Some of our favorite moments with LEM have been the stuff that people had no idea was happening or to look for that they uncovered for the first time now that all their data was consolidated. Did you have one of these a-ha moments when you started looking at log data? What did you find?
A couple of my faves:
- Hospital/clinic type environment had just installed LEM and was starting to monitor workstation/endpoint activity through the hospital/clinics (since their big issue is HIPAA). They also had their web proxy hooked up to LEM. Lo and behold, after a few minutes, someone started surfing inappropriate content - we're not talking borderline "oops, I got an ad", we're talking all-out intentional stuff. Their policy dictated they had to confirm it, so they shadowed the session and sure enough... it was what they thought. So, they sent the guy a popup message using LEM's active response, and they literally watched him dismiss it. Sent a couple more about HR policies, watched him dismiss those, too. Sent one that said "IT is on their way"... suddenly he logged off and walked away.
- Semi-regulated environment (no public regs, only internal) had an uptime/SLA policy that required that a designated service account be accessible at any time - one of a few people with a key/card to access the datacenter could log on with these shared credentials to fix certain business-critical issues. This account was only supposed to be used in those scenarios. What did they find? Yeah, not that. It was being used to log in to workstations for admin privileges, install software on other servers... oops.
If you missed it, the first SolarWinds Lab episode featured an example that came from some of our experiences as well - a customer's firewall kept going down, network performance was at rock bottom, logs going nuts... it was a virus. It took them a bit, but they were able to use the logs to identify new infections and confirm that systems were cleaned.
Doesn't have to be LEM-specific; tell us what you've got.
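Detection logic for the shared break-glass account scenario in the post above, as an added example that is not part of the original post and not one of LEM's own rules. Everything in it is constructed: the account name svc-breakglass, the host names, the policy and the sample events. It reads Windows Security event 4624 (logon, with its logon type) and 4688 (process creation) records and flags any use of the account that is not a console logon on one of the designated datacenter hosts, plus any installer launched under it, which is exactly the "logging in to workstations / installing software on other servers" pattern the post describes.

```python
"""Constructed example: flag uses of a shared break-glass account outside its policy."""
from dataclasses import dataclass
from typing import Optional

# Hypothetical policy for the constructed account "svc-breakglass":
# console logons (Windows logon type 2) on the named datacenter hosts only.
POLICY = {
    "account": "svc-breakglass",
    "allowed_hosts": {"dc-app01", "dc-db01"},
    "allowed_logon_types": {2},
}

# Windows logon types as recorded in Security event 4624.
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}


@dataclass(frozen=True)
class Event:
    ts: str
    event_id: int          # 4624 = logon, 4688 = process creation
    account: str
    host: str              # host that recorded the event
    logon_type: Optional[int] = None   # only on 4624
    process: Optional[str] = None      # only on 4688


# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    Event("2013-05-01T02:10:00", 4624, "svc-breakglass", "dc-app01", logon_type=2),       # allowed
    Event("2013-05-01T09:42:13", 4624, "svc-breakglass", "ws-finance-07", logon_type=10),  # RDP to a workstation
    Event("2013-05-01T09:45:02", 4688, "svc-breakglass", "ws-finance-07",
          process=r"C:\Windows\System32\msiexec.exe"),                                     # installer on it
    Event("2013-05-01T11:03:55", 4624, "svc-breakglass", "app-test-03", logon_type=3),     # network logon elsewhere
    Event("2013-05-01T11:04:20", 4688, "svc-breakglass", "app-test-03",
          process=r"C:\Windows\System32\msiexec.exe"),                                     # installer on it
    Event("2013-05-01T12:00:00", 4624, "jdoe", "ws-finance-07", logon_type=2),             # not our account
    Event("2013-05-01T14:30:00", 4624, "svc-breakglass", "dc-app01", logon_type=10),       # right host, wrong way in
]


def find_violations(events, policy=POLICY):
    """Return (event, reason) pairs for every policy violation by the shared account."""
    violations = []
    for ev in events:
        if ev.account != policy["account"]:
            continue
        if ev.event_id == 4624:
            if ev.host not in policy["allowed_hosts"]:
                violations.append((ev, f"logon to non-datacenter host {ev.host}"))
            elif ev.logon_type not in policy["allowed_logon_types"]:
                name = LOGON_TYPES.get(ev.logon_type, ev.logon_type)
                violations.append((ev, f"disallowed logon type {name}"))
        elif ev.event_id == 4688 and ev.process and ev.process.lower().endswith("msiexec.exe"):
            violations.append((ev, f"software install on {ev.host}"))
    return violations


def summarize(events, policy=POLICY):
    """Violations per host, so you can see where the account is really being used."""
    counts = {}
    for ev, _ in find_violations(events, policy):
        counts[ev.host] = counts.get(ev.host, 0) + 1
    return counts


if __name__ == "__main__":
    for ev, reason in find_violations(SAMPLE_EVENTS):
        print(f"{ev.ts} {ev.host:14} {reason}")
    print(summarize(SAMPLE_EVENTS))
```

The host check runs before the logon-type check on purpose: a logon from the wrong host is already a violation, and reporting it that way avoids a second, less useful alert for the same event. Run over the sample set it reports five violations on three hosts and ignores the one legitimate console logon on dc-app01.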