Hi All,
We were breached over the weekend: someone got in, changed our DNS entries, changed our IT department's passwords, and then blocked all outgoing email.
We're unsure of file changes, but traffic on Orion NPM shows 500 MB outbound on the firewall's external port.
Do you guys know any alert templates that I can use with Orion Alert Manager that will allow me to monitor:
* When a user logs on to a server
* When DNS has been changed e.g. a record added or removed?
* When a user's password has been changed / expired / account disabled in AD?
* High traffic over the weekend on the firewall's I/O External port?
Any other suggestions that are in line with what I'm thinking would be great
PS. We're running a system with Server 2012, 3.2 GHz, 16 GB RAM, 128 GB SSD & 250 GB RAID 1 data drive, with the following:
- Network Performance Monitor v10.7
- Server & Application Monitor v6.1.0
- NetFlow Traffic Analyzer v4.0.1
Thanks
James
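The first three items in the list above map onto Windows Security-log event IDs, and that is what any Orion alert (for example a SAM Windows Event Log Monitor component) would end up watching. The script below is an added example, not code from the original post or from SolarWinds: it queries those IDs and classifies the records into the alerts the poster describes. It assumes the DNS zones are AD-integrated and that "Audit Directory Service Changes" with a SACL on the zone is enabled, so record changes show up as 5136/5137/5141 events on dnsNode objects; the sample records at the bottom are constructed, not real log data. The fourth item (weekend outbound volume on the firewall interface) is interface-counter data in NPM/NTA, not an event-log matter, and is not covered here.

```powershell
# Added example, not from the original post or from SolarWinds.
# Security-log event IDs used (Windows Server 2008 and later):
#   4624            an account was logged on (LogonType 2 = interactive, 10 = RDP)
#   4723 / 4724     password change attempt / administrative password reset
#   4725            user account was disabled
#   5136/5137/5141  directory object modified/created/deleted; for AD-integrated DNS
#                   zones these carry ObjectClass=dnsNode once "Audit Directory Service
#                   Changes" is enabled and a SACL is set on the zone (assumption)
$AlertEventIds = @(4624, 4723, 4724, 4725, 5136, 5137, 5141)

function Get-AlertEvents {
    # Live query; needs rights to read the remote Security log.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-3)
    )
    Get-WinEvent -ComputerName $ComputerName -ErrorAction Stop -FilterHashtable @{
        LogName = 'Security'; Id = $AlertEventIds; StartTime = $Since
    }
}

function ConvertFrom-EventRecord {
    # Flatten a Get-WinEvent record into { Id, Time, Data }, where Data is a hashtable
    # of the named EventData fields, so the classifier does not rely on field order.
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Id = $Record.Id; Time = $Record.TimeCreated; Data = $data }
    }
}

function Test-SuspiciousEvent {
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $d = $Event.Data
        switch ($Event.Id) {
            4624 {
                # Interactive and RDP logons only; machine accounts (name ends in $) are noise.
                if ($d.LogonType -in @('2', '10') -and $d.TargetUserName -notmatch '\$$') {
                    [pscustomobject]@{ Time = $Event.Time; Alert = 'Logon'
                        Who = $d.TargetUserName; Detail = "type $($d.LogonType) from $($d.IpAddress)" }
                }
            }
            { $_ -in @(4723, 4724) } {
                [pscustomobject]@{ Time = $Event.Time; Alert = 'PasswordChange'
                    Who = $d.TargetUserName; Detail = "by $($d.SubjectUserName)" }
            }
            4725 {
                [pscustomobject]@{ Time = $Event.Time; Alert = 'AccountDisabled'
                    Who = $d.TargetUserName; Detail = "by $($d.SubjectUserName)" }
            }
            { $_ -in @(5136, 5137, 5141) } {
                # Only directory changes to DNS records, not every AD object change.
                if ($d.ObjectClass -eq 'dnsNode') {
                    [pscustomobject]@{ Time = $Event.Time; Alert = 'DnsRecordChange'
                        Who = $d.SubjectUserName; Detail = $d.ObjectDN }
                }
            }
        }
    }
}

# Constructed sample records (not real log data), in the shape ConvertFrom-EventRecord emits.
$SampleEvents = @(
    [pscustomobject]@{ Id = 4624; Time = [datetime]'2014-03-15 02:13'; Data = @{
        TargetUserName = 'svc-backup'; LogonType = '10'; IpAddress = '203.0.113.7' } }
    [pscustomobject]@{ Id = 4624; Time = [datetime]'2014-03-15 02:14'; Data = @{
        TargetUserName = 'DC01$'; LogonType = '3'; IpAddress = '-' } }        # machine account, dropped
    [pscustomobject]@{ Id = 4724; Time = [datetime]'2014-03-15 02:20'; Data = @{
        TargetUserName = 'itadmin'; SubjectUserName = 'svc-backup' } }
    [pscustomobject]@{ Id = 4725; Time = [datetime]'2014-03-15 02:21'; Data = @{
        TargetUserName = 'jsmith'; SubjectUserName = 'svc-backup' } }
    [pscustomobject]@{ Id = 5136; Time = [datetime]'2014-03-15 02:30'; Data = @{
        ObjectClass = 'dnsNode'; SubjectUserName = 'svc-backup'
        ObjectDN = 'DC=mail,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com' } }
    [pscustomobject]@{ Id = 5136; Time = [datetime]'2014-03-15 02:31'; Data = @{
        ObjectClass = 'user'; SubjectUserName = 'helpdesk'
        ObjectDN = 'CN=jsmith,OU=Staff,DC=example,DC=com' } }                 # not a DNS object, dropped
)

$SampleEvents | Test-SuspiciousEvent | Sort-Object Time | Format-Table -AutoSize
# Live use against a domain controller:
# Get-AlertEvents -ComputerName DC01 | ConvertFrom-EventRecord | Test-SuspiciousEvent
```

Run against the sample data this yields four alerts (Logon, PasswordChange, AccountDisabled, DnsRecordChange) all attributed to svc-backup, which is the kind of chain worth a single correlated alert rather than four separate ones. Note there is no Security-log event for a password simply expiring; expiry is a property of the account (pwdLastSet plus domain policy) and has to be queried from AD rather than alerted on from the event log.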