Documentation for Security Event Manager

Glossary of SEM terms

Active response: An action that you or a SEM rule can take in response to suspicious activity or an attack. Active response actions include the Block IP active response, the Disable Networking active response, the Log off User active response, the Kill Process active response, the Detach USB Device active response, and so on.

Actor: A connector sub-type that can perform an active response. The actor connector allows the Agent to receive instructions from the SEM Manager and perform active responses locally on the Agent computer, for example, sending pop-up messages or detaching USB devices. On the SEM Console, an orange connector icon represents an actor connector. Also see sensor.

Agent: In SEM, a software application that collects and normalizes log data before it is sent to the SEM Manager. The Agent runs as a standalone service and provides additional event alerting on workstations and servers. An Agent is required for some active responses, including logging off a user, shutting down a computer, and detaching a USB device. SEM Agents use Secure Sockets Layer/Transport Layer Security (SSL/TLS) to securely transmit log data. Also see connector.

Agent node: In SEM, a single Agent, syslog, or SMTP instance that sends events to SEM. For example, an environment with 10 routers, 50 switches, 5 firewalls, 300 servers, and 500 workstations has 865 nodes sending data to SEM Manager.

Alert: See event.

Appliance: Originally, SEM was sold as a physical appliance that you deployed on your network. Today, SEM is the virtual image of a Linux-based appliance.

CMC: A command-line interface you can use to interact with the SEM Manager VM to perform routine administrative tasks without root access.

Connector: In SEM, a connector is a stand-alone file that allows SEM to monitor and interact with third-party vendor products, for example a firewall, an anti-virus application, a router, and so on. Each connector is named after the specific product that it is designed to support.
Connectors can reside either on a SEM Agent, or on the SEM VM. Connectors installed on an Agent monitor local log files, but they can also monitor events sent from remote devices that cannot run an Agent. Connectors can intercept syslog events sent by third-party network devices and translate them into normalized events. Whereas SEM Agents actively send normalized log events to the SEM Manager, connectors rely on the host system to send syslog events to the SEM Manager.
Connectors have two subtypes: sensors and actors. A sensor retrieves data from the product that the connector supports, whereas an actor carries out active responses.

Correlation: See event correlation.

Directory service group: In SEM, directory service groups are Windows users and computer accounts that SEM pulls from Active Directory. You can associate directory service groups with rules and filters. Use directory service groups if Active Directory is available so that you do not have to manually update lists of user and computer accounts in user-defined groups.

Event: Any alert or notification written to a log that is monitored by SEM. In SEM, the terms event and alert are interchangeable.

Event correlation: The process of extracting useful and/or significant information from the large number of events flowing in to SEM. Event correlation works by looking for and analyzing relationships between different event sources.

Event distribution policy: SEM's event distribution policy controls how events are routed through the system. By configuring the event distribution policy, you can disable (or exclude) specific event types at the event level from being sent to the SEM console and/or the SEM database. Use the event distribution policy to prevent events of little or no value from being processed by the console or stored in the database.

Event group: A group type used to organize events for use with rules and filters. If you use an event group in a rule, SEM fires the rule when any event in the group triggers an alert.

Event response: See active response.

Facility code: A numeric code specified by the syslog protocol to identify the type of program that is logging the message. Sixteen facility codes, ranging from 0 (kernel messages) to 15 (clock daemon), are reserved for known program types, whereas facility codes 16 through 23 are reserved for local use (local use 0 up to local use 7). In SEM, facility codes are used to route vendor-specific events to designated log files.

Filters: Filters capture events and alerts that take place on your network. Filter conditions can be broad or specific. For example, you can create a filter without conditions that captures all events, regardless of the source or event type, or you can create a filter that has one specific condition, such as UserLogon Exists, which only captures user logon events. SEM ships with filters that support best practices in the security industry. You can modify these filters to meet your needs.

Filter groups: Also called filter categories. Filter categories are used to organize filters in SEM. SEM installs with seven default categories in the Filters pane: Overview, Security, IT Operations, Change Management, Authentication, Endpoint Monitoring, and Compliance. Administrators can remove or rename these categories, or add new categories as needed.

File Integrity Monitoring: Also called FIM. A SEM feature that monitors system and user file activity to protect sensitive information from theft, loss, and malware. FIM detects changes to critical files and registry keys to ensure that they are not accessed or modified by unauthorized users. FIM helps systems comply with regulatory requirements, including the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and Sarbanes-Oxley. FIM is enabled either by adding a FIM connector to a node, or by adding FIM to an existing connector profile.

Flat file log: Any log output to one or more ASCII-based text files. Systems that write to flat file logs include Linux system logs, web server logs, DNS server logs, custom application logs, and others.

Groups: In SEM, groups organize related elements into logical units so that they can be used in rules and filters. Various group types are used to group events, data elements (such as IP addresses, user names, web site URLs, and so on), Active Directory users and computers, email templates, Agents and connectors, and time-of-day sets.

Hypervisor: Computer software that runs virtual machines. The SEM VM can be installed on two hypervisors: Microsoft Hyper-V Server, and VMware vSphere ESX 4.0 or ESXi 4.0 and later.

SEM Manager: The SEM component that collects and processes log messages sent by one or more network systems. The SEM Manager consists of a syslog server, an optimized database, a web server, a correlation engine, and a hardened Linux operating system. SEM Manager is deployed as a single VM to a hypervisor (either Hyper-V or vSphere) running on Windows Server.

Local Agent Installer: A standalone installer that you or another administrator runs on a local host system to install the SEM Agent. The Local Agent Installer can be used for attended or unattended SEM Agent installations. Also see Remote Agent Installer.

Manager: See SEM Manager.

NCR: An initialism for New Connector Request. An NCR is a request for SolarWinds to create a connector for a system or application that does not have one.

NCD: An initialism for New Connector Data. An NCD is a request for SolarWinds to update an existing connector to receive data that is either being missed or is coming in as unmatched.

Node: An Agent instance monitored by SEM. On the SEM Console, navigate to Configure > Nodes to display the Agents monitored by each of your SEM Managers.

Normalization: The process by which SEM translates raw log data into a standard format prior to storing the message in the database. The SEM Manager component and the SEM Agent component are both capable of normalizing raw event messages received from devices on a network.

Ops Center: See Ops Center view.

Ops Center view: In the web console, the user interface view that provides a dashboard made up of multiple widgets to help identify trends and problem areas in the network. Administrators can customize the dashboard by adding, editing, and removing widgets.

Raw log retention: The raw log retention component in SEM is a separate data store to which you can send raw (unnormalized) log messages. The database is an optional component that is disabled by default. To save raw log messages, you need to enable it.

Remote Agent Installer: A standalone installer that pushes SEM Agents to Microsoft Windows hosts across your network without the need to step through an installation wizard. The installer unzips the installation files to a temporary folder of your choice, searches for Windows systems across the network, and installs the SEM Agent one at a time to the targeted systems. Also see Local Agent Installer.

Roles: SEM uses roles to restrict user access to sensitive data. Each SEM user account must be assigned to one of six SEM role types: Administrator, Auditor, Monitor, Contact, Guest, and Reports.

Rules: Rules monitor event traffic and automatically respond to events in real time. When an event (or a series of events) meets a rule condition, the rule prompts the SEM Manager to carry out a response action. A response action can be discreet, such as sending notifications to the appropriate users by email; or it can be active, for example blocking an IP address or stopping a process.

Sensor: A connector sub-type that cannot perform an active response. On the SEM Console, a blue connector icon represents a sensor connector. See also actor.

Severity: In the syslog protocol, severity is a numeric code used to specify the urgency of the notification. Severity ranges from 0 (emergency: system is unusable) to 7 (debug: debug-level messages).

SIEM: A category of software products and services that monitor and analyze security events generated by applications and hardware devices on a network and send notifications when a set threshold is reached. Security Event Manager (SEM) is a fully-featured SIEM solution. SIEM is an initialism for security information and event management.

Single sign-on: SEM supports Active Directory single sign-on (SSO). When enabled, SEM does not request a user name and password if the user is already logged in to Active Directory (AD). Instead, AD authenticates the user in the background, and automatically logs the user in to SEM with the appropriate user access rights.

SNMP, SNMP monitoring: Simple Network Management Protocol is used to collect information from network devices. SEM can receive SNMP traps from SolarWinds solutions to correlate performance alerts with SEM events. SEM can also send SNMP traps to SolarWinds solutions to enable NPM to monitor CPU, memory, and other critical SEM components.

SSO: See single sign-on.

Syslog: A message logging protocol used by a wide range of devices, including most network devices, such as routers, switches, and firewalls. Devices send event notification messages to a central logging server (a syslog server) that consolidates logs from multiple sources. Syslog messages have a numeric facility code that specifies the type of program that is logging the message (SEM uses the facility code to route messages to a log), and a numeric severity level that specifies the urgency of the notification.
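As an added example (not SolarWinds' code), this Python snippet decodes the facility and severity described in the Facility code, Severity and Syslog entries: a syslog message's PRI prefix packs them as facility * 8 + severity, and routing by facility name mirrors how SEM uses the facility code to direct messages to designated logs. The sample messages and the "unmatched" bucket name are constructed for the example.

```python
import re

# Facility names 0..23 from the syslog protocol table: 0-15 are reserved
# for known program types, 16-23 are local use 0 through local use 7.
FACILITIES = [
    "kernel", "user-level", "mail", "system daemons", "security/auth",
    "syslogd internal", "line printer", "network news", "UUCP", "clock daemon",
    "security/auth", "FTP daemon", "NTP", "log audit", "log alert", "clock daemon",
] + [f"local use {n}" for n in range(8)]

# Severity names 0 (emergency) through 7 (debug).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(message):
    """Return (facility, severity) from a message's <PRI> prefix, or None.

    PRI = facility * 8 + severity, so the low three bits are the severity.
    A facility above 23 is not defined and is treated as invalid."""
    m = _PRI_RE.match(message)
    if not m:
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    if facility > 23:
        return None
    return facility, severity

def route_by_facility(messages):
    """Group messages by facility name, the way a collector routes
    vendor-specific syslog into per-facility log files.
    Messages without a valid PRI go to a constructed 'unmatched' bucket."""
    routed = {}
    for msg in messages:
        decoded = decode_pri(msg)
        key = FACILITIES[decoded[0]] if decoded else "unmatched"
        routed.setdefault(key, []).append(msg)
    return routed

# Constructed sample messages (not real device output).
SAMPLE = [
    "<34>Oct 11 22:14:15 fw01 sshd: Failed password for root",   # auth(4), critical(2)
    "<165>Oct 11 22:14:16 sw02 %LINK-3-UPDOWN: Interface down",  # local4(20), notice(5)
    "<0>Oct 11 22:14:17 host kernel: panic",                     # kernel(0), emergency(0)
    "Oct 11 22:14:18 app: no PRI header on this line",
]
```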

Syslog server: A software application (such as Kiwi Syslog Server) that collects syslog messages and SNMP traps from network devices (such as routers, switches, and firewalls).

USB defender: A free add-on for all SEM Agents installed on Windows computers. USB defender tracks events related to USB mass storage devices like flash drives and smart phones, and allows the SEM Manager to send commands to detach offending devices both manually and automatically.

User-defined group: User-defined groups are groups of data elements that can be used in rules and filters to match, include, or exclude events, information, and data fields. Data elements can be IP addresses, user names, email addresses, web site URLs, and so on.

Virtual appliance: A type of virtual machine that hosts a single application on a hypervisor. To keep things simple, the SEM documentation refers to the SEM virtual appliance as the SEM virtual machine (or the SEM VM). The SEM virtual appliance runs on a hardened, Linux-based software stack that includes a database, a web server, a correlation engine, a syslog server, and an SNMP trap receiver.

vSphere: A hypervisor distributed by VMware. The SEM virtual machine can be deployed on vSphere.

Widget: A user interface component that provides special dashboard functionality, such as displaying real-time information about network activity, or providing tools for investigating events and related details.