3 Replies Latest reply on Mar 10, 2014 7:39 AM by curtisi

    LEM shutdown Windows Machine at admin logon failure


      Hi folks,


        Im very very new in LEM, I started to work with this SIEM this week and my boss tell me to conduct a demo with a customer next week.


        So, i did configured an Cisco ASA connector and active response, initatite a Scan attack with Metasploit and Nmap, did a correlation rule for TCP traffic and the LEM shuns the attacker IP automatically at the ASA. Works Nice.


        My second part of the demo is to shutdown o restart a windows server with  the LEM agent installed, when the Administrator account has serveral login failures. I used the critical account logon failure template, and modify it with the action of shutdown machine. I started a remote desktop session , put a wrong password several time, but neither the alert or the shutdown action takes effect. If I manually goes and look for the userlogonfailure event and select the shutdown respond, the machine is correctly shutdown, so the communication between the LEM and agent i think is working fine.


        Any ideas why the rule dont fired with  the right action? Im using the UserLogonFailure.DetectionIP as the agent field in the rule.



        • Re: LEM shutdown Windows Machine at admin logon failure

          I have two thoughts:


          First, it's possible that the machine that's "Detecting" the error is your Domain Controller, which hopefully doesn't have Active Response enabled.  Perhaps you should try using UserLogonFailure.DestinationMachine for the agent?


          2014-03-07 12_37_49-SolarWinds Log and Event Manager Console.png


          Second, and a much simple possibility: Did you click the Activate Rules button after modifying, saving, and enabling the rule?


          2014-03-07 12_40_11-SolarWinds Log and Event Manager Console.png

          1 of 1 people found this helpful
            • Re: LEM shutdown Windows Machine at admin logon failure

              Hi Curtisi, thanks for your answer.


                The machine im tryng to made the Windows active response is a windows 2008 server, its not configured as a Domain Controller  or part of any domain at all ( its a standalone VM that i installed in a VMware as a part of a demo). I installed the Windows agent as you can see next:



              The rule its not fired at all, but manually i can shutdown the machine in the monitor option. The config of the rule is this:



              The field destination machine has the name of the agent as i see. In the monitor events i dond see the ruled fired at all, so my suspect is about the rule behavior, not the active response. I did enable the activate rule after the modification, and test after that.


              Thanks for your help!

                • Re: LEM shutdown Windows Machine at admin logon failure

                  If you go to EXPLORE --> nDEPTH, and search for events matching the rule correlation, what do you get?  What do these events have in the Destination Machine field?  Does it all look correct?


                  When you say you don't see the rule firing, you're not seeing events in the Rule Activity filter?  If you do an nDepth search for InternalRuleFired where the EventInfo contains *NAMEOFRULE*, do you get any results at all in the last few days?