Over the last few months, the Log & Event Manager (LEM) team has been working hard on a not-so-short list of features. I'm excited to announce that a major feature of the upcoming release of LEM 6.2 will be something that you all have asked for time and again: Threat Intelligence Feed integration. And so, I decided to take a moment to show off a bit of what the feature will look like and provide a chance to test the new functionality.

So before I get started, feel free to click below to be included in the LEM 6.2 beta program to test out new features such as the Threat Intelligence Feed and more.

[Button: download / sign up for the LEM 6.2 beta]

What's in the Threat Intelligence Feed for me?

The concept of Threat Intelligence is one that has been covered in the world of security news for some time now. The problem is that, generally speaking, the term opens itself to a broad range of implementations and thus can mean something different to any vendor. So why should you care about the feature as it applies to SolarWinds? LEM 6.2's Threat Intelligence Feed will allow your organization to be prepared to recognize and handle already known and proven threats. With LEM analyzing your environment for activity against a list of known malicious threats, you will be able to easily incorporate the shared knowledge of top, reputable threat lists into your own workflows to protect yourself from the risk these threats pose. Since that is a lot of words, let's jump into some screenshots that will help to better clarify what the new feature brings.

From Reactive to Proactive

LEM's new Threat Intelligence Feed is what allows your organization to move from reactive detection, looking around your environment as best you can hoping to surface suspicious activity, to the world of proactive detection - creating workflows that will ensure you know right away when known bad actors have made their way into your own environment.

We've all been there before - pulling down a list of threat indicators and manually searching for traces of them throughout our environment. Well, with the Threat Intelligence Feed, that won't be necessary, because the part that we know our customers will delight in most is the ease of implementation. All you have to do is check a box in your LEM console's Appliances Properties screen and you've enabled automatic coverage of some of the top threat lists available today.

[Screenshot: enabling the Threat Intelligence Feed in the Appliances Properties screen]

Search and Filters and Rules - Oh my!

Once enabled, LEM will automatically begin detecting threats in your environment. And if it finds something, it's readily available to you throughout LEM. The first place you'll be able to find it is through an nDepth search (see below - the highlighted event has been flagged by LEM as a known threat).

[Screenshot: nDepth search with the flagged threat event highlighted]

Of course, we know that search isn't the ideal way to consume such critical security information, so we will include out-of-the-box functionality that will help you get the most value out of this feature. This includes pre-built Filters, such as the one for All Threat Events seen in the screenshot below.

[Screenshot: the All Threat Events filter]

And, finally, who would we be if we didn't provide out-of-the-box correlation rules, allowing you to take action and alert whenever a threat event is found in your environment (just in case you don't spend your whole day in the LEM console - which is how I spend mine). See the image below for a rule to take action on a potential threat flagged by the Threat Intelligence Feed.

[Screenshot: out-of-the-box correlation rule acting on a threat event]

In summary

While there's more in store for the release of LEM 6.2, the Threat Intelligence Feed is a feature we are excited about and hope that you are excited about too. As such, we want to get this into your hands ASAP so we can get your thoughts on it while we still have time to make fixes and improvements.

So if you're a current LEM customer interested in testing out LEM 6.2 and getting your hands on new features such as the Threat Intelligence Feed, sign up for the beta here.