Creating Rules for Real-time Correlation and Response with Log & Event Manager

Uploaded by solarwindsinc on 02.03.2012

A "rule" is a mechanism within the SolarWinds Log & Event Manager
which allows us to correlate events which take place on our networks,
and then perform an action or take a response automatically with no
intervention required on our part.
This ability to take action is the major difference between a rule
and a filter.
Filters only display the events they capture.
Rules perform an action based upon those events.
SolarWinds Log & Event Manager comes with hundreds of preconfigured
rules, and you have the ability to create your own rules to fit
your specific needs.
It is up to you to make the determination that you want a rule in
place to take some action on your network.
Since change management events are of concern to us all,
especially the auditors, let's begin there.
While there are numerous different change management events,
we're going to focus on one which poses the greatest potential threat--
users being added to administrative groups.
Granting a user the keys to the kingdom might be a perfectly valid event
for a real sysadmin, but if someone has compromised Active Directory or is
adding a back-door account, the sooner you are aware of the activity
and can act upon it, the better.
So how do we begin?
Well, if you can see an event in the LEM Console, you can build a rule
to take action against it.
Here in the monitor view, as we look in the "Change Management Events"
filter, we can see a number of events have taken place, but the one
highlighted indicates that a new group member has been added to the
built-in administrators group.
The key pieces of data for building our rule are the name of the event
or alert, "NewGroupMember", and the text string within the Event Info
field showing the group the user was added to.
The key text in that entire string is the word "Administrators."
To build a rule, you'll use the BUILD option on the navigation bar
and select "Rules."
Building a rule is very similar to building a filter, and there are a number
of videos and Knowledge Base documents which explain
exactly how it's done.
We're just going to examine the finished product.
The correlations of a rule are the logic behind it.
From our list of components on the left, we added the event or alert name
NewGroupMember along with the specific data field "Event Info"
into our correlations.
In the text string, we surrounded the text "admin" with asterisks, or wild
cards. This allows the rule to correlate the data "admin," "admins,"
"administrator," or "administrators" -- so we don't miss
an iteration of the word. The same pattern also catches groups such as
"Domain Admins" and "Enterprise Admins," which is exactly what we want here.
Correlation Time is an advanced condition, which is not needed
for this rule and was left as is.
For our action, we added the "Send Email Message" from the list of action
components on the left-hand side of the window pane.
We selected the "Default" email template, but you may choose
whatever template you feel would be most helpful.
From the user drop-down menu of "Recipients," we checked the LEM
users we wanted to receive this email when the rule fired.
For the two merge fields of the email template, we brought over the
respective data fields.
The key to using these merge fields is to make sure you are pulling the
data from the same alert or event that you used in the correlations--
in our case, the "NewGroupMember" event.
Otherwise, you'll be pulling data from the wrong event.
Be sure to check the "Enable" check box up at the top.
This tells LEM that you want this rule to be active and running in
your environment and then, save your rule.
The final step is to activate your rule by clicking the "Activate Rules" button.
Up to this point, you have only built the rule within the LEM Console.
For that rule to take action in your environment, it must reside on the
manager, so that it runs regardless of what you are doing or where you are.
Clicking the "Activate Rules" button sends the rule to the manager.
Now, whenever a user is added to an administrative group,
you'll receive an email message similar to the one you see here,
which tells you exactly what the event was and the time it occurred.
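The rule just walked through, as an added example written for this page rather than code from SolarWinds or from LEM itself. It keeps the same three parts the transcript describes (a correlation on the event name plus a wildcard test on the Event Info field, an email action whose merge fields are filled from the matching event, and an Enable flag) and runs them over a handful of constructed events. The field names, the sample records, the recipient address and the case-insensitive wildcard matching are assumptions of the example, not documented LEM behaviour.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample events in the shape the transcript describes (an event
# name, an "Event Info" text field, and a time). These are NOT real LEM
# records; the field names are assumptions made for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventName": "NewGroupMember", "DetectionTime": "2012-03-02 09:14:05",
     "EventInfo": "jdoe was added to group BUILTIN\\Administrators"},
    {"EventName": "NewGroupMember", "DetectionTime": "2012-03-02 09:20:41",
     "EventInfo": "svc_backup was added to group Backup Operators"},
    {"EventName": "NewGroupMember", "DetectionTime": "2012-03-02 11:02:17",
     "EventInfo": "mallory was added to group Domain Admins"},
    # Matching text but the wrong event: a rule keyed on NewGroupMember skips it.
    {"EventName": "UserLogon", "DetectionTime": "2012-03-02 11:03:00",
     "EventInfo": "admin logged on from WS01"},
]


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a '*' wildcard (as typed into the rule) into a regex.

    Matching is case-insensitive so that "*admin*" covers "Administrators"
    and "Domain Admins"; that is an assumption of this example, not a
    statement about how LEM compares strings.
    """
    pieces = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


@dataclass
class Rule:
    name: str
    event_name: str          # correlation: the event/alert name to match
    field_name: str          # correlation: which data field to test
    pattern: str             # correlation: wildcard pattern for that field
    template: str            # action: email template with {merge} fields
    recipients: List[str]    # action: who receives the email
    enabled: bool = True     # the "Enable" check box

    def matches(self, event: Dict[str, str]) -> bool:
        if event.get("EventName") != self.event_name:
            return False
        value = event.get(self.field_name, "")
        return wildcard_to_regex(self.pattern).match(value) is not None

    def fire(self, event: Dict[str, str]) -> Dict[str, object]:
        # Merge fields are filled from the SAME event that satisfied the
        # correlation, which is the point the transcript stresses.
        return {
            "to": list(self.recipients),
            "subject": f"LEM rule fired: {self.name}",
            "body": self.template.format(**event),
        }


def run_rule(rule: Rule, events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Evaluate every event against the rule; return the emails it would send."""
    if not rule.enabled:
        return []
    return [rule.fire(e) for e in events if rule.matches(e)]


ADMIN_GROUP_RULE = Rule(
    name="New member in admin group",
    event_name="NewGroupMember",
    field_name="EventInfo",
    pattern="*admin*",
    template="Event: {EventName}\nTime: {DetectionTime}\nDetails: {EventInfo}",
    recipients=["secops@example.com"],  # placeholder address
)

if __name__ == "__main__":
    for mail in run_rule(ADMIN_GROUP_RULE, SAMPLE_EVENTS):
        print(mail["subject"])
        print(mail["body"])
        print()
```

Run over the sample, the rule produces two emails (the Administrators and Domain Admins additions) and ignores both the Backup Operators addition and the logon event that merely contains the word "admin", which is the behaviour the event-name correlation is there to guarantee.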
What are some useful rules to have in place and what actions or
responses should be utilized?
Being the hot topic that it is, a rule that looks for and responds to
specific change management events would be a good candidate.
Perhaps you just want to receive an email if a specific event occurs.
If an unauthorized user has compromised Active Directory, perhaps a more
aggressive response is appropriate.
A "Port Scan" rule would also be helpful.
It is somewhat more complex to correlate than other events, because a scan
shows up as connection attempts to many different ports from one source
within a short time rather than as a single event, but it is definitely
an activity that deserves a rapid response; automatically blocking the
offending IP address may well be the appropriate one.
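The port-scan correlation, as an added example written for this page and not code from SolarWinds or LEM. Unlike the single-event rule above, this one has to count events: it keeps, per source address, the connection attempts seen inside a sliding time window and fires a "block" action once a source has touched a threshold number of distinct ports in that window (the role a time-window condition such as the transcript's Correlation Time plays). The connection records, threshold, window and the block action are all assumptions of the example; the action is recorded as text rather than pushed to a firewall.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Connection:
    ts: datetime
    src: str
    dst: str
    port: int


def sample_connections() -> List[Connection]:
    """Constructed connection-attempt events; not real firewall or host logs."""
    base = datetime(2012, 3, 2, 10, 0, 0)
    events: List[Connection] = []
    # A fast scanner: 20 different ports on one host inside 10 seconds.
    for i in range(20):
        events.append(Connection(base + timedelta(milliseconds=500 * i),
                                 "10.0.0.99", "10.0.0.10", 20 + i))
    # A legitimate client: many connections, but always to the same port.
    for i in range(30):
        events.append(Connection(base + timedelta(seconds=i),
                                 "10.0.0.5", "10.0.0.10", 443))
    # A slow scanner: 15 distinct ports, but only one every 10 seconds.
    for i in range(15):
        events.append(Connection(base + timedelta(seconds=10 * i),
                                 "10.0.0.77", "10.0.0.10", 1000 + i))
    return sorted(events, key=lambda c: c.ts)


class PortScanRule:
    """Fire when one source touches >= `threshold` distinct ports within `window`."""

    def __init__(self, threshold: int = 10,
                 window: timedelta = timedelta(seconds=60)) -> None:
        self.threshold = threshold
        self.window = window
        # per-source sliding window of (timestamp, port) pairs
        self.recent: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)
        self.blocked: Set[str] = set()
        self.actions: List[str] = []

    def observe(self, c: Connection) -> Optional[str]:
        """Feed one event (events must arrive in time order); return the action taken, if any."""
        q = self.recent[c.src]
        q.append((c.ts, c.port))
        while q and c.ts - q[0][0] > self.window:   # expire events outside the window
            q.popleft()
        distinct_ports = {port for _, port in q}
        if len(distinct_ports) >= self.threshold and c.src not in self.blocked:
            self.blocked.add(c.src)                  # block once, not on every further packet
            action = (f"block {c.src} (hit {len(distinct_ports)} ports on {c.dst} "
                      f"within {int(self.window.total_seconds())}s)")
            self.actions.append(action)
            return action
        return None


def run(events: List[Connection], rule: Optional[PortScanRule] = None) -> PortScanRule:
    """Replay a time-ordered event list through the rule and return it for inspection."""
    rule = rule or PortScanRule()
    for e in events:
        rule.observe(e)
    return rule


if __name__ == "__main__":
    for action in run(sample_connections()).actions:
        print(action)
```

With the defaults (10 ports in 60 seconds) only the fast scanner is blocked: the legitimate client hits one port many times, and the slow scanner never has more than seven distinct ports inside any 60-second window. Tightening the threshold to 5 catches the slow scanner as well, which is the trade-off a time-window condition asks you to choose.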
Sudden spikes in network traffic from a particular machine or device
might warrant a response such as an email.
Perhaps you want your rule to disable networking on that device
until you ascertain what the problem is.
A "Process Kill" rule is another excellent candidate.
Such a rule can stop someone from playing games on company time
and equipment, or visiting inappropriate or potentially malicious websites.
Along with killing the process, you might want to send the offending user
a pop-up message informing them of their violation of corporate policy.
A "Detach USB Device" rule should also be high on the list.
Such devices are probably the easiest method for someone to
walk out the door with your sensitive data or files.
Basically, any activity or event that could pose a threat to our networks
would be a good candidate for a rule.
For more information on how to easily customize LEM for your environment,
please visit