Thank you, Ma'am
There are a couple of ways to monitor administrator activity.
First, I would caution on configuring a rule for all administrator activity. With everything an administrator "touches" day in and day out, the types and amount of alerts you receive would result in a lot of noise. Instead, we recommend setting up rules for specific activity such as logon failures, changes made by administrator accounts and changes made to those administrator accounts. LEM provides a number of rules (Build->Rules) for this type of activity out of the box. I would recommend taking a look at the rules within the Activity Type->Administrative Monitoring section of the Rule Categories and Tags dropdown to determine if those will fit your needs. From there you can view the rule details, clone individual rules or enable them in bulk.
Several of these rules look for the default administrator account and admin groups via pre-built User Defined Groups. You can edit these groups to include any additional administrator accounts/groups that you would like through the Build->Groups section of the LEM web console. The other option would be to include your existing AD groups by configuring the Directory Service Query connector.
From a reporting perspective you have a couple of options.
- nDepth searches - You can search for user activity through the Explore->nDepth section of the LEM web console and turn those results into saved queries or ad-hoc reports.
- SolarWinds LEM Reports - A number of the Change Management and Authentication reports will track administrator activity. You can filter these reports down to just administrator activity and/or save the filtered report as a custom report so it can be scheduled and run on a regular basis.
I get the Windows event codes from https://www.ultimatewindowssecurity.com/
Ones I use are:
Domain Admins Group additions and deletions using Auditable Group Events.EventInfo" = Member "*" (added/deleted) from group "XXXXXXXX\Domain Admins"
This emails me when users are added or removed from Domain Admins.
Domain passwords changed using Admin privileges using UserModifyAttribute.ProviderSID = *4724*
This emails me when an admin changes a user's password.
Create email templates to fill in the who, when and where-from details.
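
The two filters and the email template described in the post above, sketched in Python as an added example (not part of the original posts and not LEM rule syntax). The `Type`, `SourceAccount`, `DetectionTime` and `DetectionIP` keys, the `EXAMPLE` domain and the wording of the sample `EventInfo` and `ProviderSID` values are assumptions made for illustration.

```python
import re
from fnmatch import fnmatchcase
from string import Template

DOMAIN = "EXAMPLE"  # constructed stand-in for the redacted XXXXXXXX domain

# Rule 1: EventInfo filter from the post, Member "*" (added/deleted) ... "Domain Admins".
GROUP_CHANGE = re.compile(
    r'Member "[^"]+" (?P<action>added|deleted) (?:to|from) group "'
    + re.escape(DOMAIN + "\\Domain Admins") + '"')
# Rule 2: ProviderSID filter from the post (Windows event 4724, password reset).
RESET_GLOB = "*4724*"
# Email template carrying the who / when / where details.
MAIL = Template("$rule\nWho: $who\nWhen: $when\nWhere: $where\nDetail: $detail")

def evaluate(event):
    """Return the alert text for one event, or None when neither rule matches."""
    info = event.get("EventInfo", "")
    match = GROUP_CHANGE.search(info)
    if event.get("Type") == "Auditable Group Events" and match:
        rule = "Domain Admins member " + match.group("action")
    elif (event.get("Type") == "UserModifyAttribute"
          and fnmatchcase(event.get("ProviderSID", ""), RESET_GLOB)):
        rule = "Password reset by admin"
    else:
        return None
    return MAIL.substitute(rule=rule, who=event.get("SourceAccount", "?"),
                           when=event.get("DetectionTime", "?"),
                           where=event.get("DetectionIP", "?"), detail=info)

# Constructed sample events; field names other than EventInfo and ProviderSID are assumed.
SAMPLE = [
    {"Type": "Auditable Group Events", "SourceAccount": "admin1",
     "DetectionTime": "2024-01-01 10:00:00", "DetectionIP": "dc01",
     "EventInfo": 'Member "jdoe" added to group "EXAMPLE\\Domain Admins"'},
    {"Type": "Auditable Group Events", "SourceAccount": "admin1",
     "DetectionTime": "2024-01-01 10:05:00", "DetectionIP": "dc01",
     "EventInfo": 'Member "jdoe" added to group "EXAMPLE\\Helpdesk"'},
    {"Type": "UserModifyAttribute", "SourceAccount": "admin2",
     "DetectionTime": "2024-01-01 11:00:00", "DetectionIP": "dc02",
     "ProviderSID": "Security 4724", "EventInfo": "Password reset for jdoe"},
    {"Type": "UserModifyAttribute", "SourceAccount": "admin2",
     "DetectionTime": "2024-01-01 11:30:00", "DetectionIP": "dc02",
     "ProviderSID": "Security 4738", "EventInfo": "Account changed for jdoe"},
]

def run(events=SAMPLE):
    """Evaluate every event and return only the alerts that fired."""
    return [alert for alert in map(evaluate, events) if alert]

if __name__ == "__main__":
    print("\n\n".join(run()))
```

Only the Domain Admins change and the 4724 event produce an alert; the Helpdesk group change and the 4738 event are ignored, which is the noise reduction the first reply recommends.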