Documentation for Security Event Manager

Anomalous Detection in SEM (Technical Preview)

During the Technical Preview, SEM Anomalous Detection capabilities are included with trial and evaluation licenses and with specific licensed customers for the purpose of testing and feedback. Once Anomalous Detection reaches General Availability, these features may require a specific license or additional charges for continued use.

You can securely link your on-premises instance of Security Event Manager to the SolarWinds Platform with Platform Connect, allowing you to use cloud-based AI and machine learning for anomalous event detection.

Advantages to using AI and machine-learning anomaly detection include:

  • Automatic detection of anomalies using learned baselines instead of static thresholds.

  • Reduction of alert noise, because only statistically unusual user, host, and network activity is highlighted.

  • Access to future AI-powered security features for SEM, as they become available.
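The first advantage above (a learned baseline instead of a static threshold) is easiest to see on real counts. The following is an added illustration, not SolarWinds code and not a description of how the SEM cloud model works: it scores constructed per-host failed-logon counts two ways, once against a fixed threshold and once against each host's own learned mean and standard deviation. The host names, counts, window size and z-score cutoff are all assumptions chosen for the demonstration.

```python
"""Added example (not SolarWinds code): a per-entity learned baseline versus a
single static threshold, applied to constructed per-host event counts.

Constructed input: failed-logon counts per 10-minute bucket for two hosts. One is
a noisy build server that always fails a lot; the other is a quiet workstation
that suddenly starts failing. A single static threshold either fires on the build
server every interval or misses the workstation entirely; a baseline learned from
each entity's own history flags only the real change.
"""
from statistics import mean, pstdev

# Constructed sample data (assumption): failed-logon counts per 10-minute bucket,
# oldest first. Neither host nor the numbers come from any real SEM deployment.
SAMPLE_COUNTS = {
    "build-server": [40, 38, 45, 41, 39, 44, 42, 40, 43, 41, 39, 44],
    "workstation":  [0, 1, 0, 0, 2, 0, 1, 0, 0, 1, 0, 9],
}

STATIC_THRESHOLD = 20   # assumed rule: "alert if failures > 20 per 10 minutes"
TRAINING_WINDOW = 8     # assumed: buckets used to learn each entity's baseline
Z_THRESHOLD = 3.0       # assumed: flag buckets more than 3 sigma above baseline
MIN_STDEV = 1.0         # floor so a perfectly flat history still has some width


def static_threshold_alerts(counts, threshold=STATIC_THRESHOLD):
    """Return the bucket indexes where a fixed threshold would fire."""
    return [i for i, c in enumerate(counts) if c > threshold]


def learn_baseline(history, min_stdev=MIN_STDEV):
    """Learn (mean, stdev) from an entity's own history, with a stdev floor."""
    return mean(history), max(pstdev(history), min_stdev)


def baseline_alerts(counts, window=TRAINING_WINDOW, z=Z_THRESHOLD):
    """Return (bucket index, z-score) for buckets that are statistically unusual
    relative to the entity's own preceding history.

    Each bucket after the training window is scored against the mean/stdev of
    the previous `window` buckets, so the baseline moves with the entity."""
    alerts = []
    for i in range(window, len(counts)):
        mu, sigma = learn_baseline(counts[i - window:i])
        score = (counts[i] - mu) / sigma
        if score > z:
            alerts.append((i, round(score, 2)))
    return alerts


def compare(all_counts):
    """Run both detectors over every entity and return the results side by side."""
    return {
        name: {
            "static": static_threshold_alerts(c),
            "baseline": [i for i, _ in baseline_alerts(c)],
        }
        for name, c in all_counts.items()
    }


if __name__ == "__main__":
    for name, result in compare(SAMPLE_COUNTS).items():
        print(f"{name:13s} static={result['static']} baseline={result['baseline']}")
```

On this input the static rule fires on every one of the build server's twelve buckets and never on the workstation, while the learned baseline stays quiet on the build server and flags only the workstation's last bucket (z ≈ 8.5). The stdev floor matters: a host whose history is all zeros would otherwise divide by zero and turn any single event into an infinite score.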

Requirements

  • A valid SEM license
  • Outbound internet connectivity from your SEM appliance to SolarWinds Observability SaaS

Installation and Status

During installation, you can review the data-sharing terms and connect SEM to your SolarWinds Platform account.

  1. Click Events > Anomaly Detection > Connect Securely.

  2. Select your cloud provider from the list.

  3. Enter your email address and click Agree and Connect.

  4. Wait for a connection to be established, which may take a couple of minutes. The Anomalous Events panel opens when you are connected.

In the top-right corner, a status icon alerts you to the current Platform Connect status.

  • Grey: Platform Connect is not yet configured.
  • Green: SEM is connected to Platform Connect and anomaly detection is running.
  • Blue: Platform Connect is turned off and anomaly detection is paused. No data is being sent to SolarWinds Platform.
  • Red: Platform Connect is unavailable and anomaly detection is paused.

Anomalous Events panel overview

The Anomalous Events panel can be accessed under the Events menu in SEM.

In the top-right corner, links are provided for reloading data if it does not load as expected, and for filtering data by time period.

The left navigation pane displays a list of all available use cases. Hover over the info icon for a brief description. An icon to the right of a use case indicates that no groups have been added to it yet. To add groups, see Manage use cases.

Manage use cases

Set up or change the monitoring scope for use cases by adding or removing user-defined groups. Use cases with an icon to the right of the name have no groups.

  1. Click the Manage Use Cases gear icon above the list of use cases.

  2. In Manage Detection Scope per Use Case, select the use case to edit.

  3. Expand the list and select the group(s) you want to monitor, or click the X next to a group to remove it.

  4. Click Save.

  5. Review event and anomaly data displayed in the provided charts. It may take a few minutes for data to display.

    If the data does not appear, or it does not seem current/accurate, click Reload Data in the top-right corner.

  6. Expand a use case to see groups and the group's entities and event data.

  7. Click the time series filter next to Reload Data to view event data during a specific time period. You can choose from one of the provided time periods (Last 10 minutes, Last 1 hour, Last 7 days, etc.) or enter a specific start and end time.

    To zoom into a specific section of the timeline data, click and drag over the relevant section. Click Undo zoom to return to the standard timeline view.

Manage Platform Connect

To manage your Platform Connect connection, click the SEM settings gear icon in the top-right corner and click Updates.

If Platform Connect is not installed, the Platform Connect section shows only the Connect Securely option in place of the management options described below. Click Connect Securely to begin the installation process.

If installed, the Platform Connect section includes version information, the email address used to connect the account, and the following options:

  • Uninstall: Removes Platform Connect and all associated data from the SEM instance, including Platform Connect agents and plugins, connection tokens, anomaly detection baselines, detected anomalies, and metric series. Cloud-side data is retained per standard SolarWinds Observability Self-Hosted tenant retention policies.
  • Reinstall: Fixes common performance issues without removing your existing configuration.
  • Restart: Restarts Platform Connect services without removing existing configuration, when data is not loading as expected.

User roles

Users with administrator access can manage Platform Connect (enable, disable, restart, uninstall), adjust settings, view the connection status, and configure use cases.

Users with auditor access can view and query anomalous events when Platform Connect is enabled. If Platform Connect is not enabled and connected, auditors cannot view anomalous event data.

Users who are not auditors or administrators will not see the Anomalous Events feature in the Events menu, the settings, or the connection status.

Data Handling

Platform Connect is admin-enabled and fully under your control. You can choose which use cases to monitor and can stop monitoring at any time.

When establishing a connection with Platform Connect, SEM sends only the email address used to enable the feature and the SEM license activation key. While Platform Connect is in use, raw logs and identifiers never leave your SEM appliance; only anonymized metric counts tied to an internal anonymous ID are sent, encrypted in transit using TLS 1.2 with 2048-bit RSA. That data is stored in the database to create trend predictions.

If Platform Connect is disabled, your data remains in the database, encrypted at rest using AES-256 volume-level encryption. If Platform Connect is uninstalled, your data is removed from the database.

Prompts are not retained, and your data is not used for model training.

For more information about data retention periods, see Data retention periods for each data type.