Security Event Manager (SEM) 6.7 is now available on your Customer Portal. You're probably wondering what exactly Security Event Manager is. It's the product formerly known as Log and Event Manager (LEM). LEM has always been much more than a tool for basic log collection and analysis: it detects and responds to cyberattacks and eases the burden of compliance reporting. SEM helps organizations across the globe improve their security posture, and we believe the new name better reflects the capabilities of the tool.

 

FLASH - THE BEGINNING OF THE END

Moving away from Flash has been the top priority for SEM for some time. I'm excited to say that this release introduces a brand-new HTML5 user interface as the default interface for SEM. You can now perform most of your day-to-day tasks within this new interface, including searching, filtering and exporting logs, as well as configuring and managing correlation rules and nodes. The feedback on the new UI has been hugely positive thus far, with many users describing it as clean, modern and incredibly responsive. The Flash interface is still accessible and is required for tasks such as Group/User Management, E-Mail Templates and the Ops Center. However, we're by no means finished with the new user interface and will continue to make improvements and transition away from Flash.

 

 

CORRELATION RULES

Correlation is one of the key components of any effective SIEM tool. As vast amounts of data are fed into Security Event Manager, the correlation engine identifies, alerts on, and responds to potential security weaknesses or cyberattacks by comparing sequences of activity against a set of rules. This release includes a brand-new Rule Builder that makes it easy to build new rules and adjust existing ones. Improvements include drop-down menus (alongside the traditional drag-and-drop) for creating rules, auto-enablement of a rule after saving, easier association of Event Names and Active Response actions, and the removal of the Activate Rules button.
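To make the "sequences of activity against a set of rules" idea concrete, here is a small correlation engine over constructed logon events. This is an added illustration, not SolarWinds code: the Event and ThresholdRule shapes, the event names and the sample timestamps are assumptions made for the example. The rule fires when five failed logons from one source inside a five-minute window are followed by a successful logon from the same source, and it ages old failures out so that slow, spread-out failures do not accumulate into a false alert.

```python
"""Minimal correlation engine: a sliding-window threshold rule over events.

Added illustration, not SolarWinds SEM code. Event fields, rule shape and the
sample data below are assumptions made for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    name: str        # normalized event name, e.g. "UserLogonFailure"
    source_ip: str
    user: str


@dataclass(frozen=True)
class ThresholdRule:
    """Fire when `count` `trigger` events from one source fall inside `window`
    and a `confirm` event from the same source then arrives inside it."""
    rule_name: str
    trigger: str
    confirm: str
    count: int
    window: timedelta


def correlate(events, rule):
    """Return (rule_name, source_ip, user, ts) for every match, in time order.

    A per-source deque holds the timestamps of recent trigger events; entries
    older than the rule window are dropped before each event is considered.
    """
    recent = defaultdict(deque)   # source_ip -> timestamps of trigger events
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        window = recent[ev.source_ip]
        while window and ev.ts - window[0] > rule.window:
            window.popleft()
        if ev.name == rule.trigger:
            window.append(ev.ts)
        elif ev.name == rule.confirm and len(window) >= rule.count:
            alerts.append((rule.rule_name, ev.source_ip, ev.user, ev.ts))
            window.clear()   # one alert per burst, then start counting again
    return alerts


# Constructed sample events (not real log data).
T0 = datetime(2019, 3, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    # Five failures in 95 seconds, then a success: should alert.
    Event(T0 + timedelta(seconds=s), "UserLogonFailure", "10.0.0.5", "alice")
    for s in (0, 20, 45, 70, 95)
] + [
    Event(T0 + timedelta(seconds=120), "UserLogon", "10.0.0.5", "alice"),
    # One failure then a success from another host: a typo, not an attack.
    Event(T0 + timedelta(seconds=10), "UserLogonFailure", "10.0.0.9", "bob"),
    Event(T0 + timedelta(seconds=30), "UserLogon", "10.0.0.9", "bob"),
] + [
    # Five failures spread over 48 minutes: aged out, no alert.
    Event(T0 + timedelta(minutes=12 * i), "UserLogonFailure", "10.0.0.7", "carol")
    for i in range(5)
] + [
    Event(T0 + timedelta(minutes=49), "UserLogon", "10.0.0.7", "carol"),
]

BRUTE_FORCE_THEN_SUCCESS = ThresholdRule(
    rule_name="Brute force followed by successful logon",
    trigger="UserLogonFailure",
    confirm="UserLogon",
    count=5,
    window=timedelta(minutes=5),
)


def run_sample():
    """Run the sample rule over the sample events; only alice's host matches."""
    return correlate(SAMPLE_EVENTS, BRUTE_FORCE_THEN_SUCCESS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The window is keyed on source address only; a real rule would usually let you choose the grouping field (source, user, or both) and the response action, which is what the Rule Builder's Event Name and Active Response associations are for.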

 

 

 

FILE INTEGRITY MONITORING

FIM was originally introduced way back in LEM 6.0 and has provided users with great insight into access to, and modification of, files, directories and registry keys ever since. With users constantly creating, accessing and modifying files, a huge amount of log data is generated, much of it noise. To help you separate the signal from the noise, we've introduced File Exclusions within our redesigned FIM interface. If a particular machine is generating excessive noise from a particular file type (I'm looking at you, tmp files), you can now easily exclude that file type at the node level.
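The following is an added example of what a per-node file-type exclusion does to an integrity baseline; it is not SolarWinds FIM code. It hashes a throwaway directory tree, churns some files, and diffs the result twice: once for a node with `.tmp` and `.log` excluded, once for a node with no exclusions. The exclusion policy shape and the node names are assumptions made for the example.

```python
"""File integrity baseline and comparison with per-node file-type exclusions.

Added illustration, not SolarWinds FIM code. The exclusion policy shape (a set
of file-name suffixes per node) and the node names are assumptions.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed exclusion policy: node name -> file-name suffixes to ignore.
# "dbserver02" has no entry, so its snapshot reports every file.
EXCLUSIONS = {
    "webserver01": {".tmp", ".log"},
}


def is_excluded(path, node):
    return any(path.name.endswith(s) for s in EXCLUSIONS.get(node, ()))


def snapshot(root, node):
    """Map POSIX-style relative path -> SHA-256 of content, skipping excluded types."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file() or is_excluded(p, node):
            continue
        h = hashlib.sha256()
        with open(p, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        result[p.relative_to(root).as_posix()] = h.hexdigest()
    return result


def diff(baseline, current):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return added, removed, modified


def demo(node):
    """Baseline a throwaway tree, churn it, and return what changed for `node`."""
    with tempfile.TemporaryDirectory() as d:
        app = Path(d) / "app"
        app.mkdir()
        (app / "config.ini").write_text("debug=false\n")
        (app / "cache.tmp").write_text("scratch\n")
        (app / "access.log").write_text("GET /\n")
        base = snapshot(d, node)
        # Noise: temp and log churn that happens all day on a web server.
        (app / "cache.tmp").write_text("more scratch\n")
        (app / "access.log").write_text("GET /\nGET /admin\n")
        (app / "other.tmp").write_text("x\n")
        # Signal: a configuration change and a new executable.
        (app / "config.ini").write_text("debug=true\n")
        (app / "helper.exe").write_bytes(b"MZ")
        return diff(base, snapshot(d, node))


if __name__ == "__main__":
    for node in ("webserver01", "dbserver02"):
        added, removed, modified = demo(node)
        print(node, "added:", added, "removed:", removed, "modified:", modified)
```

With the exclusions in place only `config.ini` and `helper.exe` surface for webserver01; without them the same run also reports the temp and log churn. Exclusions are per node on purpose: a `.tmp` file appearing in a database server's binaries directory may be exactly the thing you want to see.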

 

 

LOG EXPORT

When investigating a potential cyberattack or security incident, you'll often need to share important log data with other teams or external vendors, or attach the logs to a ticket or incident report. Exporting results to CSV is now possible directly from the Events Console.

 

 

AWS DEPLOYMENT

As organizations shift workloads to the cloud to lower costs and reduce management overhead, they need the flexibility to deploy their tools in the cloud too. In addition to the Azure deployment support included in LEM 6.5, this release adds support for AWS deployment. Deployment is done via a private Amazon Machine Image, so you need to contact SolarWinds Sales (evaluation users) or Technical Support (existing customers) to gain access to the AMI. Please note that your AWS Account ID is required in order to grant access.

 

I really hope you like the direction we're going with Security Event Manager, especially the new user interface. We're already hard at work on the next version of SEM, as you can see in the What We're Working On post. As always, your feedback and ideas are greatly appreciated, so please keep them coming in the Feature Requests area.

SolarWinds® Access Rights Manager (ARM) 9.2 is available on the customer portal. Please refer to the release notes for a broad overview of this release.

 

Most of you are using cloud services in your IT environments today, living in and managing a hybrid world.

 

With the release of ARM 9.1 we already took this into consideration by complementing the existing access rights visibility into Active Directory, Exchange, and file servers with Microsoft® OneDrive and Microsoft® SharePoint Online.

Now, with ARM 9.2, we round off that function set by introducing the ability to collect events from Microsoft® OneDrive and SharePoint Online, giving you visibility into activity within these platforms as well.

 

In addition to the functionality above, a lot of work was done under the hood to lay the foundation for features we will make available in the next releases.

 

What’s New in Access Rights Manager 9.2?

  • Microsoft OneDrive and SharePoint Online monitoring - Administrators need to be aware of certain events in their OneDrive and SharePoint Online environments. ARM now enables the administrator to retrieve events from the Office 365 environment and analyze them in reports.
  • UI - Design and layout optimizations to complete the SolarWinds look and feel.
  • Defect fixes - as with any release, we addressed product defects.

 

The SolarWinds product team is excited to make these features available to you.  We hope you enjoy them. 

Of course, please be sure to create new feature requests for any additional functionality you would like to see with ARM in general.

 

To help get you going quickly with this new version, below is a quick walk-through of the new monitoring capabilities for Microsoft® OneDrive and Microsoft® SharePoint Online.

 

Identify ACCESS to shared directories and files on OneDrive

OneDrive is an easy way for your employees to share resources with each other and with external users. ARM makes it easy for you to check which files an employee has shared internally or externally, and who actually accessed them.

 

Now let's take a look at how we can use OneDrive monitoring to answer the question "with whom outside the company do we share documents and files?" ARM allows you to generate a report for this in a few clicks.

 

1. Navigate to the Start screen in the ARM rich client and click on “OneDrive Logga Report” in the Security Monitoring section.

 

The configuration for the “OneDrive Logga Report“ opens.

2. Provide a title and comment that will be shown at the beginning of the report (optional). Select the time period analyzed for this report.

3. Click into “OneDrive Resources”

4. Select the target resources on the right side for this report by double clicking.

5. Click into “Operations”

6. As we are interested in who shared the resources and when, and in whether any external users accessed them, select the "AnonymousLinkCreated" and "AnonymousLinkUsed" operations on the right side by double-clicking.

7. Click on “Start” to create this report manually.

8. Click on “Show report” to view the report.

The resulting report shows who invited external users to internal resources and when, and whether any external user actually accessed them and from which IP address.

Note: You can schedule this report to be sent periodically to your mailbox to stay on top of what's happening.

 

In the same way you can generate reports about the more than 180 other events available in SharePoint Online and OneDrive. Just follow the steps outlined above and, in step 6, pick the operations you are interested in.

Other events worth a look are the file and folder operations such as FileDeleted/FolderDeleted or FileMoved/FolderMoved, which cover one of the classic use cases: employees complaining that their files and folders have disappeared.
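The following added example shows the two questions above answered over audit records directly, outside the ARM report builder; it is not ARM code. The record field names (CreationTime, Operation, UserId, ClientIP, ObjectId, Workload, SourceFileName) follow the Office 365 Management Activity API schema, which is where these OneDrive and SharePoint Online events originate, but the records, users, URLs and addresses below are constructed for the example. The sharing summary pairs each AnonymousLinkCreated with the AnonymousLinkUsed events for the same object, and separately flags links that were used but whose creation falls outside the collected records, which is a gap a report over a fixed time period will hide.

```python
"""Summaries over OneDrive/SharePoint Online audit records.

Added illustration, not ARM code. Field names follow the Office 365
Management Activity API schema; all record contents are constructed.
"""
from collections import defaultdict

FORECAST = "https://contoso-my.sharepoint.example/personal/alice/Documents/Q3-forecast.xlsx"
CONTRACT = "https://contoso-my.sharepoint.example/personal/alice/Documents/Vendor-contract.docx"
BUDGET = "https://contoso.sharepoint.example/sites/finance/Shared Documents/Budget.xlsx"

# Constructed sample records. ISO-8601 timestamps sort correctly as strings.
SAMPLE_RECORDS = [
    {"CreationTime": "2019-03-04T08:15:00", "Operation": "AnonymousLinkCreated",
     "Workload": "OneDrive", "UserId": "alice@contoso.example",
     "ClientIP": "203.0.113.10", "ObjectId": FORECAST, "SourceFileName": "Q3-forecast.xlsx"},
    {"CreationTime": "2019-03-04T09:02:11", "Operation": "AnonymousLinkUsed",
     "Workload": "OneDrive", "UserId": "urn:spo:anon#constructed",
     "ClientIP": "198.51.100.77", "ObjectId": FORECAST, "SourceFileName": "Q3-forecast.xlsx"},
    # Link used, but its creation predates these records.
    {"CreationTime": "2019-03-05T14:40:05", "Operation": "AnonymousLinkUsed",
     "Workload": "OneDrive", "UserId": "urn:spo:anon#constructed",
     "ClientIP": "192.0.2.44", "ObjectId": CONTRACT, "SourceFileName": "Vendor-contract.docx"},
    {"CreationTime": "2019-03-05T16:01:30", "Operation": "FileDeleted",
     "Workload": "SharePoint", "UserId": "bob@contoso.example",
     "ClientIP": "203.0.113.22", "ObjectId": BUDGET, "SourceFileName": "Budget.xlsx"},
    {"CreationTime": "2019-03-05T16:05:00", "Operation": "FileModified",
     "Workload": "SharePoint", "UserId": "bob@contoso.example",
     "ClientIP": "203.0.113.22", "ObjectId": BUDGET, "SourceFileName": "Budget.xlsx"},
]

SHARING_OPS = {"AnonymousLinkCreated", "AnonymousLinkUsed"}
DELETE_OPS = {"FileDeleted", "FolderDeleted"}


def anonymous_sharing_report(records):
    """Per shared object: who created the anonymous link, when, and each use
    of it as (time, client IP). Anonymous users carry no account identity, so
    the client IP is the only attribution the record offers."""
    report = {}
    for r in sorted(records, key=lambda r: r["CreationTime"]):
        if r["Operation"] not in SHARING_OPS:
            continue
        entry = report.setdefault(
            r["ObjectId"], {"created_by": None, "created_at": None, "uses": []})
        if r["Operation"] == "AnonymousLinkCreated":
            entry["created_by"] = r["UserId"]
            entry["created_at"] = r["CreationTime"]
        else:
            entry["uses"].append((r["CreationTime"], r.get("ClientIP", "unknown")))
    return report


def links_used_without_creation_record(report):
    """Objects whose link was used but never seen being created in these
    records: the link is older than the collection window, or logs are missing."""
    return sorted(obj for obj, e in report.items() if e["uses"] and e["created_by"] is None)


def deletion_report(records):
    """(time, user, operation, file name) for deletions: the 'my files
    disappeared' ticket, answered from the log instead of guesswork."""
    return [(r["CreationTime"], r["UserId"], r["Operation"], r.get("SourceFileName") or r["ObjectId"])
            for r in sorted(records, key=lambda r: r["CreationTime"])
            if r["Operation"] in DELETE_OPS]


def uses_by_ip(report):
    """Client IP -> number of anonymous-link uses, across all objects."""
    counts = defaultdict(int)
    for e in report.values():
        for _, ip in e["uses"]:
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    rep = anonymous_sharing_report(SAMPLE_RECORDS)
    for obj, e in rep.items():
        print(obj, "shared by", e["created_by"], "at", e["created_at"], "uses:", e["uses"])
    print("used without creation record:", links_used_without_creation_record(rep))
    print("deletions:", deletion_report(SAMPLE_RECORDS))
```

When you schedule the ARM report for a fixed period, keep the "used without creation record" case in mind: a link created months ago will show up only as AnonymousLinkUsed events, so a report window that excludes the creation date still tells you that the file is exposed, just not who exposed it.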

 

On a side note, file/folder events on file servers are also captured in our monitoring and are available through the file server reports.

 

Conclusion

I hope that this quick summary gives you a good understanding of the new features in ARM and how you can utilize ARM to get better visibility and control over your hybrid IT environment. 

 

If you are reading this and are not already using SolarWinds Access Rights Manager, we encourage you to check out the free download. It's free. It's easy. Give it a shot.

We are happy to announce the release of SolarWinds® Access Rights Auditor, a free tool, designed to scan your Active Directory and file system and evaluate possible security risks due to existing user access rights.

 

 

Ever heard of risks and threats due to unresolved SIDs, globally accessible directories, directories with direct user access, or groups in recursion, and wondered whether you were affected?

 

Access Rights Auditor helps you answer this question by identifying use cases such as these and allows you to export the overall risk summary in an easy-to-understand PDF report to be shared.
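For readers who want to see what those four risk classes look like in data, here is an added example that checks each of them over a constructed set of principals, nested groups and folder ACLs. It is not the tool's code: the data model (dicts keyed by SID), the folder paths, the domain SIDs and the account names are assumptions made for the example. The well-known SIDs S-1-1-0 (Everyone), S-1-5-11 (Authenticated Users) and S-1-5-18 (SYSTEM) are real. The group-expansion function also shows why recursion is a risk and not just an oddity: a naive expansion of a group that contains itself through nesting never terminates.

```python
"""Checks for the risk classes named above over constructed AD/file-server data.

Added illustration, not Access Rights Auditor code. Data model, folder paths,
domain SIDs and account names are assumptions; well-known SIDs are real.
"""

# SID -> (display name, kind). Domain SIDs here are invented.
PRINCIPALS = {
    "S-1-1-0": ("Everyone", "wellknown"),
    "S-1-5-11": ("Authenticated Users", "wellknown"),
    "S-1-5-18": ("SYSTEM", "wellknown"),
    "S-1-5-21-1-1-1-512": ("Domain Admins", "group"),
    "S-1-5-21-1-1-1-513": ("Domain Users", "group"),
    "S-1-5-21-1-1-1-1104": ("Finance", "group"),
    "S-1-5-21-1-1-1-1105": ("Finance-Leads", "group"),
    "S-1-5-21-1-1-1-2001": ("jdoe", "user"),
    "S-1-5-21-1-1-1-2002": ("asmith", "user"),
}

FINANCE = "S-1-5-21-1-1-1-1104"
FINANCE_LEADS = "S-1-5-21-1-1-1-1105"

# Group SID -> member SIDs. Finance and Finance-Leads contain each other.
GROUP_MEMBERS = {
    FINANCE: {FINANCE_LEADS, "S-1-5-21-1-1-1-2001"},
    FINANCE_LEADS: {FINANCE, "S-1-5-21-1-1-1-2002"},
    "S-1-5-21-1-1-1-512": {"S-1-5-21-1-1-1-2002"},
    "S-1-5-21-1-1-1-513": {"S-1-5-21-1-1-1-2001", "S-1-5-21-1-1-1-2002"},
}

INVOICES = r"\\fs01\finance\Invoices"
TEMPLATES = r"\\fs01\public\Templates"

# Folder -> list of (SID, right). Constructed ACLs.
FOLDER_ACLS = {
    INVOICES: [
        ("S-1-5-18", "FullControl"),
        ("S-1-5-21-1-1-1-512", "FullControl"),
        (FINANCE, "Modify"),
        ("S-1-5-21-1-1-1-2001", "Modify"),   # user granted directly, not via a group
        ("S-1-5-21-1-1-1-9999", "Read"),     # SID with no matching account
    ],
    TEMPLATES: [
        ("S-1-1-0", "Read"),                 # Everyone
    ],
}

# Principals that make a folder "globally accessible" when they appear in its ACL.
GLOBAL_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-21-1-1-1-513"}  # Everyone, Auth Users, Domain Users


def unresolvable_sids(acls, principals):
    """Folder -> ACL entries whose SID no longer resolves (deleted accounts)."""
    out = {}
    for folder, aces in acls.items():
        bad = sorted(sid for sid, _ in aces if sid not in principals)
        if bad:
            out[folder] = bad
    return out


def globally_accessible(acls):
    """Folders granting rights to a catch-all principal."""
    return sorted(f for f, aces in acls.items() if any(sid in GLOBAL_SIDS for sid, _ in aces))


def direct_user_access(acls, principals):
    """Folder -> user accounts named directly in the ACL instead of via a group."""
    out = {}
    for folder, aces in acls.items():
        users = sorted(principals[sid][0] for sid, _ in aces
                       if sid in principals and principals[sid][1] == "user")
        if users:
            out[folder] = users
    return out


def recursive_groups(group_members, principals):
    """Names of groups that reach themselves through nested membership."""
    names = []
    for start in group_members:
        stack = [m for m in group_members[start] if m in group_members]
        seen = set()
        while stack:
            g = stack.pop()
            if g == start:
                names.append(principals[start][0])
                break
            if g not in seen:
                seen.add(g)
                stack.extend(m for m in group_members[g] if m in group_members)
    return sorted(names)


def effective_users(group_sid, group_members, principals):
    """Flatten nested membership to user names. The `seen` set is what keeps a
    recursive group pair from expanding forever."""
    users, seen, stack = set(), set(), [group_sid]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for m in group_members.get(g, ()):
            if m in group_members:
                stack.append(m)
            elif principals.get(m, ("", ""))[1] == "user":
                users.add(principals[m][0])
    return sorted(users)
```

Run against the constructed data, the Invoices folder reports one unresolvable SID and one directly assigned user, Templates is globally accessible through Everyone, and Finance and Finance-Leads are flagged as recursive while still expanding to a finite user list. On a real domain the inputs would come from the file server ACLs and an LDAP query of group membership; the checks themselves do not change.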

 

Don’t know where to start?

 

Let’s walk through a typical use case assuming we want to check the permissions and risks associated with a sensitive folder from the Finance department.

We type the phrase “invoices” in the search box and press enter (1).

 

The “Search Results” view displays the search history and all hits of your current search in the different categories available like folders, users, and groups.

We select the folder we are interested in by clicking on “Invoices” (2).

 

Now we’re redirected to the “Folder Details” view and immediately get all “Folder Risks” displayed – in this example, three occurrences of “Unresolvable SIDs” and “Changed Access Permissions.”

But it doesn't end here, because some risks are inherited by directories, for example from inactive user accounts that still have access. These hidden risks are also listed here, in the "Account Risks" section.

 

Now we validate who has access in the “User and groups” section below and realize that in our example the “System” account and the “Domain Admins” group have “full control” access on the folder.

To see the members of the "Domain Admins" group, simply click on the group and you'll be redirected to the "Group details" view.

 

 

Access Rights Auditor improves your visibility into permissions and risks with just a few clicks.

 

Can’t believe it’s free? Go ahead and give it a try.

 

For more detailed information, check the Quick Reference guide here on THWACK® at https://thwack.solarwinds.com/docs/DOC-204485.

Download SolarWinds Access Rights Auditor at https://www.solarwinds.com/free-tools/access-rights-auditor.
