3 Replies Latest reply on Sep 14, 2015 2:57 PM by dcross.dfc

    How to: Create a notification of a port scan and/or sweep using LEM?

    dcross.dfc

      Good Morning All,


      09/03/2015 - I have edited the title in an attempt to more accurately reflect the question.


      I would like to know if it is possible to create a Report,
      Filter, Rule, and/or Alert to notify me when a user logs into the network
      (example: Domain Controller), and/or escalates privileges, then runs a Port
      Scan. Is this currently possible, and if so, would someone provide me with
      clear, detailed instructions? At a minimum, help me understand some of the logic behind
      how such a rule would be created. With this logic, hopefully, I’d be able to
      use the knowledge of my network architecture to create such a rule.


      Thank you

        • Re: How to: Create a notification of a port scan and/or sweep using LEM?
          colinbarr

          I have a few questions around your question:

          When you state: "user logs into the network (example: Domain Controller)" are they logging into a server that has the Agent installed locally on the system?

          Is the "escalates privileges" part a separate item of interest, or are you only looking for port scans by users with escalated privileges?

          Is the port scan on the local system they logged into, such as the Domain Controller you mention as an example? Or is the port scan on another system that has / doesn't have the Agent installed, or possibly just a port scan on the VLAN / the network?


          There is a built-in "Port Scan" Rule (that needs a little tweaking) in the default rule set. Is this not detecting whatever you are trying to accomplish?

            • Re: How to: Create a notification of a port scan and/or sweep using LEM?
              dcross.dfc

              Good Afternoon All,


              I may have failed to mention that I am new to SolarWinds
              LEM and I am still working through understanding a lot of this tool's
              capabilities and functionality. I think I actually asked three separate and
              independent questions here. I appreciate your patience.


              I will do some more digging to look for existing templates. This
              makes it a little easier to find one rule for RDP, escalated privileges, and
              one for port scans.


              I think the original idea, regarding port scans, was to be
              alerted when a port scan is initiated after an RDP session by the same user (logon
              to server, RDP to another server, then port scan (maybe?)). I’ll do more
              homework on the question itself.


              Thank you for trying to address my questions. I’ll reach out
              again if this continues to elude me.
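The correlation the post above describes (RDP logon, optionally a privilege escalation, then a port scan by the same user within a time window) as an added Python example; this is not code from the thread or from LEM's rule engine, and the event format, field names and sample events are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real LEM output:
# (timestamp, event_type, user, host, detail)
SAMPLE_EVENTS = [
    ("2015-09-03 09:00:00", "Logon", "alice", "dc01", "interactive"),
    ("2015-09-03 09:02:00", "Logon", "alice", "srv02", "RDP"),
    ("2015-09-03 09:04:00", "PrivilegeEscalation", "alice", "srv02", "runas admin"),
    ("2015-09-03 09:05:30", "PortScan", "alice", "srv02", "src=10.0.0.5"),
    ("2015-09-03 09:10:00", "Logon", "bob", "srv03", "RDP"),
    ("2015-09-03 11:30:00", "PortScan", "bob", "srv03", "src=10.0.0.7"),   # outside window
    ("2015-09-03 09:20:00", "PortScan", "carol", "srv04", "src=10.0.0.9"),  # no prior RDP
]

WINDOW = timedelta(minutes=30)  # assumed correlation window


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def correlate_rdp_then_scan(events, window=WINDOW):
    """Return one alert per port scan that follows an RDP logon by the same
    user within `window`. The alert also records whether a privilege
    escalation by that user was seen between the logon and the scan."""
    last_rdp = {}   # user -> (logon time, host)
    escalated = {}  # user -> True once a PrivilegeEscalation follows the RDP logon
    alerts = []
    for ts, etype, user, host, detail in sorted(events, key=lambda e: parse_ts(e[0])):
        t = parse_ts(ts)
        if etype == "Logon" and detail == "RDP":
            last_rdp[user] = (t, host)       # start a new correlation chain
            escalated[user] = False
        elif etype == "PrivilegeEscalation" and user in last_rdp:
            escalated[user] = True
        elif etype == "PortScan" and user in last_rdp:
            rdp_t, rdp_host = last_rdp[user]
            if t - rdp_t <= window:          # scan close enough to the RDP logon
                alerts.append({
                    "user": user,
                    "rdp_host": rdp_host,
                    "scan_host": host,
                    "escalated": escalated[user],
                    "minutes_after_rdp": (t - rdp_t).total_seconds() / 60,
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate_rdp_then_scan(SAMPLE_EVENTS):
        print(alert)
```

Only alice's chain fires: bob's scan is outside the window and carol never had an RDP logon, which is the same distinction a LEM rule would need to express with its event-correlation conditions.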

            • Re: How to: Create a notification of a port scan and/or sweep using LEM?
              donthomas

              There is already a built-in rule for portscan - go to Build - Rules and search for portscan.