0:00:10.009,0:00:11.280
Hello. Skeeter Pond here,
0:00:11.280,0:00:13.150
trainer at SolarWinds®.
0:00:13.150,0:00:17.220
Welcome to the third video in the series,
“How to Actively Defend Your Network
0:00:17.220,0:00:20.070
Using SolarWinds Log & Event Manager™.”
0:00:20.070,0:00:24.150
In this video we’ll talk about some
advanced workstation monitoring.
0:00:24.150,0:00:29.840
Specifically, we’ll demonstrate how to detect
and kill unwanted or unauthorized
0:00:29.840,0:00:32.630
processes on agents.
0:00:32.630,0:00:33.929
Process Auditing,
0:00:33.929,0:00:38.290
an advanced monitoring procedure, is not
enabled by default.
0:00:38.290,0:00:41.950
In order for the SolarWinds Log & Event
Manager to track and respond to such
0:00:41.950,0:00:45.520
events, Process Auditing must be turned on.
0:00:45.520,0:00:49.890
Doing so allows us to monitor for
unauthorized processes, which might
0:00:49.890,0:00:51.409
include: playing games,
0:00:51.409,0:00:54.330
launching or installing unauthorized
software,
0:00:54.330,0:00:56.320
running instant messaging clients,
0:00:56.320,0:00:59.300
or using unauthorized web browsers.
0:00:59.300,0:01:03.970
Once enabled, Process Audit Alerts will
be captured by the All Alerts Filter.
0:01:03.970,0:01:07.580
However, with the volume of traffic
typically captured by this filter, they
0:01:07.580,0:01:10.300
could be extremely difficult to spot.
0:01:10.300,0:01:14.800
Creating a filter to track Process Audit
Alerts would be a better solution.
0:01:14.800,0:01:17.150
If any of these activities were observed,
0:01:17.150,0:01:19.950
we can immediately perform a point and
click response
0:01:19.950,0:01:21.380
to kill the process,
0:01:21.380,0:01:25.330
and then build a rule for any future
occurrences.
0:01:25.330,0:01:29.570
Let's examine a filter designed to
capture these events.
0:01:29.570,0:01:32.829
The logic behind this filter is very
straightforward.
0:01:32.829,0:01:38.079
It simply looks for any Process Audit
Alerts that may exist.
0:01:38.079,0:01:39.869
Here in the monitor area,
0:01:39.869,0:01:42.970
our filter has captured a number of
Process Audit Alerts,
0:01:42.970,0:01:47.189
one of which indicates that the user has
started to play solitaire.
0:01:47.189,0:01:51.649
As this is a violation of company policy,
we want to stop or kill the process
0:01:51.649,0:01:53.350
immediately.
0:01:53.350,0:01:54.820
In order to do so,
0:01:54.820,0:01:57.660
two pieces of information are needed:
0:01:57.660,0:02:01.290
the agent on which the unauthorized
process is running,
0:02:01.290,0:02:03.639
and either the ProcessID
0:02:03.639,0:02:05.700
or the process name.
0:02:05.700,0:02:09.869
The ProcessID is the more specific of
the two identifiers, as different
0:02:09.869,0:02:12.769
applications could have the same name.
0:02:12.769,0:02:16.149
ProcessIDs are unique.
0:02:16.149,0:02:17.550
To kill the process,
0:02:17.550,0:02:22.209
we’ll click the Respond button, and
choose the “All Actions…” option.
0:02:22.209,0:02:23.989
But here's a little tip:
0:02:23.989,0:02:27.759
since the Agent field is the first
required field in our point and
0:02:27.759,0:02:28.930
click response,
0:02:28.930,0:02:31.359
we're going to auto-populate that field
0:02:31.359,0:02:37.799
by clicking on the DetectionIP just
before we click the respond button.
0:02:37.799,0:02:41.609
In the respond window, click the down
arrow next to Action.
0:02:41.609,0:02:43.659
Scroll through the list and select
0:02:43.659,0:02:46.609
“Kill Process by ID”.
0:02:46.609,0:02:50.919
Notice how the Agent field has been auto-populated with the DetectionIP
0:02:50.919,0:02:54.939
information from the alert below.
0:02:54.939,0:02:58.220
Next, we need to drag and drop the
ProcessID
0:02:58.220,0:03:01.079
into the ProcessID field.
0:03:01.079,0:03:04.819
Our point and click response has all
the necessary information, so we can
0:03:04.819,0:03:06.309
click the OK button
0:03:06.309,0:03:09.149
and kill the process.
0:03:09.149,0:03:12.269
The alert indicating the process was
stopped or killed
0:03:12.269,0:03:13.580
can also be found
0:03:13.580,0:03:16.399
in the Process Auditing filter.
0:03:16.399,0:03:20.509
Since these types of unauthorized
activities could occur at any time,
0:03:20.509,0:03:24.779
automating our response by creating a
rule would only make sense.
0:03:24.779,0:03:26.739
Here's how:
0:03:26.739,0:03:29.049
from the “Build Rules” area,
0:03:29.049,0:03:33.999
select the NATO5 rules and the
Active Responses folder.
0:03:33.999,0:03:36.949
Locate and clone the Game Application
Launch -
0:03:36.949,0:03:40.369
Kill Process rule to your Custom Rules
folder.
0:03:40.369,0:03:46.739
The correlations of the rule look for
the “sol.exe” Process Start Event.
0:03:46.739,0:03:50.539
The default actions are to kill the
process by ID,
0:03:50.539,0:03:54.559
and send a pop-up message to the user
informing him or her that playing games
0:03:54.559,0:03:58.409
at work is a violation of company policy.
0:03:58.409,0:04:02.329
Best practice would also dictate that we
be notified of the event,
0:04:02.329,0:04:06.939
so we've added the Send Email Message
action to the Actions Area.
0:04:06.939,0:04:10.779
Now we can enable, save, and activate the
rule.
0:04:10.779,0:04:14.529
We’ll test it by launching solitaire on
our agent.
0:04:14.529,0:04:16.780
The process was killed automatically
0:04:16.780,0:04:22.179
and we receive the pop-up message, which
is exactly the response we wanted.
0:04:22.179,0:04:26.239
Our rule could easily be cloned
and modified to kill other unauthorized
0:04:26.239,0:04:27.619
processes,
0:04:27.619,0:04:32.280
such as installing unauthorized software,
instant messaging clients,
0:04:32.280,0:04:34.270
or even web browsers.
0:04:34.270,0:04:37.939
The possibilities are virtually endless.
0:04:37.939,0:04:40.239
And, here's a few more tips:
0:04:40.239,0:04:44.689
You may be interested in exploring other
activities related to those users who
0:04:44.689,0:04:46.919
caused our rule to fire.
0:04:46.919,0:04:49.300
Running an nDepth search for these
users
0:04:49.300,0:04:51.500
may reveal some interesting events
0:04:51.500,0:04:54.650
or other inappropriate activities.
0:04:54.650,0:04:58.430
Also, taking what you learned in the
previous videos in this series,
0:04:58.430,0:05:00.319
and what you've seen today,
0:05:00.319,0:05:04.270
you might want to create and auto-
populate a user-defined group of these
0:05:04.270,0:05:08.020
offenders for possible disciplinary
action.
0:05:08.020,0:05:11.149
And that brings us to the end of this
video.
0:05:11.149,0:05:16.080
The next video in the series talks about
unusual spikes in network traffic,
0:05:16.080,0:05:17.800
what they might represent,
0:05:17.800,0:05:21.590
and how to respond to them automatically.
0:05:21.590,0:05:23.979
We encourage you to take a look at that
video,
0:05:23.979,0:05:27.520
as well as all the other instructional
and informational videos
0:05:27.520,0:05:28.940
available online
0:05:28.940,0:05:31.169
at www.solarwinds.com.
0:05:31.169,0:05:31.659
Thanks for watching.