
Hacked... Alert Templates for Orion to alert in future?

Hi All,

We were breached over the weekend. Someone got in, changed our DNS entries, changed the IT department's passwords, and then blocked all emails going out.

We're unsure of file changes, but traffic on Orion NPM shows 500 MB outbound on the firewall's external port.

Do you guys know any alert templates that I can use with Orion Alert Manager that will allow me to monitor:

* When a user logs on to a server
* When DNS has been changed e.g. a record added or removed?
* When a user's password has been changed / expired / account disabled in AD?
* High traffic over the weekend on the firewall's I/O External port?

Any other suggestions that are in line with what I'm thinking would be great

PS. We're running a system with Server 2012, 3.2 GHz, 16 GB RAM, 128 GB SSD & 250 GB RAID 1 data drive, with the following:

  • Network Performance Monitor v10.7
  • Server & Application Monitor v6.1.0
  • NetFlow Traffic Analyzer v4.0.1

Thanks
James

  • Sorry to hear that sir. With NPM 10.7, you can set baseline thresholds for interface traffic that could detect anomalous traffic. SAM also has templates for most of what you are looking for:

    * When a user logs on to a server - Windows event log monitor for login events

    * When DNS has been changed e.g. a record added or removed?  DNS User Experience Template would alert on this

    * When a user's password has been changed / expired / account disabled in AD? Windows Event Log monitor would enable this. May be worthwhile to check out SolarWinds Log and Event Manager: SIEM | Log Analysis | Log & Event Management for IT Security & Compliance | SolarWinds
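The Windows event log and DNS checks the reply above points at, as an added worked example for this thread (not SolarWinds code and not from either poster): it runs detection logic over a handful of constructed Windows Security log records for the first and third items in the question (interactive logons to a server, password changes/resets and account disables in AD), and compares a resolver's answers to a saved baseline for the second (DNS records added or removed). The event IDs are the documented Windows Security log IDs; the hosts, users, addresses, timestamps and internal networks are assumptions.

```python
"""Detection logic for three of the alerts asked for in this thread, run over
constructed Windows Security log records plus a DNS record baseline comparison.
Added example; the event IDs are the documented Windows ones, everything else
(hosts, users, networks, timestamps) is made up."""
import ipaddress
from datetime import datetime

# Documented Windows Security log event IDs
EVT_LOGON = 4624             # An account was successfully logged on
EVT_PASSWORD_CHANGE = 4723   # An attempt was made to change an account's password (by its owner)
EVT_PASSWORD_RESET = 4724    # An attempt was made to reset an account's password (by someone else)
EVT_ACCOUNT_DISABLED = 4725  # A user account was disabled

# 4624 logon types that put a person (or an RDP session) on the box.
# Type 3 (network) is left out on purpose: shares and monitoring polls produce it constantly.
INTERACTIVE_LOGON_TYPES = {2, 7, 10, 11}   # console, unlock, RemoteInteractive (RDP), cached

# Assumed internal address space; anything else is treated as external
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample events (keys loosely follow the Security log's EventData names)
SAMPLE_EVENTS = [
    {"time": "2014-03-15T02:14:09", "id": 4624, "computer": "DC01", "subject": None,
     "target": "jsmith", "logon_type": 10, "ip": "203.0.113.45"},      # Saturday RDP from outside
    {"time": "2014-03-15T02:20:31", "id": 4724, "computer": "DC01", "subject": "jsmith",
     "target": "administrator", "logon_type": None, "ip": None},       # reset someone else's password
    {"time": "2014-03-15T02:21:02", "id": 4725, "computer": "DC01", "subject": "jsmith",
     "target": "it.oncall", "logon_type": None, "ip": None},           # disabled an account
    {"time": "2014-03-17T09:01:44", "id": 4624, "computer": "FILE01", "subject": None,
     "target": "svc_backup", "logon_type": 3, "ip": "10.0.0.7"},       # network logon, ignored
    {"time": "2014-03-17T09:05:00", "id": 4624, "computer": "FILE01", "subject": None,
     "target": "agarcia", "logon_type": 2, "ip": "-"},                 # Monday console logon
]


def is_weekend(ts):
    return datetime.fromisoformat(ts).weekday() >= 5


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # "-" for console logons, or no address at all
        return True
    return any(addr in net for net in INTERNAL_NETS)


def triage(events):
    """Return (severity, time, message) tuples; HIGH is what you would page on."""
    alerts = []
    for e in events:
        if e["id"] == EVT_LOGON:
            if e["logon_type"] not in INTERACTIVE_LOGON_TYPES:
                continue
            sev = "HIGH" if is_weekend(e["time"]) or not is_internal(e["ip"]) else "INFO"
            alerts.append((sev, e["time"], f"{e['target']} logged on to {e['computer']} "
                                           f"(type {e['logon_type']}) from {e['ip']}"))
        elif e["id"] == EVT_PASSWORD_CHANGE:
            alerts.append(("INFO", e["time"], f"{e['target']} changed own password on {e['computer']}"))
        elif e["id"] == EVT_PASSWORD_RESET:
            alerts.append(("HIGH", e["time"], f"{e['subject']} reset the password of {e['target']} on {e['computer']}"))
        elif e["id"] == EVT_ACCOUNT_DISABLED:
            alerts.append(("HIGH", e["time"], f"{e['subject']} disabled account {e['target']} on {e['computer']}"))
    return alerts


# Expected public records, saved when they were known to be good (constructed)
DNS_BASELINE = {"www.example.com": {"198.51.100.10"}, "mail.example.com": {"198.51.100.20"}}
# What the resolver answered on the next poll (constructed; in production fill this
# from socket.getaddrinfo or a DNS library against your authoritative servers)
DNS_OBSERVED = {"www.example.com": {"203.0.113.99"}, "mail.example.com": {"198.51.100.20"}}


def dns_changes(baseline, observed):
    """Records added or removed since the baseline, as (name, change, value)."""
    changes = []
    for name in sorted(set(baseline) | set(observed)):
        before, after = baseline.get(name, set()), observed.get(name, set())
        changes += [(name, "removed", v) for v in sorted(before - after)]
        changes += [(name, "added", v) for v in sorted(after - before)]
    return changes


if __name__ == "__main__":
    for sev, when, msg in triage(SAMPLE_EVENTS):
        print(sev, when, msg)
    for name, change, value in dns_changes(DNS_BASELINE, DNS_OBSERVED):
        print("DNS", name, change, value)
```

The severity split is the point: a weekday console logon is routine and only worth logging, but a weekend RDP logon from an external address, a password reset performed on someone else's account, or an account being disabled are exactly the three things the original post describes, and all of them should page regardless of which event log monitor or SIEM feeds them in.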

  • Sorry to hear about your breach

    I use non-solarwinds apps for the following:

    * When a user logs on to a server

    * When a user's password has been changed / expired / account disabled in AD?

    ScriptLogic Active Administrator is what I use

    Solarwinds can generate alerts for:

    * High traffic over the weekend on the firewall's I/O External port?

    Solarwinds NTA had previously alerted me to high malicious activity between a compromised laptop that was attacking my DNS servers and my ISP's DNS servers

    Hope you recover from this with minimal impact
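The interface-traffic baseline that both replies rely on (NPM 10.7's baseline thresholds, and the NTA alert on the compromised laptop), as an added worked example for the fourth item in the question that is not part of the original thread or SolarWinds' code: it builds a per-(weekday/weekend, hour) mean and standard deviation from two weeks of constructed hourly outbound byte counts for the firewall's external interface, then flags a sample that is both statistically unusual for its bucket and above an absolute floor. The sample data, the 2014 dates, the 10 MB floor and the 3-sigma multiplier are assumptions.

```python
"""Baseline-threshold check for outbound traffic on a firewall's external
interface. Added example; the hourly byte counts are constructed, and in
production they would come from the interface counters you already poll."""
import statistics
from datetime import datetime, timedelta

MB = 1024 ** 2


def bucket(ts):
    """Baseline key. Weekend and night hours look nothing like weekday office
    hours, so each (day class, hour) gets its own mean and standard deviation."""
    return ("weekend" if ts.weekday() >= 5 else "weekday", ts.hour)


def make_samples(start="2014-03-01T00:00:00", days=14):
    """Two constructed weeks of hourly outbound bytes: roughly 20 MB/h in
    weekday office hours, roughly 1 MB/h at all other times."""
    t0 = datetime.fromisoformat(start)
    samples = []
    for h in range(days * 24):
        ts = t0 + timedelta(hours=h)
        if ts.weekday() < 5 and 9 <= ts.hour < 17:
            out_bytes = 20 * MB + (ts.day % 3) * MB          # a little day-to-day jitter
        else:
            out_bytes = 1 * MB + (ts.hour % 2) * (MB // 5)    # quiet, nearly flat
        samples.append((ts, out_bytes))
    return samples


def build_baseline(samples):
    """samples: iterable of (datetime, out_bytes). Returns {bucket: (mean, stdev)}."""
    groups = {}
    for ts, out_bytes in samples:
        groups.setdefault(bucket(ts), []).append(out_bytes)
    return {k: (statistics.mean(v), statistics.pstdev(v)) for k, v in groups.items()}


def check(baseline, when, out_bytes, sigmas=3.0, floor_bytes=10 * MB):
    """Return (alert, limit). A sample alerts when it exceeds the larger of
    mean + sigmas*stdev for its bucket and an absolute floor. The floor stops a
    nearly flat weekend bucket (stdev about 0) from paging on a 2 MB update;
    the sigma term still catches a 100 MB hour inside noisy office time."""
    mean, sd = baseline[bucket(datetime.fromisoformat(when))]
    limit = max(mean + sigmas * sd, floor_bytes)
    return out_bytes > limit, limit


if __name__ == "__main__":
    baseline = build_baseline(make_samples())
    # the 500 MB weekend hour from the original post, against a quiet Saturday night bucket
    for when, out_bytes in [("2014-03-15T03:00:00", 500 * MB), ("2014-03-15T03:00:00", 5 * MB),
                            ("2014-03-17T10:00:00", 22 * MB), ("2014-03-17T10:00:00", 100 * MB)]:
        alert, limit = check(baseline, when, out_bytes)
        print(when, f"{out_bytes / MB:.1f} MB", "ALERT" if alert else "ok", f"(limit {limit / MB:.1f} MB)")
```

A single static threshold would have to be set above the busiest weekday hour, which is why the 500 MB weekend transfer in the original post goes unnoticed by one; splitting the baseline by day class and hour keeps the weekend limit close to the floor so that the same volume stands out.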