
ZeroLogon Exploitation Rule set


Hello,

Has anyone been able to come up with a custom rule to detect ZeroLogon vulnerability exploitation? I would like to hear from anyone who has created a rule.

cheers!!!

Level 8
You can create something like this:

Rule is true when
ServiceWarning.ProviderSID is equal to *5828
OR
ServiceWarning.ProviderSID is equal to *5827
OR
ServiceWarning.ProviderSID is equal to *5829
 


Thanks. 

Does SolarWinds assist customers in creating custom rules like this, especially when new threats appear in the InfoSec space? E.g., does SolarWinds have USE CASES like other vendors?


This will have to be created manually or as custom rules. I don't think SolarWinds SEM has constant updates for new rules.

You can call them for support to create a rule for you.

Level 8

Check first if you have any events for this before creating a rule. 

Once you find the event, you can create the rule easily.

Here is a script to check:

https://support.microsoft.com/en-us/help/4557233/script-to-help-in-monitoring-event-ids-related-to-c...

 

Please read this 

https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channe....

 

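An added example (not from the thread, and not SolarWinds or Microsoft code) of the check suggested above: count Netlogon events 5827, 5828 and 5829 per account before writing the rule, matching on the provider as well as the event ID. The record fields and sample values are constructed assumptions; the event meanings follow Microsoft's Netlogon secure channel guidance.

```python
from collections import defaultdict

# Event IDs used in the rule above, logged by the NETLOGON provider in the
# System log of a domain controller.
NETLOGON_EVENTS = {
    5827: "denied vulnerable connection (machine account)",
    5828: "denied vulnerable connection (trust account)",
    5829: "allowed vulnerable connection",
}

# Constructed sample records. Field names are assumptions for this example,
# not a SEM or Windows export schema.
SAMPLE_EVENTS = [
    {"provider": "NETLOGON", "event_id": 5829, "dc": "DC01", "account": "LEGACY-NAS$"},
    {"provider": "NETLOGON", "event_id": 5829, "dc": "DC01", "account": "LEGACY-NAS$"},
    {"provider": "NETLOGON", "event_id": 5827, "dc": "DC02", "account": "WKSTN-17$"},
    {"provider": "NETLOGON", "event_id": 5828, "dc": "DC02", "account": "PARTNER-TRUST$"},
    # Same numeric ID from an unrelated provider: must not count as a hit.
    {"provider": "OtherProvider", "event_id": 5829, "dc": "APP01", "account": "SVC-APP$"},
    # NETLOGON event outside the three IDs of interest.
    {"provider": "NETLOGON", "event_id": 5719, "dc": "DC01", "account": "WKSTN-03$"},
]

def summarize(events):
    """Return {account: {event_id: count}} for NETLOGON 5827/5828/5829 only."""
    hits = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev.get("provider", "").upper() != "NETLOGON":
            continue
        if ev.get("event_id") in NETLOGON_EVENTS:
            hits[ev["account"]][ev["event_id"]] += 1
    return {acct: dict(ids) for acct, ids in hits.items()}

def triage(summary):
    """Split accounts into those still allowed (5829) and those denied (5827/5828)."""
    allowed = sorted(a for a, ids in summary.items() if 5829 in ids)
    denied = sorted(a for a, ids in summary.items() if ids.keys() & {5827, 5828})
    return allowed, denied

if __name__ == "__main__":
    summary = summarize(SAMPLE_EVENTS)
    for account, ids in sorted(summary.items()):
        for event_id, count in sorted(ids.items()):
            print(f"{account}: {event_id} x{count} ({NETLOGON_EVENTS[event_id]})")
    print("allowed / denied:", triage(summary))
```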