
Use LEM to detect Malware and Security events

Created by Craig O’ Neill, last modified by MindTouch on Jun 23, 2016

This article provides brief information on using LEM to detect malware and related security events.


LEM version 6.2 or later


The name of the game is defense in depth. Traditional malware detection, IDS and IPS, and other tools may not be enough on their own, but each can play an important part in detecting potential abuse or in piecing together fingerprints during an investigation. Infected endpoints are a gateway to the interior of the network, and most of us are not victims of zero-days but of some combination of existing malware and other techniques, which gives us a good chance of detecting it somewhere along the way. With these feeds, you'll see things like:


  • Antivirus/anti-malware technology cleaning or having trouble cleaning potential infections
  • IDS and IPS systems detecting potentially unwanted payloads or symptoms of infections or even exfiltration
  • Triggers from any other security systems you've got to put to work for you that generate event streams: wireless security, data leak prevention, etc.
  • System errors and crash reports, which can be a symptom of malware causing leaks that affect the system in unexpected ways


Look for the following LEM content:

  • Filters of interest include:
      • Security > Virus Attacks, IDS
      • IT Operations > Windows Error Events

(Screenshot: LEM Malware filters)

  • Rules of interest in the following categories:
      • Security > Malware
      • Devices > IDS and IPS (and related device types for your systems)

(Screenshot: LEM Malware Rules)


Threat Intelligence and Dynamic Feeds to Detect Malicious Traffic

We added the capability for LEM to dynamically download a list of known bad actors (potentially infected hosts, botnets, command and control networks, spammers, and general IPs up to no good) and automatically use that list to detect communication with those hosts on your network.


This is a really good way to see:

  • When someone internal is communicating with a potentially malicious host, which can indicate they've already been infected
  • When you're being probed, attacked, or otherwise communicated with externally by a potentially malicious host, which can indicate an incoming attempt
  • Communication to/from spam, denial of service, or similar hosts that can indicate phishing attempts, zombies on your network, or other security issues
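As an added illustration of the matching described above (example code written for this article, not LEM's own feed or rule logic), the Python below loads a constructed feed of listed addresses, checks constructed firewall-style log lines against it, and labels each hit as outbound (an internal host talking to a listed address, a sign it may already be infected) or inbound (a listed address talking to you, a sign of probing or attack). The feed format, log format and internal address ranges are assumptions.

```python
import ipaddress

# Constructed sample of a dynamically downloaded "known bad actors" feed: IP or CIDR, then a tag; '#' starts a comment.
FEED_TEXT = """\
# constructed feed for this example
203.0.113.25      c2
198.51.100.0/24   spam
"""

# Assumed internal address space (not from the article).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed firewall-style log lines: "<src> <dst> <dport> <action>".
LOG_LINES = [
    "10.1.4.20 203.0.113.25 443 allow",   # internal host talking to a listed C2 address
    "198.51.100.77 10.1.4.1 22 deny",     # listed spam range probing inbound
    "10.1.4.20 93.184.216.34 80 allow",   # benign, not on the feed
    "garbage line",                       # malformed, must be skipped
]


def parse_feed(text):
    """Return [(network, tag)] from feed text, ignoring comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            addr, _, tag = line.partition(" ")
            entries.append((ipaddress.ip_network(addr, strict=False), tag.strip() or "listed"))
    return entries


def lookup(ip, entries):
    """Tag of the first feed entry containing ip, else None."""
    return next((tag for net, tag in entries if ip in net), None)


def detect(log_lines, entries):
    """Return (src, dst, direction, tag) for each log line that touches a listed host."""
    hits = []
    for line in log_lines:
        parts = line.split()
        try:
            src, dst = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
        except (IndexError, ValueError):
            continue  # skip malformed lines rather than crash the detector
        internal_src = any(src in n for n in INTERNAL_NETS)
        dst_tag, src_tag = lookup(dst, entries), lookup(src, entries)
        if dst_tag and internal_src:   # internal -> listed: host may already be infected
            hits.append((str(src), str(dst), "outbound", dst_tag))
        elif src_tag:                  # listed -> you: probe, attack or spam source
            hits.append((str(src), str(dst), "inbound", src_tag))
    return hits
```

Running `detect(LOG_LINES, parse_feed(FEED_TEXT))` flags the first two lines and ignores the benign and malformed ones.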