Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

Ability to ignore or whitelist certain events, so they don't count toward alerting thresholds

An Active Directory Application Monitor using the AppInsight for Active Directory template is generating a large number of alerts related to
"A logon was attempted using explicit credentials."
These events are being generated on our domain controllers, because some of our application servers use certain Account Names to frequently do LDAP binds. These alerts are false-positives, because we consider them normal operations. It is easy enough to raise the alerting thresholds from the default , but this can hide a real threat.

I am requesting an enhancement to allow us to define that if certain fields contain specific values, they will not count toward triggering an alert. In our use case, if an Account Name is the LDAP bind name, the alerting component will ignore the event.

Find more posts tagged with

appinsight

Status: None

Comments

jfaldmo

I've seen the same in our environment. In addition to ignoring certain account names it would have to be from identified servers as well. If an account it connecting from an unapproved server then it should count against the threshold.

mestasew

I have the same problem of getting an alert coming from accounts running some process that are identified as a valid explicit credential use .

I have attempted to use the component feature setting intended to exclude events on the alert. This feature helps to exclude events by defining key words on the event. I defined a known account names as keywords to exclude from the alert , but the alert still triggers for the excluded accounts.

So I vote Solarwinds to improve this exclusion feature to accurately work excluding alerts for accounts stated as legit.

mestasew

I was able to use exclusion keywords to define accounts and process for avoiding alerts from a known accounts with the help of a SolarWinds support representative.

However the exclusion feature still needs improvement to define two combined key words as as a condition. For instance defining account "xyz" with process "abc" . This will make the alert to reach to ideal benefits.

robren

@mestasew

"I was able to use exclusion keywords to define accounts and process for avoiding alerts from a known accounts with the help of a SolarWinds support representative."

Could you please elaborate on how you created the exclusion?

Thanks,

Robert

mestasew

Hello Robert

I edited application monitor component to exclude the accounts that we validated on the exclude events with key words Below option.

You will find the match definition under the component by expanding the + sign. checkout screenshot below .

robelk

@mestasew I believe Robert is referring to the component monitor within the AppInsight for Active Directory template which lacks the granularity to be able to make those same adjustments as you can to the regular application monitor. Please see attached pic.

Annotation 2020-07-08 120558.jpg

mestasew

The component name is the same " attempted to logon explicit credentials event" But mine is from an application component called "windows server 2008-2016 domain controller security"

I think both have the same purpose. So may be you can try to override template to get more options for specifying particular settings for the component or may use the 08-16 domain controller security template.