Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: Need help with correlating two events


Are they Domain Admins, or just Local Admins, or both? You could possibly do this more simply if you wanted to by looking for domain admins and ANY local account logins (since presumably on a domain local logons really shouldn't be happening). If you integrate LEM with Active Directory you can pull down the Domain Admins group and then create a "UserLogon.LogonType = *Interactive*" AND "UserLogon.DestinationAccount = Domain Admins" rule.

 

However, to answer the question....  we need a field that is the same across the two of them to tie them together, then we can do something like:

UserLogon.ProviderSID = *4624

and

PolicyScopeChange.ProviderSID = *4762

and

UserLogon.DestinationAccount = PolicyScopeChange.DestinationAccount

 

within ~30 seconds.

 

(You might also want to toss in a DetectionIP or DestinationMachine in case that user could be logging on more than one place at once, but that's pretty unlikely.)

 

...but from the screenshots it looks like the logon has the bare username and the privilege assignment has DOMAIN\username?
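The join described in the reply above, as an added example in plain Python rather than LEM rule syntax (this is not code from the thread or from SolarWinds). It keeps the reply's matching as written (ProviderSID ending in 4624 for the logon, 4762 for the follow-up, 30-second window) and adds the one step the reply says is missing: normalizing "DOMAIN\user" and bare "user" to the same key so the DestinationAccount fields can be compared. The event dicts, account names and machine names are constructed for the example; the optional machine check corresponds to the DestinationMachine refinement the reply mentions.

```python
"""Correlate a logon (ProviderSID *4624) with a follow-up event (ProviderSID
*4762) for the same account within a short window. Added example over
constructed events; normalizes DOMAIN\\user vs user so the two join."""
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)


def normalize_account(account):
    """'CORP\\JSmith', 'jsmith@corp.local' and 'jsmith' all become 'jsmith'."""
    account = account.rsplit("\\", 1)[-1]   # drop DOMAIN\ prefix
    account = account.split("@", 1)[0]      # drop @realm suffix
    return account.lower()


def correlate(events, window=WINDOW, key_on_machine=False):
    """events: dicts sorted by time. Returns (logon, followup) pairs where a
    *4762 event arrives within `window` of a *4624 logon for the same
    normalized account (and, optionally, the same machine)."""
    pending = deque()   # recent logons still inside the window
    hits = []
    for ev in events:
        while pending and ev["time"] - pending[0]["time"] > window:
            pending.popleft()
        if ev["provider_sid"].endswith("4624"):
            pending.append(ev)
        elif ev["provider_sid"].endswith("4762"):
            for logon in pending:
                if normalize_account(logon["account"]) != normalize_account(ev["account"]):
                    continue
                if key_on_machine and logon["machine"] != ev["machine"]:
                    continue
                hits.append((logon, ev))
    return hits


def _ev(ts, event_id, account, machine):
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "provider_sid": f"Microsoft-Windows-Security-Auditing {event_id}",
            "account": account, "machine": machine}


# Constructed sample events (not real log data), sorted by time.
SAMPLE_EVENTS = [
    _ev("2014-03-05 09:00:00", 4624, "jsmith", "DC01"),
    _ev("2014-03-05 09:00:12", 4762, "CORP\\jsmith", "DC01"),   # 12 s later: hit
    _ev("2014-03-05 09:05:00", 4624, "alee", "WS07"),
    _ev("2014-03-05 09:06:30", 4762, "CORP\\alee", "DC01"),     # 90 s later: no hit
    _ev("2014-03-05 09:10:00", 4624, "bkim", "WS02"),
    _ev("2014-03-05 09:10:05", 4762, "CORP\\bkim", "DC01"),     # hit unless keyed on machine
]

if __name__ == "__main__":
    for logon, change in correlate(SAMPLE_EVENTS):
        print(f"{change['account']}: logon on {logon['machine']} followed by "
              f"{change['provider_sid']} {change['time'] - logon['time']} later")
```

Keying on the machine as well (`key_on_machine=True`) drops the bkim pair, because the logon was seen on WS02 and the follow-up on DC01; that is the trade-off the reply hints at, since the two events will often be recorded by different hosts.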


Re: Need help with correlating two events


That seemed to me like it might be an issue as well, as the "Destination Account" field is different between the two events (one with domain, one without). Would this not be possible to do then in this manner?

 

However, your first option sounds like it should deliver the results we are looking for. How would I go about getting the Domain Admins group pulled into LEM?

Re: Need help with correlating two events


This video @ 1:20 shows an example of configuring Active Directory with LEM - [VIDEO] How To Use Log and Event Manager to Alert on Unauthorized Access - it's about something else before/after that, but it does show an example. The easiest way is to use the Getting Started widget tools from Ops Center to configure basic settings, which includes the active directory connection. Then, from Build>Groups, you can select the groups you want to use in LEM. Theeeeen, from Build>Rules you can use these groups in rules, to do something like:

 

UserLogon.DestinationAccount = <domain admins>

and

UserLogon.LogonType = *interactive* (if you only want to see interactive or remote desktop logons, not network or service logons - if you want to see everything you can leave this off)

 

To create a local logons rule, the easiest thing to do is to look for logons not to your domain/domains. For example:

UserLogon.DestinationDomain <> <your domain>

and

UserLogon.LogonType = *interactive* (to only see interactive logons)

 

You shouldn't need to refine by the Event ID, but you can always use the ProviderSID field if you need to.
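The two rules sketched in the reply above (interactive logons by Domain Admins; interactive logons to accounts outside your domain) as an added Python example, not code from the thread or from SolarWinds. The group membership set stands in for the Domain Admins group pulled from AD and is assumed to contain DOMAIN\user names; the `*interactive*` wildcard is modelled as a substring match on the standard Windows logon type names, which catches Interactive, RemoteInteractive and CachedInteractive. The sample logons are constructed.

```python
"""Two logon rules over constructed 4624-style events: interactive logons by
Domain Admins, and interactive logons to accounts outside the managed domain
(local accounts). Added example, not LEM rule syntax."""

# Assumed shape of the AD group pulled into LEM: DOMAIN\user, case-insensitive.
DOMAIN_ADMINS = {"corp\\jsmith", "corp\\alee"}
OUR_DOMAINS = {"corp"}          # <your domain> in the rule above

# Windows logon type names; the *interactive* wildcard catches 2, 10 and 11.
LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
                    7: "Unlock", 10: "RemoteInteractive", 11: "CachedInteractive"}


def is_interactive(logon_type):
    """Mirror LogonType = *interactive*: substring match on the type name."""
    return "interactive" in LOGON_TYPE_NAMES.get(logon_type, "").lower()


def classify(event, domain_admins=DOMAIN_ADMINS, our_domains=OUR_DOMAINS):
    """Return the rule names this event fires (possibly none)."""
    fired = []
    if not is_interactive(event["logon_type"]):
        return fired                      # network/service/batch logons are ignored
    account = f"{event['domain']}\\{event['user']}".lower()
    if account in domain_admins:
        fired.append("DomainAdminInteractiveLogon")
    if event["domain"].lower() not in our_domains:
        fired.append("LocalAccountInteractiveLogon")   # DestinationDomain <> <your domain>
    return fired


def run_rules(events):
    """Map rule name -> list of 'DOMAIN\\user@machine' strings that fired it."""
    out = {}
    for ev in events:
        for rule in classify(ev):
            out.setdefault(rule, []).append(f"{ev['domain']}\\{ev['user']}@{ev['machine']}")
    return out


# Constructed sample logons. For a local account Windows records the machine
# name as the account domain, which is what the second rule keys on.
SAMPLE_LOGONS = [
    {"user": "jsmith",          "domain": "CORP",         "logon_type": 10, "machine": "DC01"},
    {"user": "jsmith",          "domain": "CORP",         "logon_type": 3,  "machine": "FS01"},
    {"user": "Administrator",   "domain": "WS07",         "logon_type": 2,  "machine": "WS07"},
    {"user": "svc_backup",      "domain": "CORP",         "logon_type": 5,  "machine": "FS01"},
    {"user": "alee",            "domain": "CORP",         "logon_type": 2,  "machine": "WS02"},
    {"user": "ANONYMOUS LOGON", "domain": "NT AUTHORITY", "logon_type": 3,  "machine": "DC01"},
]

if __name__ == "__main__":
    for rule, who in run_rules(SAMPLE_LOGONS).items():
        print(rule, who)
```

Dropping the `is_interactive` gate is the "leave this off" case in the reply: the network logon by jsmith to FS01 would then fire the Domain Admins rule too.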

Re: Need help with correlating two events


That all makes sense, but I've already used the basic config tool to add our own domain info in LEM. This is for a client that is in our LEM console. How would I go about pulling the domain information from their domain controllers?

Re: Need help with correlating two events


Ah - two options -

  1. You'd need to connect to their AD to pull in that info (LEM can connect to multiple domains, but you have to be able to connect to a DC, which is kind of a bummer if it's over a WAN)
  2. You could build the groups manually if you know the names of their admin accounts, but you have to maintain them as those groups change

 

Which might bring us back to the original solution, if neither of those are feasible.

Re: Need help with correlating two events


Their DC has an agent and is in LEM, and I'm sure I need to use a connector to get this? But not sure of how?

Re: Alert DB of the Database Maintenance Report


Curtis,

 

I am running LEM v6.0.1

 

I have attached the first and last pages of a Database Maintenance Report.

 

T.J.

 

First page of Database Maintenance Report

 

Report

First_page_Database_Maintenance_Report.jpg

Last page of Data Maintenance Report

Last_page_Database_Maintenance_Report.jpg

Re: Need help with correlating two events


Usually we configure AD to connect directly from the LEM appliance, but you can try configuring it on the agent. If you go to Manage > Nodes, then select the agent on their network, then select System Tools and add a new Directory Service Query Tool and configure it, that might work.


Null Session Enumeration


I would like to alert if any thing or anyone attempts Null Session Enumeration against Active Directory.

 

This is two fold since I want to know if it is being done and want to stop it if possible.  Alerting on it would be great as well.

 

I have been looking for something in the logs to key into but have not found it yet.

 

RT

Re: Null Session Enumeration


I might have found the answer for Snort but not LEM.

 

From The Anatomy of an Attack

 

Identify Null Sessions with IDS

If the registry changes or firewall rules mentioned earlier break the functionality of network applications, then you must switch to a reactive approach rather than a proactive one. Rather than preventing enumeration through null sessions the best we can hope to do is catch it when it happens and react to it as we would a normal network security incident.


If you are using Snort, the most popular IDS in production today, then the following rule will detect null session enumeration (taken from the Intrusion Detection with Snort, by Jack Koziol):


alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session"; flow:to_server,established; content:"|00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4E 00 54 00 20 00 31 00 33 00 38 00 31|"; classtype:attempted-recon;)


This would not prevent null session connections from occurring, but it will alert you when they do so you can react appropriately.
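What the Snort rule quoted above actually matches, as an added example (not from the thread, the quoted article, or Snort itself). The content option is decoded from Snort's text-with-|hex| notation, and the result reads as four NUL bytes followed by the UTF-16LE string "Windows NT 1381": consistent with an empty account name and empty domain (the null session) immediately followed by the NativeOS string of a Windows NT 4.0 client, build 1381. The SMB fragments below are constructed and simplified, not full frames, and the field order is an assumption for illustration; they show that the signature fires on the null session from such a client and is silent for an authenticated NT4 client or a null session from a newer client.

```python
"""Decode the Snort content above and test it against constructed, simplified
SMB SessionSetupAndX data sections. Added example; the fragments are built
here for illustration and are not full SMB frames."""

SNORT_CONTENT = ("|00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 "
                 "4E 00 54 00 20 00 31 00 33 00 38 00 31|")


def parse_snort_content(spec):
    """Turn a Snort content string (literal text with |hex| runs) into bytes."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2:                       # odd chunks sit between pipes: hex bytes
            out += bytes.fromhex(chunk)
        else:                           # even chunks are literal text
            out += chunk.encode("latin-1")
    return bytes(out)


PATTERN = parse_snort_content(SNORT_CONTENT)


def describe_pattern(pattern=PATTERN):
    """Split the signature into its leading NULs and the UTF-16LE string.
    The rule's content stops at the low byte of the last character, so the
    string part is odd-length; pad it for decoding."""
    nuls = len(pattern) - len(pattern.lstrip(b"\x00"))
    text = pattern[nuls:]
    if len(text) % 2:
        text += b"\x00"
    return nuls, text.decode("utf-16-le")


def session_setup_data(account, domain, native_os):
    """Constructed data section (assumed layout): NUL-terminated UTF-16LE
    AccountName, PrimaryDomain and NativeOS, in that order."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00"
                    for s in (account, domain, native_os))


def matches(payload, pattern=PATTERN):
    """What Snort's content match does: a plain substring search."""
    return pattern in payload


if __name__ == "__main__":
    print(describe_pattern())
    for label, args in [("null session from NT4 client", ("", "", "Windows NT 1381")),
                        ("authenticated NT4 client", ("jsmith", "CORP", "Windows NT 1381")),
                        ("null session from newer client", ("", "", "Windows 10"))]:
        print(f"{label}: {'ALERT' if matches(session_setup_data(*args)) else 'no match'}")
```

The third case is the caveat for anyone deploying this rule today: it keys on the client's NativeOS string, so it is a signature for one generation of client rather than for null sessions in general.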

Re: Null Session Enumeration

LEM connector for crossbeam and Daemon log file in the lem server


Hello,

 

I'm having trouble getting traps from crossbeam to the LEM, what we noticed is that the xb sends its messages to the Daemon log on the lem server (through the cmc) and it does not forward them to the web gui (probably doesn't parse them).

 

We don't understand what connector to use, or how to get the messages from the Daemon log on the server.

Also there was a try to send the traps through solarwinds orion to local7 log, but still it doesn't seem to find them.

 

 

Appreciate any kind of help, thanks.

Re: Null Session Enumeration


I am going to test this and see if it shows up in the logs this week.  If it works I will monitor Security Log ID 4625 and alert if it is logged when anything attempts Null Session Enumeration (NSE).

 

Even if your Domain is setup to block NSE this might be a way to find internal attackers/hackers or poorly written apps that use NSE.

 

RT

Need to extract top web users from TMG logs using LEM


Hi all,

We just purchased SolarWinds for our log monitoring.  There is a new requirement to extract the monthly top 10 web users from TMG 2010 logs using LEM.  Just wondering if anybody is using LEM for similar usage?

Re: LEM connector for crossbeam and Daemon log file in the lem server


You probably want to open a support ticket for a connector request, but if you're okay with it, can you run an EXPORTSYSLOG and pull the DAEMON log off the LEM and attach it here?  I can test it against our connectors.


Re: Need to extract top web users from TMG logs using LEM


I'd try using the "Network Traffic Audit - Web Traffic by Source Machine" report. What this tells you is the most # of hits through the proxy server by source, but it doesn't tell you anything about duration of their surfing. If you need to know how long they were on certain sites, I don't think there's a good way to accumulate that data with LEM and the TMG logs.
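What "hits by source" in that report amounts to, as an added example (not code from the thread or from SolarWinds): a small W3C extended-format parser that reads the `#Fields` directive and ranks users by request count and bytes served. The log is constructed with a reduced, TMG-style field set rather than copied from a real TMG install. It also makes the reply's caveat concrete: each record is one request, so a count of requests is easy, but nothing in the record says how long the user stayed on a site.

```python
"""Top-N proxy users by request count and bytes served, from a W3C
extended-format proxy log. Added example over a constructed log."""
import collections
import io

# Constructed sample log (not real TMG output); field set reduced for the example.
SAMPLE_LOG = """\
#Software: Microsoft(R) Forefront(TM) Threat Management Gateway
#Version: 2.0
#Fields: c-ip cs-username date time r-host sc-bytes
10.1.2.3 CORP\\jsmith 2014-03-05 09:00:01 www.example.com 5120
10.1.2.4 CORP\\alee 2014-03-05 09:00:03 news.example.org 4096
10.1.2.3 CORP\\jsmith 2014-03-05 09:00:07 www.example.com 2048
10.1.2.9 - 2014-03-05 09:01:10 cdn.example.net 512
10.1.2.3 CORP\\jsmith 2014-03-05 09:02:30 mail.example.com 1024
10.1.2.4 CORP\\alee 2014-03-05 09:03:00 news.example.org 100
"""


def parse_w3c(text):
    """Yield one dict per record, using the #Fields directive for the keys."""
    fields = None
    for line in io.StringIO(text):
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):            # other directives: #Software, #Version, #Date
            continue
        if fields is None:
            raise ValueError("record before #Fields directive")
        yield dict(zip(fields, line.split()))


def top_users(text, n=10):
    """Return [(user, hits, bytes_served)] sorted by hits, descending."""
    hits = collections.Counter()
    served = collections.Counter()
    for rec in parse_w3c(text):
        who = rec["cs-username"]
        if who == "-":                       # unauthenticated request: fall back to client IP
            who = rec["c-ip"]
        hits[who] += 1
        served[who] += int(rec["sc-bytes"])
    return [(who, count, served[who]) for who, count in hits.most_common(n)]


if __name__ == "__main__":
    for who, count, nbytes in top_users(SAMPLE_LOG):
        print(f"{who:20} {count:4} hits {nbytes:8} bytes")
```

Ranking by `sc-bytes` instead of hits is a one-line change and often a better proxy for "top user" than request count, which a single page full of small assets can inflate.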

Re: Null Session Enumeration


For reference - in LEM, 4625 will either appear as MachineLogonFailure or UserLogonFailure, depending on whether the account name has a $... I'm not sure how the null SID and other details will appear, though, so if you get those details I'll be curious to see if we can distinguish them and how it looks in the event log.

Re: Null Session Enumeration


I will be working with a team to generate fresh logs in the Lab.  When I get the logs I will definitely know what I should search and find.

 

I hope to have more on this tomorrow.  Until then try the search below in nDepth.

 

( ProviderSID = "Microsoft-Windows-Security-Auditing 4625" )

 

RT

Re: Alert DB of the Database Maintenance Report

Crystal Report for customization


Hi Team,

 

I would like to seek your assistance/advice.

Please confirm where we can get the FULL edition of Crystal Reports, which is suggested if we want to add a NEW report (one not among the built-in reports). Is it available on the customer portal?
