Copyright 1995-2012 SolarWinds Worldwide, LLC. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of SolarWinds. All right, title, and interest in and to the software and documentation are and shall remain the exclusive property of SolarWinds and its respective licensors. SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. The SolarWinds, the SolarWinds & Design, ipMonitor, LANsurveyor, Orion, and other SolarWinds marks, identified on the SolarWinds website, as updated from SolarWinds from time to time and incorporated herein, are registered with the U.S. Patent and Trademark Office and may be registered or pending registration in other countries. All other SolarWinds trademarks may be common law marks or registered or pending registration in the United States or in other countries. All other trademarks or registered trademarks contained and/or mentioned herein are used for identification purposes only and may be trademarks or registered trademarks of their respective companies. Microsoft, Windows, and SQL Server are registered trademarks of Microsoft Corporation in the United States and/or other countries.
Table of Contents

- Troubleshooting
- Additional Information
- Verifying Data
- Which Do I Pick?
- nDepth: A Fully Integrated IT Search Solution
- LEM Reports: For Compliance and Historical Reporting Needs
- Troubleshooting
- Additional Information
- nDepth
- External resources
- Additional Information
- LEM Reports
- Adding Filters
- Which Do I Pick?
- Use the Default Filters as Examples
- Other Filter Scenarios
- Example: Change Management
- Troubleshooting
- Additional Information
- Adding Rules
- Use Pre-configured Rules to Get Started
- Example: Change Management
- Other Rule Scenarios
- Troubleshooting
- Additional Information
- Analyzing Data
- Analyze Data
- Which Do I Pick?
- nDepth: A Fully Integrated IT Search Solution
- LEM Reports: For Compliance and Historical Reporting Needs
- Troubleshooting

Chapter 7: Monitor
- Monitor View Features
- Filters and Filter Groups
- Standard LEM Filters
- Filter Creation
- Features of Filter Creation
- Alerts
- Applying a Filter to the Alert Grid
- Sorting the Alert Grid
- Highlighting Alerts
- Copying Alert Data to the Clipboard
- Marking Alerts as Read and Unread
- Removing Alerts

Chapter 8: Explore
- nDepth
- nDepth's visual tools
- nDepth's Primary Uses
- Exploring Alerts vs. Log Messages
- Opening nDepth
- Opening nDepth From Another Data Source
- nDepth key features
- nDepth's Search Bar
- nDepth Explorer Toolbar
- nDepth's History Pane
- Using the nDepth Histogram
- Histogram Features
- Searching the Activity Associated with a Particular Histogram Bar
- Moving the Search Period
- Changing the Period's Start and End Time
- Using Result Details
- Interpreting Search Results in Alerts Mode
- Interpreting Search Results in Log Messages Mode
- Adding Search Strings from Result Details
- Using Explorers with Result Details
- Responding to Result Details
- Exporting Result Details Data to a Spreadsheet
- Common nDepth Data Fields
- Common Data Field Categories in Alerts Mode
- Common Data Field Categories in Log Messages Mode
- Using the Word Cloud
- Opening the Word Cloud
- Viewing Statistics in the Word Cloud
- Filtering the contents of the Word Cloud
- Exploring Items in the Word Cloud
- Using the Tree Map
- Opening the Tree Map
- Resizing Tree Map Categories
- Exploring items in the Tree Map
- Using nDepth widgets
- Default nDepth chart widgets
- nDepth explorer and widget icons
- Viewing a widget's details
- Creating a search string from a widget item
- Adding new nDepth Widgets
- Editing nDepth Widgets
- Adding a chart widget to the nDepth Dashboard
- Adding a main nDepth view to the nDepth Dashboard
- Using Search Builder
- Opening Search Builder
- Switching from the search bar to Search Builder
- Search Builder features
- Configuring a Search with Search Builder
- Utilities
- Explorer Types
- NSLookup Explorer
- Traceroute Explorer
- Whois Explorer
- Manually Exploring an Item

Chapter 9: Build
- Groups
- Group types
- Groups View Features
- Refining the Groups Grid
- Rules
- Rules View Features
- Rules Grid Columns
- Refine Results Form
- Users
- Users View Features
- Users Grid Columns
- Refining the Users Grid
- Viewing a User's System Privileges
- Creating a New Filter
- Editing an existing filter
- Cloning an Existing Filter
- Pausing Filters
- Resuming Paused Filters
- Turning Filters On and Off
- Copying a Filter
- Importing a Filter
- Exporting a Filter
- Deleting a Filter
- Managing Filter Groups
- Adding a New Filter Group
- Renaming a Filter Group
- Rearranging Filter Groups
- Moving a Filter From One Group to Another
- Deleting a Filter Group
- Responding to Alerts
- Using the Respond Forms
- Drag and Drop Functionality
- Event Explorer
- Opening the Event Explorer
- Event Explorer Features
- Exploring Alerts
- Using the Event Map
- Reading an Event Map
- Event Map Legend
- Using the Event Grid
- Viewing information in the event grid
- Exploring From the Event Grid
- Using the Alert Details Pane
- Opening and Closing the Alert Details Pane
- Viewing an Event's Alert Details
- Exploring From the Alert Details Pane
- Performing nDepth Searches
- Creating Search Conditions
- Deleting Items From Search Strings
- Creating Custom Timeframes
- Saving a Search
- Using a Saved Search
- Making Changes to a Saved Search
- Exporting nDepth Search Results to PDF
- Exploring Search Results from Graphical Views
- Taking Action on Alert Details
- Deleting a Saved Search
- Creating Search Conditions
- Deleting Items From Search Strings
- Creating Custom Timeframes
- Managing Tools
- Opening the Tool Configuration Form
- Adding new tool instances
- Starting a Tool Instance
- Stopping a Tool Instance
- Editing a Tool Instance
- Deleting a Tool Instance
- Creating Tool Profiles to Manage and Monitor LEM Agents
- Managing Widgets
- Opening and Closing the Widget Manager
- Creating New Master Widgets
- Editing Master Widgets
- Adding Widgets to the Dashboard
- Deleting Master Widgets
- Editing a Dashboard Widget
- Deleting Dashboard Widgets
- Managing Groups
- Adding a new Group
- Editing a Group
- Cloning a Group
- Importing a Group
- Exporting a Group
- Deleting a Group
- Configuring Alert Groups
- Configuring an Alert Group
- Alert List Features
- Configuring Directory Services Groups
- How to use Directory Services Groups
- Synchronizing Directory Service Groups with LEM
- Viewing a Directory Services Group's members
- Directory Services Group Grid Columns
- Deleting DS Groups
- Configuring Email Templates
- Step 1: Creating the email template
- Step 2: Adding message parameters
- Step 3: Creating the message
- Managing email template folders
- Configuring State Variables
- Adding new State Variable fields
- Editing State Variable fields
- Deleting State Variable fields
- Managing State Variable Folders
- Configuring Time of Day Sets
- Configuring a Time of Day Set
- Selecting periods in the time grid
- Configuring User-Defined Groups
- Examples of User-Defined Groups
- Configuring a User-Defined Group
- Adding data elements to a User-Defined Group
- Editing a data element in a User-Defined Group
- Deleting a data element from a User-Defined Group
- Configuring Tool Profiles
- Tool Profile rules
- Creating a Tool Profile (general procedure)
- Step 1: Selecting a template for the profile
- Step 2: Selecting the Agents that are members of the profile
- Editing a Tool Profile's Tool Settings
- Opening a Tool Profile's tool settings
- Adding a new tool instance
- Editing a Tool Profile's tool settings
- Managing Rules
- Rule Creation
- Rule Creation Features
- Advanced Thresholds
- Opening the Set Advanced Threshold form
- Setting an advanced threshold
- Adding a threshold field
- Editing threshold fields
- Deleting a threshold field
- Using the Actions box
- Using constants and fields to make actions flexible
- Configuring a rule's actions
- Adding a New Rule
- Rule Window Features
- Correlations box features
- Editing Rules
- Subscribing to a rule
- Enabling a rule
- Placing rules in test mode
- Activating rules
- Disabling a rule
- Cloning rules
- Importing a rule
- Exporting rules
- Deleting Rules
- Tool Configuration features
- Tools Grid Columns
- Tools grid icons
- Refining the Tools grid

Appendix B: Alerts
- Types of Alerts
- Asset Alerts
- Audit Alerts
- Incident Alerts
- Internal Alerts
- Security Alerts

Appendix C: Alert Data Fields

Appendix D: Connector Categories

Appendix E: CMC Commands
- Logging on to CMC
- Using the CMC 'appliance' menu
- Using the CMC 'manager' menu
- Using the CMC 'ndepth' menu
- Using the CMC 'service' menu

Index
Chapter 1: Introduction

SolarWinds Log & Event Manager (LEM) is a state-of-the-art virtual appliance that adds value to existing security products and increases efficiency in administering, managing, and monitoring security policies and safeguards on your network. SolarWinds LEM is based on new concepts in security: you can think of it as an immune system for computers. It is distributed throughout your network to several points of presence that work together to protect and defend your network, and it responds effectively, with focus and speed, to a wide variety of threats, attacks, and other vulnerabilities.

SolarWinds LEM collects, stores, and normalizes log data from a variety of sources and displays that data in an easy-to-use desktop or web console for monitoring, searching, and active response. Data is also available for scheduled and ad hoc reporting from both the LEM Console and the standalone LEM Reports console. Some common use cases for SolarWinds LEM include the following:

- Correlating network traffic from a variety of sources using filters and rules.
- Visualizing log data in dynamic graphs, charts, and other widgets.
- Monitoring USB mass storage device activity on network Agents.
- Responding to countless threats, attacks, and other vulnerabilities with easy-to-use point-and-click and automated active responses.
- Searching normalized log data for events of interest.
- Change Management and other security-related reporting for management and auditors.

... security products include anti-virus software, network-based intrusion detection systems, and logs from operating systems. When an Agent cannot be installed on a device, that device can be set to send its log data to the LEM Manager for normalization and processing. Examples of devices that cannot host Agent software include firewalls, routers, and other networking devices.

Once normalized, log data is processed by the LEM Manager, which provides a secure management clearinghouse for normalized data. The Manager's policy engine correlates data based on user-defined rules and local alert filters, and initiates the associated actions when applicable. These actions can include notifying users both locally in the Console and by email, blocking an IP address, shutting down or rebooting a workstation, and passing the alerts on to the LEM database for future analysis and reporting within the Reports application.

The following diagram illustrates the basic flow of data from Node and non-Node devices to the LEM Manager and, finally, to the LEM database and desktop console for storage and monitoring, respectively. LEM consists of two components:

- The virtual appliance, which collects and processes log and event information
- The desktop software, which allows you to view the information from a desktop or laptop
Requirements

This section discusses software and hardware requirements. Before installing, make sure your hardware and software meet these minimum requirements.

The following table provides the minimum installation requirements for the SolarWinds LEM virtual appliance:

| Software/Hardware | Minimum requirement |
|---|---|
| Virtualization Platform | (not legible in source) |
| CPU Speed | 2 GHz |
| Memory | 8 GB |
| Hard Drive Space | 250 GB |

The following table provides the minimum installation requirements for the SolarWinds LEM desktop console software and reports:

| Software/Hardware | Desktop Console & Reports |
|---|---|
| Operating System | (not legible in source) |
| CPU Speed | 1 GHz Pentium III or equivalent |
| Memory | 1 GB |
| Hard Drive Space | 5 GB |
| Environment Variables | The ability to install all software with administrator rights |

The following table provides the minimum installation requirements for the SolarWinds LEM web console:

| Software/Hardware | Requirement |
|---|---|
| Adobe Flash | Flash Player 11 |
| Supported Browsers | Internet Explorer 8 and later; Mozilla Firefox 10 and later; Google Chrome 17 and later |
The following table lists the ports used for communication with the LEM virtual appliance. Port numbers and descriptions that are not legible in the source are marked as such.

| Port | Type | Description |
|---|---|---|
| 25 | TCP | Traffic from the virtual appliance to your email server for automated email notifications |
| 139, 445 | TCP | Standard Windows file sharing ports used for the LEM Remote Agent Installer and traffic from the virtual appliance to a Windows destination for exporting functions |
| 162 | TCP | Traffic from devices sending SNMP trap messages to the virtual appliance |
| 389 | TCP | Traffic from the virtual appliance to a designated server (usually a domain controller) for use with the Directory Service tool |
| 514 | TCP or UDP | (description not legible in source) |
| (not legible in source) | UDP | Traffic from devices sending NetFlow to the virtual appliance |
| (not legible in source) | TCP | Traffic from LEM Reports to the virtual appliance |
| (not legible in source) | TCP | Non-secure traffic from the LEM Console to the LEM appliance; used during the evaluation period |
| 8443 | TCP | Secure traffic from the LEM Console to the virtual appliance; used once LEM is activated |
| (not legible in source) | TCP | Non-standard port for SSH traffic to the virtual appliance |
| 37890-37892 | TCP | Traffic from LEM Agents to the virtual appliance (see the LEM Agent port table below) |
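The following script is an added example, not part of the SolarWinds documentation, that turns the port table into a check a firewall administrator can run against a candidate allow-list before deploying the appliance. The required flows are copied from the tables in this section (rows whose port number is not legible in the source are left out, and the syslog purpose given for port 514 is this example's assumption); the allow-list line format ("tcp 8443", "tcp 37890-37893"), the sample allow-list and all function names are assumptions of this example. A "TCP or UDP" row is treated as satisfied when each port in its range is allowed on at least one of the two protocols.

```python
"""Check a firewall allow-list against the ports the LEM appliance needs.

Added example, not SolarWinds code. REQUIRED_FLOWS is transcribed from the
port tables in this section; SAMPLE_ALLOW_LIST is constructed for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One required flow: an inclusive port range, the protocols the table
    lists for it, and its purpose."""
    first_port: int
    last_port: int
    protocols: frozenset
    purpose: str

    def ports(self):
        return range(self.first_port, self.last_port + 1)


REQUIRED_FLOWS = [
    Flow(25, 25, frozenset({"TCP"}), "appliance -> email server, notifications"),
    Flow(139, 139, frozenset({"TCP"}), "Windows file sharing (Remote Agent Installer, exports)"),
    Flow(445, 445, frozenset({"TCP"}), "Windows file sharing (Remote Agent Installer, exports)"),
    Flow(162, 162, frozenset({"TCP"}), "SNMP traps -> appliance (protocol as listed in the table)"),
    Flow(389, 389, frozenset({"TCP"}), "appliance -> directory server, Directory Service tool"),
    Flow(514, 514, frozenset({"TCP", "UDP"}), "syslog -> appliance (purpose assumed)"),
    Flow(8443, 8443, frozenset({"TCP"}), "LEM Console -> appliance once activated"),
    Flow(37890, 37892, frozenset({"TCP"}), "LEM Agents -> appliance"),
    Flow(37893, 37896, frozenset({"TCP"}), "appliance -> LEM Agents, return traffic"),
]

# Constructed allow-list. It deliberately omits port 162 and only covers the
# first port of the agent return range, so the check has something to report.
SAMPLE_ALLOW_LIST = """
# proto port[-port]
tcp 25
tcp 139
tcp 445
tcp 389
udp 514
tcp 8443
tcp 37890-37893
""".splitlines()


def parse_allow_list(lines):
    """Expand allow-list lines into a set of (port, PROTOCOL) pairs."""
    allowed = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, spec = line.split()
        low, _, high = spec.partition("-")
        for port in range(int(low), int(high or low) + 1):
            allowed.add((port, proto.upper()))
    return allowed


def missing_flows(allowed):
    """Return the required flows the allow-list does not fully cover.

    A flow is covered when every port in its range is allowed on at least one
    of the protocols the table lists for it.
    """
    missing = []
    for flow in REQUIRED_FLOWS:
        covered = all(
            any((port, proto) in allowed for proto in flow.protocols)
            for port in flow.ports()
        )
        if not covered:
            missing.append(flow)
    return missing


if __name__ == "__main__":
    for flow in missing_flows(parse_allow_list(SAMPLE_ALLOW_LIST)):
        if flow.first_port == flow.last_port:
            ports = str(flow.first_port)
        else:
            ports = f"{flow.first_port}-{flow.last_port}"
        protos = "/".join(sorted(flow.protocols))
        print(f"not allowed: {ports} {protos}  ({flow.purpose})")
```

Run against the constructed allow-list, the script reports port 162 and the range 37893-37896 as not allowed; adding the missing lines makes the report empty. The port-by-port test matters for the agent ranges, where a rule that stops one port short silently breaks return traffic to some Agents.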
3. Click Browse to open the SolarWinds Log and Event Manager folder extracted to the desktop during installation.
4. Select the SolarWinds Log & Event Manager folder.
5. Click Select Folder.
6. On the Import Virtual Machine window, select Copy the virtual machine (create a new unique ID) and Duplicate all files so the same virtual machine can be imported again, and then click Import.
7. Select the newly created SolarWinds Log & Event Manager virtual appliance and then click Action > Connect.
8. In the virtual console window, click Action > Start and wait for the virtual appliance to start.
9. To start the LEM web console, launch a web browser and enter the Web Console URL shown in the Virtual Machine Connection screen.

To access the web console:
1. To start the LEM web console, launch a web browser and enter the Web Console URL provided during the configuration of VMware vSphere or Microsoft Hyper-V.
2. Click Connect. Note: The default credentials are admin and password.
3. Accept the End User License Agreement, and then click OK.
4. After logging in, the LEM web console requires that you change your LEM password after installation. Note: This password must be between 6 and 40 characters, and must contain at least one capital letter and one number.
5. Click OK.

Note: The LEM desktop software requires that you change your LEM password after installation. This password must be between 6 and 40 characters, and must contain at least one capital letter and one number.
9. Click OK.
The following table provides a list of all of the ports needed for communication with the LEM Agent:

| Port | Type | Description |
|---|---|---|
| 139, 445 | TCP | Standard Windows file sharing ports used for the LEM Remote Agent Installer and traffic from the virtual appliance to a Windows destination for exporting functions |
| 37890-37892 | TCP | Traffic from LEM Agents to the virtual appliance |
| 37893-37896 | TCP | Return traffic from the virtual appliance to LEM Agents |
Installation

For best results, close all other programs on the workstation before you proceed with this installation. If needed, you can exit this installer at any time during the installation by clicking Cancel. You can also use the Previous button to go back to prior pages of the installer to verify or change your settings.

To install a LEM Agent:
1. Download the SolarWinds LEM Agent installer for Windows.
   a. If you are a licensed LEM customer, download the installer from the SolarWinds customer portal.
   b. If you are an evaluation LEM customer, see the "Additional Evaluation Downloads" KB article.
2. Extract the contents of the installer ZIP file to a local or network location.
3. Run Setup.exe.
4. Click Next to start the installation wizard.
5. Accept the End User License Agreement and click Next. You cannot continue with the installer until you accept the License Agreement.
6. Enter the hostname of your LEM Manager in the Manager Name field and click Next. Do not change the default port values.
7. Confirm the Manager Communication settings and click Next.
| Level | Name | Description |
|---|---|---|
| 1 | Alert | Forwards messages that require immediate attention. |
| 2 | Critical | Forwards messages that should be reviewed as soon as possible and might be early warning signs of further problems. |
| 3 | Error | Forwards messages that might indicate a problem. |
| 4 | Warning | Forwards messages that should receive attention and might be errors. |
| 5 | Notification | Forwards messages that are considered to be important information, but that are not error conditions. |
| 6 | Informational | (description not legible in source) |
| 7 | Debug | (description not legible in source) |
9. Enter logging on to enable logging with these settings.
10. Enter exit to return to the previous prompt.
11. Enter copy run start so that the firewall keeps the new configuration when it reboots.

To configure the Cisco PIX and IOS tool:
1. Navigate to the Manage > Appliances view in the LEM Console and log onto the LEM Manager on which you want to configure the tool.
2. Click the gear button next to the LEM Manager, and select Tools.
3. In the Tool Configuration window, enter Cisco in the search box at the top of the Refine Results pane.
4. Click the gear button next to the Cisco PIX and IOS tool, and select New.
5. Replace the Alias value with a more descriptive tool alias. For example, PIX Firewall.
6. Verify the Log File value matches the local facility defined in Step 7 above.
7. Click Save when you are finished configuring the tool.
8. Click the gear button next to the new tool, and select Start. The Status icon turns green to indicate the tool has started.
9. Click Close to close the Tool Configuration window.
10. Once the tool is running, the default Firewall filter displays alerts from your Cisco PIX or ASA firewall.

Note: The conditions for the default Firewall filter read Any Alert.ToolAlias = *Firewall*, where the asterisks serve as wildcard characters. If the tool alias does not contain the word "firewall," the default filter will not work until it has been edited to match the alias you defined.
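Two of the steps above are easy to get wrong silently: the logging facility on the device must match the Log File value of the connector (step 6), and the tool alias must match the default Firewall filter's wildcard (the note). The script below is an added example, not SolarWinds code, that makes both checks explicit on sample syslog lines. It decodes the facility and severity from the syslog PRI prefix (the standard rule PRI = facility * 8 + severity, with local0 to local7 numbered 16 to 23), reports messages that arrive on a facility other than the one the connector expects, and tests aliases against the filter pattern. The severity names complete the table above from the standard Cisco logging levels; the sample messages, the hostnames, the way the expected facility is expressed as a name such as "local4", the case-insensitive wildcard match and all function names are assumptions of this example.

```python
"""Decode syslog PRI values, verify the sending facility, and test the
default Firewall filter's alias wildcard.

Added example, not SolarWinds code. SAMPLE_MESSAGES are constructed; PRI
decoding follows the standard syslog convention PRI = facility * 8 + severity.
"""
import fnmatch
import re

# Cisco logging severity levels 0-7 (the table above shows levels 1-7).
SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debug",
}

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed messages: two from a firewall logging to local4 and one from a
# second firewall left on the Cisco default facility, local7.
SAMPLE_MESSAGES = [
    "<166>Jun 12 10:15:02 asa-edge %ASA-6-302013: Built inbound TCP connection",
    "<163>Jun 12 10:15:07 asa-edge %ASA-3-201008: Disallowing new connections",
    "<188>Jun 12 10:15:09 asa-branch %ASA-4-106023: Deny tcp src outside:203.0.113.7/4433 "
    "dst inside:192.0.2.10/22 by access-group outside_in",
]


def decode_pri(message):
    """Return (facility, facility_name, severity, severity_name) for one
    syslog line. Raises ValueError when the <PRI> prefix is missing or the
    value exceeds the syslog maximum of 191 (23 * 8 + 7)."""
    match = PRI_RE.match(message)
    if not match:
        raise ValueError("message has no <PRI> prefix")
    pri = int(match.group(1))
    if pri > 191:
        raise ValueError(f"PRI value {pri} is out of range (0-191)")
    facility, severity = divmod(pri, 8)
    if 16 <= facility <= 23:
        facility_name = f"local{facility - 16}"
    else:
        facility_name = f"facility{facility}"
    return facility, facility_name, severity, SEVERITY_NAMES[severity]


def facility_mismatches(messages, expected_facility):
    """Return (facility_name, message) for every message that did not arrive
    on the facility the connector's Log File setting expects. A non-empty
    result means the connector will never see those lines."""
    mismatches = []
    for message in messages:
        _, facility_name, _, _ = decode_pri(message)
        if facility_name != expected_facility:
            mismatches.append((facility_name, message))
    return mismatches


def alias_matches_filter(alias, pattern="*Firewall*"):
    """Test a tool alias against the default filter condition
    Any Alert.ToolAlias = *Firewall*, where * is a wildcard. The match is
    case-insensitive here, which is this example's assumption."""
    return fnmatch.fnmatchcase(alias.lower(), pattern.lower())


if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        _, facility_name, _, severity_name = decode_pri(message)
        print(f"{facility_name:7} {severity_name:13} {message[:45]}")
    for facility_name, message in facility_mismatches(SAMPLE_MESSAGES, "local4"):
        print(f"unexpected facility {facility_name}: {message[:45]}")
    for alias in ("PIX Firewall", "ASA-edge"):
        print(f"alias {alias!r} matches default filter: {alias_matches_filter(alias)}")
```

On the constructed input the third message is flagged because its PRI 188 decodes to local7, so a connector whose Log File points at local4 would never normalize it; the alias "PIX Firewall" matches the default filter while "ASA-edge" does not, which is exactly the case the note above warns about.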
Before configuring the Email Active Response tool, you need the following:

- An email server that allows the LEM Manager to relay email messages through it
- The IP address or hostname of your email server
- A return email address for bounced messages and replies
- User credentials for your email server, only if your email server requires internal users to authenticate to send email

To configure the Email Active Response tool:
1. Log into the LEM Manager to be configured.
2. Select Manage > Appliance from your LEM Console.
3. Click the gear button next to your LEM Manager and select Tools.
4. Enter Email Active Response in the search box on the Refine Results pane.
5. Click the gear button next to the master tool and select New.
6. Complete the Email Active Response tool form. Note: If you use a hostname for the Mail Host value, your Manager must be able to resolve it.
7. Enter a valid email address in the Test E-mail Address field. Once the tool is saved and started, the button next to this field generates a test email to be sent to this address from your Manager.
8. Click Save.
9. Locate the new instance of the tool. It will have a grey icon in the Status column.
10. Select Start from the gear button next to the new tool. A green icon in the Status column indicates that the tool is running and the Test Email button can be used to test your settings.
Before configuring the Directory Service Query tool, you need the following:

- The fully qualified domain name of your directory service server
- The IP address or hostname of your directory service server
- Domain credentials for an account that can be used by the Directory Service Query tool

To configure the Directory Service Query tool:
1. Log into the LEM Manager on which you want to configure the tool from the Manage > Appliance view of your LEM Console.
2. Click the gear button next to your LEM Manager and select Tools.
3. Enter Directory Service Query in the search box on the Refine Results pane.
4. Click the gear button next to the master tool and select New.
5. Complete the Directory Service Query tool form.
6. Enter the fully qualified domain name for your directory service server in the Domain Name field. For example, solarwinds.com.
7. Enter the IP address or hostname of your directory service server in the Directory Service Server field.
8. Enter the domain credentials for a user account that is not under password requirements. We recommend using a service account. This account does not need elevated privileges. Note: The Test Domain Connection button only works once the tool has been configured and started.
9. Click Save.
10. Locate the new instance of the tool. It will have a grey icon in the Status column.
11. Click the gear button next to the new tool and select Start. A green icon in the Status column indicates that the tool is running and the Test Domain Connection button can be used to test your settings. This operation displays its results as an alert in the SolarWinds Alerts filter.

3. In the details pane at the bottom of the LEM Console window, select a group category from the folder tree on the left to populate the Available Groups pane on the right.
4. Select the boxes next to the groups you want to import into your LEM Manager.
5. Repeat Steps 3 and 4 until you have selected all of the groups you want to import into your Manager.
6. Click Save.
7. The system synchronizes your directory service groups with the LEM Manager and continues to do so every 5 minutes as long as the tool is running.
Ops Center

Use the Ops Center tab as a real-time graphical overview of the events on your network. The Ops Center includes the following useful components:

- A customizable dashboard with several default charts and graphs, called widgets
- The Widget Manager to browse, edit, add, and pin widgets
- Informational widgets with links to videos, documents, and other resources

To add a widget to the Ops Center dashboard:
1. In the LEM Console, click the Ops Center tab.
2. Click Widget Manager in the upper-left corner.
3. Find and select the filter on which the widget is based in the Categories list.
4. In the Widgets pane, scroll through the available widgets to put the widget you want in the main preview position.
5. Click Add to Dashboard in the upper-right corner.
6. To re-position the widgets on the dashboard, drag and drop them into a new position.

To create a new widget using Widget Manager:
1. In the LEM Console, select the Ops Center tab.
2. Click Widget Manager in the upper-left corner.
3. Click the plus button at the top of the Categories list.
4. Complete the Widget Builder form.
5. To pin the new widget to the dashboard, select Save to Dashboard.
6. Click Save.
Monitor

Use the Monitor tab to view all of the monitored events on your network in real time. Monitor includes the following useful components:

- A real-time alert stream to which you can apply alert filters
- The Alert Details pane, which displays the details for any alert you highlight in the alert stream
- A Widgets pane, which displays a graphical representation of the current filter, if available
- Several default filters to refine the data you see in the alert stream
- A GUI filter editor, called Filter Creation, to create and edit alert filters

To apply a filter to the Monitor alert stream, select a default or custom filter from the Filters list. To view the Alert Details for a specific alert in the alert stream, select the alert in the alert stream.

To change the widget the Widgets pane displays for a filter:
1. In the LEM Console, select the Monitor tab.
2. Select the filter you want to modify in the Filters pane.
3. Click the menu at the top of the Widgets pane, and then select the widget you want that filter to display.
Explore

Use the Explore tab menu to access several analysis utilities to get additional information about the events you see in the LEM Console. Use the nDepth option in the Explore menu to search and analyze the events on your network. nDepth includes the following useful components:

- A variety of clickable charts and utilities to view and refine search results
- A comprehensive toolbar to switch between multiple utilities and views
- A Result Details utility to view all of your search results in text format
- A PDF export utility to configure and export custom reports

Use the Utilities option in the Explore menu to access several IT analysis utilities, including:

To execute a WhoIs, NSLookup, or Traceroute task from an alert or search result in the LEM Console:
1. Find the alert or search result you want to explore further, and then select it.
2. Click the Explore menu on the Alert Grid or nDepth title bar (next to Respond), and then select the utility you want to use.

To execute a blank WhoIs, NSLookup, or Traceroute task in the LEM Console:
1. Click the Explore tab on the navigation bar, and then select Utilities.
2. Click the Explore menu on the Utilities title bar (next to Respond), and then select the utility you want to use.
3. Complete the form for the utility, and then click Search.

For information about using the Flow task in the Explore > Utilities view, see the KB article, "Use your LEM appliance as a Flow collector".
Build

Use the Build tab menu options to customize LEM behavior. The Build menu consists of the following options:

- Groups: Create and manage lists of users, computers, and information.
- Users: Create and manage LEM Console users.
- Rules: Create and manage rules that correlate events from different systems and instruct the LEM appliance to respond accordingly.

For additional information about the Users and Groups options in the Build menu, see the following KB articles:

- "Getting Started with User-Defined Groups"
- "Creating Users in the LEM Console"

The Rules option includes:

- A GUI editor, just like Filter Creation
- A community rule set, organized by event-centric categories
- 35 active responses to assign to custom or pre-configured rules
Manage

Use the Manage tab menu to access details about your LEM architecture. The Manage menu consists of the following options:

- Appliances: Add LEM appliances to monitor in the LEM Console, view your LEM license details, and configure global settings.
- Nodes: View and manage LEM nodes, including remote logging devices and LEM Agents.

To set your LEM Console authentication preferences:
1. In the LEM Console, click the Manage tab, and then select Appliances.
2. Click the Login tab on the Properties pane.
3. If you want your LEM Console to authenticate to your LEM appliance upon launch, enter your LEM Username and Password.
4. If you want your LEM Console to ask you for your LEM Password upon launch, enter just your LEM Username.
5. Select Login Automatically Next Time.
6. Select Save Credentials.
7. Click Save.

To set the global password policy for LEM users:
1. In the LEM Console, click the Manage tab, and then select Appliances.
2. Click the Settings tab on the Properties pane.
3. Adjust the Minimum Password Length according to your preference.
4. If you want to require complex passwords for LEM users, select Must Meet Complexity Requirements. Note: Complex passwords must include any three of the following four character types:
5. Click Save.
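The two password rules this guide states, the fixed rule applied at the forced password change after installation (6 to 40 characters, at least one capital letter and one number) and the configurable global policy (a minimum length plus, optionally, three of four character types), are easy to encode so that provisioning scripts or a help-desk tool can reject a password before the Console does. The script below is an added example, not SolarWinds code. The page does not list which four character types the complexity setting counts, so the classes used here (uppercase, lowercase, digit, and any other character) and the function names are assumptions of this example.

```python
"""Validate LEM passwords against the two policies described in this guide.

Added example, not SolarWinds code. The four character classes counted for
complexity are an assumption; the page does not list them.
"""


def check_initial_password(password):
    """Rule for the password change forced after installation: 6 to 40
    characters, at least one capital letter and at least one number.
    Returns a list of violations; an empty list means the password passes."""
    problems = []
    if not 6 <= len(password) <= 40:
        problems.append("length must be between 6 and 40 characters")
    if not any(c.isupper() for c in password):
        problems.append("must contain at least one capital letter")
    if not any(c.isdigit() for c in password):
        problems.append("must contain at least one number")
    return problems


def character_types(password):
    """Names of the character classes present in the password. The four
    classes (upper, lower, digit, other) are this example's assumption."""
    classes = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "other": any(not c.isalnum() for c in password),
    }
    return [name for name, present in classes.items() if present]


def check_global_policy(password, minimum_length, require_complexity):
    """Global policy from Manage > Appliances > Settings: the configured
    Minimum Password Length and, when Must Meet Complexity Requirements is
    selected, any three of the four character types."""
    problems = []
    if len(password) < minimum_length:
        problems.append(f"shorter than the minimum length of {minimum_length}")
    if require_complexity and len(character_types(password)) < 3:
        problems.append("must contain at least three of the four character types")
    return problems


if __name__ == "__main__":
    # The default credential "password" fails the forced-change rule on two
    # counts, which is why the Console insists on a change at first login.
    for candidate in ("password", "Winter2012", "winter-2012!"):
        print(candidate, check_initial_password(candidate),
              check_global_policy(candidate, minimum_length=8, require_complexity=True))
```

Note that the two rules are independent: "winter-2012!" satisfies a complexity policy (lower, digit, other) but still fails the forced-change rule because it has no capital letter, so a provisioning tool should apply both.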
Analyze

The Analyze tab is a placeholder for things to come. Additional functionality will be integrated into this area of the LEM Console in a future release.
Additional Information

For additional information about how to use the LEM Console, consult the following resources:

- "Introduction to the Console" on page 70.
- "Ops Center" on page 75.
- "Monitor" on page 90.
- "Explore" on page 107.
- "Build" on page 153.
- "Manage" on page 164.
Adding Devices

Click the video icon to view the corresponding tutorial. Configure your IT devices to work with LEM using one of two options:

- Install the LEM Agent and connectors directly on the device
- Set the device to log to LEM and then configure the appropriate connectors directly on the LEM appliance

Which Do I Pick?

Install the LEM Agent on computers that allow third-party software. SolarWinds provides LEM Agents for these operating systems:

- Microsoft Windows (local and remote installers)
- Linux
- Mac OS X
- Solaris on Intel
- Solaris on Sparc
- HPUX on PA

Configure other devices, such as firewalls, routers, or switches, to send logs directly to the LEM appliance using syslog or SNMP traps. For a complete list of supported devices, see the "Comprehensive Data Source Support for All Your Logs & Events" page.
Agent Installation
The LEM Agent is a necessary component to monitor local events on the computers on your network. Install the LEM Agent on servers, domain controllers, and workstations. The LEM Agent then captures log information from sources such as Windows Event Logs, a variety of database logs, and local antivirus logs. The LEM Agent also allows LEM to take specific actions that you use rules to define. You can also trigger actions manually from the LEM Console using the Respond menu. To install a LEM Agent: 1. Click the DOWNLOAD: Agents link in the LEM Console Getting Started widget, or visit the SolarWinds Customer Portal for a complete list of available downloads. 2. Download the appropriate installer, and then run it on the computer(s) you want to monitor Note: If you are deploying LEMAgents to Windows computers, you can use the Remote Agent Installer for a faster deployment. View and manage installed LEM Agents in the Nodes view of the LEM Console. The LEM Agent for Windows includes several pre-configured connectors (also called "tools") so you immediately start to see data from these computers after you have installed the LEM Agent. By default, the LEM Agent for Windows includes the following pre-configured connectors:
- Windows Security Log (for the host OS version)
- Windows Active Response
- Windows Application Log
- Windows System Log
For other operating systems, or for broader coverage on your Windows computers, configure specific connectors to get exactly what you are looking for.
6. Complete the Tool Configuration form according to the device you're configuring. The following fields/descriptions are common for most connectors:
- Alias: a "user friendly" label for your connectors
- Log File: the location of the log file the connector will normalize; this is a location on either the local computer (Agents) or the LEM appliance (non-Agent devices)
- Output, nDepth Host, and nDepth Port: values used specifically for LEM environments that are configured to store original log messages; for additional information, consult the resources at the end of this section
7. After completing the form, click Save.
8. In the Tools list, click the gear button next to the new connector (denoted by an icon in the Status column), and then select Start.
9. After starting the connector, verify that it is working by checking for alerts on the Monitor tab:
a. Click the Monitor tab on the Console navigation bar.
b. Check the SolarWinds Alerts filter to verify the connector started.
c. Check or create a relevant filter for alerts corresponding to the new connector. For example, check the default Firewall filter after configuring a connector for your firewall.
Note: The default Firewall filter is based on an Alias containing the word "firewall." If you designate a non-conforming alias in your connector, modify the default filter accordingly.
Troubleshooting
If you have configured a device to log to the LEM appliance, but you cannot determine the exact logging location, check the logging facilities on the LEM appliance to determine where your data is going.
To check the logging facilities on the LEM appliance:
1. Connect to your LEM appliance using the VMware console view, or an SSH client such as PuTTY.
2. If you are connecting to your appliance through SSH, log in as the CMC user, and provide the appropriate password.
3. If you are connecting to your appliance using VMware, select Advanced Configuration on the main console screen, and then press Enter to get to the command prompt.
4. At the cmc> prompt, enter appliance.
5. At the cmc::acm# prompt, enter checklogs.
6. Enter an item number to select a local facility to view.
7. Look for indications of specific devices logging to this facility, such as the product name, device name, or IP address.
8. After you have determined the facility your device is logging to, configure the connector with the corresponding Log File value.
For additional troubleshooting tips related to LEM Agents or remote logging devices, see the following KB articles:
- "Troubleshooting LEM Agent Connections"
- "Troubleshooting 'Unmatched Data' or 'Internal New Tool Data' alerts in your LEM Console"
Additional Information
For additional information about configuring devices to monitor with LEM, consult the following resources.
- "Using the SolarWinds LEM Agent Installer for Windows"
- "Using the SolarWinds LEM Remote Agent Installer"
- "Using the SolarWinds LEM Agent Installer non-interactively"
- "Using the SolarWinds LEM Agent Installer for Linux"
- "Using the SolarWinds LEM Agent Installer for Mac OS X"
For additional information about how to tune Windows logging for your LEM deployment, see the following KB articles:
- "Audit Policy and Best Practice"
- "LEM Manager crashes after receiving a high number of alerts from Windows 7 or Windows Server 2008"
For additional information about how to monitor and configure groups of LEM Agents using Tool Profiles, see the KB article, "How to create Tool Profiles to manage and monitor LEM Agents." For a list of supported Agent and non-Agent devices, see the "Comprehensive Data Source Support for All Your Logs & Events." For additional information about configuring connectors for specific devices, search the "Connectors" category of the LEM Knowledge Base. For additional information about configuring LEM and your connectors to store original log messages, see the following KB articles:
- "Configuring Your LEM Appliance for Log Message Storage and nDepth Search"
- "Do not modify the Output, nDepth Host, or nDepth Port fields when configuring LEM connectors unless your appliance is set up to store original log data"
For additional information about creating filters for specific devices, see the KB article, "How can I see all traffic from a specific device in my LEM Console?"
Verifying Data
Now that LEM is collecting your log data, use nDepth and LEM Reports to search, analyze, and report on that data. In most cases, use the nDepth Explorer in the LEM Console to search and analyze your data. Use the stand-alone LEM Reports application to report on your data.
Which Do I Pick?
Use nDepth if you want to perform immediate search or analysis tasks, or create specific custom PDF reports. Use nDepth to:
- Search your log data interactively
- Search for specific variables, such as user names, IP addresses, or specific events
- Perform root-cause analysis
- Troubleshoot specific issues
- Explore data and produce custom PDF reports
Use LEM Reports if you want to view or schedule fixed reports for regulatory and compliance purposes. Use LEM Reports to:
- Automate reporting
- Produce compliance reports
- View reports based on specific regulatory compliance initiatives
- Provide proof to auditors that you are auditing log and event data
- Schedule formatted reports for LEM Reports to run and export automatically
3. Click the Explore tab from anywhere in the LEM Console, and then select nDepth. nDepth provides several analytical tools, summarized on both its dashboard and its toolbar. Use this view to:
- Search original log messages (AKA "raw logs") or normalized alerts
- View search results in several charts and graphs, and add values from these visuals directly to your search just by clicking them
- Refine the timeframe of your searches using pre-defined or custom ranges
- View the text output of your search results using the Result Details tool on the nDepth toolbar
- Export your search results in CSV or fully-customizable PDF format
- Save searches for future use
- Run hundreds of pre-configured compliance and security reports
- Schedule reports for LEM Reports to run automatically
- Filter the reports list by industry or requirement
- Run Master, Detail, or Top level reports according to how much information you need
- Use Select Expert to filter your report data by specific values, such as computer name, IP address, or user name
- Export reports into several formats, including PDF, CSV, and RPT
To get started with LEM Reports, filter the reports listing by the industries or requirements relevant to your network. Then, the next time you open LEM Reports, access your custom list of reports by clicking Industry Reports on the main view.
To filter the reports list by industry or requirement:
1. Open LEM Reports.
2. On the Settings tab, click Manage, and then select Manage Categories.
3. Select your industries and requirements in the left pane. Mix and match as necessary. For example, if you are a school that accepts credit card payments, select Education, FERPA, and PCI.
4. Click OK.
5. To view the filtered list of reports, click the Category menu back on the Settings tab, and then select Industry Reports.
Select which reports to run based on their values in the Level column on the Settings tab:
- Master: Reports at this level contain all of the data for their category. For example, the master-level Authentication report contains all authentication-related data.
- Detail: Reports at this level contain information related to a specific type of event. For example, the Authentication Failed Authentications detail-level report only contains data related to "Failed Authentication" events.
- Top: Reports at this level display the top number of occurrences for a specific type of event. Use the default top number, or Top N, of 10, or customize this when you run the report.
Troubleshooting
If you have installed LEM Reports, but are unable to open the application or run reports, complete the following procedures to troubleshoot the issue.
To troubleshoot application launch errors on computers running Windows Vista, Windows 7, and Windows Server 2008:
1. Uninstall LEM Reports and Crystal Reports v11 Runtime.
2. Reinstall both components as Administrator.
3. Adjust the LEM Reports properties to run the program in Windows XP compatibility mode and as an administrator:
a. Right-click the LEM Reports shortcut on your desktop or in the SolarWinds Log and Event Manager program group in your Windows Start menu, and then select Properties.
b. Click the Compatibility tab.
c. Select Run this program in compatibility mode for, and then select Windows XP (Service Pack 3).
d. Select Run this program as an administrator.
e. Click OK.
4. Launch LEM Reports.
To address "Logon failed. Database Vendor Code 210" errors: Add the computer running LEM Reports to the list of authorized reporting computers. By default, the LEM appliance restricts all access to LEM Reports. To allow specific computers to run LEM Reports or remove all reporting restrictions, complete the procedures in the KB article, "Configuring Report Restrictions."
External resources:
For examples of how to execute nDepth searches, see the following KB articles:
- "How to create an nDepth query for all activity by a single user"
- "Sending Filters to nDepth for Historical Search"
For additional information about how to save nDepth searches for future use, see the KB article, "Save nDepth searches to quickly execute frequent queries." For additional information about how to export nDepth search results in CSV or PDF format, see the KB article, "Export nDepth results in custom or text formats for retention and ad hoc reporting." For additional information about configuring your LEM appliance to store and search original log data, see the following KB articles:
- "Configuring Your LEM Appliance for Log Message Storage and nDepth Search"
- "Using your LEM Console to view and search original log messages"
- "Do not modify the Output, nDepth Host, or nDepth Port fields when configuring LEM connectors unless your appliance is set up to store original log data"
For information about how to install LEM Reports on computers without the LEM Console, see the KB article, "Configuring LEM Reports on Computers Without the LEM Console." For information about how to schedule several best practice compliance and security reports, see the following KB articles:
- "Configuring Default Batch Reports on XP/2003 Computers"
- "Configuring Default Batch Reports on Vista/7/2008 Computers"
- "Report Formats and their corresponding numbers listed in a LEM scheduled report ini file"
For additional information about working with individual reports in LEM Reports, see the following KB article:
Adding Filters
Filters group and display events that your LEM Agents and remote logging devices send to LEM. They are based on alerts, which are the normalized version of these network events. For LEM, the terms "events" and "alerts" are interchangeable. View these alerts in real time on the Monitor tab in the LEM Console.
Which Do I Pick?
Create filters when you want to group a particular type of event. The following are just a few examples of what you might create a filter to catch:
- All events from your firewalls
- All events from your domain controllers
- All events for a specific type of user
- All events except for recurring, expected events
Create rules when you want LEM to take some kind of action in response to one or more events. In many cases, you base rules on several alerts that LEM correlates to trigger an action, but you can also configure a rule to look for a single event. Rule actions include, but are not limited to:
- Sending an email
- Logging a user off
- Shutting down a computer
- Deleting an Active Directory group
- Blocking an IP address
All Alerts: This filter does not have any specific conditions, so it captures all events, regardless of the source or alert type.
User Logons: This filter has a single condition that means, "UserLogon Exists." It captures all events with the alert type "UserLogon" and nothing else: not user logoffs, not user logon failures.
To view the conditions of a default filter:
1. In the LEM Console, click the Monitor tab.
2. Select the filter you want to examine in the Filters pane.
3. Click the gear button at the top of the Filters pane, and then select Edit.
4. If you make any changes to the filter, click Save. Otherwise, click Cancel.
- Change management events: Monitor configuration changes made to your network.
- High volume events: Watch for spikes of traffic, or unexpected off-peak traffic.
- Events of general interest: Keep track of logon failures and failed authentications.
Note: A failed authentication is an alert triggered by three logon failures by the same account within an extremely short period of time.
- Rule scenarios: Determine whether you have the right alerts to create a rule for a specific scenario.
- Daily problems: Get a head start on operational problems like account lockouts by seeing the alerts in real time.
3. Enter an appropriate name for the filter, such as Change Management Events.
4. Fill the filter's Conditions box with an appropriate alert or alert group. For this example, use an Alert Group Exists condition to capture all events from a certain group:
a. Click Alert Groups on the left pane.
b. Find the Change Management Events alert group, and drag it into the Conditions box.
5. Click Save. The LEM Console takes you to the new filter on the Monitor tab. Examine the alerts here, and click an alert to see more information in the Alert Details pane.
Troubleshooting
If you have created a filter, but it is not capturing the expected alerts, check the All Alerts filter to ensure the alerts are making it to the LEM Console.
To use the All Alerts filter to troubleshoot custom filters:
1. In the LEM Console, click the Monitor tab.
2. Click All Alerts in the Filters pane.
3. Locate an alert you expected to see in your custom filter. If necessary, pause the filter and sort it by any of the column headers.
4. If you locate a related alert, verify the field-value combinations in the alert match the ones you used in your filter. For example, if your filter is looking for *firewall* in the ToolAlias field, ensure the Tool Alias field in your alert contains the word firewall.
5. If you cannot locate a related alert, verify one of your monitored devices is logging the event, and that the device is sending its events to LEM. For example, create another filter to show all events from the specific device using the ToolAlias or DetectionIP alert field, as illustrated in the KB article, "How can I see all traffic from a specific device in my LEM Console?".
Additional Information
For additional information about how to create filters in the LEM Console to monitor events of interest, consult the following resources.
- "Monitor" on page 90
- "Appendix Alert Data Fields" on page 411
For a general procedure and video addressing how to create filters in the LEM Console, see the KB article, "Creating Filters for Real-time Monitoring in Your LEM Console." For additional information about how to create filters for specific alerts, devices, or time frames, see the following KB articles:
- "Quickly Creating a Filter for a Specific Alert Type"
- "How can I see all traffic from a specific device in my LEM Console?"
- "Use Time of Day Sets to pinpoint specific time frames in filters and rules"
For additional information about advanced options related to filters and the Monitor view, see the following KB articles:
- "Disabling Windows Noise Alerts Using Alert Distribution Policy"
- "Disabling Windows Filtering Platform Alerts Using Alert Distribution Policy"
- "Modifying Filters for 'Monitor' Users"
- "Modifying AND and OR Relationships in Filters and Rules Using Nested Groups"
- "Filters with an AND relationship between conditions with different alert types do not return any results"
Adding Rules
Rules correlate events that your LEM Agents and remote logging devices send to LEM, and assign automatic actions or responses to those events. These actions differentiate filters from rules: filters only display events, while rules instruct LEM to take action. Rule actions include, but are not limited to:
- Sending an email
- Logging a user off
- Shutting down a computer
- Deleting an Active Directory group
- Blocking an IP address
rule that you want to utilize, clone it from the NATO5 Rules library, and then enable it to take its specific action.
To clone and enable a NATO5 Rule for use on your network:
1. In the LEM Console, click the Build tab, and then select Rules.
2. Click NATO5 Rules in the Folders pane in the lower-left corner.
3. Use the Folders list or the Refine Results pane to browse, search, or filter for specific rules or scenarios.
4. After you find a rule you want to clone, click the gear button next to it, and then select Clone.
5. On the Clone Rule dialog, select a Custom Rules folder and rename the rule if you wish, and then click OK.
6. In the Rule Creation view, customize the rule further if necessary, select Enable at the top of the form, and then click Save.
7. Back in the main Rules view, click Activate Rules to sync your local changes with the LEM appliance.
For more detailed information about how to clone and enable NATO5 Rules, see the KB article, "Cloning, Enabling, and Activating NATO5 Rules."
- Adding, changing, or deleting users in Active Directory
- Installing software on monitored computers
- Changing firewall policy
Create a general change management rule, similar to the filter illustrated in the previous section, to instruct LEM to notify you anytime any user makes a configuration change, or create a more specific rule to only fire for specific users, groups, or types of changes.
Note: An important rule of thumb is, "If you can see it in your LEM Console, you can build a rule for it." Remember to use your filters as a starting place as you consider creating custom rules.
To create a rule that sends you an email anytime someone adds a user to an administrative group:
1. In the LEM Console, click the Build tab, and then select Rules.
2. Click the plus button in the upper-right corner.
3. Enter an appropriate name for the rule, such as New Admin User.
4. Populate the rule's Correlations box with an appropriate alert or alert group. For this example, use a NewGroupMember.EventInfo Equals *admin* condition to fire anytime LEM gets a NewGroupMember alert with the text "admin" anywhere in the EventInfo field:
a. Click Alerts on the left pane.
b. At the top of the Alerts list, enter NewGroupMember to search for that alert, and then select it in the list.
c. In the Fields: NewGroupMember list, find EventInfo, and then drag it into the Correlations box.
d. In the text field (denoted by a pencil icon in the Correlations box), enter *admin* to account for all variations on the word "administrator."
5. Leave the Correlation Time box as-is so your rule fires anytime LEM captures this type of event.
6. Add the Send Email Message action to the Actions box:
a. Click Actions on the left pane.
b. Find Send Email Message, and then drag it into the Actions box.
c. Select a template from the Email Template menu.
d. Select a LEM user from the Recipients menu.
e. Drag and drop alert fields or constants from the left pane into the Send Email Message form to complete the action.
Note: Always use alert fields for the alert(s) present in the Correlations box. For example, use NewGroupMember.DetectionTime to populate the DetectionTime field in this example.
7. Select Enable at the top of the Rule Creation form, and then click Save.
8. To sync your local changes with the LEM appliance, click Activate Rules back in the main Rules view.
After you enable and activate this rule, the LEM appliance sends an email anytime someone adds a user to any group in Active Directory that contains the text "admin" in its name.
For more detailed information about how to create LEM rules to take action on your network, see the KB article, "Creating Rules from Your LEM Console to Take Automated Action."
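The filter and rule logic this guide walks through (the *firewall* ToolAlias filter, the AND-between-alert-types pitfall named in the KB titles, the NewGroupMember.EventInfo Equals *admin* rule, and the "three logon failures by one account in a short period" correlation from the Adding Filters note), modelled as an added Python example that is not SolarWinds code. The alert type UserLogonFailure, the Account field, the wildcard alert type "*", the 30-second window and case-insensitive matching are assumptions; only ToolAlias, DetectionIP, EventInfo, DetectionTime, UserLogon and NewGroupMember come from the guide.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Alert:
    alert_type: str
    detection_time: datetime
    fields: dict

def wildcard_match(pattern, value):
    """LEM-style pattern: '*' matches any run of characters. Case-insensitive
    matching is an assumption, not something the guide states."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

@dataclass
class Condition:
    alert_type: str        # "*" (assumed) stands for any alert type
    field: str = None      # None means "<AlertType> Exists"
    pattern: str = None    # e.g. "*admin*"

    def matches(self, alert):
        if not wildcard_match(self.alert_type, alert.alert_type):
            return False
        if self.field is None:
            return True
        return wildcard_match(self.pattern, str(alert.fields.get(self.field, "")))

def apply_filter(conditions, alerts, relationship="OR"):
    """Filters only display alerts. Each alert is tested on its own, so an AND
    between conditions on two different alert types can never be satisfied."""
    combine = any if relationship == "OR" else all
    return [a for a in alerts if combine(c.matches(a) for c in conditions)]

class Rule:
    """Rules act. threshold/window model the correlation the guide describes:
    N matching alerts from one account inside a short period."""
    def __init__(self, name, condition, action, correlate_on=None,
                 threshold=1, window=timedelta(0)):
        self.name, self.condition, self.action = name, condition, action
        self.correlate_on, self.threshold, self.window = correlate_on, threshold, window
        self._recent = defaultdict(deque)   # correlation key -> detection times

    def feed(self, alert):
        """Return an action record when the rule fires, else None."""
        if not self.condition.matches(alert):
            return None
        if self.threshold == 1:
            return self._fire(alert)
        history = self._recent[alert.fields.get(self.correlate_on)]
        history.append(alert.detection_time)
        while alert.detection_time - history[0] > self.window:
            history.popleft()           # drop failures outside the window
        if len(history) >= self.threshold:
            history.clear()             # one action per burst, not per alert
            return self._fire(alert)
        return None

    def _fire(self, alert):
        # Fill the action from fields of the alert named in the Correlations
        # box, as the guide advises (e.g. NewGroupMember.DetectionTime).
        return {"rule": self.name, "action": self.action,
                "DetectionTime": alert.detection_time.isoformat(), **alert.fields}

# Constructed sample alerts, not real LEM output. "UserLogonFailure" and
# "Account" are assumed names for the logon-failure alert and its account field.
T0 = datetime(2012, 1, 1, 9, 0, 0)
WIN = {"ToolAlias": "Windows Security Log", "DetectionIP": "10.0.0.2"}
SAMPLE_ALERTS = [
    Alert("UserLogon", T0, {"ToolAlias": "Cisco ASA Firewall",
                            "DetectionIP": "10.0.0.1", "Account": "alice"}),
    Alert("NewGroupMember", T0 + timedelta(minutes=1),
          {**WIN, "EventInfo": "Domain Admins", "Account": "bob"}),
    Alert("NewGroupMember", T0 + timedelta(minutes=2),
          {**WIN, "EventInfo": "Sales", "Account": "carol"}),
] + [Alert("UserLogonFailure", T0 + timedelta(minutes=3, seconds=s),
           {**WIN, "Account": "mallory"}) for s in (0, 4, 9)]

def run_demo(alerts=SAMPLE_ALERTS):
    firewall = [Condition("*", "ToolAlias", "*firewall*")]     # default Firewall filter
    both = [Condition("UserLogon"), Condition("NewGroupMember")]  # AND: always empty
    new_admin = Rule("New Admin User",
                     Condition("NewGroupMember", "EventInfo", "*admin*"),
                     "Send Email Message")
    failed_auth = Rule("Failed Authentication", Condition("UserLogonFailure"),
                       "Send Email Message", correlate_on="Account", threshold=3,
                       window=timedelta(seconds=30))      # 30 s is an assumption
    actions = [r for a in alerts
               for r in (new_admin.feed(a), failed_auth.feed(a)) if r]
    return {"firewall_filter": apply_filter(firewall, alerts),
            "and_filter": apply_filter(both, alerts, relationship="AND"),
            "actions": actions}

if __name__ == "__main__":
    for action in run_demo()["actions"]:
        print(action["rule"], "->", action["action"], action["Account"])
```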
- Respond to other change management events with the Send Email Message action.
- Respond to port scanning events with the Block IP action.
- Respond to isolated spikes in network traffic with the Send Email Message or Disable Networking action.
- Respond to users playing games on monitored computers with the Send Popup Message or Kill Process action.
- Respond to users attaching unauthorized USB devices to monitored computers using the Detach USB Device action.
Basically, any activity or event that can pose a threat to your network might warrant a LEM rule.
Troubleshooting
If you have created a rule, but you are not getting the expected results, verify the following to track down the root cause:
1. Check for the requisite alerts on the Monitor tab. For example, if your rule is based on the NewGroupMember alert, see if you can find one in the All Alerts or default Change Management filter.
2. If you do not see the requisite alerts, troubleshoot your devices and connectors to get the events into LEM. Otherwise, continue troubleshooting here.
3. Check for an InternalRuleFired alert in the SolarWinds Alerts filter.
4. If you do not see an InternalRuleFired alert for your rule, check the following to continue troubleshooting. Otherwise, skip to Step 5.
a. Is your rule enabled?
b. Did you modify the Correlation Time or Response Window in your rule?
c. Did you click Activate Rules after saving your rule?
d. Is the time on your device more than 5 minutes off from the time on your LEM appliance?
5. If you see an InternalRuleFired alert for your rule, but LEM does not respond as expected, check the following, according to the action you configured:
a. Send Email Message: Verify you have configured and started the Email Active Response connector on the LEM appliance.
b. Send Email Message: Verify you have associated an email address with the LEM user you selected as your email recipient.
c. Agent-based Actions: Verify you have installed the LEM Agent on the computer you want LEM to respond to.
d. Block IP: Verify you have configured the active response connector for the firewall you want to use to take this action. The active response connector is separate from the data gathering connector.
For more detailed information about how to troubleshoot LEM rules and active responses, see the KB article, "Troubleshooting LEM Rules and Email Responses."
Additional Information
For a general procedure and video addressing how to create and clone rules in the LEM Console, see the following KB articles:
- "Creating Rules from Your LEM Console to Take Automated Action"
- "Cloning, Enabling, and Activating NATO5 Rules"
For additional information about the active responses available for LEM rules, see the following KB articles:
- "How does the Block IP active response work?"
- "How does the Detach USB Device active response work?"
- "How does the Append Text To File active response work?"
- "How do the computer-based active responses work?"
- "How do the user-based active responses work?"
- "How do the Kill Process active responses work?"
- "How does the Disable Networking active response work?"
Analyzing Data
Analyze Data
Now that LEM is collecting your log data, use nDepth and LEM Reports to search, analyze, and report on that data. In most cases, use the nDepth Explorer in the LEM Console to search and analyze your data. Use the stand-alone LEM Reports application to report on your data.
Which Do I Pick?
Use nDepth if you want to perform immediate search or analysis tasks, or create specific custom PDF reports. Use nDepth to:
- Search your log data interactively
- Search for specific variables, such as user names, IP addresses, or specific events
- Perform root-cause analysis
- Troubleshoot specific issues
- Explore data and produce custom PDF reports
Use LEM Reports if you want to view or schedule fixed reports for regulatory and compliance purposes. Use LEM Reports to:
- Automate reporting
- Produce compliance reports
- View reports based on specific regulatory compliance initiatives
- Provide proof to auditors that you are auditing log and event data
- Schedule formatted reports for LEM Reports to run and export automatically
3. Click the Explore tab from anywhere in the LEM Console, and then select nDepth. nDepth provides several analytical tools, summarized on both its dashboard and its toolbar. Use this view to:
- Search original log messages (AKA "raw logs") or normalized alerts
- View search results in several charts and graphs, and add values from these visuals directly to your search just by clicking them
- Refine the timeframe of your searches using pre-defined or custom ranges
- View the text output of your search results using the Result Details tool on the nDepth toolbar
- Export your search results in CSV or fully-customizable PDF format
- Save searches for future use
- Run hundreds of pre-configured compliance and security reports
- Schedule reports for LEM Reports to run automatically
- Filter the reports list by industry or requirement
- Run Master, Detail, or Top level reports according to how much information you need
- Use Select Expert to filter your report data by specific values, such as computer name, IP address, or user name
- Export reports into several formats, including PDF, CSV, and RPT
To get started with LEM Reports, filter the reports listing by the industries or requirements relevant to your network. Then, the next time you open LEM Reports, access your custom list of reports by clicking Industry Reports on the main view.
To filter the reports list by industry or requirement:
1. Open LEM Reports.
2. On the Settings tab, click Manage, and then select Manage Categories.
3. Select your industries and requirements in the left pane. Mix and match as necessary. For example, if you are a school that accepts credit card payments, select Education, FERPA, and PCI.
4. Click OK.
5. To view the filtered list of reports, click the Category menu back on the Settings tab, and then select Industry Reports.
Select which reports to run based on their values in the Level column on the Settings tab:
- Master: Reports at this level contain all of the data for their category. For example, the master-level Authentication report contains all authentication-related data.
- Detail: Reports at this level contain information related to a specific type of event. For example, the Authentication Failed Authentications detail-level report only contains data related to "Failed Authentication" events.
- Top: Reports at this level display the top number of occurrences for a specific type of event. Use the default top number, or Top N, of 10, or customize this when you run the report.
Troubleshooting
If you have installed LEM Reports, but are unable to open the application or run reports, complete the following procedures to troubleshoot.
To troubleshoot application launch errors on computers running Windows Vista, Windows 7, and Windows Server 2008:
1. Uninstall LEM Reports and Crystal Reports v11 Runtime.
2. Reinstall both components as Administrator.
3. Adjust the LEM Reports properties to run the program in Windows XP compatibility mode and as an administrator:
a. Right-click the LEM Reports shortcut on your desktop or in the SolarWinds Log and Event Manager program group in your Windows Start menu, and then select Properties.
b. Click the Compatibility tab.
c. Select Run this program in compatibility mode for, and then select Windows XP (Service Pack 3).
d. Select Run this program as an administrator.
e. Click OK.
4. Launch LEM Reports.
To address "Logon failed. Database Vendor Code 210" errors: Add the computer running LEM Reports to the list of authorized reporting computers. By default, the LEM appliance restricts all access to LEM Reports. To allow specific computers to run LEM Reports or remove all reporting restrictions, complete the procedures in the KB article, "Configuring Report Restrictions."
For examples of how to execute nDepth searches, see the following KB articles:
- "How to create an nDepth query for all activity by a single user"
- "Sending Filters to nDepth for Historical Search"
For additional information about how to save nDepth searches for future use, see the KB article, "Save nDepth searches to quickly execute frequent queries." For additional information about how to export nDepth search results in CSV or PDF format, see the KB article, "Export nDepth results in custom or text formats for retention and ad hoc reporting." For additional information about configuring your LEM appliance to store and search original log data, see the following KB articles:
- "Configuring Your LEM Appliance for Log Message Storage and nDepth Search"
- "Using your LEM Console to view and search original log messages"
- "Do not modify the Output, nDepth Host, or nDepth Port fields when configuring LEM connectors unless your appliance is set up to store original log data"
For information about how to install LEM Reports on computers without the LEM Console, see the KB article, "Configuring LEM Reports on Computers Without the LEM Console." For information about how to schedule several best practice compliance and security reports, see the following KB articles:
- "Configuring Default Batch Reports on XP/2003 Computers"
- "Configuring Default Batch Reports on Vista/7/2008 Computers"
- "Report Formats and their corresponding numbers listed in a LEM scheduled report ini file"
For additional information about working with individual reports in LEM Reports, see the following KB articles:
"Leveraging LEM" on page 47
- "Configuring the SolarWinds LEM Agent" on page 48
- "Using Tool Profiles to Maintain and Monitor Multiple Domain Controller Agents" on page 49
- "Creating a LEM Rule to Track Failed Login Attempts to Administrative Accounts" on page 52
- "Monitoring Firewalls for Port Scans and Malformed Packets" on page 55
- "Monitoring Antivirus Software for Viruses that are Not Cleaned" on page 59
- "Monitoring Proxy Servers for Suspicious URL Access" on page 62
- "Monitoring Microsoft SQL Databases for Changes to Tables and Schema" on page 65
- "Leveraging the Incidents Report in Security Audits" on page 68
9. Confirm the settings on the Pre-Installation Summary and click Install.
10. Once the installer finishes, click Next to start the LEM Agent service.
11. Inspect the Agent Log for any errors and click Next.
12. Click Done to exit the installer.
The SolarWinds LEM Agent continues running on your computer until you uninstall or manually stop it. It begins sending alerts to your SolarWinds LEM Manager immediately.
To configure additional tools on your SolarWinds LEM Agent:
1. Open your SolarWinds LEM Console and log into your SolarWinds LEM Manager as an administrator.
2. Click the Manage tab, and then click Nodes.
3. Locate the LEM Agent in the list. Use the Refine Results pane on the left if necessary.
4. Click the gear button next to the SolarWinds LEM Agent (left), and then click Tools.
5. Locate the tool you want to configure in the list. Use the Refine Results pane on the left if necessary.
6. Click the gear button next to the tool (left), and then click New.
7. Modify the tool if necessary and then click Save.
8. Click the gear button next to the new instance of the tool, indicated by an icon in the Status column, and then click Start.
9. Click Close to close the Tool Configuration window.
10. Configure the following additional tools on your Windows domain controllers, as applicable.
l
Windows Directory Service Log Windows DNS Server Log Windows DHCP Server version
Using Tool Profiles to Maintain and Monitor Multiple Domain Controller Agents
Use Tool Profiles to maintain and monitor multiple domain controllers in the LEM Console. Tool Profiles allow you to configure and modify tool settings at the profile level, and they also provide a group by which you can filter the alert traffic coming into your SolarWinds LEM Console from your SolarWinds LEM Agents. Use the procedures below to create a Tool Profile based on a single SolarWinds LEM Agent and a corresponding filter to monitor activity on the computers in that profile.

Note: Microsoft changed the way Windows computers log security events with their latest operating system releases. For that reason, SolarWinds LEM Agents on computers running Windows Server 2008, Windows Vista, or Windows 7 require different tools than Agents on computers running older operating systems. If you are running both old and new versions of these Windows operating systems in your environment, create a Tool Profile for each operating system.

To create a Tool Profile based on a single SolarWinds LEM Agent:
1. Install the SolarWinds LEM Agent software on all of the computers you want to end up in your new Tool Profile.
2. Configure a single SolarWinds LEM Agent to serve as the template for your Tool Profile. For more information, see "Configuring the SolarWinds LEM Agent" on page 48.
3. In the LEM Console, select the Build tab, and then click Groups.
4. Click the button in the upper right, and then click Tool Profile.
5. Enter a Name and Description for the Tool Profile.
6. Select the recently configured SolarWinds LEM Agent from the Template list.
7. Click Save.
8. Locate your new Tool Profile in the Groups list. Use the Refine Results pane on the left if necessary.
9. Click the gear button next to your Tool Profile (left), and then click Edit.
10. Locate the SolarWinds LEM Agents you want to add to your Tool Profile in the Available Agents pane, and click the arrow next to them to add them to the Contained Agents pane.
11. If you are finished adding SolarWinds LEM Agents to your Tool Profile, click Save.
To create a filter for all activity from the computers in a Tool Profile:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator or auditor.
2. Click Monitor.
3. Click the button on the Filters pane (left), and then click New Filter.
4. Enter a Name and Description for the filter.
5. Click Alert Groups on the components list (left).
6. Click Any Alert.
7. In the Fields: Any Alert list below, click and drag DetectionIP into the Conditions box (right).
8. Click Tool Profiles on the components list (left).
9. Click and drag your Tool Profile into the Conditions box (right), replacing the Text Constant field, which is denoted by a pencil icon.
10. Click Save.
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator.
2. Click the Build tab, and then click Rules.
3. Click NATO5 Rules on the Refine Results pane (left).
4. Enter Critical Account Logon Failures in the search box at the top of the Refine Results pane.
5. Click the gear button next to the rule (left), and then click Clone.
6. Select the folder where you want to save the cloned rule, and then click OK.
7. Select Enable at the top of the Rule Creation window, next to the Description field.
8. Click Save.
9. Back on the main Rules screen, click Activate Rules.
Table: Windows audit policy settings (columns Policy, Success, Failure) for older and newer Windows versions, covering the policies Audit account logon events, Audit account management, Audit directory service access, Audit logon events, Audit object access (1), Audit policy change, Audit privilege use, Audit process tracking, and Audit system events.

(1) Audit object access is required for file auditing. For more information, see the How to enable file auditing in Windows KB article.

For more information about the policies discussed above and how to configure their auditing, see the Audit Policy and Best Practice KB article.
network. Configure your firewalls to log to your SolarWinds LEM appliance and set up the appropriate tool on your SolarWinds LEM Manager. View the events in the default Firewall filter in your SolarWinds LEM Console, and create custom filters to show traffic to or from specific computers. This section contains the following procedures.
- "Setting a Firewall to Log to a LEM Appliance" on page 56
- "Configuring a Firewall Tool on a LEM Manager" on page 56
- "Viewing Network Traffic from Specific Computers" on page 57
- "Creating a LEM Rule to Notify of Potential Port Scanning Traffic" on page 58

- "Configuring a Cisco PIX or ASA Firewall to Log to Your LEM Appliance"
- "Integrating Check Point with SolarWinds LEM"
- "Integrating Juniper Firewalls with SolarWinds LEM"
If your firewall vendor is not listed here, search for your vendor in the SolarWinds LEM Knowledge Base. If documentation is not available, please contact Support.
To configure the Cisco PIX and IOS tool on your SolarWinds LEM Manager:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator.
2. Click the Manage tab, and then click Appliances.
3. Click the gear button next to the SolarWinds LEM Manager (left), and then click Tools.
4. In the Tool Configuration window, enter Cisco PIX in the search box at the top of the Refine Results pane.
5. Click the gear button next to the Cisco PIX and IOS tool, and then click New.
6. Replace the Alias value with a more descriptive tool alias, for example, PIX Firewall. Use "firewall" somewhere in the Alias field to ensure the default Firewall filter captures your firewall data.
7. Verify the Log File value matches the local facility defined in your firewall settings.
8. Click Save.
9. Click the gear button next to the new instance of the tool, indicated by an icon in the Status column, and then click Start.
10. Click Close to close the Tool Configuration window.
5. Click Alert Groups on the components list (left).
6. Click Network Audit Alerts.
7. In the Fields: Network Audit Alerts list below, click and drag SourceMachine into the Conditions box (right).
8. Enter the computer's name into the Text Constant field, which is denoted by a pencil icon. Use a wildcard character (*) after the computer name to avoid having to enter the computer's fully qualified domain name. Note: Use a Tool Profile instead of a Text Constant to filter for all network traffic coming from a group of similar computers.
9. Click Save.
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator.
2. Click the Build tab, and then click Rules.
3. Click NATO5 Rules on the Refine Results pane (left).
4. Enter PortScans (one word) in the search box at the top of the Refine Results pane.
5. Click the gear button next to the rule (left), and then click Clone.
6. Select the folder where you want to save the cloned rule, and then click OK.
7. Select Enable at the top of the Rule Creation window, next to the Description field.
8. Optionally, to tune the rule to be more appropriate for your environment, consider the following:
- Subscribe to the rule to track its activity in the Subscriptions report.
- Increase the number of alerts in the Correlation Time box to modify how frequently the rule fires.
- Omit vulnerability scanners from the Correlations by changing the TCPTrafficAudit "exists" condition to TCPTrafficAudit.SourceMachine = Your Scanners, where Your Scanners is a User-Defined Group, Tool Profile, or Directory Service Group that represents that group of computers.
- Modify the default action or add additional actions to do things such as send an email message, or block an IP address.
Note: For more information about working with SolarWinds LEM rules, see the Rules section of the SolarWinds Knowledge Base.
9. If you are finished configuring your rule, click Save.
10. Back on the main Rules screen, click Activate Rules.
up the appropriate tool on your SolarWinds LEM Manager. View the events in the default Virus Attack filter in your SolarWinds LEM Console. This section contains the following procedures.
- "Setting Antivirus Software to Log to a LEM Appliance" on page 60
- "Configuring the Antivirus Tool on a LEM Manager" on page 60
- "Creating a LEM Rule to Track When Viruses Are Not Cleaned" on page 61
If your antivirus vendor is not listed here, search for your vendor in the SolarWinds LEM Knowledge Base. If documentation is not available, please contact Support.
3. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator.
4. Select the Manage tab, and then click Appliances.
5. Click the gear button next to your SolarWinds LEM Manager (left), and then click Tools.
6. In the Tool Configuration window, enter Symantec Endpoint Protection in the search box at the top of the Refine Results pane.
7. Click the gear button next to the Symantec Endpoint Protection 11 tool, and then click New.
Note: For Symantec Endpoint Protection (SEP), the Log Facility is equal to the local facility on your SolarWinds LEM appliance plus 16. So, the default Log File value of /var/log/local6.log on your SolarWinds LEM appliance actually corresponds to Log Facility 22 in your SEP11 settings.
8. Click Save.
9. Click the gear button next to the new instance of the tool, indicated by an icon in the Status column, and then click Start.
10. Click Close to close the Tool Configuration window.
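Where the "plus 16" in that note comes from, as an added Python example (not SolarWinds code): the syslog facility numbering from RFC 3164/5424 puts local0 at 16, so local6.log is facility 22. The sample lines and the SEP message text are constructed; only the facility arithmetic and the /var/log/local6.log default are from the guide.

```python
"""Syslog facility arithmetic behind the SEP Log Facility note (added example, not SolarWinds code).

The <PRI> prefix of a syslog line is facility * 8 + severity, and local0..local7 are
facilities 16..23. The appliance's /var/log/local6.log therefore corresponds to facility
number 16 + 6 = 22, which is the value the guide says to enter as Log Facility in SEP.
"""
import re
from typing import List, Tuple

LOCAL0 = 16  # facility number of local0; local6 is LOCAL0 + 6 = 22

# Facility names 0-23 in numeric order (RFC 5424, Table 1; short labels for 12-15).
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]

# Matches the PRI prefix, e.g. "<182>", at the start of a syslog line.
_PRI_RE = re.compile(r"^<(\d{1,3})>")


def facility_number(name: str) -> int:
    """Map a facility name such as 'local6' to its number (22)."""
    return FACILITY_NAMES.index(name.lower())


def local_log_file(facility: int) -> str:
    """Return the appliance log file a local facility is written to, e.g. 22 -> /var/log/local6.log."""
    if not LOCAL0 <= facility <= LOCAL0 + 7:
        raise ValueError(f"facility {facility} is not one of local0-local7")
    return f"/var/log/local{facility - LOCAL0}.log"


def parse_pri(line: str) -> Tuple[int, int]:
    """Split the <PRI> of a syslog line into (facility, severity)."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("line has no <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI {pri} out of range")
    return pri >> 3, pri & 7


def lands_in_tool_log(line: str, tool_log_file: str) -> bool:
    """True if the line's facility routes it to the Log File the LEM tool reads."""
    facility, _ = parse_pri(line)
    try:
        return local_log_file(facility) == tool_log_file
    except ValueError:  # a non-local facility never lands in a localN.log file
        return False


# Constructed sample lines (not real SEP output): PRI 182 = 22*8 + 6 (local6.info),
# PRI 134 = 16*8 + 6 (local0.info), PRI 38 = 4*8 + 6 (auth.info).
SAMPLE_LINES = [
    "<182>Jan 10 12:00:01 sepm01 SEPM: Virus found, action: left alone",
    "<134>Jan 10 12:00:02 sepm02 SEPM: Virus found, action: cleaned",
    "<38>Jan 10 12:00:03 dc01 sshd[42]: Accepted publickey for admin",
]


def lines_for_tool(lines: List[str], tool_log_file: str = "/var/log/local6.log") -> List[str]:
    """Return only the lines the SEP tool would actually see in its Log File."""
    return [line for line in lines if lands_in_tool_log(line, tool_log_file)]


if __name__ == "__main__":
    print("local6 ->", facility_number("local6"))  # 22
    print("facility 22 ->", local_log_file(22))    # /var/log/local6.log
    for line in SAMPLE_LINES:
        fac, sev = parse_pri(line)
        print(f"{line[:5]:6} facility={fac:2} ({FACILITY_NAMES[fac]}) severity={sev}")
    print(len(lines_for_tool(SAMPLE_LINES)), "line(s) reach the SEP tool")
```

A SEP server configured with Log Facility 16 (local0) would produce the second sample line, which never reaches a tool whose Log File is /var/log/local6.log; checking the facility of a captured line is the quickest way to diagnose that mismatch.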
2. Select the Build tab, and then click Rules.
3. Click NATO5 Rules on the Refine Results pane (left).
4. Enter Virus Attack Bad State in the search box at the top of the Refine Results pane.
5. Click the gear button next to the rule (left), and then click Clone.
6. Select the folder where you want to save the cloned rule, and then click OK.
7. Select Enable at the top of the Rule Creation window, next to the Description field.
8. Click Save.
9. Back on the main Rules screen, click Activate Rules.
- "Setting Proxy Server to Log to a SolarWinds LEM Appliance" on page 62
- "Configuring a Proxy Server Tool on a SolarWinds LEM Manager" on page 63
- "Creating a SolarWinds LEM Rule to Notify of Suspicious URL Attempts" on page 64
If your firewall vendor is not listed here, search for your vendor in the SolarWinds LEM Knowledge Base. If documentation is not available, please contact Support.
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator.
2. Select the Manage tab, and then click Appliances.
3. Click the gear button next to your SolarWinds LEM Manager (left), and then click Tools.
4. In the Tool Configuration window, enter Websense Web Filter in the search box at the top of the Refine Results pane.
5. Click the gear button next to the Websense Web Filter and Websense Web Security tool, and then click New.
6. Replace the Alias value with a custom alias or accept the default.
7. Click Save.
8. Click the gear button next to the new instance of the tool, indicated by an icon in the Status column, and then click Start.
9. Click Close to close the Tool Configuration window.
6. Select the folder where you want to save the cloned rule, and then click OK.
7. Select Enable at the top of the Rule Creation window, next to the Description field.
8. Click Save.
9. Back on the main Rules screen, click Activate Rules.

- "Configuring Database Servers" on page 65
- "Configuring the MSSQL Auditor Tool on a SolarWinds LEM Agent" on page 66
- "Creating a SolarWinds LEM Rule to Send Notifications of Microsoft SQL Database Change Attempts" on page 67

- Microsoft SQL 2005 or 2008 Profiler
- Microsoft .NET 2.0 Framework
- SolarWinds LEM Agent for Windows
To install MSSQL Auditor on a SolarWinds LEM Agent:
1. Download SolarWinds-LEM-v5.3-MSSQLAuditor.zip from the SolarWinds customer portal under Additional Components.
2. Run mssqlaudsetup.exe.
3. Click Next to start the wizard.
4. Accept the End User License Agreement, and then click Next.
5. Click Change to specify an installation folder, or accept the default, and then click Next.
6. Click Install.
7. When the installation is finished, select Launch SolarWinds MSSQL Auditor, and then click Finish.

To configure MSSQL Auditor for use with your servers:

Note: If you did not select Launch SolarWinds MSSQL Auditor after installing the application, you can launch it from the SolarWinds Log and Event Manager program group in your Start menu.

1. Enter the name of the SQL server to be monitored in the SQL Server\Instance field, and click Add Server. Note: To specify an instance other than the default, enter your server name in the following format: Server\Instance.
2. Repeat this step for all of the servers to be monitored.
3. To use an account other than the Local System Account to run MSSQL Auditor on your database server, select This Account in the Run Service As section, and provide the appropriate credentials. Note: We recommend you use an account in the "sysadmin" role on your database, though the account only needs to have Execute permissions for any stored procedures with the xp_trace prefix.
4. Click Start Auditor Service, which is denoted by a green "Play" icon, in the Manage Auditor Service section.
5. Click OK.
3. Locate the SolarWinds LEM Agent for your database server and verify it is connected to your LEM Manager.
4. Click the gear button next to the SolarWinds LEM Agent, and then click Tools.
5. Enter MSSQL in the search box at the top of the Refine Results pane.
6. Click the gear button next to the SolarWinds Log and Event Manager MSSQL Auditor tool, and then click New.
7. Give the new tool a custom Alias, or accept the default.
8. Verify that the value in the Log File field matches the folder in which the logs are stored on your database server, and then click Save.
9. Click the gear button next to the new instance of the tool, indicated by an icon in the Status column, and then click Start.
10. Repeat these steps for the MSSQL 2000 Application Log tool.
11. Click Close to close the Tool Configuration window.
Creating a SolarWinds LEM Rule to Send Notifications of Microsoft SQL Database Change Attempts
Clone and enable the MSSQL Database Change Attempt rule to track when users attempt to change properties on a monitored Microsoft SQL database. The default action for this rule is to generate a HostIncident alert, which you can use in conjunction with the Incidents report to prove to auditors that you are auditing the critical events on your network. For more information about scheduling and leveraging the Incidents report, see "Leveraging the Incidents Report in Security Audits" on page 68.

To clone and enable the MSSQL Database Change Attempt rule:
1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator.
2. Select the Build tab, and then click Rules.
3. Click NATO5 Rules on the Refine Results pane (left).
4. Enter MSSQL Database Change Attempt in the search box at the top of the Refine Results pane.
5. Click the gear button next to the rule (left), and then click Clone.
6. Select the folder where you want to save the cloned rule, and then click OK.
7. Select Enable at the top of the Rule Creation window, next to the Description field.
8. Click Save.
9. Back on the main Rules screen, click Activate Rules.
- "Configuring Default Batch Reports on XP/2003 Computers"
- "Configuring Default Batch Reports on Vista/7/2008 Computers"

To maintain a paper trail for your security audits using the daily Incidents report:
1. Open the Incidents report every day for the previous day.
2. Print the report and review its contents.
3. Document any action you took as a result of the report on the printed report and sign it.
4. File the printed and signed report in a safe location for your next security audit.
In Ops Center, you'll find a dashboard view that presents visual representations of your data.
In Monitor, you'll filter and view alert details. In Explore, you'll find utilities for investigating alerts and their details. In Build, you'll create critical components of LEM that function on a Manager for processing data.
In Manage, you'll manage properties associated with Agents and Managers, and configure data sources to integrate your network security data with LEM.
Reports is a separate application. Its reporting tools let you run or schedule reports about the data that is stored in your LEM database.
The following topics briefly explain the role of each view of the Console, the view's primary uses, and where to get information on performing key tasks within that view. Topics are arranged here in an order that will help you understand the most fundamental items first, such as alerts, alert filters, and widgets. They then progress to more advanced features, such as exploring alerts, and creating Groups and rules.

- Click Start > All Programs > SolarWinds Log and Event Manager > Log and Event Manager Console.
- Double-click the SolarWinds Log & Event Manager desktop icon.

After a moment, the LEM Console appears. When you start the Console for the first time, the Manage > Appliances view appears, so you can configure and log in to a Manager. Otherwise, the Console restores the view that was open the last time you closed the Console.
- To open the Ops Center view (to work with widgets), click Ops Center.
- To open the Monitor view (to view, manage, and create filters), click Monitor.
- To open the Explore view (to work with explorers), click Explore.
- To open the Explore view (to search or view alert data or log messages), click Explore and then select nDepth.
- To open the Explore view (to view additional utilities), click Explore and then select Utilities.
- To open the Groups view (to build and manage Groups), click Build and then select Groups.
- To open the Rules view (to build and manage policy rules), click Build and then select Rules.
- To open the Users view (to add and manage Console users), click Build and then select Users.
- To open the Appliances view (to add and manage appliances), click Manage and then select Appliances.
- To open the Nodes view (to add and manage Agents), click Manage and then select Nodes.
To sort a grid:
- Click one of the grid's column headers to sort the grid by that column. If the column header shows an upward arrow, the column data is sorted in ascending order (alphabetically, or from lowest to highest: A to Z, 1 to 0). If the column header shows a downward arrow, the column data is sorted in descending order (reverse alphabetical, or from highest to lowest: Z to A, 0 to 1).
- Click the column header again to sort the grid by the same column, but in reverse order.
- Press and hold the Ctrl key, and then click another column header. You can tell how the table is sorted by the small up and down arrows in the column headers, and by the small numbers (1 and 2) that appear next to them. An up arrow means the column is sorted in ascending order. A down arrow means it is sorted in descending order. The numbers state the column sort order: 1 is the first sort, 2 is the second sort, and so on.
- If a secondary column's sort order is in the wrong direction, press the Ctrl key and click the column header again. This reverses the column's sort order. By pressing Ctrl and then clicking the Name column, you can also sort the tool names in ascending or descending order. In the example shown here, the Name column was sorted in ascending order, so the specific tools would appear in alphabetical order within each tool category.

and then select Logout. After a moment, an icon appears in the Manager's Status column, indicating that you are no longer logged on to that Manager.
The following table describes the key features of the Ops Center view.

Name: Widget Manager
Description: Click this button to alternately open and close the Widget Manager. The Widget Manager includes two panes: the Categories pane and the Widgets pane.

Name: Getting Started
Description: Tips and shortcuts to get you started configuring and exploring LEM.

Name: Data Simulator
Description: Plays back different kinds of simulated network data.

Name: Help
Description: Links to different resources to help you learn more about LEM.

Widgets
Each widget represents a high-level graphical view of specific network activity. Widgets are designed to present important high-level information at a glance. Most widgets are filter-driven; that is, a filter is the data source for what you are graphing in the widget. Widgets appear in two areas: the Ops Center and the Monitor view's Widgets pane.

- In the Ops Center, master widgets always reside in the Widget Manager's Categories list. Dashboard widgets always reside on the dashboard. Dashboard widgets cannot be saved in the Widget Manager.
- In the Monitor view, each master widget appears in the Widgets pane for the filter that acts as its data source. Dashboard widgets do not appear in the Monitor view's Widgets pane.
Widget Manager
Filters pane: Widgets are organized by filter. You can use the Filters pane to view, add, and edit the master widgets that are associated with each filter, and to create dashboard widgets from each master widget. The Name column lists each filter that has one or more master widgets. The Count column states how many master widgets are associated with each filter. You can also sort the columns of the Filters pane.

Add button: Opens the Widget Builder, so you can add a new master widget to the selected category.

Edit button: Opens the Widget Builder for the widget that is currently selected in the Widgets pane. The Widget Builder lets you edit the widget's settings.

Widgets pane: The Widgets pane is used to view the master widgets that are associated with each filter. You can also use this pane to create dashboard widgets and to delete master widgets from the selected filter.

Add to Dashboard: This button adds a copy of the master widget that is currently shown in the Widgets pane to the dashboard.

Delete Widget: This button deletes the master widget that is currently shown in the Widgets pane. Deleting a master widget does not delete any of the dashboard widgets that came from that widget.
The following table explains how to use each field on the Widget Builder.

Name: Type a name for the widget. This name will appear in the widget's title bar.

Filter: Select the filter that is to be the widget's data source. If a filter name appears in italics, it means the filter is currently turned off. When creating a widget from the Monitor view, this field defaults to the filter that is currently active. If you select a different filter, the widget will be associated with that filter, not the active filter. When creating a widget from the Ops Center, this field defaults to the first option in the list. Note: If you create a widget from a filter that is turned off, the widget will not display any chart information until the filter is turned back on.

Description: Type a brief description of the information this widget is reporting. You may use up to 80 characters.

Visual Configuration

Visualization Type: Select the type of chart or graph you want: Pie, Bar, Line, Table, etc. Select Table for those times when a table of values is a useful way to view the data. You can display a widget with any of these display types at any time. However, some display types may not make sense for some widgets, depending on the widget's content.

Color/Color Palette: Select a color palette for the chart or graph.

X-Axis Label: If desired, type a label for the chart or graph's horizontal axis.

Y-Axis Label: If desired, type a label for the chart or graph's vertical axis.

Preview: The Preview section shows what the widget will look like, based on the options you have selected in the Visual Configuration section.

Data Configuration

Field: Select a data field you want reported from those that are available in the selected data source.
Show:
- Count (default): This option counts each occurrence of the selected Field value. For example, if the Field you select is AlertID, you are counting the number of alerts. As a practical matter, no matter which field you select, you are counting alerts. But it is best to think of the widget as counting occurrences of the field.
- Distinct Count: This option does not count repeating Field values. Instead, it counts each time a distinctly different event occurs. For example, if you select a Field value like Alert Name or Detection IP, the widget will count each specific value only once. When used in a single-dimension chart, the Distinct Count option reports all values as 1, so this option is best used with multi-dimensional charts.

Sort: Descending (default) order is from highest to lowest (Z to A, or 0 to 1, etc.). Ascending order is from lowest to highest (A to Z, or 1 to 0, etc.). Sorting only applies when your Versus value is something other than Time.

Versus: If you want a second dimension in the chart, select another data field from those that are available in the selected data source. This field's sort order is ascending.

Split By: If you want a third dimension in the chart, select another data field from those that are available in the selected data source. This field's sort order is ascending.

Limit: Most filters contain a data span that exceeds what is practical to chart. The Limit value limits the number of items that will be seen. Select a limit for the number of items that are to be charted. The default value is 5. For example, this can represent your Top 5 or Bottom 5, depending on how you sort the data.
Scope: Select a value for the scope. This is the timeframe reported by the chart or graph. The scope is always measured backward from the moment the chart is refreshed. For example, a scope of 30 minutes means the last 30 minutes. The scope can be measured in Seconds, Minutes (default), Hours, or Days. For events that happen frequently, choose a narrow scope. For events that happen rarely, choose a large scope.

Resolution: Select the time value that defines the tick marks that are to be used on the chart's horizontal X-axis. This field is required when Versus is a Time field. For example, if you are looking at 30 minutes of data, a Resolution of 5 Minutes means the bars or line chart data points are drawn in 5 minute increments. In charts with wider scope, the resolution could be hours or even days. This option is disabled for widgets that are not reporting time-based data.

Refresh: Select the rate at which you want the widget to refresh its visual display. This is necessary because the Console is monitoring real-time data. Therefore, you need to periodically refresh the chart.

Save and Cancel

Save to Dashboard: Select this option to save the new or updated widget to the bottom of the Ops Center dashboard.

Save: Click Save to save the new or revised master widget. Upon saving, the new widget configuration immediately appears in the Ops Center Widget Manager and in the Monitor view's Widgets pane.

Cancel: Click Cancel to cancel your changes and close the Widget Builder.

Widgets act as shortcuts to the alert filters that are their data sources. This means you can open the source filter directly from a widget. You do this by clicking the specific line, bar, or pie wedge of the chart that interests you. The corresponding filter then opens in the Monitor view. The filter lists only the events that correspond with the chart item selected.
To open a filter from a dashboard widget:
1. Open the Ops Center view.
2. In the dashboard, locate the widget you want to work with.
3. On the widget, click the specific line, bar, or pie wedge that interests you.
4. The Monitor view appears, with the alert grid showing the filter that is the widget's data source. Note that the alert grid lists only those events that correspond to the line, bar, or pie wedge that you clicked. Also note that the filter is paused. Click Resume on the alert grid toolbar to begin running the filter again.

Note: It is possible for you to select an item in the widget that is no longer shown in the Monitor's alert grid. That is, the filter may actually show fewer events than appear in the widget. This can happen if the widget's scope is broader than the filter's scope. In this case, the filter may no longer have some of the data shown by the widget, because the filter has had to make room for new data. Remember, the widget's scope can be different than the filter's scope. The widget tracks statistics about alerts that occurred over time (and perhaps a very large timeframe). The filter tracks only a certain quantity of events for a timeframe that may be much smaller than the widget's scope. To think about it another way: the Console filters are aware of 10,000 alerts at a time. With every refresh interval, a widget looks at those 10,000 alerts to draw a line, bar, or wedge that matches the right count for that time. Those 10,000 alerts are also displayed in the corresponding filter. But when the Console gets to 10,000 alerts, the widget doesn't "erase" any data points it has already drawn, while the filter has to remove the oldest alerts from the grid to make room for new data.

The following table describes the function of each button on a widget toolbar. All of these buttons are on the widget toolbar, except for the legend button, which appears in the lower-left corner of the widget.

Button functions:
- Opens the widget in the Widget Builder, so you can edit its settings.
- Flips the widget, so you can configure its presentation format.
- Refreshes the widget's data.
- Expands (maximizes) the widget to fill the desktop.
- Restores the widget from its maximized size to its default size.
- This button has two functions: in normal dashboard mode, it deletes the widget from the dashboard; when you are editing a flipped widget, it closes the widget's edit mode and returns it to its normal desktop view.
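As an added illustration of the note above (this is not SolarWinds code), the following Python models a Console filter that holds at most 10,000 alerts beside a widget that never erases a data point it has drawn; the alert stream, time buckets and the small capacities used in the demo are constructed.

```python
"""Why a dashboard widget can show more alerts than its source filter.

Added illustration, not SolarWinds code. It models only what the guide states: a
Console filter is aware of at most 10,000 alerts and drops the oldest to make room,
while a widget counts alerts per refresh interval and never erases a drawn point.
Alerts, buckets and the small capacities used below are constructed for the demo.
"""
from collections import Counter, deque

GRID_CAPACITY = 10_000  # alerts a Console filter holds at a time (from the guide)


class ConsoleFilter:
    """Bounded alert grid: once full, the oldest alert is evicted for each new one."""

    def __init__(self, capacity=GRID_CAPACITY):
        self.grid = deque(maxlen=capacity)

    def ingest(self, alert):
        self.grid.append(alert)  # deque(maxlen=...) drops the oldest automatically

    def rows_for(self, bucket):
        """Alerts still in the grid that fall in the clicked time bucket."""
        return [a for a in self.grid if a["bucket"] == bucket]


class Widget:
    """Chart fed by a ConsoleFilter; every bar it draws stays drawn."""

    def __init__(self, source):
        self.source = source
        self.bars = Counter()  # time bucket -> count drawn for that bucket
        self._counted = set()  # alert ids already drawn, so a redraw never double counts

    def refresh(self):
        """One refresh interval: look at the grid's current alerts and draw new ones."""
        for a in self.source.grid:
            if a["id"] not in self._counted:
                self._counted.add(a["id"])
                self.bars[a["bucket"]] += 1
        return dict(self.bars)


def simulate(total_alerts, capacity, bucket_size, refresh_every):
    """Feed `total_alerts` constructed alerts through a filter and its widget.

    Returns (widget_bars, grid_rows); both map time bucket -> count, so the chart
    the user sees can be compared with what the filter can still show.
    refresh_every must not exceed capacity, or alerts could be evicted unseen.
    """
    flt = ConsoleFilter(capacity)
    widget = Widget(flt)
    for i in range(total_alerts):
        # Constructed alert: id i lands in time bucket i // bucket_size
        flt.ingest({"id": i, "bucket": i // bucket_size})
        if (i + 1) % refresh_every == 0:
            widget.refresh()
    widget.refresh()  # final interval
    grid_rows = {b: len(flt.rows_for(b)) for b in widget.bars}
    return dict(widget.bars), grid_rows


def stale_buckets(widget_bars, grid_rows):
    """Buckets a user could click in the widget that the filter can no longer fully show."""
    return sorted(b for b, n in widget_bars.items() if grid_rows.get(b, 0) < n)


if __name__ == "__main__":
    bars, rows = simulate(total_alerts=30, capacity=10, bucket_size=5, refresh_every=5)
    print("widget:", bars)  # every bucket keeps its 5 alerts
    print("filter:", rows)  # only the newest 10 alerts remain in the grid
    print("stale buckets:", stale_buckets(bars, rows))
```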
3. The widget flips over to display its configuration options, as shown here.
4. Configure the widget, according to its configuration options. These options are a subset of the fields on the Widget Builder.

To arrange widgets on the dashboard:
1. Open the Ops Center view.
2. If needed, click Widget Manager to close the Categories and Widgets panes. This provides the most space for arranging your widgets.
3. In the dashboard, drag a widget's title bar to move that widget into a new position on the dashboard. As you move the widget around the dashboard, the other widgets rearrange themselves and make room for your widget. Upon releasing the mouse button, the widget snaps into place.
Resizing a Widget
You can view widgets in full-screen mode or in their normal size. You can also change the size of a widget to make it taller or wider. However, the widget's different sizes must conform to the dashboard's standard geometry.

To resize a widget: In the Ops Center dashboard, drag the lower-right corner of the widget in any direction. As you resize the widget, the surrounding widgets rearrange themselves to make room for the larger one. Upon releasing the mouse button, the widget snaps to the closest size allowed by the desktop's geometry.

To show a widget in full-screen mode: In the Ops Center dashboard, click the Maximize button on the widget's toolbar. The widget takes up the entire dashboard.

To restore a widget to its normal size: In the Ops Center dashboard, click the Minimize button on the widget's toolbar. The widget returns to its normal size.
Widget Storage
Widgets appear in two areas: the Ops Center and the Monitor view's Widgets pane.
- In the Ops Center, master widgets always reside in the Widget Manager's Categories list. Dashboard widgets always reside on the dashboard. Dashboard widgets cannot be saved in the Widget Manager.
- In the Monitor view, each master widget appears in the Widgets pane for the filter that acts as its data source. Dashboard widgets do not appear in the Monitor view's Widgets pane.
Chapter 7: Monitor
The Monitor view is the heart of the LEM Console. As the name implies, it is used for monitoring your network activity. In Monitor, you create filters and widgets that group and display different alerts that come from your Agents, Managers, and network devices. Alerts are messages created from Agent, Manager, and network device log entries. These log entries are processed (or normalized) to extract information and display the data in a common column/field-based format, rather than the often convoluted format you see in the source data. These normalized alerts are sent from the Agent to the Manager for processing. At the Manager, the alerts are processed against your Rules, sent to your Database for archiving, and sent to the LEM Console for monitoring.
Click a filter name to apply that filter to the alert grid. The alert grid refreshes to show only the incoming alerts allowed by the filter's conditions.
Use the pane's gear button to edit, pause, resume, turn on, turn off, import, export, or delete filters.
Agents monitor each configured data source on your network. The Agents then send alerts to your Managers. The Console's alert grid displays every alert that is logged to each Manager the Console is connected to. The grid's title bar displays the name of the filter that is currently applied. By default, incoming alerts always appear at the top of the grid. This allows the Console to always show the most recent alert activity first.

Respond menu: Use this menu to actively respond to a particular alert message. For example, you can choose to block an IP address, or restart or shut down the machine that is the source of the alert activity.

Explore menu: Use this menu to explore a particular alert message or one of its specific data elements with an explorer. The menu is context-sensitive. The contents of the selected cell (called a string) determine which explorers you may choose from.

Pause/Resume: This button toggles to pause or resume the alert traffic that is currently being reported by the filter.

Highlight button: This button lets you highlight rows in the alert grid with a particular color. Highlighting can serve as a helpful visual reference point for marking and locating specific alerts in the grid.

Gear button: The gear button in each row opens a menu of commands that you can perform on the item that is currently selected in the grid. You can use these commands to mark messages as read or unread, to remove messages, or to copy alert information.

Sort: When a filter is paused, you can click the column headers to sort the grid in ascending or descending order by each of its columns.

Filter Notifications pane: The Filter Notifications pane summarizes the alert activity from each of your active notification filters; these are filters that use blink, popup, or sound notifications. Click a filter name in this tab to view the alerts associated with that filter. This pane behaves exactly like the status bar's Notifications tab.
Widgets pane: This pane displays the widgets associated with the filter that is currently applied to the alert grid. Widgets automatically refresh themselves to reflect changes in alert grid filtering. You can use this pane to view the different widgets associated with the filter, change a widget's visualization type (bar chart, pie chart, line graph, etc.), create a new widget, edit an existing widget, or save a widget to the Ops Center dashboard.
Alert Details and Alert Description are two views of the same pane. This pane displays detailed information about the last alert to be selected in the grid.
- The Alert Details view displays specific technical details about the alert. You can also use this view to create a filter based on the selected alert, or to scroll through the contents of the alert grid.
- The Alert Description view displays a written description of the alert that is currently selected.
Notifications: The Notifications tab summarizes the alert activity from each of your active notification filters; these are filters that use blink, popup, or sound notifications. Click a filter name in this tab to view the alerts associated with that filter.
However, you can create your own custom filters, or modify existing filters to meet your needs. There is no limit to the number of filters a LEM Console can contain. Filters are managed in the Filters pane. The Filters pane stores all of the filters that can be applied to the Console's alert grid.

Filter attributes: The number next to each filter shows the total number of alerts that are currently associated with that filter. Positioning your pointer over a filter displays a ToolTip that briefly describes the purpose of that filter, when such a description is available. Any filters that appear in italics are currently turned off.

You can use the Filters pane to do any of the following tasks:
- Create your own custom filters and reconfigure existing filters to meet your needs.
- Create filter groups for storing and organizing your filters.
- Turn filters on and off, and pause them to stop the flow of alert traffic.
- Move filters from one filter group to another.
- Copy filters.
- Rename filters and filter groups.
- Import and export filters.
- Delete obsolete filters and filter groups.
Note: If you are installing an upgrade, LEM automatically converts your existing filters into the new graphical format described in "Utilizing the Console" on page 189.

Default filters, with each filter's default status (On or Off) in parentheses:
Admin Account Authentication (Off): Displays alerts for authentication to administrative-level accounts.
All Alerts (On): Displays all alerts from all sources.
Change Management (On): Displays alerts for changes made to users, groups, and devices.
Denied ACL Traffic (Off): Displays alerts for network traffic that has been administratively denied.
Domain Controllers (all) (Off): Displays all alerts from domain controller devices.
Failed Logons (On): Displays failed logon attempts.
File Audit Failures (On): Displays FileAuditFailure alerts, which show failed attempts to access audited files.
Firewall (On): Displays all alerts from firewall devices.
FTP Traffic (On): Displays TCP traffic to and from ports 20 and 21, indicating file transfer activity on the network.
IDS (On): Displays all alerts from network intrusion detection devices.
Incidents (On): Displays all Incident alerts.
Network Alerts (Off): Displays all alerts in the NetworkAudit category of the alert tree.
Proxy Bypassers (Off): Displays WebTrafficAudit alerts that are not from a proxy server. This can indicate an internal machine attempting to access the Web directly, rather than by using the proxy server.
Rule Activity (On): Displays InternalRuleFired and InternalTestRule alerts, which indicate that Rules have been triggered.
Security Alerts (On): Displays all alerts in the SecurityAlert category of the alert tree.
Security Processes (On): Displays ProcessStart and ProcessStop alerts related to critical security processes running on machines. These processes include anti-virus, anti-spyware, and firewall processes.
SMTP Traffic (On): Displays TCP traffic to and from port 25. It can also identify potentially infected hosts.
SNMP Traffic (On): Displays network traffic to and from port 161. This filter can be used to discover network scan attempts and normal network monitoring tools.
Subscriptions (On): Displays alerts from user rule subscriptions.
Alerts (On): Displays all alerts in the InternalAlert category of the alert tree.
Unusual Network Traffic (On): Displays alerts in the NetworkSuspicious branch of the alert tree, which indicate that potentially suspicious or unusual network activity may be occurring.
USB File Auditing (On): Displays file-related alerts from Agents with USB-Defender installed.
USBDefender (On): Displays alerts from USB-Defender technology that are related to insertion and removal of USB devices.
User Logon (interactive) (On): Displays UserLogon alerts where the logon type indicates a user physically logging on at a machine, or interactively logging on to a remote desktop.
User Logons (On): Displays all UserLogon alerts from all sources, indicating varying types of user authentication and access.
Virus Attacks (Off): Displays all VirusAttack alerts. VirusAttack alerts are created when virus scanners detect potentially malicious virus activity.
Web Traffic for Source Machine (Off): Displays WebTrafficAudit alerts that match a specific source machine. This filter can be used to track a single machine's web activity to discover potentially abusive activity.
Web Traffic Spyware (Off): Displays WebTrafficAudit activity to and from URLs that are indicated by the Spyware Sites User-Defined Group to be potentially malicious websites.
Filter Creation
The Monitor view has a Filter Creation tool that lets you create and edit your own custom alert filters, as well as edit any existing filters. You can use this form to name, describe, configure, and verify your filters. Alert filters are based on specific Alerts or Alert Groups. You configure them by dragging and dropping the filter's Alert attributes into configuration boxes. When an Agent or Manager reports an event that conforms to the alert filter's conditions, the alert message appears in the alert grid, whenever that filter is active. Each filter you create is added to the Filters pane. Selecting the filter causes it to become the active filter in the alert grid. As with other filters, the alert grid shows only those alert messages that meet your filter's requirements. The possibilities for alert filters are endless, so this section describes how to create filters in general terms. This section is not intended to be a tutorial, but rather a reference for you to fall back on if you are unclear about how any of the custom filter form's elements, commands, or functions perform. The tools in Filter Creation are very similar to those found in Rule Creation. Filters only report event occurrences, so there is no harm if you create a filter that is unusual or has logic problems. But this is not the case when building rules: creating an incorrect rule can have unpleasant consequences.
Therefore, creating filters with Filter Creation is an excellent way to familiarize yourself with the logic and tools needed to create well crafted rules.
Use the top part of the form to name and describe the filter, so you can quickly identify it.
Click > to view a list of warning and error messages. Click a message flag to display detailed information about the nature of that problem. Click a message to highlight the specific area or field that is the source of that problem.
Conditions box: Use this box to define the conditions for the data that is to be reported by the filter. You configure conditions by dragging items from the list pane into the Conditions box.

Notifications box: Use this box to define how the Console is to alert users of alert events, such as a sound, a pop-up message, etc.
Undo/Redo: Click the Undo button to undo your last desktop action. You can click the Undo button repeatedly to undo up to 20 steps. Click the Redo button to redo a step that you have undone. You can click the Redo button repeatedly to redo up to 20 steps. You can only use Undo or Redo for steps you made since the last time you clicked Save.

Save/Cancel: Click Save to save your changes to a filter, close Filter Creation, and return to the alert grid. Click the Cancel button to cancel any changes you have made to a filter since the last time you clicked Save, exit Filter Creation, and return to the alert grid. If you have any unsaved changes, the system prompts you to confirm that you want to cancel.
Alerts
The topics in this section explain how to use the alert grid to apply filters to incoming alert traffic. They also explain how to use the alert grid to pause, sort, highlight, copy, read, remove, explore, and respond to alerts in order to take preventive or corrective action.
3. Select the filter you want to apply to the alert grid. The alert grid title bar displays the name of the filter you have selected, and the grid refreshes to display only those alerts that meet the special conditions of that filter.
Highlighting Alerts
In the Monitor view's alert grid, you can highlight alerts to call attention to them or mark them for future reference. This allows the alerts to really stand out as you scroll through the contents of the grid. You can highlight multiple alerts at the same time. You can also choose the color you want for each set of alerts you are highlighting.
To highlight alerts:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to work with. The alert grid displays the filter you have selected.
3. On the alert grid toolbar, click Pause to temporarily stop any incoming alerts. Note: It is not required to pause a filter to highlight its alerts; however, it is convenient. Pausing temporarily stops the flow of alert traffic (freezing any alert movement in the grid) so you can easily select each item.
4. In the alert grid, click to select the alerts you want highlighted.
5. On the alert grid toolbar, click the arrow next to the highlight button.
6. Use the color picker to select the highlight color you want. You can also type the hexadecimal value of any color in the Web-safe color palette. In the grid, the selected alerts become highlighted in the color you chose.
7. Click Resume to continue the flow of incoming alert traffic.

To highlight more alerts with the same color:
1. In the alert grid, click to select the alerts you want highlighted.
2. Click the "marker" part of the alert grid's highlight button. The selected alerts become highlighted with the marker color.
To turn an alert's highlighting off:
1. (Optional) On the alert grid toolbar, click Pause to temporarily stop any incoming alerts.
2. In the alert grid, select the alerts for which you want to remove highlighting.
3. On the alert grid toolbar, click the arrow next to the highlight button. Then click the No Color button. The highlighting is removed from the alerts.
5. Click the alert grid's gear button and then click Copy. The selected alert details are now copied to your clipboard (as text), where they can be pasted into another application.
Select this command to mark the selected alerts as unread. This means you have not looked at them yet. Unread alerts appear in bold text. When a filter has the read/unread feature turned on, any of its alerts that are captured by other filters will appear as unread in those filters, too.

Select this command to mark the selected alerts as having been read. Alerts marked as read appear in normal text, rather than bold text.

Select this command to mark all of the alerts in the active filter as unread. This means you have not looked at them yet. Unread alerts appear in bold text.

Select this command to mark all of the alerts in the active filter as having been read. Alerts marked as read appear in normal text, rather than bold text.
Removing Alerts
When needed, you can remove individual alerts from a filter, or all of the alerts from a filter. You may want to do this to clean a filter of historical information that is no longer important to you.

To remove individual alerts:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to work with. The alert grid displays the filter you have selected.
3. In the alert grid, select the alerts you want to remove.
4. Click the alert grid's gear button, and then click Remove. The selected alerts are removed from the grid.

To remove all alerts:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to work with. The alert grid displays the filter you have selected.
3. Click the alert grid's gear button, and then click Remove All. All of the filter's existing alerts are removed from the grid. The filter will now show only new incoming alerts.
- The Alert Details view displays detailed information about the alert that is currently selected in the grid. If more than one alert is selected, it shows the properties of the last alert to be selected.
- The Alert Description view displays a written description of the last alert to be selected in the grid.

You can also use this pane to create a filter based on the selected alert, or to scroll through the contents of the alert grid.
Click this button to create a new filter that captures the currently selected alert type. Upon doing so, the Monitor view opens, with the new filter open in the alert grid. The new filter appears in the Filters pane, under the last selected filter. If needed, you can edit the filter so it captures alerts of an even more specific nature.
Click these buttons to move up and down among the alerts in the alert event grid. The pane shows detailed technical information about each alert that is selected. This lets you view the technical details and written descriptions of each alert in the grid. Remember, you can also use your keyboard's up and down arrow keys:
- To cycle through the alerts in the alert grid, click anywhere in the alert event grid. Then use your up and down arrow keys.
- To cycle through the fields in the Alert Details pane, click anywhere in the Alert Details grid. Then use your up and down arrow keys.

Click this button to open the pane's Alert Details view. This view shows detailed information about each of the selected alert's data fields. The actual fields that appear here vary, according to the alert type that is currently selected. For example, network-oriented alerts show fields for IP addresses and ports. Account-oriented alerts show account names and domains.

Click this button to open the pane's Alert Description view, which provides a detailed written description of the alert type that is currently selected.

Click the Print button to print this information from either view.
Level 4: Suspicious
Level 6: Threatening. Indicates that investigation is needed and possibly an action.
Level 7: Critical. Indicates that immediate action is needed.
Chapter 8: Explore
The Console's Explore area has two views:
- The nDepth view contains a powerful search engine that lets you search all of the alert data or the original log messages that pass through a particular Manager. The log data is stored in real time, as it originally occurs from each host (network device) and source (application or tool) that is monitored by the Manager. nDepth summarizes and displays search results with several different visual tools that can also be combined into a customizable dashboard. The tools are intuitive and interactive: you can point and click to view information or refine your searches. Each graphical tool provides an alternative view of the same data, so you can examine your data from several perspectives. You can also view and explore a text-based view of the actual data. nDepth employs drag-and-drop tools that let you configure simple or even complex search criteria. You can use these tools to dig deeper into your findings by adding search conditions, or by appending text to existing search strings. nDepth also includes a tool called Search Builder that lets you configure complex search criteria using the same sort of drag-and-drop interface found in Filter Creation.
- The Utilities view contains several utilities, called explorers. You can think of this view as a center for investigating alerts and their details. Many of the explorers are utilities used for finding out more about alert-specific details, such as looking up IP addresses, domain names, and host names. The Event explorer lets you view all of the events related to an alert message. It is designed to help you visualize how the alert occurred and the system's response to that alert. You can follow the chain of events that caused the alert, and help determine its root cause.
nDepth
nDepth is a powerful search engine that lets you search all of the alert data or the original log messages that pass through a particular Manager. The log data is stored in real time, as it originally occurs from each host (network device) and source (application or tool) that is monitored by the Manager. You can use nDepth to conduct custom searches, investigate your search results with graphical tools, investigate alert data in other explorers, and take action on your findings.
- Search either normalized alert data or the original log messages. You can also use nDepth to explore log messages that are stored on a separate nDepth appliance.
- Intuitively view, explore, and search significant alert activity. nDepth summarizes alert activity with simple visual tools that you can use to easily select and investigate areas of interest.
- Use existing filter criteria from the Monitor view to quickly create similar searches.
- Create your own custom widgets for the nDepth Dashboard.
- Conduct custom searches. You can also create complex searches with the Search Builder, which is a tool that behaves just like the Filter Builder. You can also save any search, and then reuse it at any time by clicking it.
- Export your findings to a printable report in PDF format, or your search results to a spreadsheet file in CSV format.
- Use the Explore menu to investigate nDepth search results with other explorers.
- Use the Respond menu to take action on any of your findings.
- Export your findings to a report in PDF format.
- In Alerts mode, nDepth summarizes and explores your alert data. This is the normalized data that appears in the Monitor view and is stored in the LEM database.
- In Log Messages mode, nDepth summarizes and explores the raw log messages that are going into nDepth Log Storage from the original event logs. This mode is intended for customers who have specific data analysis needs, and who fully understand how to interpret the raw log messages that are generated by their network devices and tools.

Note: The virtual appliance must be configured to store log message data. For more information, see the following KB article, "Configuring Your LEM Appliance for Log Message Storage." Be aware that data storage is limited. If you have not configured a CMC option for archiving data, LEM will delete the oldest data to make room for new data.

The topics in this chapter explain how to perform basic searches with nDepth, how to use nDepth's graphical tools, how to use nDepth with other explorers, and how to respond to your findings.
Opening nDepth
You can open nDepth in several ways. You can open the Explore > nDepth view directly to conduct custom searches. Or you can open nDepth from an existing data source, such as an alert field or another explorer (NSLookup, Whois, Traceroute, and Flow), to search for similar events or data.
By default, the nDepth search time is for the last 10 minutes (the end time is now, and the start time is 10 minutes ago).
- In the Monitor view's alert grid, select the alert row or field you want to explore.
- In the Event explorer's Alert Details pane, event map, or event grid, click the item or field you want to explore.
2. In the Explore menu on the alert grid, click nDepth. The Explore > nDepth view appears, and the nDepth search box contains the alert or alert field you are exploring. When you initiate an nDepth search from the Monitor view, nDepth automatically searches all hosts and sources for every instance of the selected alert field that has occurred within a ten-minute period around the event you are exploring. This way, you can identify similar events that occurred before and after the event you are exploring.
History button: Alternately hides and opens the History and Saved Searches panes.

History pane: Shows recent Explore activity. This pane is shared between the Utilities view and the nDepth view. For more information, see "Using the History pane" on page 1.
Saved Searches pane: Lists any searches that you have saved. To begin using one of these searches, click it to run that search. You can edit and save changes to your saved searches. You can also save variations on these searches as new searches.

Use this window to create and run your searches, and to view, explore, and respond to your search results.

Undo/Redo: Click the Undo button to undo your last action. You can undo up to 20 actions. Click the Redo button to redo a step that you have undone. You can redo up to 20 actions.

Respond: Use this menu to initiate a response to a particular alert, event, or data field.

Explore: Use this menu to explore a particular data field with another explorer.

Gear button: Click the gear button for the following commands:
- Click Save As to save the search for later use.
- Click Save to save any changes to the current search.
- Click Export to export nDepth's current search results to a PDF document.
Search bar: Use the search bar to do the following:
- Select the type of data you want to explore: alert data (default) or the original log messages.
- Select the mode for configuring searches: drag and drop, or text entry.
- Configure and select the search's timeframe.
- Run the search.
- Stop a search that is in progress.
For detailed information on the search bar, see "nDepth's Search Bar" on page 112.
List pane: The list pane is the accordion list on nDepth's left side. It contains categorized lists of items that you can use when configuring search conditions. To use a list item as a search condition, double-click it, or drag it from the list into the search bar. You can also drag these items into the Search Builder to quickly configure complex searches. Two of these lists appear only in nDepth:
- The Refine Fields list categorizes and lists the primary data details that are found in your nDepth search results. You can use these details to create, refine, or append nDepth searches.
- The Managers list includes each Manager and appliance that can be used with nDepth for searching data.
Histogram: This histogram shows the number of alerts or log messages that were reported within a particular period. You can expand or reduce this period, as needed. You can also zoom in to a period to take a closer look, or zoom out to see high-level activity.

Explorer: The explorer section shows different graphical and text-based views of your search results, as well as a Dashboard view and the Search Builder. You can click items in each graphical view to search for those specific items. The title bar states which view is open, and the icon on the title bar indicates which type of data you are exploring: one icon means you are exploring alert data, the other means you are exploring log messages.

Toolbar: Use the toolbar to select the nDepth explorer view you want to work with.
The following table describes the key features of nDepth's search bar.
Mode selector: Use this toggle switch to select how you intend to enter the search string for your queries:
- Select Drag & Drop Mode (upper position) to drag items from the list pane or the Result Details view directly into the search box. This is the recommended position, as it is the easiest to use.
- Select Text Input Mode (lower position) to type a search string directly in the search box. In this mode, the search box also shows the text version (or search string) of any search that is being run or configured in Search Builder or the Saved Searches pane.
Search box: This box contains your search conditions. You can enter search conditions in a number of different ways. Click the delete button next to a condition or a group to remove that condition or group from the current search configuration.
AND/OR: The search bar includes AND and OR operators. These operators let you include AND and OR relationships between conditions and groups of conditions when you have multiple conditions in your search string. Click the operator icon to toggle between AND and OR relationships.
Group: When you have a group of conditions, the search bar displays the conditions as a summary. To see the actual conditions, point to them. A ToolTip appears that shows each condition in the group.
Delete All: Click this button to delete the entire contents of the search box, so you can begin a new search.
Search: Click this button to begin a search, or to stop a search that is in progress.
Time selector: In the time selector, select a timeframe for the search. If needed, you can create your own custom timeframe.
Chapter 8: Explore
Alerts / Log Messages toggle: Use this toggle switch to choose the data you want nDepth to explore:
- Select Alerts (left position) to search LEM's normalized alert data. This is the alert data that appears in the Monitor view.
- Select Log Messages (right position) to search the actual log entries that are recorded in your network products' log files. If Log Messages is disabled, the feature is either turned off on your equipment, or your equipment does not have the capacity to store and search the original log messages. You can still search the data in the Alerts position.
The following table describes the function of each option on the nDepth explorer toolbar. Each option provides a different view of the data from nDepth's most recent search.
Dashboard: Opens the nDepth Dashboard. This is nDepth's default view. It shows each nDepth view of the current search data as a small widget. You can minimize and maximize each widget as needed. You can also edit the chart widgets to change their appearance.*
Word Cloud: Opens the Word Cloud, which shows keyword phrases that appear in your alert data. Phrases appear in a size and color that relates to their frequency. You can filter this view to zero in on a range of activity. You can also click a phrase to create or append a search based on that phrase.
Tree Map: Opens the Tree Map, which shows the items that appear most often in the data as a series of categorized boxes. The box categories correspond with the data categories found in the Refine Fields list. The size of a box within each category reflects its relative frequency: the more often an item occurs, the larger its box appears. If a box is small, you can point to it to open a ToolTip that shows its contents. You can also click a box to create or append a search based on that item.
Bar Charts: Opens the Bar Charts* view, a group of widgets that shows your most frequent data items as a series of bar charts. The size of each bar corresponds with the item's relative frequency: the more often an item occurs, the larger its bar appears. You can point to a bar to show information about it. You can also click a bar to create or append a search based on that item.
Line Charts: Opens the Line Charts* view, a group of widgets that shows your most frequent data items as a series of line graphs. The height of a point on the graph corresponds with the item's relative frequency: the more often an item occurs, the higher the point appears on the graph. You can point to an item on the graph to show information about it. You can also click a point on the graph to create or append a search based on that item.
Pie Charts: Opens the Pie Charts* view, a group of widgets that shows your most frequent data items as a series of pie charts. The size of each pie wedge corresponds with the item's relative frequency: the more often an item occurs, the larger its wedge appears. You can point to a wedge to show information about it. You can also click a wedge to create or append a search based on that item.
Bubble Charts: Opens the Bubble Charts* view, a group of widgets that shows your most frequent data items as a series of circles or "bubbles." The size of each bubble corresponds with the item's relative frequency: the more often an item occurs, the larger its bubble appears. You can point to a bubble to show information about it. You can also click a bubble to create or append a search based on that item.
Result Details: Opens the Result Details view, which is a text-based view of all of the data you are investigating. This view also supports nDepth's search capabilities by letting you create or refine searches by dragging and dropping search strings from the data into the search box.
Search Builder: Opens nDepth's Search Builder, a graphical interface used to create and refine complex searches. You can drag items from nDepth's list pane directly into Search Builder's Conditions box to quickly configure complex searches. With a few minor differences, Search Builder behaves just like the Filter Creation tool.
*In any explorer view, if a particular chart configuration does not logically apply to the data you are exploring, that chart is disabled.
A new search always adds a history item. If you click an earlier history item, the system takes you back to that search; it does not make a new item. As soon as you change something in nDepth and perform a new search, that search becomes a new history item.
nDepth's histogram summarizes alert activity within a particular period. This histogram is for a search of the last 10 minutes of alert activity. The bright zone shows the period that is currently being reported. The gray zones show activity outside of the reported period.
This example shows the histogram for a search that covers a recent 10-minute period of activity. For this search, the bottom time bar is divided into one-minute intervals. The bar above that is divided into half-minute (30-second) intervals. The histogram displays a separate bar for each 30-second interval.
Histogram Features
The histogram has the following features:
- The title bar shows the total number of events that were reported by the search, as well as the search's timeframe.
- The gray zones preview results that are outside the search's timeframe.
- Each vertical bar in the histogram shows the total number of events that happened within the corresponding period.
- Time is shown in 24-hour (military) time.
- Pointing to a bar shows the total number of events that occurred in that interval.
- Clicking a bar opens a pop-up window that shows a histogram for that bar's interval. Depending on the range of the search's timeframe, these intervals can be as short as 5 seconds.
When you are in the Result Details view, the histogram shows two dashed vertical lines. These lines are markers that indicate where you are in the histogram for each page of the search results. The lines show the times of the first and last event on the current Result Details page. By default, the pointer shows the time of the first result on the page. If you select an event in the Result Details box, the pointer shows the time of that event. Example: If you are looking at the search results for events 1-200, the left line shows the time of event 1, and the right line shows the time of event 200. If you click event 150, the pointer shows the time that event occurred.
In the histogram, double-click a vertical bar. nDepth automatically refines the search and refreshes the data to show only the events from the timeframe associated with that bar.
- Drag the slider to the left to move the period to an earlier starting point. Drag the slider to the right to move the period to a later starting point. As you move the slider, a ToolTip displays the period's midpoint time.
3. Click the search button to run the search for the new timeframe. nDepth automatically refines the search and refreshes the data to show only the events from the new timeframe. Moving the period automatically changes the search bar's time selector to Custom.
4. If desired, click the restore button to return to the previous timeframe.
- Drag the left slider to change the timeframe's start time. When you release the slider, a ToolTip shows the new start time.
- Drag the right slider to change the timeframe's end time. When you release the slider, a ToolTip shows the new end time.
3. Click the search button to run the search for the new timeframe. nDepth automatically refines the search and refreshes the data to show only the events from the new timeframe. Changing the timeframe automatically changes the search bar's time selector to Custom.
4. If desired, click the restore button to return to the previous timeframe.
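The histogram behaviour described in this section (bars of a width that depends on the timeframe, 30-second bars for a 10-minute search, drilling into one bar, moving the period with the slider, and resizing the timeframe from either end) is easy to reason about as code. The following is an added Python example written for this page, not nDepth's own code. The event timestamps are constructed, and the rule for choosing a bar width (the smallest candidate width that fits the timeframe in at most 20 bars) is an assumption; the page only states that intervals can be as short as 5 seconds and that a 10-minute search is drawn with 30-second bars.

```python
# Added example (not nDepth code): bucketing event timestamps into histogram
# bars, drilling down into one bar, and moving or resizing the timeframe the
# way the histogram procedures describe. All timestamps are constructed.
import math
from datetime import datetime, timedelta

# Constructed search window and event times. Two events fall just outside the
# window to stand in for the gray zones on either side of the histogram.
WINDOW_START = datetime(2012, 6, 1, 14, 0, 0)
WINDOW_END = WINDOW_START + timedelta(minutes=10)
EVENTS = [datetime.fromisoformat(t) for t in (
    "2012-06-01T13:59:58",
    "2012-06-01T14:00:03", "2012-06-01T14:00:07", "2012-06-01T14:00:41",
    "2012-06-01T14:02:15", "2012-06-01T14:02:16", "2012-06-01T14:02:18",
    "2012-06-01T14:02:19",
    "2012-06-01T14:05:59", "2012-06-01T14:06:00",
    "2012-06-01T14:09:30", "2012-06-01T14:09:59",
    "2012-06-01T14:10:00",
)]

# Candidate bar widths, starting at the 5-second minimum the chapter mentions.
BAR_WIDTHS = [timedelta(seconds=s) for s in (5, 30, 60, 300, 900, 3600)]
MAX_BARS = 20  # assumption: draw at most 20 bars per histogram


def choose_width(start, end):
    """Smallest candidate width that fits the timeframe in MAX_BARS bars.
    A 10-minute search therefore gets 30-second bars, as in the text."""
    span = end - start
    for width in BAR_WIDTHS:
        if span / width <= MAX_BARS:
            return width
    return BAR_WIDTHS[-1]


def histogram(events, start, end, width=None):
    """Return [(bar_start, count), ...] covering [start, end). Zero-count
    bars are kept so the time axis stays continuous."""
    width = width or choose_width(start, end)
    bars = math.ceil((end - start) / width)
    counts = [0] * bars
    for t in events:
        if start <= t < end:
            counts[(t - start) // width] += 1
    return [(start + i * width, c) for i, c in enumerate(counts)]


def outside_window(events, start, end):
    """Counts for the gray zones: events before the start and at/after the end."""
    before = sum(1 for t in events if t < start)
    after = sum(1 for t in events if t >= end)
    return before, after


def drill_down(events, bar_start, width):
    """Double-clicking a bar: refine the timeframe to that bar's interval and
    re-bucket at a finer width (a 30-second bar becomes six 5-second bars)."""
    return histogram(events, bar_start, bar_start + width)


def move_period(start, end, offset):
    """Dragging the period slider keeps the duration and shifts both ends;
    the time selector becomes Custom."""
    return start + offset, end + offset, "Custom"


def resize_period(start, end, new_start=None, new_end=None):
    """Dragging the left or right slider changes one end of the timeframe."""
    start = new_start or start
    end = new_end or end
    if end <= start:
        raise ValueError("end must be after start")
    return start, end, "Custom"


if __name__ == "__main__":
    for bar_start, count in histogram(EVENTS, WINDOW_START, WINDOW_END):
        print(bar_start.strftime("%H:%M:%S"), "#" * count)
    print("gray zones (before, after):",
          outside_window(EVENTS, WINDOW_START, WINDOW_END))
```

Running the block prints twenty 30-second bars for the constructed window; the bar starting at 14:02:00 holds four events, and drilling into it yields six 5-second bars with all four in the 14:02:15 bar. Note that the end of the window is exclusive, so the event at exactly 14:10:00 is counted in the gray zone to the right rather than in the last bar.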
The following topics describe the key features of the Result Details view, as well as how to perform the primary tasks associated with this view.
The following table explains how to interpret search results in Alerts mode.
Event number: The number to the far left is a counter for each alert that is reported in the nDepth search results. Each alert gets its own number. Each row represents a different alert. To make viewing easier, each alert appears with an alternating gray or white background. The number of alerts that appear depends entirely on your search conditions.
Date and time stamp: The time and date the alert occurred.
Alert name: The name of the alert that occurred.
Alert details: The rest of the information in the box is made up of alert details. You can select these details to refine your nDepth search, to explore them with other explorers, or to respond to them with an active response.
The following table explains how to interpret search results in Log Messages mode.
Event number: The number to the far left is a counter for each log message (or event) that is reported in the nDepth search results. Each event gets its own number. Each row represents a different event. To make viewing easier, each event appears with an alternating gray or white background. The number of events that appear depends entirely on your search conditions.
Date and time stamp: The time and date the event occurred.
Log message: The first line of the event displays the actual log message that matched your search criteria.
Host: The network device the message came from (that is, the Manager or appliance that is storing the message).
ToolId: The actual product or tool that generated the message.
ToolType: SolarWinds's tool category for the tool that generated the message. Note: Tool IDs and Tool Types match SolarWinds's tool configuration categories.
2. Add a new search condition by using any of the techniques in this table.
Double-click a string: Select a character string in the data. Then double-click the selected string to add it to the search box.
Drag a string: Select a character string in the data; then drag it into the search box.
Copy and paste a character string from Result Details data into the search box: 1. Change the search bar to Text Input Mode. 2. Select a character string in the data. 3. Press Ctrl+C to copy the string. 4. Click the search box, and then press Ctrl+V to paste the string into the text box.
Type a search string in the search box: 1. Change the search bar to Text Input Mode. 2. Type the search string directly in the search box.
Add conditions to an existing search: 1. In the data, select the character string you want to append to the existing search conditions. 2. Either double-click the selected string, or drag the string into the search box.
You can select specific values and pass them into the value-based explorers, such as Whois, NSLookup, and Traceroute. For example, you could investigate a suspicious IP address with these explorers to learn more about that IP address.
When you are viewing data in Alerts mode, each row in the search results represents the data for an individual alert. You can select the row for an alert you want to explore, and then pass the row into the Event Explorer to explore that event.
To explore details in search results:
1. In the Result Details view, select the item you want to explore:
- Select the character string you want to investigate. When selected properly, the character string is surrounded by an orange box.
- If you are viewing data in Alerts mode, you can select the row that you want to explore in the Event Explorer. When you select a row, an orange highlight bar appears to the left of the row.
2. In the Explore menu, select the explorer you want to use. The Explore > Utilities view appears, and the system passes the selected data to the explorer you selected.
3. Click Search or Analyze, as applicable, to explore the string.
4. Select the folder in which you want to save the file. 5. In the File name box, type a name for the file, if you want one different from the default name given. 6. Click Save. The Console exports the data to a .csv file, in the folder you selected. To stop this operation, you can click Cancel at any time before the data export is complete. Once exported, you may open the file in a spreadsheet application.
Detection IP: The network node that is the originating source of the alert data. This is usually a Manager or an Agent and is the same as the Insertion IP field, but it can also be a network device such as a firewall or an intrusion detection system that sends log data over a remote logging protocol.
Inference Rule: The name of the correlation rule that caused the alert. The Inference Rule field is generally blank, but where the alert was related to a rule it displays the rule name.
Insertion IP: The Manager or Agent that first created the alert. This is the source that first read the log data from a file or other source.
IP Address: The IP address associated with the alert. This is a composite field, drawn from several different alert fields. It shows all the IP addresses that appear in alert data.
Manager: The name of the Manager that received the alert. For data generated from an Agent, this is the Manager the Agent is connected to.
Provider SID: A unique identifier for the original data. Generally, the Provider SID includes information you can use to research the alert in the originating network device vendor's documentation.
Severity: The severity (0-7) of the alert.
Tool Alias: The Alias Name entered when configuring the tool on the Manager or Agent.
User Name: The user name associated with the alert. This is a composite field, drawn from several different alert fields. It shows all the places that user names appear in alert data.
The fields are listed here alphabetically.
Host: The node the log message came from (that is, the LEM or Agent that collected the message for forwarding to nDepth).
HostFromData: The originating network device (if different from the node) that the message came from. Normally, Host and HostFromData are the same, but in the case of a remote logging device (such as a firewall) this field reports the original remote device's address.
ToolId: The actual tool that generated the log message.
ToolType: Tool category for the tool that generated the log message.
nDepth's Word Cloud. You can use the sliders on the lower bar to filter the items shown in the Word Cloud.
nDepth's Word Cloud summarizes your alert activity by showing the top 100 keyword phrases that appear in your alert messages. Phrases appear in a size and color that relates to their frequency:
- Phrases that appear in warmer colors (red, orange, and yellow) and in larger print represent the phrases that occur most frequently. You can think of these as your "hot" items.
- Phrases that appear in cooler colors (green and blue) and in smaller print are those that occur least frequently. You can think of them as "cool" items. Cool items may still be important; they just occur far less frequently than "hot" items.
Point to a phrase in the Word Cloud. A ToolTip appears showing the keyword phrase, its count (the number of times it occurs in the reported period), and its percentage. The percentage is based on the phrase's relative frequency, compared to the other reported phrases.
The top bar is a color gradient that goes from red (hot)to blue (cool). These colors correspond with the colors of the phrases shown in the Word Cloud.
The lower bar controls which parts of the gradient the Word Cloud is allowed to show. You can use this bar to filter the Word Cloud so that it only shows the section of the gradient you want to see. By default, the Word Cloud shows everything associated with the entire gradient: all items that are hot, cool, and in between.
By default, the Word Cloud displays the top 100 phrases, and the sliders are automatically adjusted to this width. If you manually adjust the sliders, nDepth remembers the left position and automatically adjusts the right position so the Word Cloud displays up to 100 phrases between the left and right positions. If all 100 phrases can be shown within the positions you've selected, the sliders stay in place. Slider settings are remembered with each Word Cloud. This means you can create Word Clouds for the Dashboard that are adjusted differently from the primary Word Cloud view.
To filter the contents of the Word Cloud:
- To hide hot items, drag the lower bar's left-hand slider to the right.
- To hide cool items, drag the lower bar's right-hand slider to the left.
- To restore the Word Cloud, drag the sliders back to their far-left and far-right positions.
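To make the Word Cloud's ranking, count, percentage, hot-to-cool color and slider filtering concrete, here is an added Python example written for this page; it is not nDepth's code and does not reproduce how nDepth tokenizes messages. The alert messages are constructed, the tokenizer (word-like tokens of three or more characters, minus a short stopword list) and the five-step gradient are assumptions, and the percentage is each phrase's share of all counted phrase occurrences, which matches the text's description of a relative frequency.

```python
# Added example (not nDepth code): builds a Word Cloud style ranking from
# constructed alert messages, assigns each phrase a hot-to-cool color, and
# applies the two slider positions as a filter.
import re
from collections import Counter

# Constructed alert messages; not real LEM output.
MESSAGES = [
    "Logon failure for user administrator from 10.0.0.5",
    "Logon failure for user administrator from 10.0.0.5",
    "Logon failure for user jsmith from 10.0.0.7",
    "Logon success for user jsmith from 10.0.0.7",
    "Service backup stopped on host srv01",
    "Firewall denied tcp 10.0.0.5 to 192.168.1.20 port 445",
]

TOP_N = 100                                              # the cloud shows at most 100 phrases
GRADIENT = ["red", "orange", "yellow", "green", "blue"]  # hot -> cool (assumed five bands)
STOPWORDS = {"for", "from", "the", "and", "with"}        # assumption: skip filler words


def phrases(message):
    """Keyword phrases: word-like tokens of three or more characters
    (an assumed tokenizer; IP addresses and bare numbers are skipped)."""
    return [w for w in re.findall(r"[a-z][a-z0-9._-]*", message.lower())
            if len(w) >= 3 and w not in STOPWORDS]


def build_cloud(messages, top_n=TOP_N):
    """Rank phrases by frequency (ties alphabetically) and annotate each with
    its count, its share of all occurrences, a gradient color and its
    position on the gradient (0.0 = hottest, 1.0 = coolest)."""
    counts = Counter(p for m in messages for p in phrases(m))
    total = sum(counts.values())
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]
    n = len(ranked)
    cloud = []
    for rank, (phrase, count) in enumerate(ranked):
        cloud.append({
            "phrase": phrase,
            "count": count,
            "percent": round(100.0 * count / total, 1),
            "color": GRADIENT[rank * len(GRADIENT) // n],
            "position": rank / (n - 1) if n > 1 else 0.0,
        })
    return cloud


def filter_cloud(cloud, left=0.0, right=1.0):
    """left/right are the slider positions on the lower bar (0.0 = far left,
    1.0 = far right). Moving the left slider right hides hot items; moving
    the right slider left hides cool items."""
    if not 0.0 <= left <= right <= 1.0:
        raise ValueError("sliders must satisfy 0 <= left <= right <= 1")
    return [entry for entry in cloud if left <= entry["position"] <= right]


if __name__ == "__main__":
    for entry in build_cloud(MESSAGES):
        print(f'{entry["phrase"]:14} {entry["count"]:2} {entry["percent"]:5.1f}% {entry["color"]}')
    print("after hiding the hottest fifth:",
          [e["phrase"] for e in filter_cloud(build_cloud(MESSAGES), 0.2, 1.0)])
```

With the constructed input, "logon" and "user" each appear four times out of 25 counted occurrences (16.0%) and are drawn red; the singletons at the bottom are blue. Dragging the left slider a fifth of the way in drops the three hottest phrases and leaves twelve.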
The items that appear in nDepth's Tree Map view are the same data field categories and values that are listed in the Refine Fields list (at the top of the list pane).
- When you are working with alerts, the Tree Map organizes itself into categories based on common alert data fields. Most categories correspond with actual alert fields, as they appear in the Monitor view.
- When you are working with log messages, the Tree Map organizes itself into categories based on common log message data fields.
Note: Some data categories may not always be present. If there is no alert activity associated with a particular data category or field, it does not appear in the Tree Map. The size of each box corresponds with the relative frequency of its occurrence, so the more often a detail occurs, the larger its box appears. Click a box to select its item from the Tree Map as a search condition. If a box is too small to show its contents, point to it to open a ToolTip that shows its contents.
Note: Even when maximized, a Tree Map category can show very small items within it. Remember that if a box is too small to show its contents, you can point to it to open a ToolTip that shows its contents.
To restore a category to its proportional size:
- Click the category's restore button.
2. On the search bar, click the search button. After a moment, nDepth refreshes to show the results associated with your search.
You can use nDepth's explorer views to create new widgets, change the look of existing widgets, add widgets to the nDepth Dashboard, and remove widgets you no longer use.
nDepth widgets behave a lot like widgets in the Ops Center. To view a widget's details, point to that widget, or click an item on that widget to view details and statistics about that item, as in the pie chart widget shown here.
Click an item on a widget. In the search box, a new search string associated with the widget item is appended to the existing search string.
To add a widget to the nDepth Dashboard from a chart view:
1. Open the Explore > nDepth view.
2. Use the nDepth explorer toolbar to open the chart view you want to work with.
3. In the view, locate the chart widget you want to add to the Dashboard.
4. On the widget, click the Add to Dashboard button.
To add an explorer view to the nDepth Dashboard:
1. Open the Explore > nDepth view.
2. On the nDepth explorer toolbar, click the view you want to add to the Dashboard.
3. On the view's title bar, click the gear icon, and then click Add to Dashboard.
4. The view now appears as a widget at the bottom of the nDepth Dashboard.
search by selecting the conditions you want to search for, and then dragging and dropping those items into Search Builder's Conditions box. For example, if you want to search for activity among your Admin Accounts, you don't have to type a search with a long list of account names. Instead, you can just drag the appropriate User-Defined Group or Directory Service Group into the Conditions box. Search Builder lets you group search items, show AND/OR relationships between search items, select specific values for search items, and select the appropriate operators for specific values.
The search bar and the Search Builder show different views of the same search configuration
Double-click the search bar. Search Builder appears, showing the configuration of the search that is in the search bar.
Search Builder
The following table describes each of the main features of Search Builder.
Undo/Redo: Click the Undo button to undo your last action. You can undo up to 50 steps. Click the Redo button to redo a step that you have undone. You can redo up to 50 steps.
Search bar: The search box shows the current state of the search you are building. If you have a complex search, the search box shows its configuration as a "summary." If you want to view the complete text of the search, switch the search bar to Text Input Mode, which shows the current search configuration as a search string.
List pane: This accordion pane is called the list pane. It contains categorized lists of the alerts, alert groups, alert variables, groups, profiles, and constants that you can use when creating conditions for your searches. Two of the lists apply only to nDepth:
- The Refine Fields list summarizes all of the primary alert details from your search results. Rather than typing this information as a search string, it is much easier (and less prone to error) to drag this information from the Refine Fields list into the search box.
- The Managers list includes each Manager and appliance that can be used with nDepth for searching data.
Histogram pane: Use the histogram to investigate a particular interval, to move the period, to zoom in to a period to take a closer look, or to zoom out to see high-level activity. After configuring the search, click the search button to begin the search.
Conditions box: Use this box to define the conditions for the data that is to be reported by the search. You configure conditions by dragging items from the list pane into the Conditions box. For more information, see "Configuring filter conditions" on page 1.
Add Group button: This button appears at the top of every group box. Click it to create a new group within the group box. A group within a group is called a nested group. Each group is subject to AND and OR relationships with the groups around it and within it. By default, new groups appear with AND comparisons.
Delete button: This button appears at the top of every group box. When you point to a condition, it also appears next to that condition. Click this button to delete a condition or a group. Deleting a group also deletes any groups that are nested within that group.
Group: Individual groups (and the entire Conditions box) can be expanded or collapsed to show or hide their settings:
- Click the expand arrow to expand a collapsed group, and click it again to collapse an expanded group.
- The number that appears in parentheses indicates how many conditions are contained in the group.
Once a group is properly configured, you may want to collapse it to avoid accidentally changing it.
AND/OR: The Conditions box includes AND and OR operators, so you can include AND and OR relationships between your search conditions. Click the operator icon to toggle between AND and OR conditions.
- Drag the item from the list pane into the Conditions box.
- Double-click the item to add it to the Conditions box.
Note: By default, the Conditions box includes a "this item exists" condition. To use it, type or paste the search string you want to search for into the text box. Or you can replace this condition by dragging an item from the list pane on top of it.
4. If the list item contains a variable field (such as a field for an IP address, a constant value, or an empty text box), type the specific value you want to search for.
Note: Search Builder shows you if a particular configuration is invalid. If a condition field is yellow, the search's current configuration is invalid. If a condition field is red, the condition does not apply to the type of data you are currently searching; for example, you may be trying to search log messages with conditions that are meant for alert data.
A red condition means the search configuration does not apply to the type of data you are searching.
5. Click
6. Repeat Steps 2 and 3, dragging new items into the appropriate group boxes, as needed.
7. Select the appropriate AND and OR operators for each group to configure the search to your needs.
8. When you are satisfied with the search conditions, click the search button to run the search.
After a few moments, nDepth returns the search results. To see the search results, do one of the following:
- Select an option from the nDepth explorer toolbar to view a graphical version of the search results.
- Open the Refine Fields list to see a categorized summary of the search data.
- Open the Result Details view to examine and explore the actual data.
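The Search Builder material above (nested groups that default to AND, the AND/OR toggle between members, dragging a User-Defined Group such as Admin Accounts in instead of listing every account, and the red marking of a condition that does not apply to the selected data type) maps directly onto a small condition tree. The following added Python example, written for this page and not nDepth's own code, models that tree and evaluates it against constructed alert records. The operators, the alert and log-message field sets, the Admin Accounts membership and the search-string rendering produced by text() are all assumptions for illustration; nDepth's real search-string syntax is not shown on this page.

```python
# Added example (not nDepth code): a model of the nested AND/OR condition
# groups that Search Builder lets you assemble, evaluated against constructed
# alert records. The search-string syntax rendered by text() is an
# illustration only, not nDepth's actual syntax.
from dataclasses import dataclass, field

# Constructed sample alerts. Field names follow the alert fields this chapter
# describes (DetectionIP, UserName, Severity ...); the values are invented.
ALERTS = [
    {"EventName": "UserLogonFailure", "UserName": "administrator",
     "DetectionIP": "10.0.0.5", "Severity": 3},
    {"EventName": "UserLogon", "UserName": "jsmith",
     "DetectionIP": "10.0.0.7", "Severity": 1},
    {"EventName": "UserLogonFailure", "UserName": "svc_backup",
     "DetectionIP": "10.0.0.9", "Severity": 3},
    {"EventName": "UserLogon", "UserName": "root",
     "DetectionIP": "192.168.1.20", "Severity": 1},
]

# Hypothetical User-Defined Group standing in for the "Admin Accounts" group
# mentioned in the text; membership is constructed.
ADMIN_ACCOUNTS = {"administrator", "root", "svc_backup"}

# Assumed field sets for each data type. A condition on a field that the
# selected data type lacks is what Search Builder colours red.
ALERT_FIELDS = {"EventName", "UserName", "DetectionIP", "InsertionIP",
                "IPAddress", "Manager", "ProviderSID", "Severity", "ToolAlias"}
LOG_FIELDS = {"Host", "HostFromData", "ToolId", "ToolType", "Message"}


@dataclass
class Condition:
    field_name: str
    op: str          # "==", "!=", "contains" or "in"
    value: object

    def matches(self, record):
        actual = record.get(self.field_name)
        if actual is None:
            return False
        if self.op == "==":
            return actual == self.value
        if self.op == "!=":
            return actual != self.value
        if self.op == "contains":
            return str(self.value).lower() in str(actual).lower()
        if self.op == "in":
            return actual in self.value
        raise ValueError(f"unknown operator {self.op!r}")

    def text(self):
        value = sorted(self.value) if isinstance(self.value, set) else self.value
        return f"{self.field_name} {self.op} {value!r}"


@dataclass
class Group:
    operator: str = "AND"                        # new groups default to AND
    members: list = field(default_factory=list)  # Condition or nested Group

    def matches(self, record):
        combine = all if self.operator == "AND" else any
        return combine(m.matches(record) for m in self.members)

    def text(self):
        return "(" + f" {self.operator} ".join(m.text() for m in self.members) + ")"


def run_search(group, records):
    """Return the records that satisfy the whole condition tree."""
    return [r for r in records if group.matches(r)]


def inapplicable_conditions(group, mode):
    """Conditions whose field does not exist for the selected data type
    ('alerts' or 'logs'); Search Builder would show these in red."""
    allowed = ALERT_FIELDS if mode == "alerts" else LOG_FIELDS
    bad = []
    for m in group.members:
        if isinstance(m, Group):
            bad.extend(inapplicable_conditions(m, mode))
        elif m.field_name not in allowed:
            bad.append(m)
    return bad


if __name__ == "__main__":
    # Failed logons by any admin account, or any activity from 192.168.*
    search = Group("OR", [
        Group("AND", [Condition("EventName", "==", "UserLogonFailure"),
                      Condition("UserName", "in", ADMIN_ACCOUNTS)]),
        Condition("DetectionIP", "contains", "192.168."),
    ])
    print(search.text())
    for hit in run_search(search, ALERTS):
        print(hit["UserName"], hit["EventName"], hit["DetectionIP"])
```

The nested group reads as (failed logon AND admin account) OR (source in 192.168.*), and against the constructed alerts it matches the administrator and svc_backup failures plus the root logon from 192.168.1.20. An empty AND group matches everything, which mirrors the "this item exists" default, and inapplicable_conditions flags the same search as entirely red in Log Messages mode because none of its fields exist for log data.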
Utilities
The following table describes the key features of the Explore > Utilities view.
History pane: The History pane displays a record of your explorer viewing history. Selecting an item in the history list displays the corresponding explorer event in the Explorer pane. Click the History button to alternately show and hide the History pane. When needed, you can delete individual history items from the history list. The Reset button removes all items from the history list.
Utilities pane: The Utilities pane shows the explorers that are currently open. You can have multiple explorers open at the same time.
Cascade button: This button arranges the open explorer windows so they appear in an organized cascade. Their title bars are all visible, but the windows are stacked one on top of another. The active explorer is at the front of the stack.
Respond menu: This menu lets you take action to respond to the alert or alert field that is the subject of the active explorer. You can also use the Respond menu to take action even when no explorer windows are open or active. This menu behaves exactly as it does in the Monitor view's alert grid.
Explore menu: This menu contains options to open the other explorers. You can use it to further explore the alert message or alert field that is the subject of the active explorer. Or you can open a blank explorer to manually enter the item you want to explore.
Explorer windows: The explorers you are working with appear as individual windows within the Utilities pane. You can minimize, resize, and close each explorer window as needed.
Minimized explorers: Any explorers that you have minimized appear at the bottom of the Utilities pane as a title bar. Click a title bar to reopen that explorer.
< and > buttons: Beginning from the active explorer window, you can use these buttons to cycle through the other open explorer windows. Click < to go to the previous window. Click > to go to the next window.
Explorer Types
The Console contains the following explorers.
Event: The Event explorer, which can only be opened from the Monitor view, lets you view all of the events that are related to the alert that is currently selected in the Console. The Event explorer displays both sequential and concurrent events. That is, you can view the events that occurred before, during, and after the alert occurred. You can also monitor events in real time, to see where they came from and where they are going. Use this explorer when you need to know what caused the rule to fire.
Whois: The Whois explorer identifies the source of an IP address or domain name based on how it is registered with domain and network authorities. It can tell you where something is located physically in the world, and who actually owns the device you're searching for. For example, use this explorer if you need to know who owns a domain that corresponds to the IP that caused a rule to fire.
NSLookup: The NSLookup explorer resolves IP addresses to host names, and host names to IP addresses. Use this explorer to determine more information about a source or destination IP address. For example, use this explorer when you need to know the name that corresponds to the IP address that caused a rule to fire (it resolves a name like SolarWinds.com to an IP address).
Traceroute: The Traceroute explorer traces the network links from your host computer to the destination you specify. That is, it shows you the hops between your computer and the IP address of the destination. For example, use this explorer to determine the network connections between yourself and an IP that caused a rule to fire.
Flow explorer: The Flow explorer lets you perform flow analysis to determine which IP addresses or ports are generating or receiving the most network traffic. You can also analyze the volume of data (in bytes or packets) that is transferring to or from a given IP address or port number on your network. The explorer reports this information in easy-to-read graphs and tables. For example, if you see a strange IP address at the top of the Flow explorer's activity list, you can select the desired bar on the graph or a row in the table, and then choose the Whois explorer from the Explore menu to find out what the IP address is and why it is transmitting so much data.
nDepth: nDepth is a powerful search engine that lets you search all of the alert data or the original log messages that pass through a particular Manager. The log data is stored in real time, as it originally occurs from each host (network device) and source (application or tool) that is monitored by the Manager.
Both Explore views have a Respond menu and an Explore menu that you can use with any of the explorers:
- The Respond menu lets you take corrective action on an alert or other information presented in an explorer, such as shutting down a workstation when you see a problem reported in the Console.
- The Explore menu lets you use any of the other explorers to investigate a particular alert, alert detail, nDepth search result, or other explorer finding.
NSLookup Explorer
The NSLookup explorer is a network utility that is designed to resolve IP addresses to host names, and host names to IP addresses. Use this explorer whenever you need to know a name that corresponds to the IP address that caused the rule to fire. For example, it resolves a name like SolarWinds.com to an IP address.
In the example shown here, we opened the NSLookup explorer for an alert field that has an IP address of 192.168.168.10 (which appears in the Search field). The explorer retrieved the corresponding host name, which is grendel.corp.SolarWinds.com. Opening the NSLookup explorer adds an item to the Explore view's History pane. The new item has an NSLookup explorer icon.
Traceroute Explorer
The Traceroute explorer is a network utility that is designed to trace the network links from your host computer to the destination you specify. Use this explorer whenever you need to determine the network connections between yourself and the IP address that caused the rule to fire.
In the example shown here, we used the Traceroute explorer on the IP address 192.168.167.1. It shows you the hops between your computer and that IP address. In this example, connecting to that IP address required two hops. Opening the Traceroute explorer adds an item to the Explore view's History pane. The new item has a Traceroute explorer icon.
Whois Explorer
The Whois explorer is a network utility that is designed to identify the source of an IP address or domain name based on how it is registered with domain and network authorities. This explorer contacts the central databases for IP addresses and domain names and returns the results of any of your searches. It can tell you where something is located physically in the world, and who actually owns the device you're searching for. For example, use this explorer if you need to know who owns a domain that corresponds to the IP address that caused a rule to fire.
The example on the left shows the results for an IP address. The example on the right shows the results for the SolarWinds domain name, SolarWinds.com. From these, you can find out who owns the IP address and where the server is hosted. Opening the Whois explorer adds an item to the Explore view's History pane. The new item has a Whois explorer icon.
Chapter 9: Build
The Build menu contains three views: Groups, Rules, and Users. Use these views to configure the related components on the LEM appliance. Since these components reside on the appliance, they are universal and available to all console users from any computer. The sections in this chapter address the features of each Build view in detail.
Groups
The Build > Groups view is used to create, name, configure, and organize groups of parameters. You may then choose from these Groups when configuring filters (in Filter Creation) and rules (in Rule Creation) to include or exclude the specific elements defined within each Group. Each Group you create only applies to the Manager that is selected when you create the Group. If you need a similar Group for another Manager, you must create it separately with that other Manager, or you must export the Group and then import it from the other Manager's Groups grid.
Group types
You can use the Build > Groups view to create any of the Groups listed in the following table.

Alert Groups: Alert Groups are custom families of alerts that you can save as a Group. You can then associate the Alert Group with your rules and filters. For example, you might create an Alert Group made up of similar alerts that all need to trigger the same response from the Console. When you apply the Alert Group to a rule, the Console implements the same rule when any one of the alerts in the Group occurs.

Directory Service Groups: If you use a directory service, such as Active Directory, you can connect LEM to the server that stores your existing directory service (DS) Groups. Once connected, you can synchronize your DS Groups with LEM and apply them to your rules and filters. DS Groups allow you to match, include, or exclude events to specific users or computers, based on their DS Group membership. In most cases, DS Groups are used in rules and filters as a type of whitelist or blacklist for choosing which users or computers to include or to ignore. When used by a filter, a DS Group lets you limit the scope of the alerts included in the filter to those users or computers that have membership in a particular Group.

Email Templates: Email Templates allow you to create pre-formatted email messages that your rules can use to notify you of an alert event.

State Variables: State Variables are used in rules. They represent temporary or transitional states. For example, you can create a State Variable to track the state of a particular system, setting it to a different value depending on whether the system comes online or goes offline.

Time of Day Sets: Time of Day Sets are specific groups of hours that you can associate with rules and filters. Time of Day Sets allow them to take different actions at different times of day. For example, if you define two different Time of Day Sets for Working Hours and Outside Working Hours, you can assign different rules to each of these Time of Day Sets. For instance, you may want a rule that automatically shuts down the offending computer and alerts your system administrator via email.

Tool Profiles: Tool Profiles are groups of Agents that have common tool configurations. Most Agents in a network have only a few different network security tool configurations. Tool Profiles allow you to group Agents by their common tool configurations. You can then have your rules and filters include or exclude the Agents associated with a particular profile.

User-Defined Groups: User-Defined Groups are groups of preferences that are used in rules and filters. They allow you to match, include, or exclude events, information, or data fields based on their membership in a particular Group. In most cases, User-Defined Groups are used in rules and filters as a type of whitelist or blacklist for choosing which events to include or to ignore.

The Groups grid has the following columns:
Description: Displays a description of the Group. Pointing to this field displays the complete description as a ToolTip.
Created By: Displays the name of the Console user who created the Group.
Created Date: Displays the date the Group was created.
Modified By: Displays the name of the Console user who last modified the Group.
Modified Date: Displays the date on which the Group was last modified.
The following fields in the Refine Results pane let you narrow the Groups grid:
Created Date Range: Type or select a date range to have the grid display only Groups that were created on or within that date range.
Modified By: Select the name of the Console user who last modified the Group to have the grid display only Groups modified by that user.
Modified Date Range: Type or select a date range to have the grid display only Groups that were modified on or within that date range.
Rules
The Console's Build > Rules view is used to create, configure, and manage your rules. Rules are used to monitor and respond to alert traffic. They allow you to automatically notify or respond to security events in real time, whether you are monitoring the Console or not. When an alert (or a series of alerts) meets a rule's conditions, the rule automatically prompts the Manager to take action, such as notifying the appropriate users, or performing a particular active response (such as blocking the IP address or stopping a particular process). The Console ships with a set of pre-configured rules that you can begin using immediately. However, you can use the view's Rule Creation tool to create your own custom rules and your own variations on any existing rules.
The following table describes the meaning of each column in the Rules grid. Columns are listed in their default order, from left to right.
Gear button: The gear button in each row opens a menu of commands that you can perform on the item that is currently selected in the grid. These commands let you edit, enable, disable, test, clone, and delete the selected rule.
Enabled: Indicates whether or not the rule is enabled and ready for use with your policies. (icon) means the rule is enabled and is in active use. (icon) means the rule is disabled, and is not in use.
Test: Indicates whether or not the rule is in test mode. When a rule is in test mode, it causes alerts to appear in the Console, but it cannot perform any active responses. This lets you see how the rule would behave when it is fully enabled, but without risking any negative unintended consequences. (icon) means the rule is in test mode. (icon) means the rule is not in test mode. Note: A rule must be Enabled before you can test it.
Name: The name of the rule.
Description: A description of the rule. Pointing to this field displays the complete description as a ToolTip.
Folder: The name of the folder (in the Folders pane) in which the rule is stored.
Created By: The name of the Console user who created the rule.
Created Date: The date the rule was created.
Modified By: The name of the Console user who last modified the rule.
Modified Date: The date and time on which the rule was last modified.
Manager: The Manager the rule is associated with.
Modified Date Range: Type or select the begin and end date range to have the grid display only rules that were modified on or within that date range.

The tools in Rule Creation are very similar to those found in Filter Creation. However, filters report event occurrences; rules act on them. There is no harm if you create a filter that is unusual or has logic problems. But this is not always the case with rules. Rules can have unexpected and sometimes unpleasant consequences if they are not configured exactly as you intend them to be. Inexperienced users should use caution when creating rules. Creating filters is an excellent way to familiarize yourself with the logic and tools needed to create well-crafted rules. You should only begin configuring rules after you are at ease with configuring filters. Even then, always test your rules before implementing them.
Users
The Users view is used to manage the system users who are associated with each Manager. By adding email addresses for each user, the Console can notify users of alert conditions by email. The topics in this section describe the key features of the Users view, the meaning of each column in the Users grid, and how to refine the Users grid.
User Information: This pane displays detailed information about the user who is currently selected in the grid, including the user's role, password information, and contact information. When editing a user, the User Information pane turns into an editable form.

The Users grid has the following columns:
Gear button: Use the Edit command to edit the user's settings and contact information. Use the Delete command to delete the user.
Status: Indicates if the user is currently logged on to the Console: (icon) means the user is logged on. (icon) means the user is not logged on.
User Name: Displays the name the user uses to log on to the Manager.
First Name: Displays the user's first name.
Last Name: Displays the user's last name.
Role: Displays the user role that has been assigned to the user.
Description: Displays a brief description of the user's job function or responsibility.
Manager: States which Manager the user is associated with.
Last Login: States the date and time the user last logged on to the system.
The following fields in the Refine Results pane let you narrow the Users grid:
Reset: Click Reset to return the form and the Users grid to their default settings.
Manager: Select the Manager you want to work with. By default, the grid displays All Managers.
Role: Select the user role you want to work with. By default, the grid displays All roles.
Last Login Date Range: Type or select the begin and end date range to display the users who have logged in within that date range.
3. Click the View Role button. The Privileges form appears, showing the user's system privileges for his or her assigned role. This information is provided here for reference purposes and cannot be changed.
4. When you are finished viewing the role's privileges, click Close to return to the Console.
The Appliances view is primarily concerned with Managers, even though other appliances may appear in your appliance list. Once a Manager is in place, you can use the Appliances view to do the following:
• Use the Console to connect to and disconnect from a particular Manager.
• Add a Manager's Agents.
• Configure rules, policies, and network security tools that apply to each Manager.
Note: Commands in the Appliances view can take a while to execute, because they must remotely access the Manager or network appliance.
The following table describes the key features of the Manage > Appliances view.
Appliances grid: This grid lists all of the Managers and other network appliances that are monitored by LEM. You can use this grid to add, configure, or remove appliances, to configure Manager tools and Manager policy, and to connect to and disconnect from Managers.
Add button: Click this button to add a new Manager or network appliance to the Console.
Gear button: The gear button at the top of the grid opens commands that you can perform on multiple selections in the grid, and commands that do not require a grid selection.
Copy button: Click this button to copy the grid's information about your Managers to the clipboard, so you can paste it elsewhere, such as Microsoft Excel for analysis or the Remote Agent Installer for updates.
Details: The Details pane displays an image of the appliance, as well as basic properties about that appliance, such as its name, connection status, etc. LEM provides the images for the last few (and next) generation of appliances. When you add or configure a Manager, one of the options is to identify the model. Your choice determines which picture, if any, is shown.
Properties: The Properties form is used to configure each Manager. It records the Manager's configuration settings, such as its login options, Agent licenses, its password settings, and its ability to automatically send software updates to Agents. Note: This form is only used for Managers. It is disabled for other types of appliances.
The Appliances grid has the following columns:
Gear button: The gear button in each row opens a menu of commands that you can perform on the appliance that is currently selected in the grid, such as Login, Logout, Configure, Tools (for connecting products to the appliance), Policy (for assigning alert distribution policy), and Delete. The Login, Logout, Tools, and Policy options apply only when you have a Manager selected. If you have a Manager selected but are not connected, only the Login, Configure, and Delete commands are available.
Status: The appliance's current connection status: (icon) means Connected/Logged In. (icon) means Disconnected/Logged Off.
Used to differentiate between multiple Managers in the nDepth view.
Name: The name of the Manager or the appliance.
Type: The type of appliance: Manager, Database, Logging Server, or Network Sensor.
Version: States the version of the LEM Manager software.
Level: The model number for the appliance. It is directly related to the capacity and performance of the appliance, ranging from Level to Level 4.
IP Address: States the Manager's or the appliance's IP address.
Port: The port number the Console is using to communicate with the Manager, the network appliance, or the database.
Service Tag: The Dell serial number or registration number for this appliance. It uniquely identifies this piece of equipment and its specific configuration properties.
Model: For Managers, states the model number.
User: For Managers, this column displays the user name that is currently logged on to that Manager.
Details Pane
The Details pane displays essential information about an appliance, such as its name, connection status, IP address, etc. The image area can also display an image for each appliance, if you choose to provide them.
To view an appliance's details:
1. Open the Manage > Appliances view.
2. If needed, log into the Manager you want to work with.
3. In the Appliances grid, click to select the Manager or appliance you want to work with.
4. If the Details/Properties pane is not already open, click the open pane button at the bottom of the window.
The Details pane displays information about the Manager or appliance you have selected.
Image area: Displays an image of the Manager that is currently selected in the Appliances grid, if the model number is known and an image is available.
Status: Displays the Manager's or the appliance's current connection status.
Name: Displays the Manager's or the appliance's name.
Type: Indicates the appliance type: Manager, Database Server, nDepth, Logging Server, or Network Sensor.
Version: Displays the version of the Manager software.
Level: Displays the specific Manager appliance configuration level you have purchased.
IP Address: Displays the Manager's or the appliance's IP address.
Port: Displays the port number that the Console uses to communicate with the Manager or the appliance.
Service Tag: Displays Dell's assigned serial number for the Manager appliance. You can find this number on the Manager information sheet that is provided with the appliance.
Model: When applicable, this field displays the Manager's model number. If the model is unknown, the model may be Other. If the appliance is not a Manager, this field is empty.
Many data sources generate alerts that are difficult to control at a granular level; or, they generate alerts of little or no value. You are better off removing these alerts from the system to reduce the volume and noise being sent to your Console and database. By configuring alert distribution policy, you can disable (exclude) specific alert types, at the alert level, from being sent to any or all of these destinations. The data sources will continue to generate these alerts, so you can always enable them at any time. Until then, the selected system destinations will ignore them.
There may be alerts that you want to monitor in the LEM Console, but do not need for long-term storage and reporting. In this case, you can use alert distribution policy to disable database storage for certain alerts, while enabling processing by the Console.
Click Yes at the prompt to break the user's lock and take over the policy. You may now edit the policy.
Click No at the prompt to view the policy in read-only mode. The Save and Apply commands will be disabled, and you will not be able to make policy changes.
The following table describes the key features of the Alert Distribution Policy window.
Alert/Field grid: The window's grid is a hierarchical node tree. The Alert/Field column lists alert categories and alert types. Opening an alert category node displays the lower-level alert types that are associated with that category. Click a node to open it, showing its lower-level alert type nodes. Click the node again to close it, hiding its lower-level alert type nodes.
Destination check boxes: The check boxes in the grid's Console, Database, Warehouse, and Rules columns indicate whether or not a particular alert type (or entire alert category) is to be sent to the LEM Console, or to the local database. A check mark means the alert type will be routed to that particular destination. An empty check box means the alert type will not be routed to that destination.
Export button: The Export button exports a Manager's alert policy to a spreadsheet file.
Gear button: Click the gear button to use the Apply State to Branch command. This command pushes, or propagates, the selected alert node's check box settings down to the related, lower-level alert types in the node tree hierarchy.
Description box: The Description box provides a description of the alert type or alert category that is currently selected in the grid.
OK, Apply, and Cancel buttons: These buttons let you save or cancel changes to your alert distribution policies.
• In the Alert/Field list, click any node to show its lower-level alert type nodes.
• In the Alert/Field list, double-click any alert type row to show its lower-level alert type nodes.
3. Once you have found the alert type you want, configure it as follows:
• Select the row's Console check box to have that alert type appear in the LEM Console.
• Select the row's Database check box to have that alert type stored in the local database.
• Clear a check box to exclude the alert type from that particular destination.
• Click OK to save your alert distribution policy changes, close the window, and return to the Console.
• Click Apply to save your changes, but keep the window open so you can continue working.
• Click Cancel to close the window without saving your changes and return to the Console.
Upon saving, the Applying Changes status bar appears. Updating the Manager with the new alert policy configuration changes can take anywhere from 30 seconds to several minutes.
The Console pushes, or propagates, the parent row's check box settings down to each of its lower-level alert types in the node tree hierarchy.
• If you select one or more of the parent row's check boxes, the Console selects the same check box settings for each related lower-level alert type in the node tree. Upon saving, the policy begins sending the child alert types to the selected destinations.
• If you clear any of the parent row's check boxes, the Console clears the same check box settings from each related lower-level alert type in the node tree. Upon saving, the policy stops sending those alert types to those destinations.
4. Click OK to save your changes. The Console immediately implements the new policy.
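The propagation behaviour described above, as an added example that is not SolarWinds code: a small constructed model of the Alert/Field node tree with one check box per destination, the Apply State to Branch push-down, the routing decision the policy encodes, and a flat export in the shape of the Export button's spreadsheet. The category and alert type names (ExampleAuditCategory, ExampleNoisyAudit, ExampleLogon) are invented for the example.

```python
"""Model of the Alert Distribution Policy node tree described above.

Added example, not SolarWinds code. It builds a small constructed tree of
alert categories and alert types, gives each node one check box per
destination (Console, Database, Warehouse, Rules), implements the Apply
State to Branch behaviour (a parent row's settings pushed down to every
lower-level alert type), and answers the routing question the policy
exists for: should this alert type reach this destination?
"""
from dataclasses import dataclass, field

DESTINATIONS = ("Console", "Database", "Warehouse", "Rules")


@dataclass
class AlertNode:
    """One row in the Alert/Field tree: a category or an alert type."""
    name: str
    # One check box per destination; True = routed, False = excluded.
    routes: dict = field(default_factory=lambda: dict.fromkeys(DESTINATIONS, True))
    children: list = field(default_factory=list)

    def find(self, name):
        """Return the node with this name at or below this node, else None."""
        if self.name == name:
            return self
        for child in self.children:
            hit = child.find(name)
            if hit is not None:
                return hit
        return None


def apply_state_to_branch(node):
    """Push node's check box settings down to every lower-level alert type.
    This is what the gear menu's Apply State to Branch command does, and what
    the Console does automatically when you change a parent row's check box."""
    for child in node.children:
        child.routes = dict(node.routes)
        apply_state_to_branch(child)


def set_route(node, destination, enabled, propagate=False):
    """Select (True) or clear (False) one check box on a node. With propagate,
    the setting is pushed to the node's lower-level alert types as well."""
    if destination not in DESTINATIONS:
        raise ValueError(f"unknown destination {destination!r}")
    node.routes[destination] = enabled
    if propagate:
        apply_state_to_branch(node)


def is_routed(tree, alert_type, destination):
    """True if the named alert type's check box for destination is selected,
    i.e. the Manager will send that alert to that destination."""
    node = tree.find(alert_type)
    if node is None:
        raise KeyError(f"no alert type named {alert_type!r}")
    return node.routes[destination]


def export_policy(tree):
    """Flatten the tree into rows like the Export button's spreadsheet:
    (Alert/Field path, Console, Database, Warehouse, Rules)."""
    rows = []

    def walk(node, path):
        here = path + [node.name]
        rows.append(("/".join(here),) + tuple(node.routes[d] for d in DESTINATIONS))
        for child in node.children:
            walk(child, here)

    walk(tree, [])
    return rows


def build_sample_policy():
    """Constructed sample tree; category and alert type names are invented."""
    noisy = AlertNode("ExampleNoisyAudit")
    logon = AlertNode("ExampleLogon")
    category = AlertNode("ExampleAuditCategory", children=[noisy, logon])
    return AlertNode("All Alerts", children=[category])


def keep_in_console_only(tree, category_name):
    """The scenario from the text: keep a category visible in the Console but
    stop storing it in the database. Clearing the parent row's Database box
    propagates to every alert type in the category."""
    category = tree.find(category_name)
    set_route(category, "Database", False, propagate=True)
    return tree


if __name__ == "__main__":
    policy = keep_in_console_only(build_sample_policy(), "ExampleAuditCategory")
    # One alert type in the category is still wanted for long-term reporting:
    # re-select its Database box individually; its sibling keeps the parent's state.
    set_route(policy.find("ExampleLogon"), "Database", True)
    for row in export_policy(policy):
        print(row)
```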
• You can view and manipulate the policy information in a spreadsheet application, such as Microsoft Excel.
• You can provide SolarWinds with a copy of your policy information for technical support or troubleshooting purposes.
To export a Manager's policy:
1. Open the Alert Distribution Policy window for the Manager you want to work with.
2. At the top of the window, click Export. The Save As form appears.
3. In the Save In box, select the folder you want to export to.
4. In the File Name box, type a name and file type for the exported file. In the file name, include a file type of .xls to save the file as a Microsoft Excel spreadsheet.
5. Click Save to save the file. The Console saves the file to the folder and with the file name you specified. You may now view the Manager's policy information in a spreadsheet application, such as Excel.
Nodes
The Manage > Nodes view displays the Agents that are monitored by each of your Managers. Once you have installed the Agents on your client PCs, you can use the Nodes view to do the following:
• Integrate the Agents' network security tools with the LEM system. You are actually integrating the Agents themselves, but the Agents forward messages from the network security tools to the Manager for alert processing.
• Connect an Agent to a Manager.
• View the name, connection status, alert status, and IP address of each Agent.
• Determine whether or not the Agent is using USB-Defender.
• View an Agent's properties.
• Control an Agent's automatic update settings for installing new software from the Manager.
• Actively respond to events that affect Agents.
• Copy Agent information to the clipboard for use with the Remote Agent Installer, or for analysis with programs such as Microsoft Excel.
The following table describes the key features of the Manage > Nodes view.
Sidebar: Click the Sidebar button to alternately hide and open the Refine Results pane.
Refine Results pane: By default, the Agents grid shows all Agents that are associated with all of your Managers. The Refine Results pane lets you apply filters to the Agents grid to reduce the number of Agents it shows. This way, you can show only those Agents that are associated with a particular Manager, Tool Profile, status, etc.
Nodes grid: The Nodes grid lists all of the Agent and Non-Agent nodes that are associated with each Manager and appliance that is monitored by the LEM Console.
Respond menu: Use the Respond menu to perform an action on a particular Agent. For example, you can send an Agent a pop-up message, or shut the computer down. This menu behaves exactly as it does in the Monitor view's alert grid.
Remote Updates menu: This menu lets you control the Agent's automatic update status. Remote updates are a way for the Agent to automatically accept updated Agent software from the Manager when new software becomes available.
Gear button: The gear button at the top of the grid opens commands that you can perform on multiple selections in the grid, and commands that do not require a grid selection. It includes commands for copying Agent information and for deleting Agents.

The Nodes grid has the following columns:
Gear button: The Tools command lets you configure the Agent's tools. The Delete command lets you delete Agent licenses from a Manager. The Copy command lets you copy Agent information to the clipboard for use with the Remote Agent Installer, or for analysis in another program, such as Microsoft Excel.
Status: The Agent's current connection status: (icon) means the Agent is Connected to a Manager. (icon) means the Agent is Not Connected to a Manager (that is, it is an open license).
IP Address: The Node's IP address.
Name: The name of the system where the Node is installed. Typically, this is the computer name or host name assigned to the Node.
The LEM Manager or Agent on which the node's logs are stored. Note: This column is blank for LEM Agents.
USB-Defender: The Agent's current USB-Defender status. An icon means USB-Defender is installed on the Agent. If no icon is present, USB-Defender is not installed on the Agent. Note: This column is blank for non-Agent nodes.
Version: The version number of the Agent software. Note: This column is blank for non-Agent nodes.
OS: The operating system of the computer where the Agent is installed. Note: This column is blank for non-Agent nodes.
Profile: The Tool Profile associated with the Agent, if applicable. Note: This column is blank for non-Agent nodes.
Updates Enabled: This field indicates whether or not the Agent is enabled for receiving remote updates. Its icon shows one of the following statuses:
  Enabled: The Node is enabled for receiving remote updates.
  Disabled: The Node is disabled from receiving remote updates.
Update Status: This field indicates the Agent's current software update status. Its icon shows one of the following statuses:
  Current: The Agent's software is current.
  Outdated: The Manager has an update newer than the version being used by this Agent.
  Updating: The Manager is currently sending an update to this Agent.
  Queued: The Agent is waiting to be updated while other Agents get updated. The number of Agents that can be updated at one time is determined by the Maximum Concurrent Updates setting in the Appliances view's Settings tab.
  Unknown: The Manager does not yet know the Agent's software status.
  Canceled: The user canceled updating during the update process.
  Error ID: An error has occurred while updating.
Manager: The Manager that this Agent is connected to. An Agent can only be connected to one Manager.
The time and date the Agent was first installed and connected to the Manager.
The time and date the Agent was last connected to the Manager.
The following fields in the Refine Results pane let you narrow the Nodes grid:
Profile: Select the Tool Profile you want to work with. Select All to include Agents from every Tool Profile.
Node: Select whether you want to view Agent or Non-Agent nodes.
Status: Select the connection status of the Agents you want to work with (Connected or Not Connected). Select All to include both.
Version: Select the version of the software on the Agent. Select All to include Agents of every version.
OS: Select the operating system (OS) of the computer the Agent is installed on. Select All to include all operating systems.
USB: Select the Agent's USB-Defender status (Installed or Not Installed). Select All to include both.
3. Complete the User Information form, as described in the following table.
Manager list: In the upper-right corner of the form, select the Manager this user will be associated with.
User Name: Type the user's system user name. This is the name the user will use when logging into the Manager.
First Name: Type the user's first name.
Last Name: Type the user's last name.
Password: Type the user's system password. This is the password the user will use when logging into the Manager. This can be an initial system password or a temporary password that is assigned to replace a forgotten password. If you have the Must Meet Complexity Requirements option checked in the Appliances view's Settings tab, the Console enforces the following password policy:
• Passwords must have a minimum of six characters.
• Spaces are not allowed.
• At least one special character.
• At least one number.
• A mix of lowercase and uppercase letters.
Confirm Password: Type the password a second time to verify that you entered it correctly.
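The complexity policy listed above, as an added example that is not SolarWinds code: a checker that reports every requirement a candidate password fails, plus the Password / Confirm Password match. The page does not define "special character", so the example assumes any ASCII punctuation character qualifies; the sample passwords are constructed.

```python
"""Checker for the LEM password complexity policy described above.

Added example, not SolarWinds code: it encodes the five stated
requirements (minimum six characters, no spaces, at least one special
character, at least one number, a mix of lowercase and uppercase letters)
and returns every requirement a candidate password fails, so an operator
sees all the problems at once instead of one per attempt.
"""
import string

MIN_LENGTH = 6  # "Passwords must have a minimum of six characters."


def password_policy_failures(password):
    """Return the list of policy requirements the password does not meet.

    An empty list means the password satisfies the policy. What counts as a
    "special character" is not defined on the page; this example assumes any
    ASCII punctuation character (assumption, not the product's definition).
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"must have at least {MIN_LENGTH} characters")
    if any(ch.isspace() for ch in password):
        failures.append("spaces are not allowed")
    if not any(ch in string.punctuation for ch in password):
        failures.append("at least one special character")
    if not any(ch.isdigit() for ch in password):
        failures.append("at least one number")
    has_lower = any(ch.islower() for ch in password)
    has_upper = any(ch.isupper() for ch in password)
    if not (has_lower and has_upper):
        failures.append("a mix of lowercase and uppercase letters")
    return failures


def meets_policy(password, confirm):
    """True only if the Password and Confirm Password entries match and the
    password passes every complexity check."""
    return password == confirm and not password_policy_failures(password)


if __name__ == "__main__":
    # Constructed sample passwords (not from the page).
    for candidate in ["abc", "password", "Passw0rd", "Pa ss1!", "Tr0ub4dor&3"]:
        problems = password_policy_failures(candidate)
        print(f"{candidate!r}: {'ok' if not problems else ', '.join(problems)}")
```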
Role: Select the user's role:
• Administrators are users who have full access to the system, and can view and modify everything.
• Auditors are users who have extensive view rights to the system, but cannot modify anything other than their own filters.
• Monitors are users who can access the Console, but cannot view or modify anything, and must be provided a set of filters.
• Contacts are users who cannot access the Console, but do receive external notification.
• Guests are users who can access the Console, but cannot view or modify anything, and must be provided a set of filters.
View Role: After selecting a user role, you can click the View Role button to open the Privileges form, which shows the system privileges for that role. This information is provided here for reference purposes and cannot be changed.
Description: Type a brief description (up to 50 characters) of the user's title, position, or area of responsibility.
Contact Information: Use this section to record the user's email addresses, so the Manager can notify users of network security events by email. You can add as many email addresses as you need for each user. It is always a good idea to test each email address to confirm that it has been entered correctly and that it works properly.
To add the user's email address:
1. Click the add button.
2. In the box that appears (shown here), type the user's email address and then click Save.
3. The email address appears in the Contact Information section.
4. Repeat this procedure as needed, to record each email address that applies to the user.
To test an email address:
1. In the User Information form's Contact Information area, click the test button for the email address you want to test.
2. Verify that the user has received the email test message. If the message was not received, you may need to edit the email address.
Note: In order for the Manager's notification system to work, you must have the Manager's Email Tool Settings set up properly.
Never Expires: Select this check box if the user's password does not expire. This means the user will not be required to periodically change his or her password. Clear this check box if the user is required to change his or her password
Must Reset Password on Login: Select this check box if the user is required to change his or her password after logging onto the system for the first time with a temporary password.
4. When you are finished, click Save to save the new user; otherwise, click Cancel.
To create a user from an Active Directory user:
1. Open your LEM console and log in to your LEM appliance.
2. Configure the Directory Service Query tool on your LEM appliance if you haven't already. For additional information, see the KB article "How to Configure the Directory Service Query Tool".
3. Click Build and then select Users.
4. Click the plus button, and then select Directory Service User.
5. Select the Organizational Unit and Group where you want to add the user.
6. Select the user you want to add from the Available Users column, and then click Select User.
7. Select a LEM Role in the User Information form. Click View Role to see details about each role.
8. Enter a user description if you want. If you change the Description field, your changes only apply to the LEM user account, not the Active Directory account.
9. Click Save.
To create users from an Active Directory group:
1. Open your LEM console and authenticate to your LEM appliance.
2. Configure the Directory Service Query tool on your LEM appliance if you haven't already. For additional information, see the KB article "How to Configure the Directory Service Query Tool".
3. Click Build, and then select Users.
4. Click the plus button, and then select Directory Service Group.
5. Select the Organizational Unit to which the group you want to add belongs.
6. Select the group you want to add from the Available Groups column, and then click Select Group.
7. Select a LEM Role in the User Information form. Click View Role to see details about each role. Note: If you want members of this group to have different LEM user roles, change their roles individually after you complete this procedure.
8. Enter a description for these users if you want. If you change the Description field, your changes only apply to the LEM user accounts, not the Active Directory accounts.
9. Click Save.
Double-click the user you want to work with. Click to select the user you want to work with. Then click the rows gear button and click Edit.
Below the grid, the User Information pane displays the users current settings and becomes an editable form. 3. Make the necessary changes to the User Information form. 4. Click Save.
To delete a user's email address:
1. Open the Build > Users view.
2. In the Users grid, click to select the user you want to work with.
3. Click the row's gear button and then click Edit.
4. In the User Information form's Contact Information section, click the delete button next to each email address you want to delete. The system removes that particular contact information.
5. Click Save.
Deleting Users
Follow this procedure to delete a user from a Manager.

To delete a user:
1. Open the Build > Users view.
2. In the Users grid, click to select the user you want to delete.
3. Click the gear button and then click Delete. Note: You cannot delete the admin user from the system.
4. At the Confirmation prompt, click Yes to delete the user; otherwise, click No. The user is removed from the Users list. This user is no longer authorized to use the Manager.
To configure your LEM Manager to allow specific computers to run LEM Reports:
1. Log in to your LEM virtual appliance using either the vSphere "console" view, or an SSH client such as PuTTY.
2. At the cmc> prompt, enter service.
3. At the cmc::scm# prompt, enter restrictreports.
4. Press Enter.
5. Enter the IP addresses of the computers you want to allow to run LEM Reports, separating each address with a space. Note: Your entry overrides any previous entries, so ensure the list you provide is complete.
6. Enter y to confirm your entry.
7. Enter exit to return to the cmc> prompt.
8. Enter exit to log out of your LEM virtual appliance.

To remove all LEM Reports restrictions:
1. Log in to your LEM virtual appliance using either the vSphere "console" view, or an SSH client such as PuTTY.
2. At the cmc> prompt, enter service.
3. At the cmc::scm# prompt, enter unrestrictreports.
4. Press Enter. Note: Unrestricting LEM Reports makes the LEM database accessible from any computer on your network that is running LEM Reports.
5. Enter exit to return to the cmc> prompt.
6. Enter exit to log out of your LEM virtual appliance.
Filters
The topics in this section explain how to create and manage alert filters.
- Alerts: Drag a single Alert into your Conditions to filter for any instance of the Alert you specify. This type of Condition does not require a value. The field at the top of the Alerts list is a search box.
- Alert fields: Drag an Alert field into your Conditions to filter for any Alert that contains the value you specify.
7. If your Condition defined above requires a value, populate the value in one of the following ways:
- Enter a static text value in the Text Constant field (denoted by a pencil icon). Note: Use asterisks (*) as wildcard characters to account for any number of characters before, within, or after your text value.
- Drag a Group from the list pane on the left over to replace the Text Constant field. The most commonly used Groups include User Defined Groups, Tool Profiles, Directory Service Groups, and Time Of Day Sets.
- Drag an Alert field from an Alert already present in your Conditions over to replace the Text Constant field. This results in a condition that states whether values from different Alerts in your Conditions should match.
8. If you want to change the operators in your Conditions, click the operator until you find the one you want. There are two types of operators.
- Condition operators: These are found between your Alerts, etc. and their values. Examples include Equals, Does Not Equal, Contains, and Does Not Contain. Filter Creation only displays the operators that are available for the values in your Conditions.
- Group operators: These are found on the outside (right) of your Condition Groups. The two options are And (blue) and Or (orange).
9. Repeat Steps 6, 7, and 8 for any additional Conditions you want to configure for your filter.
10. Add a Notification to your filter using the Notifications list on the left.
11. If the Filter Status below the Description field contains an error or warning, click the status indicator to view additional details and address the issue.
12. Click Save.
particular view, then it will not appear in that view.

Refine Fields (list)
Description: This list only appears with nDepth. It categorizes and lists the top 100 data details for each listed field found within your nDepth search results. The details change, depending on whether you are searching alert data or log messages. You can use these details to create, refine, or append nDepth search conditions.
- Click All to collapse all of the category nodes. Click > All to open all of the category nodes. Click > next to a category to open that category. Click next to a category to close that category. The number in parentheses next to each category indicates how many unique details are in that category.
- The number next to each detail indicates how many times that detail is reported in the search result's data.
- Click the ABC button to sort the details within each category alphabetically. Click the 321 button to sort the details within each category by frequency; the items that occur most often appear first within each category.
- Double-click a detail to add that detail to the search string. Drag a detail into the search bar to include that item in the search string. When using Search Builder, drag a detail into the Conditions box to add that item to the search string.
Managers (list)
Description: This list only appears in nDepth. It includes the various appliances that are being monitored by the Console. Use this list to select the Manager on which you want to perform an nDepth search. If you are storing the original event log data on a separate nDepth appliance, then you would select that appliance here when you want to search that data.
- In Drag & Drop Mode, you can drag an item from this list into the search box to include that item in the search string.
- When using Search Builder, you can drag an item from this list into the Conditions box.
Alerts
The Alerts list includes all of the Console's alert types. You can show the alerts in either of two ways: as a hierarchical node tree, or as an alphabetized list. Both views contain the same alerts; they are just presented differently. You can search either view. To do so, begin typing a word or phrase in the box at the top of the list. The Alerts list will refresh to show any alert types that include your word or phrase. Then use the list to select each alert type that you want to include as a filter condition or a rule correlation.

In the Alerts list, click this button to display the list as a hierarchical node tree. This is the Alerts list's default view. This view also has the following attributes:
- Lower-level alert types are hidden by nodes in the alert tree. To open a node, click the > icon. This displays the node's next level of alerts.
- Using the search box displays the alert and its parent alert types, so you can see how the alert appears in the alert hierarchy.

In the Alerts list, click this button to list alert types alphabetically, regardless of their position in the hierarchy.

Alert Groups
The Alert Groups list displays preconfigured groups of alerts that can be used to initiate a particular alert filter condition or rule correlation. The top box lists the names of Alert Groups. The Fields list displays those fields that apply to the Alert Group that is currently selected.
Fields (list)
Description: The Fields list displays those data fields that apply to whichever alert is selected in the Alerts or Alert Groups list.

User-Defined Groups
This list displays the different preconfigured User-Defined Groups that apply to the Managers. User-Defined Groups are groups of preferences used in rules and alert filters that allow you to match, include, or exclude events, information, or data fields based on their membership with a particular Group. In most cases, User-Defined Groups are used in rules as a type of white list or blacklist for choosing which events to include or to ignore. User-Defined Groups are created in the Group Builder.
Tool Profiles
This list displays all the different Tool Profiles that apply to the Managers. Tool Profiles are groups of Agents that have common tool configurations. You can use them to have your rules and filters include or exclude the Agents associated with a particular profile. Tool Profiles are created in the Groups grid.

Directory Service Groups
This list displays the Directory Service Groups that are synchronized with the Managers. Directory Service Groups are preconfigured groups of network computers and system users that you can use in rules and filters. They allow you to match, include, or exclude events to specific users or computers based on their Group membership. Directory service groups are synchronized to LEM through the Groups grid.

Time Of Day Sets
This list displays all of the different Time Of Day Sets that apply to the Managers. Time Of Day Sets are specific groups of hours that you can associate with rules and alert filters. You can use them to have your filters include or exclude messages that occur during the hours associated with a particular Time of Day Set, or to have your rules take different actions at different times of day. Time of Day Sets are created in the Groups grid. Note: This list does not appear in nDepth.
State Variables
Description: This list displays all of the different State Variables that apply to this Manager. The upper box lists the names of State Variables. The lower box lists the various fields that apply to whichever State Variable is selected in the upper box. State Variables are created within the Groups grid. Note: This list only applies to rules.

Subscription Groups
This list displays all of the Console user names, and the Manager each user is currently associated with. Each name in the list represents the list of rules that each individual user is subscribed to. By adding a Subscription Group to a filter, you can build the filter so that it only displays alert messages that are related to specific rules that a particular user is interested in (or subscribed to). Note: This list only applies to filters and nDepth searches.

Constants
This list displays the three types of constants that rules and filters can use for comparing alert data: text, number, or time.

Actions
This list displays all of the active responses that a rule can initiate, such as sending an email message, sending a pop-up message, blocking an IP address, etc. Note: This list only applies to rules.

Notifications
This list includes the various notification methods the Console can use to announce an alert message for the filter. You can have the Console display a pop-up message, display the new alert as unread, play a sound, or have the filter name blink. If needed, you can configure multiple notification methods for the same filter. Note: This list only applies to filters.
are to compare to other items, such as Time Of Day sets, Tool Profiles, User-defined Groups, Constants, and other alert fields. You can also compare groups with AND/OR conditions. AND conditions state which alerts must all occur together before the filter shows an alert. OR conditions state that if any one of several conditions occurs, the filter shows the alert. The combined conditions dictate when the alert filter is to display an alert. The filter ignores (and does not display) any alerts that do not meet these conditions. The Conditions tools allow you to configure relationships between events in the Conditions box, and to establish conditions for when the alert filter is to display the alert message. The following table describes each of the Conditions tools.
Item | Name | Description

Individual groups (and the entire Conditions box) can be expanded or collapsed to show or hide their settings:
- Click > to expand a collapsed group.
- Click to collapse an expanded group.
- The number that appears in parentheses indicates how many conditions are contained in the group.
Once a group is properly configured, you may want to collapse it to avoid accidentally changing it.

Add Group
This is the Add Group button. It appears at the top of every group box. Click it to create a new group within the group box. A group within a group is called a nested group. Each group is subject to AND and OR relationships with the groups around it and within it. By default, new groups appear with AND comparisons.

Delete
This is the Delete button. It appears at the top of every Group box. When you point to a condition, it also appears next to that condition. Click this button to delete a condition or a group. Deleting a group also deletes any groups that are nested within that group.

Alert variable
From the Alerts, Alert Groups, or Fields list, drag an alert, Alert Group, or alert field into the Conditions box. This is called the alert variable. You can think of an alert variable as the subject of each group of conditions. As alert messages stream into the Console, the filter analyzes the values associated with each alert variable to determine if the alert message meets the filter's conditions.
Item | Name | Description

Operators
Whenever you drag a list item or a field next to an alert variable, an operator icon appears between them. The operator states how the filter is to compare the alert variable to the other item to determine if the alert meets the filter's conditions.
- Click an operator to cycle through the various operators that are available for that comparison. Just keep clicking until you see the operator you want to use.
- Ctrl+click an operator to view all of the operators that are available for that comparison. Then click to select the specific operator you want to use.
List item
List items are the various non-alert items from the list pane. You drag and drop them into groups to define conditions based on your Time Of Day Sets, Tool Profiles, User-Defined Groups, Constants, etc. Some alert variables automatically add a blank Constant as their list item. You can overwrite the Constant with another list item, or you can click the Constant to add a specific value for the constant. For example, clicking a text Constant turns the field into an editable text box so you can type specific text. The text field also allows wildcard characters. Note that each list item has an icon that corresponds to the list it came from. These icons let you quickly identify what kinds of items are defining your filter's conditions.

Nested group
A group within a group is called a nested group. You may drag alert variables and other items from the list pane into the nested group boxes. By using nested groups, you can refine conditions by combining or comparing one group of conditions to another. This allows you to create the logic for highly complex and exact conditions. The example above shows one nested group. It represents a set of conditions within a higher-level group. Conditions (and groups of conditions) are subject to AND and OR comparisons.
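The condition logic described in this table (an alert variable compared to a list item by an operator such as Equals or Contains, conditions combined in AND/OR groups, groups nested inside other groups, and asterisks acting as wildcards in a text Constant) can be worked through in code. The following Python is an added example, not LEM code and not part of this guide: the alert records, the field names used in them, and the filter itself are all constructed, and the operator semantics (wildcard matching for Equals, plain case-sensitive substring for Contains) are assumptions about how the Console evaluates them rather than documented behaviour.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import List, Union

# Constructed sample alerts (not real LEM data). Field names such as
# InsertionIP are borrowed from this guide; the values are made up.
SAMPLE_ALERTS = [
    {"AlertType": "UserLogonFailure", "InsertionIP": "10.0.0.5",
     "DestinationAccount": "svc_backup"},
    {"AlertType": "UserLogonFailure", "InsertionIP": "192.168.1.20",
     "DestinationAccount": "jdoe"},
    {"AlertType": "WebTrafficAudit", "InsertionIP": "10.0.0.9",
     "DestinationAccount": "jdoe"},
]


@dataclass
class Condition:
    """One alert variable, an operator, and the text Constant it is compared to."""
    alert_field: str
    operator: str   # "Equals", "Does Not Equal", "Contains", "Does Not Contain"
    value: str      # text Constant; '*' stands for any run of characters


@dataclass
class Group:
    """A condition group; members may be Conditions or nested Groups."""
    join: str = "AND"   # new groups default to AND, as in the Console
    members: List[Union[Condition, "Group"]] = field(default_factory=list)


def _wildcard_equal(actual, pattern):
    # Assumption: Equals honours '*' wildcards exactly like the Text Constant field.
    return fnmatch.fnmatchcase(str(actual), pattern)


def eval_condition(cond, alert):
    actual = alert.get(cond.alert_field, "")
    if cond.operator == "Equals":
        return _wildcard_equal(actual, cond.value)
    if cond.operator == "Does Not Equal":
        return not _wildcard_equal(actual, cond.value)
    if cond.operator == "Contains":
        return cond.value in str(actual)
    if cond.operator == "Does Not Contain":
        return cond.value not in str(actual)
    raise ValueError(f"unsupported operator {cond.operator!r}")


def eval_member(member, alert):
    if isinstance(member, Group):
        return eval_group(member, alert)
    return eval_condition(member, alert)


def eval_group(group, alert):
    # AND: every member must hold; OR: any one member is enough.
    # An empty group places no restriction and therefore matches.
    if not group.members:
        return True
    results = [eval_member(m, alert) for m in group.members]
    return all(results) if group.join == "AND" else any(results)


def apply_filter(root, alerts):
    """Return the alerts the filter would display; everything else is ignored."""
    return [a for a in alerts if eval_group(root, a)]


# Constructed filter: logon failures reported from any 10.* address where the
# target is either a service account or the admin account. The inner OR group
# is the nested group from the table above.
EXAMPLE_FILTER = Group("AND", [
    Condition("AlertType", "Equals", "UserLogonFailure"),
    Condition("InsertionIP", "Equals", "10.*"),
    Group("OR", [
        Condition("DestinationAccount", "Contains", "svc_"),
        Condition("DestinationAccount", "Equals", "admin"),
    ]),
])


def matching_accounts(root=EXAMPLE_FILTER, alerts=SAMPLE_ALERTS):
    return [a["DestinationAccount"] for a in apply_filter(root, alerts)]


if __name__ == "__main__":
    print(matching_accounts())
```

Swapping the outer group's join to "OR" shows why the Console colours the two group operators differently: the same three members then match every sample alert, because each alert satisfies at least one of them.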
problems with the filter's logic. When finished, the new filter appears in the filter group you selected in Step 2.

button and then click Clone. The newly cloned filter appears in the filter group, just below the original filter. A clone always uses the same name as the filter it was cloned from, followed by the word Clone. For example, a clone of the Virus Attacks filter is called Virus Attacks Clone. A second clone of the Virus Attacks filter is called Virus Attacks Clone 2, and so on.
5. Edit the cloned Group, as needed, to give it its own name and to assign its own specific settings.
Pausing Filters
At any time, you can pause a filter to stop the stream of alert messages that are appearing on that filter. This allows you to inspect a set of alert messages without being interrupted by new incoming messages. You can pause each filter independently, or you can pause every filter on the Console.

To pause a filter:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to pause. The alert grid changes to display the filter you selected.
3. Do either of the following:
- On the alert grid's title bar, click Pause.
- On the Filters pane, click the gear button and then click Pause/Resume.
In the Filters pane, the word Paused appears next to the filter.

To pause all filters:
1. Open the Monitor view.
2. On the Filters pane, click the gear button and then click Pause All.
In the Filters pane, the word Paused appears next to every filter, except those that have been turned off.
- On the alert grid's title bar, click Resume.
- On the Filters pane, click the gear button and then click Pause/Resume.
In the Filters pane, the word Paused is replaced by the number of alerts that are currently associated with the filter.

To resume running all filters:
1. Open the Monitor view.
2. On the Filters pane, click the gear button and then click Resume All.
In the Filters pane, the word Paused is replaced by the number of alerts that are currently associated with each filter.
Copying a Filter
You can copy a filter. This allows you to quickly create variations on existing filters, or to use the same filter in multiple filter groups.

To copy a filter:
1. Open the Monitor view.
2. In the Filters pane, open the filter group that contains the filter you want to copy.
3. Now open the filter group that is to receive the copied filter.
4. In the first folder, click the filter you want to copy. Then press Ctrl while dragging the filter to the group that is to receive the copy. A copy of the filter appears in the new filter group.

To create a variation of the original filter:
1. In the Filters pane, click to select the newly copied filter.
2. Click the Filters pane gear button and then click Edit.
3. In Filter Creation, rename and reconfigure the filter, as desired.
4. Click Save.
Importing a Filter
Alert filters are saved on the workstation that is running the Console. If you move to another workstation, the filters will not follow. However, you can export the filters from one workstation and import them into another workstation. This allows you to move filters from one Console to another, so that another user can use the same filters on their Console, too. It also allows you to import filters that are provided by SolarWinds. You may import more than one filter at a time.

To import a filter:
1. Open the Monitor view.
2. In the Filters pane, select the filter group that is to receive the new filters.
3. On the Filters pane, click the gear button and then click Import Filters. The Select Filter File(s) to Import form appears.
4. In the Look In box, browse to the folder that contains the filters you want to import.
5. Select the filter files you want to import, and then click Open. To select multiple files, press the Ctrl key while clicking each file you want to import. The imported filters appear in the filter group you selected in Step 2.
Exporting a Filter
When needed, you can export a filter. Exporting does not remove the filter; it copies the filter to another location. Exporting filters is useful for the following reasons:
- You can move filters from one Console workstation to another, so that other Console users can use the same filters.
- You can export your filters to a computer folder or network folder for archival purposes.
- You can provide SolarWinds with a copy of a filter for technical support or troubleshooting purposes.
Filters are exported from the Filters pane. You may export only one filter at a time.

To export a filter:
1. Open the Monitor view.
2. In the Filters pane, select the filter you want to export.
3. On the Filters pane, click the gear button and then click Export Filter.
4. In the Browse For Folder form, browse to the folder in which you want to save the exported file. If needed, you can click Make New Folder to create a new folder for the file.
5. Click OK. The system exports the filter file to the folder.
Deleting a Filter
When needed, you can delete a filter, which removes the filter from both the alert grid and the Filters pane. Deleting a filter also deletes all of the widgets associated with that filter. Use caution when deleting a filter. The only way to restore it and its widgets is to recreate them.
To delete a filter:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to delete.
3. Do either of the following:
- button.
4. At the confirmation prompt, click Yes. The filter is deleted and no longer appears in the Filters pane.

3. A new filter group appears, and its title bar is an editable text box.
4. Type a name for the new group and then press Enter.
5. The new filter group appears in the Filters list. Filter groups are listed in the order in which you create them. However, you can rearrange them, as desired.
- Double-click the title bar of the filter group you want to rename.
- Click to select the title bar of the filter group you want to rename. Click the Filters pane gear button and then click Edit.
The filter group's title bar changes to an editable text box.
3. Type a new name for the filter group and then press Enter.
- Click the filter you want to move; then drag and drop it just below the title bar of the group that is to receive the filter.
- Open the filter group that is to receive the filter. Then drag the filter from its original group into position in the new group.
- button.
4. At the confirmation prompt, click Yes. The filter group and all of its filters are deleted and no longer appear in the Filters pane.
Responding to Alerts
The alert grid's Respond menu lets you take direct action on a particular alert message. Each Respond command opens the Respond form. The Respond form includes data from the field you selected and options for customizing the action, just as you would configure a rule's active response in Rule Creation. The Respond menu is context-sensitive. The alert type or cell that is currently selected in the alert grid determines which responses you may choose from.
1. In the Monitor view's alert grid, click the specific cell of the alert message you want to respond to.
2. Click the alert grid's Respond menu, and then select the type of response you want to make. You can choose between All Actions and a list of commonly used actions. The Respond form appears, which has three main sections:
- The top of the form shows the Manager that is affected by the action you are taking, and the specific action you are going to take. If you selected All Actions, the form displays the default action of Send Popup Message. In either case, you can select a different action from the form's Action list.
The list includes many of the actions found in Rule Creation, and you configure them the same way.
- The middle of the form displays the configuration fields that apply to the action you have selected, and the contents of the cell you selected in Step 1. You will use this section to customize the action you want to take. The cell data from Step 1 appears in the appropriate configuration field of the Respond form. For example, if you selected an alert row's InsertionIP cell and then selected a response of Send Popup Message, the value of the InsertionIP cell appears in the Action form's Agent field.
- The bottom contains an alert information grid. This grid displays the same detailed alert information as the Alert Details pane. You can drag information from this section into the form's configuration fields.
3. In the middle of the form, complete the action's configuration fields. You can do this by typing text into each field, by dragging and dropping information from the form's alert information section, or some combination of the two.
4. Click OK to execute the action. Otherwise, click Cancel.
- add content to a blank field
- replace the content of a field
- add to the content that is already in a field.
You can also use a combination of typing and drag and drop to configure an action.

To place alert information into a field:
Follow this procedure to add content to a blank configuration field or to replace the content of an existing configuration field.
1. In the Respond form's alert information grid, scroll to locate the field that contains the data element needed to configure the action.
2. Click the data and then drag it into the appropriate action configuration field (in the middle of the Respond form). The new data element appears in the configuration field.

To add to the contents of a field from the alert information:
Follow this procedure to add new field information to a configuration box, rather than replace it. Typically, you will use this procedure to add multiple data elements to the Message box.
1. In the Respond form's alert information section, scroll to locate the field that contains the data element you want to add to the configuration field.
2. Select the information field's contents by clicking its data in the Information column.
3. Press Ctrl, then drag the data into the appropriate action configuration field (in the middle of the form) to add the new data element to the configuration field.
Event Explorer
The Event explorer, which can only be opened from the Monitor view, lets you view all of the events that are related to the alert message currently selected in the Console. The Event explorer displays both sequential and concurrent events. That is, you can view the events that occurred before, during, and after the alert message occurred. You can also monitor events in real time, to see where they came from and where they are going. You can explore events for any alert in the Console. When you explore an alert, the Console makes a request to the Manager to determine which events are related to that alert. The Event explorer then displays a summary of events that occurred before, during, and after the system issued the alert. The Event explorer shows only those events that relate to the alert that you selected. That is, it shows the event that triggered the alert, and any events that occurred because of that alert (such as a response, notification, other alert, etc.). With its straightforward graphical display, the Event explorer can help you visualize how an alert occurred and the system's response to that alert. You can follow the chain of events that caused the alert, and help determine its root cause.
- It provides detailed information about the event.
- It displays a written definition of the alert.
- It allows you to create a new filter based on the alert. You can also copy text from this pane and paste it into explorers to explore specific data.
This pane works exactly like the Alert Details pane in the Monitor view.

Event map
The event map displays a graphical view of the event you are exploring, as well as the related events that came before and after the central event. The event you are exploring appears in the middle. Prior events appear to the left. Events that follow appear to the right. You can double-click any event to move that event to the middle, which allows you to view its relationship with other events.

Stop
Click Stop to cancel an explorer lookup at any time.

Next/Previous
You can step through the events in the map by clicking the Next and Previous buttons.

Pane divider
Drag this bar up or down to resize the event map and event grid panes.
Event grid
Description: The event grid provides a tabular version of the event map. The events are listed chronologically, from earliest to latest. Clicking an event in the grid highlights the corresponding item in the event map. The information pane also changes to show information about the event you have selected. You can sort the alert grid by each of its columns, so long as you click Pause first.

Scroll bars
The vertical and horizontal scroll bars let you quickly scroll through the information pane, larger event maps, and the event grid. For example, you can use the event grid's scroll bars to view the full range of events and all of the data associated with each event.
Exploring Alerts
The alert grid's Explore menu lets you use an explorer to investigate a particular alert or one of its data fields. For example, if you select an InsertionIP cell, your explorer options include the Whois, Traceroute, and NSLookup explorers. If you click the EventInfo cell, your only explorer option is nDepth, because only that explorer can search the raw data for an arbitrary string.

To explore an alert:
1. Open the Monitor view.
2. In the Filters pane, select the filter you want to work with. The alert grid displays the filter you have selected.
3. In the alert grid, click the row (or cell) you want to explore.
4. In the filter's Explore menu, select the explorer you want to work with. The Explore view appears, showing the explorer you selected. The explorer contains the data for the cell you selected.
- Read the map from left to right. The Event explorer always places the event you are currently exploring in the middle of the map.
- Related events prior to the central event appear to the left. These events caused the event you are exploring. If there are no prior events, this appears as a box labeled None.
- Related events that follow the central event appear to the right. These events followed or were caused by the central event. These are the various system responses (if any) that were triggered by the central event. If there are no events that follow, this appears as a box labeled None.
- If the same event occurs multiple times, the occurrences appear together in a box, like the one shown above for the prior events. In this example, WebTrafficAudit occurred 10 times before triggering the rule, so the occurrences are grouped together. You can use the scroll bar to view each event. You can also select each event in the box to view information about it in the information pane.
- Click an event in the event map to highlight the corresponding item in the event grid.
- Double-click an event in the event map to move that event to the center position. The map then displays the related events that came before and after the new central event. As before, events prior to the central event appear to the left; events that follow the central event appear to the right. When you select a new central event, the information pane changes to show information about that event. The event grid also refreshes to reflect the new central event.
- Click Prev (previous) to move the previous event in the map to the center position. Click Next to move the next event in the map to the center position. Click Stop to cancel an explorer lookup at any time.
- Click an event in the grid to highlight the corresponding item in the event map. The information pane also changes to show information about the event you have selected.
- When needed, you can use the vertical scroll bar to view all of the events. Use the horizontal scroll bar to view all of the data fields associated with a particular event. This same data also appears in the information pane, but as text.
- Click an individual cell in the grid to explore that field. Point to an individual cell in the grid to see a ToolTip that displays the complete contents of the cell.
To respond from the event grid:
1. In the event map or the event grid, select the event you want to respond to.
2. In the event grid, select the specific field you want to respond to.
3. In the Respond menu, select the response you want.
4. Complete the Respond form. See the "Actions table" on page 1 for details on configuring each response.

The Alert Details view displays detailed information about the alert that is currently selected in the grid. If more than one alert is selected, it shows the properties of the last alert to be selected.
The Alert Description view displays a written description of the last alert to be selected in the grid.
You can also use this pane to create a filter based on the selected alert, to scroll through the contents of the event grid, or to explore specific alert data with other explorers.
Click the event maps Alert Details button. Position your pointer over two thin lines next to the Alert Details pane (or if the pane is closed, next to the left side of the event map). When the pointer turns into a double-headed arrow, double-click to open or close the pane. When the Alert Details pane opens, it shows information about the alert that is currently selected in the event map or event grid.
- Click the event in the event map.
- Click the event in the event grid.
The Alert Details pane displays information about the event you selected.
To cycle through the alerts in the alert grid, click anywhere in the alert event grid. Then use your up and down arrow keys.
To cycle through the fields in the Alert Details pane, click anywhere in the Alert Details grid. Then use your up and down arrow keys.
Click the Alert Details button to open the pane's Alert Details view. This view shows detailed information about each of the selected alert's data fields. The actual fields that appear here vary according to the alert type that is currently selected. For example, network-oriented alerts show fields for IP addresses and ports, while account-oriented alerts show account names and domains.
Click the Alert Description button to open the pane's Alert Description view, which provides a detailed written description of the alert type that is currently selected.
2. In the event map or the event grid, select the event you want to explore.
3. In the Alert Details pane's Information column, click the alert field you want to explore.
4. In the Explore list, select the explorer you want to work with. The explorer appears, with the field data you selected appearing in the Search box.
5. If you are using the nDepth Explorer, click Search. The other explorers begin searching automatically.
- Select Alerts (left position) to search the normalized alert data that appears in the Monitor view.
- Select Log Messages (right position) to search the actual log entries that are recorded in your network products' log files. If this position is disabled, your equipment does not have the capacity to store and search the original log messages.
3. Use the search bar's far-left toggle switch to select how you want to enter the search string:
- Select Drag & Drop Mode (upper position) to drag items from the list pane or the Result Details view directly into the search box. This is the recommended position, as it is the easiest to use and the best way to avoid mistakes.
- Select Text Input Mode (lower position) to type search strings directly in the search box.
4. In the search box, enter your search string. By default, the search box includes a "this item exists" condition, so you can begin searching right away, without having to drag and drop anything. To use this condition, click an item on one of nDepth's graphical tools, or type or paste a search string directly in the text box. In Drag & Drop Mode, the search box indicates when a particular configuration is invalid:
- If a condition field is yellow, the search's configuration is invalid.
- If a condition field is red, the search conditions do not apply to the type of data you are currently searching; for example, you are searching log messages with conditions that are meant for alert data.
5. If you select more than one condition, determine the AND/OR relationship between each condition. Click the operator icon to toggle between AND and OR relationships. By default, searches use AND operators for each condition in the search string. There is one exception: if you select multiple items from a widget, nDepth defaults to an OR relationship for the group of items from that widget.
6. In the time selector, select the timeframe for which you want to search the data. By default, nDepth reports your network alert activity over the last 10 minutes (the end time is now, and the start time is 10 minutes ago). You can also create your own custom timeframe (see "To create a custom timeframe"). Be aware that the longer the timeframe, the more numerous your search results will be.
7. Click the Search button to run the search. If needed, you can stop a search at any time by clicking the Stop button. After a moment, nDepth's graphical tools summarize your search results. The Result Details view shows the actual data.
Saving a Search
You can save any search that you create so you can reuse it at any time. Saved searches include your entire search string as well as the timeframe you have selected.
To save a search:
1. In nDepth, perform a search as described above, until your results are satisfactory.
2. Click the gear button and then click Save As. The Save This Search form appears.
3. In the Search Name box, type a name that will easily help you remember the focus of this search. You can type up to 200 characters.
4. Click OK. Your search appears in the Saved Searches pane. Saved searches use two icons: one represents a search for alert data, and the other represents a search for original log messages.
To save your changes to a search:
1. Open the Explore > nDepth view.
2. If the Saved Searches pane is not visible, click the History button to open it.
3. In the Saved Searches pane, click the name of the search you want to perform.
4. Use the search bar to reconfigure the search, as needed.
5. Click the gear button and then click Save. The search is now saved with the new configuration. The next time you run it from the Saved Searches pane, it will run with this configuration.
3. Customize your report in the nDepth Export window using the following options.
a. Use the navigation bar at the bottom to preview your search results in the default format.
b. Use Insert Page Before Current Page on the navigation bar to add a blank report page.
c. Use Toggle orientation on the navigation bar or on an individual report page thumbnail to switch between portrait and landscape page orientation.
d. Click Items on the left to open a list of report items that you can drag into your report body.
e. Click Saved Layouts on the right to open a list of options related to saving and applying report layouts.
f. Hover over report pages and other elements, such as titles, graphs, and text, to access additional configuration options. Options to clear all page contents, enter static text, and delete pages or other elements appear as you hover over each element.
g. Drag charts and graphs to rearrange them in the report body.
4. Click Export to PDF to export the report in the Preview pane.
5. In the Save PDF As window, choose a destination and file name for your report.
6. Click Save.
To explore details with other explorers:
1. From any of nDepth's graphical views, click the Explore menu. Then select the explorer you want to use to explore the alert detail. The Explore > Utilities view appears.
2. Type the alert detail into the appropriate explorer field.
3. Click Search or Analyze, as applicable to the explorer.
3. In the Saved Searches pane, point to the search you want to delete; then click the delete icon next to the search.
4. At the confirmation prompt, click Yes.
2. Add new search conditions by using any of the techniques in the following table. nDepth automatically adds new search conditions to the search string.
- To add a search condition from a widget or other graphical tool: click an item in a graphical tool to add that item to the search box.
- To add a search condition from the list pane: in the Refine Fields list, double-click an item; or, in any list, select the item you want to work with, then drag that item directly into the search box.
- To add a search from Search Builder: configure a search with Search Builder. Search Builder automatically populates the search bar with its search configuration, because the search bar and the Search Builder are different views of the same search.
- To add a search condition from the Result Details view: select a character string from the data, then double-click the string to add it to the search box; or select a character string from the data and drag it into the search box; or select a character string from the data, then copy (Ctrl+C) the search string and paste (Ctrl+V) it in the text box.
- To type a search string: type a search string directly in the search box.
- To perform the search: on the search bar, click the Search button.
The following table explains how to delete search conditions directly from the search bar. For the examples in this table, suppose you have a set of search conditions that looks like this:
Severity = 4 AND ( InsertionIP = SolarWinds-demo50 OR InsertionIP = intrepid )
- Delete a single condition. Example: use this method to delete Severity = 4.
- Delete a group of conditions. Example: use this method to delete the OR group containing the two Insertion IPs.
- Delete the entire search string. Example: use this method when you want to delete the entire search string to begin a new search. Click the round Delete All button (next to the Search button), or click the button at the far right of the search box.
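The AND/OR rules from Step 5 and the condition string used in this table can be modelled in a few lines, which makes it easier to reason about what a saved search will actually match. The Python below is an added illustration, not SolarWinds code and not nDepth's own parser: it tokenizes condition strings of the form shown above, evaluates them against constructed sample alerts, reports a malformed string the way the search bar's yellow condition field does, and rebuilds the OR group that nDepth forms when several items are picked from one widget. The alert record layout, the sample alerts, exact-string comparison, and the choice that AND binds tighter than OR in an unparenthesised mix are all assumptions (the guide's example parenthesises its OR group, so precedence does not affect it).

```python
"""Model of nDepth-style search strings, evaluated against sample alerts.
Added illustration, not SolarWinds code or nDepth's own engine. Assumed:
alerts are dicts keyed by field name, values compare as exact strings, and
AND binds tighter than OR when both appear without parentheses."""
from __future__ import annotations

import re
from typing import Callable, Dict, List

Matcher = Callable[[Dict[str, str]], bool]

# Constructed sample alerts (not real LEM data); field names follow the guide.
SAMPLE_ALERTS: List[Dict[str, str]] = [
    {"Severity": "4", "InsertionIP": "SolarWinds-demo50", "EventName": "UserLogon"},
    {"Severity": "4", "InsertionIP": "intrepid", "EventName": "FileAudit"},
    {"Severity": "4", "InsertionIP": "other-host", "EventName": "UserLogon"},
    {"Severity": "2", "InsertionIP": "intrepid", "EventName": "UserLogon"},
]

# The search string the guide uses as its example.
EXAMPLE_SEARCH = "Severity = 4 AND ( InsertionIP = SolarWinds-demo50 OR InsertionIP = intrepid )"

_OPERATORS = {"AND", "OR", "(", ")", "="}
_TOKEN_RE = re.compile(r"\(|\)|=|\bAND\b|\bOR\b|[^\s()=]+")

def tokenize(search: str) -> List[str]:
    """Split a search string into parentheses, '=', AND/OR, and bare words."""
    return _TOKEN_RE.findall(search)

class _Parser:
    """Recursive descent: expr := term (OR term)*; term := factor (AND factor)*;
    factor := '(' expr ')' | FIELD '=' VALUE.  Produces a Matcher closure."""

    def __init__(self, tokens: List[str]) -> None:
        self.tokens, self.pos = tokens, 0

    def _peek(self) -> str | None:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self, expected: str | None = None) -> str:
        tok = self._peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.pos += 1
        return tok

    def parse(self) -> Matcher:
        matcher = self._expr()
        if self._peek() is not None:  # leftover input, e.g. an unmatched ')'
            raise ValueError(f"unexpected token {self._peek()!r}")
        return matcher

    def _expr(self) -> Matcher:
        terms = [self._term()]
        while self._peek() == "OR":
            self._take("OR")
            terms.append(self._term())
        return lambda alert: any(t(alert) for t in terms)

    def _term(self) -> Matcher:
        factors = [self._factor()]
        while self._peek() == "AND":
            self._take("AND")
            factors.append(self._factor())
        return lambda alert: all(f(alert) for f in factors)

    def _factor(self) -> Matcher:
        if self._peek() == "(":
            self._take("(")
            inner = self._expr()
            self._take(")")
            return inner
        field, _, value = self._take(), self._take("="), self._take()
        if field in _OPERATORS or value in _OPERATORS:
            raise ValueError(f"malformed condition near {field!r}")
        return lambda alert: alert.get(field) == value

def compile_search(search: str) -> Matcher:
    """Turn a search string into a function that tests one alert."""
    return _Parser(tokenize(search)).parse()

def is_valid(search: str) -> bool:
    """Mirror the search bar's 'configuration is invalid' indication."""
    try:
        compile_search(search)
    except ValueError:
        return False
    return True

def run_search(search: str, alerts=SAMPLE_ALERTS) -> List[Dict[str, str]]:
    """Return the alerts that satisfy the search string."""
    matcher = compile_search(search)
    return [alert for alert in alerts if matcher(alert)]

def widget_selection(field: str, values: List[str]) -> str:
    """Build the OR group nDepth forms when several items are picked in one widget."""
    return "( " + " OR ".join(f"{field} = {v}" for v in values) + " )"
```

Running `run_search(EXAMPLE_SEARCH)` returns the first two sample alerts (Severity 4 from either listed InsertionIP), and `widget_selection("InsertionIP", ["SolarWinds-demo50", "intrepid"])` reproduces the parenthesised OR group of the example, which is what Step 5's widget exception means in practice.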
To create a custom timeframe:
1. In the search bar's time selector list, click Custom range. You can use these calendars to set your From and To date and time range. By default, the custom timeframe shows the timeframe of your last search.
2. Use the two calendars to select the start (From) date and time, and the end (To) date and time, as described in the following table.
- To pick a date in the month shown: click the date.
- To go to an earlier month: click the previous-month button.
- To go to a later month: click the next-month button.
- To go to an earlier year: click the previous-year button.
- To go to a later year: click the next-year button.
- To select a different time: type a new time directly in the time box, or use the buttons in the hour, minute, and second fields to step to an earlier or later value.
Note: You can use your keyboard's up, down, right, and left arrows to move within the calendar and to select a time.
3. To close the calendar, click anywhere outside of its boundary.
Managing Tools
Opening the Tool Configuration Form
Use the following procedure whenever you need to open the Tool Configuration form. This form is used for the following purposes:
- To configure and manage a Manager's sensor, actor, and notification tools.
- To configure and manage an Agent's sensor and actor tools.
- To change the tools configured in an Agent's Tool Profile. Note: To change a Tool Profile's membership and properties, edit the Tool Profile in the Build > Groups view.
Opening a Manager's Tool Configuration form:
1. On the LEM Console, click Manage > Appliances.
2. In the Appliances grid, click to select the Manager you want to work with.
3. If needed, log in to the Manager. To do so, click the gear button and then click Login.
4. Click the gear button and then click Tools. The Tool Configuration for [Manager] form appears. You may now add the tool instances for each network security product or device this Manager is to monitor or interact with on the Manager computer.
Opening an Agent's Tool Configuration form:
1. If needed, log in to the Manager you want to work with.
2. On the LEM Console, click Manage > Agents.
3. In the Agents grid, click to select the Agent you want to work with.
4. Click the gear button and then click Tools. If the Agent is not in a Tool Profile, the Tool Configuration for [Agent] form appears. You may now add the tool instances for each network security product or device this Agent is to monitor or interact with on the Agent's computer.
If the Agent is in a Tool Profile, the Agent Tool Configuration prompt appears. The prompt warns you that the Agent belongs to a Tool Profile. You can choose to edit the Tool Profile, which affects every Agent in that profile; or you can remove the Agent from the profile to configure the Agent separately.
- To edit the Tool Profile, click Tool Profile. The Tool Configuration for [Tool Profile] form appears. You may now begin adding, editing, or deleting the tool instances associated with that Tool Profile.
- To remove the Agent from the Tool Profile and configure its tools separately, click Agent Tool Configuration. The Tool Configuration for [Agent] form appears. You may now add the tool instances for each network security product or device this Agent is to monitor or interact with on the Agent's computer.
- Configure the tool settings for each sensor that is to gather data from a network security product's event logs.
- Configure the tool settings for each actor that is to initiate an active response from a network security product or device.
Each configuration of a sensor or actor tool is called a tool instance. Most products write to only one log source, so for these products a single tool instance will suffice. However, some products write to more than one log; for these products, you will need to create separate tool instances, one instance for each log source. When a product requires more than one instance, you can differentiate between them by assigning each instance a unique name, called an alias.
To add a new tool instance:
1. Open the Tool Configuration form for the Manager or Agent you want to work with.
2. If desired, use the Refine Results pane to select the tool Category you want to work with.
3. In the Tools grid, click to select the tool you want to configure. One icon marks a tool for a sensor; the other marks a tool for an actor.
4. Do one of the following:
- At the top of the Tools grid, click New.
- Click the tool row's gear button and then click New.
The Properties pane opens as an editable form. The fields that appear on the form vary from one tool to another, in order to support the product or device you are configuring. For new instances, the form displays the default tool settings needed to configure the associated product or device. In most cases, you can save the tool with its default settings; however, you can change the settings, as needed.
5. Complete the Properties form, as needed. To assist you, we have prepared some reference tables that explain the meaning of each field you may encounter in the Properties form.
6. Click Save to save the tool configuration as a new tool instance; otherwise, click Cancel. Upon saving, the following things happen in the Tools grid:
- If you configured a sensor, a sensor tool instance appears under the tool you are working with.
- If you configured an actor, an actor tool instance appears under the tool you are working with.
- The Stopped icon in the Status column means the tool instance is stopped. All new tool instances automatically have a status of Stopped. To begin using the tool, you must start it.
After a moment, the system starts the tool instance. Upon starting, the tool's Status icon changes to the Running icon. The selected tool instance is now running.
8. If needed, repeat Steps 3 through 7 for each additional tool instance that is required to fully integrate this product or device with the LEM.
Common problems with starting tool instances
If the tool fails to start, the Console will display a Warning or a Failure alert that states the problem. Normally, tools fail to start for either of the following reasons:
- The network security device's log file does not exist.
- The Agent does not have permission to access the file.
After a moment, the system stops the tool instance. When the tool's Status icon changes to the Stopped icon, the tool has stopped.
Once a tool instance has been stopped, it can be edited, deleted, or restarted, as needed. The tool instance will remain stopped until you restart it.
To edit a tool instance:
1. Open the Tool Configuration form for the Manager or Agent you want to work with.
2. In the Tools grid, click to select the tool instance you want to edit.
3. Click the tool instance's gear button and then click Stop. After a moment, the system stops the tool instance. When the tool's Status icon changes to the Stopped icon, the tool has stopped.
4. To edit the tool, click the gear button and then click Edit.
5. In the Properties form, update the tool settings, as needed. To assist you, we have prepared some reference tables that explain the meaning of each field you may encounter in the Properties form.
6. Click Save to save your changes.
7. When you are finished, restart the tool instance by clicking the gear button and then clicking Start.
To delete a tool instance, first stop it as in Steps 1 through 3 above. After a moment, the system stops the tool instance. When the tool's Status icon changes to the Stopped icon, the tool has stopped.
4. Click the tool instance's gear button and then click Delete.
5. At the confirmation prompt, click Yes to delete the tool instance. After a moment, the tool instance disappears from the Tools grid.
Configure and manage tools at the profile level to reduce the amount of work you have to do for large LEM Agent deployments.
Create filters, rules, and searches using your Tool Profiles as Groups of LEM Agents. For example, create a filter to show you all Web traffic from computers in your Domain Controller Tool Profile.
Complete the two procedures below to create a Tool Profile using a single LEM Agent as its template.
To create a Tool Profile using a LEM Agent as a template:
1. Configure the tools on the LEM Agent to be used as the template for the new Tool Profile. These tools are applied to any LEM Agents that are later added to the Tool Profile.
2. Click Build, and then select Groups.
3. Click the [icon] button, and then select Tool Profile.
4. Enter a name and description for the Tool Profile.
5. Select the desired LEM Agent template from the Template list next to the Description field.
6. Click Save.
To add LEM Agents to your new Tool Profile:
1. Locate the new Tool Profile in the Build > Groups view.
2. Click the gear button next to your Tool Profile, and then select Edit.
3. Move LEM Agents from the Available Agents list to the Tool Profile by clicking the arrow next to them.
4. If you are finished adding LEM Agents to your Tool Profile, click Save.
5. The tool configurations set for the template agent will be applied to any agent added to the Tool Profile.
Using an Agent to edit a Tool Profile
You can use an Agent that is a member of a Tool Profile as a vehicle for editing that profile's tool settings. You can add new tool instances to the profile, or edit or delete its existing instances. Use caution when editing a Tool Profile: the changes you make will apply to every Agent that is a member of that profile. You can also edit a Tool Profile's tool settings from the Manage > Agents view.
To use an Agent to edit a Tool Profile's tool settings:
1. Open the Manage > Agents view.
2. In the Agents grid, click to select the Agent that is in the Tool Profile you want to edit.
3. Click the gear button and then click Tools. The Agent Tool Configuration prompt appears to warn you that the Agent belongs to a Tool Profile.
4. Click Tool Profile. The Tool Configuration for [Tool Profile] form appears. You may now begin adding, editing, or deleting the tool instances that are associated with that Tool Profile.
Managing Widgets
The topics in this section explain how to use the Widget Manager to create and manage your widgets.
At the top of the Ops Manager view, click Widget Manager to alternately open and close the Widget Manager. The Widget Manager includes the Filters pane and the Widgets pane.
4. Complete the Widget Builder.
5. Select the Save to Dashboard check box if you want to save a copy of the new widget to the Ops Center dashboard.
6. When you are finished, click Save. Upon saving the new widget, several things happen:
- In the Filters pane, the Count value of the associated filter increases by one to account for the new widget.
- The new widget appears in the Widgets pane for the associated filter. The next time you open the widget's source filter in the Monitor view, the new widget will appear in the Widgets pane's widget list.
- If you selected the Save to Dashboard option, a copy of the widget also appears in the Ops Center dashboard.
Once saved, an updated master widget appears with its new configuration in the Ops Center's Widget Manager and in the Monitor view's Widgets pane. Once created, each dashboard widget operates independently of the master widget it was created from. Therefore, editing a master widget does not affect any previous copies (dashboard widgets) that were created from that master. This independence lets you use a master widget as a template for creating variations of the same widget for the Ops Center dashboard.
To edit a master widget in the Ops Center:
1. Open the Ops Center view.
2. If needed, click Widget Manager to open the Filters and Widgets panes.
3. In the Filters pane, select the filter you want to work with. The widgets associated with this filter appear in the Widgets pane.
4. Drag the pane's scroll bar left or right to browse the filter's widgets.
5. When you find the widget you want to edit, click the Filters pane gear button. The Widget Builder appears.
6. Use the Widget Builder to reconfigure the widget, as needed.
7. Select Save to Dashboard if you want to save a copy of the reconfigured master widget to the Ops Center dashboard.
8. Click Save to save your changes to the widget. The master widget's new configuration appears in the Widgets pane. If you selected the Save to Dashboard option, a copy of the newly configured widget also appears in the Ops Center dashboard.
To add a widget from the Widgets pane to the dashboard:
1. Open the Ops Center view.
2. Click Widget Manager to open the Filters and Widgets panes.
3. In the Filters pane, select the filter you want to work with. The widgets associated with this filter appear in the Widgets pane.
4. To preview the widgets in the Widgets pane, do one of the following:
- Drag the pane's scroll bar left or right to browse the filter's widgets.
- Click any widget to move it to the front of the pane.
5. When you find the widget you want to add to the dashboard, do either of the following:
- Click Add to Dashboard.
- Click anywhere on the widget, drag it to the dashboard, and then drop it in the position you want.
To add a widget to the dashboard from the Widget Builder:
1. When creating or editing a master widget with the Widget Builder, configure the form so the widget appears the way you want it to on the dashboard.
2. Select the Save to Dashboard check box.
3. Click Save. A copy of the widget appears at the bottom of the Ops Center dashboard.
To delete a master widget:
1. Open the Ops Center view.
2. If needed, click Widget Manager to open the Filters list and the Widgets pane.
3. In the Filters list, select the filter that contains the widget you want to delete.
4. In the Widgets pane, use the scroll bar to select the widget you want to delete.
5. Click Delete Widget.
6. At the confirmation prompt, click Yes.
3. Make the necessary changes to the Widget Builder.
4. When you are finished, click Save. The widget appears in the dashboard with its new configuration.
To delete a widget from the dashboard:
1. Open the Ops Center view.
2. In the dashboard, locate the widget you want to delete.
3. Click the delete button on the widget toolbar.
4. At the confirmation prompt, click Yes. The widget is deleted from the dashboard.
Note: If needed, you can readily recreate the dashboard widget, so long as you do not delete the master widget it came from.
1. On the Console, open the Manage > Appliances view.
2. Add a Manager to the Console.
3. Log on to the Manager through the Console.
4. Configure the Manager's properties with the Properties form.
5. Configure the Manager's tools with the Tool Configuration window.
6. (Optional) Assign the Manager's alert distribution policy with the Alert Distribution Policy window.
- Username: Enter the username used to connect to the virtual appliance.
- Password: Enter the password for the virtual appliance.
- Appliance Type: Select the appliance type you are adding: Manager, Database Server, nDepth, Logging Server, or Network Sensor.
- Connection Port: Type the port number the Console must use to communicate with the Manager network appliance or the database. The secure port number is 8443. This value defaults to 8080 for virtual appliances in the evaluation phase. Note: This field only applies when the Appliance Type field is set to Manager.
- Model: Select the appliance's appropriate model. If you are uncertain which model you have, select Unknown. If you know your model but it is not listed, select Other. Your selection here has no effect on the Manager's operation. If you selected any of the specific models, a picture of the appliance appears at the top of the Details pane.
- Level: The appliance's level. Its level is directly related to the appliance's capacity and performance, ranging from Level 1 to Level 4. If you are uncertain which level the Manager belongs to, select Unknown. If you are adding a Database Server, Level 4 is automatically selected. This option is disabled if you are using a virtual appliance.
- Service Tag: Type the Dell serial number or registration number found on the appliance. It uniquely identifies this piece of equipment and its specific configuration properties.
- Icon Color: Select the desired color for your icon.
- Reset: At any time, you can click Reset to reset the form to its default settings.
5. Click Connect to add the appliance and close the form. Otherwise, click Cancel to return to the Console without adding the appliance.
6. Enter the IP Address of the virtual appliance and then click Connect. Note: The LEM desktop software requires that you change your LEM password after installation. This password must be between 6 and 40 characters, and must contain at least one capital letter and one number. The default username/password is Admin/Password.
7. Click OK.
If needed, you can copy the data from the Appliances grid to your clipboard. This allows you to paste the data into another application, such as Microsoft Excel for analysis or the Remote Agent Installer for updates. You can copy the data for a single appliance, multiple appliances, or for every appliance in the grid.
To copy appliance data:
1. Open the Manage > Appliances view.
2. In the Appliances grid, select the appliances you want to copy.
3. Click the [icon] button, and then do one of the following:
- Click Copy Selected to copy the data for the selected appliances.
- Click Copy All to copy the data for every appliance in the grid.
The appliance data is now copied to your clipboard, where it can be pasted into another application.
Removing an appliance
When needed, you can remove a Manager or other network appliance from the Console.
To remove an appliance:
1. At the top of the Console, click Manage, and then click Appliances.
2. In the Appliances grid, click to select the appliance you want to remove.
3. Click the gear button and then click Delete.
4. At the confirmation prompt, click Yes to remove the appliance. Otherwise, click No to return to the Console without removing the appliance. The appliance disappears from the Appliances grid.
Managing Connectors
Configuring Manager tools (general procedure)
Follow this procedure to configure a Manager's tools (sensors and actors). It lets the Manager monitor and interact with the supported security products or devices that are installed on or remotely logging to the Manager computer.
To configure a Manager's tools:
1. Start the LEM Console.
2. Open the Manage > Appliances view.
3. If you have not already done so, add and configure each Manager you will be using with your network.
4. Log on to the Manager you want to work with.
5. Open the Tool Configuration for [Manager] form.
6. Add a tool instance for each of the product's event log sources.
7. When you are finished, start the tool instance. See "Advanced Configurations" on page 249.
8. Repeat Steps 6 and 7 for each product or device that is logging to the Manager computer.
9. Repeat Steps 4 through 8 for each Manager, until you have configured tools for each point on your network.
once by updating only the Tool Profile's tool configuration. The system then propagates your changes to all of the Agents in the profile. By using Tool Profiles, you can greatly speed up the process of connecting your network security products to LEM. If you do not use Tool Profiles, you will have to create at least one tool instance for every product that you intend to integrate with LEM, and then repeat this process for every one of your Agents. A well-planned set of Tool Profiles provides you with a versatile and efficient method for configuring and maintaining your Agents' tool configurations.
Managing Groups
The topics in this section explain how to create and manage Groups.
The Group Details pane opens to show an editable form for the Group type you have selected.
3. In the Name box, type a name for the Group.
4. In the Description box, type a brief description of the Group and its intended use.
5. In the Manager list, select the Manager on which the Group is to reside.
6. When you are finished, click Save. The new Group appears in the Groups grid.
Editing a Group
Editing a Group is very much like creating a new one. The only difference is that you are reconfiguring an existing item.
To edit a Group:
1. Open the Build > Groups view.
2. In the Groups grid, do one of the following:
- Double-click the Group you want to edit.
- Click the gear button for the Group you want to edit and click Edit.
The Edit pane opens as an editable form, showing the selected Group's current configuration.
3. Make any necessary changes to the Edit form to reconfigure the Group.
4. When you are finished, click Save. The revised Group is applied to the Manager and appears in the Groups grid.
Cloning a Group
Cloning a Group lets you copy an existing Group, but save it with a new name. Cloning allows you to quickly create variations on existing Groups for use with your rules, filters, and Agents. Cloned Groups must be for the same Manager as the original Group; that is, you cannot clone a Group from one Manager for use with another Manager.
To clone a Group:
1. Open the Build > Groups view.
2. In the Groups grid, click to select the Group you want to clone.
3. Click the row's gear button and then click Clone. The newly cloned Group appears in the Groups grid in the row just below the original Group. A clone always uses the same name as the Group it was cloned from, followed by the word Clone. For example, a clone of the Disk Warning Group would be called Disk Warning Clone. A second clone of the Disk Warning Group would be called Disk Warning Clone 2, and so on.
4. Edit the cloned Group, as needed, to give it its own name and to assign its own specific settings.
Importing a Group
You can import Groups from a remote source into the Groups grid. You can import a Group that you have exported from another Manager, or you can import Groups that are provided by SolarWinds. You may import only one Group at a time.
To import a Group:
1. Open the Build > Groups view.
2. On the Groups grid toolbar, click the gear button and then click Import. The Open form appears.
3. In the Look In box, browse to the folder that contains the Group file you want to import.
4. Do either of the following:
   - Double-click the file to open it.
   - Click to select the file you want to import, and then click Open.
   The Group appears in the Groups grid and in the Group Details form for editing.
5. In the Group Details form, select the Manager this Group is to be assigned to.
6. Make any other desired changes in the Group Details form.
7. Click Save to send the Group to the Manager.
8. If you are working with Email Templates or State Variables, drag the new Group from the Groups grid into the folder (in the Folders pane) that is to store the Group.
Exporting a Group
When needed, you can export Groups. Exporting Groups is useful for three reasons:
- Once exported, you can import the Group into another Manager.
- You can save a copy off of the Manager for any reason.
- You can provide SolarWinds with a copy of your Group for technical support or troubleshooting purposes.
You may export only one Group at a time.
To export a Group:
1. Open the Build > Groups view.
2. In the Groups grid, click to select the Group you want to export.
3. Click the row's gear button and then click Export.
4. After a moment, the Save As form appears.
5. Use the Save As form to select the folder in which you want to save the exported Group.
6. In the File name box, type a name for the exported Group.
7. Click Save to export and save the Group; otherwise, click Cancel. You can now import the Group for use with another Manager.
Deleting a Group
When needed, you can delete any of your Groups.
To delete a Group:
1. Open the Build > Groups view.
2. In the Groups grid, select the Group you want to delete.
3. Click the row's gear button and then click Delete.
4. At the confirmation prompt, click Yes to delete the Group. The item disappears from the Groups grid.
4. In the Description box, type a brief description of the Alert Group's contents.
5. In the Manager list, select the Manager on which this Group is to reside. If you are editing an existing Group, this field shows the Manager on which it resides.
   Now you will configure the Alert Group by selecting the alerts you want in the Group. The Alerts box lists alerts in a hierarchical tree. You may need to open the nodes in the alert tree to see the alert you are looking for.
6. In the Alerts list, select each alert that you want to include in this Group.
   - To choose an alert, click its check box.
   - To remove an alert, clear its check box.
   Note: In the node-tree view, you can Ctrl+Click to select (or clear) an alert and all of the alerts below that item (that is, its child alerts). For example, press Ctrl and click Security Alert to select Security Alert and all of its child alerts.
7. Click Save. The new Alert Group appears in the Groups grid.
Icon: Description
Tree view button: Click this button to display the Alerts list as a hierarchical node tree. Then use the list to select each alert type that you want to include in this Group. This is the default view. This view also has the following attributes:
   - Lower-level alert types are hidden by nodes in the alert tree. To open a node, click the > icon. This displays the node's next level of alerts.
   - Using the search box displays the alert and its parent alert types, so you can see how the alert appears in the alert hierarchy.
   - You can Ctrl+Click to select (or clear) an alert and all of the alerts below that item (that is, its child alerts). For example, if you press Ctrl and click Security Alert, you will select Security Alert and all of its child alerts.
Alphabetical view button: Click this button to list alert types alphabetically, regardless of their position in the hierarchy. Then use the list to select each alert type that you want to include in this Group.
Search box: You can use this box to search either view of the Alerts list. To do so, type a word or phrase in the text box. The Alerts list will refresh to show any alerts that include your word or phrase.
Closed node icon: This icon represents a closed (or collapsed) alert node in the alert tree hierarchy. Each time you see this icon, it means the alert node contains lower-level alerts. To open a node, click it. Opening the node expands the alert tree, displaying the next level of related alerts.
Open node icon: This icon represents an open (or expanded) alert node in the alert tree hierarchy. Each time you see this icon, the node is displaying its related lower-level alerts. To close (or collapse) the node, click it. This collapses the alert tree at that level, hiding its lower-level alerts.
Cleared check box: This item has not been selected; nor have any of its lower-level items.
Selected check box: This item has been selected, but not any of its lower-level items.
Cleared check box with selected children: This item has not been selected, but one or more of its lower-level items has been selected.
Selected check box with selected children: This item has been selected, and so have one or more of its lower-level items.
information from any Groups that are not currently synchronized with LEM. You can also use this procedure to remove DS Groups that no longer require synchronization.
Note: To use DS Groups, first make sure the Directory Service Query Tool is configured and running on the LEM Manager for which you want to use DS Groups. DS Groups only apply to Managers that are connected to them. If you need a similar DS Group for another Manager, you must connect to the directory service with the other Manager.
To retrieve DS Group data from your directory service:
1. Open the Build > Groups view.
2. On the Groups grid, click the gear button and then click Directory Services Group. The Select Directory Services Group form appears. You will use this form to select which directory service Groups you want to synchronize for use with LEM.
3. In the Manager list (the upper-right drop-down list), select the Manager that is going to use the DS Groups.
4. In the other drop-down list, select the directory services domain you want to work with. The form displays the actual contents (folders and Group categories) of your directory service system:
Each folder to the left contains the Group categories that are associated with that area of your directory service. You can click a folder node to display the Group categories contained within that folder.
The Available Groups box lists a different set of Group categories with each folder you select. For example, clicking the Users folder shows a different set of Group categories than if you click the Laptops folder.
5. In the folder list, click the Group category you want to work with.
6. In the Available Groups list, do the following:
   - Click the check box for each Group you want to synchronize with LEM.
   - Clear the check box for each Group you want to remove from synchronization.
7. Repeat Steps 5 and 6 until you have selected all of the DS Groups you want synchronized with LEM.
8. Click Save. The system synchronizes the DS Groups to LEM and adds them to the Groups grid. The DS Groups are now ready for use with your rules and filters.
Description: Displays the description associated with the group member in directory services.
SAM Name: Displays the account name of the member.
Principal Name: Displays the principal name of the member.
Distinguished Name: Displays the complete distinguished name of the member.
Date
Email: Displays the email address of the member.
Deleting DS Groups
You can delete DS Groups from the Console, just as you would any other Group. Deleting a DS Group does not remove the Group from your original directory service. You can restore a DS Group at any time if you ever need to use it again.
You create and manage templates in the Build > Groups view's Email Template form. As with rules, you can add, edit, clone, and delete templates, and you can organize them in folders.
Click
The Email Template form appears. If you are editing an existing template, the form shows any parameters that have already been configured for the template.
3. In the Manager list, select the Manager on which this template resides. If you are editing an existing template, this field shows the Manager this template is associated with.
4. In the Name box, type a name for the template. This should be a name that makes it easy to identify the type of event that has occurred, or where or to whom the email message is going.
5. In the From box, type whom the message is from. Typically, this is SolarWinds or Manager.
6. In the Subject line, type a subject for the message. Typically, you will want a subject that indicates the nature of the alert event.
7. Click Save to save the template.
3. Repeat Steps 1 and 2 for each parameter you want to capture in this message.
4. Click Save to save your changes to the template.
To delete a parameter:
1. In the Parameters list, select the parameter you want to delete.
2. Click the Delete button.
3. The parameter disappears from the Parameters list.
4. Click Save to permanently delete the parameter.
2. In the Parameters list, select a parameter. Then drag it to the appropriate spot in the message text. The parameters serve as placeholders for information that the Manager will fill in.
3. Repeat Step 2 for each parameter.
4. When you have finished with the template, click Save. The new template appears in the Groups grid.
- Double-click the State Variable you want to edit.
- Click the gear icon for the State Variable you want to edit, and then click Edit.
The State Variables pane opens as an editable form. If you are editing an existing State Variable, the form shows any fields that have already been configured.
3. In the Name box, type a name for the State Variable.
4. In the Manager list, select the Manager on which this State Variable is to reside. If you are editing an existing Group, this field shows the Manager on which it resides.
   Now add the State Variable fields that make up the Group. Adding State Variable fields is a straightforward process. You name the field, and then select what the variable represents: text, a number, or time.
5. Click the Add button. The Add Variable Field form becomes active.
6. In the Name box, type a name for the State Variable field.
7. In the Type list, select the type of State Variable the field represents: Text, Number, or Time.
8. Click the left Save button to save the field; otherwise, click Cancel. The new State Variable field appears in the State Variables grid, showing the field's name and comparison type.
9. Repeat Steps 5-8 for each field you want to add to the State Variable.
10. Click the rightmost Save button to save the State Variable settings. The new State Variable appears in the Groups grid and the Rule Builder's State Variables list. You can now incorporate this State Variable whenever you add or edit a rule.
- Double-click the State Variable you want to edit.
- Click the gear icon for the State Variable you want to edit, and then click Edit.
The State Variables pane opens as an editable form.
3. In the fields grid, select the State Variable field you want to edit. The Add Variable Field form becomes active, showing the field's current configuration.
4. Make the necessary changes to the field's Name or Type.
5. Click the form's Save button to apply your changes to the field. The updated field appears in the fields grid.
6. Click the rightmost Save button to save your changes to the State Variable.
To delete a State Variable field:
- Double-click the State Variable you want to edit.
- Click the gear icon for the State Variable you want to edit, and then click Edit.
The State Variables pane opens as an editable form.
3. In the fields grid, select the field you want to delete.
4. Click the Delete button. The field disappears from the fields grid.
The Edit pane opens, showing the Time of Day Set form.
3. In the Name box, type a name for the new Time of Day Set.
4. In the Description box, type a brief description of the Time of Day Set and its intended use.
5. In the Manager list, select the Manager on which this Time of Day Set is to reside. If you are editing an existing Group, this field shows the Manager on which it resides.
   The form has a time grid that lets you define a Time of Day Set for the Manager. The time grid is based on a one-week period, and is organized as follows:
   - It has seven rows, where each row represents one day of the week.
   - It has 24 numbered columns, where each column represents one hour of the day. The white column headers represent morning hours (midnight to noon). The shaded column headers represent evening hours (noon to midnight).
   - Each column has two check boxes that divide each hour into two half-hour (30-minute) periods.
   Together, the rows, columns, and check boxes divide an entire week into 30-minute periods.
6. In the time grid, click to select the half-hour periods that are to define this Time of Day Set. For assistance, see the table in the topic, below.
7. Click Save. The new Time of Day Set appears in the Groups grid.
- Click Activate to apply your changes to every Agent associated with the Tool Profile.
- Click Discard to discard your changes and reload the tool's previous configuration.
The Edit pane opens, showing the User-Defined Group form. If you are editing an existing User-Defined Group, the form shows any parameters that have already been configured for the Group.
3. In the Name box, type a name for the Group.
4. In the Description box, type a brief description of the Group and its intended use.
5. In the Manager list, select the Manager on which this Group resides. If you are editing an existing Group, this field shows the Manager on which it resides.
6. Make any necessary additions, changes, or deletions to the Group's Element Details grid.
7. Click Save to save your changes to the User-Defined Group.
To add a User-Defined Group's data elements:
1. Open the Build > Groups view.
2. In the Groups grid, double-click the User-Defined Group you want to work with. The Edit pane opens, showing the Group's current configuration.
3. At the bottom of the Edit pane, click the Add button. The Element Details form becomes active.
4. Complete the Element Details form as described in the following table.
   Field: Description
   Name: Type a name for the data element.
   Data: Type the specific data element that you want to include or ignore in your rules and filters. You can use an asterisk ( * ) as a wildcard to include all similar data elements.
   Description: Type a detailed description of the data element and its intended use, if appropriate. In this example, the data elements are a list of anti-virus firewall processes.
5. Click Save. The new element appears in the data element grid. Note that the table displays each element's name, data element, and description.
6. Repeat Steps 3-5 for each data element you want to add to the Group.
Edit pane opens, showing the Group's current configuration.
3. In the form's data element grid, select the data element you want to delete.
4. Click the Delete button. The element is removed from the Group's data element grid.
The following table explains how to select periods in the Time of Day Set's time grid.
To: Do this
Select a period: Click an individual check box to select that period.
Select a group of periods: Click and drag to select a range of periods. You can drag up, down, or diagonally.
Move a block of selected hours: Click the block of hours you want to move, holding down the mouse button so the pointer turns into a grabbing hand. Then drag the hour block into its new position.
Duplicate a block of selected hours: Press the Ctrl key. Then click the block of hours you want to copy, holding down the mouse button so the pointer turns into a grabbing hand. Then drag a copy of the hour block into position.
Invert your selection: Click the Invert button to select the opposite hours of the ones you have manually selected. This feature is useful when you want to select all but a few hours of the day. You can select the hours that do not apply to the Time of Day Set, and then click Invert to automatically select all of the hours that do apply to the Time of Day Set. For example, if you have your business hours selected, clicking Invert would select everything outside of your business hours.
Delete a selected period: Click the check box to clear that selection. You can also click and drag over a range of selected periods to clear those selections.
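As an added model (not code from this manual or from the LEM product), the following Python represents the time grid described above, seven day rows by 48 half-hour periods, applies the Invert behaviour from the table to turn a business-hours selection into an after-hours set, and checks whether an event timestamp falls inside the selected periods. The business-hours values are constructed for the example.

```python
from datetime import datetime

DAYS, SLOTS_PER_DAY = 7, 48  # seven day rows; 24 hours x two half-hour check boxes


class TimeOfDaySet:
    """One Boolean per 30-minute period of the week, as in the Time of Day Set grid."""

    def __init__(self):
        # Row 0 is Monday, matching datetime.weekday(); all periods start cleared.
        self.grid = [[False] * SLOTS_PER_DAY for _ in range(DAYS)]

    def select(self, days, start, end, value=True):
        """Select (or clear, with value=False) the periods from start to end hours,
        end exclusive, on each listed weekday. Half hours are allowed (8.5 = 08:30).
        This is the click-and-drag selection of a block of periods."""
        first, last = int(round(start * 2)), int(round(end * 2))
        for day in days:
            for slot in range(first, last):
                self.grid[day][slot] = value

    def invert(self):
        """The Invert button: every cleared period becomes selected and vice versa."""
        self.grid = [[not selected for selected in row] for row in self.grid]

    def contains(self, when):
        """True when the timestamp falls in a selected half-hour period; this is the
        test a rule or filter would make against the set."""
        slot = when.hour * 2 + (1 if when.minute >= 30 else 0)
        return self.grid[when.weekday()][slot]

    def selected_count(self):
        return sum(sum(row) for row in self.grid)


def after_hours_set():
    """Constructed example: business hours Mon-Fri 08:30-17:30 selected, then inverted,
    which is the Invert use case from the table above."""
    tod = TimeOfDaySet()
    tod.select(range(0, 5), 8.5, 17.5)  # 18 periods x 5 days = 90 business periods
    tod.invert()                        # 336 - 90 = 246 after-hours periods
    return tod


def after_hours_check(year, month, day, hour, minute):
    """Convenience wrapper so a timestamp can be tested without building a datetime."""
    return after_hours_set().contains(datetime(year, month, day, hour, minute))


if __name__ == "__main__":
    tod = after_hours_set()
    print("after-hours periods:", tod.selected_count())
    for stamp in (datetime(2024, 1, 2, 10, 0), datetime(2024, 1, 2, 17, 30),
                  datetime(2024, 1, 6, 12, 0)):
        print(stamp, "after hours:", tod.contains(stamp))
```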
An Agent can only be a member of one Tool Profile. It cannot be in multiple profiles. Each Tool Profile you create only applies to the Manager that is selected when you create it. If you need a similar Tool Profile for another Manager, you must create it separately for the other Manager.
To create a Tool Profile:
1. Open the Build > Groups view.
2. On the Groups grid toolbar, click the gear button and then click Tool Profile. The Tool Profile form appears.
3. In the Name box, type a name for the Tool Profile.
4. In the Description box, type a brief description of the Tool Profile and its intended use.
5. In the Manager list, select the Manager on which this Tool Profile is to reside. If you are editing an existing Group, this field shows the Manager on which it resides.
   Note: If the Manager you want is not listed, go to Manage > Appliances and log on to that Manager. You must be logged on to a Manager before you can create Groups for it.
6. In the Template list, select the Agent with the tool configuration this profile is to be based on. If you do not want to use a template, select None.
   Note: For best results, always select a template when creating a new Tool Profile. Otherwise, the profile will delete the tools on every Agent in the profile. If you do not want to use a template, then be sure to click Edit Tools and add tools to the profile before you add Agents and save the profile. If you do not, there will be no tools in the profile; and upon saving, any Agents in that profile will have their tools deleted.
7. Click Save. The new Tool Profile appears in the Groups grid.
Button: Function
- Removes the selected Agent from the Selected Agents list to the Available Agents list (and out of the profile).
- Removes all Agents from the Selected Agents list to the Available Agents list (and out of the profile).
5. Click Save to save the Tool Profile. Upon saving, the system applies the template Agent's tool configuration to every other Agent that you added to the profile.
Note: If you remove an Agent from a Tool Profile (that was previously saved with that profile), the Agent retains the profile's tool configuration, but will no longer have membership in the profile.
Troubleshooting tip
At times, not all of the Agents in a Tool Profile will use the same logging path for a particular tool. You can verify this by checking the Agent's configured tool status. If a tool has a status of (Not Running), it is likely that tool has a different logging path.
To correct this problem, you may want to add another tool instance to the profile's tool catalog that points to the alternative logging path. Or, you can create a new profile that has the alternative logging path.
configuration, you do not need to stop or start each tool instance. However, you must still activate the changes. This difference is because any time you edit a Tool Profile's tool configuration, you are working on the profile's configuration data, not an actual Agent. When editing a Tool Profile, you do not actually change the Agents that are members of the profile until you click Activate. Upon activating, the system automatically sends the changes out to every Agent that is a member of that profile, stops each tool instance, makes the changes, and then restarts each tool instance.
- Double-click the Tool Profile you want to edit.
- Click the gear button and then click Edit.
The Tool Profile pane opens, showing the Agents that are in the profile.
4. At the bottom of the Tool Profile pane, click Edit Tools. The Tool Configuration for [Tool Profile] form appears. The form's Tools grid contains all of the tool instances that define the Tool Profile.
- Click Activate to apply your changes to every Agent associated with the Tool Profile.
- Click Discard to discard your changes and reload the tool's previous configuration.
3. In the Properties form, update the tool settings, as needed.
4. Click Save.
5. Do one of the following:
   - Click Activate to apply your changes to every Agent associated with the Tool Profile.
   - Click Discard to discard your changes and reload the tool's previous configuration.
At times, not all of the Agents in a profile will use the same logging path for a particular tool. You can verify this by checking the Agent's configured tool status. If a tool has a status of (Not Running), it is likely that tool has a different logging path.
To correct this problem, you may want to add another tool instance to the profile's tool catalog that points to the alternative logging path. Or, you can create a new profile that has the alternative logging path.
6. Repeat this procedure for each tool instance you want to reconfigure.
7. Click Close to return to the Groups grid.
Managing Rules
The topics in this section explain how to manage your rules. Many management tasks can be done from the Rules grid, or in Rule Builder as you are configuring a rule.
Rule Creation
In the Build > Rules view, the Rule Creation tool is used to configure new rules and to edit existing rules. Like filters, you create rules by configuring conditions between alert variables and other components, such as Time of Day Sets, User-Defined Groups, Constants, etc. However, rules go a step further. They let you correlate alert variables with other alerts and their alert variables. By correlate, we mean you can specify how often and in what time frame the correlations must be met before the rule is triggered. The combined correlations dictate when the rule is to initiate an active response.
You can configure rules to fire after multiple alerts occur. The Manager will remember alerts if they meet the rule's basic conditions. It waits for the other conditions to be met, too. If they are, the Manager fires the rule. The rule does not take action until the alerts meet all of the conditions and correlations defined for that rule.
The possibilities for rules are endless. Therefore, this section describes how to create rules only in very general terms. This section is not intended to be a tutorial, but rather a reference for you to fall back on if you are unclear about how any part of Rule Creation works.
Note: Each rule you create only applies to the Manager that is selected when you created the rule. If you need a similar rule for another Manager, you must create it separately on the other Manager; or you can export the rule, and then import it from the other Manager's Rules grid.
Caution: Practice with filters before creating rules
The tools in Rule Creation are very similar to those found in Filter Creation. However, filters report event occurrences; rules act on them. There is no harm if you create a filter that is unusual or has logic problems. But this is not always the case with rules. Rules can have unexpected and sometimes unpleasant consequences if they are not configured exactly as you intend them to be. Inexperienced users should use caution when creating rules. Creating filters is an excellent way to familiarize yourself with the logic and tools needed to create well-crafted rules. You should only begin configuring rules after you are at ease with configuring filters. Even then, always test your rules before implementing them.
The Rule Creation view is a different view of the Rules view that allows you to configure and edit policy rules.
The rule window is the window that you will use to view, configure, and edit your policy rules.
The Correlations box is a component of the rule window that is used to configure the specific correlations that define the rule.
The following table describes the key features of the Rule Creation tool. The topics that follow discuss some of these features in greater detail.
Name: Description
Back to Rules Listing: Click this button to hide Rule Creation and return to the Rules grid. Rule Creation remains open in the background, so you can return to it to continue working on your rules. In the Rules grid, clicking Back to Rule Creation will return you to Rule Creation.
List pane: The list pane is the accordion list to the left. It contains categorized lists of the components you can use when configuring policy rules. It behaves exactly like the list pane in Filter Creation. To view the contents of a component list, click its title bar. To add a component to a rule, select it from its list and then drag it into the appropriate correlation box.
Rule window: Each rule you create or edit appears in its own rule window. This is where you name, describe, configure, edit, test, verify, and enable each rule. You can have multiple rule windows open at the same time. You can also minimize, maximize, resize, and close each window, as needed.
Minimized rule window bar: Any minimized rule windows appear in the bar at the bottom of the Rule Creation pane, behind the active rule window. Each minimized window shows the name of its rule. Clicking a minimized rule opens that rule in the Rule Creation pane.
Advanced Thresholds
Whenever a Group threshold or the Correlation Time form's Alerts within box has a value greater than 1, the Set Advanced Thresholds button becomes enabled. This button opens the Set Advanced Thresholds form, so you can define an alert event threshold and the re-inference period for that threshold. The threshold tells the Manager which specific alert fields to monitor to determine if a valid alert event has occurred (i.e., when to count the alert). For example:
- Threshold event x must occur multiple times on the same destination computer with the frequency defined in the Correlation Time box.
- Or, threshold event y must occur on different destination computers with the frequency defined in the Correlation Time box.
When the threshold event counter increases to the number shown in the Alerts box, the threshold itself becomes true and triggers the next set of conditions in the rule.
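As an added illustration (not from this manual, and not how the LEM Manager itself is implemented), the following Python replays a constructed set of alerts through a threshold that combines the Alerts within count, the Correlation Time window, and fields carrying the Same or Distinct modifier described in the next topic, covering both examples above: event x on the same destination computer, and event y across different destination computers. The field names SourceAccount and DestinationMachine and the restart of counting after each fire are assumptions; the triggering alert is returned so an action could bind a parameter from its fields.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample alerts (field names are assumptions, not the product's schema):
# failed logons carrying a source account and a destination machine.
SAMPLE_ALERTS = [
    {"time": datetime(2024, 1, 1, 9, 0), "SourceAccount": "alice", "DestinationMachine": "SRV1"},
    {"time": datetime(2024, 1, 1, 9, 1), "SourceAccount": "bob", "DestinationMachine": "SRV1"},
    {"time": datetime(2024, 1, 1, 9, 2), "SourceAccount": "alice", "DestinationMachine": "SRV1"},
    {"time": datetime(2024, 1, 1, 9, 3), "SourceAccount": "carol", "DestinationMachine": "SRV1"},
    {"time": datetime(2024, 1, 1, 9, 4), "SourceAccount": "dave", "DestinationMachine": "SRV2"},
    {"time": datetime(2024, 1, 1, 9, 20), "SourceAccount": "erin", "DestinationMachine": "SRV1"},
]


def evaluate_threshold(alerts, count, window, same=(), distinct=()):
    """Replay alerts in time order and report each time the threshold becomes true.

    count    -- the number in the "Alerts within" box
    window   -- the Correlation Time span (a timedelta)
    same     -- fields with the Same modifier: alerts are counted per value of these fields
    distinct -- fields with the Distinct modifier: only unique values count toward the total

    Returns a list of (fire_time, same_key, triggering_alert). Counting restarts after
    each fire; that reset behaviour is an assumption, not something the manual states.
    """
    buckets = {}  # same_key -> deque of (time, distinct_values) still inside the window
    fired = []
    for alert in sorted(alerts, key=lambda a: a["time"]):
        same_key = tuple(alert[f] for f in same)
        bucket = buckets.setdefault(same_key, deque())
        bucket.append((alert["time"], tuple(alert[f] for f in distinct)))
        # Drop alerts that have fallen out of the correlation window.
        cutoff = alert["time"] - window
        while bucket and bucket[0][0] < cutoff:
            bucket.popleft()
        # With a Distinct field, only unique values raise the counter.
        reached = len({vals for _, vals in bucket}) if distinct else len(bucket)
        if reached >= count:
            fired.append((alert["time"], same_key, alert))
            bucket.clear()
    return fired


def same_machine_distinct_accounts():
    """Event x: three distinct accounts failing on the same machine within 10 minutes."""
    return evaluate_threshold(SAMPLE_ALERTS, 3, timedelta(minutes=10),
                              same=("DestinationMachine",), distinct=("SourceAccount",))


def same_account_repeated():
    """The same account failing twice within 10 minutes."""
    return evaluate_threshold(SAMPLE_ALERTS, 2, timedelta(minutes=10),
                              same=("SourceAccount",))


def distinct_machines():
    """Event y: failures spread across two different machines within 10 minutes."""
    return evaluate_threshold(SAMPLE_ALERTS, 2, timedelta(minutes=10),
                              distinct=("DestinationMachine",))


if __name__ == "__main__":
    for fn in (same_machine_distinct_accounts, same_account_repeated, distinct_machines):
        for when, key, alert in fn():
            print(f"{fn.__name__}: threshold true at {when:%H:%M} for {key}, "
                  f"triggered by {alert['SourceAccount']} on {alert['DestinationMachine']}")
```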
1. Click the Set Advanced Thresholds button.
2. At the bottom of the form, click Add. The Available Fields pane has two boxes. The top box lists all of the alerts that have been applied to the rule's Correlations box. The bottom box lists the alert fields associated with whichever alert is currently selected in the top box.
3. In the top Available Fields box, select an alert. The fields associated with that alert appear in the lower Available Fields box.
4. In the lower Available Fields box, select the alert field that is to help define the alert threshold.
5. Below the Available Fields boxes, there is a drop-down list. It is called the Select Modifier list. In the Select Modifier list, select the appropriate option:
   - Select Same if the threshold is to be defined by the selected field being the same multiple times.
   - Select Distinct if the threshold is to be defined by the selected field being different each time.
6. Click the button to add the field. The field and its modifier appear in the Selected Fields grid.
7. Repeat Steps 2-6 for any additional threshold fields.
8. Click OK to save the fields to the threshold and close the form; otherwise, click Cancel. These fields now raise the threshold for the correlation event and its active response to occur.
3. In the Available Fields list, select the appropriate alert, and then the alert field.
4. In the Select Modifier list, select the new modifier for the field (Same or Distinct).
5. Click the button to add the field. The corrected field and its modifier appear in the Selected Fields box.
6. Click OK to close the form.
To delete a threshold field:
2. In the Selected Fields list, select the field you want to delete.
3. Click the Delete button. The threshold field disappears from the Selected Fields list.
4. Click OK to close the form.
provide actions with a great deal of flexibility. Say you have two network users: Bob and Jane. To disable Bob's user account, you could assign a constant to the rule that explicitly represents Bob's account. But doing so limits the rule to Bob's account. Now if you assign a field to the rule, the rule can be interpreted as follows: When user activity meets the conditions in the Correlations box to prompt the Disable Domain User Account action, use the alert's UserDisable.SourceAccount field to determine which user account to disable. If Bob triggered the rule, the Manager disables Bob's account. But if Jane also triggers the rule, the Manager can disable her account, too.
The top left of the Actions box shows the name of the action that is to be taken. In most cases, the Actions form will prompt you for specific parameters about the computer, IP address, port, alert, user, etc., that is to receive the action.
3. Use the list pane to assign the appropriate alert field or constant to each parameter:
   - In the Alerts or Alert Groups lists, select an appropriate alert field for each parameter, and drag it to the appropriate parameter box in the Actions form.
   - When needed, in the Constants list, select a constant for a parameter, and then drag it to the appropriate parameter box in the Actions form. Typically, you will select a text constant. Once the constant is in place, double-click the parameter box to edit the constant.
6. In the Description box, type a complete description of the rule, such as its use, purpose, or behavior.
7. Configure the rule's correlations.
8. If needed, configure the rule's correlation time and advanced threshold.
9. Configure the rule's active response.
10. Apply the appropriate Enabled, Test, and Subscription settings.
   - To assign rule subscribers, click the Subscribe list, and then click the check box for each user who is to subscribe to the rule.
   - If you want to use the rule immediately upon saving it, select the Enabled check box.
   - If you want to operate the rule in test mode before fully activating it, select the Test check box. It is highly recommended that you operate each new rule in test mode to confirm that the rule behaves as expected.
11. When you are satisfied with the rule's configuration, click Save. The Rules grid appears. The new rule appears in the Rules grid and in the Folders pane, in the folder you designated for the rule.
   Note: You can also click Apply to save your changes without closing the form.
12. To begin using (or testing) the revised rule, click Activate Rules.
The following table describes each key feature and field of a rule window.
Item Name: Description
Title bar: Each rule you create or edit appears in its own configuration window. Upon naming a rule, the window's title bar displays the name of the rule. You can also use the title bar to minimize, maximize, and resize the rule window. Minimized rule windows appear at the bottom of the Rule Creation pane.
Name: Type a name for the rule.
on: When creating a new rule, use this list to select which Manager the rule is to be associated with. Otherwise, when editing a rule, this field displays which Manager the rule is associated with.
in: Select the folder (in the Folders pane) in which the rule is to be stored.
Description: Type a description of what the rule does, or the situation for which the rule is intended. If the description extends beyond the visible area of the text box, a larger text box appears, so you can type a detailed description of the rule, its logic, its expected behavior, and its active response. When you are done typing, either press Tab or click anywhere outside the text box to close it.
Enable: Select this check box to enable the rule. Clear this check box to disable the rule.
Test: Select this check box to place the rule in test mode. Clear this check box to take the rule out of test mode. Note: You must enable a rule before you can test it.
Subscribe: Use this list to select which Console users are to subscribe to the rule. This means the system will notify the subscribing users' Consoles each time one of the subscribed-to rules triggers an alert. The alerts will appear in their alert grid.
Item
Description The Rule Status bar lists warnings and error messages about your rule's current configuration logic.
n
Click >to view a list of warning and error messages. Click a message flag to provide detailed information about the nature of that problem.
Click a message to highlight the specific area or field that is the source of that problem.
Correlations: Use the Correlations box to configure correlations between groups of alert events. You can coordinate multiple alert events into a set of conditions that will prompt the Manager to issue a particular active response. You set up correlations by dragging items from the Alerts and Alert Groups lists into this box, and then setting the specific conditions for the alert that are to prompt action. The Correlations toolbar lets you group alert conditions, and determine if they must all apply (an AND correlation) or if any of them may apply (an OR correlation) to prompt a response.

Correlation Time: Use the Correlation Time box to establish the allowable frequency and time span in which the correlation events must occur before the rule applies. The Advanced section lets you define an alert event threshold and the re-inference period for the threshold. The threshold tells the Manager which specific fields to monitor to determine if a valid alert event has occurred (i.e., when to count the alert). The box's Advanced section also lets you define a Response Window, which lets the rule ignore any events that occur outside (past or future) of the established period.
Actions: Use the Actions box to dictate which actions the rule is to execute when the events described in the Correlations and Correlation Time boxes occur. Examples of actions include sending an email message to your system administrator, or blocking an IP address.

Undo/Redo: Click the Undo button to undo your last desktop action. You can click the Undo button repeatedly to undo up to 20 steps. Click the Redo button to redo a step that you have undone. You can click the Redo button repeatedly to redo up to 20 steps. You can only use Undo or Redo for steps you made since the last time you clicked Apply.

Save/Cancel: Click Save to save your changes to a rule and close the rule window. Click the Cancel button to cancel any changes you have made to a rule since the last time you clicked Save, and close the rule window. If you have any unsaved changes, the system will prompt you to save or discard them.

Apply: Click Apply to save your changes to a rule, but keep the rule window open so you can continue working. You can click Apply at any time.
Collapse button: Once a group is configured properly, you may want to collapse it to avoid accidentally changing it.

Group button: This button appears at the top of every group box. Click it to create a new group within the group box. A group within a group is called a nested group. You may then drag alert variables and other items from the list pane into the nested group box. By using nested groups, you can refine correlations by combining or comparing one group of correlations to another to create the logic for complex correlations. Each group is subject to AND and OR relationships with the groups around it and within it. By default, new groups appear with AND comparisons.

Threshold button: This button opens the Threshold form for a group. The Threshold form is described below.

Delete button: This button appears at the top of every Group box and every correlation. Click it to delete a correlation or a particular group. Deleting a group also deletes any groups that are nested within that group.
Alert variable: From the Alerts, Alert Groups, or Fields list, drag an alert, Alert Group, or alert field into the Correlations box. This is called the alert variable. A rule can have multiple alerts and Alert Groups in its correlation configuration. You can think of an alert variable as the subject of each group of correlations. As alerts stream through the Manager, the rule analyzes the values associated with each alert variable to determine if the alert meets the rule's conditions. If so, the Manager either initiates an active response, or stores the alert for comparison with other alerts that may occur within the rule's allotted timeframe.

Operators: Whenever you drag a list item or a field next to an alert variable, an operator icon appears between them. The operator states how the rule is to compare the alert variable to the other item to determine if the alert meets the rule's conditions. Click an operator to cycle through the various operators that are available for that comparison; keep clicking until you see the operator you want to use. Ctrl+click an operator to view all of the operators that are available for that comparison, and then click to select the specific operator you want to use.

List item: List items are the various non-alert items from the list pane. You drag and drop them into groups to define rule correlations based on your Time Of Day Sets, Tool Profiles, User-Defined Groups, Constants, etc. Some alert variables automatically add a blank Constant as their list item. You can overwrite the Constant with another list item, or you can click the Constant to type or select a specific value for the constant. Note that each list item has an icon that corresponds to the list it came from. These icons let you quickly identify what kinds of items are defining your rule's correlations.

Threshold: The Threshold section lets you define a threshold for the correlations in a Group box. You can think of a threshold as a correlation frequency for the grouping; that is, the number of times the events defined by the group must occur within a specified period before the rule takes effect.
Set Advanced Threshold button: Whenever a group threshold's number of Alerts within [time] is greater than 1, this button becomes enabled so you can open the Set Advanced Thresholds form. This form lets you specify advanced threshold fields and define an advanced response window for the alert fields within the grouping.

AND/OR: Rule correlations and groups of correlations are subject to AND and OR comparisons.
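The correlation, nested group, threshold and correlation-time concepts in the tables above can be exercised outside the Console. The following is an added example, not LEM code: a small Python model of a rule whose correlations are nested AND/OR groups of field-to-constant comparisons, with a threshold of N matching alerts within a time window. Counting the threshold separately per value of a chosen field (here SourceMachine) is an assumption about how advanced threshold fields behave, and the rule name, field names and alert stream are all constructed for the example.

```python
"""Toy model of LEM-style rule correlation: nested AND/OR groups of
field-to-constant comparisons, plus a threshold of N matching alerts within
a time window, counted separately per value of chosen fields.
Added example with constructed data; it is not LEM's rule engine."""
import operator
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# A representative subset of the operators a correlation can cycle through.
OPERATORS = {
    "==": operator.eq,
    "!=": operator.ne,
    "contains": lambda left, right: str(right) in str(left),
}


@dataclass
class Condition:
    """One correlation: alert field <operator> list item (a constant)."""
    field_name: str
    op: str
    value: object

    def matches(self, alert: dict) -> bool:
        if self.field_name not in alert:
            return False  # a missing field never satisfies a comparison
        return OPERATORS[self.op](alert[self.field_name], self.value)


@dataclass
class Group:
    """A group box: children are Conditions or nested Groups, joined by AND or OR."""
    mode: str = "AND"
    children: list = field(default_factory=list)

    def matches(self, alert: dict) -> bool:
        if not self.children:
            return False  # an empty group can never be satisfied
        results = [child.matches(alert) for child in self.children]
        return all(results) if self.mode == "AND" else any(results)


@dataclass
class Rule:
    """Correlations plus Correlation Time (threshold within a window)."""
    name: str
    correlations: Group
    threshold: int = 1                          # matching alerts required...
    window: timedelta = timedelta(minutes=1)    # ...within this span
    threshold_fields: tuple = ()                # count per these values (assumption)
    pending: dict = field(default_factory=lambda: defaultdict(list))

    def process(self, alert: dict):
        """Feed one alert; return a response record if the rule fires, else None."""
        if not self.correlations.matches(alert):
            return None
        key = tuple(alert.get(f) for f in self.threshold_fields)
        times = self.pending[key]
        times.append(alert["time"])
        cutoff = alert["time"] - self.window   # drop matches outside the window
        times[:] = [t for t in times if t >= cutoff]
        if len(times) >= self.threshold:
            times.clear()  # reset so one burst does not fire repeatedly
            return {"rule": self.name, "time": alert["time"],
                    "key": dict(zip(self.threshold_fields, key))}
        return None


def run_rule(rule: Rule, alerts: list) -> list:
    """Replay alerts in time order and collect every active response."""
    responses = []
    for alert in sorted(alerts, key=lambda a: a["time"]):
        response = rule.process(alert)
        if response is not None:
            responses.append(response)
    return responses


def build_sample_rule() -> Rule:
    """Constructed rule: 3 logon failures from one machine within 5 minutes where the
    target is a privileged account or the source is a workstation, ignoring the
    (constructed) service account svc-backup."""
    correlations = Group("AND", [
        Condition("EventType", "==", "UserLogonFailure"),
        Group("OR", [
            Condition("DestinationAccount", "contains", "admin"),
            Condition("SourceMachine", "contains", "ws-"),
        ]),
        Condition("DestinationAccount", "!=", "svc-backup"),
    ])
    return Rule("Repeated logon failures (example)", correlations, threshold=3,
                window=timedelta(minutes=5), threshold_fields=("SourceMachine",))


def sample_alerts() -> list:
    """Constructed normalized alerts; names and times are not from any real system."""
    t0 = datetime(2012, 1, 1, 9, 0, 0)

    def mk(seconds, event, machine, account):
        return {"time": t0 + timedelta(seconds=seconds), "EventType": event,
                "SourceMachine": machine, "DestinationAccount": account}
    return [
        mk(0, "UserLogonFailure", "ws-101", "alice"),
        mk(30, "UserLogonFailure", "ws-101", "alice"),
        mk(45, "UserLogonFailure", "ws-202", "bob"),
        mk(60, "UserLogon", "ws-101", "alice"),            # success: wrong event type
        mk(70, "UserLogonFailure", "srv-05", "dom-admin"),  # matches via the OR branch
        mk(80, "UserLogonFailure", "srv-06", "carol"),      # neither OR branch matches
        mk(85, "UserLogonFailure", "ws-303", "svc-backup"), # excluded by the != condition
        mk(90, "UserLogonFailure", "ws-101", "alice"),      # third from ws-101: fires
        mk(120, "UserLogonFailure", "ws-101", "alice"),     # new burst, count restarts
        mk(540, "UserLogonFailure", "ws-202", "bob"),       # earlier ws-202 hit expired
    ]


if __name__ == "__main__":
    for response in run_rule(build_sample_rule(), sample_alerts()):
        print(response)
```

Replaying the constructed stream produces exactly one response, for ws-101 at 09:01:30; the ws-202 failure at 09:09:00 does not count with the one at 09:00:45 because the first has already fallen out of the five-minute window, which is the behaviour the Correlation Time box controls.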
Editing Rules
Whenever you need to edit a rule's name or configuration, you use the Rule Creation tool to make the necessary changes to the rule. When needed, you can edit multiple rules at the same time. It is not necessary to disable a rule before editing it. When you edit a rule, you are editing a local copy until you save and activate it. If the rule was enabled when you began editing it, it will continue to be enabled while you work on the new version. When you save the new version and then click Activate Rules, the Manager replaces the original rule with the new version.

To open rules for editing:
1. Open the Build > Rules view.
2. In the Folders pane, click the folder that contains the rules you want to edit. The Rules grid displays the rules associated with the selected folder and its subfolders.
3. In the Rules grid, click to select the rule (or rules) you want to edit.
4. Open the rules for editing as follows:
- To edit a single rule, either double-click the rule, or click the row's gear button and then click Edit.
- To edit multiple rules, click the grid's gear button and then click Edit.
Rule Creation appears, showing the rule's current configuration. If you opened multiple rules, they all appear as "cascaded" windows. You may now edit the rules.

Locked rules: If a prompt like the one shown here appears, it means another user is already editing one of the selected rules and has those rules "locked." In this case, you can do either of two things:
- You can proceed in a read-only fashion, which allows you to see the details of a rule.
- You can break the lock and take control over the rule, which means the other person will not be able to save any changes he or she makes to the rule.

To edit the rule:
1. Use Rule Creation to make any necessary changes to the rule's name, Manager, folder, description, enabled status, test-mode state, correlations, correlation time, or actions.
- If you want to use the rule immediately upon saving it, select the Enable check box.
- If you want to try the rule in test mode, select the Test check box.
2. Click Save. The Rules grid appears.
3. To begin using (or testing) the rule's new configuration, click Activate Rules.
Subscribing to a rule
You can assign rules to specific Console users, which means those users will subscribe to those rules. This means the system will notify the subscribing users' Consoles each time one of the subscribed-to rules triggers an alert. The alerts will appear in their Monitor view's alert grid. Rule subscriptions can be used in conjunction with filters and reports to monitor activity for specific rules. Each user can subscribe to as many different rules as needed. You can assign subscriptions in Rule Creation while you are creating the rule, or anytime later directly from the Rules grid.

To manage rule subscribers from the Rules grid:
1. Open the Build > Rules view.
2. In the Folders pane, click the folder that contains the rule you want to work with.
3. In the Rules grid, select the rules you want to work with.
4. On the Rules grid toolbar, click Subscribe. The Subscribe list opens. It only includes those Console users who are associated with the same Manager as the selected rule. A check box with a gray background means the user already subscribes to one or more of the selected rules, but not all of them.
5. Select the check box for each Console user who is to subscribe to the selected rules:
- Select a user's empty check box to have that user subscribe to all of the selected rules.
- Clear a user's gray check box to remove the user's subscription to all of the selected rules.
- Clear a user's gray check box and then select it again to have that user subscribe to all of the selected rules. Remember, these users are already subscribed to some rules, but not all of them. This procedure assigns all of the selected rules to that user.
As you can see, if you have multiple rules selected, each subscription change affects every selected rule.
6. Click Subscribe again to close the list. The selected Console users now subscribe to the selected rules.

To add rule subscribers from Rule Creation:
1. With a rule open in Rule Creation, click Subscribe. The Subscribe list opens. It only includes those Console users who are associated with the same Manager as the selected rule.
2. Manage the rule's subscribers as follows:
- Select the check box for each Console user who is to subscribe to this rule.
- Clear the check box for each subscriber who is no longer to subscribe to this rule.
3. Click Subscribe again to close the list.
4. Click Save. The selected Console users now subscribe to the rule.
Enabling a rule
The Manager only uses rules that are enabled. It ignores all other rules. Therefore, the Manager cannot use rules until you enable them. You can enable rules from the Rules grid, or directly from Rule Creation. In either case, the Enable check box lets you turn a rule on and off. Note: In the Rules grid, you can enable multiple rules at the same time. However, this command acts as a toggle on each individual rule that is selected. For example, if one rule is disabled and another is enabled, performing this command on both rules at the same time will invert the settings of both rules. So the first rule would become enabled, and the second would become disabled. Therefore, when performing this command on multiple rules, you will typically want to select only those rules that already have the same Enabled/Disabled state.
To enable rules from the Rules grid:
1. Open the Build > Rules view.
2. In the Folders pane, select the folder that contains the rules you want to enable.
3. In the Rules grid, select the rule (or rules) you want to enable.
4. Enable the rules as follows:
- To enable a single rule, click the row's gear button and then click Enable.
- To enable multiple rules, click the grid's gear button and then click Enable.
In the Rules grid, the rules' Enabled icons become active, which means the rules are now enabled. However, the Manager cannot begin using these rules until you activate them.
5. Click Activate Rules to begin using the rules.

To enable a rule from Rule Creation:
1. With a rule open in Rule Creation, select the Enable check box.
2. When you are finished configuring the rule, click Save. The Rules grid appears, with the enabled icon appearing in the rule's Enabled column. This icon means the rule is now enabled. However, the Manager cannot begin using the rule until you activate it.
3. Click Activate Rules to begin using the rule.
Note: In the Rules grid, you can change the test mode of multiple rules at the same time. However, this command acts as a toggle on each individual rule that is selected. For example, if one rule is in test mode and another isn't, performing this command on both rules at the same time will invert the settings of both rules. So the first rule would move out of test mode, and the second would move into test mode. Therefore, when performing this command on multiple rules, you will typically want to select only those rules that already have the same Test On/Test Off state.

To place rules in test mode in the Rules grid:
1. Open the Build > Rules view.
2. In the Folders pane, select the folder that contains the rules you want to test.
3. Check the rules' Enabled status. If any of the rules you want to test show a "disabled" icon, then they need to be enabled. You can do this by clicking the row's gear button and then clicking Enable. In the Rules grid, the enabled icon appears in the rule's Enabled column to indicate that the rule has been enabled.
4. In the Rules grid, select the rule (or rules) you want to test.
5. Place the rules in test mode as follows:
- To put a single rule in test mode, click the row's gear button and then click Test On.
- To put multiple rules in test mode, click the grid's gear button and then click Test On.
In the Rules grid, the rules are in test mode.
6. Click Activate Rules.
To remove a rule from test mode in the Rules grid:
1. Open the Build > Rules view.
2. In the Folders pane, select the folder that contains the rules you want to work with.
3. In the Rules grid, select the rule (or rules) you want to work with.
4. Remove the rules from test mode as follows:
- To remove a single rule from test mode, click the row's gear button and then click Test Off.
- To remove multiple rules from test mode, click the grid's gear button and then click Test Off.
In the Rules grid, the "disabled" icon appears in the rules' Test column to indicate that the rules are no longer in test mode.
5. Click Activate Rules. The rules are now fully functional.

To place a rule in test mode from Rule Creation:
1. Open the Build > Rules view.
2. In the Folders pane, click the folder that contains the rule you want to test.
3. In the Rules grid, click to select the rule you want to test.
4. On the Rules grid toolbar, click Edit. Rule Creation appears, showing the rule's current configuration.
5. Select the Enable check box.
6. Select the Test check box. Note: To test a rule, you must have both Enable and Test checked. If only Enable is checked, the rule is completely enabled (that is, it is fully in use). If only Test is checked, the rule will not be enabled, which means the Manager will not be able to use it for testing.
7. Click Save. The Rules grid appears.
8. Click Activate Rules. The rule is now in test mode.

To fully activate a rule from Rule Creation:
1. Open the rule in Rule Creation, as described above.
2. Clear the Test check box.
3. Click Save.
4. On the Rule Builder toolbar, click Activate Rules. The rule is now fully functional.
Activating rules
Whenever you create a new rule or change an existing rule, you are working on a local copy of the rule. The Manager has no way of using the rule change until you activate it. Activating a rule tells the Manager to reload the enabled rules it is working on, which allows it to pick up the changes you just made. You must activate rules whenever you create a new rule, edit an existing rule, or make changes to a rule's Enabled/Disabled or Test On/Test Off status. Otherwise, the Manager will not recognize the change. To activate rule changes, both the Rules grid and Rule Creation have an Activate Rules command. This command sends any new rule changes to the Manager for immediate use. In Rule Creation, the Activate Rules command leaves Rule Creation open so you can continue working.

To activate rules from the Rules grid:
1. Open the Build > Rules view.
2. Make any necessary changes to your rules.
3. On the Rules grid toolbar, click Activate Rules. The Manager activates any new rule changes and begins processing all enabled rules.
To activate rules from Rule Creation:
At any time, in Rule Creation, click Activate Rules. The Manager activates any new rule changes and begins processing all enabled rules. However, Rule Creation stays open so you can continue working. The rule you are currently working on is not activated. It cannot be activated until it is first saved.

Disabling a rule
The Manager will continue to use any active rules, so long as they are enabled. If needed, you can easily turn off rules by disabling them. However, the Manager will continue to use those rules until you activate their new disabled status with the Activate Rules command. Note: In the Rules grid, you can disable multiple rules at the same time. However, this command acts as a toggle on each individual rule that is selected. For example, if one rule is disabled and another is enabled, performing this command on both rules at the same time will invert the settings of both rules. So the first rule would become enabled, and the second would become disabled. Therefore, when performing this command on multiple rules, you will typically want to select only those rules that already have the same Enabled/Disabled state.

To disable rules from the Rules grid:
1. Open the Build > Rules view.
2. In the Folders pane, select the folder that contains the rules you want to disable.
3. In the Rules grid, select the rule (or rules) you want to disable.
4. Disable the rules as follows:
- To disable a single rule, click the row's gear button and then click Disable.
- To disable multiple rules, click the grid's gear button and then click Disable.
In the Rules grid, the Enabled column for each rule shows a disabled icon to indicate the rules are now inactive.
5. Click Activate Rules. The Manager stops processing the disabled rules.

To disable a rule from Rule Creation:
1. Open the rule you want to disable in Rule Creation.
2. Clear the Enable check box.
3. Click Save. The Rules grid appears.
4. Click Activate Rules. The Manager stops processing the disabled rule.
Cloning rules
The Clone command lets you copy any existing rule, make changes to the copy, and then save the copy with a new name in one of your Custom Rules sub-folders. The benefit of cloning is that you can quickly create variations on existing rules. For example, you can clone a preconfigured rule, such as a rule from the Rules or NATO5 Rules folder, and then adjust the cloned copy to suit your specific needs. Note: A cloned rule must be for the same Manager as the original rule. That is, you cannot clone a rule from one Manager and save it for another Manager.

To clone rules:
1. Open the Build > Rules view.
2. In the Folders pane, click the folder that contains the rule you want to clone.
3. In the Rules grid, click to select the rule you want to clone.
4. Click the row's gear button and then click Clone. The Clone Rule form appears.
5. In the Clone Name box, type a name for the cloned rule.
6. In the Folders list, select which Custom Rules folder is to store the cloned rule.
7. Click OK to save the cloned rule; otherwise, click Cancel. The newly cloned copy of the rule automatically opens in Rule Creation so you can begin making changes.
Importing a rule
You can import a rule from a remote source into a particular rule folder. For example, you may want to import a rule from one Manager to another. Or you can import a rule that is provided by SolarWinds. You may only import one rule at a time.

To import a rule to a rule folder:
1. Open the Build > Rules view.
2. On the Rules grid toolbar, click the grid's gear button and then click Import. The Open form appears.
3. In the Look In box, browse to and open the folder that contains the rule you want to import.
4. Select the rule file you want to import. Rule files are always .xml files. The file you selected appears in the File Name box.
5. Click Open to import the file; otherwise, click Cancel. The Import Rules form appears.
6. In the Manager list, select which Manager the imported rule is to be associated with.
7. In the Folders list, click to select the rule folder that is to store the imported rule. You will need to click a folder's > icon to view its sub-folders.
8. Click Import. The system imports the rule into the designated rule folder.
Exporting rules
Exporting rules is useful for three reasons:
- You can export a rule from one Manager and import it into another Manager.
- You can export rules to save archived copies in a safe place.
- You can export rules to provide SolarWinds with a copy of your rule for technical support or troubleshooting purposes.
You can export multiple rules at the same time. The rules will be saved to a new folder that contains each rule.

To export rules:
1. Open the Build > Rules view.
2. In the Folders pane, select the folder that contains the rules you want to export. The Rules grid displays the rules in that folder.
3. In the Rules grid, select the rules you want to export.
4. On the Rules grid toolbar, click the grid's gear button and then click Export. The Select Directory to Export Rule to form appears.
5. In the Save in box, locate the general area in which you want to save the exported rule folder.
6. In the File name box, type a name for the folder that is to contain the exported rules. Note: Rules are saved as .xml files.
7. Click Save. The rules are exported and saved in the folder you specified. Each exported rule retains its name and the date and time on which it was exported. If an Export Error message appears, it means one or more of the rules failed to export. If you are exporting multiple rules, the system exports as many as it can, and the message lists which rules failed to export and which ones succeeded. Click OK to close the form.
Deleting Rules
When needed, you can easily delete rules. You can delete one rule at a time, or you can delete multiple rules. Deleting a rule is permanent. Once a rule is deleted, it can only be restored by recreating it or by importing a previously exported rule.

To delete rules:
1. Open the Build > Rules view.
2. In the Folders pane, select the folder that contains the rule you want to delete. The Rules grid displays the rules in that folder.
3. In the Rules grid, select the rule (or rules) you want to delete.
4. Delete the rules as follows:
- To delete a single rule, click the row's gear button and then click Delete.
- To delete multiple rules, click the grid's gear button and then click Delete.
5. At the Confirm Delete prompt, click Yes to delete the rules; otherwise, click No. The rules disappear from the Rules grid.
6. Click Activate Rules to notify the Manager that the rules were deleted.
monitor log files, as well as data that is logged to the Agent's computer from remote devices that cannot have their own Agents. An Agent's active response tools (actors) allow the Agent to receive instructions from the Manager and perform active responses locally, on the Agent's computer, such as sending pop-up messages or detaching USB devices. Once you understand how the tools work, the following procedures guide you through the tool configuration process needed to integrate LEM with your network security products and devices.

The Tool Configuration form has similar features, whether you are configuring or editing a Manager, an Agent, or a Tool Profile. The following table describes the key features of the Tool Configuration form.

Sidebar button: Click the Sidebar button to alternately hide and open the form's Refine Results pane.

Refine Results pane: By default, the Tools grid shows all of the products that are supported. The Refine Results pane lets you apply filters to the grid to reduce the number of products it shows. This way, you can show only those products that are configured for use with this Agent, or that are associated with a particular product category or status (Running or Stopped).

Tools grid: The Tools grid lists all of the sensor and actor tools that are available to each Agent. These tools are what allow LEM to monitor and interact with your network security products and devices. Tools are organized by category and product name. Each tool is named after the third-party product it is designed to configure for use with LEM.

New tool instance button: Click this button to create a new tool instance for the sensor or actor that is currently selected in the Tools grid.
Properties pane: This pane displays detailed information about the tool that is currently selected in the Tools grid. If the tool is not configured, this pane displays a description of the tool. If the tool is configured, this pane displays the tool's configuration settings as read-only information. Whenever you add or edit a tool, this pane turns into an editable form for recording the tool's configuration settings.
Tools grid icons:

Blue tool icon: A blue tool icon represents a sensor for a particular product. The sensor displays the name of the product it is designed to monitor. Each tool instance (or alias) that is currently configured to monitor that product is listed below the tool. If no tool instances are listed, it means the product, on this Agent computer, has not been configured for use with LEM. Whenever you select a sensor in the grid, the lower pane displays the tool's name and a description of the sensor, when available.

Orange tool icon: The orange tool icon represents an actor for a product that can perform an active response. The actor displays the name of the product it is designed to interact with. Each tool instance (or alias) that is currently configured to initiate an active response on that product is listed below the tool. If no tool instances are listed, it means the product, on this Agent computer, has not been configured for use with LEM. Whenever you select an actor in the grid, the lower pane displays the tool's name and a description of the actor, when available.

Sensor instance icon: This icon represents a configured instance of a sensor tool. Each sensor can have more than one instance, where each configuration is identified by a different name, called an alias. In the grid, each configured tool instance appears below its tool. Whenever you select a sensor tool instance in the grid, the lower pane displays the sensor tool's name, and the tool instance's name (or alias) and configuration settings. The Status column displays each instance's current status: Stopped or Running.

Actor instance icon: This icon represents a configured instance of an actor tool. Each actor can have more than one instance, where each configuration is identified by a different name, called an alias. In the grid, each configured tool instance appears below its tool. Whenever you select an actor tool instance in the grid, the lower pane displays the actor tool's name, and the tool instance's name (or alias) and configuration settings. The Status column displays each instance's current status: Stopped or Running.
Status: Select Running to list all of the tools that are currently running on the Manager or Agent you are working with. Select Stopped to list all of the tools that are currently stopped on the Manager or Agent you are working with.
View tab: Upon opening or running a report, the Ribbon automatically switches to the View tab, which has a toolbar for printing, exporting, resizing, and viewing the report. If you click the View tab without having opened a report, the Preview pane shows a blank page. If you click the View tab and you have run a report, the Preview pane displays the contents of the report.

Grouping bar: You can use the yellow bar above the grid to group, sort, and organize the reports list.

Report list/Preview pane: By default, this section is a grid that displays a list of SolarWinds Standard Reports. Upon selecting a different report category, the grid changes to list the reports that are in that category. You use this grid to select the report that you want to run or schedule. You can also filter and sort the grid to quickly find the reports you want to work with. Upon opening or running a report, this section changes into a report Preview pane that displays the report. The Ribbon also automatically switches to the View tab, which has a toolbar for printing, exporting, resizing, or viewing the report.
- Setting up the nDepth Appliance (if you are using a separate nDepth Appliance to store original log messages).
- Configuring your network tools (sensors) for use with nDepth to store original log messages.
How many days of live data will the LEM database store? The number of days' worth of live data that the LEM database will store varies for every implementation. The information below should help you determine this number for your environment, while also promoting a more detailed understanding of how the database works in general.
This article contains the following sections:
- What the LEM Database Stores
- Where to Find the Numbers

The LEM database holds three kinds of data:
1. Syslog/SNMP data from devices logging to the LEM appliance;
2. Normalized Alert data; and
3. Original, or "raw," log data, if enabled.
For the sake of this article, we'll call #1 the Syslog store. The Syslog store consists of all Syslog/SNMP log data that is sent to the LEM appliance. The LEM appliance reads and processes the data in real time, and then sends it to the Alert store for long-term storage. The LEM appliance stores the original data for 50 days in its original format, just in case you need to review it, and compresses and rotates the data in the Syslog store daily, maintaining a consistent 50 days' worth of data. The amount of data being stored here should level off at around the 50-day mark.

The Alert store, #2 above, consists of all of the normalized Alerts generated by the LEM Manager and LEM Agents. Data in this store is compressed at a ratio of 40:1 to 60:1, which equates to an average compression rate of about 95-98%. LEM Reports and nDepth query this store for Alert data whenever they're run.

Finally, the original log store, #3 above, is an optional store for original, or "raw," log messages, which is searchable using Log Message queries in nDepth. The data in this store can come from LEM Agents or other devices that are logging to the LEM appliance. You can define whether data is sent to this store at the tool level, so not all devices have to log in this manner. For more information, see Configuring Your LEM Appliance for Log Message Storage and nDepth Search in the SolarWinds Knowledge Base.
You can also generate an ad hoc Disk Usage summary by running the diskusage command from the cmc::acm# (cmc > appliance) prompt. The two lines to note here are:

Logs/Data: This figure represents the total space being utilized by your LEM database. This value is presented in the percent% (usedG/allocatedG) format, where percent is the percent of the allocated space that is currently being used, used is the actual amount of space that is currently being used, and allocated is the total amount of space that is currently allocated to the LEM database.

Logs: This figure represents the amount of space being utilized by the Syslog store. This figure is included in the used figure noted above.

To figure out how much space is currently being utilized by your Alert store, subtract the Logs value from the used value. Note: If you are storing original log messages in your LEM database, the calculation above will show you the combined space being utilized by both your Alert and original log stores.

Database Maintenance Report
Run the Database Maintenance Report in LEM Reports to see a snapshot of your current database utilization. For the sake of this discussion, note the following sections:

Disk Usage Summary: This section provides disk usage figures as percentages of the space allocated to the LEM database.

Disk Usage Details: This section provides the actual amounts related to the percentages in the Disk Usage Summary section.

Database Time Span (days): Note the Alert DB value in this section. This value tells you how many days' worth of live Alert data is currently stored on your LEM database. For detailed information about this value, see the second page of the Database Maintenance Report. Note: The Other Files figure in the Database Maintenance Report consists primarily of the data in the Syslog store noted above.
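As an added example (not a SolarWinds tool), the following Python parses the two diskusage lines described above and derives the Alert store size as used minus Logs, refusing to produce a figure when the capture is garbled or the numbers disagree. The sample output is constructed to follow the percent% (usedG/allocatedG) format the page describes; the exact label spacing and the format of the Logs line are assumptions, and the caveat about the original log store is carried into the result.

```python
"""Parse the Logs/Data and Logs lines of a LEM diskusage summary and derive the
Alert store size. Added example; the sample output is constructed to match the
'percent% (usedG/allocatedG)' format and is not real appliance output."""
import re

# Constructed sample, not captured from an appliance; label spacing is assumed.
SAMPLE_DISKUSAGE = """\
Disk Usage Summary (constructed example)
Logs/Data:  62% (124G/200G)
Logs:       38G
Other:      5G
"""

LOGS_DATA_RE = re.compile(
    r"^Logs/Data:\s*(\d+)%\s*\(\s*(\d+(?:\.\d+)?)G\s*/\s*(\d+(?:\.\d+)?)G\s*\)", re.M)
LOGS_RE = re.compile(r"^Logs:\s*(\d+(?:\.\d+)?)G", re.M)


def parse_diskusage(text: str, original_logs_enabled: bool = False) -> dict:
    """Return the figures from a diskusage summary plus the derived Alert store size.

    Raises ValueError when a required line is missing or the figures disagree, so a
    garbled capture is not silently turned into a wrong capacity estimate."""
    m = LOGS_DATA_RE.search(text)
    if not m:
        raise ValueError("Logs/Data line not found")
    percent, used, allocated = int(m.group(1)), float(m.group(2)), float(m.group(3))
    l = LOGS_RE.search(text)
    if not l:
        raise ValueError("Logs line not found")
    logs = float(l.group(1))
    if allocated <= 0 or used > allocated or logs > used:
        raise ValueError("figures are inconsistent")
    # The percent is reported rounded; tolerate one point of rounding.
    if abs(round(100 * used / allocated) - percent) > 1:
        raise ValueError("percent does not match used/allocated")
    return {
        "percent_used": percent,
        "used_gb": used,
        "allocated_gb": allocated,
        "free_gb": allocated - used,
        "syslog_store_gb": logs,
        # Logs is included in used, so used - Logs is the Alert store; with
        # original log storage enabled it is Alert + original log stores combined.
        "alert_store_gb": used - logs,
        "alert_store_includes_original_logs": original_logs_enabled,
    }


def compression_savings(ratio: float) -> float:
    """Fraction of space saved by an N:1 compression ratio (40:1 -> 0.975)."""
    if ratio <= 0:
        raise ValueError("ratio must be positive")
    return 1 - 1 / ratio


if __name__ == "__main__":
    for key, value in parse_diskusage(SAMPLE_DISKUSAGE).items():
        print(f"{key}: {value}")
```

On the constructed sample the Alert store works out to 86 GB of the 124 GB used; compression_savings(40) and compression_savings(60) give 97.5% and about 98.3%, the upper end of the 95-98% range quoted above.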
original log store noted above. If you have not enabled your LEM appliance and tools to store original log messages, this report will be blank.
- Back up your LEM virtual appliance on a regular basis. This will give you "offline" storage for all of your LEM data stores and configuration settings. For instructions and recommendations, see the Log & Event Manager > Backup section of the SolarWinds Knowledge Base.
- Decrease the number of days for which Syslog/SNMP data is stored on your LEM virtual appliance.
- Deploy another LEM virtual appliance to be used as a Syslog server.
- Deploy another LEM virtual appliance to be used as a database server.
- Increase the space allocated to your LEM virtual appliance.
4. If you cannot ping the appliance by hostname, try pinging the appliance by IP address.
5. If you can ping the appliance by IP address, do one of the following:
   - Edit spop.conf so the LEM Agent calls the LEM appliance by its IP address instead of its hostname. For instructions, see the spop.conf procedure later in this section.
   - Change your DNS settings so the LEM Agent computer can resolve the LEM appliance's hostname (recommended).
6. If you cannot ping the appliance by IP address, resolve any network or firewall issues between the LEM Agent and appliance.

To edit spop.conf so the LEM Agent calls the LEM appliance by its IP address (Windows):

1. Stop the SolarWinds Log and Event Manager Agent service.
2. Delete the spop folder (do not delete the ContegoSPOP folder).
3. In the ContegoSPOP folder, open and modify the spop.conf file by replacing the ManagerAddress value with the LEM appliance's IP address.
4. Save and close the file.
5. Start the SolarWinds Log and Event Manager Agent service.
3. If the necessary connectors are configured and running, delete and recreate the connectors that are not working.
Contacting Support
If you still do not see alerts from your LEM Agents after completing these procedures, send the following files to SolarWinds Support (default paths): 32-bit Windows OS:
Virtual Console: Arrow down to Advanced Configuration, and then press Enter.
3. At the cmc> prompt, enter appliance.
4. At the cmc::acm# prompt, enter checklogs.
5. Enter an item number to select a log file to view.
6. Check each log file that is not empty for evidence that the device is logging to the appliance, such as the device's product name, device name, or IP address.
5. If the device is sending SNMP traps to the LEM appliance, verify you have configured the LEM appliance to accept SNMP traps.
6. Verify a firewall is not blocking communication between the device and the LEM appliance.

To configure your LEM Manager to accept SNMP traps:

1. Connect to your LEM appliance using a virtual console or SSH client.
2. Access the CMC prompt:
   - Virtual Console: Arrow down to Advanced Configuration, and then press Enter.
3. At the cmc> prompt, enter service.
4. At the cmc::scm# prompt, enter enablesnmp.
5. Press Enter to confirm your entry.
6. After you see the message "Done starting the SNMP service", enter exit to return to the cmc> prompt.
Contacting Support
If you still do not see alerts from your network device after completing these procedures, send a screenshot of your device's logging configuration screens to SolarWinds Support.
Widget name/Filter and Description

File Audit Failures by Source Account: Displays the top 10 source accounts generating file audit failures.
Firewall: Displays all alerts from firewall devices.
Firewall Alerts by Firewall: Displays the top 5 firewalls generating firewall alerts.
Firewall Alerts by Type: Displays the top 5 firewall alerts by alert type.
Incidents: Displays all Incident alerts.
Incidents by Rule Name: Displays the top 5 incidents by the name of the rule that generated the Incident.
Interactive Logons by User Account: Displays the top 10 user logons by user account name.
My Rules Fired by Rule Name: Displays the top 5 subscribed alerts by the name of the rule that generated them.
Network Alerts: Displays all Network alerts.
Network Alerts by Source Machine: Displays the top 10 machines generating network alerts.
Network Alert Trends: Displays the top 10 network-related alerts by alert type.
Rule Activity: Shows all of the rules that have fired.
Rules Fired by Rule Name: Displays the top 5 rules fired by rule name.
Security Processes: Displays process launches and exits from processes in the "Security Processes" User-Defined Group, which is used to monitor critical security-related processes.
Security Processes by Agent: Displays the top 10 Agents generating security process alerts.
Subscriptions: Displays alerts created by rules you are "Subscribed" to in the Rules area.
SolarWinds Alerts: Displays all Internal alerts (alerts generated during operation of the LEM).
Unusual Network Traffic: Displays alerts that indicate unusual or suspicious network traffic.
Unusual Network Traffic by Destination: Displays the top 5 destinations for unusual network traffic.
Unusual Network Traffic by Source: Displays the top 10 sources of unusual network traffic.
USB Defender: Displays all USB-Defender events.
USB-Defender Activity by Detection IP: Displays the top 5 Agents with the most USB-Defender alerts.
USB File Auditing: Displays USB-Defender's File Auditing events.
USB File Auditing by Detection IP: Displays the top 5 Agents with the most USB file auditing alerts.
User Logons: Displays all user account logons.
User Logons by Agent: Displays the top 5 Agents reporting user logons.
User Logons by Source Machine: Displays the top 5 user logons by source machine.
User Logons by User Account: Displays the top 10 user logons by user account name.
User Logons (Interactive): Displays interactive user account logons.
Virus Attacks: Displays all virus attack alerts.
Virus Attacks by Source Machine: Displays the top 5 sources of virus attacks or infections.
Appendix B: Alerts
This appendix describes every alert type that is displayed in the Alerts Panel and that can be configured with the Policy commands.
Types of Alerts
LEM reports alerts in a hierarchical node tree, shown here. When you click a node to open it, you will see that most nodes also have lower-level nodes. Each node that has lower-level nodes is called a parent node. Similarly, all lower-level nodes below a particular parent node can be thought of as child nodes, or children, of that parent node. Naturally, the terms parent and child apply to a node relative to its position and role in the node tree. That is, a node can be a child to one node and a parent to others.
LEM automatically assigns alerts to the nodes of the alert tree based on the specific nature of the alert and its severity.

Alert types

There are five types of alerts:

- Security Alerts are generally related to network activity that is consistent with an internal or external attack, a misuse or abuse of resources, a resource compromise, resource probing, or other abnormal traffic that is noteworthy. Security Alert events indicate aggressive behavior that may lead to an attack or resource compromise, or suspicious behavior that may indicate unauthorized information gathering. LEM infers some Security Alerts from what is normally considered audit traffic, but it escalates the events to alert status based on thresholds that are defined by Rules.
- Internal Alerts are related to the operation of the LEM system. Any events generated by LEM relating to Active Response, LEM users, or LEM errors will appear under one of the many children. These alerts are for informational purposes. They do not necessarily reflect conditions that should cause alarm. Alerts that may reflect potential issues within LEM are specifically marked for forwarding to SolarWinds.
- Audit Alerts are generally related to normal network activity that would not be considered an attack, compromise, or misuse of resources. Many of the audit alerts have rules that can be used to threshold and escalate normal behavior into something which may be considered a security event.
- Incident alerts are used to raise global enterprise-wide visibility in response to any issue detected by Rules. Incidents generally reflect serious issues that should be addressed. Since Incidents are created by Rules, any combination of malicious or suspicious traffic from any other single alert or combination of alerts can create an Incident.
- Asset alerts relate to the changing state of different types of enterprise assets, including software, hardware, and users. These alerts can indicate changes made to system configurations, software updates, patch applications, vulnerability information, and other system events.
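As an added illustration (example code, not LEM's own implementation) of the two ideas above, the parent/child alert tree and a Rule that thresholds repeated Audit alerts into a Security alert, the script below builds the tree from paths written in this appendix's "parent > child" notation and applies a sliding-window rule that escalates repeated UserLogonFailure alerts for one account to FailedAuthentication, the escalation this appendix describes for that alert. The node name SecurityAlert for the root of the Security tree, the assumption that a rule scoped to a parent node covers its children, the threshold and window values, and the sample events are all constructed for the example.

```python
from collections import defaultdict, deque

# Alert paths in this appendix's "parent > child" notation. AuditAlert is the
# root named in the Audit Alerts section; SecurityAlert as the name of the
# Security tree's root is an assumption of this example.
ALERT_PATHS = [
    "AuditAlert > AuthAudit > UserAuthAudit > UserLogon",
    "AuditAlert > AuthAudit > UserAuthAudit > UserLogonFailure",
    "AuditAlert > AuthAudit > UserAuthAudit > UserAuthTicketFailure",
    "AuditAlert > AuthAudit > GroupAudit > NewGroupMember",
    "AuditAlert > ResourceAudit > FileAudit > FileAuditFailure",
    "SecurityAlert > FailedAuthentication",
]


def build_tree(paths):
    """Map each node to its parent (roots map to None), rejecting conflicting parents."""
    parent = {}
    for path in paths:
        nodes = [n.strip() for n in path.split(">")]
        parent.setdefault(nodes[0], None)
        for par, child in zip(nodes, nodes[1:]):
            if parent.setdefault(child, par) != par:
                raise ValueError(f"{child} is listed under both {parent[child]} and {par}")
    return parent


def ancestors(parent, node):
    """Parent chain from the node's immediate parent up to its root."""
    chain = []
    while parent.get(node) is not None:
        node = parent[node]
        chain.append(node)
    return chain


def in_subtree(parent, alert_type, node):
    """True if alert_type is node itself or lies anywhere beneath it (assumed rule scoping)."""
    return alert_type == node or node in ancestors(parent, alert_type)


def escalate_failed_logons(parent, events, threshold=5, window_s=300, node="UserLogonFailure"):
    """Threshold rule: `threshold` alerts under `node` for one account within `window_s`
    seconds escalate to FailedAuthentication. `events` are (timestamp_s, alert_type,
    account). Threshold and window are assumed tuning values, not figures from the manual.
    Returns the escalations as (timestamp_s, account, escalated_alert_type)."""
    recent = defaultdict(deque)
    escalations = []
    for ts, alert_type, account in sorted(events):
        if not in_subtree(parent, alert_type, node):
            continue
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()  # drop failures that fell out of the sliding window
        if len(q) >= threshold:
            escalations.append((ts, account, "FailedAuthentication"))
            q.clear()  # one escalation per burst, then start counting afresh
    return escalations


# Constructed sample events: seconds since start, alert type, account.
SAMPLE_EVENTS = [
    (0, "UserLogonFailure", "jdoe"),
    (30, "UserLogonFailure", "jdoe"),
    (60, "UserLogon", "jdoe"),            # a success does not count toward the threshold
    (90, "UserLogonFailure", "jdoe"),
    (120, "UserLogonFailure", "jdoe"),
    (150, "UserLogonFailure", "jdoe"),    # fifth failure inside 300 s: escalate
    (200, "UserLogonFailure", "asmith"),  # a different account is counted separately
    (1000, "UserLogonFailure", "jdoe"),   # outside the window: a fresh count starts
]

if __name__ == "__main__":
    tree = build_tree(ALERT_PATHS)
    print("UserLogonFailure under AuthAudit:", in_subtree(tree, "UserLogonFailure", "AuthAudit"))
    for ts, account, alert in escalate_failed_logons(tree, SAMPLE_EVENTS):
        print(f"t={ts}s account={account} escalated to {alert}")
```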
Asset Alerts
Asset Alerts deal with assets and asset scan results. They relate to the changing state of different types of enterprise assets, including software, hardware, and users. Asset information can come from centralized directory service tools, or it can be scan information from security scan tools, including Vulnerability Assessment and Patch Management tools. Therefore, these alerts indicate changes made to system configurations, software updates, patch applications, vulnerability information, and other system events. Each Asset Alert is described below. For your convenience, they are listed alphabetically.

AssetManagement
AssetManagement alerts are for gathering non-realtime data about system assets (computer, software, users). The data will come from various sources, including Directory Service tools.

AssetManagement > MachineAsset
MachineAsset is a specific type of AssetManagement alert that indicates additions, removals, and updates (including software installation) of specific nodes that exist in the enterprise.

AssetManagement > MachineAsset > MachineAssetAdded
MachineAssetAdded alerts indicate a new presence of a node (host or network device) in the enterprise.

AssetManagement > MachineAsset > MachineAssetRemoved
MachineAssetRemoved alerts indicate the removal of a node (host or network device) from the enterprise.

AssetManagement > MachineAsset > MachineAssetUpdated
MachineAssetUpdated alerts indicate a change to an existing node (host or network device) in the enterprise, including new software and software patch installations on the node.

AssetManagement > MachineAsset > MachineAssetUpdated > SoftwareAssetUpdated
SoftwareAssetUpdated alerts indicate an attempted software change (including application of a software patch) to an existing node (host or network device) in the enterprise, successful or failed.

AssetManagement > MachineAsset > MachineAssetUpdated > SoftwareAssetUpdated > SoftwareAssetPatched
SoftwareAssetPatched alerts indicate a successful application of a software patch to an existing node (host or network device) in the enterprise.
AssetManagement > MachineAsset > MachineAssetUpdated > SoftwareAssetUpdated > SoftwareAssetPatchFailed
SoftwareAssetPatchFailed alerts indicate a failed application of a software patch to an existing node (host or network device) in the enterprise.

AssetManagement > SoftwareAsset
SoftwareAsset is a specific type of AssetManagement alert that indicates additions, removals, and updates of specific software and software versions that exist in the enterprise.

AssetManagement > SoftwareAsset > SoftwareAssetAdded
SoftwareAssetAdded alerts indicate a new presence of an installation of specific software applications or operating systems in the enterprise.

AssetManagement > SoftwareAsset > SoftwareAssetAdded > SoftwareAssetVersionAdded
SoftwareAssetVersionAdded alerts indicate a new version installation of specific known software applications or operating systems in the enterprise.

AssetManagement > SoftwareAsset > SoftwareAssetRemoved
SoftwareAssetRemoved alerts indicate removals of specific software applications or operating systems from the enterprise.

AssetManagement > UserAsset
UserAsset is a specific type of AssetManagement alert that indicates additions, removals, and updates to users and user groups that exist in the enterprise.

AssetManagement > UserAsset > GroupAssetAdded
GroupAssetAdded alerts indicate a new presence of a user group in the enterprise.

AssetManagement > UserAsset > GroupAssetRemoved
GroupAssetRemoved alerts indicate the removal of a user group from the enterprise.

AssetManagement > UserAsset > GroupAssetUpdated
GroupAssetUpdated alerts indicate a change to a user group that exists in the enterprise, including group member additions and deletions.

AssetManagement > UserAsset > GroupAssetUpdated > GroupAssetMemberAdded
GroupAssetMemberAdded alerts indicate an addition of a user member to a user group that exists in the enterprise.

AssetManagement > UserAsset > GroupAssetUpdated > GroupAssetMemberRemoved
GroupAssetMemberRemoved alerts indicate a removal of a user member from a user group that exists in the enterprise.

AssetManagement > UserAsset > UserAssetAdded
UserAssetAdded alerts indicate a new presence of a user in the enterprise.

AssetManagement > UserAsset > UserAssetRemoved
UserAssetRemoved alerts indicate the removal of a user from the enterprise.

AssetManagement > UserAsset > UserAssetUpdated
UserAssetUpdated alerts indicate a change to a user that exists in the enterprise.

AssetScanResult
AssetScanResult contains alerts useful for data gathered from security scan results (reports). These alerts are commonly gathered from Vulnerability Assessment and Patch Management tools.

AssetScanResult > ExposureFound
ExposureFound alerts indicate scan results that are not high risk but demonstrate configuration issues or potential risks. These alerts may indicate exposures that can potentially cause future exploits or have been common sources of exploits in the past, such as common open ports or host configuration issues.

AssetScanResult > VulnerabilityFound
VulnerabilityFound alerts indicate scan results that demonstrate high risk vulnerabilities. These alerts can indicate the presence of serious exposures that should be addressed and can represent significant risk of exploit or infection of enterprise assets.

GeneralAsset
GeneralAsset alerts are generated when a supported product outputs data that has not yet been normalized into a specific alert, but is known to be asset issue-related.
Audit Alerts
Alerts that are children of the AuditAlert node are generally related to normal network activity that would not be considered an attack, compromise, or misuse of resources. Many of the audit alerts have rules that can be used to threshold and escalate normal behavior into something which may be considered a security event. Each Audit Alert is described below. For your convenience, they are listed alphabetically.

AuthAudit
Alerts that are part of the AuthAudit tree are related to authentication and authorization of accounts and account "containers" such as groups or domains. These alerts can be produced from any network node including firewalls, routers, servers, and clients.

AuthAudit > DomainAuthAudit
DomainAuthAudit events are authentication, authorization, and modification events related only to domains, subdomains, and account containers. These alerts are normally operating system related; however, they could be produced by any network device.

AuthAudit > DomainAuthAudit > NewDomainMember
NewDomainMember events occur when an account or account container has been added to a domain. Usually, these additions are made by a user account with administrative privileges, but occasionally a NewDomainMember alert will also happen when local system maintenance activity takes place.

AuthAudit > DomainAuthAudit > DeleteDomainMember
DeleteDomainMember events occur when an account or account container has been removed from a domain. Usually, these changes are made by a user account with administrative privileges, but occasionally a DeleteDomainMember alert will also happen when local system maintenance activity takes place.

AuthAudit > DomainAuthAudit > ChangeDomainMember
A ChangeDomainMember alert occurs when an account or account container within a domain is modified. Usually, these changes are made by a user account with administrative privileges, but occasionally a ChangeDomainMember alert will also happen when local system maintenance activity takes place.

AuthAudit > DomainAuthAudit > ChangeDomainMember > DomainMemberAlias
DomainMemberAlias events happen when an account or account container within a domain has an alias created, deleted, or otherwise modified. This event is uncommon and is used to track links between domain members and other locations in the domain where the member may appear. The alias for a domain member has been changed.

AuthAudit > DomainAuthAudit > NewDomain
NewDomain events occur upon creation of a new trust relationship between domains, creation of a new subdomain, or creation of new account containers within a domain. Usually, these creations are done by a user account with administrative privileges.

AuthAudit > DomainAuthAudit > ChangeDomainAttribute
ChangeDomainAttribute events occur when a domain type is changed. These events are uncommon and usually provided by the operating system. Usually, these changes are made by a user account with administrative privileges, but occasionally a ChangeDomainAttribute alert will also happen when local system maintenance activity takes place.

AuthAudit > DomainAuthAudit > DeleteDomain
DeleteDomain events occur upon removal of a trust relationship between domains, deletion of a subdomain, or deletion of account containers within a domain. Usually, these changes are made by a user account with administrative privileges.

AuthAudit > GroupAudit
GroupAudit events are authentication, authorization, and modification events related only to account groups. These alerts are normally operating system related; however, they could be produced by any network device.

AuthAudit > GroupAudit > ChangeGroupAttribute
ChangeGroupAttribute events occur when a group type is modified. Usually, these changes are made by a user account with administrative privileges, but occasionally a ChangeGroupAttribute alert will also happen when local system maintenance activity takes place.

AuthAudit > GroupAudit > DeleteGroup
DeleteGroup events occur upon deletion of a group of any type. Usually, these deletions are made by a user account with administrative privileges.

AuthAudit > GroupAudit > DeleteGroupMember
DeleteGroupMember events occur when an account or group has been removed from a group. Usually, these changes are made by a user account with administrative privileges, but occasionally a DeleteGroupMember alert will also happen when local system maintenance activity takes place.

AuthAudit > GroupAudit > NewGroup
NewGroup events occur upon creation of a new group of any type. Usually, these additions are made by a user account with administrative privileges.

AuthAudit > GroupAudit > NewGroupMember
NewGroupMember events occur when an account (or other group) has been added to a group. Usually, these additions are made by a user account with administrative privileges, but occasionally a NewGroupMember alert will also happen when local system maintenance activity takes place. A new user, machine, or service account has been added to the group.

AuthAudit > MachineAuthAudit
MachineAuthAudit events are authentication, authorization, and modification events related only to computer or machine accounts. These alerts can be produced from any network node including firewalls, routers, servers, and clients, but are normally operating system related.

AuthAudit > MachineAuthAudit > MachineAuthTicketFailure
MachineAuthTicketFailure alerts reflect failed computer or machine account ticket events from network devices that use a ticket-based single-sign-on system (such as Kerberos or Windows domains). Each alert will reflect the point on the network where the computer or machine was attempting logon. In larger quantities, these alerts may reflect a potential issue with a computer or set of computers, but as individual events they are generally not a problem.

AuthAudit > MachineAuthAudit > MachineAuthTicket
MachineAuthTicket alerts reflect computer or machine account ticket events from network devices monitored by Contego that use a ticket-based single-sign-on system (such as Kerberos or Windows domains). Each alert will reflect the type of device the logon was intended for along with all other relevant fields.

AuthAudit > MachineAuthAudit > MachineDisable
MachineDisable events occur when a machine account is actively disabled and/or when an account is forcibly locked out by the operating system or other authentication tool. These events are usually operating system related and could reflect a potential issue with a computer or set of computers.

AuthAudit > MachineAuthAudit > MachineEnable
MachineEnable alerts reflect the action of enabling a computer or machine account. These events are normally OS-related and will trigger when a machine is "enabled", normally by a user with administrative privileges.

AuthAudit > MachineAuthAudit > MachineLogoff
MachineLogoff alerts reflect computer or machine account logoff events from network devices (including network infrastructure devices, where appropriate). Each alert will reflect the type of device from which the user was logging off. These alerts are usually normal events but are tracked for consistency and auditing purposes.

AuthAudit > MachineAuthAudit > MachineLogonFailure
MachineLogonFailure alerts reflect failed computer or machine account logon events from network devices (including network infrastructure devices, when appropriate). Each alert will reflect the point on the network where the computer or machine was attempting logon. In larger quantities, these alerts may reflect a potential issue with a computer or set of computers, but as individual events they are generally not a problem.

AuthAudit > MachineAuthAudit > MachineLogon
MachineLogon events reflect computer or machine account logon events from network devices monitored by Contego (including network infrastructure devices, when appropriate). Each alert will reflect the type of device that the logon was intended for along with all other relevant fields. These events are normally operating system related.

AuthAudit > MachineAuthAudit > MachineModifyAttribute
MachineModifyAttribute events occur when a computer or machine type is changed. These events are uncommon and usually provided by the operating system.

AuthAudit > MachineAuthAudit > MachineModifyPrivileges
MachineModifyPrivileges events are created when a computer or machine's privileges are elevated or demoted based on their logon or activities they are performing. These events are uncommon.

AuthAudit > UserAuthAudit
UserAuthAudit events are authentication, authorization, and modification events related only to user accounts. These alerts can be produced from any network node including firewalls, routers, servers, and clients.

AuthAudit > UserAuthAudit > UserAuthTicketFailure
UserAuthTicketFailure alerts reflect failed user account ticket events from network devices that use a ticket-based single-sign-on system (such as Kerberos or Windows domains). Each alert will reflect the point on the network where the user was attempting logon. In larger quantities, these alerts may reflect a potential issue with a user or set of users, but as individual events they are generally not a problem.

AuthAudit > UserAuthAudit > UserAuthTicket
UserAuthTicket alerts reflect user account ticket events from network devices monitored by Contego that use a ticket-based single-sign-on system (such as Kerberos or Windows domains). Each alert will reflect the type of device that the logon was intended for along with all other relevant fields.

AuthAudit > UserAuthAudit > UserDisable
UserDisable events occur when a user account is actively disabled and/or when a user is forcibly locked out by the operating system or other authentication tool. These events are usually operating system related and could reflect a potential issue with a user or set of users.

AuthAudit > UserAuthAudit > UserEnable
UserEnable alerts reflect the action of enabling a user account. These events are normally OS-related and will trigger both when an account is "unlocked" after lockout due to unsuccessful logons and when it is "enabled" in the traditional sense.

AuthAudit > UserAuthAudit > UserLogoff
UserLogoff alerts reflect account logoff events from network devices (including network infrastructure devices). Each alert will reflect the type of device from which the user was logging off. These alerts are usually normal events but are tracked for consistency and auditing purposes.

AuthAudit > UserAuthAudit > UserLogon
UserLogon alerts reflect user account logon events from network devices monitored by Contego (including network infrastructure devices). Each alert will reflect the type of device that the logon was intended for along with all other relevant fields.

AuthAudit > UserAuthAudit > UserLogonFailure
UserLogonFailure alerts reflect failed account logon events from network devices (including network infrastructure devices). Each alert will reflect the point on the network where the user was attempting logon. In larger quantities, these alerts may reflect a potential issue with a user or set of users, but as individual events they are generally not a problem. With SolarWinds policy, you can configure combinations of this event to escalate to FailedAuthentication in the Security tree, reflecting the increase in severity of the event over several occurrences.

AuthAudit > UserAuthAudit > UserModifyAttribute
UserModifyAttribute events occur when a user type is changed. These events are uncommon and usually provided by the operating system.

AuthAudit > UserAuthAudit > UserModifyPrivileges
UserModifyPrivileges events are created when a user's privileges are elevated or demoted based on their logon or activities they are performing. These events are uncommon.

GeneralAudit
GeneralAudit alerts are generated when a supported product outputs data that has not yet been normalized into a specific alert, but is known to be audit-related.

MachineAudit
MachineAudit alerts are used to track hardware or software status and modifications. These events are generally acceptable, but do indicate modifications to the client system that may be noteworthy.

MachineAudit > SoftwareInstall
SoftwareInstall alerts reflect modifications to the system at a software level, generally an OS level (or equivalent, in the case of a network infrastructure device). These alerts are generated when a user updates a system or launches system-native methods to install third party applications.

MachineAudit > SoftwareInstall > SoftwareUpdate
SoftwareUpdate is a specific type of SoftwareInstall that reflects a more current version of software being installed to replace an older version.

MachineAudit > SystemScan
SystemScan alerts reflect information related to scheduled or on-demand scans of systems. These alerts are generally produced by Anti-Virus, Patch Management, and Vulnerability Assessment tools, and indicate the start, finish, and information related to a scan.

MachineAudit > SystemScanInfo
SystemScanInfo is a specific type of SystemScan alert that reflects information related to a system scan. Most of these events can safely be ignored, as they are generally normal activity that does not reflect a failure or abnormal state.

MachineAudit > SystemScanStart
SystemScanStart is a specific type of SystemScan alert that indicates initiation of a system scan.

MachineAudit > SystemScanStop
SystemScanStop is a specific type of SystemScan alert that indicates completion of a system scan. This activity is generally normal; however, in the error or failure state a specific alert will be generated.

MachineAudit > SystemScanWarning
SystemScanWarning is a specific type of SystemScan alert that indicates a scan has returned a 'Warning' message indicating an issue. These alerts may indicate scan issues that should be corrected for future scans.

MachineAudit > SystemStatus
SystemStatus alerts reflect general system state events. These events are generally normal and informational; however, they could potentially reflect a failure or issue which should be addressed.

MachineAudit > SystemStatus > SystemReboot
SystemReboot is a specific type of SystemStatus alert that is used to audit system restarts. This alert will only be generated if the system restart was normal and not a result of a crash or other failure condition.

MachineAudit > SystemStatus > SystemReboot > SystemShutdown
SystemShutdown is a specific type of SystemStatus alert that is used to audit system shutdowns, including both expected and unexpected shutdowns. In the event the shutdown was unexpected, the event detail will note the information provided by the tool related to the abnormality.

PolicyAudit
PolicyAudit events are used to track access, modification, scope change, and creation of authentication, domain, account, and account container policies. Many of these alerts reflect normal system traffic. Most PolicyAudit alerts are provided by the Operating System.

PolicyAudit > NewAuthPolicy
NewAuthPolicy alerts occur when a new authorization or authentication package, process, or logon handler is applied to an item (usually an account or domain). In the operating system context, these events will often occur on boot as the system initializes the appropriate authentication policies for itself.

PolicyAudit > PolicyAccess
PolicyAccess alerts reflect all levels of access to policy, mostly targeting domain, account, access, and logon policy modifications.

PolicyAudit > PolicyAccess > PolicyModify
PolicyModify alerts reflect all types of modifications to contained policies, both at a local and domain/account container level. In the context of a network infrastructure device, this would be a modification to access control lists or other similar policies on the device.

PolicyAudit > PolicyAccess > PolicyModify > DomainPolicyModify
DomainPolicyModify alerts are a specific type of PolicyModify alert that reflect changes to domain and account container level policies. These types of policies are generally related to the operating system. Usually these modifications are made by a user with administrative privileges, but occasionally these changes can also be triggered by the local system.

PolicyAudit > PolicyAccess > PolicyScopeChange
PolicyScopeChange alerts are a specific type of PolicyAccess alert that reflect a new scope or assignment of policy to users, groups, domains, interfaces, or other items. In the context of the operating system, these events are usually describing elevation of user privileges according to predefined policies. The process of this elevation is considered a scope change as the user is being brought under a new scope of privileges appropriate to the type of access they are requesting (and being granted). These events may accompany or precede object or file opens, including other policies.

PolicyAudit > PolicyAccess > GroupPolicyModify
GroupPolicyModify alerts are specific PolicyAccess alerts used to describe modifications to account group policies. Usually these modifications are made by a user with administrative privileges, but occasionally these changes can also be triggered by the local system.

ResourceAudit
Members of the ResourceAudit tree are used to define different types of access to network resources. These resources may be network bandwidth/traffic, files, client processes or services, or other types of shared security-related 'commodities'.

ResourceAudit > FileAudit
FileAudit alerts are used to track file activity on monitored network devices, usually through the Operating System or a Host-Based IDS. These events will note success or failure of the requested operation.

ResourceAudit > FileAudit > FileAuditFailure
FileAuditFailure alerts are used to track failed file activity on monitored network devices, usually through the Operating System or a Host-Based IDS. These events will note what requested operation failed.

ResourceAudit > FileAudit > FileRead
FileRead is a specific FileAudit alert generated for the operation of reading files (including reading properties of a file or the status of a file). These alerts may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.

ResourceAudit > FileAudit > FileRead > FileExecute
FileExecute is a specific FileRead alert generated for the operation of executing files. These alerts may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.

ResourceAudit > FileAudit > FileRead > FileDataRead
FileDataRead is a specific FileRead alert generated for the operation of reading data from a file (not just properties or status of a file). These alerts may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.

ResourceAudit > FileAudit > FileWrite
349
Audit Alerts
FileWrite is a specific FileAudit alert generated for the operation of writing to a file (including writing properties of a file or changing the status of a file). These alerts may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some operating systems. ResourceAudit > FileAudit > FileWrite > FileDataWrite FileDataWrite is a specific FileWrite alert generated for the operation of writing data to a file (not just properties or status of a file). These alerts may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. ResourceAudit > FileAudit > FileWrite > FileCreate FileCreate is a specific FileWrite alert generated for the initial creation of a file. These alerts may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. ResourceAudit > FileAudit > FileWrite > FileMove FileMove is a specific FileWrite alert generated for the operation of moving a file that already exists. These alerts may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. ResourceAudit > FileAudit > FileWrite > FileDelete FileDelete is a specific FileWrite alert generated for the deletion of an existing file. These alerts may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. ResourceAudit > FileAudit > FileWrite > FileAttributeChange FileAttributeChange is a specific FileWrite alert generated for the modification of file attributes (including properties such as read-only status). These alerts may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. 
ResourceAudit > FileAudit > FileWrite > FileLink

FileLink is a specific FileWrite alert generated for the creation, deletion, or modification of links to other files. These alerts may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.

ResourceAudit > FileHandleAudit

FileHandleAudit alerts are used to track file handle activity on monitored network devices, usually through low-level access to the Operating System, either natively or with a Host-Based IDS. These events will note success or failure of the requested operation.

ResourceAudit > FileHandleAudit > FileHandleClose

FileHandleClose is a specific FileHandleAudit alert generated for the closing of file handles. These alerts may be generated by a tool that has low-level file access, such as an Operating System or some Host-Based IDSs.

ResourceAudit > FileHandleAudit > FileHandleCopy

FileHandleCopy is a specific FileHandleAudit alert generated for the copying of file handles. These alerts may be generated by a tool that has low-level file access, such as an Operating System or some Host-Based IDSs.

ResourceAudit > FileHandleAudit > FileHandleOpen

FileHandleOpen is a specific FileHandleAudit alert generated for the opening of file handles. These alerts may be generated by a tool that has low-level file access, such as an Operating System or some Host-Based IDSs.

ResourceAudit > FileSystemAudit

FileSystemAudit alerts reflect hardware-to-filesystem mapping events and usage of filesystem resources. These events are generally normal system activity, especially during system boot.

ResourceAudit > FileSystemAudit > MountFileSystem

MountFileSystem alerts are a specific type of FileSystemAudit that reflect the action of creating an active translation between hardware and a usable filesystem. These events are generally normal during system boot.
ResourceAudit > FileSystemAudit > UnmountFileSystem

UnmountFileSystem alerts are a specific type of FileSystemAudit that reflect the action of removing a translation between hardware and a usable filesystem. These events are generally normal during system shutdown.

ResourceAudit > NetworkAudit

Members of the NetworkAudit tree are used to define events centered on usage of network resources/bandwidth.

ResourceAudit > NetworkAudit > ConfigurationTrafficAudit

ConfigurationTrafficAudit alerts reflect application-layer data related to configuration of network resources. Included in ConfigurationTrafficAudit are protocols such as DHCP, BootP, and SNMP. ConfigurationTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be symptoms of misconfiguration, inappropriate usage, attempts to enumerate or access network devices or services, attempts to access devices that are configured via these services, or other abnormal traffic.

ResourceAudit > NetworkAudit > CoreTrafficAudit

CoreTrafficAudit alerts reflect network traffic sent over core protocols. Alerts that are children of CoreTrafficAudit are all related to the TCP, IP, UDP, and ICMP protocols. Alerts of this type and its children do not have any application-layer data. Alerts placed in the parent CoreTrafficAudit alert itself are known to be a core protocol, but cannot be further categorized based on the message provided by the tool.

ResourceAudit > NetworkAudit > CoreTrafficAudit > TCPTrafficAudit

TCPTrafficAudit alerts are a specific subset of CoreTrafficAudit alerts where the protocol is known to be TCP. TCPTrafficAudit alerts may indicate normal traffic inside the network, normal traffic pass-through, denied traffic, or other non-application TCP traffic that is not known to have any immediate attack basis.

ResourceAudit > NetworkAudit > CoreTrafficAudit > IPTrafficAudit

IPTrafficAudit alerts are a specific subset of CoreTrafficAudit alerts where the protocol is known to be IP. IPTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be symptoms of spoofs, routing issues, or other abnormal traffic. Generally, for the abnormal traffic that is appropriate to escalate, a Contego Policy has been defined to escalate this to an alert in the Security tree based on a threshold.

ResourceAudit > NetworkAudit > CoreTrafficAudit > UDPTrafficAudit
UDPTrafficAudit alerts are a specific subset of CoreTrafficAudit alerts where the protocol is known to be UDP. UDPTrafficAudit alerts may indicate normal traffic inside the network, normal traffic pass-through, denied traffic, or other non-application UDP traffic that is not known to have any immediate attack basis.

ResourceAudit > NetworkAudit > CoreTrafficAudit > ICMPTrafficAudit

ICMPTrafficAudit alerts are a specific subset of CoreTrafficAudit alerts where the protocol is known to be ICMP. ICMPTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be symptoms of scans, floods, or other abnormal traffic. Generally, for the abnormal traffic that is appropriate to escalate, a Contego Policy has been defined to escalate this to an alert in the Security tree based on a threshold.

ResourceAudit > NetworkAudit > CoreTrafficAudit > IPSecTrafficAudit

IPSecTrafficAudit alerts are a specific subset of CoreTrafficAudit alerts where the traffic is known to be related to non-application-layer IPSec events (such as key exchanges). IPSecTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be symptoms of misconfigured IPSec peers, problems with IPSec communication, or other abnormal traffic.

ResourceAudit > NetworkAudit > LinkControlTrafficAudit

LinkControlTrafficAudit alerts are generated for network events related to link-level configuration. LinkControlTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be symptoms of misconfiguration at the link level, inappropriate usage, or other abnormal traffic.

ResourceAudit > NetworkAudit > RoutingTrafficAudit

RoutingTrafficAudit alerts are generated for network events related to configuration of network routes, using protocols such as IGMP, IGRP, and RIP. RoutingTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be symptoms of misconfigured routing, unintended route configuration, or other abnormal traffic.

ResourceAudit > NetworkAudit > RoutingTrafficAudit > RIPTrafficAudit
RIPTrafficAudit alerts are a specific subset of RoutingTrafficAudit alerts where the protocol is known to be RIP. RIPTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be symptoms of misconfigured routing, unintended route configuration, or other abnormal traffic.

ResourceAudit > NetworkAudit > NamingTrafficAudit

NamingTrafficAudit alerts are generated for network events related to the naming of network resources and nodes, using protocols such as WINS and DNS. NamingTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be symptoms of inappropriate DNS authority attempts, misconfiguration of naming services, and other abnormal traffic. In several cases, for traffic that is appropriate to escalate, a Contego Policy has been defined to escalate this to an alert in the Security tree based on a threshold.

ResourceAudit > NetworkAudit > FileSystemTrafficAudit

FileSystemTrafficAudit alerts are generated for network events related to requests for remote filesystems, using protocols such as SMB and NFS. FileSystemTrafficAudit alerts generally indicate normal traffic for networks that have remote filesystem resources such as SMB and NFS shares; however, alerts of this type could also be symptoms of attempts to enumerate shares or services, misconfiguration of such resources, or other abnormal traffic. For networks that do not have remote filesystem resources, these alerts will generally indicate abnormal traffic.

ResourceAudit > NetworkAudit > ApplicationTrafficAudit

ApplicationTrafficAudit alerts reflect network traffic that is mostly or all application-layer data. Alerts that are children of ApplicationTrafficAudit are also related to application-layer resources. Alerts placed in the parent ApplicationTrafficAudit alert itself are known to be application-related, but cannot be further categorized, either because of the message provided by the tool or because they are uncommon and rarely, if ever, imply network attack potential.

ResourceAudit > NetworkAudit > ApplicationTrafficAudit > EncryptedTraffic

EncryptedTraffic alerts reflect application-layer traffic that has been encrypted and is intended for a secure host. Included in EncryptedTraffic alerts are client- and server-side application events, such as key exchanges, that normally occur after the low-level session creation and handshaking have completed.

ResourceAudit > NetworkAudit > ApplicationTrafficAudit > EncryptedTraffic > EncryptedTrafficError
EncryptedTrafficError alerts are a specific subset of EncryptedTraffic alerts that reflect problems while exchanging keys or data.

ResourceAudit > NetworkAudit > ApplicationTrafficAudit > MailTrafficAudit

MailTrafficAudit alerts reflect application-layer data related to mail services. Included in MailTrafficAudit are client and server mail events from protocols such as IMAP, POP3, and SMTP. MailTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be symptoms of excessive mail usage, unintended mail traffic, abnormal command exchanges to a server, or generally abnormal traffic.

ResourceAudit > NetworkAudit > ApplicationTrafficAudit > WebTrafficAudit

WebTrafficAudit alerts reflect application-layer data related to web services. Included in WebTrafficAudit are client and server web events from web servers, web applications, content-filter-related events, and other web services. WebTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be symptoms of inappropriate web usage, potential abuse of web services, or other abnormal traffic.

ResourceAudit > NetworkAudit > ApplicationTrafficAudit > TimeTrafficAudit

TimeTrafficAudit alerts reflect application-layer data related to network time configuration. Included in TimeTrafficAudit are protocols such as NTP and activities such as detection of client-side network time updates. TimeTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be symptoms of misconfiguration, inappropriate usage, or other abnormal traffic.

ResourceAudit > NetworkAudit > ApplicationTrafficAudit > TimeTrafficAudit > NTPTrafficAudit

NTPTrafficAudit alerts are a specific type of TimeTrafficAudit related to the Network Time Protocol.

ResourceAudit > NetworkAudit > ApplicationTrafficAudit > FileTransferTrafficAudit

FileTransferTrafficAudit alerts reflect application-layer data related to retrieving files from and sending files to remote hosts. Included in FileTransferTrafficAudit are protocols such as TFTP and FTP. FileTransferTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be symptoms of misconfiguration, inappropriate usage, attempts to enumerate or access file transfer services, attempts to access devices that require file transfer services for configuration, or other abnormal traffic.
ResourceAudit > NetworkAudit > PointToPointTrafficAudit

PointToPointTrafficAudit alerts reflect application-layer data related to point-to-point connections between hosts. Included in PointToPointTrafficAudit are encrypted and unencrypted point-to-point traffic.

ResourceAudit > NetworkAudit > PointToPointTrafficAudit > PPTPTrafficAudit

PPTPTrafficAudit alerts are a specific type of PointToPointTrafficAudit alert that reflect application-layer encrypted Point-to-Point Tunneling Protocol activities. Included in PPTPTrafficAudit alerts are tunnel creation, tunnel deletion, session creation, and session deletion, among other PPTP-related events. PPTPTrafficAudit alerts generally indicate normal traffic for networks that have PPTP-accessible devices on the network; however, alerts of this type could also be symptoms of inappropriate access, misconfiguration of the PPTP server or clients, other communications errors, or other abnormal traffic. For networks that do not have PPTP-accessible devices, these alerts will generally indicate abnormal traffic.

ResourceAudit > NetworkAudit > RemoteProcedureTrafficAudit

RemoteProcedureTrafficAudit alerts reflect application-layer data related to remote procedure services. Included in RemoteProcedureTrafficAudit are the traditional RPC services used to service remote logons and file shares, and other services which require remote procedure access to complete authentication, pass data, or otherwise communicate. RemoteProcedureTrafficAudit alerts generally indicate normal traffic for networks that have remote procedure services on their network; however, alerts of this type could also be symptoms of inappropriate access, misconfiguration of the remote procedure services, errors in the remote procedure calls, or other abnormal traffic.

ResourceAudit > NetworkAudit > RemoteProcedureTrafficAudit > RPCTrafficAudit

RPCTrafficAudit is a specific subset of RemoteProcedureTrafficAudit related to traditional RPC services, including portmapper.

ResourceAudit > NetworkConnectionAudit

NetworkConnectionAudit alerts are generated when a connection is initiated on a network client.

ResourceAudit > NetworkConnectionAudit > LANConnection
LANConnection is a specific type of NetworkConnectionAudit that reflects a successful connection on a physical network interface such as an Ethernet card.

ResourceAudit > NetworkConnectionAudit > VPNConnection

VPNConnection is a specific type of NetworkConnectionAudit that reflects a successful connection to a remote VPN.

ResourceAudit > NetworkConnectionAudit > DialupConnection

DialupConnection is a specific type of NetworkConnectionAudit that reflects a successful connection through a traditional modem.

ResourceAudit > ObjectAudit

ObjectAudit alerts are used to track special object activity on monitored network devices, usually through the Operating System or a Host-Based IDS. Generally, Objects are special types of system resources, such as registry items or user account databases. These objects may be actual 'files' on the system, but are not necessarily human readable. These events will note success or failure of the requested operation.

ResourceAudit > ObjectAudit > ObjectAuditFailure

ObjectAuditFailure alerts are used to track special object activity on monitored network devices, usually through the Operating System or a Host-Based IDS. Generally, Objects are special types of system resources, such as registry items or user account databases. These objects may be actual 'files' on the system, but are not necessarily human readable. These events will note a failure of the requested operation.

ResourceAudit > ObjectAudit > ObjectDelete

ObjectDelete is a specific ObjectAudit alert generated for the deletion of an existing object. These alerts may be produced by any tool that is used to monitor the activity of file and object usage, including a Host-Based IDS and some Operating Systems.

ResourceAudit > ObjectAudit > ObjectLink

ObjectLink is a specific ObjectAudit alert generated for the creation, deletion, or modification of links to other objects. These alerts may be produced by any tool that is used to monitor the activity of file and object usage, including a Host-Based IDS and some Operating Systems.

ResourceAudit > ProcessAudit
ProcessAudit alerts are generated to track launch, exit, status, and other events related to system processes. Usually, these events reflect normal system activity. Process-related activity that may indicate a failure will be noted separately from normal activity in the alert detail.

ResourceAudit > ProcessAudit > ProcessStop

ProcessStop is a specific type of ProcessAudit alert that indicates a process has exited. Usually, ProcessStop reflects normal application exit; however, in the event of an unexpected error the abnormal state will be noted.

ResourceAudit > ProcessAudit > ProcessStart

ProcessStart is a specific type of ProcessAudit alert that indicates a new process has been launched. Usually, ProcessStart reflects normal system activity.

ResourceAudit > ProcessAudit > ProcessWarning

ProcessWarning is a specific type of ProcessAudit alert that indicates a process has returned a 'Warning' message that is not a fatal error and may not have triggered an exit of the process.

ResourceAudit > ProcessAudit > ProcessInfo

ProcessInfo is a specific type of ProcessAudit alert that reflects information related to a process. Most of these events can safely be ignored, as they are generally normal activity that does not reflect a failure or abnormal state.

ResourceAudit > ServiceAudit

ServiceAudit alerts are generated to track information and other events related to system components. Usually, these events reflect normal system activity. System service-related activity that may indicate a failure will be noted separately from normal activity in the alert detail.

ResourceAudit > ServiceAudit > ServiceInfo

ServiceInfo is a specific type of ServiceAudit alert that reflects information related to a service. Most of these events can safely be ignored, as they are generally normal activity that does not reflect a failure or abnormal state.

ResourceAudit > ServiceAudit > ServiceStart

ServiceStart events are a specific type of ServiceAudit alert that indicates a new system service is starting.

ResourceAudit > ServiceAudit > ServiceStop
ServiceStop events are a specific type of ServiceAudit alert that indicates a system service is stopping. This activity is generally normal; however, in the event of an unexpected stop the abnormal state will be noted.

ResourceAudit > ServiceAudit > ServiceWarning

ServiceWarning is a specific type of ServiceAudit alert that indicates a service has returned a 'Warning' message that is not a fatal error and may not have triggered an exit of the service.
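The alert names above form a tree, and the descriptions repeat one property of that tree: a child such as FileDelete is "a specific FileWrite alert", so a filter or rule that names a parent node should see every alert beneath it. The following Python helper is an added example, not SolarWinds LEM code. It builds the ResourceAudit > FileAudit subtree from the paths as written in this appendix, classifies a few constructed file-monitor records into their most specific node (the record fields and the operation-to-node mapping are assumptions about what a host-based monitor would report, not LEM's schema), and counts what a filter placed on a given node would show.

```python
"""Alert-tree helper for the ResourceAudit > FileAudit subtree.

Added example; this is not SolarWinds LEM code. The node names and paths
are the ones listed in this appendix; the event field names ("operation",
"success", ...) and the operation-to-node mapping are assumptions about
what a host-based file monitor would report.
"""
from typing import Dict, List, Optional

# Paths exactly as written in the appendix ("Parent > Child").
FILE_AUDIT_PATHS = [
    "ResourceAudit > FileAudit",
    "ResourceAudit > FileAudit > FileAuditFailure",
    "ResourceAudit > FileAudit > FileRead",
    "ResourceAudit > FileAudit > FileRead > FileExecute",
    "ResourceAudit > FileAudit > FileRead > FileDataRead",
    "ResourceAudit > FileAudit > FileWrite",
    "ResourceAudit > FileAudit > FileWrite > FileDataWrite",
    "ResourceAudit > FileAudit > FileWrite > FileCreate",
    "ResourceAudit > FileAudit > FileWrite > FileMove",
    "ResourceAudit > FileAudit > FileWrite > FileDelete",
    "ResourceAudit > FileAudit > FileWrite > FileAttributeChange",
    "ResourceAudit > FileAudit > FileWrite > FileLink",
]


def build_tree(paths: List[str]) -> Dict[str, Optional[str]]:
    """Map each node name to its parent (the root maps to None)."""
    parent: Dict[str, Optional[str]] = {}
    for path in paths:
        nodes = [p.strip() for p in path.split(">")]
        for i, node in enumerate(nodes):
            parent.setdefault(node, nodes[i - 1] if i else None)
    return parent


TREE = build_tree(FILE_AUDIT_PATHS)


def ancestors(node: str, tree: Dict[str, Optional[str]] = TREE) -> List[str]:
    """Root-first path of a node, e.g. FileExecute -> [ResourceAudit, FileAudit, FileRead, FileExecute].

    Unknown names raise KeyError rather than being guessed into the tree.
    """
    chain: List[str] = []
    current: Optional[str] = node
    while current is not None:
        chain.append(current)
        current = tree[current]
    chain.reverse()
    return chain


def matches(alert: str, filter_node: str, tree: Dict[str, Optional[str]] = TREE) -> bool:
    """A filter on a parent node sees every alert in its subtree."""
    return filter_node in ancestors(alert, tree)


# Assumed mapping from a monitor's operation verb to the most specific node.
OPERATION_TO_NODE = {
    "read": "FileDataRead",
    "execute": "FileExecute",
    "write": "FileDataWrite",
    "create": "FileCreate",
    "rename": "FileMove",
    "delete": "FileDelete",
    "attrib": "FileAttributeChange",
    "link": "FileLink",
}


def classify(event: dict) -> str:
    """Pick the alert node for one file-monitor record.

    Failed operations go to FileAuditFailure, as the appendix describes;
    an operation we cannot categorise stays on the parent FileAudit node.
    """
    if not event["success"]:
        return "FileAuditFailure"
    return OPERATION_TO_NODE.get(event["operation"], "FileAudit")


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"user": "svc-backup", "path": r"C:\data\a.txt", "operation": "read", "success": True},
    {"user": "jdoe", "path": r"C:\data\a.txt", "operation": "delete", "success": True},
    {"user": "jdoe", "path": r"C:\data\b.txt", "operation": "rename", "success": True},
    {"user": "guest", "path": r"C:\secret\c.txt", "operation": "read", "success": False},
    {"user": "jdoe", "path": r"C:\tools\x.exe", "operation": "execute", "success": True},
    {"user": "jdoe", "path": r"C:\data\d.txt", "operation": "lock", "success": True},
]


def count_matching(events: List[dict], filter_node: str) -> int:
    """How many events a filter placed on filter_node would show."""
    return sum(matches(classify(e), filter_node) for e in events)


if __name__ == "__main__":
    for node in ("FileAudit", "FileRead", "FileWrite", "FileAuditFailure"):
        print(f"{node:17s} {count_matching(SAMPLE_EVENTS, node)}")
```

The unknown "lock" operation lands on the parent FileAudit node rather than being dropped, mirroring how the appendix handles CoreTrafficAudit and ApplicationTrafficAudit events that the tool's message cannot categorize further; a filter on FileAudit still sees it, a filter on FileWrite does not.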
Incident Alerts
Incident Alerts reflect global enterprise-wide issues that should be raised for system-wide visibility. These alerts generally reflect serious issues that should be monitored and addressed. They are subcategorized into different types of Incident Alerts that can provide more detailed information. Because Incident Alerts are created by Rules, any combination of malicious or suspicious traffic from any other single alert or combination of alerts can create an Incident Alert. Each Incident Alert is described below. For your convenience, they are listed alphabetically.

HostIncident

HostIncident alerts reflect global enterprise-wide host system issues that should be raised for system-wide visibility. These alerts are used to indicate issues on hosts that should be tracked and addressed, including security and administrative issues that apply specifically to host-based information.

HybridIncident

HybridIncident alerts reflect global enterprise-wide combined network and host system issues that should be raised for system-wide visibility. These alerts are used to indicate the combination of network and host-based issues that should be tracked and addressed, including security and administrative issues that span both network and host-based information.

NetworkIncident

NetworkIncident alerts reflect global enterprise-wide network system issues that should be raised for system-wide visibility. These alerts are used to indicate network-based issues that should be tracked and addressed, including security and administrative issues that apply specifically to network-based information.
Internal Alerts
Alerts that are a part of the InternalAlert node are related to the operation of the LEM system. Any events generated by the system relating to Active Response, Internal users, or Internal errors will appear under one of the many children. These alerts are for informational purposes and do not necessarily reflect conditions that should cause alarm. Alerts that may reflect potential issues within the system are specifically marked for forwarding to SolarWinds. Each Internal Alert is described below. For your convenience, they are listed alphabetically.

InternalAudit

InternalAudit alerts reflect attempted accesses and changes to components of the LEM system by existing SolarWinds users. Both successful and failed attempts will generate alerts in this part of the tree.

InternalAudit > InternalAuditFailure

InternalAuditFailure is a specific type of InternalAudit alert that indicates failed audit information. These alerts are generated when a user fails to view or modify (including creation, update, and deletion) anything within the SolarWinds system. The alert will include the user, type of access, and item being accessed. InternalAuditFailure events are uncommon and can indicate an attempted privilege escalation within the LEM system by unprivileged users.

InternalAudit > InternalAuditSuccess

InternalAuditSuccess is a specific type of InternalAudit alert that indicates successful audit information. These alerts are generated when a user successfully views or modifies (including creation, update, and deletion) anything within the LEM system. The alert will include the user, type of access, and item being accessed.

InternalCommands

InternalCommands alerts are only used internally, with few exceptions. These alerts are used for sending Commands through the system to complete active responses.

InternalCommands > InternalAgentToolCommand
InternalAgentToolCommand alerts are internal only. They are fired between Managers and Agents to manage tool settings.

InternalCommands > InternalAgentFastPack

InternalAgentFastPack alerts are internal only. They are fired between Managers and Agents to configure updated tool signatures.

InternalFailure

Alerts that are a part of the InternalFailure tree reflect potential issues within the system. These alerts could reflect configuration issues, issues that cannot be resolved without contacting SolarWinds, and potentially serious issues which also merit contacting SolarWinds.

InternalFailure > InternalError

InternalError alerts reflect configuration or install issues that should be reported to SolarWinds. These are generally internal errors related to tools that may be producing unexpected log entries or conditions that were not expected. These issues generally cannot be solved without contacting SolarWinds; however, they should not be fatal errors.

InternalFailure > InternalException

InternalException alerts reflect more serious problems within the system. These problems generally lie within the product implementation and may require a software update to eliminate. These alerts and their surrounding conditions should be reported to SolarWinds.

InternalFailure > InternalWarning

InternalWarning alerts are generally problems which can be solved by the user. Usually, these alerts are configuration related and may assist in debugging the underlying issue. InternalWarning alerts do not reflect internal problems within the system and thus should not be immediately reported to SolarWinds; however, they may assist with solving a technical support issue should the need arise.

InternalGeneralAlert

InternalGeneralAlert events are uncommon events used to track Internal information that has not yet been placed into a more specific InternalAlert. If the event is serious, alerts of the InternalFailure family providing more information will be generated in addition to this event.
InternalInfo
Alerts within the InternalInfo family are related to events that are happening within the system. Generally, these informational alerts are confirming or reporting normal activity such as user updates, user logons, policy updates, and Agent connection-related events.

InternalInfo > InternalAgentOffline

InternalAgentOffline alerts reflect detection of disconnection of an Agent from its Manager. These alerts will happen when the Manager has detected that the Agent closed the connection, whether that be due to network downtime of the Agent or due to a shutdown of the Agent service.

InternalInfo > InternalAgentOnline

InternalAgentOnline alerts reflect successful connection of Agents to their respective Managers. These alerts will happen when an Agent initiates successful communication with the Manager, whether that be due to network downtime of the Manager or Agent or due to an update of the Agent in question.

InternalInfo > InternalDuplicateConnection

InternalDuplicateConnection alerts occur when an Agent has attempted to connect to its given Manager more than once. Usually these alerts are triggered by network issues on the Agent end, due to a possible asynchronous disconnection detection (for example, the Manager was not able to detect the Agent went offline, but the Agent service was restarted). Usually this issue can be resolved by stopping the Agent service, waiting for the InternalAgentOffline alert, and then restarting the Agent service.

InternalInfo > InternalInvalidConnection

InternalInvalidConnection alerts occur when an Agent that the Manager recognizes, but cannot communicate with, attempts to connect. These alerts usually reflect Agents that are missing an update that has already been applied to the Manager. Please ensure that the indicated Agent has been upgraded to the same release version of the system that is installed on your Manager. If this alert persists, uninstall and reinstall the Agent triggering the alert. This will force the Agent to re-initialize its connection to the Manager.

InternalInfo > InternalInvalidInstallation

InternalInvalidInstallation alerts occur in the unlikely case that the Manager can communicate with the Agent but there are errors detected in the Manager-to-Agent relationship. These alerts are very uncommon, but may be triggered during an upgrade process.
Please ensure that the indicated Agent has been upgraded to the same release version of the system that is installed on your Manager. If this alert persists, uninstall and reinstall the Agent triggering the alert. This will force the Agent to re-initialize its connection to the Manager.

InternalInfo > InternalLicenseMaximum

InternalLicenseMaximum alerts reflect an attempt to add more Agents to a Manager than that Manager is licensed for. The number of Agents that can be added is a hard limit that the Manager stores, and this limit is also enforced by the Console. If more licenses are needed, this issue can be resolved by contacting SolarWinds Sales for an update.

InternalInfo > InternalNewToolData

InternalNewToolData alerts generally reflect issues related to tools with unexpected log entries or other conditions that were not expected. These issues generally cannot be solved without contacting SolarWinds; however, they are not fatal.

InternalInfo > InternalPolicyConfiguration

InternalPolicyConfiguration alerts reflect successful or unsuccessful attempts to update Policy on a given Manager. These alerts are generated after Policy has been successfully installed to the Manager or after an error has been detected. Generally, an error in updating Policy will also produce an alert from the InternalFailure family, providing more information.

InternalInfo > InternalToolOffline

InternalToolOffline alerts reflect the successful stop of an Internal Tool. These alerts are generated after a tool has stopped the log file reader that was created when the tool was brought online. Generally, an error in an attempt to stop a tool will produce an alert from the InternalFailure family providing more information.

InternalInfo > InternalToolOnline

InternalToolOnline alerts reflect the successful startup of an Internal Tool. These alerts are generated after a tool has successfully created a log file reader and has begun the reading process.
Generally, an error in an attempt to start a tool will produce an alert from the InternalFailure family providing more information.

InternalInfo > InternalUnknownAgent

InternalUnknownAgent alerts occur when an Agent that the Manager does not recognize has attempted to connect. Commonly, this alert is caused by removing the Agent from the Console before removing the Agent service on the client. These alerts may also be triggered during an upgrade process; in that case, they may reflect Agents that have not yet been brought up to date. Usually this issue can be resolved by uninstalling and reinstalling the Agent triggering the alert. This will force the Agent to re-initialize its connection to the Manager.

InternalInfo > InternalUnsupportedAgent

InternalUnsupportedAgent alerts are generated when a valid Agent connects and has not been upgraded to the same release version as the Manager. The Agent in question failed to properly negotiate its connection or respond to a query and has been assumed to be missing a feature required of it. Please ensure that the indicated Agent has been upgraded to the same release version of SolarWinds that is installed on your Manager. If this alert persists, uninstall and reinstall the Agent triggering the alert; this will force the Agent to re-initialize its connection to the Manager.

InternalInfo > InternalUserLogoff

InternalUserLogoff alerts are generated when a user logs off or is disconnected from the Console.

InternalInfo > InternalUserLogon

InternalUserLogon alerts are generated when a user successfully completes the logon process to a Manager via the Console. Failed logon attempts are produced in a separate alert, InternalUserLogonFailure.

InternalInfo > InternalUserLogonFailure

InternalUserLogonFailure alerts are generated when a user has completed initialization of a connection to the Console, but enters an incorrect user name and/or password.

InternalInfo > InternalUserUpdate

InternalUserUpdate alerts are generated when a user is modified and the update has successfully been sent to the Manager, or when the update has failed to apply. These updates include change or addition of an email address, change or addition of a pager, and change or addition of blocked alerts from selected Agents. Generally, an error in updating a user will also produce an alert from the InternalFailure family.

InternalPolicy

InternalPolicy alerts reflect information related to correlation rules. These alerts are used to indicate that a rule has been triggered, either in test mode or in normal operating conditions.
Appendix B: Alerts
InternalPolicy > InternalTestRule
InternalTestRule alerts reflect rule activity where a correlation rule has triggered and is set in Test mode. It indicates the trigger of the rule and includes an enumeration of what actions would take place, if any, if the rule were fully enabled. To remove a rule from Test mode, clear the Test checkbox for the Rule in the Rule Builder.

InternalPolicy > InternalRuleFired
InternalRuleFired alerts reflect rule activity, specifically where a correlation rule has triggered. It indicates the trigger of the rule and includes an enumeration of what actions were triggered in response to the correlation.
Security Alerts

Alerts that are a part of the SecurityAlert node are generally related to network activity that is consistent with an internal or external attack, a misuse or abuse of resources, a resource compromise, resource probing, or other abnormal traffic that is noteworthy. Security Alert events indicate aggressive behavior that may lead to an attack or resource compromise, or suspicious behavior that may indicate unauthorized information gathering. LEM infers some Security Alerts from what is normally considered audit traffic, but it escalates the events to alert status based on thresholds that are defined by Rules. Each Security Alert is described below. For your convenience, they are listed alphabetically.

AttackBehavior
Alerts that are children of AttackBehavior are generally related to network activity that may be consistent with an attack, misuse or abuse of resources, a resource compromise, or other abnormal behavior that should be considered indicative of a serious security event.

AttackBehavior > InferredAttack
InferredAttack alerts are reserved AttackBehavior alerts used for describing attacks that are a composite of different types of alerts. These events will be defined and inferred by Contego Policy.

AttackBehavior > ResourceAttack
Members of the ResourceAttack tree are used to define different types of malicious or abusive access to network resources, where these resources may be network bandwidth/traffic, files, client processes or services, or other types of shared security-related 'commodities'.

AttackBehavior > ResourceAttack > NetworkAttack
Members of the NetworkAttack tree are used to define events centered on malicious or abusive usage of network bandwidth/traffic. These events include access to network resources, relaying attacks via network resources, or denial of service behavior on network resources.

AttackBehavior > ResourceAttack > NetworkAttack > Access
Children of the Access tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is inappropriate or abusive access to network resources.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
ApplicationAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is mostly or all application-layer. Generally, ApplicationAccess alerts will reflect attempted exploitation of weaknesses in server or client software, or information that is restricted/prohibited by device access control or policy. These alerts are generally provided by network-based intrusion detection systems; in some cases, network infrastructure devices such as firewalls or proxy servers may also provide them. Alerts placed in the parent ApplicationAccess alert itself are known to be application-related, but cannot be further categorized based on the message provided by the tool or because they are uncommon.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > DataBaseAccess
DataBaseAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer database traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in database server or client software. These alerts are generally provided by network-based intrusion detection systems, the database server, or the client software itself. Appropriate response to these alerts may entail better access control of database servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to database servers and/or clients, or the possible removal of the database service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > FileTransferAccess
FileTransferAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer file transfer traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in file transfer server or client software. These alerts are generally provided by network-based intrusion detection systems, the file transfer server, or the client software itself. Appropriate response to these alerts may entail better access control of file transfer servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to file transfer servers and/or clients, or the possible removal of the file transfer service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > FileTransferAccess > FTPFileAccess
FTPFileAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to filesystems of resources via application-layer file transfer traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in file transfer server or client software with the intent of information gathering or low-level filesystem access of the server or client. These alerts are generally provided by network-based intrusion detection systems, the file transfer server, or the client software itself. Appropriate response to these alerts may entail better access control of file transfer servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to file transfer servers and/or clients, or the possible removal of the file transfer service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > FileTransferAccess > FTPInvalidFormatAccess
FTPInvalidFormatAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer file transfer traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in file transfer server or client software with the intent of information gathering or low-level access to the server or client. These attacks are always abnormal traffic that the file transfer server or client is not prepared to respond to; attacks, such as buffer overflows, may also result in the server or client software or system being halted. These alerts are generally provided by network-based intrusion detection systems, the file transfer server, or the client software itself. Appropriate response to these alerts may entail better access control of file transfer servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to file transfer servers and/or clients, or the possible removal of the file transfer service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > FileTransferAccess > FTPCommandAccess
FTPCommandAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer file transfer traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in file transfer server software with the intent of information gathering or low-level access to the server or client. These attacks are always abnormal command traffic that the file transfer server is not prepared to respond to, but may provide access to (e.g. debug or legacy commands). These alerts are generally provided by network-based intrusion detection systems, the file transfer server, or the client software itself. Appropriate response to these alerts may entail better access control of file transfer servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to file transfer servers and/or clients, restriction of allowed commands, or the possible removal of the file transfer service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > MailAccess
MailAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer mail transfer, retrieval, or service traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in mail-related server or client software. These alerts are generally provided by network-based intrusion detection systems or the mail server, service, or client software itself. Appropriate response to these alerts may entail better access control of mail servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to mail servers and/or clients, or possible removal of the mail server, service, or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > MailAccess > MailTransferAccess
MailTransferAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer mail transfer traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in SMTP server software. These alerts are generally provided by network-based intrusion detection systems, or the SMTP server software itself. Appropriate response to these alerts may entail better access control of the SMTP server (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting, especially for SMTP servers that relay mail for external/remote entities), applying updates or patches to SMTP servers, or the possible removal of the SMTP server related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > MailAccess > MailTransferAccess > SMTPInvalidFormatAccess
SMTPInvalidFormatAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer mail transfer traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in SMTP server software with the intent of information gathering or low-level access to the server. These attacks are always abnormal traffic that the SMTP server is not prepared to respond to; attacks, such as buffer overflows, may also result in the server software or system being halted. These alerts are generally provided by network-based intrusion detection systems, or the SMTP server software itself. Appropriate response to these alerts may entail better access control of the SMTP server (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting, especially for SMTP servers that relay mail for external/remote entities), applying updates or patches to SMTP servers, or the possible removal of the SMTP server related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > MailAccess > MailTransferAccess > SMTPInvalidFormatAccess > SmailAccess
SmailAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer mail transfer traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in SMTP server software with the intent of information gathering or low-level access to the server. These attacks are always abnormal traffic that the SMTP server is not prepared to respond to; they may also result in the server software or system being halted. The smail attack specifically attempts to execute applications, resulting in compromise of the SMTP server system. These alerts are generally provided by network-based intrusion detection systems, or the SMTP server software itself. Appropriate response to these alerts may entail better access control of the SMTP server (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting, especially for SMTP servers that relay mail for external/remote entities), applying updates or patches to SMTP servers, or the possible removal of the SMTP server related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > MailAccess > MailTransferAccess > SMTPCommandAccess
SMTPCommandAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer mail transfer traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in SMTP server software with the intent of information gathering or low-level access to the server. These attacks are always abnormal command traffic that the SMTP server is not prepared to respond to, but may provide access to (e.g. debug or legacy commands). These alerts are generally provided by network-based intrusion detection systems, or the SMTP server software itself. Appropriate response to these alerts may entail better access control of the SMTP server (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting, especially for SMTP servers that relay mail for external/remote entities), applying updates or patches to SMTP servers, restriction of allowed commands, or the possible removal of the SMTP server related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > MailAccess > MailDeliveryAccess
MailDeliveryAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer mail retrieval traffic.
Generally, these alerts will reflect attempted exploitation of weaknesses in mail retrieval-related server or client software, the MDA (mail delivery agent) or MUA (mail user agent). These alerts are generally provided by network-based intrusion detection systems, or the mail server, service, or client software itself. Appropriate response to these alerts may entail better access control of mail servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to mail servers and/or clients, or the possible removal of the mail server, service, or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > MailAccess > MailServiceAccess
MailServiceAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer mail service traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in mail service-related server or client software, including services such as mailing list software, spam filters, email redirection software, and other mail filtering software. These alerts are generally provided by network-based intrusion detection systems, the mail service, or the client software itself. Appropriate response to these alerts may entail better access control of mail services or servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to mail services and/or clients, or the possible removal of the mail service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > MailAccess > MailServiceAccess > MajordomoAccess
MajordomoAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer mail service traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in Majordomo, a specific type of mailing list software. These alerts are generally provided by network-based intrusion detection systems, or the mail service itself. Appropriate response to these alerts may entail better access control of mail services or servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to the mail service, or the possible removal of the mail service related to this event. Generally, the most appropriate response will be updates or patches that can be retrieved from the Majordomo web site (http://www.greatcircle.com/majordomo) or your operating system vendor.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > NewsAccess
NewsAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer news traffic (over protocols such as NNTP). Generally, these alerts will reflect attempted exploitation of weaknesses in the news server or client software. These alerts are generally provided by network-based intrusion detection systems, the news server, or the client software itself. Appropriate response to these alerts may entail better access control of news servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to news servers and/or clients, or the possible removal of the news service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > PrinterAccess
PrinterAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote printer traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in the remote printer server or client software. These alerts are generally provided by network-based intrusion detection systems, the remote printer server, or the client software itself. Appropriate response to these alerts may entail better access control of remote printer servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to remote printer servers and/or clients, or the possible removal of the remote printer service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > WebAccess
WebAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in the web server or client software. These alerts are generally provided by network-based intrusion detection systems, the web server, or client software itself. Appropriate response to these alerts may entail better access control of web servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to web servers and/or clients, or the possible removal of the web service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > WebAccess > HTTPClientAccess
HTTPClientAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic where the information flow is from server to client. Generally, these alerts will reflect attempted exploitation of weaknesses in the client software or abuse and/or misuse of resources from clients. These alerts are generally provided by network-based intrusion detection systems, the web client software itself, proxy servers, content filters, and/or firewalls with capability to monitor incoming web traffic. Appropriate response to these alerts may entail applying updates or patches to web client software, or restriction of incoming/outgoing web requests/responses to reflect inappropriate or abusive access.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > WebAccess > HTTPClientAccess > FraudulentCertificateAccess
FraudulentCertificateAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic in which the information flow is from server to client. Generally, these alerts will reflect attempted exploitation of weaknesses in the client software through fraudulent certificates. The intent of these attacks may be to forge certificates that convince the client that the site is trusted, when in fact it is not, passing data along with those certificates that may be inappropriate and/or contain exploits. These alerts are generally provided by network-based intrusion detection systems, the web client software itself, proxy servers, content filters, and/or firewalls with capability to monitor incoming web traffic. Appropriate response to these alerts may entail applying updates or patches to web client software, or restriction of incoming/outgoing web requests/responses to reflect the abusive access.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > WebAccess > HTTPClientAccess > ProhibitedHTTPControlAccess
ProhibitedHTTPControlAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic in which the information flow is from server to client. Generally, these alerts will reflect attempted exploitation of weaknesses in the client software or abuse and/or misuse of resources from clients through client controls such as ActiveX and Java. These alerts are generally provided by network-based intrusion detection systems, the web client software itself, proxy servers, content filters, and/or firewalls with capability to monitor incoming web traffic. Appropriate response to these alerts may entail applying updates or patches to web client software, or restriction of incoming/outgoing web requests/responses to reflect inappropriate or abusive access.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > WebAccess > HTTPServerAccess
HTTPServerAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic where the information flow is from client to server. Generally, these alerts will reflect attempted exploitation of weaknesses in the server software or abuse and/or misuse of server resources. These alerts are generally provided by network-based intrusion detection systems, the web server or service software itself, and/or firewalls with the capability to monitor incoming/outgoing web traffic. Appropriate response to these alerts may entail better access control of web servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to web servers, services, and/or clients, or the possible removal of the web service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > WebAccess > HTTPServerAccess > HTTPApplicationAccess
HTTPApplicationAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic in which the information flow is from client to server. Generally, these alerts will reflect attempted exploitation of weaknesses in applications running on top of the server software, such as PHP, CGI, administrative sites, and other application services. These alerts are generally provided by network-based intrusion detection systems, the web server, the service software itself, and/or firewalls with capability to monitor incoming/outgoing web traffic. Appropriate response to these alerts may entail better access control of web servers or the service itself (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to web servers, services, and/or clients, or the possible removal of the web service application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > WebAccess > HTTPServerAccess > HTTPApplicationAccess > HTTPAdministrationAccess
HTTPAdministrationAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic in which the information flow is from client to server. Generally, these alerts will reflect attempted exploitation of weaknesses in applications run on top of server software that are related to remote administration of sites, services, and/or systems. These alerts are generally provided by network-based intrusion detection systems, the web server, the service software itself, and/or firewalls with capability to monitor incoming/outgoing web traffic. Appropriate response to these alerts may entail better access control of web servers or the service itself (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to web servers, services, administrative sites, and/or clients, or the possible removal of the web service application or administrative site related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > WebAccess > HTTPServerAccess > HTTPApplicationAccess > HTTPDynamicContentAccess
HTTPDynamicContentAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic in which the information flow is from client to server. Generally, these alerts will reflect attempted exploitation of weaknesses in applications, running on top of the server software, that generate dynamic content such as PHP, CGI, and ASP.
These alerts are generally provided by network-based intrusion detection systems, the web server, the service software itself, and/or firewalls with capability to monitor incoming/outgoing web traffic. Appropriate response to these alerts may entail better access control of web servers or the service itself (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to web servers, services, dynamic content, and/or clients, or the possible removal of the web service application or dynamic content related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > WebAccess > HTTPServerAccess > HTTPApplicationAccess > HTTPFileRequestAccess
HTTPFileRequestAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic in which the information flow is from client to server. Generally, these alerts will reflect attempted exploitation of weaknesses in applications running on top of server software that are related to remote administration of sites, services, and/or systems with the intent of information gathering or low-level filesystem access of the server or client. These alerts are generally provided by network-based intrusion detection systems, the web server, the service software itself, and/or firewalls with capability to monitor incoming/outgoing web traffic. Appropriate response to these alerts may entail better access control of web servers or the service itself (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to web servers, services, and/or clients, or the possible removal of the web service application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > WebAccess > HTTPServerAccess > HTTPApplicationAccess > HTTPServiceAccess
HTTPServiceAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic in which the information flow is from client to server. Generally, these alerts will reflect attempted exploitation of weaknesses in applications running on top of server software that are related to remote services such as printing or console access. These alerts are generally provided by network-based intrusion detection systems, the web server, the service software itself, and/or firewalls with capability to monitor incoming/outgoing web traffic. Appropriate response to these alerts may entail better access control of web servers or the service itself (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to web servers, services, and/or clients, or the possible removal of the web service application or site related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > WebAccess > HTTPServerAccess > HTTPInvalidFormatAccess
HTTPInvalidFormatAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer web traffic in which the information flow is from client to server. Generally, these alerts reflect attempted exploitation of weaknesses in web server software with the intent of information gathering or low-level access to the server. These attacks are always abnormal traffic that the web server is not prepared to respond to; some of them, such as buffer overflows, may also halt the server software or the system. These alerts are generally provided by network-based intrusion detection systems, the web server, the service software itself, and/or firewalls capable of monitoring incoming/outgoing web traffic. Appropriate response to these alerts may entail better access control of the web server (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to web servers or services, or the possible removal of the web server related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > NamingAccess
NamingAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer naming service traffic (using protocols such as DNS and WINS). Generally, these alerts reflect attempted exploitation of weaknesses in the naming server or client software. These alerts are generally provided by network-based intrusion detection systems, the naming server, or the client software itself. Appropriate response to these alerts may entail better access control of name servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to naming servers and/or clients, or the possible removal of the naming service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > RemoteConsoleAccess
RemoteConsoleAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote console service traffic (services such as telnet, SSH, and terminal services). Generally, these alerts reflect attempted exploitation of weaknesses in the remote console server or client software. These alerts are generally provided by network-based intrusion detection systems, the remote console server, or the client software itself. Appropriate response to these alerts may entail better access control of remote console servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to remote console servers and/or clients, or the possible removal of the remote console service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > TimeAccess
TimeAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote time service traffic (using protocols such as NTP). Generally, these alerts reflect attempted exploitation of weaknesses in the remote time server or client software. These alerts are generally provided by network-based intrusion detection systems, the time server, or the client software itself. Appropriate response to these alerts may entail better access control of remote time servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to remote time servers and/or clients, or the possible removal of the remote time service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > ConfigurationAccess
ConfigurationAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via resource configuration traffic (using protocols such as DHCP, BootP, and SNMP). Generally, these alerts reflect attempted exploitation of weaknesses in the configuration server or client software, or attempts to gain system-level access to the configuration servers themselves. In the case of SNMP and similar configuration protocols, the alert may reflect an attempt to enumerate a device or devices on the same network for further attack. These alerts are generally provided by network-based intrusion detection systems, the configuration server, or the client software itself. Appropriate response to these alerts may entail better access control of configuration servers and services (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to configuration servers and/or clients, or the possible removal of the configuration service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess
CoreAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is mostly or entirely core protocols (TCP, UDP, IP, ICMP). Generally, CoreAccess alerts reflect attempted exploitation of weaknesses in network protocols or devices with the intent to gain access to servers, clients, or network infrastructure devices. These alerts are generally provided by network-based intrusion detection systems; in some cases, network infrastructure devices such as firewalls or routers may also provide them. In some cases, these events are escalated from the Audit tree via Contego Policy. Alerts placed in the parent CoreAccess alert itself are known to be core protocol-related but cannot be categorized further, either because of the message provided by the tool or because they are uncommon.

AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess > ICMPRedirectAccess
ICMPRedirectAccess alerts reflect a specific type of CoreAccess alert where the attack traffic is all ICMP Redirects (ICMP type 5) and the intent is to redirect traffic in order to enumerate devices or client machines, or to gather information on devices or client traffic for further attacks on those or other resources. ICMP Redirects are generally benign ICMP messages sent to hosts to redirect traffic intended for a network that another gateway can serve. When ICMP Redirects are used for attacking, a host generally poses as a router, sends a redirect to a client machine to modify its routing table so that traffic goes to the false router instead of the normal network gateway, and then proceeds to enumerate, gather information from, or attack the redirected host. The false router forwards the traffic on to the correct gateway, so the redirected host has no indication of what has occurred (unless another device or tool detects it). This is one type of what is commonly referred to as a man-in-the-middle attack. These alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers.
Appropriate response to these alerts may entail blocking or resetting the local or remote user's connection/IP address, updates to network infrastructure devices, or restriction of incoming/outgoing ICMP redirect requests/responses to reflect inappropriate or abusive access. Appropriate methods of preventing ICMP redirect attacks are to limit the hosts that may send ICMP Redirects across network devices to the legitimate routers and gateways, to limit ingress and egress ICMP traffic, and to keep clients, servers, and network infrastructure devices current with regard to operating system and other networking software, so that other attacks related to ICMP Redirects of this type (such as denial of service attacks) do not occur.

AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess > IPFragmentationAccess
IPFragmentationAccess alerts reflect a specific type of CoreAccess alert where the attack traffic is all IP and the intent is to slip possibly malicious or abusive data past an IDS or other detection device by using many IP fragments (usually either much larger or much smaller than normal fragments). The network infrastructure devices handling the traffic will reassemble and pass on the traffic correctly; however, an IDS on the network may not be able to detect the malicious traffic, only the presence of fragments (if even that). The attack may thus be allowed to pass through the network, incoming or outgoing, eliminating one line of defense. Normal IP fragmentation (data that has been split up because it is too large for the network parameters) should not trigger an IPFragmentationAccess alert. Fragmentation alerts themselves are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers. Appropriate response to these alerts may entail blocking or resetting the local or remote user's connection/IP address, applying updates or patches to server and/or client software (especially the IDS), updates to network infrastructure devices, or restriction of incoming/outgoing network requests/responses to reflect inappropriate or abusive access.

AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess > IPSourceRouteAccess
IPSourceRouteAccess alerts reflect a specific type of CoreAccess alert where the attack traffic is all IP and the intent is generally to misrepresent the originating address to bypass detection. IPSourceRouteAccess is a type of IP Spoofing in which an attacker falsifies network information to convince the destination that the given source is something other than the actual source, and directs the destination to return the traffic through an IP Source Route option that routes the traffic to the trusted host and then on to the untrusted attacker.
The trusted host receives the traffic from the destination and, because of the IP Source Route, passes it on to the untrusted attacker. The data is not modified; the attacker has 'tricked' the network into passing the traffic on. Generally, while spoofed, clients will attempt to gather information, perform actual attacks on internal or external devices, or perform denial of service attacks. These alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers. Response to IP Spoofing itself is difficult, as the originating host may be alternating spoofed hostnames or IP addresses in order to continually circumvent detection; however, response to IP Spoofing that utilizes the IP Source Route could entail removing the ability of routers or gateways to pass traffic that contains an IP Source Route option. Initial appropriate response to these alerts may entail blocking or resetting the local or remote user's connection/IP address; however, this may prove ineffective or unrealistic. Other responses may include applying updates or patches to server and/or client software, updates to network infrastructure devices, or restriction of incoming/outgoing network requests/responses to reflect inappropriate or abusive access. Unfortunately, it may prove difficult to derail an attempted attack through IP Spoofing; however, routing and firewalling policies (including disallowing traffic with the IP Source Route option) should prevent further access through spoofed addresses.

AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess > IPSpoofAccess
IPSpoofAccess alerts reflect a specific type of CoreAccess alert where the attack traffic is all IP and the intent is to misrepresent the originating address to either bypass detection or misdirect the response to attack activity. IP Spoofing is done by falsifying network information to convince the destination (and any network hops in between) that the given source is something other than the actual source. Generally, while spoofed, clients will attempt to gather information, perform actual attacks on internal or external devices, or perform denial of service attacks. These alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers. Response to IP Spoofing is difficult, as the originating host may be alternating spoofed hostnames or IP addresses in order to continually circumvent detection. Initial appropriate response to these alerts may entail blocking or resetting the local or remote user's connection/IP address; however, this may prove ineffective or unrealistic. Other responses may include applying updates or patches to server and/or client software, updates to network infrastructure devices, or restriction of incoming/outgoing network requests/responses to reflect inappropriate or abusive access. Unfortunately, it may prove difficult to derail an attempted attack through IP Spoofing; however, routing and firewalling policies should prevent further access through spoofed addresses.
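As an added illustration (not code from the LEM manual or product), the following Python shows the packet-level checks behind two of the CoreAccess children above: an ICMP Redirect (type 5) from a host that is not a known gateway maps to ICMPRedirectAccess, and any datagram carrying a Loose or Strict Source Route option maps to IPSourceRouteAccess. The packet builder, the sample datagrams on 192.0.2.0/24 and the trusted-gateway list are constructed assumptions for the example.

```python
import ipaddress
import struct

# Alert paths exactly as named in the LEM alert taxonomy above.
ICMP_REDIRECT_ALERT = ("AttackBehavior > ResourceAttack > NetworkAttack > Access > "
                       "CoreAccess > ICMPRedirectAccess")
IP_SOURCE_ROUTE_ALERT = ("AttackBehavior > ResourceAttack > NetworkAttack > Access > "
                         "CoreAccess > IPSourceRouteAccess")

IPPROTO_ICMP = 1
ICMP_TYPE_REDIRECT = 5           # ICMP type 5, as the ICMPRedirectAccess text states
OPT_EOOL, OPT_NOP = 0x00, 0x01   # single-octet IPv4 options (RFC 791)
OPT_LSRR, OPT_SSRR = 0x83, 0x89  # Loose / Strict Source and Record Route (RFC 791)


def ipv4_option_types(raw):
    """Return the option type octets carried in an IPv4 header (RFC 791 type/length/data)."""
    if raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("truncated IPv4 header")
    opts, i, found = raw[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed IPv4 option")
        found.append(kind)
        i += opts[i + 1]
    return found


def classify_core_access(raw, trusted_gateways):
    """Map one IPv4 datagram to a CoreAccess child alert, or None if these checks pass.

    trusted_gateways: iterable of IPv4 addresses (strings) that are allowed to
    send ICMP Redirects, i.e. the real routers on the monitored segment.
    """
    trusted = {ipaddress.ip_address(g) for g in trusted_gateways}
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src = ipaddress.ip_address(raw[12:16])
    # A source-routed datagram is suspect regardless of payload: the recommended
    # policy above is to disallow the IP Source Route option outright.
    opt_types = ipv4_option_types(raw)
    if OPT_LSRR in opt_types or OPT_SSRR in opt_types:
        return IP_SOURCE_ROUTE_ALERT
    # A redirect is benign from a real gateway; from anyone else it is the
    # "false router" scenario described under ICMPRedirectAccess.
    if proto == IPPROTO_ICMP and len(raw) > ihl:
        if raw[ihl] == ICMP_TYPE_REDIRECT and src not in trusted:
            return ICMP_REDIRECT_ALERT
    return None


def build_ipv4(src, dst, proto, payload=b"", options=b""):
    """Construct a minimal IPv4 datagram for the samples below (checksum left zero)."""
    if len(options) % 4:
        options += bytes(4 - len(options) % 4)   # pad with EOOL to a 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + options + payload


def sample_verdicts():
    """Constructed sample traffic on the documentation network 192.0.2.0/24 (assumed)."""
    gateways = ["192.0.2.1"]                     # assumed: the only legitimate router
    echo_request = bytes([8, 0, 0, 0, 0, 0, 0, 0])
    # ICMP Redirect (type 5, code 1 = redirect for host) naming 192.0.2.66 as the gateway.
    redirect = bytes([5, 1, 0, 0]) + ipaddress.ip_address("192.0.2.66").packed
    # LSRR option: type 0x83, length 7, pointer 4, followed by one hop address.
    lsrr = bytes([OPT_LSRR, 7, 4]) + ipaddress.ip_address("192.0.2.66").packed
    samples = {
        "benign_echo": build_ipv4("192.0.2.10", "192.0.2.20", IPPROTO_ICMP, echo_request),
        "redirect_from_gateway": build_ipv4("192.0.2.1", "192.0.2.20", IPPROTO_ICMP, redirect),
        "redirect_from_rogue": build_ipv4("192.0.2.66", "192.0.2.20", IPPROTO_ICMP, redirect),
        "loose_source_route": build_ipv4("198.51.100.7", "192.0.2.20", 6, b"", lsrr),
    }
    return {name: classify_core_access(pkt, gateways) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in sample_verdicts().items():
        print(f"{name:24s} -> {verdict or 'no CoreAccess alert'}")
```

A sensor feeding captured frames into classify_core_access would need the gateway list kept in step with the real routers, otherwise legitimate redirects are reported as the false-router case.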
AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess > TCPHijackAccess
TCPHijackAccess alerts reflect a specific type of CoreAccess alert where the attack traffic is all TCP and the intent is to hijack a user's connection. TCP Hijacking is done with the intent of taking over another network user's connection by sending malformed packets to 'confuse' the server into thinking that the new user is the original user. In doing so, the original user is removed from the connection to the server and the new user has injected himself, taking over all attributes the server assumed from the original, including levels of security and/or trust. TCP Hijacking can be used to place future attack tools on client systems, gather information about networks and/or client systems, immediately attack internal networks, or perform other malicious and/or abusive behavior. These alerts are generally provided by network-based intrusion detection systems; in some cases, network infrastructure devices such as firewalls or routers may also provide them. Appropriate response to these alerts may entail blocking or resetting the remote hijacker's connection/IP address, applying updates or patches to server and/or client software, updates to network infrastructure devices, or restriction of incoming/outgoing network requests/responses to reflect inappropriate or abusive access.

AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess > TCPTunnelingAccess
TCPTunnelingAccess alerts reflect a specific type of CoreAccess alert where the attack traffic is all TCP and the intent is to tunnel a possibly malicious or abusive connection through other TCP traffic. TCP tunneling uses permitted TCP traffic to bypass access policies on network devices, content filtering, monitoring, and other traffic shaping or behavior policies. TCP tunneling is done by initiating a known 'acceptable' TCP connection through allowed policies and piggybacking an unacceptable connection on top of the granted one. Over the new 'tunnel' the user has built, any traffic that does not match other policies can be passed; once the connection has been initiated, it is often difficult to detect and prevent further malicious or abusive activity. These alerts are generally provided by network-based intrusion detection systems; in some cases, network infrastructure devices such as firewalls or routers may also provide them. Appropriate response to these alerts may entail blocking or resetting the local or remote user's connection/IP address, applying updates or patches to server and/or client software, updates to network infrastructure devices, or restriction of incoming/outgoing network requests/responses to reflect inappropriate or abusive access.

AttackBehavior > ResourceAttack > NetworkAttack > Access > FileSystemAccess
FileSystemAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via remote filesystem traffic (using protocols such as SMB and NFS).
Generally, these alerts reflect attempted exploitation of weaknesses in the remote filesystem server or client software, or attempts to gain system-level access to the remote filesystem servers themselves. These alerts are generally provided by network-based intrusion detection systems, the remote filesystem server, or the client software itself. Appropriate response to these alerts may entail better access control of remote filesystems (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to remote filesystem servers and/or clients, or the possible removal of the remote filesystem service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > FileSystemAccess > NFSAccess
NFSAccess alerts are a specific type of FileSystemAccess alert that reflects malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via NFS (network file share) remote filesystem traffic. Generally, these alerts reflect attempted exploitation of weaknesses in the NFS server or client software, or attempts to gain system-level access to the NFS servers themselves. These alerts are generally provided by network-based intrusion detection systems, the remote filesystem server, or the client software itself. Appropriate response to these alerts may entail better access control of remote filesystems (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to remote filesystem servers and/or clients, or the possible removal of the remote filesystem service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > FileSystemAccess > SMBAccess
SMBAccess alerts are a specific type of FileSystemAccess alert that reflects malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via SMB (server message block) remote filesystem traffic. Generally, these alerts reflect attempted exploitation of weaknesses in the SMB server or client software, or attempts to gain system-level access to the SMB servers themselves. These alerts are generally provided by network-based intrusion detection systems, the remote filesystem server, or the client software itself. Appropriate response to these alerts may entail better access control of remote filesystems (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to remote filesystem servers and/or clients, or the possible removal of the remote filesystem service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > LinkControlAccess
LinkControlAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is low-level link control (using protocols such as ARP). Generally, LinkControlAccess alerts reflect attempted exploitation of weaknesses in switching devices through malformed incoming or outgoing data, with the intent to enumerate or gain access to or through switching devices, clients attached to the switching device, and entire networks attached to the switching device. In some cases, a managed switch with restrictions on port analyzing activity may be forced into behaving as an unmanaged switch with no restrictions, allowing a malicious client to sniff traffic and enumerate or attack. These alerts are generally provided by network-based intrusion detection systems and network infrastructure devices with link-level control (such as switches). Appropriate response to LinkControlAccess events may be to clear the link-level control mechanisms of the switching device (for example, flushing the ARP cache), applying updates or patches to switching devices, or better segmentation of networks to limit information disclosure if an attack occurs.

AttackBehavior > ResourceAttack > NetworkAttack > Access > PointToPointAccess
PointToPointAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via point-to-point traffic (using protocols such as PPTP). Generally, these alerts reflect attempted exploitation of weaknesses in point-to-point server or client software, attempts to enumerate networks, or attempts to further attack devices on trusted networks. These alerts are generally provided by network-based intrusion detection systems; in some cases, network infrastructure devices such as firewalls, routers, or VPN servers may also provide them. Appropriate response to these alerts may entail better access control of remote access services (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to remote access servers and/or clients, or the possible removal of the remote point-to-point service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > PointToPointAccess > PPTPSpoof
PPTPSpoof alerts reflect a specific type of PointToPointAccess alert where the attack traffic is all PPTP and the intent is to misrepresent the originating address to either bypass detection or misdirect the response to attack activity; often the target of these attacks is an internal trusted network that allows remote access through PPTP tunneling. PPTP Spoofing is done by falsifying network information to convince the destination (and any network hops in between) that the given source is something other than the actual source.
Generally, while spoofed, clients will attempt to gather information, perform actual attacks on internal devices, or perform denial of service attacks. These alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers. Response to PPTP Spoofing is difficult, as the originating host appears to be coming from a 'trusted' address that has already completed the initial handshake and key exchange. Initial appropriate response to these alerts may entail blocking or resetting the local or remote user's connection/IP address, applying updates or patches to server and/or client software, updates to network infrastructure devices, or restriction of incoming/outgoing PPTP traffic requests/responses to reflect inappropriate or abusive access.

AttackBehavior > ResourceAttack > NetworkAttack > Access > RemoteProcedureAccess
RemoteProcedureAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via remote procedure call traffic (using protocols such as the traditional RPC services, RMI, and CORBA). Generally, these alerts reflect attempted exploitation of weaknesses in the remote procedure server or client software, or attempts to gain system-level access to the remote procedure servers themselves. These alerts are generally provided by network-based intrusion detection systems, the remote procedure server, or the client software itself. Appropriate response to these alerts may entail better access control of remote procedure servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to remote procedure servers and/or clients, or the possible removal of the remote procedure service or client application related to this event.

AttackBehavior > ResourceAttack > NetworkAttack > Access > RemoteProcedureAccess > RPCPortmapperAccess
RPCPortmapperAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via remote procedure call traffic using the traditional RPC portmapper service. Generally, these alerts reflect attempted exploitation of weaknesses in the remote procedure server or client software, or attempts to gain system-level access to the remote procedure servers themselves. These alerts are generally provided by network-based intrusion detection systems, the remote procedure server, or the client software itself. Appropriate response to these alerts may entail better access control of remote procedure servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), applying updates or patches to remote procedure servers and/or clients, or the possible removal of the remote procedure service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > RoutingAccess
RoutingAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is routing-related protocols (RIP, IGMP, etc.). Generally, RoutingAccess alerts reflect attempted exploitation of weaknesses in routing protocols or devices with the intent to enumerate or gain access to or through routers, servers, clients, or other network infrastructure devices. These routing protocols are used to automate the routing process between multiple devices that share or span networks. These alerts are generally provided by network-based intrusion detection systems and network infrastructure devices that utilize routing protocols, such as firewalls and routers. Appropriate response to RoutingAccess events may be better access control of routing devices (e.g. restriction by IP address of which devices are allowed to update routing, to ensure only trusted devices are passing data), applying updates or patches to routing servers and/or devices, or the possible removal of the automated routing protocols from servers and/or devices.

AttackBehavior > ResourceAttack > NetworkAttack > Access > RoutingAccess > MalformedRIPAccess
MalformedRIPAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is all RIP (Routing Information Protocol). Generally, MalformedRIPAccess alerts reflect attempted exploitation of weaknesses in RIP through malformed incoming or outgoing data, with the intent to enumerate or gain access to or through routers, servers, clients, or other network infrastructure devices. RIP is used to automate the routing process between multiple devices that share or span networks. These alerts are generally provided by network-based intrusion detection systems and network infrastructure devices that utilize routing protocols, such as firewalls and routers. Appropriate response to MalformedRIPAccess events may be better access control of routing devices (e.g. restriction by IP address of which devices are allowed to update routing, to ensure only trusted devices are passing data), applying updates or patches to routing servers and/or devices, or the possible removal of the automated routing protocols from servers and/or devices.

AttackBehavior > ResourceAttack > NetworkAttack > Access > TrojanTrafficAccess
TrojanTrafficAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as a Trojan Horse. This alert detects the communication related to Trojans over the network (generally, 'trojaned' clients calling home to the originator).
Trojans are generally executables that require no user intervention to spread and that contain malicious code placed on the client system and used to exploit the client (returning access to the originator of the attack) or to exploit other clients (as in distributed denial of service attacks). These alerts are generally provided by a virus scanner, a network-based intrusion detection system, or in some cases the operating system or network infrastructure devices such as firewalls and routers. Appropriate response to these alerts may entail quarantining the node from the network to prevent internal attacks and further compromise of the client system, updating virus scanner pattern files on this and other network nodes to prevent future or further infection, running virus scans on this and other network nodes to detect further infection if any has taken place, and researching the offending Trojan to find out methods of removal (if necessary).

AttackBehavior > ResourceAttack > NetworkAttack > Access > TrojanTrafficAccess > TrojanCommandAccess
TrojanCommandAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as Trojan Horses. This alert detects the communication related to Trojans sending commands over the network (infecting other clients, participating in denial of service activity, being controlled remotely by the originator, etc.). Trojans are generally executables that require no user intervention to spread and that contain malicious code placed on the client system and used to exploit the client (returning access to the originator of the attack) or to exploit other clients (as in distributed denial of service attacks). These alerts are generally provided by a virus scanner, a network-based intrusion detection system, or in some cases the operating system or network infrastructure devices such as firewalls and routers. Appropriate response to these alerts may entail quarantining the node from the network to prevent internal attacks and further compromise of the client system, updating virus scanner pattern files on this and other network nodes to prevent future or further infection, running virus scans on this and other network nodes to detect further infection if any has taken place, and researching the offending Trojan to find out methods of removal (if necessary).

AttackBehavior > ResourceAttack > NetworkAttack > Access > TrojanTrafficAccess > TrojanInfectionAccess
TrojanInfectionAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as a Trojan Horse. This alert detects the infection traffic related to a Trojan entering the network (generally with the intent to infect a client).
Trojans are generally executables that require no user intervention to spread and that contain malicious code placed on the client system and used to exploit the client (returning access to the originator of the attack) or to exploit other clients (as in distributed denial of service attacks). These alerts are generally provided by a virus scanner, a network-based intrusion detection system, or in some cases the operating system or network infrastructure devices such as firewalls and routers. Appropriate response to these alerts may entail quarantining the node from the network to prevent internal attacks and further compromise of the client system, updating virus scanner pattern files on this and other network nodes to prevent future or further infection, running virus scans on this and other network nodes to detect further infection if any has taken place, and researching the offending Trojan to find out methods of removal (if necessary).

AttackBehavior > ResourceAttack > NetworkAttack > Access > VirusTrafficAccess
VirusTrafficAccess alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as viruses. This alert detects the communication related to viruses over the network (generally, the spread of a virus infection or an incoming virus infection). Viruses are generally executables that require user intervention to spread, contain malicious code that is placed on the client system, and are used to exploit the client and possibly spread to other clients. These alerts are generally provided by a virus scanner, a network-based intrusion detection system, or in some cases the operating system or network infrastructure devices such as firewalls and routers. Appropriate response to these alerts may entail quarantining the node from the network to prevent internal attacks and further compromise of the client system, updating virus scanner pattern files on this and other network nodes to prevent future or further infection, running virus scans on this and other network nodes to detect further infection if any has taken place, and researching the offending virus to find out methods of removal (if necessary).

AttackBehavior > ResourceAttack > NetworkAttack > Denial
Children of the Denial tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is inappropriate or abusive access to network resources through a denial of service attack. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial
ApplicationDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer protocols. The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack.
ApplicationDenial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial > FileTransferDenial
FileTransferDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer file transfer-related protocols (FTP, TFTP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. FileTransferDenial events may be attempts to exploit weaknesses in file transfer-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial > MailDenial
MailDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer mail-related protocols (SMTP, IMAP, POP3, etc.) or services (majordomo, spam filters, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. MailDenial events may be attempts to exploit weaknesses in mail-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial > MailDenial > MailServiceDenial
MailServiceDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer mail-related services (majordomo, spam filters, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. MailServiceDenial events may be attempts to exploit weaknesses in mail-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial > MailDenial > MailServiceDenial > MailSpamDenial
MailSpamDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer mail-related services (usually SMTP). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack caused by excessive mail relaying. MailSpamDenial events reflect excessive attempts to relay mail through an SMTP server from remote sites that should not typically be relaying mail through the server, let alone excessive quantities of mail. The goal of these attacks may not be to enumerate or exploit weaknesses in the mail server, but to relay as much mail through an open relay mail server as quickly as possible, resulting in a denial of service attack. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by the mail server itself, firewalls, or other network infrastructure devices. These alerts may indicate an open relay on the network or an attempt to find an open relay; an appropriate response may be to restrict access to SMTP servers to internal and necessary external IP addresses only.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial > WebDenial
WebDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer web-related protocols (HTTP, HTTPS, etc.) or services (CGI, ASP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. WebDenial events may be attempts to exploit weaknesses in web-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial
CoreDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is core protocols (TCP, IP, ICMP, UDP). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. CoreDenial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.
These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > ChargenDenial
ChargenDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service via UDP chargen or echo services. This attack attempts to exploit network infrastructure devices and hosts by pointing two chargen or echo hosts at each other and forcing so many responses that the network and hosts are flooded. In response to a request to the echo or chargen port, the second device will send a response, which will trigger another request, which will trigger a response, and so on. The initial request (sent to the second host) carries a spoofed source IP address, that of the other host that will be a party to the attack. This will render both devices and possibly the network they are on useless either temporarily or for a significant amount of time by the sheer amount of traffic that is created. ChargenDenial alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > ICMPFloodDenial
ICMPFloodDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service by an ICMP-based 'flood' attack (which uses many very large ICMP packets). The network infrastructure devices handling the traffic may pass on the traffic correctly; however, any vulnerable client or device on the network may not be able to process the incoming traffic (it may use up system resources to the point where the device is rendered useless and cannot accept network connections). Normal ICMP traffic should not trigger an ICMPFloodDenial alert. ICMPFloodDenial alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > ICMPFragmentationDenial
ICMPFragmentationDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack by using many ICMP fragments (usually either much larger or smaller than normal fragments). The network infrastructure devices handling the traffic will reassemble and pass on the traffic correctly; however, any vulnerable client on the network may not be able to reassemble the fragmented traffic (it may overflow the stack, triggering a host or service crash).
Normal ICMP fragmentation (data that has been taken apart because it is too large based on network parameters) should not trigger an ICMPFragmentationDenial alert. Fragmentation alerts themselves are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > ICMPSourceQuenchDenial
ICMPSourceQuenchDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service by an ICMP-based attack (which uses many ICMP packets set to type 4 - Source Quench). The network infrastructure devices handling the traffic may pass on the traffic correctly; however, any client listening and responding to source quench traffic may be slowed down, simply by responding correctly to the quench requests, to the point where it is rendered useless. Normal ICMP traffic (including single, normal, source quench packets) should not trigger an ICMPSourceQuenchDenial alert. ICMPSourceQuenchDenial alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > IPFloodDenial
IPFloodDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service by an IP-based 'flood' attack (which uses many very large IP packets). The network infrastructure devices handling the traffic may pass on the traffic correctly; however, any vulnerable client or device on the network may not be able to process the incoming traffic (it may use up system resources to the point where the device is rendered useless and cannot accept network connections). Normal IP traffic should not trigger an IPFloodDenial alert. IPFloodDenial alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > IPFragmentationDenial
IPFragmentationDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack by using many IP fragments (usually either much larger or smaller than normal fragments).
The network infrastructure devices handling the traffic will reassemble and pass on the traffic correctly; however, any vulnerable client on the network may not be able to reassemble the fragmented traffic (it may overflow the stack, triggering a host or service crash). Normal IP fragmentation (data that has been taken apart because it is too large based on network parameters) should not trigger an IPFragmentationDenial alert. Fragmentation alerts themselves are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > IPFragmentationDenial > PingOfDeathDenial
PingOfDeathDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service by a 'ping of death' attack (which uses many large ICMP Echo Request packets). The network infrastructure devices handling the traffic will pass on the traffic correctly; however, any vulnerable client on the network may not be able to process the incoming traffic (it may be processed in such a way that triggers a host or service crash). Unpatched Windows NT and 95/98 clients are especially vulnerable to this type of attack. Normal ICMP Echo traffic should not trigger a PingOfDeathDenial alert. PingOfDeathDenial alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > LandAttackDenial
LandAttackDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service by a 'land' attack (which uses TCP traffic with the SYN bit set and the same source IP and port as the destination). The network infrastructure devices handling the traffic will pass on the traffic correctly; however, any vulnerable client on the network may not be able to process the incoming traffic (it may be processed in such a way that triggers a host or service crash). Unpatched Windows 3.11, NT, and 95 clients are especially vulnerable to this type of attack. Normal TCP traffic (with or without the SYN bit) should not trigger a LandAttackDenial alert. LandAttackDenial alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > SmurfDenial
SmurfDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service by a 'Smurf' attack.
A Smurf attack attempts to exploit a vulnerability in some network infrastructure devices by sending ICMP Echo Requests to devices that will re-broadcast the traffic to internal devices. In response to the broadcast Echo Request, all of the devices will send an ICMP Echo Reply, which will effectively overflow the device. The ICMP Echo Replies are addressed to a spoofed 'victim' IP address, which will also be overflowed by the replies that all of the hosts send to it. This will render both devices useless either temporarily or for a significant amount of time. SmurfDenial alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > SnorkDenial
SnorkDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service by a 'Snork' attack. A Snork attack attempts to exploit a vulnerability in Windows NT devices by using the Windows RPC service and sending packets to devices that will broadcast the traffic to other internal Windows NT devices using RPC. In response to the broadcast, all of the Windows NT devices will send another packet, and this process will continue until it effectively overflows the device and possibly the network. The destination or source of the initial packet is a spoofed 'victim' IP address, which will create the illusion of internal activity. This will render both devices useless either temporarily or for a significant amount of time. SnorkDenial alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > SynFloodDenial
SYNFloodDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service by a TCP-based 'flood' attack (which uses many very large TCP packets with the SYN bit set). The network infrastructure devices handling the traffic may pass on the traffic correctly; however, any vulnerable client or device on the network may not be able to process the incoming traffic (it may use up system resources to the point where the device is rendered useless and cannot accept network connections). Normal TCP traffic (with or without the SYN flag) should not trigger a SYNFloodDenial alert. SYNFloodDenial alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers.
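As an added defender-side illustration (not code from this manual or from SolarWinds), the following Python classifies constructed packet summaries against the traffic patterns the CoreDenial alerts above describe: the per-packet signatures (LAND, chargen/echo loops, ping of death, Smurf) and the volume-based ones (SYN flood, ICMP flood, Source Quench), including the "normal traffic should not trigger" rule. The Packet record, the thresholds and the echo/chargen port numbers (7 and 19) are assumptions made for the example; the page only names the alerts and their traffic patterns.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed thresholds for one observation window (not LEM's real values).
SYN_FLOOD_THRESHOLD = 100      # SYN-only segments to one destination host
ICMP_FLOOD_THRESHOLD = 50      # ICMP packets to one destination host
QUENCH_THRESHOLD = 20          # single Source Quench packets must not alert
MAX_IP_DATAGRAM = 65535        # largest legal IP datagram; larger = 'ping of death'
ECHO_PORT, CHARGEN_PORT = 7, 19   # well-known UDP echo/chargen ports (assumption)
ICMP_ECHO_REQUEST, ICMP_SOURCE_QUENCH = 8, 4   # type 4 = Source Quench, as on the page


@dataclass(frozen=True)
class Packet:
    """Simplified packet summary used instead of a real capture (assumption)."""
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""       # TCP flags as letters: "S" = SYN only, "SA" = SYN/ACK
    icmp_type: int = -1
    length: int = 0       # IP datagram length after reassembly
    broadcast: bool = False   # dst is a directed-broadcast address


def classify_packet(p: Packet):
    """Per-packet signatures from the CoreDenial definitions; None for normal traffic."""
    if p.proto == "tcp" and "S" in p.flags and p.src == p.dst and p.sport == p.dport:
        return "LandAttackDenial"          # SYN with source == destination IP and port
    small_services = {ECHO_PORT, CHARGEN_PORT}
    if p.proto == "udp" and p.sport in small_services and p.dport in small_services:
        return "ChargenDenial"             # echo/chargen services pointed at each other
    if p.proto == "icmp" and p.icmp_type == ICMP_ECHO_REQUEST:
        if p.length > MAX_IP_DATAGRAM:
            return "PingOfDeathDenial"     # oversized Echo Request
        if p.broadcast:
            return "SmurfDenial"           # Echo Request aimed at a broadcast address
    return None


def classify_window(packets):
    """Signature plus volume alerts over one window of packets.

    Returns a sorted list of (alert, destination) pairs. A lone normal SYN or a
    single Source Quench stays below the thresholds, so normal traffic does not
    trigger the flood alerts.
    """
    findings = set()
    syn, icmp, quench = Counter(), Counter(), Counter()
    for p in packets:
        sig = classify_packet(p)
        if sig:
            findings.add((sig, p.dst))
            continue
        if p.proto == "tcp" and p.flags == "S":
            syn[p.dst] += 1
        elif p.proto == "icmp":
            icmp[p.dst] += 1
            if p.icmp_type == ICMP_SOURCE_QUENCH:
                quench[p.dst] += 1
    findings.update(("SynFloodDenial", d) for d, n in syn.items() if n >= SYN_FLOOD_THRESHOLD)
    findings.update(("ICMPFloodDenial", d) for d, n in icmp.items() if n >= ICMP_FLOOD_THRESHOLD)
    findings.update(("ICMPSourceQuenchDenial", d) for d, n in quench.items() if n >= QUENCH_THRESHOLD)
    return sorted(findings)


def sample_window():
    """Constructed traffic: one LAND segment, a SYN flood against 10.0.0.5,
    one normal Source Quench, and benign web and ping traffic."""
    pkts = [Packet("tcp", "10.0.0.5", "10.0.0.5", 80, 80, "S")]            # LAND
    pkts += [Packet("tcp", f"198.51.100.{i % 250 + 1}", "10.0.0.5", 40000 + i, 80, "S")
             for i in range(120)]                                          # SYN flood
    pkts.append(Packet("icmp", "192.0.2.1", "10.0.0.9", icmp_type=ICMP_SOURCE_QUENCH))
    pkts.append(Packet("tcp", "10.0.0.7", "10.0.0.5", 51000, 80, "S"))     # normal handshake
    pkts.append(Packet("tcp", "10.0.0.5", "10.0.0.7", 80, 51000, "SA"))
    pkts.append(Packet("icmp", "10.0.0.7", "10.0.0.5", icmp_type=ICMP_ECHO_REQUEST, length=84))
    return pkts


if __name__ == "__main__":
    for alert, dst in classify_window(sample_window()):
        print(f"{alert:24s} -> {dst}")
```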
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > TeardropDenial
TeardropDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service by a teardrop attack (which uses many overlapping IP fragments, usually either much larger or smaller than normal fragments). The network infrastructure devices handling the traffic will reassemble and pass on the traffic correctly; however, any vulnerable client on the network may not be able to reassemble the fragmented traffic (it may be reassembled in such a way that triggers a host or service crash). Unpatched Windows NT and 95/98 clients are especially vulnerable to this type of attack. Normal IP fragmentation (data that has been taken apart because it is too large based on network parameters) should not trigger a TeardropDenial alert. TeardropDenial alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > UDPBombDenial
UDPBombDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service by a UDP-based 'bomb' attack (which uses many large UDP packets). The network infrastructure devices handling the traffic may pass on the traffic correctly; however, any vulnerable client or device on the network may not be able to process the incoming traffic (it may be processed in such a way that triggers a host or service crash). Normal UDP traffic should not trigger a UDPBombDenial alert. UDPBombDenial alerts are generally provided by network-based intrusion detection systems and network infrastructure devices such as firewalls or routers.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > ConfigurationDenial
ConfigurationDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is protocols related to configuration of resources (DHCP, BootP, SNMP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. ConfigurationDenial events may be attempts to exploit weaknesses in configuration-related software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > FileSystemDenial
FileSystemDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is remote filesystem-related protocols (NFS, SMB, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack.
FileSystemDenial events may be attempts to exploit weaknesses in remote filesystem services or software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > LinkControlDenial
LinkControlDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is link level protocols (such as ARP). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. LinkControlDenial events may be attempts to exploit weaknesses in link-level control software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > RemoteProcedureDenial
RemoteProcedureDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is remote procedure-related protocols (traditional RPC, RMI, CORBA, etc.) or services (portmapper, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. RemoteProcedureDenial events may be attempts to exploit weaknesses in remote procedure services or software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > RemoteProcedureDenial > RPCPortmapperDenial
RPCPortmapperDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is remote procedure-related protocols, specifically related to the RPC portmapper service. The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. RPCPortmapperDenial events may be attempts to exploit weaknesses in the remote procedure service or software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.
These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > RoutingDenial
RoutingDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is routing-related protocols (RIP, IGMP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. RoutingDenial events may be attempts to exploit weaknesses in routers or routing software to gain access to a host system, attempts to exploit weaknesses in the routing software or service to enumerate or reconfigure, or other denial of service activities. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices.

AttackBehavior > ResourceAttack > NetworkAttack > Denial > TrojanTrafficDenial
TrojanTrafficDenial events are a specific type of Denial event where the transport of the malicious or abusive usage originates with malicious code on a client system known as a Trojan. The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. TrojanTrafficDenial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, attempts to spread the Trojan to other hosts, or other denial of service activities. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices.

AttackBehavior > ResourceAttack > NetworkAttack > Relay
Children of the Relay tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is relaying inappropriate or abusive access to other network resources (either internal or external). Generally, these attacks will have the perimeter or an internal host as their point of origin. When sourced from remote hosts, they may indicate a successful exploit of an internal or perimeter host. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices.

AttackBehavior > ResourceAttack > NetworkAttack > Relay > DDOSToolRelay
DDOSToolRelay events reflect potential network traffic related to known Distributed Denial of Service tools.
These tools are used to relay attacks to new remote (and possibly local) hosts to exploit or inundate the remote host with data in an attempt to cripple it. Generally, these attacks will have a perimeter or an internal host as their point of origin. When sourced from remote hosts, they may indicate a successful exploit of an internal or perimeter host. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by firewalls or other network infrastructure devices. Appropriate response to these events may be to restrict the source from accessing any external network, to run a virus scanner or other detection utility to detect and remove the presence of any relay tool (in some cases known as a 'zombie'), and, if necessary, to quarantine the source node from the network to further isolate the issue. If these events are sourced from a completely external network, blocking the remote host, better access control of clients, servers, and services (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), application of updates or patches to servers and/or clients, or the possible removal of the service related to this event may also be appropriate actions.

AttackBehavior > ResourceAttack > NetworkAttack > Relay > FileTransferRelay
FileTransferRelay events reflect potential network traffic related to known attack tools that operate over file transfer protocols. These tools are used to relay attacks to new remote (and possibly local) hosts to exploit or abuse services. Generally, these attacks will have a perimeter or an internal host as their point of origin. When sourced from remote hosts, they may indicate a successful exploit of an internal or perimeter host. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by the file transfer software itself, and firewalls or other network infrastructure devices. Appropriate response to these events may be to restrict the source from accessing any external network, to run a virus scanner or other detection utility to detect and remove the presence of any relay tool, and, if necessary, to quarantine the source node from the network to further isolate the issue. If these events are sourced from a completely external network, blocking the remote host, better access control of file transfer servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), application of updates or patches to file transfer servers and/or clients, or the possible removal of the file transfer service or client application related to this event may also be appropriate actions.
AttackBehavior > ResourceAttack > NetworkAttack > Relay > FileTransferRelay > FTPBounce
FTPBounce events are a specific type of FileTransferRelay related to known attack tools using file transfer protocols that are used to launder connections to other services, redirect attacks to other hosts or services, or redirect connections to other hosts or services. Generally, these attacks will have a perimeter or an internal host as their point of origin. When sourced from remote hosts, they may indicate a successful exploit of an internal or perimeter host. These alerts are generally provided by network-based intrusion detection systems, but may also be provided by the file transfer software or service itself, and firewalls or other network infrastructure devices. Appropriate response to these events may be to restrict the source from accessing any external network, to run a virus scanner or other detection utility to detect and remove the presence of any relay tool, and, if necessary, to quarantine the source node from the network to further isolate the issue. If these events are sourced from a completely external network, blocking the remote host, better access control of file transfer servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting), application of updates or patches to file transfer servers and/or clients, or the possible removal of the file transfer service or client application related to this event may also be appropriate actions.

AttackBehavior > ResourceAttack > ServiceProcessAttack
Members of the ServiceProcessAttack tree are used to define events centered on malicious or abusive usage of services or user processes. These events include abuse or misuse of resources from malicious code placed on the client system.

AttackBehavior > ResourceAttack > ServiceProcessAttack > VirusAttack
VirusAttack alerts reflect malicious code placed on a client or server system, which may lead to system or other resource compromise and may lead to further attack. The severity of this alert will depend on the ActionTaken field, which reflects whether the virus or other malicious code was successfully removed. These alerts are usually provided by a virus scanner running on the client system. Appropriate response to these alerts may entail a quarantine of the node from the network to prevent further outbreak, updates of virus scanner pattern files on other network nodes to prevent further outbreak, virus scans on other network nodes to detect further outbreak if any has taken place, and research into the offending virus to find out methods of removal.

AttackBehavior > ResourceAttack > ServiceProcessAttack > VirusSummaryAttack
VirusSummaryAttack alerts reflect malicious code placed on a client or server system, which may lead to system or other resource compromise and may lead to further attack. The severity of this alert will depend on the ActionTaken field, which reflects whether the virus or other malicious code was successfully removed.
These alerts differ from VirusAttack in that they may be a composite of virus events, normally due to a scheduled scan on the client system as opposed to a real-time scan. These alerts are usually provided by a virus scanner running on the client system. Appropriate response to these alerts may entail a quarantine of the node from the network to prevent further outbreak, updates of virus scanner pattern files on other network nodes to prevent further outbreak, virus scans on other network nodes to detect further outbreak if any has taken place, and research into the offending virus to find out methods of removal.

GeneralSecurity
GeneralSecurity alerts are generated when a supported product outputs data that has not yet been normalized into a specific alert, but is known to be security issue-related.

SuspiciousBehavior
Alerts that are children of SuspiciousBehavior are generally related to network activity that may be consistent with enumeration of resources, unexpected traffic, abnormal authentication events, or other abnormal behavior that should be considered indicative of a serious security event.

SuspiciousBehavior > AuthSuspicious
Members of the AuthSuspicious tree are used to define events regarding suspicious authentication and authorization events. These events include excessive failed authentication or authorization attempts, suspicious access to unauthenticated users, and suspicious access to unauthorized services or information.

SuspiciousBehavior > AuthSuspicious > FailedAuthentication
FailedAuthentication events occur when a user has made several attempts to authenticate that have repeatedly failed, or when a logon failure is serious enough to merit a security event on a single failure.

SuspiciousBehavior > AuthSuspicious > GuestLogin
GuestLogin events describe user authentication events where an attempt was made, successfully or unsuccessfully, to grant access to a user that generally has no password assigned (such as anonymous, guest, or default) and no special privileges. A user with this level of privilege may be granted access to enough of the client system to begin exploitation. These events are usually produced by a client or server operating system, but may also be produced by a network-based IDS or network infrastructure device when it is possible or appropriate.

SuspiciousBehavior > AuthSuspicious > RestrictedInformationAttempt
RestrictedInformationAttempt events describe a user attempt to access local or remote information that their level of authorization does not allow.
These events may indicate user attempts to exploit services which they are denied access to or inappropriate access attempts to information. SuspiciousBehavior > AuthSuspicious > RestrictedServiceAttempt RestrictedServiceAttempt events describe a user attempt to access a local or remote service that their level of authorization does not allow. These events may indicate user attempts to exploit services which they are denied access to or inappropriate access attempts to services.
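The AuthSuspicious entries above describe the conditions (a burst of failed attempts, a single serious failure, any attempt as a password-less account) that separate FailedAuthentication from GuestLogin. The following added example, which is not SolarWinds LEM code, sorts constructed sshd-style log lines into those two alert names. The log format, the five-failures-in-sixty-seconds threshold, and the SENSITIVE_ACCOUNTS and GUEST_ACCOUNTS lists are assumptions made for the illustration.

```python
"""Classify constructed authentication log lines into the AuthSuspicious alert
names described above (FailedAuthentication, GuestLogin).

Added illustration only: this is not SolarWinds LEM code, and the log format,
the failure threshold/window and the account lists are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog-like sshd lines; the format is an assumption).
SAMPLE_LOG = """\
2012-05-01T08:00:01 host1 sshd: Failed password for alice from 10.1.1.5
2012-05-01T08:00:03 host1 sshd: Failed password for alice from 10.1.1.5
2012-05-01T08:00:05 host1 sshd: Failed password for alice from 10.1.1.5
2012-05-01T08:00:07 host1 sshd: Failed password for alice from 10.1.1.5
2012-05-01T08:00:09 host1 sshd: Failed password for alice from 10.1.1.5
2012-05-01T08:01:00 host1 sshd: Accepted password for guest from 10.1.1.9
2012-05-01T08:02:00 host1 sshd: Failed password for bob from 10.1.1.7
2012-05-01T08:03:00 host2 sshd: Failed password for root from 203.0.113.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

FAIL_THRESHOLD = 5                    # assumption: this many failures ...
FAIL_WINDOW = timedelta(seconds=60)   # ... from one (user, source) in this window
# Assumption: a single failure against these accounts is serious enough to alert.
SENSITIVE_ACCOUNTS = {"root", "administrator"}
# Accounts that normally have no password and no special privileges (from the text).
GUEST_ACCOUNTS = {"guest", "anonymous", "default"}


def parse(line):
    """Return a dict of fields for a recognised line, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def classify(log_text):
    """Return (alert_name, user, source_ip, detection_time) tuples in log order."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        user, src, ts = ev["user"].lower(), ev["src"], ev["ts"]
        if user in GUEST_ACCOUNTS:
            # Any attempt, successful or not, as a password-less account.
            alerts.append(("GuestLogin", ev["user"], src, ts))
            continue
        if ev["result"] != "Failed":
            continue
        if user in SENSITIVE_ACCOUNTS:
            # Serious enough to merit an alert on a single failure.
            alerts.append(("FailedAuthentication", ev["user"], src, ts))
            continue
        recent = failures[(user, src)]
        recent.append(ts)
        # Keep only failures inside the sliding window.
        recent[:] = [t for t in recent if ts - t <= FAIL_WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append(("FailedAuthentication", ev["user"], src, ts))
            recent.clear()  # start a fresh count so one burst fires once
    return alerts


if __name__ == "__main__":
    for name, user, src, ts in classify(SAMPLE_LOG):
        print(f"{ts.isoformat()} {name}: user={user} src={src}")
```

Run as a script it prints one line per alert; on the constructed input that is a FailedAuthentication for alice (fifth failure), a GuestLogin for the accepted guest logon, and a FailedAuthentication for the single root failure, while bob's lone failure stays below the threshold.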
399
Security Alerts
SuspiciousBehavior > InferredSuspicious
InferredSuspicious alerts are reserved SuspiciousBehavior alerts used for describing suspicious behavior that is a composite of different types of alerts. These events will be defined and inferred by Contego Policy.

SuspiciousBehavior > ResourceSuspicious
Members of the ResourceSuspicious tree are used to define different types of suspicious access to network resources, where these resources may be network bandwidth/traffic, files, client processes or services, or other types of shared security-related 'commodities'.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious
Members of the NetworkSuspicious tree are used to define events regarding suspicious usage of network bandwidth/traffic. These events include unusual traffic and reconnaissance behavior detected on network resources.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon
Children of the Recon tree reflect suspicious network behavior with the intent of gathering information about target clients, networks, or hosts. Reconnaissance behavior may be valid behavior on a network, however, only as a controlled behavior in small quantities. Invalid reconnaissance behavior may reflect attempts to determine security flaws on remote hosts, missing access control policies that allow external hosts to penetrate networks, or other suspicious behavior that results in general information gathering without actively attacking.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate
Enumerate alerts reflect attempts to gather information about target networks, or specific target hosts, by sending active data which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the enumeration is generally attempting to acquire information that may reveal more than normal traffic to the target would.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > ApplicationEnumerate
ApplicationEnumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending active application-layer data which will elicit responses that reveal information about the application or host. This enumeration may be a simple command sent to the
application to attempt to fingerprint what is allowed or denied by the service, requests to the application which may enable an attacker to surmise the version and specific application running, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the host or application that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > ApplicationEnumerate > FileTransferEnumerate
FileTransferEnumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending active application-layer data to file transfer services which will elicit responses that reveal information about the application or host. This enumeration may be a simple command sent to the file transfer service to attempt to fingerprint what is allowed or denied by the service, requests to the file transfer service that may enable an attacker to surmise the version and specific service running, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the file transfer service or application that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > ApplicationEnumerate > FileTransferEnumerate > FTPCommandEnumerate
FTPCommandEnumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending active application-layer data to file transfer services which will elicit responses that reveal information about the application. This enumeration specifically entails commands sent to the FTP service to attempt to fingerprint what is allowed or denied by the service, requests to the FTP service that may enable an attacker to surmise the version and specific service running, and other information gathering tactics that use FTP commands to query. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the FTP service that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > ApplicationEnumerate > MailEnumerate
MailEnumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending active application-layer data to mail-related services which will elicit responses that reveal information about the application or host. This enumeration may be a simple command sent to the mail service to attempt to fingerprint what is allowed or denied by the service, requests to
the mail service that may enable an attacker to surmise the version and specific service running, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the mail service or application that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > ApplicationEnumerate > MailEnumerate > SMTPCommandEnumerate
SMTPCommandEnumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending active application-layer data to mail-related services which will elicit responses that reveal information about the application. This enumeration specifically entails commands sent to the SMTP service to attempt to fingerprint what is allowed or denied by the service, requests to the mail service that may enable an attacker to surmise the version and specific service running, and other information gathering tactics that use SMTP commands to query. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the mail service that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > ApplicationEnumerate > WebEnumerate
WebEnumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending active application-layer data to web-related services which will elicit responses that reveal information about the application or host. This enumeration may be a simple command sent to the web service to attempt to fingerprint what is allowed or denied by the service, requests to the web service that may enable an attacker to surmise the version and specific service running, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the web service or application that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > BannerGrabbingEnumerate
BannerGrabbingEnumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending a request which will elicit a response containing the host or service's 'banner'. This 'banner' contains information that may provide a potential attacker with such details as the exact application and version running behind a port. These details could be used to craft specific attacks against hosts or services that an attacker may know will work correctly the first time - enabling them to modify their methodology to go on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > MSNetworkingEnumerate
MSNetworkingEnumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending active data to Microsoft networking services (using protocols such as NetBIOS and SMB/CIFS) that will elicit responses that reveal information about the application, host, or target network. This enumeration may be a simple command sent to the networking service to attempt to fingerprint what is allowed or denied by a service, requests to a service that may enable an attacker to surmise the version and specific service running, requests to a service that may enable an attacker to fingerprint the target network, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the networking service, host, or application that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > RemoteProcedureEnumerate
RemoteProcedureEnumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending active data to Remote Procedure services (using protocols such as RMI, CORBA, and traditional RPC) that will elicit responses that reveal information about the application or host. This enumeration may be a simple command sent to the remote procedure service to attempt to fingerprint what is allowed or denied by the service, requests to the remote procedure service that may enable an attacker to surmise the version and specific service running, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the remote procedure service or application that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > RemoteProcedureEnumerate > RPCPortmapperEnumerate
RPCPortmapperEnumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending active data to the Portmapper Remote Procedure service that will elicit responses that reveal information about the application or host. This enumeration may be a simple command sent to the portmapper service to attempt to fingerprint what is allowed or denied by the service, requests to the portmapper service that may enable an attacker to surmise the version and specific service running, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the
portmapper service or client application that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > RemoteProcedureEnumerate > RPCPortScanEnumerate
RPCPortScanEnumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending active data to Remote Procedure services (using protocols such as RMI, CORBA, and traditional RPC) that will elicit responses that reveal information about the application or host. This specific type of enumeration is done by sending queries to RPC related ports to attempt to fingerprint the types and specific services running, and may involve other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the remote procedure service or application that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Footprint
Footprint alerts reflect attempts to gather information about target networks by tracing the network through routers, clients, servers, or other network infrastructure devices. The originating source of the footprint is generally attempting to acquire information that may reveal more about network behavior than normal traffic to the target would.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Footprint > DNSRequestFootprint
DNSRequestFootprint alerts are a specific type of Footprint alert that reflects a DNS record request that may serve to reveal DNS configuration. Contained within this DNS configuration may be information that reveals internal networks, protected devices, or IP addresses of potential targets.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Footprint > FirewalkingFootprint
FirewalkingFootprint alerts are a specific type of Footprint alert that reflects the usage of a tool that attempts to gather information about network infrastructure device access control and filtering lists. Firewalking works by passing TCP and UDP packets to determine what packets a given device will forward. This activity may reflect attempts to enumerate devices beyond the perimeter of a network, gathering information about activity that is allowed or denied past given gateways.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Footprint > TraceRouteFootprint
TraceRouteFootprint alerts are a specific type of Footprint alert that reflects an IP packet route trace
from source to destination. Generally, this route will not reveal specific information about device types or hosts on a network, but will trace the path of IP traffic across routing devices. This traffic may be an attempt to discover routing devices that are misconfigured (which may be vulnerable to attacks such as IP spoofing or IP fragmentation).

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan
Scan alerts reflect attempts to gather information about target networks, or specific target hosts, by sending scans which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, information such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan
CoreScan alerts reflect attempts to gather information about target networks, or specific target hosts, by sending scans over core network protocols (TCP, IP, ICMP, UDP) which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, information such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > HostScan
HostScan alerts reflect attempts to gather information about specific target hosts by sending scans which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications on the host, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks and generally have the intent of discovering operating system and application information which may be used for further attack preparation.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > ICMPQuery
ICMPQuery alerts reflect attempts to gather information about specific target hosts, or networks, by
sending ICMP-based queries that will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as operating system information and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks, contain many sequential ICMP packets, and generally have the intent of discovering operating system and application information which may be used for further attack preparation.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > PingSweep
PingSweep alerts reflect a specific type of CoreScan alert that describes an attempt to gather information about target networks, and hosts on those networks, by sending ICMP or TCP ping packets to test whether hosts are alive. The originating source of the scan is generally attempting to acquire information about network topology or groups of specific hosts on the network and may have the intent of gathering information for future attack attempts.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > PingSweep > ICMPPingSweep
ICMPPingSweep alerts reflect a specific type of CoreScan alert that describes an attempt to gather information about target networks, and hosts on those networks, by sending ICMP ping packets to test whether hosts are alive. The originating source of the scan is generally attempting to acquire information about network topology or groups of specific hosts on the network and may have the intent of gathering information for future attack attempts.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > PingSweep > TCPPingSweep
TCPPingSweep alerts reflect a specific type of CoreScan alert that describes an attempt to gather information about target networks, and hosts on those networks, by sending TCP ping packets to test whether hosts are alive. The originating source of the scan is generally attempting to acquire information about network topology or groups of specific hosts on the network and may have the intent of gathering information for future attack attempts.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > PortScan
PortScan alerts reflect attempts to gather information about target networks, or specific target hosts, by sending scans over core network protocols (TCP, IP, ICMP, UDP) that will elicit responses that
reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. Portscans specifically operate by sending probes to every port within a range, attempting to identify open ports that may use applications or services that are easy to enumerate and attack.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > PortScan > TCPPortScan
TCPPortScan alerts reflect attempts to gather information about target networks, or specific target hosts, by sending scans over TCP that will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. TCP portscans specifically operate by sending TCP probes to every port within a range, attempting to identify open ports that may use applications or services that are easy to enumerate and attack.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > PortScan > UDPPortScan
UDPPortScan alerts reflect attempts to gather information about target networks, or specific target hosts, by sending scans over UDP that will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. UDP portscans specifically operate by sending UDP probes to every port within a range, attempting to identify open ports that may use applications or services that are easy to enumerate and attack.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > StackFingerprint
StackFingerprint alerts reflect attempts to gather information about specific target hosts by sending a certain set of packets to probe a device's network stack, which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the
target would, such as operating system information (including type and version) and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks and generally have the intent of discovering operating system information which may be used for further attack preparation.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > StackFingerprint > ICMPStackFingerprint
ICMPStackFingerprint alerts reflect attempts to gather information about specific target hosts by sending a certain set of ICMP packets to probe a device's ICMP stack, which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as operating system information (including type and version) and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks and generally have the intent of discovering operating system information which may be used for further attack preparation.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > StackFingerprint > TCPStackFingerprint
TCPStackFingerprint alerts reflect attempts to gather information about specific target hosts by sending a certain set of TCP packets to probe a device's TCP/IP stack, which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as operating system information (including type and version) and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks and generally have the intent of discovering operating system information which may be used for further attack preparation.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > TrojanScanner
TrojanScanner alerts reflect attempts of Trojans on the network to gather information about target networks, or specific target hosts, by sending scans which will elicit responses that reveal information about the host. The originating Trojan source of the scan is generally attempting to acquire information that will reveal whether a target host or network has open and available services for further exploitation, whether the target host or network is alive, and how much of the target
network is visible. A Trojan may run a scan before attempting an attack operation to test potential effectiveness or targeting information.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > UnusualTraffic
UnusualTraffic alerts reflect suspicious behavior on network devices where the traffic may have no known exploit, but is unusual and could be potential enumerations, probes, fingerprints, attempts to confuse devices, or other abnormal traffic. UnusualTraffic may have no impending response; however, it could reflect a suspicious host that should be monitored closely.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > UnusualTraffic > UnusualICMPTraffic
UnusualICMPTraffic alerts reflect ICMP-based suspicious behavior on network devices where the traffic may have no known exploit, but is unusual and could be potential enumerations, probes, fingerprints, attempts to confuse devices, or other abnormal traffic. UnusualICMPTraffic may have no impending response; however, it could reflect a suspicious host that should be monitored closely.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > UnusualTraffic > UnusualIPTraffic
UnusualIPTraffic alerts reflect IP-based suspicious behavior on network devices where the traffic may have no known exploit, but is unusual and could be potential enumerations, probes, fingerprints, attempts to confuse devices, or other abnormal traffic. UnusualIPTraffic may have no impending response; however, it could reflect a suspicious host that should be monitored closely.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > UnusualTraffic > UnusualProtocol
UnusualProtocol alerts reflect suspicious behavior on network devices where the traffic is targeted at unknown, unassigned, or uncommonly used protocols. This traffic may have no known exploit, but is unusual and should be considered potential enumerations, probes, fingerprints, attempts to confuse devices, or other abnormal traffic. UnusualProtocol may have no impending response; however, it could reflect a suspicious host that should be monitored closely.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > UnusualTraffic > UnusualTCPTraffic
UnusualTCPTraffic alerts reflect TCP-based suspicious behavior on network devices where the traffic may have no known exploit, but is unusual and could be potential enumerations, probes,
fingerprints, attempts to confuse devices, or other abnormal traffic. UnusualTCPTraffic may have no impending response; however, it could reflect a suspicious host that should be monitored closely.

SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > UnusualTraffic > UnusualUDPTraffic
UnusualUDPTraffic alerts reflect UDP-based suspicious behavior on network devices where the traffic may have no known exploit, but is unusual and could be potential enumerations, probes, fingerprints, attempts to confuse devices, or other abnormal traffic. UnusualUDPTraffic may have no impending response; however, it could reflect a suspicious host that should be monitored closely.
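The CoreScan entries above (PortScan with its TCPPortScan and UDPPortScan children, and PingSweep with ICMPPingSweep) define the scans by their shape on the wire: one source probing every port in a range on a host, or one source sending ping packets to many hosts. The following added example, which is not SolarWinds LEM code, shows how a collector could recognise those shapes in firewall log lines and emit the matching alert names. The log line format, the fifteen-port and ten-host thresholds, the sixty-second window, and the constructed sample traffic are all assumptions made for the illustration.

```python
"""Detect the CoreScan patterns described above (TCPPortScan, UDPPortScan and
ICMPPingSweep) in constructed firewall log lines.

Added illustration only: this is not SolarWinds LEM code, and the log format,
the thresholds and the time window are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape: "<iso-time> <fw> ALLOW|DENY TCP|UDP|ICMP src[:port] -> dst[:port] [type=N]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
    r"(?: type=(?P<itype>\d+))?"
)

PORT_THRESHOLD = 15   # distinct destination ports on one host from one source
HOST_THRESHOLD = 10   # distinct hosts sent ICMP echo requests by one source
WINDOW = timedelta(seconds=60)


def build_sample_log():
    """Constructed input: one TCP port scan, one ICMP ping sweep, some normal traffic."""
    t0 = datetime(2012, 5, 1, 9, 0, 0)
    lines = []
    for i, port in enumerate(range(20, 40)):            # 20 ports on one host
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} fw1 DENY TCP 198.51.100.7:40000 -> 10.0.0.5:{port}")
    for i in range(1, 17):                              # echo request to 16 hosts
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} fw1 DENY ICMP 198.51.100.9 -> 10.0.0.{i} type=8")
    lines.append(f"{t0.isoformat()} fw1 ALLOW TCP 10.0.0.8:51000 -> 10.0.0.5:443")
    return "\n".join(lines)


def _prune(seen, now):
    """Drop entries last seen outside the sliding window."""
    for key, last in list(seen.items()):
        if now - last > WINDOW:
            del seen[key]


def detect(log_text):
    """Return (alert_name, source, destination_or_None, count) tuples, one per scanner."""
    ports = defaultdict(dict)   # (src, dst, proto) -> {dport: last seen}
    hosts = defaultdict(dict)   # src -> {dst: last seen} for ICMP echo requests
    alerts, fired = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ev = m.groupdict()
        ts = datetime.fromisoformat(ev["ts"])
        if ev["proto"] in ("TCP", "UDP") and ev["dport"] is not None:
            # Port scan: many distinct ports on one host from one source.
            key = (ev["src"], ev["dst"], ev["proto"])
            seen = ports[key]
            seen[int(ev["dport"])] = ts
            _prune(seen, ts)
            if len(seen) >= PORT_THRESHOLD and ("scan", key) not in fired:
                fired.add(("scan", key))
                alerts.append((f"{ev['proto']}PortScan", ev["src"], ev["dst"], len(seen)))
        elif ev["proto"] == "ICMP" and ev["itype"] == "8":
            # Ping sweep: echo requests to many distinct hosts from one source.
            seen = hosts[ev["src"]]
            seen[ev["dst"]] = ts
            _prune(seen, ts)
            if len(seen) >= HOST_THRESHOLD and ("sweep", ev["src"]) not in fired:
                fired.add(("sweep", ev["src"]))
                alerts.append(("ICMPPingSweep", ev["src"], None, len(seen)))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

Each scanner fires once, at the moment its distinct-port or distinct-host count crosses the threshold inside the window, so a long scan does not produce one alert per probe; the single ALLOW line for normal web traffic never reaches either threshold.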
DestinationMachine | The IP address the network traffic is going to.
DestinationPort | The port number the network traffic is going to.
DetectionIP | The network node that is the originating source of the alert data. This is usually a Manager or an Agent and is the same as the InsertionIP field, but can also be a network device such as a firewall or an intrusion detection system that may be sending log files over a remote logging protocol.
DetectionTime | The time the network node generated the data. This is usually the same as the InsertionTime field, but they can differ when the Agent or Manager is reading historical data, or if a network device has an incorrect time setting.
EventInfo | A short summary of the alert details. Additional details appear in the following fields, but EventInfo provides enough information to view a snapshot of the alert information.
ExtraneousInfo | Extra information that is relevant to the alert, but may not be reflected in other fields. This can include information useful for correlating or summarizing alert information in addition to the EventInfo field.
Grid column or field | Description
Host | The node the log message came from (that is, the LEM or Agent that collected the message for forwarding to nDepth).
HostFromData | The originating network device (if different from the node) that the message came from. Normally, Host and HostFromData are the same, but in the case of a remote logging device (such as a firewall) this field reports the original remote device's address.
InferenceRule | The name of the correlation that caused this alert. The InferenceRule field will generally be blank, but in cases where the alert was related to a rule, it displays the rule name.
InsertionIP | The Manager or Agent that first created the alert. This is the source that first read the log data from a file or other source.
InsertionTime | The time the Manager or Agent first created the alert. This time indicates when the data was read from a log file or other source.
IPAddress | The IP address associated with the alert. This is a composite field, drawn from several different alert fields. It shows all the IP addresses that appear in alert data.
Manager | The name of the Manager that received the alert. For data generated from an Agent, this is the Manager the Agent is connected to.
Order | In the Event explorer's event grid, the Order field indicates whether each event occurred before, during (as part of), or after the central event shown in the event map.
Protocol | Displays the protocol associated with this alert (TCP or UDP).
ProviderSID | A unique identifier for the original data. Generally, the ProviderSID field includes information that can be used in researching information on the alert in the originating network device vendor's documentation.
Severity |
SourceMachine | The IP address the network traffic is coming from.
SourcePort | The port number the network traffic is coming from.
ToolAlias | The Alias Name entered when configuring the tool on the Manager or Agent. For more information on configuring tools, see "Connecting products to the SolarWinds LEM" on page 1.
ToolId | The actual tool that generated the log message.
ToolType | Tool category for the tool that generated the log message.
Username | The user name associated with the alert. This is a composite field, drawn from several different alert fields. It shows all the places that user names appear in alert data.
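The field table above draws several distinctions that only become concrete when a log line from a remote device passes through an Agent: Host and InsertionIP name the collecting node while HostFromData and DetectionIP name the device that produced the data, DetectionTime is the device's own timestamp while InsertionTime is when the collector read it, and IPAddress is a composite of every address in the record. The following added example, which is not SolarWinds LEM code, builds such a record from one constructed syslog line. The message format, the message id EXAMPLE-4-DENY, the addresses and the timestamps are all constructed assumptions, as is the year the collector supplies for a syslog timestamp that has none.

```python
"""Build a normalized alert record from a syslog message relayed through a LEM
Agent, to show the field distinctions in the table above: Host vs HostFromData,
InsertionIP vs DetectionIP, InsertionTime vs DetectionTime, and the composite
IPAddress field.

Added illustration only: this is not SolarWinds LEM code; the syslog format,
the message id and the addresses are constructed assumptions."""
import re
from datetime import datetime

# Constructed: a firewall at 192.0.2.1 forwards this line to the Agent at 10.0.0.50.
RAW_SYSLOG = ("<134>May  1 09:15:02 fw-edge EXAMPLE-4-DENY: "
              "TCP 198.51.100.7:40000 -> 10.0.0.5:22 denied by policy")

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<msgid>\S+): (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<text>.*)$"
)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def normalize(raw, collector_ip, sender_ip, received_at, year=2012):
    """Return the alert as a dict keyed by the grid field names in the table."""
    m = SYSLOG_RE.match(raw)
    if m is None:
        raise ValueError("unrecognised message")
    f = m.groupdict()
    # Syslog timestamps carry no year; the collector supplies it (assumption).
    detection_time = datetime.strptime(
        f"{year} {' '.join(f['ts'].split())}", "%Y %b %d %H:%M:%S")
    alert = {
        "Host": collector_ip,         # node that collected the message (the Agent)
        "HostFromData": sender_ip,    # original remote device the message came from
        "InsertionIP": collector_ip,  # Agent that first created the alert
        "InsertionTime": received_at,
        "DetectionIP": sender_ip,     # the firewall, not the Agent, generated the data
        "DetectionTime": detection_time,
        "SourceMachine": f["src"],
        "SourcePort": int(f["sport"]),
        "DestinationMachine": f["dst"],
        "DestinationPort": int(f["dport"]),
        "Protocol": f["proto"],
        "ProviderSID": f["msgid"],    # vendor message id, for looking the event up
        "EventInfo": f"{f['proto']} {f['src']}:{f['sport']} -> "
                     f"{f['dst']}:{f['dport']} {f['text']}",
        "ExtraneousInfo": f"syslog PRI={f['pri']} reported by {f['host']}",
        "InferenceRule": "",          # blank: not produced by a correlation rule
    }
    # Composite field: every IP address that appears anywhere in the alert data.
    found = []
    for value in alert.values():
        for ip in IPV4_RE.findall(str(value)):
            if ip not in found:
                found.append(ip)
    alert["IPAddress"] = found
    return alert


def clock_skew_seconds(alert):
    """How far the sending device's clock lags the collector (InsertionTime - DetectionTime)."""
    return (alert["InsertionTime"] - alert["DetectionTime"]).total_seconds()


def sample_alert():
    """The constructed line as read by the Agent 45 seconds after the firewall stamped it."""
    return normalize(RAW_SYSLOG, "10.0.0.50", "192.0.2.1",
                     datetime(2012, 5, 1, 9, 15, 47))


if __name__ == "__main__":
    a = sample_alert()
    for k, v in a.items():
        print(f"{k}: {v}")
    print("skew (s):", clock_skew_seconds(a))
```

A non-zero clock_skew_seconds is exactly the case the table describes for DetectionTime and InsertionTime differing; when the same Agent reads its own local log file, both the IP and the time pairs collapse to identical values.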
413
414
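The following is an added example, not code from the SolarWinds guide or from LEM itself. It models the alert fields in the grid above to show three things the descriptions only state: how the composite IPAddress and Username fields gather values from several underlying fields (so a search by IP matches an address in any role), when HostFromData differs from Host (a remote logging device such as a firewall relayed the message to the collecting node), and how the Order column is judged relative to a central event. The field names follow the guide; the underlying fields assumed to feed the composites (SourceMachine, DestinationMachine, SourceAccount, DestinationAccount) and all alert values are constructed.

```python
"""Added example, not part of the SolarWinds LEM guide: a small model of the
alert grid fields. Names marked 'assumed' are not in the guide."""

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Alert:
    host: str                                  # Host: LEM/Agent node that collected the message
    host_from_data: str                        # HostFromData: originating device named in the data
    insertion_time: datetime                   # InsertionTime: when the data was first read
    manager: str                               # Manager that received the alert
    source_machine: Optional[str] = None       # SourceMachine
    destination_machine: Optional[str] = None  # assumed field feeding IPAddress
    source_account: Optional[str] = None       # assumed field feeding Username
    destination_account: Optional[str] = None  # assumed field feeding Username
    inference_rule: Optional[str] = None       # InferenceRule: blank unless a rule fired
    tool_alias: str = ""                       # ToolAlias


def composite_ip_addresses(alert: Alert) -> list:
    """IPAddress: every distinct address that appears in the alert, in field order."""
    seen = []
    for value in (alert.host_from_data, alert.source_machine, alert.destination_machine):
        if value and value not in seen:
            seen.append(value)
    return seen


def composite_usernames(alert: Alert) -> list:
    """Username: every distinct account name found in the alert."""
    seen = []
    for value in (alert.source_account, alert.destination_account):
        if value and value not in seen:
            seen.append(value)
    return seen


def relayed_by_remote_device(alert: Alert) -> bool:
    """True when a remote logging device originated the message, so that
    HostFromData (the device) differs from Host (the node that collected it)."""
    return alert.host_from_data != alert.host


def order_relative_to(event_time: datetime, central_start: datetime,
                      central_end: datetime) -> str:
    """Order column: 'before', 'during' (part of) or 'after' the central event."""
    if event_time < central_start:
        return "before"
    if event_time > central_end:
        return "after"
    return "during"


def alerts_mentioning_ip(alerts, ip: str) -> list:
    """Search on the composite IPAddress field: matches the IP in any role."""
    return [a for a in alerts if ip in composite_ip_addresses(a)]


# Constructed sample alerts: a firewall (10.1.1.1) relaying syslog to the Agent
# on 10.1.1.50, then two Windows logon events read locally by their Agents.
T0 = datetime(2012, 5, 1, 8, 0, 0)
SAMPLE_ALERTS = [
    Alert(host="10.1.1.50", host_from_data="10.1.1.1", insertion_time=T0,
          manager="10.1.1.200", source_machine="203.0.113.7",
          destination_machine="10.1.2.20", tool_alias="EdgeFirewall"),
    Alert(host="10.1.2.20", host_from_data="10.1.2.20",
          insertion_time=T0 + timedelta(seconds=30), manager="10.1.1.200",
          source_machine="10.1.3.9", source_account="jsmith",
          destination_account="Administrator", tool_alias="WinSecurity",
          inference_rule="Suspicious Logon After Firewall Alert"),
    Alert(host="10.1.2.21", host_from_data="10.1.2.21",
          insertion_time=T0 + timedelta(minutes=10), manager="10.1.1.200",
          source_account="jsmith", tool_alias="WinSecurity"),
]

# Constructed central event window used for the Order column.
CENTRAL_START = T0 + timedelta(seconds=20)
CENTRAL_END = T0 + timedelta(seconds=60)


def event_grid_rows(alerts=SAMPLE_ALERTS, start=CENTRAL_START, end=CENTRAL_END) -> list:
    """One row per alert with the derived columns an event grid would show."""
    return [
        {
            "Order": order_relative_to(a.insertion_time, start, end),
            "Host": a.host,
            "HostFromData": a.host_from_data,
            "Relayed": relayed_by_remote_device(a),
            "IPAddress": composite_ip_addresses(a),
            "Username": composite_usernames(a),
            "InferenceRule": a.inference_rule or "",
        }
        for a in alerts
    ]


if __name__ == "__main__":
    for row in event_grid_rows():
        print(row)
```

Searching `SAMPLE_ALERTS` for 10.1.2.20 returns both the firewall alert (where the address is the destination) and the Windows alert (where it is the originating host), which is the behaviour the composite IPAddress field is meant to give an analyst.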
FileName | Description | Version
(Cells left empty are not present in the source text.)
bladerackswitch.xml | Blade RackSwitch | 6813
bluecoatproxySG.xml | Blue Coat ProxySG | 6817
bordermanager.xml | Novell BorderManager | 5375
bordermanagerwebproxy.xml | Novell BorderManager Web Proxy | 5375
Borderware.xml | Borderware Firewall | 5375
ciscoacsadminaudit.xml | Cisco ACS Admin Audit | 5488
ciscoacsadminaudit.xml | Cisco ACS Admin Audit 4.1+ | 5488
ciscoacsbackup.xml | Cisco ACS Backup and Restore | 5375
ciscoacsdbr.xml | Cisco ACS Database Replication | 5375
ciscoacsdbs.xml | Cisco ACS Database Sync | 5375
ciscoacsfailed.xml | Cisco ACS Failed Attempts | 5375
ciscoacspassauth.xml | Cisco ACS Passed Authentications | 5375
ciscoacspassword.xml | Cisco ACS User Password Changes | 5375
ciscoacsradius.xml | Cisco ACS RADIUS Accounting | 5375
ciscoacsservmon.xml | Cisco ACS Service Monitoring | 5375
ciscoacssyslog.xml | Cisco Secure ACS 4.1 Syslog | 6948
ciscoacstacacc.xml | Cisco ACS TACACS+ Accounting | 5375
ciscoacstacadmin.xml | Cisco ACS TACACS+ Administration | 5375
ciscoacsvoip.xml | Cisco ACS VoIP | 5375
ciscocatos.xml | Cisco CatOS | 6870
CiscoCSCSSM.xml | Cisco Content Security and Control Security Services Module 6.1-6.2 | 6836
CiscoCSCSSM63.xml | | 6923
 | Cisco IDS/IPS v4/5.x |
 | Cisco IPS 5+ (SDEE) |
 | Cisco (NAC) Network Access Control Appliance with Clean Access Manager (CAM) or Server (CAS) Software |
CiscoVPN.xml | | 6871
ciscowlc.xml | | 6920
citrixnetscaler.xml | | 6878
CitrixSAG.xml | Citrix Secure Access Gateway | 6562
ClamAV.xml | ClamAV | 5996
codegreenci.xml | CodeGreen Content Inspection | 6813
codegreenciuser.xml | CodeGreen Content Inspection user | 6813
CommandES.xml | Command for Exchange Server | 5375
consentrycontroller.xml | ConSentry Controller | 6813
ContegoManagerMonitor.xml | Manager Monitor | 6706
ContegoReports.xml | SWLEM Reports | 6986
corenteawb.xml | Corente AWB | 6813
cyberguard.xml | Cyberguard | 5375
CyberoamUTM.xml | Cyberoam UTM | 6813
dellPowerConnect.xml | Dell PowerConnect Switches | 6915
devicelockevents.xml | DeviceLock Events | 7034
devicelockevents.xml | DeviceLock Audit | 7034
eeyeblinkep.xml | eEye Blink Professional Endpoint Protection | 6893
EFTServer.xml | EFT Server Enterprise Windows Application Log | 5749
enterasysswitch.xml | Enterasys C-Series and N-Series Switches | 6618
epo.xml | ePolicy Orchestrator (ePO) | 6490
epo45.xml | ePolicy Orchestrator (ePO) 4.5+ | 7039
esxcfgfirewall.xml | VMWare ESX esxcfg-firewall log | 5749
esxhostd.xml | VMWare ESX hostd log | 6576
esxihostd.xml | VMWare ESXi Hostd log | 7014
esxmessages.xml | VMWare ESX messages log | 6976
esxmessages.xml | VMWare ESXi messages log | 6976
esxsecure.xml | VMWare ESX secure log | 5749
esxvmkernel.xml | VMWare ESX vmkernel log | 7006
esxvmkernel.xml | VMWare ESXi vmkernel log | 7006
esxvmkwarning.xml | VMWare ESX vmkwarning log | 5749
extremeswitch.xml | Extreme Switch | 7005
F5BigIPdaemon.xml | F5 BigIP BSD daemon messages | 7044
F5BigIPhttpd.xml | F5 BigIP HTTPD specific | 7045
F5BigIPLTMgeneral.xml | F5 General BIG-IP specific messages | 7046
F5BigIPmessages.xml | F5 BigIP messages | 6990
FirePass.xml | FirePass SSL VPN | 6917
flexteller.xml | Flex Teller | 6813
forefrontapp.xml | Forefront Security Application Log (Client Security, Exchange and Sharepoint) | 6663
 | Forefront Security SQL Database |
 | Forefront Security System Log (Client Security) |
 | FortiGate 2.5 |
 | FortiGate 2.8+ |
 | Foundry |
 | FreeRADIUS |
 | F-Secure Anti-Virus 7 |
 | Globalscape EFT client |
 | Globalscape Secure FTP (W3C Extended file format) |
 | GNAT Box System Software v.3.3 |
 | Group Shield/Outbreak for Exchange Server |
 | HP ProCurve Switches Firmware F.05.65+ Zl Series |
 | HP-ux Syslog |
 | Huawei Switches |
 | IAS RADIUS Non-Rotating File |
 | IAS RADIUS Rotating File |
 | Windows IAS System Log |
IIS.xml | Microsoft IIS Web Server 5.0 (W3C Extended file format) | 7018
IIS.xml | Microsoft IIS Web Server 7.0 (W3C Extended file format) | 7018
iisftp.xml | Microsoft IIS FTP Server 5+ (W3C Extended file format) | 7048
iisftp.xml | Microsoft IIS FTP Server 7.0 (W3C Extended file format) | 7048
 | InoculateIT 6.0 |
 | InoculateIT 7.0+ |
 | IntruShield |
 | IP Filter |
 | St. Bernard iPrism |
 | IronPort Web Security |
 | Microsoft ISA 2004/2006 Firewall (ISA Server file format) | 5375
ISA2004ProxyLog.xml | | 5375
ISA2004W3CFirewall.xml | | 5375
ISA2004W3CWebProxy.xml | Microsoft ISA 2004 Web Proxy (W3C Server file format) | 5375
ISA2006ProxyLog.xml | | 5513
ISA2006W3CWebProxy.xml | Microsoft ISA 2006 Web Proxy (W3C Server file format) | 5809
ISAApplication.xml / ISAFirewallLog.xml | | 6957
 | Microsoft ISA Packet Filter (ISA Server file format) |
 | Apache Tomcat isapi_redirect |
 | Microsoft ISA Web Proxy (ISA Server file format) |
 | Microsoft ISA Firewall (W3C Extended file format) |
 | Microsoft ISA Packet Filter (W3C Extended file format) | 5375
ISAW3CProxyLog.xml | | 5375
issproventia.xml | ISS Proventia IPS | 6894
issrealsecure.xml | ISS RealSecure IDS | 6897
jacocartcare.xml | JACO CartCare | 6813
juniperidp30.xml | Juniper IDP 3.x | 5375
juniperidp40.xml | Juniper IDP 4.0+ | 6233
junipernsm.xml | Juniper NSM | 6813
junos.xml | Juniper JUNOS | 6907
KasperskyAdminKitDB.xml | Kaspersky Administration Kit 8 | 7036
kasperskyav.xml | Kaspersky Anti-Virus 6 | 6413
linkproof.xml | LinkProof | 6813
linuxauditd.xml | Linux Auditd | 7021
linuxdhcpd.xml | DHCPd | 5375
LogAgent.xml | LogAgent for OS400 (Patrick Townsend Security Solutions) | 7009
LOGbinderSP.xml | LOGbinder for Sharepoint: LOGbinder SP log | 7072
LOGbinderSP.xml | LOGbinder for Sharepoint: Security Log | 7072
 | Lotus Notes and Domino Server 8 | 6498
 | Mac OS X (crashreporter) | 5375
 | Mac OS X (install) | 6864
 | Mac OS X (mail) | 5375
 | Mac OS X (ppp) | 5375
 | Mac OS X (secure) | 6865
 | Mac OS X (system) | 6866
 | McAfee Access Protection | 6750
McafeeAccessScanLogReader.xml | McAfee On Access Scan v7.0 | 6669
McafeeActivityLog.xml | McAfee Activity Log (4.5 DAT file update) | 5375
McAfeeMailScan.xml | McAfee Mail Scan | 5375
McAfeeNetShield.xml | McAfee NetShield | 5375
McAfeeTotalProtection.xml | McAfee Total Protection | 5375
McAfeeUpdateLogReader.xml | McAfee Update v7.0 | 6912
McAfeeVSCLogReader.xml | McAfee VSC | 5375
McafeeVSHHomeReader.xml | McAfee VSH Home | 5375
McAfeeVSHLogReader.xml | McAfee VSH 5.0/7.0 | 5375
McAfeeVSHOnDemandReader.xml | McAfee VSH 80i | 5375
McAfeeVSHOnDemandReader.xml | McAfee VSH 85i | 5375
McAfeeWebEmail.xml | McAfee Web Email Scan | 5375
meditech.xml | Meditech | 6813
motorola_wlancontroller.xml | Motorola WLAN Controller | 6813
moveit.xml | MOVEit Windows Application Log | 6603
moveit.xml | MOVEit Log |
msexchange.xml | Microsoft Exchange Application Log |
msexchange.xml | Microsoft Exchange Event Log |
msrras.xml | Microsoft RRAS |
mssqlapplicationlog.xml | MSSQL 2000 Application Log |
mssqlauditor.xml | SolarWinds Log and Event Manager MSSQL Auditor | 6516
nDepthLogMessage.xml | nDepth Log Storage Message | 5727
neoaccelvpn.xml | Neo Accel SSL VPN | 5749
NeoterisVPN.xml | Neoteris VPN/Juniper SA series | 6968
NessusdMsgLog.xml | Nessus Message | 5375
NessusdReport.xml | Nessus Report | 6359
NessusdReport.xml | Nessus XML Report | 6359
nessusnbe.xml | Nessus Security Scanner NBE Report | 5749
netaccess.xml | Net Access | 6591
netfilter.xml | iptables / netfilter | 5866
netgearFV.xml | Netgear FV Series | 5375
netgearsslvpn.xml | Netgear SSL VPN Concentrator SSL312 | 5749
netgearswitch.xml | Netgear Switch | 6820
netilla.xml | Netilla VPN | 5375
netiqdra.xml | NetIQ Directory and Resource Administrator | 6813
Netscreen.xml | Netscreen | 5375
netscreen5.xml | Juniper/NetScreen 5 | 6967
netvanta.xml | Adtran NetVanta Router | 5935
netware4153.xml | Novell Netware 4.1 - 5.3 | 5375
netware65.xml | Novell Netware 6.5 | 5375
netware65.xml | Novell Netware 6.5 File | 5375
NetwareDB.xml | Novell Netware 6.5 (Database) | 5375
networkbox.xml | Network Box RM300 and ITPE1000 | 6813
nitroips.xml | NitroSecurity IPS | 6813
NOD32DB.xml | NOD32 Antivirus 4 SQL Threat | 7037
NOD32DB.xml | NOD32 Antivirus 4 SQL Scan | 7037
NOD32DB.xml | NOD32 Antivirus 4 SQL Event | 7037
NOD32DB.xml | NOD32 Antivirus 4 Access Threat | 7037
NOD32DB.xml | NOD32 Antivirus 4 Access Scan | 7037
NOD32DB.xml | NOD32 Antivirus 4 Access Event | 7037
nortel200series.xml | Nortel Contivity 200 Series | 6813
nortelalteon.xml | Nortel Alteon | 5375
nortelbaystack.xml | Nortel Baystack | 6699
nortelcontivity.xml | Nortel Contivity | 6245
nortelroutingswitch.xml | Nortel Ethernet Routing Switch | 5749
nortelswitch4500.xml | Nortel Ethernet Routing Switch 4500 Series | 7060
nortelwss.xml | Nortel WLAN Security Switch | 5749
norton.xml | Symantec Corp Antivirus | 5375
novellidentityauditDB.xml | Novell Identity Audit DB | 5749
ntapplication.xml | Windows Application Log | 7061
ntdns.xml | Windows DNS Server Log | 6796
ntds.xml | Windows Directory Service Log | 6963
ntfrs.xml | Windows File Replication Service | 5749
ntsecurity.xml | Windows NT/2000/XP Security Log | 6752
ntsystem.xml | Windows System Log | 7053
nubridgesprotect.xml | NuBridges Protect Key Manager | 5749
nubridgesprotect.xml | NuBridges Protect Resource Service | 5749
nubridgesprotect.xml | NuBridges Protect Token Manager Engine | 5749
openbsdftpd.xml | OpenBSD FTPd | 6813
openldap.xml | OpenLDAP | 5749
Opsec.xml | OPSEC(TM) / Check Point(TM) NG LEA Client | 6674
oraclesyslog.xml | Oracle Auditor - Syslog | 6930
oraclewindows.xml | Oracle Auditor - Windows | 6722
OsirisHIMS.xml | Osiris Host Integrity Monitoring System | 6813
paloaltofirewall.xml | Palo Alto Networks PA-2000 Series and PA-4000 Series Firewall | 6999
 | Linux PAM |
 | PatchLink Vulnerability |
 | pcAnywhere |
 | Permeo VPN |
 | PointSec PC |
 | Postfix |
 | ProFTPD Access |
 | ProFTPD Auth |
ptechinteract.xml | PowerTech Interact | 5375
qualysguard.xml | QualysGuard Scan Report | 6813
refleximc.xml | Reflex IMC | 5749
RemotelyAnywhere.xml | RemotelyAnywhere / LogMeIn | 6813
RetinaStatusLog.xml | Retina | 5375
rsaauthmanager71.xml | RSA Authentication Manager 7.1 | 7032
safeword.xml | SafeNet SafeWord | 6813
savantprotection.xml | Savant Protection | 7040
SecureNet.xml | SecureNet IDS | 5375
securid.xml | SecurID | 5375
securidsyslog.xml | SecurID Syslog | 6428
sentriant.xml | Extreme Sentriant | 5749
Sidewinder.xml | Sidewinder Firewall | 5375
sidewinder61.xml | Sidewinder 6.1+ Firewall | 6767
SmoothWallUTM.xml | SmoothWall Unified Threat Manager | 6813
snort.xml | Snort Syslog | 6742
snort.xml | Snort Forti | 6742
snort.xml | Snort | 6742
solarisbsm.xml | Solaris 10 BSM Auditing | 5532
solarissnare.xml | Solaris 10 Snare Auditing | 5375
solarissnare.xml | Solaris 8 and 9 Snare Auditing | 5375
sonicsslvpn.xml | SonicWALL SSL VPN | 6842
sonicwall.xml | SonicWall | 7017
sonicwallgmsdb.xml | SonicWall GMS | 5375
Sophos.xml | Sophos Anti-Virus for Win2k | 6832
SophosDB.xml | Sophos Enterprise 2.0 Database | 5633
SophosDB.xml | Sophos Enterprise 3.0 Database | 5633
sophoses.xml | Sophos ES appliance | 6813
sophoses.xml | Sophos ES appliance auth | 6813
sophosws.xml | Sophos WS appliance | 6867
SquidAccessLog.xml | Squid Access Log | 5654
SquidGuardAccessBlock.xml | SquidGuard Access Block Log | 6813
sudolog.xml | sudo | 5849
sudolog.xml | sudo syslog | 5849
SW_Orion.xml | SolarWinds Orion and Virtualization Manager | 7071
sybari.xml | Sybari's Antigen 7.0 for Exchange Server 2000 | 5995
symantecep.xml | Symantec Endpoint Protection 11 | 7057
SymantecGatewayIDS.xml | Symantec Gateway IDS | 5375
symmetricomsyncserver.xml | Symmetricom SyncServer | 6813
timirror.xml | Titanium Mirror Firewall | 5749
tippingpoint.xml | Tippingpoint SMS | 6908
tippingpoint.xml | Tippingpoint IPS 2.1 | 6908
tippingpoint.xml | Tippingpoint IPS 1.4 | 6908
tippingpoint_audit_system.xml | TippingPoint Audit and System | 5749
tippingpointxseries.xml | Tippingpoint X505 | 5749
toplayer.xml | TopLayer Attack Mitigator | 6601
trendDeepSecurity.xml | Trend Deep Security | 6414
trendimss.xml | Trend IMSS | 5749
trendimssemgr.xml | Trend IMSS Policy | 5749
trendimssvirus.xml | Trend IMSS Virus | 5749
trendInterScan.xml | Trend InterScan | 5375
trendOfficeScan.xml | Trend Office Scan | 5576
trendScanMail.xml | Trend ScanMail | 5375
trendServerProtect.xml | Trend Server Protect | 5375
tricipher.xml | TriCipher | 6699
tw_enterprise.xml | Tripwire Enterprise | 5858
ultravnc.xml | Ultra VNC | 5749
Velociraptor.xml | Symantec Velociraptor 1.5 | 5375
velociraptor20.xml | Symantec Velociraptor 2.0 | 5375
velociraptor30.xml | Symantec Velociraptor 3.0 | 5522
VIPREBusiness.xml | VIPRE Business 4.0 | 7035
VIPREBusiness.xml | VIPRE Business - System Events 4.0 | 7035
VIPREBusiness.xml | VIPRE 5.0 | 7035
VIPREEnterpriseDB.xml | VIPRE Enterprise 3.1 | 5749
visneticfirewall.xml | VisNetic Firewall | 6300
vistasecurity.xml | Windows 7/2008/Vista Security Log | 7059
vormetric.xml | Vormetric | 7011
websense.xml | |
websenseDB.xml | |
WgFirebox.xml | WatchGuard Firebox | 5694
WgSoho.xml | WatchGuard SOHO | 5375
WgVclass.xml | WatchGuard Vclass | 5375
WgVclassAlarm.xml | WatchGuard Vclass (Alarm) | 5375
WgVclassVpn.xml | WatchGuard Vclass (VPN) | 5375
WgXcore.xml | WatchGuard Xcore | 6699
WgXedge.xml | WatchGuard Firebox X Edge E-Series | 5916
WindowsDHCPServer.xml | Windows DHCP Server 2000 | 6771
WindowsDHCPServer.xml | Windows DHCP Server 2003 | 6771
WindowsDHCPSystem.xml | Windows DHCP Server 2000/2003/2008 System Log | 5375
WindowsDNSTraffic.xml | | 6985
windowsfirewall.xml | | 5375
upgrading the Manager software, deploying new tool infrastructure to the Managers and Agents, rebooting or shutting down the network appliance, configuring trusted reporting hosts, configuring supplemental services on the Manager appliance, and controlling your nDepth appliances.
The following topics describe how to log on to CMC and explain each command found in the appliance, manager, service and ind menus.
Logging on to CMC
To log on to CMC:

1. Connect to the Network Appliance in either of two ways:
   - Connect directly to the Network Appliance with a keyboard and monitor. If you connect in this manner, skip to Step 7.
   - Connect remotely using SSH. SSH stands for Secure Shell, which is a remote administration tool. To connect to the network appliance using SSH, you can use PuTTY, which is a free SSH tool. For more information on this tool, see the SolarWinds Knowledge Base. The following example shows the PuTTY Configuration form with the default Manager settings.
2. In the Host Name (or IP address) box, type the IP address of your Manager (in this example, the IP address is 10.1.1.200).
3. Under Protocol, click SSH.
4. In the Port box, type 32022.
5. So you don't have to do this again, type Manager into the Saved Sessions box, and then click Save.
6. Click Open.
   Note: To reopen this connection for future sessions, double-click Manager in the Saved Sessions box. The connection will reopen.
7. Whether you connect remotely or physically, the system prompts you for your CMC user name and password.
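The following is an added example, not from the SolarWinds guide. Before typing CMC credentials into an SSH session it is worth confirming that the Manager's SSH host key is already pinned in the client's known_hosts file; a pin that covers a host on the default port does not cover the same host on port 32022, because OpenSSH records keys for a non-default port under the `[host]:port` form. The code checks both plain and hashed (`HashKnownHosts`) entries. The address 10.1.1.200 and port 32022 are the guide's own example values; the known_hosts lines are constructed and the key material in them is fake.

```python
"""Added example, not part of the SolarWinds LEM guide: check whether an
OpenSSH known_hosts file already pins a host key for the CMC SSH endpoint."""

import base64
import hashlib
import hmac
import os


def known_hosts_name(host: str, port: int) -> str:
    """The host form OpenSSH writes to known_hosts for host:port."""
    return host if port == 22 else f"[{host}]:{port}"


def hashed_host_field(name: str, salt: bytes) -> str:
    """Build a hashed host field: |1|base64(salt)|base64(HMAC-SHA1(salt, name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_field_matches(field: str, name: str) -> bool:
    """True if a host field (plain, comma-separated list, or hashed) names `name`."""
    if field.startswith("|1|"):
        parts = field.split("|")            # ['', '1', salt, mac]
        if len(parts) != 4:
            return False
        salt = base64.b64decode(parts[2])
        expected = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(parts[3]))
    return name in field.split(",")


def pinned_key_types(known_hosts_text: str, host: str, port: int) -> list:
    """Key types (ssh-ed25519, ssh-rsa, ...) pinned for host:port, in file order."""
    name = known_hosts_name(host, port)
    found = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):       # @cert-authority / @revoked markers
            fields = fields[1:]
        if len(fields) < 3:
            continue
        if host_field_matches(fields[0], name):
            found.append(fields[1])
    return found


def ready_to_connect(known_hosts_text: str, host: str, port: int) -> bool:
    """True when at least one host key is pinned for the CMC endpoint."""
    return bool(pinned_key_types(known_hosts_text, host, port))


# Constructed known_hosts content (fake keys): the CMC endpoint pinned in plain
# form, another Manager pinned only on port 22, and a hashed entry for the CMC
# endpoint as HashKnownHosts would write it.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "[10.1.1.200]:32022 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKE",
    "10.1.1.201 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABFAKEFAKE",
    hashed_host_field("[10.1.1.200]:32022", os.urandom(20)) + " ssh-rsa AAAAB3NzaC1yc2EFAKE",
])


if __name__ == "__main__":
    print(pinned_key_types(SAMPLE_KNOWN_HOSTS, "10.1.1.200", 32022))
```

With the sample file, the CMC endpoint on port 32022 is pinned twice (plain and hashed), while a lookup for 10.1.1.200 on port 22 finds nothing, which is the mismatch an administrator who only ever used the default port would otherwise miss.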
Command | Description
(Command names left empty are not present in the source text.)
 | Activates appliance features after activating LEM.
 | Shows the contents of the virtual appliance's log files from sources such as syslog and SNMP.
cleantemp | Removes temporary files created by the virtual appliance during normal operation. You may run this command to recover used disk space, or at the suggestion of SolarWinds Support.
dateconfig | Sets/shows the virtual appliance's date and time.
demote | Demotes the appliance to a secondary appliance in a high availability or disaster recovery configuration. The demoted appliance disables running LEM services and resumes replicating its configuration information from the configured primary appliance.
diskusage | Checks and provides a summary of disk usage for your virtual appliance and several of the internal components (such as the database or log files). This information is included when you send SolarWinds Support information using the support command.
exit |
exportsyslog | Exports the System Logs.
help | Shows the Help menu.
hostname | Changes the virtual appliance's hostname.
netconfig | Configures network parameters for the appliance, such as the IP address, subnet mask and DNS server(s).
ntpconfig | Configures the Network Time Protocol (NTP) service on the virtual appliance for synchronization with a time server.
password | Changes the CMC user password.
ping | Pings other IP addresses or host names from the virtual appliance to verify network connectivity.
promote | Promotes the appliance to the primary appliance in a high availability or disaster recovery configuration. The promoted appliance takes over LEM services until it is demoted with the demote command.
 | Reboots the virtual appliance.
 | Shuts down the virtual appliance.
 | Displays and monitors CPU and memory usage, as well as per-process information for the Manager Network Appliance.
tzconfig |
viewnetconfig | Displays the current network configuration parameters for the appliance, such as the IP address, subnet mask and DNS server(s).
Command | Description
(Command names left empty are not present in the source text.)
archiveconfig | Configures the Manager appliance database archives to a remote file share on a daily, weekly, or monthly schedule.
backupconfig | Configures the Manager appliance software and configuration backups to a remote file share on a daily, weekly, or monthly schedule.
 | Reconfigures the Agent on this Manager to a new Manager.
 | Configures the virtual appliance to use an nDepth server.
 | Queries the Manager appliance database directly.
 | Emails the Manager debugging information to any given email address. The email message contains a collection of data that can be useful in diagnosing problems.
 | Returns to the main CMC menu.
 | Exports the CA certificate for Console.
 | Exports a certificate request for signing by a CA.
 | Displays a brief description of each command.
 | * Imports a certificate used for Console communication.
 | Configures the Manager appliance remote log backups to a remote file share on a daily, weekly, or monthly schedule.
resetadmin | * Resets the admin password to "password". This command does not affect other users on the system, and all settings are preserved.
restart | * Restarts the Manager service. This will take the Manager offline for 13 minutes.
sensortoolupgrade | Upgrades the Manager's Sensor Tools from a CD or floppy disk.
showlog | Allows you to page through the Manager's log file.
showmanagermem | Displays the Manager's configured memory utilization settings.
start | Starts the Manager service. If the Manager is already started, nothing happens.
stop | * Stops the Manager service. This makes the Manager inactive until it is started again.
support | Sends debugging information via email to support@SolarWinds.com. This command prompts you for your name and email address. It then sends SolarWinds a collection of data that can be useful in diagnosing problems.
viewsysinfo | Displays appliance settings and information, useful for support and troubleshooting.
watchlog | Displays 20 lines of the current Manager log file and monitors the log for further updates. Any new log entries appear as they are written to the log.
Command | Description
loadsnortbackup | Loads the factory-default Snort rules on the Manager. This allows you to revert to the original default Snort rules in case of an error. This command overwrites any changes that were made to the main set of rules with the original rules that were installed with the SolarWinds system.
loadsnortrules | Loads Snort rules from a floppy disk or a network file share to the Manager. This allows you to update the Snort rules on the Manager. The floppy disk must be in the same format (that is, the same names and directories) that the copysnortrules command uses to issue the original rules; otherwise, the rules are not updated.
restartsnort | Restarts the Snort service.
restartssh | Restarts the SSH service. If the SSH service is running, this command stops and then restarts the service.
restrictconsole | Restricts access to the Console's graphical user interface to certain IP addresses or hostnames only. This command prompts you to provide the allowable IP addresses or hostnames. Once the restriction is in place, only the given IP addresses/hostnames are able to connect to the Console. Users are still required to log in with a password to fully access the Console.
restrictreports | Restricts access to reports to certain IP addresses or hostnames only. This command prompts you to provide the allowable IP addresses or hostnames. Once the restriction is in place, only the given IP addresses/hostnames are able to create and view reports.
restrictssh | Restricts the SSH service to certain IP addresses only. This command prompts you to provide the allowable IP addresses. Once the restriction is in place, only the given IP address/user combinations are able to connect to the Manager using the SSH service.
startssh | Starts the SSH service.
stopopsec | Terminates any connections from the Manager Appliance to Check Point OPSEC hosts.
stopssh | Stops the SSH service. If you issue this command, you can only access the Manager with a keyboard and monitor until you issue a reboot command. To restrict access to the SSH service (beyond the user name and password requirements), see the restrictssh command.
unrestrictconsole | Removes restrictions on the Console's graphical user interface. This command removes all restrictions and allows any valid system user to connect to the Console. The only protection at this point is the user name and password combination.
unrestrictreports | Removes restrictions on access to reports. This command removes all restrictions and allows anyone with the Reports Console, or any alternative database connection software, with the proper user name and password, to create and view reports and browse the database.
unrestrictssh | Removes restrictions on the SSH service. Any connection attempts still require a user name and password.
Description
This report lists all authentications tracked by the SolarWinds system, including user logon, logoff, failed logon attempts, guest logons, etc. This report lists alert events that are related to authentication and authorization of accounts and account 'containers' such as groups or domains. These alerts can be produced from any network node including firewalls, routers, servers, and clients.
name
Schedule
This report lists alert events that are related to suspicious authentication and RPT2003- As Needed authorization events. These events include excessive failed authentication or authorization attempts, suspicious access to unauthenticated users, and suspicious access to unauthorized services or information. This report lists the Top User Log On alerts grouped by user name. RPT2003- As needed 02-6-2.rpt 02-9.rpt
438
File Title
Authentication Report - User Log Off
Description
User Logoff alerts reflect account logoff events from network devices (including network infrastructure devices). Each alert will reflect the type of device from which the user was logging off. These alerts are usually normal events but are tracked for consistency and auditing purposes.
name
Schedule
User Logon alerts reflect user account logon events from network devices monitored by SolarWinds (including network infrastructure devices). Each alert will reflect the type of device that the logon was intended for along with all other relevant fields.
Authentication Report - User Log On by User Authentication Report - User Log On Failure
This report lists all account logon alerts, grouped by user name.
User Logon Failure alerts reflect failed account logon events from network devices (including network infrastructure devices). Each alert will reflect the point on the network where the user was attempting logon. In larger quantities, these alerts may reflect a potential issue with a user or set of users, but as individual events they are generally not a problem.
Authentication Report - User Log On Failure by User Change Management General Authentication Related Events Change Management General Authentication: Domain Events
This report lists all account logon failure alerts, grouped by user name.
This report includes changes to domains, groups, machine accounts, and user accounts.
This report includes changes to domains, including new domains, new members, and modifications to domain settings.
439
File Title
Change Management General Authentication: Domain Events Change Domain Attribute Change Management General Authentication: Domain Events Change Domain Member Change Management General Authentication: Domain Events Delete Domain Change Management General Authentication: Domain Events Delete Domain Member Change Management General Authentication: Domain Events Domain Member Alias This report lists alert events that happen when the alias for a domain member has been changed. This means an account or account container within a domain has an alias created, deleted, or otherwise modified. This event is uncommon and is used to track links between domain members and other locations in the domain where the member may appear. RPT2006- As needed 20-015.rpt This report lists alert events that occur when an account or account container has been removed from a domain. Usually, these changes are made by a user account with administrative privileges, but occasionally they occur when local system maintenance activity takes place. RPT2006- As needed 20-013.rpt This report lists alert events that occur upon removal of a trust relationship between domains, deletion of a subdomain, or deletion of account containers within a domain. Usually, these changes are made by a user account with administrative privileges. RPT2006- As needed 20-018.rpt This report lists alert events that occur when an account or account container within a domain is modified. Usually, these changes are made by a user account with administrative privileges, but occasionally an alert occurs when local system maintenance activity takes place. Alerts of this nature mean a user, machine, or service account within the domain has been modified. RPT2006- As needed 20-014.rpt
Description
This report lists changes to domain type. These events are uncommon and usually provided by the operating system. Usually, these changes are made by a user account with administrative privileges, but occasionally a change will happen when local system maintenance activity takes place.
name
Schedule
440
File Title
Change Management General Authentication: Domain Events DomainAuthAudit Change Management General Authentication: Domain Events New Domain Change Management General Authentication: Domain Events New Domain Member Change Management General Authentication: Group Events Change Management General Authentication: Group Events Change Group Attribute Change Management General Authentication: Group Events Delete Group This report lists alert events that occur upon deletion of a new group of any type. Usually, these additions are made by a user account with administrative privileges. RPT2006- As needed 20-025.rpt This report lists alert events that occur when a group type is modified. Usually, these changes are made by a user account with administrative privileges, but occasionally a they occur when local system maintenance activity takes place. RPT2006- As needed 20-026.rpt This report lists changes to groups, including new groups, members added/removed to/from groups, and modifications to group settings. RPT2006- As needed 20-02.rpt This report lists alert events that occur when an account or an account container (a new user, machine, or service account) has been added to the domain. Usually, these additions are made by a user account with administrative privileges, but occasionally they occur when local system maintenance activity takes place. RPT2006- As needed 20-012.rpt This report lists alert events that occur upon creation of a new trust relationship between domains, creation of a new subdomain, or creation of new account containers within a domain. Usually, these creations are done by a user account with administrative privileges. RPT2006- As needed 20-016.rpt
Description
This report lists authentication, authorization, and modification events that are related only to domains, subdomains, and account containers. These alerts are normally related to operating systems. However, they can be produced by any network device.
name
Schedule
441
File Title
Change Management General Authentication: Group Events Delete Group Member Change Management General Authentication: Group Events Group Audit Change Management General Authentication: Group Events New Group Change Management General Authentication: Group Events New Group Member Change Management General Authentication: Machine Account Events This report includes changes to machine accounts, including enabling/disabling machine accounts and modifications to machine account settings. RPT2006- As needed 20-03.rpt This report lists NewGroupMember events. These events occur when an account (or other group) has been added to a group. Usually, these additions are made by a user account with administrative privileges, but occasionally an alert will occur when local system maintenance activity takes place. A new user, machine, or service account has been added to the group. RPT2006- As needed 20-022.rpt This report lists NewGroup events. These events occur upon creation of a new group of any type. Usually, these additions are made by a user account with administrative privileges. RPT2006- As needed 20-024.rpt This report lists authentication, authorization, and modification events related only to account groups. These alerts are normally operating system related, however could be produced by any network device. RPT2006- As needed 20-021.rpt
Description
This report lists alert events that occur when an account or group has been removed from a group. Usually, these changes are made by a user account with administrative privileges, but occasionally they occur when local system maintenance activity takes place.
name
Schedule
442
File Title
Change Management General Authentication: Machine Account Events - Machine Disabled Change Management General Authentication: Machine Account Events - Machine Enabled Change Management General Authentication: Machine Account Events - Machine Modify Attribute Change Management General Authentication: User Account Events Change Management General Authentication: User Account Events - User Disabled This report lists UserDisable events. These events occur when a user account is actively disabled and/or when a user is forcibly locked out by the operating system or other authentication tool. These events are usually related to the operating system and can reflect a potential issue with a user or set of users. RPT2006- As needed 20-043.rpt This report includes changes to user accounts, including enabling/disabling user accounts and modifications to user account settings. RPT2006- As needed 20-04.rpt This report lists MachineModifyAttribute events, which occur when a computer or machine type is changed. These events are uncommon and usually provided by the operating system. RPT2006- As needed 20-032.rpt This report lists MachineEnable alerts, which reflect the action of enabling a computer or machine account. These events are normally related to the operating system, and will trigger when a machine is enabled, normally by a user with administrative privileges. RPT2006- As needed 20-031.rpt
Description
This report lists MachineDisable events. These events occur when a machine account is actively disabled and/or when an account is forcibly locked out by the operating system or other authentication tool. These events are usually operating system related and could reflect a potential issue with a computer or set of computers.
name
Schedule
443
File Title
Change Management General Authentication: User Account Events - User Enabled
  Description: This report lists UserEnable alerts, which reflect the action of enabling a user account. These events are normally related to the operating system. They occur both when an account is 'unlocked' after lockout due to unsuccessful logons, and when an account is enabled in the traditional sense.

Change Management General Authentication: User Account Events - User Modify Attributes
  Description: This report lists UserModifyAttribute events that occur when a user type is changed. These events are uncommon and usually provided by the operating system.
  File name: RPT2006-20-042.rpt; Schedule: As needed

Change Management Network Infrastructure: Policy/View Change
  Description: This report includes accesses to network infrastructure device policy, including viewing or changing device policy.
  File name: RPT2006-21.rpt; Schedule: As needed

Change Management Windows/Active Directory Domains: Group Created
  Description: This report includes creations of Windows/Active Directory groups.
  File name: RPT2006-22-01.rpt; Schedule: As needed

Change Management Windows/Active Directory Domains: Group Deleted
  Description: This report includes deletions of Windows/Active Directory groups.
  File name: RPT2006-22-02.rpt; Schedule: As needed

Change Management Windows/Active Directory Domains: Group Events
  Description: This report includes Windows/Active Directory group-related events.
  File name: RPT2006-22.rpt; Schedule: As needed
Change Management Windows/Active Directory Domains: Group Property Updated
  Description: This report includes changes to Windows/Active Directory group properties, such as the display name.
  File name: RPT2006-22-03.rpt; Schedule: As needed

Change Management Windows/Active Directory Domains: Machine Events
  Description: This report includes Windows/Active Directory machine-related events.
  File name: RPT2006-23.rpt; Schedule: As needed

Change Management Windows/Active Directory Domains: Machine Events - Account Created
  Description: This report includes creations of Windows/Active Directory machine accounts.
  File name: RPT2006-23-01.rpt; Schedule: As needed

Change Management Windows/Active Directory Domains: Machine Events - Account Deleted
  Description: This report includes deletions of Windows/Active Directory machine accounts.
  File name: RPT2006-23-02.rpt; Schedule: As needed

Change Management Windows/Active Directory Domains: Machine Events - Account Disabled
  Description: This report includes disables of Windows/Active Directory machine accounts.
  File name: RPT2006-23-03.rpt; Schedule: As needed
Change Management Windows/Active Directory Domains: Machine Events - Account Enabled
  Description: This report includes enables of Windows/Active Directory machine accounts.

Change Management Windows/Active Directory Domains: Machine Events - Account Properties Update
  Description: This report includes changes to Windows/Active Directory machine account properties, such as the display name.
  File name: RPT2006-23-05.rpt; Schedule: As needed

Change Management Windows/Active Directory Domains: Machine Events - Added To Group
  Description: This report includes additions of Windows/Active Directory machine accounts to groups.
  File name: RPT2006-23-06.rpt; Schedule: As needed

Change Management Windows/Active Directory Domains: Machine Events - Added To OU
  Description: This report includes additions of Windows/Active Directory machine accounts to Organizational Units.
  File name: RPT2006-23-07.rpt; Schedule: As needed

Change Management Windows/Active Directory Domains: Machine Events - Removed From Group
  Description: This report includes removals of Windows/Active Directory machine accounts from groups.
  File name: RPT2006-23-08.rpt; Schedule: As needed
Change Management Windows/Active Directory Domains: Machine Events - Removed From OU
  Description: This report includes removals of Windows/Active Directory machine accounts from Organizational Units.

Change Management Windows/Active Directory Domains: New Critical Group Members
  Description: This report includes additions of Windows/Active Directory user accounts to critical groups, such as Domain or Enterprise Admins.
  File name: RPT2006-22-04.rpt; Schedule: As needed

Change Management Windows/Active Directory Domains: OU Events
  Description: This report includes Windows/Active Directory Organizational Unit-related events.
  File name: RPT2006-24.rpt; Schedule: As needed

Change Management Windows/Active Directory Domains: OU Events - OU Created
  Description: This report includes creation of Windows/Active Directory Organizational Units.
  File name: RPT2006-24-01.rpt; Schedule: As needed

Change Management Windows/Active Directory Domains: OU Events - OU Deleted
  Description: This report includes deletion of Windows/Active Directory Organizational Units.
  File name: RPT2006-24-02.rpt; Schedule: As needed
Change Management Windows/Active Directory Domains: OU Events - OU Properties Update
  Description: This report includes updates to Windows/Active Directory Organizational Unit properties, such as the display name.

Change Management Windows/Active Directory Domains: User Events
  Description: This report includes Windows/Active Directory user-related events.
  File name: RPT2006-25.rpt; Schedule: As needed

Change Management Windows/Active Directory Domains: User Events - Account Created
  Description: This report includes creations of Windows/Active Directory user accounts.
  File name: RPT2006-25-01.rpt; Schedule: As needed

Change Management Windows/Active Directory Domains: User Events - Account Deleted
  Description: This report includes deletions of Windows/Active Directory user accounts.
  File name: RPT2006-25-02.rpt; Schedule: As needed

Change Management Windows/Active Directory Domains: User Events - Account Disabled
  Description: This report includes disables of Windows/Active Directory user accounts.
  File name: RPT2006-25-03.rpt; Schedule: As needed
Change Management Windows/Active Directory Domains: User Events - Account Enabled
  Description: This report includes enables of Windows/Active Directory user accounts.

Change Management Windows/Active Directory Domains: User Events - Account Lockout
  Description: This report includes user-driven disables of Windows/Active Directory user accounts, such as a user triggering an excessive failed password limit.
  File name: RPT2006-25-05.rpt; Schedule: As needed

Change Management Windows/Active Directory Domains: User Events - Account Properties Updated
  Description: This report includes changes to Windows/Active Directory user account properties, such as the display name.
  File name: RPT2006-25-06.rpt; Schedule: As needed

Change Management Windows/Active Directory Domains: User Events - Added To Group
  Description: This report includes additions of Windows/Active Directory user accounts to groups.
  File name: RPT2006-25-07.rpt; Schedule: As needed

Change Management Windows/Active Directory Domains: User Events - Added To OU
  Description: This report includes additions of Windows/Active Directory user accounts to Organizational Units.
  File name: RPT2006-25-08.rpt; Schedule: As needed
Change Management Windows/Active Directory Domains: User Events - Removed From Group
  Description: This report includes removals of Windows/Active Directory user accounts from groups.

Change Management Windows/Active Directory Domains: User Events - Removed From OU
  Description: This report includes removals of Windows/Active Directory user accounts from Organizational Units.
  File name: RPT2006-25-10.rpt; Schedule: As needed

File Audit Events
  Description: This report tracks file system activity associated with audited files and system objects, such as file access successes and failures.
  File name: RPT2003-05.rpt; Schedule: Weekly

File Audit Events - File Attribute Change
  Description: File Attribute Change is a specific File Write alert generated for the modification of file attributes (including properties such as read-only status). These alerts may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.
  File name: RPT2003-05-41.rpt; Schedule: As needed

File Audit Events - File Audit
  Description: File Audit alerts are used to track file activity on monitored network devices, usually through the Operating System or a Host-Based IDS. These events will note success or failure of the requested operation.
  File name: RPT2003-05-11.rpt; Schedule: As needed

File Audit Events - File Audit Failure
  Description: File Audit Failure alerts are used to track failed file activity on monitored network devices, usually through the Operating System or a Host-Based IDS. These events will note what requested operation failed.
  File name: RPT2003-05-12.rpt; Schedule: As needed

File Audit Events - File Create
  Description: File Create is a specific File Write alert generated for the initial creation of a file. These alerts may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.
  File name: RPT2003-05-42.rpt; Schedule: As needed

File Audit Events - File Data Read
  Description: File Data Read is a specific File Read alert generated for the operation of reading data from a file (not just properties or status of a file). These alerts may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.
  File name: RPT2003-05-31.rpt; Schedule: As needed
File Audit Events - File Data Write
  Description: File Data Write is a specific File Write alert generated for the operation of writing data to a file (not just properties or status of a file). These alerts may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.

File Audit Events - File Delete
  Description: File Delete is a specific File Write alert generated for the deletion of an existing file. These alerts may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.

File Audit Events - File Execute
  Description: File Execute is a specific File Read alert generated for the operation of executing files. These alerts may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.

File Audit Events - File Handle Audit
  Description: File Handle Audit alerts are used to track file handle activity on monitored network devices, usually through low-level access to the Operating System, either natively or with a Host-Based IDS. These events will note success or failure of the requested operation.

File Audit Events - File Handle Close
  Description: File Handle Close is a specific File Handle Audit alert generated for the closing of file handles. These alerts may be generated by a tool that has low-level file access, such as an Operating System or some Host-Based IDSs.
  File name: RPT2003-05-22.rpt; Schedule: As needed

File Audit Events - File Handle Copy
  Description: File Handle Copy is a specific File Handle Audit alert generated for the copying of file handles. These alerts may be generated by a tool that has low-level file access, such as an Operating System or some Host-Based IDSs.

File Audit Events - File Handle Open
  Description: File Handle Open is a specific File Handle Audit alert generated for the opening of file handles. These alerts may be generated by a tool that has low-level file access, such as an Operating System or some Host-Based IDSs.

File Audit Events - File Link
  Description: File Link is a specific File Write alert generated for the creation, deletion, or modification of links to other files. These alerts may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.

File Audit Events - File Move
  Description: File Move is a specific File Write alert generated for the operation of moving a file that already exists. These alerts may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.
File Audit Events - File Read
  Description: File Read is a specific File Audit alert generated for the operation of reading files (including reading properties of a file or the status of a file). These alerts may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.
  File name: RPT2003-05-33.rpt; Schedule: As needed

File Audit Events - File Write
  Description: File Write is a specific File Audit alert generated for the operation of writing to a file (including writing properties of a file or changing the status of a file). These alerts may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some operating systems.

File Audit Events - Object Audit
  Description: Object Audit alerts are used to track special object activity on monitored network devices, usually through the Operating System or a Host-Based IDS. Generally, Objects are special types of system resources, such as registry items or user account databases. These objects may be actual 'files' on the system, but are not necessarily human readable. These events will note success or failure of the requested operation.

File Audit Events - Object Audit Failure
  Description: Object Audit Failure alerts are used to track special object activity on monitored network devices, usually through the Operating System or a Host-Based IDS. Generally, Objects are special types of system resources, such as registry items or user account databases. These objects may be actual 'files' on the system, but are not necessarily human readable. These events will note a failure of the requested operation.

File Audit Events - Object Delete
  Description: Object Delete is a specific Object Audit alert generated for the deletion of an existing object. These alerts may be produced by any tool that is used to monitor the activity of file and object usage, including a Host-Based IDS and some Operating Systems.

File Audit Events - Object Link
  Description: Object Link is a specific Object Audit alert generated for the creation, deletion, or modification of links to other objects. These alerts may be produced by any tool that is used to monitor the activity of file and object usage, including a Host-Based IDS and some Operating Systems.

Incident Alerts
  Description: This report tracks the Incident, HostIncident, HybridIncident and NetworkIncident alerts that have been generated to reflect enterprise-wide issues.

Inferred Alerts
  Description: This report tracks alerts that are triggered by correlations built in the SolarWinds Rule Builder.

Inferred Alerts by Inference Rule
  Description: This report tracks alerts that are triggered by correlations, and orders them by the correlation rule name.
Log On/Off/Failure
  Description: Track activity associated with account events such as log on, log off and log on failures. This is a refined version of the Authentication Report that does not include SolarWinds authentication events. It is more appropriate for management reports or audit reviews than regular use.

Network Traffic Audit
  Description: Track activity associated with network traffic audit events such as TCP, IP and UDP alerts. Specifically, this report tracks regular network traffic activity, such as encrypted traffic, web traffic, and other forms of UDP, TCP and ICMP traffic. It gives you both an overview and some details of exactly what is flowing through your network. This report can be quite large.

Network Traffic Audit - Application Traffic
  Description: ApplicationTrafficAudit alerts reflect network traffic that is mostly or all application-layer data. Alerts that are children of ApplicationTrafficAudit are also related to application-layer resources. Alerts placed in the parent ApplicationTrafficAudit alert itself are known to be application-related, but are not able to be further categorized based on the message provided by the tool or because they are uncommon and rarely, if ever, imply network attack potential.

Network Traffic Audit - Application Traffic by Destination Machine

Network Traffic Audit - Application Traffic by Provider SID

Network Traffic Audit - Application Traffic by Source Machine

Network Traffic Audit - Application Traffic by Tool Alias
  Description: [...] grouped by the SolarWinds sensor tool alias that reported each alert.
Network Traffic Audit - Configuration Traffic
  Description: Configuration Traffic Audit alerts reflect application-layer data related to configuration of network resources. Included in ConfigurationTrafficAudit are protocols such as DHCP, BootP, and SNMP. ConfigurationTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be symptoms of misconfiguration, inappropriate usage, attempts to enumerate or access network devices or services, attempts to access devices that are configured via these services, or other abnormal traffic.

Network Traffic Audit - Core Traffic
  Description: CoreTrafficAudit alerts reflect network traffic sent over core protocols. Alerts that are children of CoreTrafficAudit are all related to the TCP, IP, UDP, and ICMP protocols. Alerts of this type and its children do not have any application-layer data. Alerts placed in the parent CoreTrafficAudit alert itself are known to be a core protocol, but are not able to be further categorized based on the message provided by the tool.

Network Traffic Audit - Core Traffic by Destination Machine
  Description: This report lists all Core Traffic alerts (such as TCPTrafficAudit), grouped by destination machine/IP.

Network Traffic Audit - Core Traffic by Provider SID
  Description: This report lists all Core Traffic alerts (such as TCPTrafficAudit), grouped by provider SID.

Network Traffic Audit - Core Traffic by Source
  Description: This report lists all Core Traffic alerts (such as TCPTrafficAudit), grouped by source machine/IP.

Network Traffic Audit - Core Traffic by Tool Alias
  Description: This report lists all Core Traffic alerts (such as TCPTrafficAudit), grouped by the SolarWinds tool sensor alias that reported the alert.

Network Traffic Audit - Encrypted Traffic
  Description: Encrypted Traffic Audit alerts reflect application-layer traffic that has been encrypted and is intended for a secure host. Included in Encrypted Traffic Audit are client and server side application events, such as key exchanges, that normally occur after the low-level session creation and handshaking have completed.
Network Traffic Audit - Link Control Traffic
  Description: Link Control Traffic Audit alerts are generated for network events related to link level configuration. Link Control Traffic Audit alerts generally indicate normal traffic; however, alerts of this type could also be symptoms of misconfiguration at the link level, inappropriate usage, or other abnormal traffic.

Network Traffic Audit - Network Traffic
  Description: Members of the Network Audit tree are used to define events centered on usage of network resources/bandwidth.

Network Traffic Audit - Point to Point Traffic
  Description: Point To Point Traffic Audit alerts reflect application-layer data related to point-to-point connections between hosts. Included in Point To Point Traffic Audit are encrypted and unencrypted point-to-point traffic.

Network Traffic Audit - Remote Procedure Traffic
  Description: Remote Procedure Traffic Audit alerts reflect application-layer data related to remote procedure services. Included in Remote Procedure Traffic Audit are the traditional RPC services used to service remote logons and file shares, and other services which require remote procedure access to complete authentication, pass data, or otherwise communicate. RemoteProcedureTrafficAudit alerts generally indicate normal traffic for networks that have remote procedure services on their network; however, alerts of this type could also be symptoms of inappropriate access, misconfiguration of the remote procedure services, errors in the remote procedure calls, or other abnormal traffic.

Network Traffic Audit - Routing Traffic
  Description: Routing Traffic Audit alerts are generated for network events related to configuration of network routes, using protocols such as IGMP, IGRP, and RIP. RoutingTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be symptoms of misconfigured routing, unintended route configuration, or other abnormal traffic.

Network Traffic Audit - Time Traffic
  Description: Time Traffic Audit alerts reflect application-layer data related to network time configuration. Included in TimeTrafficAudit are protocols such as NTP and activities such as detection of client-side network time updates.

Network Traffic Audit - Top Application Traffic by Source
  Description: This report lists the Top Application Traffic alerts (such as WebTrafficAudit), grouped by source machine/IP.
  File name: RPT2003-06-012.rpt; Schedule: As needed
Network Traffic Audit - Top Core Traffic by Source
  Description: This report lists the Top Core Traffic alerts (such as TCPTrafficAudit), grouped by source machine/IP.

Network Traffic Audit - Web Traffic
  Description: WebTrafficAudit alerts reflect application-layer data related to web services. Included in WebTrafficAudit are client and server web events from web servers, web applications, content filter related events, and other web services. WebTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be symptoms of inappropriate web usage, potential abuse of web services, or other abnormal traffic.
  File name: RPT2003-06-01.rpt; Schedule: As needed

Network Traffic Audit - Web Traffic by Destination Machine
  Description: This report lists all WebTrafficAudit alerts grouped by destination machine/IP.
  File name: RPT2003-06-012.rpt; Schedule: As needed

Network Traffic Audit - Web Traffic by Provider SID
  Description: This report lists Web Traffic Audit alerts grouped by provider SID.
  File name: RPT2003-06-013.rpt; Schedule: As needed

Network Traffic Audit - Web Traffic by Source Machine
  Description: This report lists all WebTrafficAudit alerts grouped by source machine/IP.
  File name: RPT2003-06-011.rpt; Schedule: As needed

Network Traffic Audit - Web Traffic by Tool Alias
  Description: This report lists Web Traffic Audit alerts grouped by tool alias.
  File name: RPT2003-06-010.rpt; Schedule: As needed

Network Traffic Audit - Web URL Requests by Source Machine
  Description: This report lists the most frequently visited URLs grouped by the requesting client source machine.
  File name: RPT2003-06-015.rpt; Schedule: As needed
Network Traffic Audit - Web URL Requests by Source Machine Graphs
  Description: This report shows graphs of the most frequently visited URLs for each client source machine.

Resource Configuration
  Description: The Resource Configuration report details events that relate to configuration of user accounts, machine accounts, groups, policies and their relationships. Items such as domain or group modification, policy changes, and creation of new network resources.
  File name: RPT2003-08.rpt; Schedule: Weekly

Resource Configuration - Authorization Audit
  Description: Alerts that are part of the Auth Audit tree are related to authentication and authorization of accounts and account 'containers' such as groups or domains. These alerts can be produced from any network node including firewalls, routers, servers, and clients.
  File name: RPT2003-08-01.rpt; Schedule: As needed

Resource Configuration - Domain Authorization Audit
  Description: Domain Auth Audit events are authentication, authorization, and modification events related only to domains, subdomains, and account containers. These alerts are normally operating system related, however could be produced by any network device.
  File name: RPT2003-08-02.rpt; Schedule: As needed

Resource Configuration - Group Audit
  Description: Group Audit events are authentication, authorization, and modification events related only to account groups. These alerts are normally operating system related, however could be produced by any network device.
  File name: RPT2003-08-03.rpt; Schedule: As needed

Resource Configuration - Machine Authorization Audit
  Description: Machine Auth Audit events are authentication, authorization, and modification events related only to computer or machine accounts. These alerts can be produced from any network node including firewalls, routers, servers, and clients, but are normally operating system related.
  File name: RPT2003-08-04.rpt; Schedule: As needed

Resource Configuration - Policy Audit
  Description: Policy Audit events are used to track access, modification, scope change, and creation of authentication, domain, account, and account container policies. Many of these alerts reflect normal system traffic. Most PolicyAudit alerts are provided by the Operating System.
  File name: RPT2003-08-05.rpt; Schedule: As needed

Resource Configuration - User Authorization Audit
  Description: User Auth Audit events are authentication, authorization, and modification events related only to user accounts. These alerts can be produced from any network node including firewalls, routers, servers, and clients.
  File name: RPT2003-08-06.rpt; Schedule: As needed
Authentication Report - Failed Authentication
  Description: Failed Authentication events occur when a user has made several attempts to authenticate themselves which has continuously failed, or when a logon failure is serious enough to merit a security event on a single failure.

Authentication Report - Guest Login
  Description: This report shows logins to various Guest accounts.

Authentication Report - Restricted Information Attempt
  Description: Restricted Information Attempt events describe a user attempt to access local or remote information that their level of authorization does not allow. These events may indicate user attempts to exploit services which they are denied access to or inappropriate access attempts to information.

Authentication Report - Restricted Service Attempt
  Description: Restricted Service Attempt events describe a user attempt to access a local or remote service that their level of authorization does not allow. These events may indicate user attempts to exploit services which they are denied access to or inappropriate access attempts to services.

Console
  Description: The Console report shows every alert that passes through the system in the given time interval. It mimics the basic management console view. It does not contain the same level of field detail, but it is useful to get a quick snapshot of activity for a period, a lunch hour, for example. This report can be very large, so you will only want to run it for small time intervals, such as hours.

Console Overview
  Description: An overview of all alerts during the specified time range. Shows graphs of the most common generic alert field data from the console report.

Event Summary - Attack Behavior Statistics
  Description: Event Summary Sub Report - Attack Behavior Statistics

Event Summary - Authorization Audit Statistics
  Description: Event Summary Sub Report - Authorization Audit Statistics

Event Summary Graphs
  Description: The event summary report gathers statistical data from all major event categories, summarizes it with a one-hour resolution, and presents a quick, graphical overview of activity on your network.
  File name: RPT2003-01.rpt; Schedule: Daily

Event Summary - Machine Audit Statistics
  Description: Event Summary Sub Report - Machine Audit Statistics
  File name: RPT2003-01-05.rpt; Schedule: As needed

Event Summary - Policy Audit Statistics
  Description: Event Summary Sub Report - Policy Audit Statistics
  File name: RPT2003-01-06.rpt; Schedule: As needed

Event Summary - Resource Audit Statistics
  Description: Event Summary Sub Report - Resource Audit Statistics
  File name: RPT2003-01-07.rpt; Schedule: As needed

Event Summary - Suspicious Behavior Statistics
  Description: Event Summary Sub Report - Suspicious Behavior Statistics
  File name: RPT2003-01-08.rpt; Schedule: As needed

Event Summary - Top Level Statistics
  Description: Event Summary Sub Report - Top Level Statistics
  File name: RPT2003-01-01.rpt; Schedule: As needed

Machine Audit
  Description: Track activity associated with machine process and service audit events. This report shows machine-level events such as software installs, patches, system shutdowns, and reboots. It can be used to assist in software license compliance auditing by providing records of installs.
  File name: RPT2003-09.rpt; Schedule: Weekly

Machine Audit - File System Audit
  Description: This report tracks activity associated with file system audit alerts including mount file system and unmount file system alerts. These events are generally normal system activity, especially during system boot.
  File name: RPT2003-09-010.rpt; Schedule: As needed
Machine Audit - File System Audit - Mount File System
  Description: Mount File System alerts are a specific type of File System Audit that reflect the action of creating an active translation between hardware and a usable file system. These events are generally normal during system boot.

Machine Audit - File System Audit - Unmount File System
  Description: Unmount File System alerts are a specific type of File System Audit that reflect the action of removing a translation between hardware and a usable file system. These events are generally normal during system shutdown.

Machine Audit - Process Audit
  Description: This report tracks activity related to processes, including processes that have started, stopped, or reported useful process-related information.

Machine Audit - Process Audit - Process Audit
  Description: This report lists Process Audit alerts that are generated to track launch, exit, status, and other events related to system processes. Usually, these events reflect normal system activity. Process-related activity that may indicate a failure will be noted separately from normal activity in the alert detail.

Machine Audit - Process Audit - Process Info
  Description: Process Info is a specific type of Process Audit alert that reflects information related to a process. Most of these events can safely be ignored, as they are generally normal activity that does not reflect a failure or abnormal state.

Machine Audit - Process Audit - Process Start
  Description: Process Start is a specific type of Process Audit alert that indicates a new process has been launched. Usually, Process Start reflects normal system activity.

Machine Audit - Process Audit - Process Stop
  Description: Process Stop is a specific type of Process Audit alert that indicates a process has exited. Usually, Process Stop reflects normal application exit; however, in the event of an unexpected error the abnormal state will be noted.

Machine Audit - Process Audit - Process Warning
  Description: Process Warning is a specific type of Process Audit alert that indicates a process has returned a 'Warning' message that is not a fatal error and may not have triggered an exit of the process.
  File name: RPT2003-09-035.rpt; Schedule: As needed

Machine Audit - Service Audit
  Description: This report tracks activity related to services, including services that have started, stopped, or reported useful service-related information or warnings.
  File name: RPT2003-09-040.rpt; Schedule: As needed
Machine Audit - Service Audit - Service Info
  Description: This report tracks ServiceInfo events, which reflect information related to a particular service. Most of these events can safely be ignored, as they are generally normal activity that does not reflect a failure or abnormal state.
  File name: RPT2003-09-042.rpt; Schedule: As needed

Machine Audit - Service Audit - Service Start
  Description: This report tracks ServiceStart events, which indicate that a new system service is starting.
  File name: RPT2003-09-043.rpt; Schedule: As needed

Machine Audit - Service Audit - Service Stop
  Description: This report tracks ServiceStop events, which indicate that a system service is stopping. This activity is generally normal; however, in the event of an unexpected stop the abnormal state will be noted.
  File name: RPT2003-09-044.rpt; Schedule: As needed

Machine Audit - Service Audit - Service Warning
  Description: This report lists ServiceWarning alerts. These alerts indicate a service has returned a 'Warning' message that is not a fatal error and may not have triggered an exit of the service.

Machine Audit - System Audit
  Description: This report tracks activity associated with system status and modifications, including software changes, system reboots, and system shutdowns.

Machine Audit - System Audit - Machine Audit
  Description: Machine Audit alerts are used to track hardware or software status and modifications. These events are generally acceptable, but do indicate modifications to the client system that may be noteworthy.

Machine Audit - System Audit - Software Install
  Description: SoftwareInstall alerts reflect modifications to the system at a software level, generally at the operating system level (or equivalent, in the case of a network infrastructure device). These alerts are generated when a user updates a system or launches system-native methods to install third party applications.

Machine Audit - System Audit - Software Update
  Description: SoftwareUpdate is a specific type of SoftwareInstall that reflects a more current version of software being installed to replace an older version.

Machine Audit - System Audit - System Reboot
  Description: System Reboot alerts occur on monitored network devices (servers, routers, etc.) and indicate that a system has restarted.

Machine Audit - System Audit - System Shutdown
  Description: System Shutdown alerts occur on monitored network devices (servers, routers, etc.) and indicate that a system has been shut down.
Title: Machine Audit - System Audit - System Status
Description: SystemStatus alerts reflect general system state events. These events are generally normal and informational; however, they could potentially reflect a failure or issue which should be addressed.

Title: Machine Audit - USBDefender
Description: This report tracks activity associated with USB-Defender, including insertion and removal events related to USB Mass Storage devices.

Title: Malicious Code
Description: This report tracks event activity associated with malicious code such as viruses, Trojans, and worms, both on the network and on local machines, as detected by anti-virus software.

Title: Malicious Code - Service Process Attack
Description: Members of the Service Process Attack tree are used to define events centered on malicious or abusive usage of services or user processes. These events include abuse or misuse of resources from malicious code placed on the client system.
File name: RPT2003-04-01.rpt
Schedule: As needed

Title: Malicious Code - Trojan Command Access
Description: Trojan Command Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as Trojan Horses. This alert detects the communication related to Trojans sending commands over the network (infecting other clients, participating in a denial of service activity, being controlled remotely by the originator, etc.). Trojans are generally executables that require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or exploit other clients (used in attacks such as distributed denial of service attacks).

Title: Malicious Code - Trojan Infection Access
Description: Trojan Infection Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as a Trojan Horse. This alert detects the infection traffic related to a Trojan entering the network (generally with intent to infect a client). Trojans are generally executables that require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or exploit other clients (used in attacks such as distributed denial of service attacks).
Title: Malicious Code - Trojan Traffic Access
Description: Trojan Traffic Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as a Trojan Horse. This alert detects the communication related to Trojans over the network (generally, 'trojaned' clients calling home to the originator). Trojans are generally executables that require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or exploit other clients (used in attacks such as distributed denial of service attacks).

Title: Malicious Code Report - Trojan Traffic Denial
Description: Trojan Traffic Denial events are a specific type of Denial event where the transport of the malicious or abusive usage originates with malicious code on a client system known as a Trojan. The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Trojan Traffic Denial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, attempts to spread the Trojan to other hosts, or other denial of service activities.
File name: RPT2003-04-03.rpt
Schedule: As needed

Title: Malicious Code Report - Virus Attack
Description: Virus Attack alerts reflect malicious code placed on a client or server system, which may lead to system or other resource compromise and may lead to further attack. The severity of this alert will depend on the ActionTaken field, which reflects whether the virus or other malicious code was successfully removed.
File name: RPT2003-04-06.rpt
Schedule: As needed

Title: Malicious Code Report - Virus Summary Attack
Description: Virus Summary Attack alerts reflect malicious code placed on a client or server system, which may lead to system or other resource compromise and may lead to further attack. The severity of this alert will depend on the Action Taken field, which reflects whether the virus or other malicious code was successfully removed. These alerts differ from Virus Attack in that they may be a composite of virus events, normally due to a scheduled scan on the client system as opposed to a real-time scan.
File name: RPT2003-04-07.rpt
Schedule: As needed

Title: Malicious Code Report - Virus Traffic Access
Description: Virus Traffic Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as viruses. This alert detects the communication related to viruses over the network (generally, the spread of a virus infection or an incoming virus infection). Viruses are generally executables that require user intervention to spread, contain malicious code that is placed on the client system, and are used to exploit the client and possibly spread to other clients.
File name: RPT2003-04-08.rpt
Schedule: As needed
Title: Network Events: Attack Behavior
Description: This report tracks activity associated with top-level NetworkAttack alerts. This report shows malicious asset access via the network. For example, attacks on FTP or Windows Network servers, malicious network database access, abuses of services, or attempted unauthorized entry.
File name: RPT2003-11.rpt
Schedule: Weekly

Title: Network Events: Attack Behavior - Access
Description: Children of the Access tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is inappropriate or abusive access to network resources.
File name: RPT2003-11-01.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Application Access
Description: Application Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is mostly or all application-layer. Generally, ApplicationAccess alerts will reflect attempted exploitation of weaknesses in server or client software, or information that is restricted/prohibited by device access control or policy.
File name: RPT2003-11-02.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Configuration Access
Description: Configuration Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via configuration traffic (using protocols such as DHCP, BootP, and SNMP). Generally, these alerts will reflect attempted exploitation of weaknesses in the configuration server or client software or attempts to gain system-level access to configuration servers themselves. In the case of SNMP and similar configuration protocols, it could reflect an attempt to enumerate a device or devices on the same network for further attack.
File name: RPT2003-11-03.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Core Access
Description: Core Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is mostly or all core protocols (TCP, UDP, IP, ICMP). Generally, CoreAccess alerts will reflect attempted exploitation of weaknesses in network protocols or devices with intent to gain access to servers, clients, or network infrastructure devices.
File name: RPT2003-11-04.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Database Access
Description: Database Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer database traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in database server or client software.
File name: RPT2003-11-05.rpt
Schedule: As needed
Title: Network Events: Attack Behavior - File System Access
Description: File System Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via remote filesystem traffic (using protocols such as SMB and NFS). Generally, these alerts will reflect attempted exploitation of weaknesses in the remote filesystem server or client software or attempts to gain system-level access to remote filesystem servers themselves.

Title: Network Events: Attack Behavior - File Transfer Access
Description: File Transfer Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer file transfer traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in file transfer server or client software.
File name: RPT2003-11-07.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Link Control Access
Description: Link Control Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is low-level link control (using protocols such as ARP). Generally, Link Control Access alerts will reflect attempted exploitation of weaknesses in switching devices by usage of malformed incoming or outgoing data, with intent to enumerate or gain access to or through switching devices, clients that are also on the switching device, and entire networks attached to the switching device. In some cases, a managed switch with restrictions on port analyzing activity may be forced into an unmanaged switch with no restrictions, allowing a malicious client to sniff traffic and enumerate or attack.
File name: RPT2003-11-08.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Mail Access
Description: Mail Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer mail transfer, retrieval, or service traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in mail-related server or client software.
File name: RPT2003-11-09.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Naming Access
Description: Naming Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer naming service traffic (using protocols such as DNS and WINS). Generally, these alerts will reflect attempted exploitation of weaknesses in the naming server or client software.
File name: RPT2003-11-10.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - News Access
Description: News Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer news traffic (over protocols such as NNTP). Generally, these alerts will reflect attempted exploitation of weaknesses in the news server or client software.
File name: RPT2003-11-11.rpt
Schedule: As needed
Title: Network Events: Attack Behavior - Point to Point Access
Description: Point To Point Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via point to point traffic (using protocols such as PPTP). Generally, these alerts will reflect attempted exploitation of weaknesses in point to point server or client software, attempts to enumerate networks, or attempts to further attack devices on trusted networks.

Title: Network Events: Attack Behavior - Printer Access
Description: Printer Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote printer traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in the remote printer server or client software.
File name: RPT2003-11-13.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Remote Console Access
Description: Remote Console Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote console service traffic (services such as telnet, SSH, and terminal services). Generally, these alerts will reflect attempted exploitation of weaknesses in the remote console server or client software.
File name: RPT2003-11-14.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Remote Procedure Access
Description: Remote Procedure Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via remote procedure call traffic (using protocols such as the traditional RPC services, RMI, and CORBA). Generally, these alerts will reflect attempted exploitation of weaknesses in the remote procedure server or client software or attempts to gain system-level access to remote procedure servers themselves.
File name: RPT2003-11-15.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Routing Access
Description: Routing Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is routing-related protocols (RIP, IGMP, etc.). Generally, Routing Access alerts will reflect attempted exploitation of weaknesses in routing protocols or devices with intent to enumerate or gain access to or through routers, servers, clients, or other network infrastructure devices. These routing protocols are used to automate the routing process between multiple devices that share or span networks.
File name: RPT2003-11-16.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Time Access
Description: Time Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote time service traffic (using protocols such as NTP). Generally, these alerts will reflect attempted exploitation of weaknesses in the remote time server or client software.
File name: RPT2003-11-17.rpt
Schedule: As needed
Title: Network Events: Attack Behavior - Virus Traffic Access
Description: Virus Traffic Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as viruses. Generally, these alerts will reflect attempted exploitation of weaknesses in the web server or client software.

Title: Network Events: Attack Behavior - Web Access
Description: Web Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in the web server or client software.

Title: Network Events: Attack Behavior - Denial / Relay
Description: Track activity associated with network denial or relay attack behaviors. This report shows malicious asset relay attempts and denials of service via the network. For example, FTP bouncing, Distributed Denial of Service events, and many protocol abuses.

Title: Network Events: Attack Behavior - Denial / Relay - Application Denial
Description: Application Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer protocols. The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Application Denial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.
File name: RPT2003-12-01.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Denial / Relay - Configuration Denial
Description: Configuration Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is protocols related to configuration of resources (DHCP, BootP, SNMP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. ConfigurationDenial events may be attempts to exploit weaknesses in configuration-related software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.

Title: Network Events: Attack Behavior - Denial / Relay - Core Denial
Description: Core Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is core protocols (TCP, IP, ICMP, UDP). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Core Denial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.
Title: Network Events: Attack Behavior - Denial / Relay - Denial
Description: Children of the Denial tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is inappropriate or abusive access to network resources through a denial of service attack.

Title: Network Events: Attack Behavior - Denial / Relay - File System Denial
Description: File System Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is protocols (NFS, SMB, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. File System Denial events may be attempts to exploit weaknesses in remote filesystem services or software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.
File name: RPT2003-12-05.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Denial / Relay - File Transfer Denial
Description: File Transfer Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer file transfer-related protocols (FTP, TFTP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. File Transfer Denial events may be attempts to exploit weaknesses in file transfer-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.
File name: RPT2003-12-06.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Denial / Relay - Link Control Denial
Description: Link Control Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is link level protocols (such as ARP). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. LinkControlDenial events may be attempts to exploit weaknesses in link-level control software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.
File name: RPT2003-12-07.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Denial / Relay - Mail Denial
Description: MailDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is protocols (IMAP, POP3, etc.) or services (majordomo, spam filters, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. MailDenial events may be attempts to exploit weaknesses in mail-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.
File name: RPT2003-12-08.rpt
Schedule: As needed
Title: Network Events: Attack Behavior - Denial / Relay - Relay
Description: Children of the Relay tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is relaying inappropriate or abusive access to other network resources (either internal or external). Generally, these attacks will have the perimeter or an internal host as their point of origin. When sourced from remote hosts, they may indicate a successful exploit of an internal or perimeter host.

Title: Network Events: Attack Behavior - Denial / Relay - Remote Procedure Denial
Description: Remote Procedure Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is protocols (traditional RPC, RMI, CORBA, etc.) or service (portmapper, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. RemoteProcedureDenial events may be attempts to exploit weaknesses in remote procedure services or software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.
File name: RPT2003-12-10.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Denial / Relay - Routing Denial
Description: Routing Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is routing-related protocols (RIP, IGMP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Routing Denial events may be attempts to exploit weaknesses in routers or routing software to gain access to a host system, attempts to exploit weaknesses in the routing software or service to enumerate or reconfigure, or other denial of service activities.
File name: RPT2003-12-11.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Denial / Relay - Web Denial
Description: Web Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is protocols (HTTPS, etc.) or services (CGI, ASP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Web Denial events may be attempts to exploit weaknesses in web-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.
File name: RPT2003-12-12.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior
Description: Track activity associated with suspicious network behaviors such as reconnaissance or unusual traffic. Specifically, this report shows potentially dangerous activity, such as excessive authentication failures, port scans, stack fingerprinting, and network enumerations.
File name: RPT2003-07.rpt
Schedule: Weekly
Title: Network Events: Suspicious Behavior - Application Enumerate
Description: Application Enumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending active application-layer data which will elicit responses that reveal information about the application or host. This enumeration may be a simple command sent to the application to attempt to fingerprint what is allowed or denied by the service, requests to the application which may enable an attacker to surmise the version and specific application running, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the host or application that may work correctly the first time, enabling them to modify their methodology to go on relatively undetected.

Title: Network Events: Suspicious Behavior - Banner Grabbing Enumerate
Description: Banner Grabbing Enumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending a request which will elicit a response containing the host or service's 'banner'. This 'banner' contains information that may provide a potential attacker with such details as the exact application and version running behind a port. These details could be used to craft specific attacks against hosts or services that an attacker may know will work correctly the first time, enabling them to modify their methodology to go on relatively undetected.
File name: RPT2003-07-02.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior - Core Scan
Description: Core Scan alerts reflect attempts to gather information about target networks, or specific target hosts, by sending scans over core network protocols (TCP, IP, ICMP, UDP) which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, information such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts.
File name: RPT2003-07-03.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior - Enumerate
Description: Enumerate alerts reflect attempts to gather information about target networks, or specific target hosts, by sending active data which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the enumeration is generally attempting to acquire information that may reveal more than normal traffic to the target would.
File name: RPT2003-07-04.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior - Footprint
Description: Footprint alerts reflect attempts to gather information about target networks by tracing the network through routers, clients, servers, or other network infrastructure devices. The originating source of the footprint is generally attempting to acquire information that may reveal more about network behavior than normal traffic to the target would.
File name: RPT2003-07-05.rpt
Schedule: As needed
Title: Network Events: Suspicious Behavior - General Security
Description: General Security alerts are generated when a supported product outputs data that has not yet been normalized into a specific alert, but is known to be security issue-related.

Title: Network Events: Suspicious Behavior - Host Scan
Description: Host Scan alerts reflect attempts to gather information about specific target hosts by sending scans which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications on the host, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks and generally have the intent of discovering operating system and application information which may be used for further attack preparation.
File name: RPT2003-07-06.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior - ICMP Query
Description: ICMP Query alerts reflect attempts to gather information about specific target hosts, or networks, by sending ICMP-based queries that will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as operating system information and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks, contain many sequential ICMP packets, and generally have the intent of discovering operating system and application information which may be used for further attack preparation.
File name: RPT2003-07-07.rpt
Schedule: As needed
Title: Network Events: Suspicious Behavior - MS Networking Enumerate
Description: MS Networking Enumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending active data to Microsoft networking services (using protocols such as NetBIOS and SMB/CIFS) that will elicit responses that reveal information about the application, host, or target network. This enumeration may be a simple command sent to the networking service to attempt to fingerprint what is allowed or denied by a service, requests to a service that may enable an attacker to surmise the version and specific service running, requests to a service that may enable an attacker to fingerprint the target network, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the networking service, host, or application that may work correctly the first time, enabling them to modify their methodology to go on relatively undetected.

Title: Network Events: Suspicious Behavior - Network Suspicious
Description: Members of the NetworkSuspicious tree are used to define events regarding suspicious usage of network bandwidth/traffic. These events include unusual traffic and reconnaissance behavior detected on network resources.
File name: RPT2003-07-09.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior - Port Scan
Description: Port Scan alerts reflect attempts to gather information about target networks, or specific target hosts, by sending scans over core network protocols (TCP, IP, ICMP, UDP) that will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. Port Scans specifically operate by sending probes to every port within a range, attempting to identify open ports that may use applications or services that are easy to enumerate and attack.
File name: RPT2003-07-10.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior - Recon
Description: Children of the Recon tree reflect suspicious network behavior with intent of gathering information about target clients, networks, or hosts. Reconnaissance behavior may be valid behavior on a network; however, only as a controlled behavior in small quantities. Invalid reconnaissance behavior may reflect attempts to determine security flaws on remote hosts, missing access control policies that allow external hosts to penetrate networks, or other suspicious behavior that results in general information gathering without actively attacking.
File name: RPT2003-07-11.rpt
Schedule: As needed
Title: Network Events: Suspicious Behavior - Remote Procedure Enumerate
Description: Remote Procedure Enumerate alerts reflect attempts to gather information about target hosts, or services on target hosts, by sending active data to Remote Procedure services (using protocols such as RMI, CORBA, and traditional RPC) that will elicit responses that reveal information about the application or host. This enumeration may be a simple command sent to the remote procedure service to attempt to fingerprint what is allowed or denied by the service, requests to the remote procedure service that may enable an attacker to surmise the version and specific service running, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the remote procedure service or application that may work correctly the first time, enabling them to modify their methodology to go on relatively undetected.

Title: Network Events: Suspicious Behavior - Scan
Description: Scan alerts reflect attempts to gather information about target networks, or specific target hosts, by sending scans which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, information such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts.
File name: RPT2003-07-13.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior - Stack Fingerprint
Description: Stack Fingerprint alerts reflect attempts to gather information about specific target hosts by sending a certain set of packets to probe a device's network stack, which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as operating system information (including type and version) and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks and generally have the intent of discovering operating system information which may be used for further attack preparation.
File name: RPT2003-07-14.rpt
Schedule: As needed

Title: Network Events: Suspicious Behavior - Trojan Scanner
Description: Trojan Scanner alerts reflect attempts of Trojans on the network to gather information about target networks, or specific target hosts, by sending scans which will elicit responses that reveal information about the host. The originating Trojan source of the scan is generally attempting to acquire information that will reveal whether a target host or network has open and available services for further exploitation, whether the target host or network is alive, and how much of the target network is visible. A Trojan may run a scan before attempting an attack operation to test potential effectiveness or targeting information.
File name: RPT2003-07-15.rpt
Schedule: As needed
473
Title: Network Events: Suspicious Behavior: Unusual Traffic
Description: Unusual Traffic alerts reflect suspicious behavior on network devices where the traffic may have no known exploit but is unusual and could be an enumeration, probe, fingerprint, attempt to confuse devices, or other abnormal traffic. Unusual Traffic may warrant no immediate response, but it can indicate a suspicious host that should be monitored closely.

Title: Priority Alert (reference)
Description: This report is no longer in use. The Priority Alert report tracks those events that the user has identified as priority events. These alerts appear in the Priority filter of the Console.

Title: Priority Alert By User (reference)
Description: This report is no longer in use. It mirrors the standard Priority Alert report but groups the events received by Console user account. The same alert may be seen by many users, so this report tends to be much larger than the standard Priority Alert report.

Title: Rule Subscriptions by User
Description: The Rule Subscriptions report tracks those events that the user has subscribed to monitor.

Title: SolarWinds Actions
Description: The SolarWinds Action Report lists all commands or actions initiated by SolarWinds Network Security.

Report files and schedules listed for these reports: RPT2003-18.rpt (As needed), RPT2006-28-01.rpt (Daily), RPT2003-17.rpt (As needed), RPT2003-16.rpt (As needed).
Title: Agent Connection Summary
Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. It shows high-level summary information about when agents go online and offline.

Title: Audit - Internal Audit Report
Description: Internal Audit Report.

Title: Audit - Internal Audit Report by User
Description: Internal Audit Report grouped by user.

Title: Agent Maintenance Report
Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. It displays internal alert data for possibly misconfigured agents.

Title: Database Maintenance Report
Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request.

Title: List of Rules for Rule Subscriptions
Description: This report lists the rules available for Rule Subscriptions.

Title: List of Subscription Rules by User
Description: This report lists the rules that users have subscribed to.

Title: List of Users
Description: This report lists each user entered. Currently, users are only used for Rule Subscriptions.

Title: Tool Maintenance by Alias
Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. It lists New Tool Data alerts by Tool Alias.

Title: Tool Maintenance by Insertion Point
Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. It lists New Tool Data alerts by Agent InsertionIP.

Title: Tool Maintenance by Provider
Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. It lists New Tool Data alerts by ProviderSID.

Report files and schedules listed for these reports: RPT2003-13.rpt (As needed), RPT2003-15.rpt (As needed), RPT2006-29-01.rpt (As needed), RPT2003-14.rpt (As needed), RPT2006-29-03.rpt (As needed), RPT2006-29-02.rpt (As needed), RPT2006-26.rpt (As requested), RPT2007-32.rpt (As requested), RPT2006-31-02.rpt (As requested), RPT2006-31-01.rpt (As requested).

Title: Tool Maintenance Detail Report
Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. It displays a summary of all SolarWinds error messages received from the various tools.

Title: Tool Maintenance Report
Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. It displays a summary of the unique SolarWinds error messages received from the various tools.

Report file and schedule listed for these reports: RPT2003-13.rpt (As requested).
Tool categories

The following table describes the categories of network security products that can be connected to LEM. The Description column describes how the tools (sensors and actors) typically work with each type of product or device. The Use with columns indicate whether each product type requires Manager tools, Agent tools, or both.

Anti-Virus: This category lets you configure sensors for use with common anti-virus products. These products protect against, isolate, and remove viruses, worms, and Trojan programs on computer systems. To configure an anti-virus tool, the anti-virus software must already be installed on the Agent computer. Some anti-virus tools can also run on the Manager by logging remotely from an anti-virus server. Because of software conflicts, run only one brand of anti-virus software per computer.

Application Switch: This category lets you configure sensors for use with application switches. Application-layer switches transmit and monitor data at the application layer.

Database: This category lets you configure sensors for use with database auditing products. These products monitor databases for potential intrusions, changes, and database system events.

File Transfer and Sharing: This category lets you configure sensors for use with file transfer and file sharing products. These products share files over the local network and/or the Internet. Monitoring them provides information about which files are being transferred, by whom, and about system events.

Firewalls: This category lets you configure sensors and actors for use with applications and devices that protect and isolate networks from other networks and the Internet. Firewall sensors connect to, read, and retrieve firewall logs. Most firewalls also have an active response tool; these tools configure actors that interface with routers and firewalls to perform block commands. Actors can perform active responses either via telnet or via a serial/console cable. To configure a firewall tool, the firewall product must already be installed on the Agent computer, or it must log remotely to an Agent or a Manager. Normally, you configure these tools on the Manager. You must also configure each firewall's data gathering and active response capabilities separately: configuring a firewall's data gathering does not configure its active response settings.

Identity and Access Management: This category lets you configure sensors for use with identity access, identity management, and other single sign-on tools. These products provide authentication and single sign-on capabilities, account management, and other user access features. Monitoring them provides information about authentication and about the management of accounts.

IDS and IPS: This category lets you configure sensors and actors for use with network-based and host-based intrusion detection systems. These products provide information about potential threats on the network or host, and can raise alarms about possible intrusions, misconfigurations, or network issues. Generally, network-based IDS and IPS tools are configured to log remotely, while host-based IDS and IPS systems log locally on an Agent system. Some network-based IPS systems can perform an active response via their actor tool, allowing you to block an IP address at the IPS device.

Manager: This category lets you configure sensors for use with the Manager and other appliances. These tools monitor for conditions on the Manager that may be informational or that indicate potential problems with the appliances.

Network Management: This category lets you configure sensors for use with network management tools. These tools monitor different types of network activity from users on the network, such as workstation-level process and application monitoring. Generally, these systems are configured to log remotely from a central monitoring server.

Network Services: This category lets you configure sensors for use with different network services. These tools monitor service-level activity for network services such as DNS and DHCP. Most network services are configured to log locally on an Agent's system; some are configured to log remotely.

Operating Systems: This category lets you configure sensors for use with utilities in the Microsoft Windows operating system that monitor system events. The category includes a Windows Active Response tool, which configures an actor that enables active response on Agents running Windows. This allows LEM to perform operating system-level responses such as rebooting computers, shutting down computers, disabling networking, and disabling accounts. Because these responses take systems and accounts out of service, test any rule that triggers them against a small set of hosts before enabling it broadly. To configure an operating system tool, the operating system software must already be installed on the Agent computer. If you perform the remote Agent installation, the Windows NT/2000/XP Event Application Logs and System Logs tools are configured by default.

Proxy Servers and Content Filters: This category lets you configure sensors for use with different content monitoring tools. These tools monitor user network activity such as web surfing, IM/chat, and file downloads, as well as events related to administering the monitoring systems themselves. Generally, these tools are configured to log remotely from the monitoring system.

Routers/Switches: This category lets you configure sensors, and in some cases actors, for use with different routers and switches. These tools monitor activity from routers and switches such as connected/disconnected devices, misconfigurations or system problems/events, detailed access-list information, and related messages. Some routers/switches can be configured with an actor tool to block an IP address at the device. Generally, these tools are configured to log remotely from the router/switch.

System Scan Reporters: This category lets you configure sensors for use with different asset scanning tools, such as vulnerability scanners. These tools provide information about potential vulnerabilities, exposures, and misconfigurations on devices across the network. Generally, these tools create alerts in the 'Asset' categories of the alert tree.

System Tools: This category lets you configure the Manager with an external notification system, so LEM can transmit alert messages to LEM users via email or pager. For details, see "Setting up a notification system" on page 488.

VPN and Remote Access: This category lets you configure sensors and actors for use with Virtual Private Network (VPN) server products that provide secure remote access to networks. Normally, you configure these tools on the Manager.

Web Server: This category lets you configure sensors for use with web server products. To configure a web server tool, the web server software must already be installed on the Agent or Manager computer.
Configuring sensors

The following table describes each field you'll find on the Tool Configuration form when configuring sensors for data gathering tools. The fields that appear depend on the tool you are configuring; not every field appears with every tool. For convenience, the table is sorted alphabetically by field name.

Alias: Type a name that easily identifies the application or appliance event log file being monitored. For active response tools, we recommend you end the alias with AR. For example, an alias for the Cisco PIX Active Response tool might be Cisco PIX AR. This lets you tell the active response tool apart from the data gathering tool.

Log File / Log Directory: When you create a new alias for a tool, LEM automatically places a default log file path in the Log File box. This path tells the tool where the operating system stores the product's event log file. For most tools, you can change the log file path as needed. However, some products write events to the Windows Application Log or the Windows System Log. In these cases, you are actually configuring the sensor that monitors events written to that log, so the Log File setting is disabled and the system populates the Log File field with the name of the Windows event log the sensor monitors. In most cases, you can use the default log file path shown for the tool; these paths are based on the vendor's default settings and the product documentation for each product. If a different log path is needed, type or paste the correct path in the Log File box, or use the Browse button to locate the correct folder or file. If you are uncertain which file path to use, refer to the original product documentation or contact SolarWinds Technical Support.
Note: If the product creates separate log files based on the current date or some other fixed interval, you can select either the log directory or any log file in that directory. If you select a log file, LEM reads through the directory's log files in order, from the file you selected to the most current file, and then reads new files as they are added.

nDepth Host: If you are using a separate nDepth appliance (other than LEM), type the IP address or host name of the nDepth appliance. Generally, the default setting is correct; change it only if advised to do so.

nDepth Port: If you are using a separate nDepth appliance (other than the SolarWinds LEM), type the port number to which the tool sends nDepth data. Generally, the default setting is correct; change it only if advised to do so.

New File Name Interval: Select the interval at which the tool posts and names each new log file. The interval tells the SolarWinds LEM when to begin reading the next log file. The default setting is Daily: yymmdd.

Output: Select the appropriate data output option:
Alert: This is the default option. It sends the tool's log file data as alerts to the SolarWinds LEM for processing by your correlation rules, associated active responses, SolarWinds Consoles, and databases.
nDepth: This option sends the tool's log file data to a separate nDepth appliance for archiving. The data does not go to the SolarWinds LEM, so any potential alert activity does not appear in the Alert Panel. You can still use the Console's nDepth explorer to search the data on that appliance.
Alert, nDepth: SolarWinds recommends this option if you want to use nDepth to search log messages in addition to alerts. It sends the tool's log file data to the SolarWinds LEM for alert processing and to SolarWinds nDepth for archiving, so the LEM reports potential alert activity in the Alert Panel and nDepth archives the tool's output for later reference. You can use the Console's nDepth explorer to search either type of data.

Server IP Address / [Product] IP Address / [Product] Server: Type the IP address of the router or firewall, in the format 192.123.123.123.

Sleep Time: Type or select the time (in seconds) the tool sensor waits between event monitoring sessions. The default (and minimum) value for all tools is one (1) second. If you experience adverse effects from too many rapid readings of log entries, increase the Sleep Time for the affected tools. Windows NT-based tools automatically notify Windows Event Log sensors of new events entering the log; should automatic notification stop for any reason, the Sleep Time dictates the interval the sensor uses to check for new events.

The form also shows two read-only values: the SolarWinds release version of this tool, for reference purposes, and the identification key that the SolarWinds LEM uses to uniquely identify the properties that apply to this particular tool, for SolarWinds reference purposes.

If the tool settings you need are not shown here, you are probably configuring an active response tool. See "Tool configuration tables," below. When you have finished configuring the tool settings, don't forget to start the tool.
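The Log File, New File Name Interval and Sleep Time settings above describe a sensor that starts at a selected dated log file, reads the directory's files in order through the newest one, and then keeps picking up new files as the product creates them. The following Python program is an added example written for this page, not SolarWinds code: it implements that reading strategy against a constructed directory of yymmdd.log files (the ".log" suffix and the sample event lines are assumptions for the example), holding back a partially written last line so a rotated or still-growing file is never read mid-record.

```python
"""Added example (not SolarWinds code): follow a directory of dated log files
the way the Log File / New File Name Interval settings describe."""
import os
import re
import tempfile
import time

# "Daily: yymmdd" naming; the ".log" suffix is an assumption for this example.
DAILY_PATTERN = re.compile(r"^\d{6}\.log$")


def ordered_log_files(directory, pattern=DAILY_PATTERN):
    """Log files in the directory, oldest first (zero-padded yymmdd sorts as text)."""
    return sorted(n for n in os.listdir(directory) if pattern.match(n))


class LogFollower:
    """Reads from a selected file to the newest one, then keeps reading new files."""

    def __init__(self, directory, start_file, pattern=DAILY_PATTERN):
        self.directory = directory
        self.pattern = pattern
        self.current = start_file   # file currently being read
        self.offset = 0             # bytes of that file already consumed

    def poll(self):
        """Return (filename, line) pairs added since the last poll."""
        new_lines = []
        for name in ordered_log_files(self.directory, self.pattern):
            if name < self.current:
                continue                          # already finished with this file
            if name != self.current:
                self.current, self.offset = name, 0   # move on to the next file
            with open(os.path.join(self.directory, name), "rb") as fh:
                fh.seek(self.offset)
                chunk = fh.read()
            end = chunk.rfind(b"\n") + 1          # hold back an incomplete trailing line
            self.offset += end
            for line in chunk[:end].decode("utf-8", "replace").splitlines():
                new_lines.append((name, line))
        return new_lines


def follow(directory, start_file, sleep_time=1.0):
    """Generator that polls forever, sleeping sleep_time seconds between reads."""
    follower = LogFollower(directory, start_file)
    while True:
        yield from follower.poll()
        time.sleep(sleep_time)


def demo():
    """Builds constructed sample logs and returns the lines seen by two polls."""
    with tempfile.TemporaryDirectory() as d:
        def write(name, text, mode="w"):
            with open(os.path.join(d, name), mode, encoding="utf-8") as fh:
                fh.write(text)

        write("120713.log", "old event\n")      # before the selected file: skipped
        write("120714.log", "ev1\nev2\n")       # the file selected in the Log File box
        write("120715.log", "ev3\n")
        follower = LogFollower(d, "120714.log")
        first = follower.poll()

        write("120715.log", "ev4\npartial", mode="a")   # growing file, unfinished line
        write("120716.log", "ev5\n")                    # new daily file appears
        second = follower.poll()
        return first, second


if __name__ == "__main__":
    for batch in demo():
        print(batch)
```

Each poll drains the remainder of the current file before switching to a newer one, so the order of events across the daily boundary is preserved; the "partial" bytes stay unread until the product finishes the line.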
Configuring actors

The following table describes each field you will find on the Tool Configuration form when configuring actors for active response tools. Because each tool is product-based, the fields that appear depend on the tool you are configuring; not every field appears with every tool. For convenience, the table is sorted alphabetically by field name.

Advanced: These settings are no longer applicable.

Alias: Type a name that easily identifies the product that LEM is to act on. For active response tools, we recommend you end the alias with AR. For example, an alias for the Cisco PIX Active Response tool might be Cisco PIX AR. This lets you tell the active response tool apart from the data gathering tool.

Auth Port: For CheckPoint OPSEC firewalls, select the port used to connect to the CheckPoint server via the LEA/OPSEC interface.

Base URL: Type the URL used to connect to the SonicWALL firewall and perform the login. Include http:// at the beginning of the URL. Note: SolarWinds does not support HTTPS, so the login travels in clear text; use this tool only with older SonicWALL firmware versions.

Block Timeout: For CheckPoint OPSEC firewalls, type the timeout in seconds after which blocks expire from the firewall. A value of zero (0) means never expire.

Client DN: For CheckPoint OPSEC firewalls, type the client DN string. The CN and O must be uppercase.

Configuration Mode: Select either telnet or SerialPort. Telnet sends the login and enable passwords in clear text, so keep the Manager-to-firewall path on a dedicated management network, or use the serial console.

Enable Password: Type the tool's password for entering Enable mode.

Enable Windows Active Response: For the Windows Active Response tool, select this check box to enable active response settings.

From Zone: Type the external zone used for configuring restrictions on firewall connections.

Interface: Type the interface on which the block takes effect; that is, the interface whose incoming traffic is filtered to drop traffic from the blocked IP address.

Password: Type the tool's login password. For some products, the password must be the same one used when the firewall was installed.

Port Name: Select a serial port for performing active response via console cable, if applicable. The port name represents the physical communication port on the computer and is only relevant if Configuration Mode is set to SerialPort: /dev/ttyS0 = serial port 1, and /dev/ttyS1 = serial port 2. If Configuration Mode is set to telnet, this field is disabled and the Port Name box reads: There are no ports available.

Type the firewall port used for connecting to and configuring the firewall.

Server DN: For CheckPoint OPSEC firewalls, type the server DN string. The cn and o must be lowercase.

Server Port: For CheckPoint OPSEC firewalls, select the port used to connect to the CheckPoint server via the SAM/OPSEC interface.

Server IP Address: Type the IP address of the router or firewall, in the format 192.123.123.123. This address lets LEM perform active responses on that particular router or firewall.

SSLCA: For CheckPoint OPSEC firewalls, click the Browse button to locate the SSL certificate file to upload to the server. If the tool is already configured, use the existing certificate on the server. You can use the same path for both the LEA (log reading) and SAM (active response) certificates.

Only one person can configure a WatchGuard firewall at a time. Selecting this check box allows LEM's active response to take administrative control of the firewall while a user is logged into the WatchGuard Management Console; that is, LEM disconnects the user and takes control of the firewall.

Type the internal zone used for configuring restrictions on firewall connections.

User Name: Type the user name needed to log onto and configure the firewall. For some products, the user name must be the same one used when the firewall was installed.

If the tool settings you need are not shown here, you are probably configuring a sensor (data gathering) tool. When you have finished configuring the tool settings, don't forget to start the tool.
Description: Use this tool to have the Agent write the specified alert data or text to the specified file.

How to append: Select Newline to write each alert to the file on its own line (one alert per line) by inserting a return or newline character. Select No Newline to stream the alert data to the file by appending the new data immediately after any existing data.

Type the allowable maximum file size for the text file, in megabytes.

Directory Service Query
Description: Use this tool to have the Manager communicate with existing directory services on the network to retrieve and update group information. This lets you synchronize your existing Directory Service Groups for use with rules and filters.
User Name: Type a user name that is valid on the configured domain and server, used to authenticate to the domain and retrieve group information.
Directory Service Server: Type the IP address or host name of your directory services server (commonly a domain controller).
Domain Name: Type the fully qualified domain name of your directory services domain.
Password: Type the password for the user name above.
Directory Service Server Port: Type the port used to communicate with the directory service server.

Email Active Response
Description: Use this tool to have a Manager automatically notify users of alert events when alert policy is configured to do so.
Return Display Name: Type the name that you want to appear in the From field of active response email messages.
Port: Type the port used to communicate with the internal email server.
Return Address: Type the email address that you want to appear in the From field of active response email messages.
Mail Host: Type the IP address or host name of an internal SMTP server through which the Manager can send email without authentication. A server that relays without authentication should accept relay only from the Manager's address; otherwise it is an open relay.
Authentication Server Username: Type the user name needed to access the internal email server, if required.
Authentication Server Password: Type the password needed to access the internal email server, if required.
Test E-mail Address: Type the email address you want to use to test the Mail Host setting. When you click the Test Email button, a test message should arrive at this address.
Test Email button: This button tests your email notification settings to confirm that you entered the correct email host. Click the Test Email button, then check the address's inbox; if you entered the correct address, the inbox should receive the test message.
Filter condition table

The Left field column lists each type of field you can drag into the Conditions box's left field. The Right field column lists the corresponding field types that you can drag into the Conditions box's right field. The Operators columns (exists, not exists, in, not in, =, >, >=, <, <=) list the types of comparison you can make between left and right fields; which of them apply to a given pair follows the type rules in the Operator tips below.

Left field: text alert field
Right field: text alert field, text alert group field, text constant, directory service group, subscription group, tool profile, user-defined group

Left field: time alert field
Right field: time alert field, time alert group field, time constant, time of day

Left field: number alert field
Right field: number alert field, number alert group field, number constant

Left field: text alert group field
Right field: text alert field, text alert group field, text constant, directory service group, subscription group, tool profile, user-defined group

Left field: time alert group field
Right field: time alert field, time alert group field, time constant, time of day

Left field: number alert group field
Right field: number alert field, number alert group field, number constant

Left field: text constant
Right field: directory service group, tool profile, user-defined group

Left field: number constant
Right field: directory service group, tool profile, user-defined group

Left field: time constant
Right field: directory service group, tool profile, user-defined group

For configuring filter conditions, see the "Filter condition table" on page 1. For configuring rule correlations, see the "Rule correlation table" on page 1. Each of these tables provides a matrix of valid operators for comparing an alert variable to other elements.

Click an operator to cycle through the operators that are acceptable for the current condition. Ctrl+click an operator to show a list of operators you can choose from, then click the operator you want to use.

Operator tips

The following tips apply to operators:
When comparing two numeric values, the full range of mathematical operators is available.
An IP address is treated as a string (text) value, so the operators are limited to equal and not equal.
DateTime fields have a default value of > Time Now, meaning greater than the current date and time.
Table of operators

The following table describes each operator and how to interpret it when used as a filter condition.

Operator: Exists / Not exist
Description: Use these operators to specify whether a particular alert or Alert Group exists. Read conditions with these operators as follows: This [alert/Alert Group] must [exist/not exist]. Note: "Not exist" is only used in rules.

Operator: In / Not in
Description: Use these operators when comparing alert fields with groups (such as Alert Groups and User-Defined Groups). They determine the filter's behavior based on whether the field is contained in a specific Group. Read conditions with these operators as follows: This [alert field] must be in this [Group]. This [alert field] must not be in this [Group].

Operator: = / not =
Description: Read conditions with these operators as follows: This [alert variable] must equal this [list item*]. This [alert variable] must not equal this [list item*].

Operator: > / >= / < / <=
Description: Text comparisons (for IP addresses, host names, and so on) are limited to the equal and not equal operators. Read conditions with these operators as follows: This [alert variable] must be greater than this [list item*]. This [alert variable] must be greater than or equal to this [list item*]. This [alert variable] must be less than this [list item*]. This [alert variable] must be less than or equal to this [list item*].

Operator: AND
Description: The AND symbol means two or more conditions (or groups) must occur together for the filter to apply. This is the default comparison for new groups.

Operator: OR
Description: The OR symbol means any one of several conditions (or groups) may occur for the filter to apply. When comparing groups of distinct alerts, you must use the OR symbol.

If you click an AND operator, it changes to an OR, and vice versa.

*A list item can be another alert variable, such as an alert field. For example, you may want to check that an alert's source equals its destination. In this case, you compare two alert fields, such as SourceMachine = DestinationMachine.
If x AND y AND z occur, report the alert: all of the conditions must apply.
If x OR y OR z occurs, report the alert: any one of the conditions may apply.
If (x AND y) OR z occurs, report the alert: conditions x and y occur together, or condition z occurs.
If (a AND b) OR (x AND y) OR (z) occurs, report the alert. In this case, you create three groups, two nested within the third:
The nested groups are configured as (a AND b) and (x AND y), joined with an OR.
The outer group is configured as (z), surrounding the nested groups with an OR.
In this example, the filter reports the alert when it meets the following conditions: Condition1 and Condition2 and Condition3, or Condition1 and Condition4 and Condition5.
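To make the AND/OR nesting and the operator rules concrete, here is an added example written for this page, not SolarWinds code: a small Python evaluator that applies nested condition groups to alert records. It enforces the Operator tips (text values such as IP addresses compare only with equal and not equal; numbers and times get the full range), supports exists / not exists, in / not in against a group, and lets the right-hand side be another alert field (SourceMachine = DestinationMachine). The field names, the alert records and the group of event names are constructed for the example and are not real LEM data.

```python
"""Added example (not SolarWinds code): evaluate nested AND/OR filter groups
over alert records, using the operator rules described on this page."""
from datetime import datetime

COMPARE = {
    "=":  lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">":  lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<":  lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
}
TEXT_OPS = {"=", "!="}      # IP addresses and host names are text: equal / not equal only
RANGE_OPS = set(COMPARE)    # numbers and date/time values get the full range


class Field:
    """Marks a right-hand item that is itself an alert field (a 'list item' that is a variable)."""
    def __init__(self, name):
        self.name = name


class Condition:
    """One comparison: <alert field> <operator> <constant | group | Field>."""
    def __init__(self, field, op, right=None):
        self.field, self.op, self.right = field, op, right

    def check(self, alert):
        if self.op == "exists":
            return self.field in alert
        if self.op == "not exists":
            return self.field not in alert
        if self.field not in alert:
            return False                              # nothing to compare against
        value = alert[self.field]
        right = alert.get(self.right.name) if isinstance(self.right, Field) else self.right
        if self.op in ("in", "not in"):
            return (value in right) == (self.op == "in")
        if right is None:
            return False                              # referenced alert field is absent
        allowed = RANGE_OPS if isinstance(value, (int, float, datetime)) else TEXT_OPS
        if self.op not in allowed:
            # The LEM form never offers this combination; refuse it instead of guessing.
            raise ValueError(f"{self.op!r} is not valid for text field {self.field!r}")
        return COMPARE[self.op](value, right)


class Group:
    """AND: every member must match; OR: any member may match. Groups nest freely."""
    def __init__(self, op, *members):
        if op not in ("AND", "OR"):
            raise ValueError(f"unknown group operator {op!r}")
        self.op, self.members = op, members

    def check(self, alert):
        test = all if self.op == "AND" else any
        return test(m.check(alert) for m in self.members)


# Constructed user-defined group of event names (taken from the report titles above).
SUSPICIOUS = {"Remote Procedure Enumerate", "Scan", "Stack Fingerprint", "Trojan Scanner"}

# Constructed alerts; the field names are assumptions for this example.
SAMPLE_ALERTS = [
    {"id": 1, "EventName": "Scan", "Severity": 6, "SourceMachine": "10.0.0.5", "DestinationMachine": "10.0.0.9"},
    {"id": 2, "EventName": "Scan", "Severity": 2, "SourceMachine": "10.0.0.5", "DestinationMachine": "10.0.0.9"},
    {"id": 3, "EventName": "Unusual Traffic", "Severity": 1, "SourceMachine": "10.0.0.7", "DestinationMachine": "10.0.0.7"},
    {"id": 4, "EventName": "Logon", "Severity": 1, "SourceMachine": "10.0.0.8", "DestinationMachine": "10.0.0.1", "Priority": "flagged"},
    {"id": 5, "EventName": "Logon", "Severity": 9, "SourceMachine": "10.0.0.8", "DestinationMachine": "10.0.0.1"},
]

# (a AND b) OR (x AND y) OR (z): two nested AND groups inside an outer OR group.
FILTER = Group(
    "OR",
    Group("AND", Condition("EventName", "in", SUSPICIOUS), Condition("Severity", ">=", 5)),
    Group("AND", Condition("SourceMachine", "=", Field("DestinationMachine")),
                 Condition("EventName", "=", "Unusual Traffic")),
    Condition("Priority", "exists"),
)


def matching_ids(flt, alerts):
    """IDs of the alerts the filter would report."""
    return [a["id"] for a in alerts if flt.check(a)]


def invalid_text_comparison():
    """True if a range operator on an IP address is rejected, as the form's rules require."""
    try:
        Condition("SourceMachine", ">", "10.0.0.1").check(SAMPLE_ALERTS[0])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(matching_ids(FILTER, SAMPLE_ALERTS))   # alerts 1, 3 and 4
    print(invalid_text_comparison())
```

Alert 1 matches the first nested group, alert 3 the second (its source equals its destination), and alert 4 the outer condition because the Priority field exists; alerts 2 and 5 satisfy no complete group. Swapping the outer group's operator to AND would require all three branches at once, which none of the sample alerts satisfies.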
Notifications table

The following table lists the notification methods that can be used to notify a user that a filter's alert threshold has been met. The Notification column lists each option available in the list pane's Notifications list, alphabetized for easy reference. The Description column briefly states how each option behaves. The Fields column explains the data fields that can be configured for each option.

Notification: Popup
Description: This option causes the filter to display the Popup Notification form when it receives an alert. The form states the name of the filter that is receiving the alerts and that the filter's alert threshold has been met. From the form, the recipient can choose to view the filter, to turn off the pop-up form for that filter, or to turn off the pop-up form for all filters.
Fields: Notify on x alerts received: Type the number of alerts the filter must receive before displaying the Popup Notification form. Repeat on x alerts received: If you want the pop-up form to appear again after further alerts, select the Repeat on check box; then, in the alerts received box, type how many more alerts the filter should receive before issuing the pop-up form again.

Notification: Display New Alerts As Unread
Description: This option displays new alerts in the filter with bold text. They remain bold until you acknowledge them by clicking them or by opening them in
Fields: Not applicable

Notification: Color
Description: This option causes the filter name to blink in the Filters pane.
Fields: Color: Click the Color button to open the Blink Color form, choose a color from one of the three color palettes, and click OK; the filter name blinks in this color. Time (ms): Move the slider to select the time between blinks, in milliseconds. Notify on x alerts received: Type the number of alerts the filter must receive before the filter tab begins blinking. Repeat on x alerts received: The filter tab stops blinking once you acknowledge it by selecting it. If you want the tab to begin blinking again after further alerts, select the Repeat on check box; then, in the alerts received box, type how many more alerts the filter should receive before it starts blinking again.

Notification: Sound
Description: This option causes the filter to play a sound upon receiving an alert.
Fields: Sound/Browse: To select a sound, click the Browse button, then use the Open form to locate and select the sound file you want to use. Sound files must be of the .wav file type. When you are done, the name of the file appears in the Sound box; to test the sound, click the play button. Notify on x alerts received: Type the number of alerts the filter must receive before playing the sound. Repeat on x alerts received: If you want the sound to play again after further alerts, select the Repeat on check box; then, in the alerts received box, type how many more alerts the filter should receive before the sound plays again.
Rule correlation table

The Left field column lists each type of field you can drag into the Correlations box's left field. The Right field column lists the corresponding field types that you can drag into the Correlations box's right field. The Operators columns (exists, not exists, in, not in, =, >, >=, <, <=) list the types of comparison you can make between left and right fields; which of them apply to a given pair follows the type rules in the Operator tips.

Left field: text alert field
Right field: text alert field, text alert group field, text state variable field, text constant, directory service group, tool profile, user-defined group

Left field: time alert field
Right field: time alert field, time alert group field, time state variable field, time constant, time of day

Left field: number alert field
Right field: number alert field, number alert group field, number state variable field, number constant

Left field: text alert group field
Right field: text alert field, text alert group field, text state variable field, text constant, directory service group, tool profile, user-defined group

Left field: time alert group field
Right field: time alert field, time alert group field, time state variable field, time constant, time of day

Left field: number alert group field
Right field: number alert field, number alert group field, number state variable field, number constant

Left field: text state variable
Right field: text alert field, text alert group field, text state variable field, text constant, directory service group, tool profile, user-defined group

Left field: time state variable
Right field: time alert field, time alert group field, time state variable field, time constant, time of day

Left field: number state variable
Right field: number alert field, number alert group field, number state variable field, number constant

Left field: text constant
Right field: directory service group, tool profile, user-defined group

Left field: number constant
Right field: directory service group, tool profile, user-defined group

Left field: time constant
Right field: directory service group, tool profile, user-defined group
Comparing values with operators

When configuring a rule or a filter, whenever you drag an item from the list pane and position it next to an alert variable, an operator icon appears between them. The operator states how the alert variable must compare with the other item to be subject to the rule's or filter's conditions.

For example, an operator might state whether an alert should fall inside or outside of a Time of Day Set, or whether an alert applies to a particular Tool Profile. The operators that appear between two elements vary, depending on your selections. The form only allows comparisons that are logical for the elements you have selected. For more information on which operators are available for a particular field, see the following reference tables:
  • For configuring filter conditions, see the "Filter condition table" on page 1.
  • For configuring rule correlations, see the "Rule correlation table" on page 1.

Each of these tables provides a matrix of valid operators for comparing an alert variable to other elements.

Click an operator to cycle through the various operators that are acceptable for the current condition. Ctrl+click an operator to show a list of operators you can choose from, then click the operator you want to use.
Operator tips

The following tips apply to operators:
  • When comparing two numeric values, the full range of mathematical operator options is available.
  • An IP address is treated as a string (or text) value. Therefore, operators are limited to equal and not equal.
  • DateTime fields have a default value of > Time Now, which means greater than the current date and time.
Table of operators

The following table describes each operator and how it should be interpreted when used as a filter condition.

Operator: Exists / Not exist
Description: Use these operators to specify if a particular alert or Alert Group exists. Read conditions with these operators as follows: This [alert/Alert Group] must [exist/not exist]. Note: "Not exist" is only used in rules.

Operator: is in / is not in
Description: Use these operators when comparing alert fields with groups (such as Alert Groups, User-Defined Groups, etc.). They determine the filter's behavior, based on whether or not the field is contained in a specific Group. Read conditions with these operators as follows:
  • This [alert field] must be in this [Group].
  • This [alert field] must not be in this [Group].

Operator: Equals
Description: Read conditions with these operators as follows:
  • This [alert variable] must equal this [list item*].
  • This [alert variable] must not equal this [list item*].
Text comparisons (for IP addresses, host names, etc.) are limited to equal or not equal operators.

Operator: >, >=, <, <= (greater than, greater than or equal to, less than, less than or equal to)
Description: Read conditions with these operators as follows:
  • This [alert variable] must be greater than this [list item*].
  • This [alert variable] must be greater than or equal to this [list item*].
  • This [alert variable] must be less than this [list item*].
  • This [alert variable] must be less than or equal to this [list item*].

Operator: AND
Description: The AND symbol means two or more conditions (or groups) must occur together for the filter to apply. This is the default comparison for new groups.

Operator: OR
Description: The OR symbol means any one of several conditions (or groups) may occur for the filter to apply. When comparing groups of distinct alerts, you must use the OR symbol.

If you click an AND operator, it changes to an OR, and vice versa.

*A list item can be another alert variable, such as an alert field. For example, you may want to check that an alert's source is equal to its destination. In this case, you would compare two alert fields, such as SourceMachine = DestinationMachine.
If x AND y AND z occur, report the alert: if all of the conditions apply, report the alert.
If x OR y OR z occurs, report the alert: if any of the conditions apply, report the alert.
If (x AND y) OR z occurs, report the alert: if conditions x and y occur, or if condition z occurs, report the alert.
If (a AND b) OR (x AND y) OR (z) occurs, report the alert: in this case, you would create three groups, two nested within the third:
  • The nested groups are configured as (a AND b) and (x AND y), joined with an OR.
  • The outer group is configured as (z), surrounding the nested groups with an OR.
In this example, the filter reports the alert when it meets the following conditions: Condition1 and Condition2 and Condition3, or Condition1 and Condition4 and Condition5.
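The operator rules in this section (text and IP values limited to equal/not equal, the full comparison set for number and date/time values, exists and in/not in against a group, and nested AND/OR groups such as (a AND b) OR (x AND y) OR (z)) modelled as an added Python example; this is not SolarWinds LEM code, and the alert field names, group contents and sample alerts are constructed for illustration:

```python
"""Added example (not SolarWinds LEM code): a small evaluator for LEM-style filter
conditions, following the operator rules this section describes. Field names,
group contents and alerts below are constructed for the example."""
import operator as op
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Any, Dict, List, Union

# Number and date/time values get the full comparison set; text values only equality.
NUMERIC_OPS = {"=": op.eq, "!=": op.ne, ">": op.gt, ">=": op.ge, "<": op.lt, "<=": op.le}
TEXT_OPS = {"=": op.eq, "!=": op.ne}


@dataclass
class Condition:
    """One filter row: <left alert field> <operator> <right item>."""
    left: str          # alert field name, e.g. "SourceMachine"
    operator: str      # exists, not exists, in, not in, =, !=, >, >=, <, <=
    right: Any = None  # constant, group (a set), or "field:<name>" for a field-to-field comparison


@dataclass
class Group:
    """A condition group; groups may be nested inside other groups."""
    mode: str                                   # "AND" (the default for new groups) or "OR"
    items: List[Union[Condition, "Group"]] = field(default_factory=list)


def _is_text(value: Any) -> bool:
    # IP addresses are stored as text, so they get the text operator set
    return isinstance(value, str)


def allowed_operators(value: Any) -> List[str]:
    """Operators the form would offer for an alert field holding this value."""
    return list(TEXT_OPS if _is_text(value) else NUMERIC_OPS)


def evaluate_condition(alert: Dict[str, Any], cond: Condition) -> bool:
    if cond.operator == "exists":
        return cond.left in alert
    if cond.operator == "not exists":
        return cond.left not in alert
    if cond.left not in alert:
        return False  # a field that is absent cannot satisfy a comparison
    left = alert[cond.left]
    if cond.operator in ("in", "not in"):
        member = left in cond.right
        return member if cond.operator == "in" else not member
    right = cond.right
    if isinstance(right, str) and right.startswith("field:"):
        right = alert.get(right[len("field:"):])  # e.g. SourceMachine = DestinationMachine
    ops = TEXT_OPS if _is_text(left) else NUMERIC_OPS
    if cond.operator not in ops:
        raise ValueError(f"{cond.operator!r} is not valid for {type(left).__name__} field {cond.left!r}")
    return ops[cond.operator](left, right)


def evaluate(alert: Dict[str, Any], node: Union[Condition, Group]) -> bool:
    """AND: every item must hold; OR: any one item is enough. Recurses into nested groups."""
    if isinstance(node, Condition):
        return evaluate_condition(alert, node)
    results = [evaluate(alert, item) for item in node.items]
    return all(results) if node.mode == "AND" else any(results)


# Constructed data: "Time Now" when the filter was built, and two groups.
NOW = datetime(2012, 6, 1, 12, 0, 0)
CRITICAL_SERVERS = {"10.0.0.5", "10.0.0.6"}       # a User-Defined Group of IP addresses
ADMIN_ACCOUNTS = {"Administrator", "svc_backup"}  # a Directory Service Group


def example_filter() -> Group:
    """(a AND b) OR (x AND y) OR (z): two nested AND groups inside an outer OR group."""
    return Group("OR", [
        Group("AND", [
            Condition("SourceMachine", "=", "field:DestinationMachine"),  # a
            Condition("Severity", ">=", 3),                               # b
        ]),
        Group("AND", [
            Condition("DestinationMachine", "in", CRITICAL_SERVERS),      # x
            Condition("DetectionTime", ">", NOW),                         # y: the DateTime default, "> Time Now"
        ]),
        Condition("DestinationAccount", "in", ADMIN_ACCOUNTS),           # z
    ])


ALERTS = [  # constructed alerts; index 2 is the only one the filter should not report
    {"SourceMachine": "10.0.0.9", "DestinationMachine": "10.0.0.9", "Severity": 4, "DetectionTime": NOW - timedelta(hours=1)},
    {"SourceMachine": "10.0.0.9", "DestinationMachine": "10.0.0.5", "Severity": 1, "DetectionTime": NOW + timedelta(minutes=5)},
    {"SourceMachine": "10.0.0.9", "DestinationMachine": "10.0.0.5", "Severity": 1, "DetectionTime": NOW - timedelta(minutes=5)},
    {"SourceMachine": "10.0.0.1", "DestinationMachine": "10.0.0.2", "Severity": 5, "DetectionTime": NOW, "DestinationAccount": "Administrator"},
]


def matching_alerts(alerts=ALERTS, flt=None) -> List[int]:
    """Indexes of the alerts the filter reports."""
    flt = flt if flt is not None else example_filter()
    return [i for i, alert in enumerate(alerts) if evaluate(alert, flt)]


if __name__ == "__main__":
    print("reported alerts:", matching_alerts())                        # [0, 1, 3]
    print("operators for an IP address:", allowed_operators("10.0.0.1"))  # ['=', '!=']
```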
Actions table
The following table lists the various actions a Manager can take to respond to alert events. These actions are configured in the Respond form when you are initiating an active response, and in the rule window's Actions box when you are configuring a rule's automatic response. The table's Action column lists the actions that are available. They are alphabetized for easy reference. The Description column briefly states how the action behaves. The Fields column lists the primary data fields that apply with each action. Some data fields will vary, depending on the options you select.

Action: Add Domain User To Group
Description: This action adds a domain user to a specified user group that resides on a particular Agent.
Fields:
  Domain Controller Agent: Select the alert field or constant that defines the Agent on which the group to be modified resides. To modify a group at the domain level, specify a domain controller as the Agent.
  Group Name: Select the alert field or constant that defines the group that is to be modified.
  Username: Select the alert field or constant that defines the user who is to be added to the group.

Action: Add Local User To Group
Description: This action adds a local user to a specified user group that resides on a particular Agent.
Fields:
  Agent: Select the alert field or constant that defines the Agent on which the group to be modified resides. To modify a group at the domain level, specify a domain controller as the Agent.
  Group Name: Select the alert field or constant that defines the group that is to be modified.
  Username: Select the alert field or constant that defines the user who is to be added to the group.
Description: This action adds a new data element to a particular user-defined group.
Fields:
  User-Defined Group: From the User-Defined Groups list, select the User-Defined Group that is to receive the new data element.
  Value: Select the alert field or constant that defines the data element that is to be added to the specified User-Defined Group. The fields will vary according to which User-Defined Group you select.

Description: This action appends text to a file. This allows you to take data from an alert and put it in a text file.
Fields:
  Agent: Select the alert field or constant that defines the Agent on which the file to be appended is located.
  File Path: Select the alert field or constant that defines the path to the Agent file that is to be appended with text.
  Text: Select the alert field or constant that defines the text to be appended to the file.

Action: Block IP
Fields:
  IP Address: Select the alert field or constant that identifies the device's IP address.
Fields:
  Agent: Select the alert field or constant that defines the Agent on which the new user account is to be added. To create a user account at the domain level, specify a domain controller as the Agent.
  Account Name: Select the alert field or constant that names the account that is to be created.
  Account Password: Select the alert field or constant that defines the password that is to be assigned to the new account.

Action: Create
Description: This action creates a new user group on an Agent. A user group is a group of Windows users on a Windows PC, server, or network who are external to the LEM system.
Fields:
  Agent: Select the alert field or constant that defines the Agent on which the new user group is to reside. To create a user group at the domain level, specify a domain controller as the Agent.
  Group Name: Select the alert field or constant that defines which user group is to be created.
Fields:
  Agent: Select the alert field or constant that defines the Agent on which the user account is to be deleted. To delete a user account at the domain level, specify a domain controller as the Agent.
  Account Name: Select the alert field or constant that names the account that is to be deleted.

Action: Delete
Fields:
  Agent: Select the alert field or constant that defines the Agent on which the user group to be deleted resides. To delete a user group at the domain level, specify a domain controller as the Agent.
  Group Name: Select the alert field or constant that defines the user group that is to be deleted.

Description: This action detaches a USB mass storage device that is connected to an Agent.
Fields:
  Agent: Select the alert field or constant that defines the Agent from which the USB device is to be detached.
  Device: Select the alert field or constant that defines the device ID of the USB device that is to be detached.
Description: This action disables a Domain User Account on a Domain Controller Agent.
Fields:
  Domain Controller Agent: Select the alert field or constant that defines the Domain Controller Agent on which the domain user is to be disabled.
  Destination Account: Select the alert field or constant that defines the account that is to be disabled.

Action: Disable Account
Fields:
  Agent: Select the alert field or constant that defines the Agent on which the local user is to be disabled.
  Destination Account: Select the alert field or constant that defines the account that is to be disabled.

Action: Disable Networking
Description: This action disables the Agent's network access. The result is that the specified Agent will be unable to connect to the network.
Fields:
  Agent: Select the alert field or constant that defines the Agent that is to be disabled from the network.
  Message: Type the message that is to appear on the Agent.

Description: This action disables a Windows machine account that resides on a Domain Controller Agent.
Fields:
  Domain Controller Agent: Select the alert field or constant that defines the Domain Controller Agent on which the account is to be disabled.
  Destination Account: Select the alert field or constant that specifies which Windows account is to be disabled.
Description: This action enables a Domain User Account on a Domain Controller Agent.
Fields:
  Domain Controller Agent: Select the alert field or constant that defines the Domain Controller Agent on which the domain user is to be enabled.
  Destination Account: Select the alert field or constant that defines the account that is to be enabled.

Fields:
  Agent: Select the alert field or constant that defines the Agent on which the local user is to be enabled.
  Destination Account: Select the alert field or constant that defines the account that is to be enabled.

Description: This action enables a Windows machine account that resides on a Domain Controller Agent.
Fields:
  Domain Controller Agent: Select the alert field or constant that defines the Domain Controller Agent on which the account is to be enabled.
  Destination Account: Select the alert field or constant that specifies which Windows account is to be enabled.
Description: This action escalates potential issues by creating an Incident Alert.
Fields:
  Alert: Select which Incident Alert the rule is to create.
  Alert Fields: From the list pane, select the alerts and constants that define the appropriate data elements for each alert field. The fields vary, depending on which Incident Alert is selected.

Action: Infer Alert
Description: This action escalates potentially irregular audit traffic into security events by creating (or inferring) a new alert with a higher severity.
Fields:
  Alert: Select which Alert the rule is to infer.
  Alert Fields: From the list pane, select the alerts and constants that define the appropriate data elements for each alert field. The fields vary, depending on which alert is selected.

Action: Kill ID
Fields:
  Agent: Select the alert field or constant that defines the Agent on which the process is to be terminated.
  Process ID: Select the alert field or constant that identifies the ID number of the process that is to be terminated.
Description: This action terminates a process on the Agent by referring to the process name.
Fields:
  Agent: Select the alert field or constant that defines the Agent on which the process is to be terminated.
  Process Name: Select the alert field or constant that identifies the name of the process that is to be terminated.
  Account Name: Select the alert field or constant that identifies the name of the account that is running the process to be terminated.

Fields:
  Agent: Select the alert field or constant that defines the Agent from which the user is to be logged off.
  Account Name: Select the alert field or constant that identifies the specific account name that is to be logged off.

Fields:
  State Variable: From the State Variables list, drag the state variable that the rule is to modify.
  State Variable Fields: From the appropriate component list, type or drag the data element that is to be modified in the state variable. The fields vary, depending on which state variable is selected.
Description: This action removes a domain user from a specified user group that resides on a particular Agent.
Fields:
  Domain Controller Agent: Select the alert field or constant that defines the domain controller Agent on which the group to be modified resides.
  Group Name: Select the alert field or constant that defines the group that is to be modified.
  User Name: Select the alert field or constant that defines the user who is to be removed from the group.

Action: Remove Local User From Group
Description: This action removes a local user from a specified user group that resides on a particular Agent.
Fields:
  Agent: Select the alert field or constant that defines the Agent on which the group to be modified resides.
  Group Name: Select the alert field or constant that defines the group that is to be modified.
  User Name: Select the alert field or constant that defines the user who is to be removed from the group.
Description: This action removes a data element from a particular user-defined group.
Fields:
  User-Defined Group: From the User-Defined Groups list, select the user-defined group from which the specified data element is to be removed.
  Value: Select the alert field or constant that defines the data element that is to be removed from the specified user-defined group. The fields will vary according to which user-defined group you select.

Action: Reset User Account Password
Description: This action resets a user account password on a particular Agent.
Fields:
  Agent: Select the alert field or constant that identifies the Agent on which the user password is to be reset. To reset an account at the domain level, specify a domain controller as the Agent.
  Account Name: Select the alert field or constant that identifies the user account that is to be reset.
  New Password: Select the alert field or constant that defines the user's new password.

Action: Restart Machine
Description: This action reboots an Agent.
Fields:
  Agent: Select the alert field or constant that identifies the Agent that is to be rebooted.
  Delay (sec): Type the time (in seconds) after the event occurs that the Manager is to wait before rebooting the Agent.
Description: This action restarts the specified Windows service on an Agent.
Fields:
  Agent: Select the alert field or constant that identifies the Agent on which the Windows service will be restarted.
  Service Name: Select the alert field or constant that identifies the name of the service that is to be restarted.

Action: Send Email Message
Description: This action sends a preconfigured email message to a predetermined email distribution list.
Fields:
  Email Template: Select the template that the email message is to use. For more information on email templates, see "Configuring Email Templates" on page 1.
  Recipients: Click the check boxes to select which users are to receive the email message.
  Email Fields: Either drag a field from the components list, or select a constant from the components list, to select the appropriate data elements that are to appear in each email template field. The fields vary, depending on which email template is selected.
Fields:
  Agent: Select the alert field or constant that identifies the Agent that is to receive the pop-up message.
  Account Name: Select the alert field or constant that identifies the user account to receive the message.
  Message: Select the alert field or constant that defines the message that is to appear on the Agent's monitor.

Action: Shutdown Machine
Fields:
  Agent: Select the alert field or constant that identifies the Agent that is to be shut down.
  Delay (sec): Type the time (in seconds) after the event occurs that the Manager is to wait before shutting down the Agent.

Fields:
  Agent: Select the alert field or constant that identifies the Agent on which the Windows service is to be started.
  Service Name: Select the alert field or constant that defines the Windows service that is to be started.
Description: This action stops the specified Windows service on an Agent.
Fields:
  Agent: Select the alert field or constant that identifies the Agent on which the Windows service is to be stopped.
  Service Name: Select the alert field or constant that defines the Windows service that is to be stopped.
Index
A
actors 486, 488 Agents 175 editing Tool Profiles with 243 Agents view 175 Agents grid 177 Refine Results form 179 Alert Description pane 92 Alert Details pane 92, 103 alerts 103, 109 alert details 105 alert distribution policy 168, 174 alert descriptions 171 Alert Distribution Policy window 168, 174 configuring 172 defined 168 exporting Manager policy 174 locked policies 169 opening 169 pushing policy downward 173 window features 170 alert grid 91, 103 alert severity 105 applying filters to 98 copying alert messages 101 exploring alerts 215 highlighting alerts 99 Pause/Resume buttons 202 read messages 102 removing alerts 103 responding to alerts 210 sorting 99 unread messages 102 Alert Groups 153, 258-259 alert properties 103 alert severity 105 Alerts mode 114, 122 Asset Alerts 337, 410 Audit Alerts 337, 341, 410 copying 101 exploring 215 highlighting 99 Incident Alerts 337, 359, 410 Internal Alerts 337, 360, 410 nDepth Result Details view 122 pausing 202 read 102 removing 103 Security Alerts 337, 365, 410 types of 336 unread 102 Alerts mode 114, 122 AND conditions 198 AND operators 496, 508 anti-virus tools 477 appliances 174 removing 251 Appliances view 174 appliance status 166 Appliances grid 165 copying grid data 251 features 164 appliances. See Managers. 164 application switch tools 477 Apply button 298 Asset Alerts 337, 410 Audit Alerts 341, 410
C
CMC commands 434 appliance menu 431 logging into CMC 429 manager menu 432 ndepth menu 434 service menu 435 columns rearranging 72 sorting 72 Configure Alert Distribution Policy window Alert/Field column 171 check boxes 171 locked policies 169
node tree 171 Configure Users form 187 adding users 181 configuring tools 252 general procedure 252 Console. See LEM Console 70 content filter tools 480 copying grid data 251 Correlations box 297, 299
D
database servers 164 database tools 478 Details pane Managers 167-168 Directory Service Groups 154, 261, 264 adding to TriGeo SIM 262 assigning to Managers 263 defined 261 grid columns 264
E
Email Templates 154, 264, 285 about 264 configuring 265 creating messages 267 message parameters 266 template folders 267 Event explorer 148, 213 about 213 Alert Details pane 219 about 219 closing 220 exploring from 221 opening 220 viewing alert details 220 description 148 event grid 218 exploring from 219 Order column 218 structure 218 viewing events from 218 event map legend 217 event maps 216 about 216 legend 217 reading 216
features 214 opening 213 Explore > nDepth. See "nDepth" 108 Explore > Utilities view 107 about 107 Event explorer 148, 213 Flow explorer 148 nDepth 149 NSLookup explorer 148-149 Traceroute explorer 148, 150 Whois explorer 148, 151 Explore menu 91, 125, 230 Export to CSV command 127
F
file transfer tools 478 Filter Creation 96 about 96 Add Group button 197 AND conditions 198 Conditions box 97, 195 conditions table 491, 493 features 97 Filter Status bar 97 list pane 97, 191, 195 notifications 97, 498, 502 operators 198, 493, 498, 505, 509 AND/OR 496, 498, 508-509 selecting 494, 506 selection tips 495, 506 table of 495, 507 OR conditions 198 Redo command 98 Undo command 98 Filtering Alerts 96 filters 93 alert severity 105 conditions table 491, 493 configuring 493 configuring. See "Filter Creation" 493, 505 copying 204 creating 199 deleting 206 editing 200 exporting 206 filter groups 93, 207, 248 adding 207
deleting 209 moving filters between groups 208 rearranging 208 renaming 208 importing 205 pausing 202 pausing/resuming 202 showing in Alert Panel 204 standard filters 93 turning on/off 204 Filters pane 90, 96 filter groups 207, 248 adding 207 deleting 209 moving filters between groups 208 rearranging 208 renaming 208 standard filters 93 Filters pane. See Widget Manager. 78 firewall tools 478 Flow explorer 148 description 148 Folders pane Email Template folders 267 Email Templates 267 State Variables folders 271
G
grids 72 Agents grid 177 alert grid 91, 103 applying filters to 98 copying alert messages 101 exploring alerts 215 highlighting alerts 99 pausing filters 202 removing alerts 103 responding to alerts 210 sorting 99 Appliances grid 165 rearranging columns 72 Rules grid 157 sorting columns 72 Groups 285 Alert Groups 153, 258-259 configuring Alert Groups 258-259
Directory Service Groups 261, 264 Email Templates 264, 285 State Variables 268, 285 Time Of Day Sets 271, 273 Tool Profiles 279 User-Defined Groups 273, 278 Directory Service Groups 154, 261, 264 adding to TriGeo SIM 262 assigning to Managers 263 defined 261 grid columns 264 Email Templates 154, 264, 285 about 264 configuring 265 creating messages 267 message parameters 266 template folders 267 exporting 257 Folders pane Email Template folders 267 State Variables folders 271 Group types 153 Groups grid adding Groups 254 cloning Groups 255 deleting Groups 258 editing Groups 254 refining 156 Groups view features 155 importing 256 State Variables 154, 268, 285 adding fields 268 configuring 268 defined 268 deleting fields 270 editing fields 270 Time Of Day Sets 154, 271, 273 configuring 271 defined 271 Tool Profiles 154, 253, 279 adding tools 284 adding/removing Agents 282 creating 280 defined 279 editing tools 283, 285 editing via Agent 243
opening tool configuration 284 rules of 280 template 280 User-Defined Groups 155, 273, 278 adding data elements 275 configuring 274 defined 273 deleting data elements 277 editing data elements 277
H
highlighting alerts 99 History pane 147 nDepth items 116
I
Incident Alerts 359, 410 Internal Alerts 360, 410
L
LEM Console exiting 74 opening 70 Lines Displayed 199 log file directory 483 log file path 483 log messages 109 disabled 114 Log Messages mode 114, 122 nDepth Result Details view 122 logging servers 164
M
Managers 174 appliances 164 Appliances grid 165 configuring 249 connecting to Console 249 defined 164 Details pane 167-168 first time setup 249 logging in 73 logging out 74 removing 251 status 166 users. Also see "users" 187 Managers list 143
Mark All As Read command 102 Mark All As Unread command 102 Mark As Read command 102 Mark As Unread command 102 master widgets. See widgets. 244 Monitor view Alert Description 92 Alert Details 92 features 90 filter groups 207, 248 adding 207 deleting 209 moving filters between group 208 rearranging 208 renaming 208 Filters pane 96 copying filters 204 creating filters 199 deleting filters 206 editing 200 exporting filters 206 filter groups 207, 248 importing filters 205 pausing filters 202 standard filters 93 turning filters on/off 204 Notifications pane 91 Remove All command 103 Remove command 103 Respond form 210 Widgets pane 92
N
nDepth 146, 149 about 108 alert messages 109 Bar Charts 115 Bubble Charts 115 configuring network for 322 dashboard 114 dashboard icons 135 toolbar 114 data fields (Alerts) 127 data fields (Log Messages) 128 description 149 Explore menu 230 Export command 229
features of 110 histogram 117 changing query timeframe 120 features 117 moving search period 119 searching activity with 119 history items 116 Line Charts 115 log messages 109 opening 109 Pie Charts 115 primary uses of 108 Respond menu 231 Result Details 116, 121, 127 adding to nDepth dashboard 139 Alerts mode data 122 creating searches from 124 description 121 exploring search results 125 exporting data 127 Log Messages mode data 122 Respond menu 126 selecting data in 124 Save command 228 search bar 112 Search Builder 116, 139, 146 configuring searches 145 features 142 opening 141 queries 145 searches 222 changing saved searches 228 creating search conditions 224, 232 custom timeframes 226, 234 deleting search strings 225, 234 Explore menu 230 exporting to PDF 229 Respond menu 231 saving 227 searching from widgets 136 using saved searches 228 separate appliances installing 322 when to use 321 toolbar 114 Tree Map 115, 132, 134 adding to nDepth dashboard 139
description 132 exploring 133 opening 133 resizing 133 searching from 133 widgets 134, 139 adding to nDepth dashboard 138 adding widgets 137 default widgets 134 editing widgets 138 searching from 136 viewing widget details 136 widget icons 135 Word Cloud 114, 129, 131 adding to nDepth dashboard 139 description 129 exploring 131 filtering 130 opening 130 searching from 131 viewing statistics 130 network services tools 480 notification system 488 Notifications pane 91 Notifications tab (status bar) 92 NSLookup explorer 148 about 149 description 148
O
operating system tools 480 operators 198, 300, 493, 498, 505, 509 about 493, 505 AND/OR 496, 498, 508-509 selecting 494, 506 selection tips 495, 506 table of 495, 507 Ops Center 335 features 76 OR conditions 198 OR operators 496, 508 Organize Filters form hiding filters 204 showing filters 204
P
Pause button 91
policy rules 522 activating 308 cloning 310 configuring rules 522 deleting 313 disabling 309 editing 301 enabling 304 exporting 311 importing 311 subscribers 302 test mode 305 proxy server tools 480
Q
queries 145
R
Redo command 98, 298 Refine Fields categories (Alerts) 127 categories (Log Messages) 128 Refine Fields list 143 Refine Results form Agents view 179 Rules view 159 Remove All command 103 Remove command 103 reports report tables 476 schedules 476 TriGeo report tables audit reports 438, 457 security reports 458, 474 TriGeo reports 474 Respond form 210 drag and drop functionality 211 Respond menu 91, 126, 210, 231 Result Details 116, 121, 127 adding to nDepth dashboard 139 Alerts mode data 122 creating searches from 124 description 121 exploring search results 125 exporting data 127 Log Messages mode data 122 Respond menu 126
selecting data in 124 Resume button 91 router tools 481 Rule Creation 522 about 157 actions 291 about 291 Actions box 298 Actions table 509, 522 configuring 292 using constants and fields with 291 activating rules 308-309 advanced thresholds 288 adding fields 289 configuring 289 defined 288 deleting 291 editing fields 290 Set Advanced Threshold form 288 AND correlations 198 Apply button 298 configuring rules 293-294 correlation time 297 correlations Correlations box features 299 defined 297 Correlations table 503, 505 Delete button 299 disabling rules 310 editing rules 302 enabling rules 305 features 287 Group button 299 operators 493, 498, 505, 509 AND/OR 496, 498, 508-509 selecting 494, 506 selection tips 495, 506 table of 495, 507 OR correlations 198 Redo command 298 rule status 297 rule subscribers 304 rule window features 294 test mode 307 Threshold button 299 Undo command 298 using caution 286
rules activating 308 adding new rules 293 caution when configuring 286 cloning 310 configuring 294 configuring. See "Rule Creation" 493, 505 defined 157 deleting 313 disabling 309 editing 301 enabling 304 exporting 311 importing 311 locked rules 302 subscribing 302 test mode 305, 307 Rules view 157, 522 description 157 enabled status indicators 158 features 157 locked rules 302 Refine Results form 159 Rules grid 157 activating rules 308 adding rules 293 cloning rules 310 deleting rules 313 disabling rules 309 editing rules 301 enabling rules 304 exporting rules 311 importing rules 311 opening rules for editing 301 Rules grid columns 157 subscribers 302 test mode 305 test status indicators 158
S
Search Builder 116, 139, 146 Conditions box 144 features 142 list pane 143 opening 141 queries 145 search conditions 144
searches 222 nDepth 145, 222 changing saved searches 228 creating search conditions 224, 232 custom timeframes 226, 234 deleting search strings 225, 234 exploring search results 230 exporting to PDF 229 responding to search results 231 saving 227 using saved searches 228 queries 145, 222 Search Builder 145 Security Alerts 365, 410 sensors 482, 485 sleep time 484 State Variables 154, 268, 285 adding fields 268 configuring 268 defined 268 deleting fields 270 editing fields 270 folders 271 status appliances 166 subscribing to policy rules 302 switch tools 481 System Tools 481
T
Time Of Day Sets 154, 271, 273 configuring 271 defined 271 Tool Configuration form opening for a Manager 236 opening for an Agent 236 Tool Profiles 154, 253, 279 adding tools 284 adding/removing Agents 282 creating 280 defined 279 editing tools 283, 285 editing via Agent 243 opening tool configuration 284 rules of 280 template 280
tools anti-virus tools 477 application switches 477 configuring actors 486, 488 configuring sensors 482, 485 database tools 478 file transfer tools 478 firewall tools 478 log file path 483 notification system 488 notification system tools 481 opening Tool Configuration form 236-237 starting 239 stopping 240 System Tools 481 tool categories 477, 481 tool configuration tables 477 tool instances adding 237, 239 deleting 241 editing 240 reconfiguring 240 starting 239 stopping 240 Tool Profiles 253 tool version 485 VPN tools 481 web server tools 481 wrapper name 485 Traceroute explorer 148 about 150 description 148 Tree Map 115, 132, 134 adding to nDepth dashboard 139 categories (Alerts) 127 categories (Log Messages) 128 description 132 exploring 133 opening 133 resizing 133 searching from 133
U
Undo command 98, 298 USB-Defender Agent status 177 audit report 462
User-Defined Groups 155, 273, 278 adding data elements 275 configuring 274 defined 273 deleting data elements 277 editing data elements 277 users 187 adding users 181 Configure Users form 187 adding users 181 deleting users 187 email settings deleting 186 pager and email settings deleting 187
V
VPN tools 481
W
web server tools 481 Whois explorer 148 about 151 description 148 Widget Builder 79, 82 Widget Manager 76 closing 243 Filters pane 78 opening 243 Widgets pane 78 widgets 75, 244, 335 dashboard widgets deleting 247 editing graphs 87 editing in Widget Builder 247 legend 88 opening filters with 85 refreshing 85 resizing 88 viewing data on 84 master widgets 244 adding to dashboard 245 creating 244 deleting 246 editing from Ops Center 244 Widget Builder 79, 82
nDepth widgets 134, 139 adding to nDepth dashboard 138 adding widgets 137 editing widgets 138 searching from widgets 136 viewing widget details 136 storage of 89 Widgets pane (Monitor view) 92 Widgets pane (Ops Center) 78 Word Cloud 114, 129, 131 adding to nDepth dashboard 139 description 129 exploring 131 filtering 130 opening 130 searching from 131 viewing statistics 130 wrapper name 485