Allowing unauthorized processes to run in your network environment is counterproductive and potentially dangerous. However, who has the time to sit and watch for these processes and events? The SolarWinds Log and Event Monitor can do it for you and it can respond to such events automatically, in the appropriate manner, just as if you were there.
Hello. Skeeter Pond here, trainer at SolarWinds®. Welcome to the third video in the series, “How to Actively Defend Your Network Using SolarWinds Security Event Manager.” In this video, we’ll talk about some advanced workstation monitoring. Specifically, demonstrating how to detect and kill unwanted or unauthorized processes on agents.
Process Auditing, an advanced monitoring procedure, is not enabled by default. In order for the SolarWinds Security Event Manager to track and respond to such events, Process Auditing must be turned on. Doing so allows us to monitor for unauthorized processes, which might include: playing games, launching or installing unauthorized software, running instant messaging clients, or using unauthorized web browsers. Once enabled, Process Audit Alerts will be captured by the All Alerts Filter. However, with the volume of traffic typically captured by this filter, they could be extremely difficult to spot. Creating a filter to track Process Audit Alerts would be a better solution. If any of these activities were observed, we can immediately perform a point and click response to kill the process, and then build a rule for any future occurrences.
Let's examine a filter designed to capture these events. The logic behind this filter is very straightforward. It simply looks for any Process Audit Alerts that may exist. Here in the monitor area, our filter has captured a number of Process Audit Alerts, one of which indicates that the user has started to play solitaire. As this is a violation of company policy, we want to stop or kill the process immediately. In order to do so, two pieces of information are needed: the agent on which the unauthorized process is running, and either the ProcessID or the process name. The ProcessID is the more specific of the two identifiers, as different applications could have the same name; ProcessIDs are unique. To kill the process, we’ll click the Respond button, and choose the “All Actions…” option. But here's a little tip: since the Agent field is the first required field in our point and click response, we're going to auto-populate that field by clicking on the DetectionIP just before we click the Respond button. In the respond window, click the down arrow next to Action. Scroll through the list and select “Kill Process by ID”. Notice how the Agent field has been auto-populated with the Detection IP information from the alert below.
Next, we need to drag and drop the ProcessID into the ProcessID field. Our point and click response has all the necessary information, so we can click the OK button and kill the process. The alert indicating the process was stopped or killed can also be found in the Process Auditing filter. Since these types of unauthorized activities could occur at any time, automating our response by creating a rule would only make sense. Here's how: from the “Build Rules” area, select the NATO5 rules and the Active Responses folder. Locate and clone the Game Application Launch - Kill Process rule to your Custom Rules folder. The correlations of the rule look for the “sol.exe” Process Start Event. The default actions are to kill the process by ID, and send a pop-up message to the user informing him or her that playing games at work is a violation of company policy. Best practice would also dictate that we be notified of the event, so we've added the Send Email Message action to the Actions Area.
Now we can enable, save, and activate the rule. We’ll test it by launching solitaire on our agent. The process was killed automatically and we receive the pop-up message, which is exactly the response we wanted. Our rule could easily be cloned and modified to kill other unauthorized processes, such as installing unauthorized software, instant messaging clients, or even web browsers. The possibilities are virtually endless.
And, here are a few more tips: You may be interested in exploring other activities related to those users who caused our rule to fire. Running an nDepth search for these users may reveal some interesting events or other inappropriate activities. Also, taking what you learned in the previous videos in this series, and what you've seen today, you might want to create and auto-populate a user-defined group of these offenders for possible disciplinary action. And that brings us to the end of this video.
The next video in the series talks about unusual spikes in network traffic, what they might represent, and how to respond to them automatically. We encourage you to take a look at that video, as well as all the other instructional and informational videos available online at www.solarwinds.com. Thanks for watching.
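The kill-by-ID rule walked through in this video, sketched as an added Python example (not SolarWinds code and not from the video): it correlates on process-start alerts for a denylisted name and plans the three responses (kill by ID, pop-up, email) per agent and ProcessID. The alert field names, the denylist, the message text and the sample alerts are all constructed for illustration and are not the product's schema.

```python
import ntpath

# Hypothetical denylist; the rule in the video correlates on sol.exe.
UNAUTHORIZED = {"sol.exe"}

# Constructed sample alerts; field names are illustrative, not SEM's schema.
SAMPLE_ALERTS = [
    {"event": "ProcessStart", "detection_ip": "10.0.0.21", "process_name": "sol.exe", "process_id": 4312},
    {"event": "ProcessStart", "detection_ip": "10.0.0.21", "process_name": r"C:\Windows\System32\SOL.EXE", "process_id": 5120},
    {"event": "ProcessStart", "detection_ip": "10.0.0.34", "process_name": "sol.exe", "process_id": 4312},
    {"event": "ProcessStart", "detection_ip": "10.0.0.21", "process_name": "notepad.exe", "process_id": 900},
    {"event": "ProcessStop", "detection_ip": "10.0.0.21", "process_name": "sol.exe", "process_id": 4312},
    {"event": "ProcessStart", "detection_ip": "10.0.0.21", "process_name": "sol.exe", "process_id": 4312},  # duplicate
]

def plan_responses(alerts, unauthorized=UNAUTHORIZED):
    """Return the ordered response actions for a batch of process-audit alerts."""
    actions, handled = [], set()
    for alert in alerts:
        # Correlate on process starts only; stop events need no response.
        if alert.get("event") != "ProcessStart":
            continue
        # Compare on the lower-cased file name so a full path or different case still matches.
        name = ntpath.basename(alert.get("process_name", "")).lower()
        if name not in unauthorized:
            continue
        agent, pid = alert.get("detection_ip"), alert.get("process_id")
        # Kill-by-ID needs both the agent and the ProcessID; without them, only notify.
        if not agent or pid is None:
            actions.append({"action": "notify_only", "reason": "missing agent or ProcessID", "process": name})
            continue
        # A ProcessID only identifies a process on the agent that reported it,
        # so de-duplicate (within this batch) on the pair, not on the PID alone.
        if (agent, pid) in handled:
            continue
        handled.add((agent, pid))
        actions.append({"action": "kill_process_by_id", "agent": agent, "process_id": pid})
        actions.append({"action": "popup_message", "agent": agent,
                        "text": "Playing games at work is a violation of company policy."})
        actions.append({"action": "send_email", "subject": f"{name} killed on {agent} (PID {pid})"})
    return actions

if __name__ == "__main__":
    for step in plan_responses(SAMPLE_ALERTS):
        print(step)
```
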