Using WMI to create alert for a specific security event

A while back I got a request from the security department: they wanted to know when someone signed onto the file and print servers using an RDP (Remote Desktop) connection. Since we already have ACS deployed and these events are already stored in a database, it was easy to pull this information out of the ACS databases. What they wanted, however, was to be emailed in real time when this happened, i.e. when someone signs onto a file and print server. One approach to get this done is to use WMI and the SCOM management group.

You will need to create an Alert Generating WMI Event rule.

Choose a destination management pack different from the “Default Management Pack” and click “Next”.
On the next screen give the rule a name. As a best practice I also put “Custom – ” in front of any rule that I create; it makes searching for rules easier.
The rule category must be “Alert”, as we will create an alert.

Here comes the important bit: the Rule Target must be “Microsoft Audit Collection Services Collector”. The WMI query will run against the WMI namespace on the ACS collector server, as that is where all security events from the forwarders are forwarded to.

Click Next

On the WMI Configuration screen you will need to specify the WMI Namespace and also the Query.
The namespace must be “root\default”.
The query in my case is “SELECT * FROM AdtsEvent WHERE EventId=528 AND String01='10'”.

Security Event 528 is logged when an account successfully logs onto a computer.

Now String01 is the more difficult part: the value 10 refers to the LogonType, and 10 equals the RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance) logon type, which is what I need.

An easy way to find out which strings ACS breaks a security event up into is to run a select statement against the ACS database server for all events with ID 528:
SELECT * FROM AdtServer.dvAll WHERE EventId=528
This query returns all the events, and you can see the fields and which database columns they are stored in.

Click Next

On the Configure Alerts screen you need to create and specify the alert name and alert description.
The alert description allows you to custom-define what you want the alert to say. In my case I used:

The User: $Data/EventData/DataItem/Property[@Name='PrimaryDomain']$\$Data/EventData/DataItem/Property[@Name='PrimaryUser']$ signed onto server: $Data/EventData/DataItem/Property[@Name='String04']$ using an RDP session from IP Address: $Data/EventData/DataItem/Property[@Name='String02']$

The fields above are referenced like that; if you run the query against the ACS database server you can substitute the SQL column names for the values inside the ' ' quotes to get that information into the alert description.

I left all other fields default and clicked Create.
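As an added example (not from the original post), the same AdtsEvent query and alert text can be tried from PowerShell on the ACS collector before the SCOM rule is created, which is a quick way to confirm the class, the WHERE clause and the property names (PrimaryDomain, PrimaryUser, String04, String02, taken from the alert description above). It assumes AdtsEvent is exposed as a WMI event class in root\default on the collector, and the mail addresses and SMTP server are placeholders.

```powershell
# Added example, not the post's own code. Run on the ACS collector (the rule target).
# Assumption: AdtsEvent is a WMI event class in root\default with the properties
# the alert description references (PrimaryDomain, PrimaryUser, String04, String02).

# 1. Check that the class exists in the namespace the rule will use.
$cls = Get-WmiObject -Namespace 'root\default' -List | Where-Object { $_.Name -eq 'AdtsEvent' }
if (-not $cls) { throw "AdtsEvent class not found in root\default; is this the ACS collector?" }

# 2. Same query as the SCOM rule: 528 = successful logon (legacy, pre-Server 2008 ID),
#    String01 = LogonType, 10 = RemoteInteractive (RDP / Terminal Services / Remote Assistance).
$query = "SELECT * FROM AdtsEvent WHERE EventId=528 AND String01='10'"

# 3. Subscribe and build the same text the alert description produces.
Register-WmiEvent -Namespace 'root\default' -Query $query -SourceIdentifier 'AcsRdpLogon' -Action {
    $e      = $Event.SourceEventArgs.NewEvent
    $user   = '{0}\{1}' -f $e.PrimaryDomain, $e.PrimaryUser   # PrimaryDomain\PrimaryUser
    $server = $e.String04                                     # server signed onto
    $ip     = $e.String02                                     # source IP address
    $text   = "The User: $user signed onto server: $server using an RDP session from IP Address: $ip"
    Write-Host $text

    # Placeholder mail settings (assumption): replace with your own relay and addresses.
    Send-MailMessage -To 'security@example.com' -From 'acs@example.com' `
        -SmtpServer 'smtp.example.com' -Subject 'RDP logon on file/print server' -Body $text
}

# The subscription lives as long as this session; remove it with:
# Unregister-Event -SourceIdentifier 'AcsRdpLogon'
```

If the subscription prints nothing while RDP logons are happening, check the collector receives 528 events at all with the dvAll query above before suspecting the WHERE clause.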

Example of alert in the console
