2 Replies Latest reply on Nov 15, 2015 9:16 AM by asisit

    LEM Rules Fired Based on WMI Events

    asisit

      Hello thwack! I am fairly new to LEM and all of the features it has to offer. I have been doing some reading up on WMI and some of the potential security flaws (and fixes) that it has to offer. Based on my research, I was wondering if anyone here has experience with drawing up rules in LEM to fire based on WMI events being fired and created on a per-machine basis. It looks like something that is possible, but I can't seem to find any documentation or previous discussions on the matter. Thanks all!

        • Re: LEM Rules Fired Based on WMI Events
          colinbarr

          Can you give an example of a WMI event you would like to trigger events around? I am working now on some different trigger criteria and am curious what type of events others may be doing as well.

            • Re: LEM Rules Fired Based on WMI Events
              asisit

              We ended up going a different route as SolarWinds technical support was saying they don't currently have a way to fire rules based on WMI events. I was going off of a white paper I had found somewhere that talked about 7 or 8 of the most common ways that organizations got beaten with a WMI-based attack and the corresponding WMI events that would be seen if it was being monitored. If you'd like, I can dig up that white paper for you - I know it's somewhere on my desktop...