• State Verified Answer
  • Locked Locked
  • Replies 2 replies
  • Subscribers 22 subscribers
  • Views 1306 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Infer Alert

byrona

I have noticed that a lot of the OOB rules in LEM have the Infer Alert action setup.  I may be a bit remedial for asking but I would love to see both the thought and/or some use cases behind the Infer Alert action.  If there is already some pre-existing documentation or videos on this I would be happy to use those if you can point me to them.

Thanks in advance for any pointers here!

  • FormerMember
    0 FormerMember

    The big use case for the infer alert action is to escalate normal activity to abnormal activity without generating email alerts and other actions.

    For example, the OOTB rules try to identify things like "excessive logon failures" and infer suspicious activity. You could then focus on suspicious activity, rather than focusing on all the logon failures (or building rules specifically for logon failures).

    PortScans are a good example - you get TCP traffic all the time, but when you see a certain quantity coming from a single IP to many ports on a single IP, that's scan behavior. Some devices (IDSes for example) will trigger a PortScan event directly and we have a PortScan event type in our taxonomy, but firewalls often just tell you everything (deny, deny, deny, deny, allow, deny, deny...) and we're able to "infer" that a PortScan has occurred based on the pattern.

    A related action is the Create Incident action - which is a way to filter semi-high priority or actionable events without receiving email on everything (or at the same time, so you know what was sent) making it easier to report on and audit just important stuff. Those tend to be business specific, but we have some OOTB rules that infer incidents as examples.

  • 0 in reply to FormerMember

    Interesting concepts.  I am glad you mentioned the Incident Action because I had never really noticed that before.  Now that you mentioned it I was able to go check it out and see how it correlates to those alerts in the taxonomy.

    LEM has so many clever concepts that are not immediately obvious.  I would love to sit in a room with you and just have a brain dump of LEM top to bottom to be able to understand all the thought and concepts behind the design of the product to be able to leverage it better.

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.