Integrate SolarWinds Observability Self-Hosted with SEM
You can integrate SolarWinds Observability Self-Hosted with SolarWinds Security Event Manager (SEM) to view security data in the SolarWinds Platform Web Console.
This integration provides a unified view of top security events and issues. You can also launch in-context into SEM, reducing the time necessary to identify and resolve issues.
Add SEM instances for monitoring
You can connect multiple SEM instances to SolarWinds Observability Self-Hosted for centralized monitoring.
If SEM uses the HTTPS protocol, ensure that the SSL certificate is trusted on the SolarWinds Observability Self-Hosted server before configuring the connection. If the certificate is not trusted (for example, when using a self-signed certificate), import the SEM HTTPS SSL certificate into the Trusted Root Certification Authorities store on the SolarWinds Observability Self-Hosted server.
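The import described above can be scripted so that the certificate is checked before it is trusted. The following PowerShell is an added example, not SolarWinds-provided code; the file path and expected fingerprint are placeholders to replace, and it assumes the SEM certificate has already been exported to a file and that the session is elevated on the SolarWinds Observability Self-Hosted server.

```powershell
# Added example. Run in an elevated PowerShell session on the
# SolarWinds Observability Self-Hosted server.
# Assumed values (not from the original page):
$CertPath       = 'C:\Temp\sem-https.cer'   # certificate exported from SEM (assumed path)
$ExpectedSha256 = '<SHA-256 fingerprint confirmed with the SEM administrator>'  # placeholder

# Load the certificate file without installing it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# Compute the SHA-256 fingerprint over the DER-encoded certificate.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
$sha256.Dispose()

# Show what is about to be trusted.
[pscustomobject]@{
    Subject   = $cert.Subject
    Issuer    = $cert.Issuer
    NotBefore = $cert.NotBefore
    NotAfter  = $cert.NotAfter
    Sha256    = $actual
} | Format-List

# Refuse to import a certificate that is not the expected one,
# or that is outside its validity period (fails closed on the placeholder).
$expected = $ExpectedSha256 -replace '[^0-9A-Fa-f]', ''
if ($actual -ne $expected) { throw "Fingerprint mismatch: got $actual" }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw 'Certificate is outside its validity period.'
}

# Import into Trusted Root Certification Authorities (local machine store).
Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Confirm the chain now builds. Revocation checking is off because a
# self-signed certificate publishes no revocation information.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($cert)) {
    'Certificate chain is trusted on this server.'
} else {
    $chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
}
```

Obtain the expected fingerprint through a channel other than the HTTPS connection being configured, so the comparison detects a substituted certificate.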
- In SolarWinds Observability Self-Hosted, click My Dashboards > Security > SEM Summary.
- Click the Settings button.
- On Security Event Manager Settings, click Security Event Manager Connections. The page displays all connected SEM instances.
- Click Add Connection.
- On Specify SEM Web API URL:
  - Type the base URL.
  - Enter a display name for the connection.
  - Click Next to test the connection between SolarWinds Observability Self-Hosted and the SEM server to ensure connectivity and verify SSL certificate status.
- On Credentials, enter the username and password for retrieving data from the SEM connection. Then, click Next.
The SEM Summary dashboard now displays data from all connected SEM instances.
Manage connected SEM instances
You can edit or delete SEM connections in SolarWinds Observability Self-Hosted.
Edit connected SEM instances
- In SolarWinds Observability Self-Hosted, click My Dashboards > Security > SEM Summary.
- Click the Settings button.
- On Security Event Manager Settings, click Security Event Manager Connections. The page displays all connected SEM instances.
- Click the pencil button next to the connection you want to update. The Edit SEM Connection wizard opens.
- Update the credentials for the connection as needed.
- Complete the wizard to save your changes.
Delete connected SEM instances
- In SolarWinds Observability Self-Hosted, click My Dashboards > Security > SEM Summary.
- Click the Settings button.
- On Security Event Manager Settings, click Security Event Manager Connections. The page displays all connected SEM instances.
- Click the trash can icon next to the connection you want to remove.
- Confirm the deletion.
View a summary of SEM data in the SolarWinds Platform Web Console
After integrating SEM with SolarWinds Observability Self-Hosted, you can see SEM data in the following dashboards.
Security Summary
This dashboard provides an overview of security data from all integrated sources, including SEM or ARM.
To open the dashboard, click My Dashboards > Security > Security Summary. SEM widgets include Saved Searches Runs and Connected Instances.
- Click the Saved Searches widget to go to the SEM Saved Searches Runs view with more details.
- Click a severity to go to the SEM Saved Searches Runs view filtered by the severity.
- Click an instance to go to the selected SEM Instance dashboard to view information related to the instance.
SEM Summary
The Security Event Manager dashboard displays only data from SEM.
- Click on Connected Instances to go to Security Event Manager Connections for more details on monitored SEM instances or to add a new SEM connection.
- Click on any other widget on this board to display the SEM Saved Searches Runs board.
Click My Dashboards > Security > SEM Summary, or click from a SEM widget on the Security Summary page, to open the Security Event Manager dashboard.
The dashboard displays:
- A list of connected instances
- A list of licenses
- All saved searches by severity as a KPI widget and all saved searches in a table.
- Tracked searches by severity as a KPI widget and all tracked saved searches in a table. Tracked searches are searches tracked using a tag. See View tracked saved searches from SEM.
SEM widgets display events from SEM Scheduled Queries with the appropriate tags. SEM widgets do not display data from Live Events.
View SEM data for individual nodes
By default, node details pages do not include SEM-specific widgets. You can manually add widgets to display SEM data for individual nodes.
The widgets are hidden on Node Details pages for non-SEM nodes.
Add SEM widgets
- On the node details page, click the pencil icon (Edit page).
- Click Add Widgets.
- In the Group by filter, select Type > Security or enter "SEM node" into the search box.
- Drag and drop the widget onto the page.
- Click Done Adding Widgets, then click Done Editing to save your changes.
View last events based on a custom SEM filter
- Add the Last Events based on Custom SEM widget to a node details page. See Add SEM widgets.
- Click Edit in the widget to change the information displayed.
- Set the maximum number of events.
- Specify the number of events per page.
- Adjust the time range.
- Select a predefined filter.
- Click Save.
- To view more details, click to access the associated data in SEM. You can also click Open in SEM to launch the SEM Live Events page.
View top events based on custom SEM filter
When you add the SEM server as a monitored node, you can add the Top Events based on a custom SEM filter widget.
- Add the Top Events based on Custom SEM widget to a node details page. See Add SEM widgets.
- Click Edit in the widget to change the information displayed.
- Adjust the maximum number of events and the number of events per page.
- Adjust the time period for the widget.
- Adjust how the events should be grouped.
- Select a predefined filter and save your changes.
To view more details, click to access the associated data in SEM. You can also click Open in SEM to launch the SEM Live Events page.
View tracked saved searches from SEM
You can display events from scheduled SEM queries, using tracked tags. Tracked searches are searches that have a tag assigned. To display tracked searches in SolarWinds Observability Self-Hosted:
The SEM dashboard widgets in the web console do not show events from Live Events.
Requirements for getting saved SEM searches to SolarWinds Observability Self-Hosted
- The search query must have a scheduled report configured.
- The report must have been run in SEM at least once.
- The report must have a tag associated with it.
- The associated tag must be added for tracking in SolarWinds Observability Self-Hosted.
Setup in SEM
- Create a new query or use an existing one. See Create a search query in SEM documentation.
- Apply tags to the query. See Apply tags to a query in SEM documentation.
- Schedule a report for the query. See Schedule a report in SEM documentation.
- Wait for at least one report to run.
Add tracked tags
Add the tracked tags for saved searches you want to see in SolarWinds Observability Self-Hosted.
- In SolarWinds Observability Self-Hosted, click My Dashboards > Security > SEM Summary.
- Click the Settings button.
- On Security Event Manager Settings, click Security Event Manager Tracked Tags. The page displays all tracked SEM tags in SolarWinds Observability Self-Hosted.
- Click Add.
- In the Add SEM Tracked Tag dialog:
  - Select the SEM instance from which you want to add a tag.
  - Select the Tag category.
  - Select the Tag.
- Click Add to save the tag.
All tracked searches using the tag will be added to the tracked searches widgets.
Remove tracked searches
To remove tracked searches from the widgets, remove the tag they are associated with.
- Go to the Security Event Manager Tracked Tags page.
  - Click Settings > All Settings > Security Settings > Security Event Manager Settings > Security Event Manager Tracked Tags, or
  - Click My Dashboards > Security > SEM Summary. Then click Settings > Security Event Manager Tracked Tags.
- Select a tag, click Delete, and confirm the deletion.
The tag is deleted and all saved searches associated with the tag will be deleted.
View information on tracked saved searches runs
Click My Dashboards > Security > SEM Summary.
Scroll down and review the widgets relevant for tracked searches.
- Tracked Saved Searches Runs By Result Severity - KPI widget showing the number of tracked search runs with critical, warning, or OK severity.
  - Click the Saved Searches widget to go to the SEM Saved Searches Runs view with more SEM details.
  - Click a severity to go to the SEM Saved Searches Runs view filtered by the severity.
- Tracked Saved Searches Runs - a table listing tracked saved search runs, grouped by severity, with more details, such as the events count, the related instance, or the last run time. Click an instance to go to the selected SEM Instance dashboard to view information related to the instance.