I have a few questions around your question:
When you state: "user logs into the network (example: Domain Controller)" are they logging into a server that has the Agent installed locally on the system?
Is the "escalates privileges" part a separate item of interest, or are you only looking for port scans by users with escalated privileges?
Is the port scan on the local system they logged into, such as the Domain Controller you mention as an example? Or is the port scan on another system that has / doesn't have the Agent installed, or possibly just a port scan on the VLAN / the network?
There is a built-in "Port Scan" rule (that needs a little tweaking) in the default rule set. Is this not detecting whatever you are trying to accomplish?
Good Afternoon All,
I may have failed to mention that I am new to SolarWinds LEM and I am still working through understanding a lot of this tool's capabilities and functionality. I think I actually asked three separate and independent questions here. I appreciate your patience.
I will do some more digging to look for existing templates. This makes it a little easier to find one rule for RDP, escalated privileges, and one for port scans.
I think the original idea, regarding port scans, was to be alerted when a port scan is initiated after an RDP session by the same user (logon to server, RDP to another server, then port scan, maybe?). I'll do more homework on the question itself.
Thank you for trying to address my questions. I'll reach out again if this continues to elude me.
There is already a built-in rule for portscan - go to Build - Rules and search for portscan.