Comments
-
This is an interesting topic. Due to STIGs and 800-53 security controls I get a LOT of events per minute. I'm interested in hearing more about dealing with many events and the best ways to use SEM search and reporting features. I worked with the UX team on the replacement for Crystal Reports. What do you modify in your SEM to assist…
-
Mine are Windows machines. I wonder if the fact that they're STIG'd has anything to do with it? Bill
-
Also, the source account always seems to be a machine account, like hostname$.
-
I'm getting these too from multiple detection IPs: UserLogonFailure Logon Failure "\" They're all Kerberos and Logon Process Authz. Some are webservers and some are sqlservr.exe in the extraneous info field. Bill
-
Would be pretty nice aye!
-
Is this ACS as in Cisco Access Control Server?
-
The UI team is one of the best teams SW has going. By asking us what works and what doesn't, it really helps make things better.
-
We would love any new HTML5 interface reporting at this point. One of the main things I always had to use it for was capacity information that the application just didn't show. The new KPI Widget helps some with this. Bill
-
I haven't figured out private messages yet so ;^} Case # 00732298
-
Thanks Chris! I guessed that was the case, but I'm always extra careful with this specific VM. The nice thing is it's a VM, so worst case I can roll back to a snapshot of it or even a Commvault backup if there wasn't a snapshot. Bill
-
You can see why I was a little hesitant at first.
-
Author: Jared Jackson [technicalsupport@solarwinds.com] Recipient: william.eckler@gd-ms.com documentation.solarwinds.com/.../SEM_2020-4-1_Release_Notes.htm
Bill, I opened the link you sent and it states the same thing I just sent you. You will need to upgrade to 2020.2.2 before you can upgrade to 2020.4.1. Also, if you were…
-
@"Radioteacher" Me too... gate was way before my time really. I'm lucky with one system and the other is offline right now. I'm hoping SEM has nothing to do with this. I'm pretty sure it's a totally different codebase and totally different developers. It seems this may have been done to target specific targets. The DHS…
-
I completely agree... sometimes you don't have a choice with these things. Bill
-
Nice sharing this information... this is what thwack is really good for! You helped save 3 people we know of and probably even more we didn't hear about. Bill
-
In some crazy way, if FireEye hadn't noticed the breach they had, this could have gone on a lot longer. For those of us affected it's a drag, but geesh, if this hadn't been noticed and kept going on, just think what it could have meant. This isn't some kid in his basement that did this. It's actually pretty elegant how this APT…
-
Yes me too! We really liked the old platform and from what I hear it's been greatly improved and has many new features now. Bill
-
@"Radioteacher" once again with the best information. The best details of the incident are in: FIREEYE: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html The GitHub link contains tools/filters to help see the APT. Bill
-
I know it's a little confusing with the different modules. The NTA HF2 isn't the same thing as the hopefully coming soon 2020.2.1 HF 2 for Orion Platform. I don't think it's been released yet. Bill
-
Personally I wouldn't right away. If you're not affected you're not affected right now. I'm not sure right now is the best time to be doing upgrades until the dust settles if you're not affected. That's just me though. I definitely wouldn't upgrade until the 2020.2 HF 2 version comes out possibly today. Your version, if…
-
SolarWinds Orion Platform 2019.4 HF 5 < 2020.2.1 HF 2 SUNBURST Malware Backdoor HIGH Nessus Plugin ID 144198 Synopsis: An application running on the remote host is affected by a malware backdoor. Description: The version of SolarWinds Orion Platform running on the remote host is 2019.4 HF 5 or later but prior to 2020.2.1 HF 2.…
-
If your software appears on the Security Advisory page, load the Orion Core Hotfix 2 when it is released, scheduled for December 15 (today). It says it was 2019.4 Hotfix 5 that had the problem. If you aren't on HF5 I think you might have dodged the bullet. Of course you could always contact support to make sure, but that's…
-
Helpful info to search for hashes from SANS: https://isc.sans.edu/forums/diary/SolarWinds+Breach+Used+to+Infiltrate+Customer+Networks+Solarigate/26884/ What you should do at this point: * Verify if you are running SolarWinds Orion version 2019.4 through 2020.2.1HF1 and if so, assert which networks are managed by it (likely…
-
Might have to get some verification from support. Sometimes the database schema changes between versions and this is where you can run into problems. As some have suggested what if you used new servers and patched version from tomorrow and restored your SQL server from a date prior to the APT versions? So basically a…
-
This is good in case you're not on an affected version and someone still thinks it's smart to upgrade to 2020.2.1 HF2 right now! I'm not sure why anyone would think this is a good idea right away, but... that's just me. Bill
-
A Disciplined Approach to IT!!! Threat Detectives was the BEST! Thomas and Dez on the case! This was so awesome! https://play.vidyard.com/oQGoXyDKEi4GtSYSPHmoiT?disable_popouts=1&v=4.2.27 Bill
-
We're using nothing but the HTML5 interface.... Flash isn't even installed. Can't wait now for the new reporting. I know that will be a big undertaking to get the reports added in. Bill
-
I'm really looking forward to the new reporting engine! Bill
-
Telepathy, i.e. mind reading. Bill