
How-To Use Log & Event Manager to Detect Privilege Changes in Active Directory - Video

Overview

This video will show you how to use LEM to alert you when users are added to privileged groups in Active Directory®.

Environment

  • Log & Event Manager

Video Transcription

Before creating the rules, ensure you have configured the email connector in your LEM console; without it the rule's email action has nowhere to send. To enable email, navigate to the Ops Center view, locate the "Getting Started" widget and click "Configure Basic LEM Settings". A wizard will appear and guide you through the email configuration process.

Let's get started!

  1. Log in to your web console and navigate to Build > Rules.
  2. LEM includes several rules specifically designed to monitor Active Directory located in the Change Management category.
  3. Within the Change Management category select "Group Changes" and locate the "New Critical Group Member" rule.
  4. To view and edit the rule, select "Clone". This leaves the built-in rule untouched and opens an editable copy in the rule configuration interface.
  5. The Correlations window contains the logic and information needed to detect the proper event. As you can see here, the rule looks in the EventInfo field of the New Group Member event for the message "Member Added to Group". It also checks the MemberID field: the value must NOT contain a "$" (Active Directory computer accounts end in "$", so this excludes machine accounts and alerts only on user additions), and the target group name must appear on the user-defined Admin Groups list.
  6. To view or edit the Admin Groups list, click on "Build" then "Groups." Then under the Type drop-down menu select "User Defined Groups." User defined groups are basically lists of information you can use throughout the web console.
  7. Click on the group to view the list details. As you can see, all of the well-known Administrative groups have already been added. If you wish to add more group names simply click the gear icon next to the list and select "Edit."
  8. Now back to the rule. The rules interface, like other interfaces within the web console, uses AND/OR boolean logic, which you change by clicking on the outer edge of a condition group. The thick blue line with a triangle in the middle seen here indicates AND. If you click it again, it switches to an OR operator, indicated by a thick orange line with a half circle. You can nest combinations of AND and OR groups to create well-defined correlation rules; the "New Critical Group Member" rule is a single AND group, so every condition must be true for the rule to fire.
  9. Now that you have defined exactly what you want LEM to detect, the next step is to configure a threshold.
  10. The purple box located here allows you to further define exactly when the rule should send you an email, for example only after N matching events within a time window. This can be very helpful in reducing false positives for noisy rules. In this case, we want to know about every account added to an admin group, so the threshold should be left at "1".
  11. Next, review the email action and select a recipient. The Actions area already contains a pre-configured email template; you can edit it or create new templates under the Build menu.
  12. Starting at the top, you can see the Account Modification template is in use and if you click on the "Recipients" drop-down menu you can select who should receive this notification.
  13. The items here in the email that display a dollar sign represent fields. Typically, this will be specifically related to the event or events you have configured in the correlation window above.
  14. To verify fields are correct, click on the "Events" menu, type in "Group", select "New Group Member" from the list and match up the fields. LEM will collect the information located in these fields and write the data to the email notification so you know who was added to an admin group and when they were added.
  15. Now that you have verified the rule is configured properly, select the "enable" check box above, then save the rule and finally, click the "Activate Rules" button at the top.
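To make the rule's conditions concrete, here is an added example (not LEM's own code and not from the video) that re-implements the logic of the "New Critical Group Member" rule in Python and runs it over a few constructed Windows Security events. The field names on the event class, the contents of the Admin Groups list and the email template text are assumptions chosen to mirror the steps above; the Windows event IDs 4728, 4732 and 4756 are the real "member added to a security-enabled group" events that a New Group Member event is normalized from. It also shows the "$" exclusion for computer accounts, the AND grouping from step 8, the threshold from step 10 and the $-field substitution from step 13.

```python
"""Re-implementation of LEM's "New Critical Group Member" rule logic over
constructed Windows Security events (added example, not LEM code)."""
from dataclasses import dataclass
from string import Template

# Assumption: the built-in "Admin Groups" user-defined list contains at least
# these well-known groups (step 7 says the well-known ones are pre-populated).
ADMIN_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Backup Operators", "Server Operators", "Print Operators",
}
_ADMIN_GROUPS_CF = {g.casefold() for g in ADMIN_GROUPS}  # case-insensitive match

# Windows Security event IDs for "A member was added to a security-enabled group":
# 4728 (global), 4732 (local), 4756 (universal).
MEMBER_ADDED_EVENT_IDS = {4728, 4732, 4756}


@dataclass(frozen=True)
class GroupChangeEvent:
    """Field names are an assumption mirroring the LEM New Group Member event."""
    EventID: int
    SubjectUser: str   # account that made the change
    MemberID: str      # account that was added; AD computer accounts end with '$'
    GroupName: str     # group that received the new member
    EventInfo: str     # free-text description of the change


# --- One condition per box in the correlation window ------------------------
def member_added(ev: GroupChangeEvent) -> bool:
    return ev.EventID in MEMBER_ADDED_EVENT_IDS and "Member Added to Group" in ev.EventInfo


def not_machine_account(ev: GroupChangeEvent) -> bool:
    # Step 5: MemberID must NOT contain '$', which drops computer accounts.
    return "$" not in ev.MemberID


def admin_group(ev: GroupChangeEvent) -> bool:
    return ev.GroupName.casefold() in _ADMIN_GROUPS_CF


# --- AND/OR grouping, as in the rule builder (step 8) -----------------------
def all_of(*conds):
    return lambda ev: all(c(ev) for c in conds)


def any_of(*conds):
    return lambda ev: any(c(ev) for c in conds)


# The built-in rule is a single AND group of the three conditions.
new_critical_group_member = all_of(member_added, not_machine_account, admin_group)

# Email template: $Name placeholders are event fields, as in step 13.
ALERT_TEMPLATE = Template(
    "Account $MemberID was added to $GroupName by $SubjectUser (Windows event $EventID)"
)


def render_alert(ev: GroupChangeEvent) -> str:
    return ALERT_TEMPLATE.substitute(vars(ev))


def evaluate(events, rule=new_critical_group_member, threshold=1):
    """Return one rendered alert per matching event once at least `threshold`
    events match. Threshold 1 alerts on every addition, as step 10 recommends."""
    hits = [ev for ev in events if rule(ev)]
    return [render_alert(ev) for ev in hits] if len(hits) >= threshold else []


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    GroupChangeEvent(4728, "admin.jdoe", "svc.backup", "Domain Admins", "Member Added to Group"),
    GroupChangeEvent(4732, "admin.jdoe", "WORKSTATION01$", "Administrators", "Member Added to Group"),
    GroupChangeEvent(4756, "hr.lead", "jane.smith", "HR Staff", "Member Added to Group"),
    GroupChangeEvent(4729, "admin.jdoe", "bob.old", "Domain Admins", "Member Removed from Group"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample event produces an alert: the second is a computer account (name ends in "$"), the third targets a non-admin group, and the fourth is a removal rather than an addition. Raising the threshold to 2 suppresses the alert entirely, which is why the video leaves it at 1 for this rule.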

For more training, visit: https://support.solarwinds.com/Succe...)/LEM_Training

Last modified
14:16, 18 Aug 2016
