Security Event Manager (SEM) 2019.4 is now available on your Customer Portal and solarwinds.com. The Release Notes are available here, and the steps to upgrade your existing SEM appliance are here. The SEM online demo has also been updated and can be accessed from here, and you can see the dashboard in action within this video.
Firstly, you'll probably notice our new versioning format. New releases for SEM going forward will now use year.quarter, taking a similar approach to Orion® Platform product modules. SEM versions will be named with the four-digit year in which they were released, followed by the quarter of release. If there's a Service Release in between major releases, it will appear in the third position following the quarter, e.g., 2019.4.1.
So, what's included in this SEM release? This release mainly focuses on our migration from Flash, with new functionality added to our HTML5 interface including dashboards, user-defined groups, and email templates.
As the saying goes, a picture paints a thousand words—which is particularly true when it comes to log data. The Events page in SEM allows you to interact with your logs via filtering and keyword searching, but it can be difficult to spot unusual activity or suspicious trends in a flat list of events. That's where a dashboard comes into play—being able to visualize thousands of logs and build a picture of what's happening on your network can be hugely valuable when detecting threats. We've included several out-of-the-box charts based on some of the most common use cases we hear from our customers, including change management, authentication, and network traffic widgets. You can easily create custom widgets based on any filter within the Events page, and chart options include bar, pie, and donut, as well as line graphs for time-series data. Drilling into the log data behind each chart is vitally important when analyzing potential threats: clicking a segment of a chart opens the corresponding log data within the Events page. Here's a glimpse at how our new dashboard looks—I hope you like what we've done:
You can now build and manage user-defined groups via the HTML5 interface. User-defined groups contain data specific to your environment, such as user and computer names, sensitive files, approved USB devices, and so on. These groups can also act as whitelists and blacklists for use in correlation rules and filters, for example, alerting you to an attempted access to a URL you've blacklisted. You can create these groups manually or import elements via a CSV file, and you can just as easily export group elements to a CSV. To ensure our out-of-the-box content remains relevant to an ever-changing threat landscape, we've updated several of our predefined groups, including SQL Injection/XSS vectors, anonymizer websites, and remote desktop websites.
As part of the SEM 6.7 release, we introduced the ability to manage your correlation rules via the new interface, including the ability to select which email template you'd like to use as part of the alert. However, the creation and customization of those email templates still resided in the Flash console. SEM 2019.4 introduces the ability to build and customize these email templates within the new interface. These templates are incredibly valuable for adding context to email alerts, as well as for including information from the log data within those alerts.
FILTER -> RULE
Your network is probably generating hundreds, if not thousands, of events every second, and trying to identify interesting logs in that deluge of log data is challenging. That's where filters come into play. You can rely on the predefined filters or create custom filters within SEM to home in on certain logs. But what if you want to create a correlation rule to alert on, or respond to, those same events being generated on your network? Until now, you had to create a filter and then manually create a corresponding correlation rule. We've simplified this process: you can now send a SEM filter to rule creation to quickly create a new correlation rule based on that filter.
I really hope you like the direction we're going with Security Event Manager, especially the new user interface. As always, your feedback and ideas are greatly appreciated, so please provide any feedback you may have within the comments section below or within the SEM Release Candidate forum.