Open for Voting

Integrate LEM with UDT and IPAM

Good Afternoon,

I've been trying to get this scenario to work. An end user creates a file with a certain name on the file server (through a shared network drive). This file name triggers a rule in LEM that looks up the IP address of this user and blocks the IP immediately. The issue currently is that, by default, Windows logs or FIM do not capture the IP address of the client who is creating this file on the file server. This limits the use of Block IP. I have worked with different SolarWinds engineers who eventually said that this cannot be done with the current version.

Usage: Malware/Ransomware infections. The normal sequence of an infection is that it starts to encrypt files and, every time it moves from one directory to another, it leaves an instruction note that leads to a website/Tor network site or similar. If we can create a trigger that'll block the IP as soon as one is created, it'll help with detection and immediately block this IP from causing further damage.

Can LEM not look up the user name (that we see from the source on the log) in IPAM or UDT and find the IP, then block the IP?

Thanks and regards,

Dilip Joseph
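The correlation the post asks for, as an added example that is not part of the original post and not SolarWinds LEM, UDT or IPAM code: a small Python script takes file-creation audit events (which carry the account name but, as the post notes, not the client address), matches the file name against patterns for the note ransomware drops in each directory, resolves the account to an address through a user-to-IP mapping standing in for an IPAM/UDT query, and returns one block decision per offending user. The event fields, the note filename patterns, the mapping and the `lookup_ip` helper are all constructed assumptions; a user with no mapping entry is returned with `ip=None` so the gap is escalated rather than silently dropped.

```python
"""Correlate file-creation events with a user-to-IP mapping to decide which
client address to block. Constructed example: the event fields, ransom-note
patterns and mapping are assumptions, not LEM, UDT or IPAM data."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed file-audit events in a simplified, normalized form.
# Windows object-access auditing yields the account name and path but
# not the client address, which is why the lookup below is needed.
EVENTS = [
    {"user": "CORP\\alice", "host": "FS01",
     "path": r"D:\shares\finance\Q3.xlsx", "action": "create"},
    {"user": "CORP\\bob", "host": "FS01",
     "path": r"D:\shares\hr\README_DECRYPT.txt", "action": "create"},
    {"user": "CORP\\bob", "host": "FS01",
     "path": r"D:\shares\hr\payroll\README_DECRYPT.txt", "action": "create"},
    {"user": "CORP\\carol", "host": "FS01",
     "path": r"D:\shares\eng\HOW_TO_RECOVER.html", "action": "create"},
    {"user": "CORP\\dave", "host": "FS01",
     "path": r"D:\shares\eng\readme_decrypt.txt", "action": "read"},
]

# Constructed user -> IP mapping standing in for an IPAM/UDT lookup.
# carol deliberately has no entry to exercise the "unknown address" path.
USER_TO_IP = {
    "CORP\\alice": "10.0.5.21",
    "CORP\\bob": "10.0.5.37",
}

# Constructed filename patterns for the instruction note ransomware leaves
# in each directory; a real deployment maintains its own list.
RANSOM_NOTE_PATTERNS = [
    re.compile(r"^readme.*(decrypt|restore|recover)", re.IGNORECASE),
    re.compile(r"^how_to_(recover|decrypt)", re.IGNORECASE),
]


@dataclass(frozen=True)
class BlockDecision:
    user: str
    ip: Optional[str]   # None when the lookup found no address for the user
    first_path: str     # the note that triggered the rule
    reason: str


def basename(path: str) -> str:
    """Last path component for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def is_ransom_note(path: str) -> bool:
    """True when the file name looks like a dropped ransom/instruction note."""
    name = basename(path)
    return any(p.search(name) for p in RANSOM_NOTE_PATTERNS)


def lookup_ip(user: str, mapping: dict) -> Optional[str]:
    """Stand-in for the IPAM/UDT query the post asks for (assumption)."""
    return mapping.get(user)


def evaluate(events, mapping) -> list:
    """Return one BlockDecision per offending user, deduplicated, so the
    block action fires once even though a note is dropped per directory."""
    decisions = {}
    for ev in events:
        if ev["action"] != "create" or not is_ransom_note(ev["path"]):
            continue
        user = ev["user"]
        if user in decisions:
            continue  # already decided for this user
        ip = lookup_ip(user, mapping)
        reason = "block" if ip else "no user-to-IP mapping; escalate manually"
        decisions[user] = BlockDecision(user, ip, ev["path"], reason)
    return list(decisions.values())


if __name__ == "__main__":
    for decision in evaluate(EVENTS, USER_TO_IP):
        print(decision)
```

Run as a script it prints one decision for `CORP\bob` (address 10.0.5.37, block) and one for `CORP\carol` (no address, escalate); `alice` is never flagged because her file name matches no pattern, and `dave` is skipped because his event is a read, not a create. The deduplication matters because the post describes a note being written per directory, and a block rule should not fire once per note.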