New to SEM What kind of logs and rules should I monitor/create first?

Hello everyone! This is my first time diving into SEM from Solarwinds. I have created a simple rule to monitor remote logins from computers that normally would never RDP into anything. This was my first rule I ever made and it was mainly created so I could learn the system, but it can be helpful if an admin saved their credentials and then a standard user RDP into something using those credentials. 

My question- What are some of your favorite rules that you have created? Where should I look to gain best practices for this tool? What do you think are the most important things to track and report? What kind of reports/rules do you have for your firewall?

Any advise will be much appreciated!

Parents
  • 1. Ensure you enable additional logging on the AD server for success and failure which is not by default. reference MS security Baseline if your not sure.

    2. if you have an LDAP connection setup import directory groups to filter by department(depends if you setup your AD this way).  

    3. I set up a reverse proxy with a public DNS name for agents to connect to this means getting data back to sem regardless of VPN status. 

    4. Setup of query or live events group to track VPN logins.

    That is a good start

Reply
  • 1. Ensure you enable additional logging on the AD server for success and failure which is not by default. reference MS security Baseline if your not sure.

    2. if you have an LDAP connection setup import directory groups to filter by department(depends if you setup your AD this way).  

    3. I set up a reverse proxy with a public DNS name for agents to connect to this means getting data back to sem regardless of VPN status. 

    4. Setup of query or live events group to track VPN logins.

    That is a good start

Children
No Data