2 Replies Latest reply on Apr 1, 2014 10:37 AM by shawn_b

    Hacked... Alert Templates for Orion to alert in future?

    jdeane

      Hi All,

      We were breached over the weekend. Someone got in, changed our DNS entries, changed the IT department's passwords, and then blocked all emails going out.

      We're unsure of file changes, but traffic on Orion NPM shows 500mb outbound on the firewall external port.

      Do you guys know any alert templates that I can use with Orion Alert Manager that will allow me to monitor:

      * When a user logs on to a server
      * When DNS has been changed, e.g. a record added or removed?
      * When a user's password has been changed / expired / account disabled in AD?
      * High traffic over the weekend on the firewall's I/O External port?

      Any other suggestions that are in line with what I'm thinking would be great.

      PS. We're running a system with Server 2012, 3.2GHz, 16GB RAM, 128GB SSD & 250GB RAID 1 data drive, with the following:

      • Network Performance Monitor v10.7
      • Server & Application Monitor v6.1.0
      • NetFlow Traffic Analyzer v4.0.1

      Thanks
      James

        • Re: Hacked... Alert Templates for Orion to alert in future?
          rob.hock

          Sorry to hear that, sir. With NPM 10.7, you can set baseline thresholds for interface traffic that could detect anomalous traffic. SAM also has templates for most of what you are looking for:

          * When a user logs on to a server: Windows Event Log monitor for login events
          * When DNS has been changed, e.g. a record added or removed: the DNS User Experience template would alert on this
          * When a user's password has been changed / expired / account disabled in AD: a Windows Event Log monitor would enable this. May be worthwhile to check out SolarWinds Log and Event Manager: SIEM | Log Analysis | Log & Event Management for IT Security & Compliance | SolarWinds
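A concrete version of the Windows Event Log approach rob.hock points at, added here as an example (it is not SolarWinds', SAM's, or the thread's own code): a PowerShell script for the Server 2012 host that pulls the Security-log events behind three of the original bullets (logons, password changes and resets, accounts disabled or locked out), drops the machine-account and service-logon noise, and prints account-state changes individually plus a per-account logon summary. The event IDs are the standard Windows Security-log IDs; the parameter names, the noise filters and the output layout are this example's own choices, and the same IDs are what you would put in a SAM Windows Event Log Monitor or a SIEM rule for continuous alerting.

```powershell
# Added example, not SolarWinds or SAM code. Run from an elevated prompt on the
# server (or against it with -ComputerName); needs read access to the Security log.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$LookbackHours   = 24,
    [string]$OutCsv       = ''                  # optional: path to write all records
)

# Standard Windows Security-log event IDs (not from the thread).
$EventMap = @{
    4624 = 'Logon succeeded'
    4625 = 'Logon failed'
    4723 = 'Password change attempted'
    4724 = 'Password reset by another account'
    4725 = 'Account disabled'
    4740 = 'Account locked out'
}
$LogonTypeNames = @{ 2 = 'Interactive'; 3 = 'Network'; 7 = 'Unlock'; 10 = 'RDP' }

$filter = @{
    LogName   = 'Security'
    Id        = [int[]]@($EventMap.Keys)
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}
# SilentlyContinue keeps Get-WinEvent's "No events were found" from aborting the run.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$records = foreach ($e in $events) {
    # The EventData fields (who, whom, from where) are only reachable via the XML view.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $logonType = if ($data.ContainsKey('LogonType')) { [int]$data['LogonType'] } else { $null }
    $logonName = if ($logonType -ne $null) { $LogonTypeNames[$logonType] } else { '' }

    # Drop the noise that buries a real intrusion: machine accounts, built-in
    # identities and service logons. Everything else is kept, including failures.
    if ($e.Id -eq 4624) {
        if ($data['TargetUserName'] -like '*$') { continue }
        if ($data['TargetUserName'] -in 'SYSTEM', 'ANONYMOUS LOGON') { continue }
        if ($logonType -eq 5) { continue }      # service logon
    }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Action    = $EventMap[$e.Id]
        Target    = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        By        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        LogonType = $logonName
        Source    = $data['IpAddress']          # populated for network / RDP logons
    }
}

# Anything that changes an account's state gets a line of its own.
$records | Where-Object { $_.Id -in 4723, 4724, 4725, 4740 } |
    Format-Table Time, Action, Target, By -AutoSize

# Logons are summarised per account / type / source so a spray of failures or a
# new RDP source address stands out instead of scrolling past.
$records | Where-Object { $_.Id -in 4624, 4625 } |
    Group-Object Target, LogonType, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

if ($OutCsv) { $records | Export-Csv -Path $OutCsv -NoTypeInformation }
```

Run it once a day (or from a scheduled task) with `-LookbackHours 24`; the CSV output is the part you would hand to an alert rule, and the 4723/4724/4725 lines are the ones that would have shown the IT department's passwords being changed during the incident described in the original post.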

          • Re: Hacked... Alert Templates for Orion to alert in future?
            shawn_b

            Sorry to hear about your breach.

            I use non-SolarWinds apps for the following:

            * When a user logs on to a server
            * When a user's password has been changed / expired / account disabled in AD?

            ScriptLogic Active Administrator is what I use.

            SolarWinds can generate alerts for:

            * High traffic over the weekend on the firewall's I/O External port?

            SolarWinds NTA had previously alerted me to high malicious activity between a compromised laptop that was attacking my DNS servers and my ISP's DNS servers.

            Hope you recover from this with minimal impact.

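The baseline-threshold idea both replies rely on for the "high traffic over the weekend" bullet, written out as an added PowerShell example (it is not NPM, NTA, or the thread's own code). It buckets an interface's hourly outbound byte count by weekend-or-weekday and hour of day, learns a median and median absolute deviation per bucket from one week of history, and flags later samples that exceed the bucket's median by more than a few robust standard deviations (with an absolute floor so a quiet night bucket does not page on jitter). The traffic data is constructed inline so the script runs anywhere; with real data you would feed it NPM interface statistics or SNMP ifHCOutOctets deltas. The function names, the 1.4826 MAD-to-sigma factor, and the 50MB floor are this example's own choices.

```powershell
# Added example, not SolarWinds/NPM/NTA code: a minimal baseline threshold for
# an interface's outbound byte counter, with constructed sample traffic.

function Get-BucketKey([datetime]$Time) {
    # Compare like with like: a Sunday 02:00 sample is judged against other
    # weekend nights, not against weekday office hours.
    $weekend = [int]($Time.DayOfWeek -in 'Saturday', 'Sunday')
    '{0}-{1:D2}' -f $weekend, $Time.Hour
}

function Get-Median([long[]]$Values) {
    $sorted = @($Values | Sort-Object)
    $sorted[[int][math]::Floor($sorted.Count / 2)]
}

function New-SampleTraffic {
    # Two weeks of hourly outbound bytes (constructed): busy weekday office
    # hours, quiet nights and weekends, plus one exfil-like burst at 02:00 on
    # the second Sunday, standing in for the 500mb seen in the original post.
    $start = [datetime]'2014-03-09 00:00'       # a Sunday
    $rng   = New-Object System.Random 42
    $rows  = foreach ($h in 0..(14 * 24 - 1)) {
        $t       = $start.AddHours($h)
        $weekend = $t.DayOfWeek -in 'Saturday', 'Sunday'
        $office  = $t.Hour -ge 8 -and $t.Hour -lt 18
        $base    = if ($weekend) { 5MB } elseif ($office) { 80MB } else { 10MB }
        [pscustomobject]@{
            Time     = $t
            OutBytes = [long]($base * (0.8 + 0.4 * $rng.NextDouble()))
        }
    }
    $burst = $rows | Where-Object { $_.Time -eq $start.AddDays(7).AddHours(2) }
    $burst.OutBytes = 500MB
    $rows
}

function Get-TrafficBaseline([object[]]$History) {
    # Per bucket: median and median absolute deviation (MAD). Both are robust,
    # so one odd hour in the history does not drag the threshold up with it.
    $buckets = @{}
    foreach ($s in $History) {
        $key = Get-BucketKey $s.Time
        if (-not $buckets.ContainsKey($key)) { $buckets[$key] = @() }
        $buckets[$key] += $s.OutBytes
    }
    $baseline = @{}
    foreach ($key in $buckets.Keys) {
        $median = Get-Median $buckets[$key]
        $mad    = Get-Median ($buckets[$key] | ForEach-Object { [math]::Abs($_ - $median) })
        $baseline[$key] = @{ Median = $median; MAD = $mad }
    }
    $baseline
}

function Find-TrafficAnomaly {
    param([object[]]$Samples, [hashtable]$Baseline,
          [double]$Sigmas = 5, [long]$MinDeltaBytes = 50MB)
    foreach ($s in $Samples) {
        $b = $Baseline[(Get-BucketKey $s.Time)]
        if (-not $b) { continue }               # no history for this bucket yet
        # 1.4826 * MAD approximates one standard deviation. The absolute floor
        # keeps a very quiet bucket (tiny MAD) from alerting on ordinary jitter.
        $allowed   = [math]::Max($Sigmas * 1.4826 * $b.MAD, $MinDeltaBytes)
        $threshold = $b.Median + $allowed
        if ($s.OutBytes -gt $threshold) {
            [pscustomobject]@{
                Time        = $s.Time
                Bucket      = Get-BucketKey $s.Time
                OutMB       = [math]::Round($s.OutBytes / 1MB, 1)
                ThresholdMB = [math]::Round($threshold / 1MB, 1)
            }
        }
    }
}

# Learn from week one, check week two. With NPM data you would keep several
# weeks of history and re-run the check after every polling interval.
$all      = New-SampleTraffic
$cutover  = $all[0].Time.AddDays(7)
$baseline = Get-TrafficBaseline ($all | Where-Object { $_.Time -lt $cutover })
Find-TrafficAnomaly -Samples ($all | Where-Object { $_.Time -ge $cutover }) -Baseline $baseline |
    Format-Table -AutoSize
```

Only the constructed Sunday 02:00 burst should be reported: weekday office hours sit far below their own bucket's median plus the floor, and the weekend buckets have a median of a few MB, so a 500MB hour is hundreds of MB over the line. The same split by time-of-week is what makes a static threshold a poor substitute: a level that is normal at 10:00 on a Tuesday is exactly the anomaly you want to hear about at 02:00 on a Sunday.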