This video will show you how to use LEM to alert on unauthorized access events.
Let's get started!
- First, you will need to either create a list of vendor accounts or if you already have a vendor Active Directory Group you can use LEM's LDAP tool to import the group. You will also need to create a list of device or system IP addresses that the vendor is allowed to access.
- To create a list of Vendor accounts open your LEM web console and navigate to "Build" then select "Groups".
- On the right-hand side click the plus sign and select User Defined Group.
- Name the group "Vendor Accounts" then click the plus sign to start adding account names.
- The NAME field is your short name and/or description for the account. For this example, let's type in "Router Co."
- The DATA field is the most important field as it will contain the actual usernames. You can also use the wildcard "*" to cover any variations, so for this example I will type in "*jrouter*".
- Now Click the Save button to add the account then click the plus sign again to add additional accounts.
- Once you are finished adding accounts click the SAVE button on the right to save the group.
- Repeat the process to create your list of servers.
If you wish to use Active Directory, you will need to configure the LDAP tool and import your groups.
- Click on the Ops Center button and locate the "Getting Started" widget.
- Within the "Getting Started" widget click on "Configure Basic LEM Settings" to open the configuration wizard.
- Click Next and you will see the option to configure email. If you haven't completed this step, go ahead and do so. If you have, click "Skip" and the "Configure Active Directory Connection" page will appear.
- Complete the Domain Name field with your fully qualified domain name.
- Fill in the Directory Service Server field with the IP address or hostname of a domain controller.
- Now fill in the User Name field with any user account, as it does not require administrative privileges. However, it is recommended that you use an account that either has a static password or one that does not change often.
- If there is no encryption enabled then you can ignore the Encryption field. If you use a port other than 389 for LDAP, enter it in the Custom Port field; otherwise leave it blank.
- Once you have entered your information, click "Finish".
- Now you can import Active Directory groups by clicking on Build, then Groups.
- Click the plus sign on the right and select "Directory Service Group."
- Your domain should now appear here on the bottom with a list of all of your Active Directory containers.
- To add groups, click on a container and the groups should appear on the right with check boxes.
- Select the check box next to each group you wish to add, then click "Save."
Now that you know how to create User Defined Groups and import Active Directory groups let's configure LEM to send an email when suspicious access attempts occur from your vendor accounts.
- Navigate to Build then Rules to access the LEM Rules interface.
- LEM comes complete with hundreds of built-in rules that you can use for different situations.
- To search rules, simply type in a key word here in the search bar. <Demo - Type in the word Vendor.>
- Now, you will see a list of rules that meet your search term and as you can see there are several built-in rules that monitor Vendor activity.
- Let's use the Unauthorized Server Logon rule as it fits our purpose for monitoring unauthorized access.
- To use the rule click on the gear icon and select "CLONE." This will create a copy of the rule above and open the Rule Builder for editing.
- The rules interface consists of three configuration areas. The first section defines the rule. The second section is where you apply simple and advanced thresholds. The last section tells LEM how to respond to the event. Finally, the categories here on the left supply the rule with the necessary events, groups and other details.
- Looking at the rule logic you will see that it is focusing on User logons with account names that are listed in a Vendor or Contractor group and servers that are NOT contained in the authorized server list. Additional logic is in place to ignore events where the logon type field is empty or contains the word "network."
- The purple box allows you to apply simple and advanced thresholds. For example, you may not want the rule to fire until there are 5 logons from a single account, so you can set the time and frequency threshold here, then click on this icon to the right and apply an advanced threshold to indicate a single account. For this example, we will leave both at default.
- Now that you have reviewed the logic and thresholds, it's time to define how you want LEM to respond.
- Since this is a built-in rule there are already two recommended actions configured. The first will actually disable the account preventing access while the second generates an incident with all of the details that will populate a report.
- If you want to receive an email notification click on the "Actions" section here on the bottom left then drag the "Send Email Message" into the actions area of the rule.
- Now select an email template. Let's use "Account Modification." Next, populate the blank fields with the information you wish to see in the email.
- To populate the fields, note the event name you are using in the correlation area. In this case it is "UserLogon." Now click on the "Events" section here at the top left and select "UserLogon."
- Now, drag the fields you need from the list below the event and drop them into the white boxes.
- Once you have completed the email template click on the "Recipients" drop-down and select the email recipients.
- Review the rule one more time and click the "Enable" checkbox. Save the rule and finally the most important step is to click on the "Activate Rules" button.
- You have successfully enabled a rule that will notify you when vendor accounts log into unauthorized servers and automatically disable the account to prevent further access.
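The correlation logic walked through above (vendor-account wildcard match, destination not in the authorized server list, empty or "network" logon types ignored, optional per-account frequency threshold), as an added Python example. This is not LEM code; the event field names and the sample events are constructed assumptions.

```python
import re
from collections import Counter

# User Defined Group "Vendor Accounts": NAME -> DATA, where DATA may use the "*" wildcard.
VENDOR_ACCOUNTS = {"Router Co.": "*jrouter*"}
# User Defined Group of servers the vendor is allowed to access (constructed addresses).
AUTHORIZED_SERVERS = {"10.0.5.20", "10.0.5.21"}

# Constructed sample events; field names are assumptions, not LEM's schema.
EVENTS = [
    {"event": "UserLogon", "account": "svc_jrouter01", "dest_ip": "10.0.5.20", "logon_type": "Interactive"},
    {"event": "UserLogon", "account": "jrouter",       "dest_ip": "10.0.9.7",  "logon_type": "Interactive"},
    {"event": "UserLogon", "account": "jrouter",       "dest_ip": "10.0.9.7",  "logon_type": "Network"},
    {"event": "UserLogon", "account": "jrouter",       "dest_ip": "10.0.9.7",  "logon_type": ""},
    {"event": "UserLogon", "account": "alice",         "dest_ip": "10.0.9.7",  "logon_type": "Interactive"},
    {"event": "UserLogoff", "account": "jrouter",      "dest_ip": "10.0.9.7",  "logon_type": "Interactive"},
]


def wildcard_to_regex(pattern):
    """Turn a group DATA value into a regex where only '*' is a wildcard (case-insensitive)."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def is_vendor_account(account, group=VENDOR_ACCOUNTS):
    """True if the account name matches any DATA pattern in the vendor group."""
    return any(wildcard_to_regex(p).match(account) for p in group.values())


def matches_rule(ev, group=VENDOR_ACCOUNTS, authorized=AUTHORIZED_SERVERS):
    """Unauthorized Server Logon logic: vendor account, server not authorized, usable logon type."""
    if ev["event"] != "UserLogon":
        return False
    logon_type = ev["logon_type"].strip().lower()
    if logon_type == "" or "network" in logon_type:   # ignore empty and network logons
        return False
    return is_vendor_account(ev["account"], group) and ev["dest_ip"] not in authorized


def evaluate(events, threshold=1):
    """Count matching logons per account and return those reaching the frequency threshold."""
    hits = Counter(ev["account"] for ev in events if matches_rule(ev))
    return {acct: n for acct, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for acct, n in evaluate(EVENTS).items():
        print(f"ALERT: vendor account {acct} logged on to unauthorized server(s) {n} time(s)")
```

With the default threshold only the interactive logon by "jrouter" to 10.0.9.7 fires; raising the threshold to 5, as in the walkthrough, suppresses it until the count is reached.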
Visit the Success Center for more information on using Log & Event Manager. https://support.solarwinds.com/Succe..._Manager_(LEM)