
Security Event Manager 6.7 is Now Available

Product Manager

Security Event Manager (SEM) 6.7 is now available on your Customer Portal. You're probably wondering what exactly Security Event Manager is. It's the product formerly known as Log and Event Manager (LEM). LEM has always been much more than a tool for basic log collection and analysis: it detects and responds to cyberattacks and eases the burden of compliance reporting. SEM helps organizations across the globe improve their security posture, and we believe the new name better reflects the capabilities of the tool.

FLASH - THE BEGINNING OF THE END

Moving away from Flash has been the top priority for SEM for some time. I'm excited to say that this release introduces a brand-new HTML5 user interface as the default interface for SEM. You can now perform most of your day-to-day tasks within this new interface, including searching, filtering and exporting logs, as well as configuring and managing correlation rules and nodes. The feedback on the new UI has been hugely positive so far, with many users describing it as clean, modern and incredibly responsive. The Flash interface is still accessible and is still required for tasks such as Group/User Management, E-Mail Templates and the Ops Center. However, we're by no means finished with the new user interface and will continue to make improvements and transition away from Flash.


CORRELATION RULES

Correlation is one of the key components of any effective SIEM tool. As vast amounts of data are fed into Security Event Manager, the correlation engine identifies, alerts on, and responds to potential security weaknesses or cyberattacks by comparing sequences of activity against a set of rules. This release includes a brand-new Rule Builder that makes it easy to build new rules and adjust existing ones. Improvements include drop-down menus (alongside the traditional drag-and-drop) for creating rules, automatic enablement of a rule after saving, easier association of Event Names and Active Response actions, and the removal of the Activate Rules button.


FILE INTEGRITY MONITORING

FIM was originally introduced way back in LEM 6.0 and has provided users with great insight into access and modifications to files, directories and registry keys ever since. With users constantly creating, accessing and modifying files, a huge amount of log data is generated, much of it noise. To help you separate the signal from the noise, we've introduced File Exclusions within our redesigned FIM interface. If a particular machine is generating excessive noise from a particular file type (I'm looking at you, tmp files), you can now easily exclude that file type at the node level.


LOG EXPORT

When investigating a potential cyberattack or security incident, you'll often need to share important log data with other teams or external vendors, or attach the logs to a ticket or incident report. Exporting results to a CSV is now possible directly from the Events Console.


AWS DEPLOYMENT

As organizations shift workloads to the cloud to lower costs and reduce management overhead, they need the flexibility to deploy their tools in the cloud as well. In addition to the Azure deployment support included in LEM 6.5, this release adds support for AWS deployment. Deployment is done via a private Amazon Machine Image, so you need to contact SolarWinds Sales (for evaluation users) or Technical Support (for existing users) to gain access to the AMI. Please note that your AWS Account ID will be required in order to grant access.

I really hope you like the direction we're going with Security Event Manager, especially the new user interface. We're already hard at work on the next version of SEM, as you can see in the What We're Working On post. As always, your feedback and ideas are greatly appreciated, so please continue to share them in the Feature Requests area.

15 Comments
Level 12

This is cool. I also like the name change. Looking forward to upgrading our current version!

Level 12

I am doing my best to get used to this new interface, but it still has some work that needs to be done. Here are some of the things I have noted so far.

One of the big things missing from the "Nodes" screen is the ability to see what the current version of the connector is on the node. While this may seem minor, it does play an important role when doing upgrades. I have had situations in the past where a node failed to upgrade its agent and I had to manually intervene and remove it and install the new version. With the new UI we currently have no way to see what the version of the agent each node is running.

I really hope that the OPS Center will be getting converted as well, as this is where my screen lives most of the time for LEM/SEM right now.

Not sure if this was a result of the problems I had which forced me into the upgrade, or if it was a result of the upgrade itself, but I feel that I need to at least make note of it. All of my custom FIM rules are gone. Completely gone, and I have to rebuild them from scratch. As I said, I had some pretty serious issues with FIM and Connectors in general not working which required intervention from Support and resulted in multiple version upgrades. Not sure if the missing rules are a result of the upgrade or steps support took to get FIM and Connectors working again.

Other than that I have not had much time to work with it yet.

Product Manager

Thanks for taking the time to provide the great feedback.

Understand your point regarding the Agent Version, it's displayed when you click on a node (below), however I agree that it should be displayed on the main page for each node. I'll mark this as a request.

Screenshot 2019-05-28 at 15.55.13.png

OPS Center - This is something we are currently working on, and I would love to discuss further with you to understand how you are currently using the Ops Center and gather feedback on how we're approaching the OPS Center in HTML5. I'll send you a DM to schedule some time.

FIM Rules - This is certainly not expected behaviour and I'm sorry for any inconvenience. I'm more than happy to investigate further and determine the root cause. Can you confirm if it's FIM rules or the FIM connector running on your agents that were lost during the upgrade?

Level 20

It's nice seeing the flash go...

Level 20

And much thanks for working these bugs out for me sparda963. I'm kinda kidding and kinda not.

Level 12

The FIM stuff was likely self-inflicted as a result of the problems we were having related to that and connectors in general.

Overall I like where the interface is going though. It is much more responsive than the flash based interface hands down.

Level 9

Upgrading now, one thing I was curious about:

We monitor services that are installed on servers, we do this through the SEM of course. When the SEM Agent gets upgraded I get an alert about a service installed called "swfsv2fltr."

Any idea what this is? It's something new I believe.

Product Manager

This is an updated File Integrity Monitoring driver on the SEM agent; it replaces the previous FIM driver.

Level 9

Just noticed the activate rule button is gone.

Level 8

I upgraded to 6.7.2 and, over the last few months, found some pieces that I'm having trouble with.

1. I cannot find a place to update the groups (User Defined Groups, Email Templates), so I am going back into the old console constantly.

2. The search function, for me, doesn't work nearly as well as the old ndepth search. There is no way, that I have found yet, to filter a search with multiple terms (AND, OR, NOT). I am finding that I get too many results or not the right results. I like the Events screen, except when I am trying to find something that doesn't yet have a filter.

3. Can you add an option to add/remove columns from the events screen? Typically, I am usually clicking on an event only because I am looking at a specific field that's not on the screen.

Overall, happy with the updates. As mentioned, I'm still going back to the old console for ndepth and to build groups, but otherwise am finding the new console workable (not perfect).

Is there a way to publish the timeframe for updates? Is Solarwinds working on a quarterly release schedule or something different?

Product Manager

Thanks for providing incredibly valuable feedback. We're by no means done with our migration to HTML5 and we have lots of exciting updates to come.

1. We're currently working on both Email Templates and User Defined Groups.

2. Adding additional functionality to the Events page which incorporates some of the nDepth functionality is certainly on our radar. I'll certainly keep your point regarding the more complex searching in mind as we work through it.

3. This isn't something we are currently working on, but the request makes total sense and I will create a Feature Request to track it.

Based on your feedback, I'd love to speak with you further or possibly arrange a UX Session to discuss your thoughts on the new UI further. Will drop you a DM to schedule something.

Unfortunately I can't share any timeline for updates, however I'll make sure to let you know as soon as the Release Candidate for the next release is available.

Level 8

I am happy to see the big changes in 6.7.2.  I know you're busy adding the new features as you move everything to HTML5.

What I did not see yet that I'm hoping will be moved over are:

1. Will there still be Filter Actions?  My students in SEM 101 classes use them to test logic before they create a new rule.

2. Will you keep the filter creation link (funnel) in the event details window, bottom right?  Or something similar? This is the fastest way to create a filter and the associated widget.

thanks for the great progress!

jim

Product Manager

Glad to see you're happy with the changes so far Jim.

When you say Filter actions, do you mean the notification options within the filter builder or the 'Respond' actions you can take from the Monitor view?

We aren't currently working on creating a filter from an event, but that functionality is certainly on our radar as we work through the UI migration.

Level 8

You're welcome!  I would like to do as you suggest and have a UX session.  My requests are very specific to how I teach my students to use SEM in a workflow fashion.

Please do DM me to set it up.

Level 9

So happy to see flash finally getting plugged.

About the Author
I have been involved in the IT industry for more than 8 years, focusing on IT Audit, Compliance and Information Security. I have held various roles from IT Desktop and Server Support, IT Auditing and Risk Management and Pre-Sales Engineering with SolarWinds.