Have you checked out the content exchange here on THWACK?
In the Reports console, you can go to Manage Categories and pick industries and compliance standards to recommend reports. The same thing can be said for the Rule Templates in the LEM web interface, as there are categories on the left side of the screen. These are the SolarWinds suggestions for rules and reports.
Like, I would like a rule / filter that would show any activity performed with a Domain Admin account. I am sure something like that is in there somewhere, but I just can't find it.
First, you're going to need to configure your LEM to be able to talk to Active Directory.
Then, you'll need to bring in your Domain Admins group to the LEM. It's kind of like this process, but under Build > Groups, click the + and then go to Directory Service Groups.
Now, we can make a filter.
I think that would get you all set up for watching Domain Admins do things in real time.
That rule looks like it'd work. Are you seeing the events in LEM (look at the "General Change Management" filter)? What source accounts are being logged?
Also, can you check the time on the LEM? If you SSH into the LEM, go to APPLIANCE, run DATECONFIG and then press ENTER without entering any information 4 times. Is the date, time and timezone correct? If not, rerun the command and fix it.
Have you clicked the "Activate Rules" button in the GUI?
Can you open a command prompt as an admin and run "auditpol /get /category:*" and post the results?
What do you want me to run that command on?
Your domain controller(s), sorry.
System audit policy
Security System Extension Success and Failure
System Integrity Success and Failure
IPsec Driver Success and Failure
Other System Events Success and Failure
Security State Change Success and Failure
Logon Success and Failure
Logoff Success and Failure
Account Lockout Success and Failure
IPsec Main Mode Success and Failure
IPsec Quick Mode Success and Failure
IPsec Extended Mode Success and Failure
Special Logon Success and Failure
Other Logon/Logoff Events Success and Failure
Network Policy Server Success and Failure
File System Failure
Kernel Object Failure
Certification Services Failure
Application Generated Failure
Handle Manipulation Failure
File Share Failure
Filtering Platform Packet Drop Failure
Filtering Platform Connection Failure
Other Object Access Events Failure
Detailed File Share Failure
Sensitive Privilege Use Failure
Non Sensitive Privilege Use Failure
Other Privilege Use Events Failure
Process Termination No Auditing
DPAPI Activity No Auditing
RPC Events No Auditing
Process Creation No Auditing
Audit Policy Change Success and Failure
Authentication Policy Change Success and Failure
Authorization Policy Change Success and Failure
MPSSVC Rule-Level Policy Change Success and Failure
Filtering Platform Policy Change Success and Failure
Other Policy Change Events Success and Failure
User Account Management Success and Failure
Computer Account Management Success and Failure
Security Group Management Success and Failure
Distribution Group Management Success and Failure
Application Group Management Success and Failure
Other Account Management Events Success and Failure
Directory Service Changes Failure
Directory Service Replication Failure
Detailed Directory Service Replication Failure
Directory Service Access Failure
Kerberos Service Ticket Operations Success and Failure
Other Account Logon Events Success and Failure
Kerberos Authentication Service Success and Failure
Credential Validation Success and Failure
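As an added example (not from the thread or SolarWinds), this script parses the kind of auditpol /get /category:* output posted above and reports which subcategories would leave a Domain Admin activity filter blind. The sample text is constructed from a subset of the posted lines; the REQUIRED list is an assumed minimum for this illustration, annotated with the standard Windows Security log event IDs each subcategory produces.

```python
import re

# Constructed sample, built from a subset of the auditpol output posted in
# the thread (category headers are absent there, and real output indents
# subcategories; the parser tolerates both).
AUDITPOL_OUTPUT = """\
System audit policy
Security System Extension Success and Failure
Logon Success and Failure
Special Logon Success and Failure
Process Creation No Auditing
Security Group Management Success and Failure
User Account Management Success and Failure
Directory Service Changes Failure
Kerberos Authentication Service Success and Failure
Credential Validation Success and Failure
"""

# A subcategory line ends with exactly one of the four auditpol settings.
SETTING_RE = re.compile(
    r"^(?P<sub>.+?)\s+(?P<setting>Success and Failure|Success|Failure|No Auditing)\s*$"
)

# Assumed minimum for watching what a privileged account does; the IDs are
# the standard Windows Security log event IDs for each subcategory.
REQUIRED = {
    "Logon": {"Success"},                      # 4624: interactive/network logon
    "Special Logon": {"Success"},              # 4672: admin privileges assigned at logon
    "Process Creation": {"Success"},           # 4688: what the account actually ran
    "Security Group Management": {"Success"},  # 4728/4732/4756: group membership changes
    "User Account Management": {"Success"},    # 4720-4726: account create/change/delete
    "Directory Service Changes": {"Success"},  # 5136: AD object modifications
}


def parse_auditpol(text):
    """Map each subcategory to the set of audited outcomes ({"Success", "Failure"} or a subset).

    Lines without a setting (the 'System audit policy' header, category names) are skipped.
    """
    policy = {}
    for line in text.splitlines():
        m = SETTING_RE.match(line.strip())
        if not m:
            continue
        setting = m.group("setting")
        outcomes = set()
        if "Success" in setting:
            outcomes.add("Success")
        if "Failure" in setting:
            outcomes.add("Failure")
        policy[m.group("sub")] = outcomes
    return policy


def audit_gaps(policy, required=REQUIRED):
    """Return [(subcategory, [missing outcomes]), ...] where the DC policy falls short."""
    gaps = []
    for sub, needed in required.items():
        missing = needed - policy.get(sub, set())
        if missing:
            gaps.append((sub, sorted(missing)))
    return gaps


if __name__ == "__main__":
    for sub, missing in audit_gaps(parse_auditpol(AUDITPOL_OUTPUT)):
        print(f"{sub}: not auditing {', '.join(missing)}")
```

Run against the posted policy, it flags Process Creation (No Auditing) and Directory Service Changes (Failure only): a Domain Admin logon would be seen, but not the commands run in that session or the successful AD changes made with it. Paste the real output of auditpol /get /category:* from each DC in place of the sample to check your own policy.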
Are you running the Agent on the DC where the changes are occurring or just on a primary DC?
The service is running on both DCs
Can you confirm that the events appear in the Windows event logs?
I looked in the content exchange and really didn't see much. I guess I just need to spend more time in the templates; I just don't understand what some of these things do, and I can't seem to find it in the help or Google.
Not being able to find details and examples for LEM drove me nuts for a few days until I thought about what I needed to search for. Basically, don't try and search for how to do something in LEM; instead, Google for the event or log data that you need to trigger from. Then use nDepth to search for that item; from there, look at the normalised event, which will show you what items to pick from to create the correlation. Also, did you read the manual front to back? I was just searching for things and reading the relevant part, then one day read all the parts I skipped; it would have saved time to just read it from day one. For example, I skipped over how to use the GUI, assuming it was like all the other ones I have ever used (NOT!)
You are exactly right: the more I focused on the alerts themselves and the data they generate, the easier it has become for me to use LEM. I am now down to fighting some issues getting things to graph the way I want (ex. failed logon attempts by destination account). That may be one where I need to go back and reread the manual. I will be honest, I have just been picking and choosing what I need out of it. I have never read it front to back.
Thanks for the response.
In one of my other posts, note how the graphs are not very useful for my needs. For example, unless I missed something, there is no way to create a graph that shows a list of top TCP traffic servers and the top TCP ports used on these servers at the same time. I have resorted to exporting and doing it in other software. I might be able to do something in Crystal Reports, but for some reason they take forever, even in a short time frame and even with a 16-core server with 128GB of RAM; it's much faster doing the export.
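As an added example (not from the thread or SolarWinds), this is the "export and do it elsewhere" step from the post above in a few lines of Python: it takes an exported CSV of TCP connection events and produces the top destination servers together with the top ports on each of them, the combined view the poster could not get from a LEM graph. The CSV and its column names (DestinationMachine, DestinationPort, SourceMachine) are constructed assumptions; rename them to match your own export.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export (not real LEM output): one row per TCP connection
# event, with the columns an exported traffic view is assumed to carry.
EXPORT_CSV = """\
DestinationMachine,DestinationPort,SourceMachine
srv-web01,443,10.0.1.5
srv-web01,443,10.0.1.6
srv-web01,80,10.0.1.7
srv-db01,1433,10.0.1.5
srv-db01,1433,10.0.1.8
srv-web01,443,10.0.1.9
srv-file01,445,10.0.1.5
srv-db01,3389,10.0.1.5
"""


def top_servers_and_ports(csv_text, n_servers=2, n_ports=2):
    """Return [(server, connection_count, [(port, count), ...]), ...].

    Servers are ranked by total connections; each carries its own top-N ports,
    so one table answers "which servers are busiest and on which ports".
    """
    per_server = Counter()
    ports_by_server = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        server = row["DestinationMachine"]
        per_server[server] += 1
        ports_by_server[server][int(row["DestinationPort"])] += 1
    return [
        (server, total, ports_by_server[server].most_common(n_ports))
        for server, total in per_server.most_common(n_servers)
    ]


if __name__ == "__main__":
    for server, total, ports in top_servers_and_ports(EXPORT_CSV):
        port_list = ", ".join(f"{port} ({count})" for port, count in ports)
        print(f"{server}: {total} connections; top ports: {port_list}")
```

On the sample this ranks srv-web01 (4 connections; 443 and 80) above srv-db01 (3 connections; 1433 and 3389). Because it reads the CSV from memory, the same function can be pointed at a file export of any size with open(...).read(), and the ranking costs one pass over the rows rather than a report engine run.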