Hi guys, I'm setting up SEM from scratch and importing default rule templates one by one is driving me crazy. Does anyone have an exported .json file of the basic Windows / AD monitoring rules they can share?
While I can't attach a physical .json file here, I can give you the exact sequence to bulk-import the default "Windows / AD" rule packs that SolarWinds provides. In the newer versions of SEM (2022+), you can actually import multiple rules from a single JSON file if you know where to grab them from the community or the documentation.
Instead of one-by-one, use the Import Rules feature with a bundled file. SolarWinds provides a set of common security rule templates in the Rules → Templates tab, but to get them into your "Active" list in bulk, follow this:
Since you’re building your Evidence Layer, these are the "Must-Haves" for an AD setup to ensure you aren't just seeing logs, but interpreting State:
| Rule Category | Evidence (Raw Log) | Interpreted State (The "Story") |
|---|---|---|
| Account Lockouts | Event 4740 | "Brute force attack or misconfigured service account." |
| Privilege Escalation | Event 4728/4732 | "Unauthorized user added to Domain Admins." |
| Object Deletion | Event 4660 | "Critical configuration drift or malicious cleanup." |
| Logon Failures | Event 4625 | "Potential credential stuffing on DC." |
If you're finding the JSON approach finicky, try this:
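Added example, not part of the reply above and not SEM's rule JSON format: a small Python rule pass that turns the four "Evidence → Interpreted State" rows from the table into findings over constructed Windows Security event records. The record field names, the FAIL_THRESHOLD value and the SENSITIVE_GROUPS set are assumptions; note that 4625 only becomes a finding in aggregate, and 4728/4732 only when the target group is sensitive.

```python
from collections import defaultdict

# Constructed sample Windows Security events (not an SEM export; the field
# names are assumptions). Five 4625 failures from one source against five
# different accounts model a spray against the DC.
SAMPLE_EVENTS = [
    {"id": 4625, "src": "10.0.0.5", "user": u, "host": "DC01"}
    for u in ("alice", "bob", "carol", "dave", "erin")
] + [
    {"id": 4740, "src": "10.0.0.5", "user": "svc_backup", "host": "DC01"},
    {"id": 4728, "src": "10.0.0.9", "user": "mallory", "group": "Domain Admins"},
    {"id": 4732, "src": "10.0.0.9", "user": "mallory", "group": "Remote Desktop Users"},
    {"id": 4660, "src": "10.0.0.9", "user": "mallory", "object": "CN=GPO-Baseline"},
]

# Hypothetical tuning: a 4625 storm becomes a finding only once one source
# has failed against this many distinct accounts.
FAIL_THRESHOLD = 5
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}


def interpret(events):
    """Turn raw event IDs into the 'Interpreted State' rows from the table.

    Returns (rule_category, interpreted_state, detail) tuples."""
    findings = []
    failed_users = defaultdict(set)  # source IP -> accounts that failed logon
    for ev in events:
        eid = ev["id"]
        if eid == 4625:
            failed_users[ev["src"]].add(ev["user"])
        elif eid == 4740:
            findings.append(("Account Lockouts", "Brute force attack or misconfigured service account",
                             f"{ev['user']} locked out, caller {ev['src']}"))
        elif eid in (4728, 4732) and ev.get("group") in SENSITIVE_GROUPS:
            # 4732 into a non-sensitive local group is noise, not escalation
            findings.append(("Privilege Escalation", "Unauthorized user added to Domain Admins",
                             f"{ev['user']} added to {ev['group']}"))
        elif eid == 4660:
            findings.append(("Object Deletion", "Critical configuration drift or malicious cleanup",
                             f"{ev.get('object', '?')} deleted by {ev['user']}"))
    # Logon failures are a finding only in aggregate, never per event.
    for src, users in failed_users.items():
        if len(users) >= FAIL_THRESHOLD:
            findings.append(("Logon Failures", "Potential credential stuffing on DC",
                             f"{src} failed against {len(users)} accounts"))
    return findings
```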