Hi All! We are just getting started with SAM and we want to set up a SAM alert for any login to a large subset of our VM servers for any user except a couple. This would be for domain and local accounts. The idea is to exclude the very few accounts that would legit need to perform daily operations from the alert but receive alerts if: * a local account is added then logged into * the existing local admin account is used * a domain user logs into a server (outside of the few currently authorized accounts) We have other controls in place, such as only allowing login for a minimal set of users and service accounts, but this would be a "fail-safe" in case these controls are defeated/bypassed. The idea is that if an alert for a server login pops up on the NOC view for a local admin account, unrecognized account, or domain account (outside of the few authorized ones) the System Admin and Help Desk would immediately be able to investigate and remediate. Any advice on setting this up would be greatly appreciated.

Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

Looking for a SAM template for user login alerts

Hi All!

We are just getting started with SAM and we want to set up a SAM alert for any login to a large subset of our VM servers for any user except a couple. This would be for domain and local accounts. The idea is to exclude the very few accounts that would legit need to perform daily operations from the alert but receive alerts if:

a local account is added then logged into
the existing local admin account is used
a domain user logs into a server (outside of the few currently authorized accounts)

We have other controls in place, such as only allowing login for a minimal set of users and service accounts, but this would be a "fail-safe" in case these controls are defeated/bypassed.

The idea is that if an alert for a server login pops up on the NOC view for a local admin account, unrecognized account, or domain account (outside of the few authorized ones) the System Admin and Help Desk would immediately be able to investigate and remediate.

Any advice on setting this up would be greatly appreciated.

Find more posts tagged with

Accepted answers

All comments

Seashore

Logins are logged in the Windows event log, security log, right. Can a normal "SAM Event log Montior" do the trick for you?

adam.beedell

I would go SAM -> +3 or so event log monitors -> 2 or 3 alerts, should be reasonably easy to test given some server to work on

adam.beedell

Note you're getting into the security/siem world here, if this is sufficient and you've got SAM already it should be a quick add, if this is the first in a series of asks there is probably something in one of the other products that can help while being a little less custom