > Log & Event Manager (LEM) > LEM - Knowledgebase Articles > Difference between "Authentication - Suspicious Authentication" report and "Malicious Code" report in LEM

Difference between "Authentication - Suspicious Authentication" report and "Malicious Code" report in LEM

Table of contents
Created by Ezgi Muderrisoglu, last modified by MindTouch on Jun 23, 2016

Views: 924 Votes: 0 Revisions: 4


This article briefly goes over the differences between "Authentication - Suspicious Authentication" report and "Malicious Code" report in LEM.


LEM 6.2


Authentication - Suspicious Authentication report:

This report extracts all the "AuthSuspicious" alerts which have been sent to LEM. These events include excessive failed authentication or authorization attempts, suspicious access to unauthenticated users and suspicious access to unauthorized services or information. These depend on the events that the device in question is sending to LEM. If a windows server for example sends event logs to LEM to do with unauthorized users attempting to log in multiple times, then this would fall under the suspicious authentication report.


See page 469 under Appendix B: Events of the LEM User Guide, under the section SuspiciousBehavior. Here you will find a list of events that would fall under this category.


While the Malicious Code report would concentrate on a more narrow field, strictly just for any events that are related to malicious attack attempts. That is, Windows machine with antivirus sends event logs to LEM in relation to virus like behavior, or other malicious activity.


In the Appendix B: Events section of the LEM User Guide, the events list this would fall more under the categories of AttackBehavior.


With suspicious authentication reports, you would have more events related to suspicious activity included in the report. While in the Malicious code report it would be more towards, attack related activity in the logs that arrive to LEM.




Last modified