About LEM filters and filter categories
This section introduces filters and briefly describes the default filters included with LEM.
Filters capture events and alerts that take place on your network. (In LEM, the terms event and alert are interchangeable.)
The LEM console uses event filters to manage events. You can turn filters on and off, pause filters to sort or investigate events, perform actions to respond to events, and configure filters to notify you when they capture an event. Filters can also display widgets, which are charts and graphs that visually represent the event data.
Filter conditions can be broad or specific. For example, you can create a filter without conditions that captures all events, regardless of the source or event type, or you can create a filter that has one specific condition, such as "UserLogon Exists," which only captures user logon events.
Create filters when you want to group a type of event. For example, you can create filters to collect all events from your domain controllers, or all events for a specific type of user.
Create rules when you want LEM to take action in response to one or more events.
Use filters to group a type of event or to monitor specific events
You can create filters to collect:
- All events from your firewalls
- All events from your domain controllers
- All events for a specific type of user
- All events except for recurring, expected events
Create custom filters to monitor specific events, such as:
- Change Management filters to monitor configuration changes users create in your network.
- High Volume Event filters to monitor traffic spikes or unexpected off-peak traffic.
- General Interest filters to monitor logon failures and failed authentications.
  A failed authentication is an event triggered by three logon failures by the same account within an extremely short period of time.
- Rule Scenario Event filters to determine if you have the appropriate events to create a rule for a specific scenario.
- Daily Problem Event filters to monitor basic operational problems (such as account lockouts) in real time.
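The two ideas above (a filter as a set of conditions such as "UserLogon Exists", and a failed authentication as three logon failures by one account within a short window) can be made concrete with a small evaluator. The code below is an added illustration written for this page, not SolarWinds LEM code: the event field names (`EventName`, `SourceAccount`, `DetectionTime`), the filter definitions, the sample events and the 60-second window are all assumptions; LEM's own condition language and correlation internals are not described here.

```python
"""Added example: a minimal event-filter evaluator modelled on the concepts above.

Illustrative code for this page only, not SolarWinds LEM code. Field names,
filter definitions and the 60-second window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real LEM output); field names are assumed.
SAMPLE_EVENTS = [
    {"EventName": "UserLogon", "SourceAccount": "alice", "DetectionTime": "2024-01-01T08:00:00"},
    {"EventName": "UserLogonFailure", "SourceAccount": "bob", "DetectionTime": "2024-01-01T08:00:05"},
    {"EventName": "UserLogonFailure", "SourceAccount": "bob", "DetectionTime": "2024-01-01T08:00:10"},
    {"EventName": "UserLogonFailure", "SourceAccount": "bob", "DetectionTime": "2024-01-01T08:00:20"},
    {"EventName": "ServiceStart", "SourceAccount": "", "DetectionTime": "2024-01-01T08:01:00"},
    {"EventName": "UserLogonFailure", "SourceAccount": "carol", "DetectionTime": "2024-01-01T08:05:00"},
    {"EventName": "UserLogonFailure", "SourceAccount": "carol", "DetectionTime": "2024-01-01T09:05:00"},
    {"EventName": "UserLogonFailure", "SourceAccount": "carol", "DetectionTime": "2024-01-01T10:05:00"},
]


def parse_time(value):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


class Filter:
    """A filter is a name plus zero or more field == value conditions.

    An empty condition set matches every event (the "All Events" case);
    a disabled filter matches nothing, mirroring a filter that is turned off.
    """

    def __init__(self, name, conditions=None, enabled=True):
        self.name = name
        self.conditions = conditions or {}
        self.enabled = enabled

    def matches(self, event):
        if not self.enabled:
            return False
        return all(event.get(field) == value for field, value in self.conditions.items())


# Hypothetical filter set; the names echo the page, the conditions are assumed.
DEFAULT_FILTERS = [
    Filter("All Events"),                                   # no conditions: captures everything
    Filter("User Logons", {"EventName": "UserLogon"}),      # the "UserLogon Exists" idea
    Filter("Failed Logons", {"EventName": "UserLogonFailure"}),
    Filter("Service Events", {"EventName": "ServiceStart"}, enabled=False),  # turned off
]


def count_matches(filters, events):
    """Return {filter name: number of captured events}, like the count shown
    beside each filter name in the Filters sidebar."""
    return {f.name: sum(1 for e in events if f.matches(e)) for f in filters}


def failed_authentications(events, threshold=3, window=timedelta(seconds=60)):
    """Flag accounts with `threshold` logon failures inside `window`.

    Events are processed in time order; for each account a list of recent
    failure timestamps is kept and trimmed to the window. When the list
    reaches the threshold an alert is recorded and the list is reset, so one
    burst of failures produces exactly one alert.
    """
    recent = defaultdict(list)
    alerts = []
    for event in sorted(events, key=lambda e: parse_time(e["DetectionTime"])):
        if event["EventName"] != "UserLogonFailure":
            continue
        now = parse_time(event["DetectionTime"])
        account = event["SourceAccount"]
        recent[account] = [t for t in recent[account] if now - t <= window] + [now]
        if len(recent[account]) >= threshold:
            alerts.append((account, event["DetectionTime"]))
            recent[account] = []
    return alerts


if __name__ == "__main__":
    print(count_matches(DEFAULT_FILTERS, SAMPLE_EVENTS))
    print(failed_authentications(SAMPLE_EVENTS))
```

With the constructed input, `bob` produces one failed-authentication alert (three failures within 15 seconds), while `carol` produces none because her three failures are an hour apart; the disabled "Service Events" filter reports zero even though a matching event exists.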
About the default filters included with LEM
SolarWinds LEM ships with filters that support best practices in the security industry. You can modify these filters to meet your needs, or you can create an unlimited number of custom filters. A single set of filters can monitor data collected across multiple LEM Managers.
Find and view filters in Monitor view
To find a filter in LEM, open the Monitor tab in the LEM console, and click Filters in the top-left part of the screen to open the Filters sidebar. Expand a category to view its filters. To view a brief description of a filter, hover your cursor over it.
Filtered events are listed in the event grid, or you can view filtered event data using a variety of charts and graphs called widgets. Filters can also use the console to signal that they have captured an event by displaying a pop-up message, by playing a sound, or by using blinking text.
Filters are in the Filters pane, where they are grouped into different categories.
About LEM filter categories
By default, filters are grouped into the following seven categories in the Filters pane:
- IT Operations
- Change Management
- Endpoint Monitoring
You can also add, edit, rename, export, import, and delete filter categories. See Manage LEM filter categories: Add, edit, view, and more for details.
About the Filters sidebar
The number to the right of each filter name shows the number of events associated with that filter. Filters shown in gray italics are currently turned off. To move a filter from one category to another, click and drag it to its new location.
Default filters included with LEM
This section lists the default filters included with LEM.
| Filter | Description | Default status |
|---|---|---|
| All Events | Displays all events from all sources. | On |
|  | Filters events related to rules subscribed to the specified user. |  |
| LEM Internal Events | Filters events related to LEM operations, including informational, warning, and audit events. | On |
| Rule Activity | Displays all activated rules. | On |
| Incidents | Filters all events categorized as Incidents. | On |
|  | Filters events categorized as attack activity or potentially suspicious. |  |
| Network Event Threats | Filters events with source or destination detected in the threat intelligence feed as potentially bad actors. | On |
| All Firewall Events | Filters events from firewall devices that match the targeted name. | On |
| All Threat Events | Filters all events with the source or destination detected in the threat intelligence feed as potentially bad actors. | On |
| Denied ACL Traffic | Filters events from network devices that indicate denied ACL activity. | Off |
| Unusual Network Traffic | Filters unusual network traffic and scans. | On |
| Blocked Web Traffic | Filters events from proxy servers or other web servers that blocked an attempt to access a URL. | On |
| Proxy Bypassers | Filters web traffic from users who are bypassing your proxy server. | Off |
| Web Traffic - Spyware | Filters web traffic events to potential spyware sites. | Off |
| Virus Attacks | Filters events that indicate potential virus detection. | On |
| IDS Scan / Attack Activity | Filters security events detected by IDS tools (such as Snort). | On |
| Security Processes | Filters security-related process activities. | On |
| File Audit Failures | Filters events that indicate failed attempts to access files. | On |
IT Operations Filters
| Filter | Description | Default status |
|---|---|---|
| All Domain Controller Events | Displays all traffic from machines in the Domain Controllers tool profile. | Off |
| All Web Traffic | Filters all web traffic-related events from network devices, proxy servers, and web servers. |  |
| Software Installation/Update | Filters events related to software installation and updates. | On |
| Service Events | Filters events related to starting and stopping services, as well as service warnings and information. | On |
| System Events | Filters events related to system availability and status information. | On |
| Error Events | Filters events from all sources that contain "error". | On |
| Warning Events | Filters events from all sources that contain "warning". | On |
| Windows Error Events | Filters events from Microsoft Windows event logs that contain "error". | On |
| Error Events for Device | Filters events from a specific device that contain "error". | Off |
| Web Traffic for Source Machine | Filters web traffic emanating from a certain source machine. | Off |
| All Network Traffic | Filters all network traffic-related events from all devices and systems. | On |
| FTP Traffic | Filters TCP traffic events between one or more FTP ports reported by any device or system. | On |
| SNMP Traffic | Filters UDP traffic events between one or more SNMP ports reported by any device or system. |  |
| SMTP Traffic | Filters UDP traffic events between one or more SMTP ports reported by any device or system. | On |
Change Management Filters
| Filter | Description | Default status |
|---|---|---|
| General Change Management | Filters all events that indicate changes to devices, systems, users, groups, and domains. | On |
| User Account Changes | Filters changes to existing user accounts. |  |
| Machine Account Changes | Filters changes to existing machine accounts. | On |
| Group Changes | Filters creation, deletion, and changes to groups. | On |
| Domain & Membership Changes | Filters new and deleted domain accounts (including users/groups) and domain changes. | On |
| Device/System Policy Changes | Filters events related to policy changes on devices and systems. | On |
| All File Audit Activity | Filters events related to all types of audited file access. | On |
| USB File Auditing | Filters file-related alerts from Agents running USB Defender. | On |
| User Logons | Filters all types of user logons. | On |
| Interactive User Logons | Filters background network logon types. |  |
| Remote User Logons | Filters events that indicate remote Windows system logons. | On |
| Failed Logons | Filters events that indicate failed logon attempts to devices and systems. | On |
| Account Lockouts | Filters events that indicate an account was locked out. | On |
| Authentication Event Threats | Filters authentication events with a source or destination detected in the threat intelligence feed as potentially bad actors. | On |
| Admin Account Authentication | Filters authentication events related to specified administrative accounts. | Off |
Endpoint Monitoring Filters
| Filter | Description | Default status |
|---|---|---|
| Workstation Logon/Logon Failure Activity | Filters non-network workstation logon/logon failure to a domain or local account. | On |
| Local Account Authentication/Changes | Filters any user-related audit events that are not to or from the corporate domain. |  |
| Software Installed on Workstations | Filters software installations on workstation systems. | On |
| USB-Defender Events | Filters USB Defender events. | On |
| Workstation Events with Threats | Filters all events detected on endpoints with a source or destination detected in the threat intelligence feed as potentially bad actors. | On |
| Top PCI Events | Filters the most common PCI events of interest, which include change management, unexpected file access, incidents, and attacks. | Off |
| Top HIPAA Events | Filters file activity, changes, and incidents related to HIPAA events. |  |
| Top Banking Compliance Events | Filters common banking compliance events, including change management, users and groups, and potentially suspicious attack activity. | Off |