Example: WMI Monitor
Imagine that a device on your network has been illegally logged into through a brute force attack (an attack where an intruder runs a script to try random usernames and passwords on a range of IP addresses on your network). These types of attacks are extremely dangerous if the device that is compromised is on your domain or has sensitive information stored on it.
You can use a custom WMI Active Monitor to check the appropriate performance counters on a Windows device and notify you when this type of attack occurs, so you can do something about it before a potential intruder gains access to your network.
To configure this type of Active Monitor:
- Using the WhatsUp Gold web interface, create the WMI monitor.
  - In the web interface, select , click . The Select Active Monitor Type dialog opens.
  - Select and click . The Add WMI Monitor dialog opens.
  - In the box, enter "ErrorsLogon" to identify that this monitor checks for logon errors.
  - Click the () button next to to access the Performance Counters dialog.
  - Enter the share name or IP address of the computer to which you want to connect.
  - Enter the domain and user login for the account on this computer. If a domain account is used, the expected user name is domain\user. If the device is in a workgroup, there are two possible user names: workgroup name\user or machine name\user.
  - Enter the password for the login used above and click to connect to the computer. The Performance Counters dialog opens.
  - In the box, select Server.
  - In the folder, select the performance counter. Take note of the Current value entry at the bottom of the dialog. This is the number of logon errors currently reported through WMI.
  - Click to add the performance counter to the New WMI Monitor dialog.
  - In the box, select .
  - In the box, enter the number of logon errors you consider acceptable. This is the number of failed logon attempts between polls.
  - In the box, select .
  - Click to add the active monitor to the library.
- Enter the credentials for logging on to the device to which you will add this monitor.
  - In the Device Properties for the device, select the section.
  - In the Credentials section, click the () button next to to access the Credentials Library.
  - Create a Windows credential using the administrator login and password for the device you want to create the active monitor for. When you have configured the credential, click .
  - On the Credentials page, select the new , then click .
- Add the monitor to the problem device.
  - In your device list, find the device. Double-click the device to display its properties, then select Active Monitors.
  - Click . The Active Monitor wizard opens. Select the ErrorsLogon monitor, and continue with the wizard to configure any actions for the monitor.
  - For more information on setting up an action, see Configuring an Action.
You may want to create several levels of this active monitor, each with a higher threshold than the one before and a more severe action associated with it.
For example, create a monitor with 30 as the threshold that simply sends you an email, letting you know that at least 31 attempts have been made. Next, create another monitor that uses 60 as the threshold. This monitor may have an SMS action associated with it that sends a text message to you when at least 61 attempts are made. For the most severe level you could create a 100 threshold and have the action send messages to several people who may be able to block the IP or take the device off the network while the attack is addressed.
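The following PowerShell is an added example, not WhatsUp Gold code: it reads the same Server "Errors Logon" counter through WMI and maps the increase between two polls onto the 30/60/100 tiers described above. It assumes the counter is exposed by the WMI class Win32_PerfFormattedData_PerfNet_Server (property ErrorsLogon); the tier action names and the sample readings are constructed.

```powershell
# Read the cumulative "Errors Logon" counter of the Server object via WMI.
# -ComputerName and -Credential mirror the connection fields in the monitor's
# Performance Counters dialog; both are optional for the local machine.
function Get-LogonErrorCount {
    param(
        [string]$ComputerName = 'localhost',
        [pscredential]$Credential
    )
    $class = 'Win32_PerfFormattedData_PerfNet_Server'   # assumed class backing the Server object
    if ($Credential) {
        $session = New-CimSession -ComputerName $ComputerName -Credential $Credential
        try     { (Get-CimInstance -CimSession $session -ClassName $class).ErrorsLogon }
        finally { Remove-CimSession -CimSession $session }
    } else {
        (Get-CimInstance -ComputerName $ComputerName -ClassName $class).ErrorsLogon
    }
}

# Map the poll-to-poll increase onto escalation tiers. A threshold of 30 fires
# when at least 31 new failures occurred, as the text describes (delta > threshold).
# The counter is cumulative since the Server service started, so a reading lower
# than the previous one means it was reset (e.g. reboot); the new reading is then
# treated as the delta instead of producing a negative number.
function Get-LogonErrorTier {
    param(
        [int64]$Previous,
        [int64]$Current,
        [hashtable]$Tiers = @{ 30 = 'Email'; 60 = 'SMS'; 100 = 'Page on-call team' }  # constructed
    )
    $delta = if ($Current -ge $Previous) { $Current - $Previous } else { $Current }
    $hit = $Tiers.Keys | Where-Object { $delta -gt $_ } | Sort-Object -Descending | Select-Object -First 1
    [pscustomobject]@{
        NewErrors = $delta
        Tier      = if ($null -ne $hit) { $Tiers[$hit] } else { 'None' }
    }
}

# Constructed sample: consecutive counter readings taken at successive polls.
# The last reading is lower than the one before it, simulating a counter reset.
$samples = 12, 15, 58, 131, 4
for ($i = 1; $i -lt $samples.Count; $i++) {
    Get-LogonErrorTier -Previous $samples[$i - 1] -Current $samples[$i]
}

# Live use: poll the real counter on a schedule and feed consecutive values in.
# $now = Get-LogonErrorCount -ComputerName 'fileserver01' -Credential (Get-Credential)
```

Because the monitor compares deltas between polls, a long polling interval lets a slow brute-force run stay under each threshold; choose the interval together with the threshold values.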