Can someone tell me how to create a rule in LEM to show activity by the administrator user or users in the admin group? Or is there perhaps a report in the SW LEM reports module?
Thank you, Rick
Hi rickb@fresnocfcu.org,
There are a couple of ways to monitor administrator activity.
First, I would caution against configuring a rule for all administrator activity. With everything an administrator "touches" day in and day out, the types and amount of alerts you receive would result in a lot of noise. Instead, we recommend setting up rules for specific activity such as logon failures, changes made by administrator accounts, and changes made to those administrator accounts. LEM provides a number of rules (Build->Rules) for this type of activity out of the box. I would recommend taking a look at the rules within the Activity Type->Administrative Monitoring section of the Rule Categories and Tags dropdown to determine if those will fit your needs. From there you can view the rule details, clone individual rules, or enable them in bulk.
Creating Rules for Real-time Correlation and Response with Log & Event Manager - Videos | SolarWinds
Several of these rules look for the default administrator account and admin groups via pre-built User Defined Groups. You can edit these groups to include any additional administrator accounts/groups that you would like through the Build->Groups section of the LEM web console. The other option would be to include your existing AD groups by configuring the Directory Service Query connector.
From a reporting perspective, you have a couple of options.
Thanks,
Chris
Hi rickb@fresnocfcu.org - I have moved this to the LEM forum in the hopes you will have some more visibility on this question from folks that know LEM well.
Thank you, Ma'am
I get the Windows event codes from https://www.ultimatewindowssecurity.com/
The ones I use are:
Domain Admins Group additions and deletions using Auditable Group Events.EventInfo" = Member "*" (added/deleted) from group "XXXXXXXX\Domain Admins"
This emails me when users are added to or removed from Domain Admins.
Domain passwords changed using Admin privileges using UserModifyAttribute.ProviderSID = *4724*
This emails me when an admin changes a user's password.
Create email templates to fill in the who, when, and where-from details.
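As an added illustration of the two narrow rules described in this thread (this is not LEM's own code and not from any poster; LEM rules are built in the web console), here is a small Python stand-in that evaluates normalized Windows Security events against an "admin accounts" set and a "watched groups" set, the way LEM's User Defined Groups feed its pre-built rules, and fills a who/what/where/when email body. It assumes events have already been normalized into dicts with the fields shown; all account names, group names, hostnames and timestamps are constructed sample data. Event ID 4724 is the password-reset event named above; 4728 and 4729 are the standard Windows IDs for a member being added to or removed from a security-enabled global group, which is where Domain Admins membership changes land.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Standard Windows Security event IDs (Microsoft-defined; 4724 is the one named in the thread).
PASSWORD_RESET = 4724            # An attempt was made to reset an account's password
GLOBAL_GROUP_MEMBER_ADDED = 4728   # A member was added to a security-enabled global group
GLOBAL_GROUP_MEMBER_REMOVED = 4729  # A member was removed from a security-enabled global group

# Stand-in for LEM's User Defined Groups (Build->Groups). Constructed values; edit for your domain.
ADMIN_ACCOUNTS = {r"CORP\Administrator", r"CORP\jsmith.adm"}
WATCHED_GROUPS = {r"CORP\Domain Admins"}


@dataclass
class Alert:
    rule: str
    who: str    # subject account that performed the action
    what: str
    where: str  # computer that logged the event
    when: str


def evaluate(event: Dict[str, str]) -> Optional[Alert]:
    """Apply the two narrow rules from the thread to one normalized event.

    Everything else returns None on purpose: routine admin activity such as
    logons or file access is not alerted on, only these specific changes are.
    """
    eid = int(event["event_id"])
    if eid in (GLOBAL_GROUP_MEMBER_ADDED, GLOBAL_GROUP_MEMBER_REMOVED) \
            and event.get("group") in WATCHED_GROUPS:
        verb = "added to" if eid == GLOBAL_GROUP_MEMBER_ADDED else "removed from"
        return Alert(
            rule="Admin group membership change",
            who=event["subject"],
            what=f'Member "{event["target"]}" {verb} group "{event["group"]}"',
            where=event["computer"],
            when=event["time"],
        )
    if eid == PASSWORD_RESET and event["subject"] in ADMIN_ACCOUNTS:
        return Alert(
            rule="Password reset using admin privileges",
            who=event["subject"],
            what=f'Password reset for "{event["target"]}"',
            where=event["computer"],
            when=event["time"],
        )
    return None


def run_rules(events: Iterable[Dict[str, str]]) -> List[Alert]:
    """Run every event through the rules and keep only the matches."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


def format_email(alert: Alert) -> str:
    """Stand-in for an email template that fills in who / what / where / when."""
    return (
        f"Subject: [LEM] {alert.rule}\n"
        f"Who:   {alert.who}\n"
        f"What:  {alert.what}\n"
        f"Where: {alert.where}\n"
        f"When:  {alert.when}\n"
    )


# Constructed sample events (not real logs), already normalized from the Security log.
SAMPLE_EVENTS = [
    {"time": "2024-01-15T08:02:11Z", "event_id": "4624", "subject": r"CORP\jsmith.adm",
     "target": r"CORP\jsmith.adm", "computer": "DC01"},   # admin logon: noise, no alert
    {"time": "2024-01-15T08:05:40Z", "event_id": "4728", "subject": r"CORP\jsmith.adm",
     "target": r"CORP\contractor1", "group": r"CORP\Domain Admins", "computer": "DC01"},
    {"time": "2024-01-15T08:06:02Z", "event_id": "4724", "subject": r"CORP\jsmith.adm",
     "target": r"CORP\bsmith", "computer": "DC01"},
    {"time": "2024-01-15T08:07:30Z", "event_id": "4724", "subject": r"CORP\helpdesk1",
     "target": r"CORP\bsmith", "computer": "DC01"},       # reset by a non-admin account: no alert
    {"time": "2024-01-15T08:09:00Z", "event_id": "4728", "subject": r"CORP\jsmith.adm",
     "target": r"CORP\contractor1", "group": r"CORP\Sales", "computer": "DC01"},  # unwatched group
    {"time": "2024-01-15T17:30:00Z", "event_id": "4729", "subject": r"CORP\Administrator",
     "target": r"CORP\contractor1", "group": r"CORP\Domain Admins", "computer": "DC02"},
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(format_email(alert))
```

Running it against the sample set produces three emails (the Domain Admins add, the admin-initiated reset, and the Domain Admins removal) and silently drops the logon, the help-desk reset and the Sales group change, which is the noise-versus-signal split the first reply recommends.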