Have you been seeing some suspicious URLs appear in your reports? You can now set a rule to track that activity with SolarWinds Log & Event Manager (LEM). LEM has many configured rules built into it for your ease of use. For this particular procedure, you can clone and enable the Known Spyware Site Traffic rule to track when users attempt to access suspicious websites by partial or complete URL addresses. The default action for this rule is to generate a HostIncident event, which you can use in conjunction with the Incidents report to prove to auditors that you are auditing the critical events on your network.

Before enabling this rule, ensure your proxy server transmits complete URL addresses to your SolarWinds LEM Manager by checking the URL field of any WebTrafficAudit event generated by your proxy server. If your proxy server does not log web traffic events with this level of detail, check the events coming from your firewalls, as they can sometimes be used for this rule as well.


To clone and enable the Known Spyware Site Traffic rule:

  1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator.
  2. Select the Build tab, and then click Rules.
  3. Click NATO5 Rules on the Refine Results pane (left).
  4. Enter Known Spyware Site Traffic in the search box at the top of the Refine Results pane.
  5. Click the gear button next to the rule (left), and then click Clone.
  6. Select the folder where you want to save the cloned rule, and then click OK.
  7. Select Enable at the top of the Rule Creation window, next to the Description field.
  8. Click Save.
  9. Back on the main Rules screen, click Activate Rules.
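The two checks this page describes, the prerequisite (do the proxy's WebTrafficAudit events carry complete URLs?) and what the cloned rule does once enabled (match the URL field by partial or complete address and raise a HostIncident), shown as an added, stand-alone example. This is not SolarWinds code: the event field names, the sample events and the watchlist are constructed assumptions modelled on the page's wording, not the LEM schema or the rule's real list.

```python
"""Added example (not SolarWinds code). Field names such as EventType,
SourceMachine and URL are assumptions, not the LEM event schema."""
from urllib.parse import urlsplit

# Constructed sample events in the shape a proxy might forward to LEM.
SAMPLE_EVENTS = [
    {"EventType": "WebTrafficAudit", "SourceMachine": "ws01",
     "URL": "http://example-spyware.test/track?id=1"},
    {"EventType": "WebTrafficAudit", "SourceMachine": "ws02",
     "URL": "https://intranet.example.test/home"},
    {"EventType": "WebTrafficAudit", "SourceMachine": "ws03",
     "URL": "example-spyware.test"},          # host only, not a complete URL
    {"EventType": "WebTrafficAudit", "SourceMachine": "ws04",
     "URL": ""},                              # proxy logged no URL at all
    {"EventType": "UserLogon", "SourceMachine": "ws05"},  # not web traffic
]

# Constructed watchlist; the built-in rule ships with its own site list.
SPYWARE_SITE_PATTERNS = ["example-spyware.test", "http://bad.example.test/collect"]


def url_is_complete(url):
    """True when the URL field holds a full address (scheme and host)."""
    parts = urlsplit(url or "")
    return bool(parts.scheme and parts.netloc)


def hosts_with_incomplete_urls(events):
    """Prerequisite check from the text: which WebTrafficAudit events lack
    a complete URL? An empty list means the proxy is logging enough detail."""
    return [e["SourceMachine"] for e in events
            if e.get("EventType") == "WebTrafficAudit"
            and not url_is_complete(e.get("URL"))]


def match_known_spyware_sites(events, patterns=SPYWARE_SITE_PATTERNS):
    """Mimic the rule's logic: substring match of the URL field against the
    watchlist (partial or complete address) and emit a HostIncident-like
    record for each hit, so the Incidents report has something to show."""
    incidents = []
    for e in events:
        if e.get("EventType") != "WebTrafficAudit":
            continue
        url = (e.get("URL") or "").lower()
        for pat in patterns:
            if pat.lower() in url:
                incidents.append({"EventType": "HostIncident",
                                  "SourceMachine": e["SourceMachine"],
                                  "URL": e["URL"], "Matched": pat})
                break
    return incidents
```

Run the prerequisite check first: if it returns any hosts, the proxy is not sending complete URLs for them and, as the text says, the firewall's events are the fallback source.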