Hello,
Has anyone been able to come up with a custom rule to detect ZeroLogon vulnerability exploitation? I would like to hear from anyone that has created a rule.
cheers!!!
Thanks.
Does SolarWinds assist customers in creating custom rules like this, especially when new threats appear in the InfoSec space? e.g. does SolarWinds have use cases like other vendors?
Check first if you have any events for this before creating a rule.
Once you find the event, you can create the rule easily.
Here is a script to check:
https://support.microsoft.com/en-us/help/4557233/script-to-help-in-monitoring-event-ids-related-to-changes-in-netlogon
Please read this:
https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc#:~:text=Log%20event%20ID%205829%20in,starts%20on%20February%209%2C%202021.
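An added example, not from this thread and not Microsoft's linked script, that does the same first step in PowerShell: it queries the System log on a list of domain controllers for the NETLOGON event IDs the linked article describes (5827 to 5831) and summarises them by DC and ID, so you know which events you actually have before building the SEM rule. The DC names in `$Servers` and the 7-day window are assumptions.

```powershell
# Added example: confirm which Netlogon secure-channel events your DCs log
# before writing a SEM rule. Needs rights to read the System log on each DC.
param(
    [string[]]$Servers = @('DC01', 'DC02'),   # constructed placeholder names, replace with your DCs
    [int]$Days = 7                            # assumed look-back window
)

# Event IDs from the linked Microsoft article:
#   5827/5828 - denied vulnerable connection (machine account / trust account)
#   5829      - allowed vulnerable connection while in the initial deployment phase
#   5830/5831 - allowed by a group policy exception (machine account / trust account)
$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = (Get-Date).AddDays(-$Days)
}

$results = foreach ($dc in $Servers) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    DC      = $dc
                    Time    = $_.TimeCreated
                    Id      = $_.Id
                    Message = $_.Message
                }
            }
    }
    catch {
        # Get-WinEvent throws when zero events match; that is a normal result, not a failure.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}

# Counts per DC and event ID: this tells you which IDs a rule can actually key on.
$results | Group-Object DC, Id | Select-Object Name, Count | Sort-Object Name

# 5829 is the one to review first: a vulnerable connection that was allowed.
$results | Where-Object Id -eq 5829 | Format-List DC, Time, Message
```

If the summary shows no 5827 to 5831 events at all, check that the DCs have the Netlogon update installed and that the System log is forwarded to SEM before spending time on the rule.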
This will have to be created manually as a custom rule. I don't think SolarWinds SEM has constant updates for new rules.
You can call them for support to create a rule for you.