Assist with creation of rule

Can anyone help me with rules for the events below on SEM?

Simultaneous Logins
Malware Detection on systems – with the view to take action at a later point in time (remove system from the network).
New Application Installation on systems
Traffic by Destination Port
SEM Log storage
Server Status
Torrent Traffic.

    Hi,

    A lot of these are going to be based on what devices you have sending information into SEM. I will do my best to outline how I'd do these rules myself; hopefully they can give you a start:

    1. 

    Device/connectors: Domain Controller with Windows Security connector (Must configure auditing in Group Policy too)

    Rule set-up: 

    2. 

    Device/Connector: Workstations added to SEM and connector for Windows Defender. (Depending on anti-virus solution this will vary. I will use Windows Defender as an example.)

    Rule Set-up:

    3. 

    Device/Connector: Windows Security

    Rule:

    4. 

    Device/Connector: Firewall connector and I would suggest creating a user defined group for the list of ports. 

    Rule:

    5. 

    May I suggest the SEM Log Storage Dashboard widget instead:

    6.

    May I suggest the node health Dashboard widget instead:

    7.

    Device/Connector: Firewall again, but you may have to configure the Firewall to categorise Torrent data as SEM only gets certain fields like IP and Port, but not the application type. Once that happens you can do it similar to 4.

    Let me know if you have any questions - I know it's a little information-light.

    Kind regards, 

    Marlie Fancourt | SolarWinds Pre-Sales Manager | Prosperon Networks
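The reply above describes rules 1 and 4 (simultaneous logins from domain-controller logon events, and traffic matched against a user-defined destination-port group) in terms of SEM connectors and UI set-up, with no rule bodies. As an added illustration that is not part of the original post and is not SEM's own rule logic, the block below implements both checks in plain Python over constructed sample events. The event dicts, their field names (`user`, `src`, `dport`, ...), the 5-minute window and the port group are all assumptions for the example; SEM normalises fields under its own names. Rule 7 (torrent traffic) would use the same port-group match only once the firewall itself labels the application, as the reply notes.

```python
"""Added example (not from the original post): toy versions of SEM rules 1
and 4 over constructed Windows Security logon events and firewall events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security logon events (Event ID 4624) as a
# domain controller would report them. Field names are assumptions.
LOGON_EVENTS = [
    {"time": "2024-01-10T09:00:00", "user": "jdoe", "src": "10.0.1.15", "logon_type": 10},
    {"time": "2024-01-10T09:02:00", "user": "jdoe", "src": "10.0.2.77", "logon_type": 10},
    {"time": "2024-01-10T09:30:00", "user": "asmith", "src": "10.0.1.20", "logon_type": 2},
    {"time": "2024-01-10T10:45:00", "user": "asmith", "src": "10.0.3.5", "logon_type": 2},
    {"time": "2024-01-10T11:00:00", "user": "svc-backup", "src": "10.0.1.9", "logon_type": 3},
    {"time": "2024-01-10T11:00:05", "user": "svc-backup", "src": "10.0.1.9", "logon_type": 3},
]

# Constructed sample firewall events: only IP and port, no application type,
# which is the limitation the reply points out for torrent detection.
FIREWALL_EVENTS = [
    {"time": "2024-01-10T09:01:00", "src": "10.0.1.15", "dst": "203.0.113.10", "dport": 443, "action": "allow"},
    {"time": "2024-01-10T09:03:00", "src": "10.0.1.15", "dst": "203.0.113.10", "dport": 3389, "action": "allow"},
    {"time": "2024-01-10T09:04:00", "src": "10.0.2.77", "dst": "198.51.100.4", "dport": 6881, "action": "allow"},
    {"time": "2024-01-10T09:05:00", "src": "10.0.3.5", "dst": "192.0.2.8", "dport": 22, "action": "allow"},
]

# Stand-in for the user-defined port group the reply suggests creating in SEM.
REMOTE_ACCESS_PORTS = {22, 3389, 5900}


def _ts(value):
    """Parse the ISO timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def simultaneous_logins(events, window=timedelta(minutes=5)):
    """Rule 1: return (user, earlier_src, later_src) for every pair of logons
    by the same user from two different source addresses within `window`.
    Repeated logons from the same source (e.g. a service account reconnecting)
    are deliberately not reported."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    hits = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: _ts(e["time"]))
        for i, current in enumerate(user_events):
            for previous in user_events[:i]:
                same_source = previous["src"] == current["src"]
                gap = _ts(current["time"]) - _ts(previous["time"])
                if not same_source and gap <= window:
                    hits.append((user, previous["src"], current["src"]))
    return hits


def traffic_to_ports(events, port_group):
    """Rule 4: return firewall events whose destination port is in the group.
    Matching on port alone says nothing about the application, so a torrent
    rule (item 7) needs the firewall to add an application label first."""
    return [event for event in events if event["dport"] in port_group]


if __name__ == "__main__":
    for hit in simultaneous_logins(LOGON_EVENTS):
        print("simultaneous login:", hit)
    for event in traffic_to_ports(FIREWALL_EVENTS, REMOTE_ACCESS_PORTS):
        print("remote-access port:", event["src"], "->", event["dst"], event["dport"])
```

With the constructed data, only `jdoe` trips rule 1 (two sources two minutes apart); `asmith` logs on from two places 75 minutes apart, which only matches if the window is widened, and `svc-backup` repeats from one address and is ignored. Rule 4 returns the 3389 and 22 connections and leaves the 6881 flow alone, since nothing on the event says it is BitTorrent.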