Example: WMI Monitor

Imagine that a device on your network has been broken into through a brute force attack (an attack in which an intruder runs a script that tries random usernames and passwords against a range of IP addresses on your network). Attacks of this type are extremely dangerous if the compromised device is joined to your domain or stores sensitive information.

You can use a custom WMI Active Monitor to check the appropriate performance counters on a Windows device and notify you when this type of attack is under way, so you can respond before a potential intruder gains access to your network.

To configure this type of Active Monitor:

  1. Using the WhatsUp Gold web interface, create the WMI monitor.
    1. In the web interface, select Go > Configure > Active Monitor Library, then click New. The Select Active Monitor Type dialog opens.
    2. Select WMI Monitor and click Ok. The Add WMI Monitor dialog opens.
    3. In the Name box, enter "ErrorsLogon" to identify that this monitor checks for logon errors.
    4. Click the Browse button next to Instance to access the Performance Counters dialog.
    5. Enter the share name or IP address of the computer to which you want to connect.
    6. Enter the domain and user login for the account on this computer. If a domain account is used, then the expected user name is domain\user. If the device is on a workgroup, there are two possible user names: workgroup name\user or machine name\user.
    7. Enter the password for the login used above and click OK to connect to the computer. The Performance Counters dialog opens.
    8. In the Performance object box, select Server.
    9. In the Server folder, select the ErrorsLogon performance counter.

      Take note of the Current value entry at the bottom of the dialog. This is the number of logon errors currently reported through WMI.

      Click OK to add the Performance counter to the New WMI Monitor dialog.

    10. In the Check type box, select Rate of Change.
    11. In the Rate of Change box, enter the number of logon errors you feel is acceptable. This is the number of failed logon attempts between polls.
    12. In the If the value is above the rate, then the monitor is box, select Down.
    13. Click OK to add the active monitor to the library.
  2. Enter the credentials for logging on to the device to which you will add this monitor.
    1. In the Device Properties for the device, select the Credentials section.
    2. In the Credentials section, click the Browse button next to Windows credentials to access the Credentials Library.
    3. Create a Windows credential using the administrator login and password for the device on which you want to run the monitor. When you have configured the credential, click Close.
    4. On the Credentials page, select the new Windows credential, then click OK.
  3. Add the ErrorsLogon monitor to the problem device.
    1. In your device list, find the device. Double-click the device to display its properties, then select Active Monitors.
    2. Click Add. The Active Monitor wizard opens.

      Select the ErrorsLogon monitor, and continue with the wizard to configure any actions for the monitor.

    3. For more information on setting up an action, see Configuring an Action.

You may want to consider creating several levels of the active monitor, each with a higher threshold than the last and with a more severe action associated with it.

For example, create a monitor with 30 as the threshold that simply sends you an email, letting you know that at least 31 attempts have been made. Next, create another monitor that uses 60 as the threshold. This monitor may have an SMS action associated with it that sends a text message to you when at least 61 attempts are made. For the most severe level you could create a 100 threshold and have the action send messages to several people who may be able to block the IP or take the device off the network while the attack is addressed.
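The same check, written as an added PowerShell example rather than WhatsUp Gold's own code: it polls the Server performance object's ErrorsLogon counter over CIM, treats the difference between two polls as the rate of change, and applies the three tiers described above. The CIM class name Win32_PerfRawData_PerfNet_Server, the $ComputerName and $Credential parameters, and the log messages are this example's assumptions; the actions are placeholders for the email, SMS and escalation actions you would configure in the Active Monitor wizard.

```powershell
# Added example, not part of the WhatsUp Gold documentation.
# Assumes the standard CIM class Win32_PerfRawData_PerfNet_Server, which
# exposes the Server object's ErrorsLogon counter as a cumulative count.
param(
    [string]$ComputerName = 'localhost',   # monitored device (assumed default)
    [int]$PollSeconds = 60,                # polling interval, as in the monitor
    [pscredential]$Credential              # optional, e.g. Get-Credential 'DOMAIN\user'
)

# Tiers mirror the text: most severe first, so the first match is the one that fires.
$Tiers = @(
    @{ Threshold = 100; Action = { param($d) Write-Warning "CRITICAL: $d failed logons since last poll; notify response team" } },
    @{ Threshold = 60;  Action = { param($d) Write-Warning "HIGH: $d failed logons since last poll; send SMS" } },
    @{ Threshold = 30;  Action = { param($d) Write-Warning "NOTICE: $d failed logons since last poll; send email" } }
)

# Open one CIM session for the whole run; a local session needs no credential.
$sessionArgs = @{ ComputerName = $ComputerName }
if ($Credential) { $sessionArgs['Credential'] = $Credential }
$session = New-CimSession @sessionArgs

function Get-ErrorsLogon {
    # Current value of the counter, the same number the Performance Counters dialog shows.
    (Get-CimInstance -CimSession $session -ClassName 'Win32_PerfRawData_PerfNet_Server').ErrorsLogon
}

function Get-RateOfChange {
    param([uint64]$Previous, [uint64]$Current)
    # ErrorsLogon only grows, so the delta between polls is the Rate of Change
    # the monitor evaluates. A smaller current value means the counter was reset
    # (for example after a reboot), so report 0 rather than a bogus negative rate.
    if ($Current -lt $Previous) { return 0 }
    return [uint64]($Current - $Previous)
}

try {
    $previous = Get-ErrorsLogon
    while ($true) {
        Start-Sleep -Seconds $PollSeconds
        $current = Get-ErrorsLogon
        $delta = Get-RateOfChange -Previous $previous -Current $current
        $previous = $current
        # "If the value is above the rate, then the monitor is Down": strictly greater than.
        $tier = $Tiers | Where-Object { $delta -gt $_.Threshold } | Select-Object -First 1
        if ($tier) { & $tier.Action $delta }
        else { Write-Output "$(Get-Date -Format s) ErrorsLogon delta=$delta (Up)" }
    }
}
finally {
    Remove-CimSession $session
}
```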