Use LEM to detect Malware and Security events

Created by Craig O’ Neill, last modified by MindTouch on Jun 23, 2016

Overview

This article provides brief information on using LEM to detect Malware.

Environment

LEM version 6.2 or later

Detail

The name of the game is defense in depth. Traditional malware detection, IDS and IPS, and other tools may not be enough on their own, but each can play an important part in detecting potential abuse or in piecing together fingerprints during an investigation. Infected endpoints are a gateway to the interior of the network, and most of us are not victims of zero-days but rather of some combination of existing malware and other techniques, which gives us a good chance of detecting it somewhere along the way. With these feeds, you'll see things like:

  • Antivirus/anti-malware technology cleaning, or having trouble cleaning, potential infections
  • IDS and IPS systems detecting potentially unwanted payloads, symptoms of infection, or even exfiltration
  • Triggers from any other security systems you have put to work that generate event streams: wireless security, data leak prevention, etc.
  • System errors and crash reports, where potential malware is affecting the system in unexpected ways

Look for the following LEM content:

  • Filters of interest include:
      • Security > Virus Attacks, IDS
      • IT Operations > Windows Error Events

[Screenshot: LEM Malware filters]

  • Rules of interest in the following categories:
      • Security > Malware
      • Devices > IDS and IPS (and related device types for your systems)

[Screenshot: LEM Malware Rules]

Threat Intelligence and Dynamic Feeds to Detect Malicious Traffic

We added the capability for LEM to dynamically download a list of known bad actors (potentially infected hosts, botnets, command-and-control networks, spammers, and other IPs up to no good) and automatically use that list to detect communication with those addresses on your network.

This is a really good way to see:

  • When someone internal is communicating with a potentially malicious host, which can indicate they've already been infected
  • When you're being probed, attacked, or otherwise communicated with externally by a potentially malicious host, which can indicate an incoming attempt
  • Communication to/from spam, denial of service, or similar hosts that can indicate phishing attempts, zombies on your network, or other security issues
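The feed-based matching described above, as an added example that is not LEM's own code: it loads a constructed feed of listed CIDR ranges, checks each side of a constructed connection event against it, and classifies a hit as outbound (an internal host talking to a listed address, a possible infection) or inbound (a listed address talking to an internal host, a possible probe or attack). The feed contents, the key=value event format and the 10.0.0.0/8 internal range are assumptions made for the example.

```python
import ipaddress

# Constructed threat feed standing in for the list LEM downloads: CIDR -> category.
# RFC 5737 documentation ranges, not real indicators.
THREAT_FEED = {"203.0.113.0/24": "botnet_c2", "198.51.100.7/32": "spam_source",
               "not-a-cidr": "junk"}  # one corrupt entry to exercise the parser
# Assumed internal address space the feed is matched against.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Constructed connection events in a simple key=value form.
SAMPLE_LOG = [
    "src=10.0.0.25 dst=203.0.113.44 dport=443",  # internal -> C2 range
    "src=198.51.100.7 dst=10.0.0.5 dport=25",    # listed host -> internal
    "src=10.0.0.8 dst=192.0.2.10 dport=80",      # not on the feed
    "src=garbage",                                # malformed, skipped
]

def load_feed(feed):
    """Parse feed entries into (network, category) pairs, skipping bad CIDRs."""
    parsed = []
    for cidr, category in feed.items():
        try:
            parsed.append((ipaddress.ip_network(cidr, strict=False), category))
        except ValueError:
            continue  # a corrupt feed line must not abort the whole match
    return parsed

def lookup(addr, feed):
    """Return the feed category for addr, or None if it is not listed."""
    ip = ipaddress.ip_address(addr)
    return next((cat for net, cat in feed if ip in net), None)

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)

def scan_connections(log_lines, feed):
    """Flag connections touching a listed host and record the direction:
    outbound = internal host talked to a listed host (possible infection),
    inbound  = listed host talked to an internal host (possible probe/attack)."""
    alerts = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if "src" not in fields or "dst" not in fields:
            continue  # malformed event: skip rather than crash the scan
        src, dst = fields["src"], fields["dst"]
        if is_internal(src) and (cat := lookup(dst, feed)):
            alerts.append((src, dst, cat, "outbound"))
        elif is_internal(dst) and (cat := lookup(src, feed)):
            alerts.append((src, dst, cat, "inbound"))
    return alerts
```

Running `scan_connections(SAMPLE_LOG, load_feed(THREAT_FEED))` yields one outbound alert for the C2 range and one inbound alert from the spam source; the unlisted and malformed events produce nothing.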

Last modified
20:24, 22 Jun 2016