Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

SEM: Rule Help

Needing a hand: this is my first time diving into LEM/SEM. I created my first rule, but it doesn't seem to be working. I'm trying to send email alerts to our help desk each time a user gets disabled, but it doesn't look like it's executing. Not sure if it's my rule or maybe my email template/SMTP is incorrect in some way (I'm able to send test emails from the SMTP portion in the admin console). Images below have more info:

Here are the event rules:

I based it off of these events (edited out certain info)

  • Event Type: UserDisable
  • EventInfo: Account lockout "domain\username"
  • DetectionIP: DC Server.doamin
  • ToolAlias: Vista Security
  • DestinationDomain: DC Server
  • ProviderSID: Microsoft-Windows-Security-Auditing 4740
  • SourceAccount: DC Name
  • Severity: 4
  • InsertionTime: 2019-08-19 06:45:43
  • Manager: LEM Hostname
  • SourceLogonID: 012345
  • SourceDomain: domain
  • InsertionIP: DC.domain
  • DetectionTime: 2019-08-19 06:45:41
  • ExtraneousInfo: User Account was locked out after repeated logon failures due to a bad password.
  • DestinationAccount: Username
  • DestinationMachine: DC.domain
  • ManagerTime: 2019-08-19 06:45:43
  • SourceMachine: User's PC

Re: SEM: Rule Help

Try updating the EventInfo field to "Account lockout *" without the quotes, and removing the quotes from your filter, basically.

Re: SEM: Rule Help

Additionally, this is what's used in the template rule for the same:

Re: SEM: Rule Help

Ah, that would make sense; made the change. Is there a way, like in Orion, to simulate the alert/rule? If not, I'll just intentionally lock out one of my accounts to try, haha. (If that fixes it, I'll make sure to mark your post as the correct answer for points.)

Re: SEM: Rule Help

Normally I would say just use the criteria in a search and that should work, but after trying to do the same, it seems like both filters *should* work. Still, I would go with the templated one, as that should be more thoroughly tested overall.

Re: Nessus Scanning

There isn't any functionality in SEM to automatically pause all alerts. If there are some particularly noisy rules during vulnerability scans, you could manually disable them during the scan, or even place them in Test Mode, whereby the rule will trigger but actions won't be executed.

Re: SEM: Rule Help

Castlerobertd;

I would build a filter to see if it captures any events.

Then I would look at the Internal Events filter and see if you see any email send failed alerts.

Just a couple of thoughts.

sosborne99


Re: Check Membership of a Custom Security Group on File Server

What information do you need to monitor for the Local Security Groups? There are some Event IDs that specifically relate to Local Security Groups; for example, Event ID 4732 will tell you that a user has been added to a local security group. You can then build filters in SEM to capture those events, and include the group name in the filter also if needed.
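
As an added example (not code from this thread or from SolarWinds), here are the two filters discussed above, the "Account lockout *" EventInfo match from the rule-help post and a local-group filter keyed on Event ID 4732 plus the group name, evaluated in Python against constructed events. The 4732 event type, the DestinationGroup field name and the assumption that the pattern is matched literally with `*` as the only wildcard (so quotes around the pattern become characters that must match) are mine, not SEM's documented behaviour.

```python
import fnmatch

# Constructed sample events modelled on the field lists posted in
# this thread; hosts, accounts and group names are placeholders.
EVENTS = [
    {   # the Event ID 4740 lockout from the first post
        "EventType": "UserDisable",
        "EventInfo": 'Account lockout "domain\\username"',
        "ProviderSID": "Microsoft-Windows-Security-Auditing 4740",
        "DestinationAccount": "Username",
    },
    {   # a constructed Event ID 4732: member added to a local group
        "EventType": "GroupMemberAdd",         # hypothetical event type
        "EventInfo": "Member added to local group",
        "ProviderSID": "Microsoft-Windows-Security-Auditing 4732",
        "DestinationGroup": "Administrators",  # hypothetical field name
        "DestinationAccount": "svc_backup",
    },
]

# A rule maps field names to glob patterns; every field must match.
# Assumption: '*' is the only wildcard and the pattern is matched
# literally, so stray quotes become part of the text to match.
LOCKOUT_RULE = {"EventType": "UserDisable", "EventInfo": "Account lockout *"}
QUOTED_RULE = {"EventType": "UserDisable", "EventInfo": '"Account lockout *"'}
LOCAL_GROUP_RULE = {"ProviderSID": "* 4732", "DestinationGroup": "Administrators"}

def rule_matches(rule, event):
    """True when every field pattern in `rule` matches the event (case-sensitive)."""
    return all(
        field in event and fnmatch.fnmatchcase(event[field], pattern)
        for field, pattern in rule.items()
    )

def fire(rules, events):
    """Return (rule name, DestinationAccount) for every rule/event pair that matches."""
    return [
        (name, event.get("DestinationAccount"))
        for name, rule in rules.items()
        for event in events
        if rule_matches(rule, event)
    ]

if __name__ == "__main__":
    rules = {"lockout": LOCKOUT_RULE, "lockout_quoted": QUOTED_RULE,
             "local_admin_add": LOCAL_GROUP_RULE}
    for hit in fire(rules, EVENTS):
        print(hit)   # the quoted rule never fires
```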

Re: Check Membership of a Custom Security Group on File Server

I don't know if I described it quite right in my original post. I have figured out how to monitor changes to the local group. What I am looking to do is check group membership in the rule. What I am using now is a LEM User Defined group in the rule. In logical terms the rule says "if user is not a member of the LEM User Defined group then...apply rule". I want to use a local security group instead of the LEM User Defined group.

Monitor Domain Security Group Changes in Environment With Multiple Domain Controllers

I have a really large environment (many domain controllers). I currently have the SEM/LEM agent installed on my two local domain controllers, and I can see the changes made to the security groups as long as I am logged into one of those two local domain controllers that have the agent installed. If I, or someone else, were to make changes to the security groups from a different domain controller (that does not have the agent installed), the changes are not detected in the monitor.

I need to monitor changes to domain security groups without having to install the SEM/LEM agent on every domain controller. Is that possible?

Re: Check Membership of a Custom Security Group on File Server

There's no built-in way to have LEM look up a local security group; what he was suggesting is having LEM use a rule to watch for changes to the local group and then have the alert action modify the contents of the LEM user defined group as they happen, so you don't have to manually update it every time.

Re: Check Membership of a Custom Security Group on File Server

Yeah, that's sort of where I was leaning also. I just wanted to be sure that I exhausted my options and wasn't missing something.

Thanks for your reply.

Re: Check Membership of a Custom Security Group on File Server

Is it possible to create a directory service group to sync with a server (not a domain controller) local security group? I thought you could only do that to an Active Directory directory service group.


Re: Monitor Domain Security Group Changes in Environment With Multiple Domain Controllers

No, the agent needs to be installed on all domain controllers to really have anything close to decent coverage. In most cases you also want to install it on all servers to capture their local events, and depending on your policy it may also need to be installed on all workstations.

Re: Monitor Domain Security Group Changes in Environment With Multiple Domain Controllers

I was afraid of that. Unfortunately I do not have access to all DCs in the domain. Going to have to approach this from a server local security group, I think.

Thanks for your help. Much appreciated.

Alert on Not Receiving Syslog From a Device

Is there a way to alert on a syslog device not sending?

As part of our security checks we have to alert if a server or device stops sending logs.

Thanks for any ideas you might have.

Steve

SEM dashboard

Hi,

Does anybody know if it's possible to create a dashboard with the widgets in SEM and assign it to some of the users? Like in NPM, where you can create views for some users.

Thank you.

Supported Java Versions with Linux and SEM v6.7.2

Hello,

I recently updated SEM to the latest version (v6.7.2), and one of my Sys Admins is also trying to bring a RHEL server online. I gave him the latest agent, but he is getting Java errors and the agent is not reporting into the SEM appliance. The RHEL server is running OpenJDK v11. What Java versions are supported? I can't seem to find what versions are supported. I am not sure if they are running too new of a version or not.

Thanks - I am having a case of the Mondays on a Tuesday.

Cole
