GETTING STARTED GUIDE

Threat Monitor, Version 1.0

Last Updated: Friday, October 16, 2020

 


© 2020 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

GETTING STARTED GUIDE: THREAT MONITOR

page 2


Table of Contents

Get started with Threat Monitor 4
Additional information for MSSPs 5
TM system requirements 8
Initial Threat Monitor login 9
Configure and customize dashboards 10
Create and edit dashboards and widgets 10
Geolocate and group events by country 15
Interact with widgets to view network activity 16
View event logs 18
Create search queries and views 21
Run and edit reports 24
Build a visual report 25
View and edit alarm policies 26
View triggered alarms 28
Add and edit users 30
Manage network policies 33
Manage assets 35


Get started with Threat Monitor

The Threat Monitor Getting Started Guide leads you through configuring Threat Monitor to manage and monitor event messages from your network devices.

To get started with Threat Monitor, complete the following tasks. If you are a licensed customer, coordinate with your customer support representative.

 1. Obtain your account credentials and Threat Monitor link.*

 2. Review the system requirements.

 3. Log in to the Threat Monitor UI. The first time you log in, you will be prompted to change your password.

 4. Install the Threat Monitor collector on VMware vSphere or Microsoft Hyper-V.

 5. Add a new collector from the Threat Monitor dashboard and record your collector activation token.

This step is required for new trial users. If you are a licensed customer, coordinate with your customer support representative, if necessary.

 6. Configure your network devices to transmit syslogs to the Threat Monitor collector. For information on configuring a specific device, refer to your vendor documentation.

 7. Configure the Threat Monitor collector to receive and process syslog messages, and add the corresponding plugins to monitor an array of third-party data sources.

 8. Install an OSSEC agent from the collector to monitor Windows Events.

 9. Verify that logs from your network devices are being processed into the system.

*This information will be provided in your registration confirmation email.

Existing customers: Follow the recommendations in the Threat Monitor Installation Guide to ensure your system capabilities are correct and your production environment is sized correctly. Access your licensed software from the SolarWinds Customer Portal. If you need any implementation help, contact our Support Team.

Evaluators: If you are evaluating SolarWinds Threat Monitor, download a free 14-day limited evaluation. After the evaluation period, you can convert your evaluation license to a production license. If you need assistance with your evaluation, contact [email protected].

MSSPs: Contact SolarWinds MSP to determine the best solution for your organization.


Additional information for MSSPs

This section contains additional information to help MSSPs get started with Threat Monitor.

Multitenancy and custom branding are only available to licensed customers.

Set up a multitenant environment

SolarWinds Threat Monitor supports multitenancy by allowing you to accommodate multiple tenants (customers) through a single instance of the Threat Monitor software.

Each tenant maintains an individual share of this instance, which includes administrative functions such as UI configuration, user management, general setup and configuration, as well as log collection and management.

Even though tenants share the same infrastructure, data is segregated among tenants. No individual tenant data is accessible by other tenants. This is managed by adding multiple collectors to the MSSP environment. The MSSP Super Admin user can then determine collector access and restrictions per tenant.

To get started with multitenancy, SolarWinds needs the following:

 - Hostnames and domain names
 - SMTP server settings
 - Collector provisioning information

Hostnames and domain names

Provide two different hostnames for the portals you plan to use: one for the web UI, and the other for authentication and access to the web UI when connecting from a new web browser or IP Address.

For example:

 - soc.<insertcompanydomain> — This is your main login page and is the URL for you and your staff to log in to the application.

 - access.<insertcompanydomain> — This page handles the transmission of the request token when a user logs in from a new location. The application automatically redirects to this URL when a new location is detected.

To ensure secure client/server communication, the Threat Monitor network environment uses an SSL certificate. To generate the SSL certificate, SolarWinds uses a Certification Signing Request (CSR), which requires the following point of contact information:

 - Email address
 - Organization name
 - City
 - State or Province
 - Country


SMTP server settings

SolarWinds configures the web UI with IP address, port, and authentication information for sending system-generated emails such as authentication tokens, reports, and alarms. There are two from addresses configured through the web UI: one for alerts, and the other for sending reports and authentication tokens. For example:

 - alerts@<insertcompanydomain>
 - socsupport@<insertcompanydomain>

The two addresses can also be the same.

Collector provisioning information

Provide the following provisioning information for the network (MSSP or customer) where you will deploy the collector. After initial provisioning and setup of your first collector, provide this information for each customer collector.

 - Organization name
 - Network: MSSP or customer network
 - IP address: Static IP address assigned to the collector
 - Netmask: Subnet mask from the network
 - Gateway: Default gateway or router
 - DNS entries: DNS servers from your network, or another third party, for the collector
 - Search domain: Local domain name of the network environment (for example, solarwinds.local)
 - Time zone: Time zone relevant to the network
 - Virtual host type (virtual server for the network): VMware or Hyper-V

After SolarWinds completes the collector provisioning, we will contact you to complete the collector setup.

Set up customers in Threat Monitor

 1. In Threat Monitor, navigate to Access > Companies, and then click New.

 2. Enter the client name and description, and then click Save.

The Super Admin typically adds the company before the provisioning process. Otherwise, SolarWinds will add the company to the web UI during collector provisioning.

Add custom branding

SolarWinds allows you to apply your company logo and color scheme to the Threat Monitor UI to provide a familiar look for your customers.


SolarWinds applies company branding in three locations:

 - Splash background image for the login screen
 - Company logo for the login screen
 - Background for the main header that appears on the Threat Monitor UI

You can choose a background image or select a single color. Most MSSPs choose a single-color header, but these settings are easily changeable. The header also displays the company logo image on the far left.

SolarWinds will customize the UI to your specifications, and then provide images for your final approval.

Branding requirements

 - Splash background image: High-resolution JPG file or background color (1650 x 1120)
 - Logo: High-resolution PNG file (400 x 110)
 - Header: High-resolution PNG file or background color (400 x 110 or 40 x 40)

SolarWinds can also brand your access request email and add a support email address that appears at the bottom of the web UI. For example:

 - Email subject: <companyname> Login Request
 - Support contact: For issues, please contact support@<insertcompanydomain>
 - Time zone: Choose the time zone to be set in the web UI


TM system requirements

The following specifications are required for a typical SolarWinds data collector deployment under VMware or Hyper-V environments. They are intended as a baseline and should be confirmed with SolarWinds prior to deployment.

Type: Hardware

Minimum requirements:

 - VMware
   o 4 cores
   o 8 GB RAM
   o 160 GB HDD volume

 - Hyper-V
   o 8 cores (will function with four, but with diminished performance)
   o 8 GB RAM
   o 160 GB HDD volume

 - 1 Ethernet Controller (NIC) for IP address management
 - 1 Ethernet Controller (NIC) for Intrusion Detection (optional)

Type: Network connectivity and access control lists

Minimum requirements:

 - Static IP address (DHCP for trial users)
   o Connected to an accessible vSwitch instance

 - TCP and UDP port 53 access to internal DNS servers
 - Outbound TCP port 443 (HTTPS) to the SolarWinds VPN Gateway (to be determined at deployment time)
 - Local network inbound TCP and UDP port 514
   o For local Syslog data sources

 - Local network bi-directional TCP and UDP port 1514
   o For OSSEC Agent connectivity

 - Inbound TCP port 9654
   o For OSSEC Agent key negotiation

 - Available physical NIC on the host VMware/Hyper-V server
   o To connect to a SPAN/Monitor port within the core-switching environment to facilitate Intrusion Detection capabilities (optional). Specific configuration requirements will be provided prior to implementation.

No inbound connectivity is required from the Internet.


Initial Threat Monitor login

 1. Enter your user name and password, and then click Login.

The first time you log in, you will be prompted to change your password.

 2. At the prompt, change your password. The initial Threat Monitor view includes the available list of collector images.

 3. Select and download a collector image.

 4. Install the collector image, and then log in to the collector with the following credentials:

 - Username: admin
 - Password: IamSuperUser

To log in to the collector, enter the collector IP address using port 5000 (for example, http://10.10.10.10:5000). When you log in for the first time, you will be prompted to change your password.

For additional installation and configuration information, see the TM installation and admin guides.


Configure and customize dashboards

Threat Monitor dashboards present device event data through a variety of graphical widgets from all collectors in your network cluster. You can customize existing dashboards, create new dashboards, and even share your dashboards with other users in your network.

The initial dashboard view is populated with events occurring within the past hour. If your dashboard widgets are not displaying data, adjust the time to today, last week, or last month.

Each dashboard widget can be moved, removed, added to a different dashboard, and edited to display specific event log data from your network devices. Click the tabs to navigate through a series of dashboards and configured widgets to observe and monitor activity in your network.

You can also set your dashboards to full-screen auto-rotate mode to cycle through your dashboards indefinitely and keep your session active.

Create and edit dashboards and widgets

To create or edit your dashboards, log in as an administrator, click the Dashboards tab, and then click the gear icon. In edit mode, you can create new dashboards, add and remove widgets, edit display values in existing widgets, and reorder tabs.


 1. To create a new dashboard, click New Dashboard. The Add new Dashboard Tab page appears.

 2. Enter a dashboard name, and then click Add.

 3. Click your new dashboard tab, and then click Add Widget.

 4. From the Section drop-down list, select a widget type.

 5. Enter a name or title for the widget.


 6. Click Add. The widget appears on the new dashboard.

 7. Continue to add and arrange widgets as needed on the dashboard.

 8. As you add widgets, you can set widget properties such as colors, number of events, and filter queries. Click the gear icon on an existing widget to make additional edits.


Add one or more of the following graph or chart widget types:

Add one or more event or facet widgets:


Add one or more geolocation (maps) widgets


Geolocate and group events by country

Group events based on country or geographic location to view reputation data and associated information.

 1. In the Threat Monitor dashboard, click Reputation Data.

 2. Move the mouse pointer over a country and click to select it. The Event Logs page appears listing associated events and messages.


 3. To geolocate events in a specific view, click the geolocation icon. The view refreshes to display the map and the number of associated events by country.

 4. Zoom in on the map to view a specific location, and then click a pushpin to view logs associated with that location.

 5. To return to the standard view, click Close Map.

Interact with widgets to view network activity

Widgets are actively linked to network devices, which means you can click each graphic element to drill down into specific event data for in-depth analysis and root-cause investigation.

For example, in the Top Alarms widget, you can click a specific alarm policy rule to open the Alarms tab and review triggered alarms associated with that policy.


View event logs

In Threat Monitor, click Event Logs to view events in real time as they occur in your environment.

As logs stream into the table, the most recent events are listed first. Each log is parsed and lists any relevant data, including geolocation coordinates, reputation data, and host name resolution.


 1. Click a log to view the associated event details.

Each log event details summary includes data that can be useful for correlating with other events, IP addresses, ports, etc.

 2. To group and view high-level facets of the current data set, click Analyze Results.


 3. To refine your results to group and view a specific subset of data, click the Add to Search Criteria icon next to any record detail in the table.

The search syntax updates and auto-submits the form.

 4. To drill down even further, select a record to either filter out, or filter on, data from the main events table to view very specific event logs and details. You can also click any column heading to show or hide the icons in each column row.

 5. To adjust the data set to a specific time frame, drag the mouse over the histogram.

 6. To export the results (up to 500 records) to Microsoft Excel, click the Excel icon.

 7. To find unmatched events, navigate to Admin > Failed Events.

 8. To see all possible field names that can be used during an event query, navigate to Admin > Event Fields.

Create search queries and views

On the Event Logs page, you can create, edit, and save full-text custom queries to monitor log messages for specific groups or event activity, such as Active Directory logins, file integrity monitoring, antivirus, etc.

Follow this example to construct your query:

 1. To remove existing query data from the search field, click Clear Form.

 2. Use one or more of the following search parameters:

 - Key words (Administrator)
 - Wildcards (Admin*)
 - Specific data fields (username:administrator)
 - IP addresses and ranges (src_net:192.168.0.0/2)
 - Any (for free-text search)
 - Use a dash (-) for Does Not Contain a particular field
 - Spaces are treated as implicit AND operands
 - Exists: and Missing: are valid prefixes for data fields

 3. Select your time frame or enter a custom time range.

 4. To save the search and add it to your views, click Add Search Criteria to My Views.


 5. Enter a name for your query view.

 6. Select the time frame type.

 7. To make this your default Event Logs view, select the Is default check box.

 8. Select facets and fields to display specific data points in your view.


 9. Click Add View. The new view tab is added to the Event Logs page.

 10. To view the high-level query facets and associated data, click Analyze Results.

 11. To turn on the facet graphs, click the associated image icon.

 12. To enable search within a facet, click the associated search icon.

 13. To modify your query, edit the parameters in the search field, and then click Update.

 14. To share the query view with another user in your network, click the gear icon.

 15. On the editable tab, click the Share tab icon.

 16. Select one or more available users, and then click Export.

 17. To move the tab, drag it to another position in the tab rows.

 18. To remove the query from your view and search history, click the delete icon.
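The search terms from step 2 can be tried offline against sample records with the following Python evaluator (an added example, not the product's own code). The sample events, the field names other than username and src_net, and the exact matching semantics are assumptions; the guide does not document the real engine's tokenisation.

```python
"""Offline evaluator for Threat Monitor-style search terms (added example,
not the product's own code). It models the term forms listed in step 2:
key words, wildcards, field:value, field:CIDR, a leading dash for "does not
contain", whitespace as implicit AND, and the Exists:/Missing: prefixes.
The real engine's tokenisation and ranking are not documented in the guide,
so the exact semantics below are assumptions.
"""
import fnmatch
import ipaddress
import shlex

# Constructed sample of parsed events; the field names username and src_net
# follow the guide's own examples, the rest are illustrative.
SAMPLE_EVENTS = [
    {"username": "administrator", "src_net": "192.168.10.5",
     "message": "Logon failure", "host": "dc01"},
    {"username": "jdoe", "src_net": "10.1.2.3",
     "message": "Logon success", "host": "fs01"},
    {"username": "admin-svc", "src_net": "192.168.44.9",
     "message": "File integrity change"},
    {"src_net": "203.0.113.7",
     "message": "Administrator account lockout", "host": "dc01"},
]


def _value_matches(value, pattern):
    """Case-insensitive match of one field value against a term pattern.

    A pattern containing '/' is treated as a CIDR range (src_net:192.168.0.0/16);
    '*' and '?' are glob wildcards, as in the guide's Admin* example; anything
    else must match the whole value.
    """
    value = str(value)
    if "/" in pattern:
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:  # value is not an IP address, or the pattern is malformed
            return False
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def term_matches(event, term):
    """Evaluate a single search term against one parsed event record."""
    negate = term.startswith("-")           # leading dash: does not contain
    if negate:
        term = term[1:]
    lowered = term.lower()
    if lowered.startswith("exists:"):
        hit = term[len("exists:"):] in event
    elif lowered.startswith("missing:"):
        hit = term[len("missing:"):] not in event
    elif ":" in term:                       # specific data field
        field, pattern = term.split(":", 1)
        hit = field in event and _value_matches(event[field], pattern)
    elif any(ch in term for ch in "*?"):    # wildcard over every field value
        hit = any(_value_matches(v, term) for v in event.values())
    else:                                   # bare key word: free-text substring
        hit = any(lowered in str(v).lower() for v in event.values())
    return hit != negate


def search(events, query):
    """Return the events matching every term; spaces are implicit AND.

    shlex keeps a quoted phrase such as "Logon failure" together as one term.
    """
    terms = shlex.split(query)
    return [e for e in events if all(term_matches(e, t) for t in terms)]


def describe(query, events=SAMPLE_EVENTS):
    """List the src_net of each sample event a query selects, which is a quick
    way to sanity-check a query before saving it as a view."""
    return [e["src_net"] for e in search(events, query)]


if __name__ == "__main__":
    for q in ("Administrator", "Admin*", "username:administrator",
              "src_net:192.168.0.0/16 -host:dc01", "Missing:host", "Logon failure"):
        print(f"{q!r:40} -> {describe(q)}")
```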


Run and edit reports

Threat Monitor includes a variety of out-of-the-box reports that you can share with other members of your organization. You can run, edit, copy, and create the following report types:

 - Data reports (Excel spreadsheets)
 - Multi-tabbed reports (one spreadsheet, multiple reports)
 - Visual reports (PDF format)

Use the visual report templates to create custom reports.

 1. In Threat Monitor, click the Reports tab, and then select a report type.

 2. To configure or modify an existing report, select a report, and then click Edit.

 3. Modify or maintain the existing report name.

 4. Enter your search criteria manually, or load a query from an existing event view to pre-populate the report.


 5. Select your time frame and time zone format.

The report timestamp will appear relative to the selected time zone, even though the raw log time will indicate the time in the location the log was generated.

 6. Select the filters and fields to display in the report.

 7. Schedule your report to run once, daily, weekly, or monthly.

 8. Set the day and time to generate the report.

 9. To send the report by email, select the check box and enter your recipients.

 10. Select or edit a report email template.

 11. Click to save, run, copy, or delete the report.

Select Multi-tabbed reports to distribute a single spreadsheet containing multiple reports.

Build a visual report

 1. In Threat Monitor, navigate to Reports > Visual Reports.

 2. To access the report builder, select a report, and then click Layout Editor.

 3. To modify the report, click the gear icon.

 4. Add and arrange graphs and data views.

 5. To include additional information, add report pages.

 6. Click Save, and then click Generate and email to distribute the PDF-formatted report.


View and edit alarm policies

Users with administrator access can view and edit pre-defined log policies, and then apply specific trigger criteria and subsequent actions for designated network events and activity.

 1. In Threat Monitor, navigate to Admin > Alarm Policies.

 2. To view or edit a policy, click to expand a policy category, and then click to select a policy.

 3. Adjust your filters, subsequent actions, and additional parameters, and then click Save.

If the policy has multi-level rules, you can add, delete, and modify each rule within the policy. The multi-level rules allow you to manage the number of alert triggers within a specific category.


In the example below, the rule policy is configured to trigger after two incorrect password attempts, and then after 40 attempts within a five-minute span. Additional actions include an active response after 100 hits in 10 minutes, and then after 1000 hits within 10 hours.

To specify the email template used for each alarm, navigate to Alarms > Alarm Categories.
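The tiered password-failure policy described above, modelled as a sliding-window evaluator in Python (an added example, not Threat Monitor's own alarm engine). The first tier's five-minute window, keying hits by source IP, and the constructed log line format are assumptions made for the demo.

```python
"""Sliding-window model of a multi-level alarm policy (added example, not
Threat Monitor's own engine). It reproduces the tiers of the password-failure
example: alert at 2 attempts, then at 40 in 5 minutes, an active response at
100 in 10 minutes, then at 1000 in 10 hours. Assumptions: the first tier shares
the 5-minute window (the guide gives no window for it), hits are keyed by
source IP, and the log format below is constructed for the demo.
"""
import collections
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RuleLevel:
    name: str
    threshold: int   # hits needed inside the window
    window: int      # window length in seconds
    action: str      # what the level does when it fires


PASSWORD_FAILURE_POLICY = [
    RuleLevel("level-1", 2, 5 * 60, "alert"),                # window assumed
    RuleLevel("level-2", 40, 5 * 60, "alert"),
    RuleLevel("level-3", 100, 10 * 60, "active-response"),
    RuleLevel("level-4", 1000, 10 * 60 * 60, "active-response"),
]


class MultiLevelRule:
    """Tracks hits per key and fires each level once per threshold crossing."""

    def __init__(self, levels):
        self.levels = levels
        self._hits = collections.defaultdict(collections.deque)  # (key, level) -> timestamps
        self._fired = set()                                      # (key, level) above threshold

    def observe(self, key, ts):
        """Record one matching event at time ts (seconds, non-decreasing per key).

        Returns the (level name, action) pairs this event triggered.
        """
        triggered = []
        for lvl in self.levels:
            slot = (key, lvl.name)
            q = self._hits[slot]
            q.append(ts)
            while ts - q[0] > lvl.window:      # drop hits that slid out of the window
                q.popleft()
            if len(q) >= lvl.threshold:
                if slot not in self._fired:    # fire on the crossing, not on every hit
                    self._fired.add(slot)
                    triggered.append((lvl.name, lvl.action))
            else:
                self._fired.discard(slot)      # re-arm once activity subsides
        return triggered


# Constructed syslog-style lines: "<seconds> <host> sshd: Failed password for <user> from <ip>".
LOG_RE = re.compile(r"^(\d+) \S+ sshd: Failed password for (\S+) from (\S+)$")


def constructed_log():
    """120 failures from one source over 10 minutes plus one isolated failure."""
    lines = []
    for t in range(0, 600, 5):
        lines.append(f"{t} dc01 sshd: Failed password for administrator from 203.0.113.7")
        if t == 10:
            lines.append(f"{t} fs01 sshd: Failed password for jdoe from 198.51.100.9")
    return lines


def evaluate(lines, levels=PASSWORD_FAILURE_POLICY):
    """Run the policy over log lines; return (src, ts, level, action) per firing."""
    rule = MultiLevelRule(levels)
    alarms = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                            # unparsed line: the guide lists these under Admin > Failed Events
        ts, src = int(m.group(1)), m.group(3)
        for level, action in rule.observe(src, ts):
            alarms.append((src, ts, level, action))
    return alarms


if __name__ == "__main__":
    for alarm in evaluate(constructed_log()):
        print(alarm)
```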


View triggered alarms

In Threat Monitor, you can view triggered alarms associated with your established alarm policies and policy rules. You can monitor alarms as they occur in your environment, search alarms by one or more keywords, and adjust the date and time range to view alarms triggered during a specific period.

You can also narrow your search based on a spike in alarm activity in one section of the histogram. To further refine your search results, drag your mouse pointer over any section of the histogram.

 1. On the Threat Monitor toolbar, click Alarms.

As alarms stream into the table, the most recent alarms are listed first. Each triggered alarm lists all relevant data associated with the event.

 2. To view additional alarm details, click an event in the list.

 3. To view event logs associated with the alarm, click the total events hyperlink at the bottom of the page.


 4. To add or remove specific search criteria, click a column heading in the alarms table. The Add and Remove Search Criteria icons appear next to each entry in the column.

 5. To update the search criteria, click an Add to Search Criteria icon in the column.

The search syntax updates and auto-submits the form.

 6. To remove a specific alarm or event detail from the search, click the Remove from Search Criteria icon.

 7. To return to the default view, click Clear Form.


Add and edit users

Users with administrator access can add users and assign permissions and access levels. Each user can span multiple companies and possess different access levels.

 1. In Threat Monitor, navigate to Access > New User.

You can also navigate to Access > Clone User to use an existing user account as a template and save time when creating multiple user accounts.

 2. On the Account tab, enter a user name and password.

 3. Select the Force password change check box, and then click Next.

 4. On the Contacts tab, enter the user contact information, and then click Next.

 5. To establish user permissions, click the Access tab and select one or more of the following access levels:

 - Superadmin: Admin rights - can do everything in the portal
 - Ossec admin: Access to the OSSEC UI
 - Syslog admin: Access to the Syslog UI
 - Reports admin: Access to the reports tab
 - Alarm view: Can see alarms
 - Alarm admin: Access to alarm policies
 - Email admin: Access to email templates
 - Asset admin: Access to add and remove assets
 - Policy admin: Access to policies

 6. For users that do not require administrative access, make no selection to grant read-only access, and then click Next.


 7. On the Company Access tab, select each company the user can access.

 8. Select access options for sensors, alarms, and test email, and then click Next.

When you select Receive alarms or test emails, select the appropriate Alarm mail template as well.

 9. Review your settings, and then click Next to create the new user.


 10. To restrict the type of log data each user can view, navigate to Access > Access Filters.

 11. From the Select User drop-down list, select a user name.

 12. Select one or more filter check boxes.

 13. Choose an action from the drop-down list, and then click Go.


Manage network policies

Administrators can edit existing system policies to determine which types of data are archived, indexed, or discarded. The live index is set to a default of 10 days, and archived data is stored for a year.

 1. In Threat Monitor, click the Policies tab.

 2. Select a policy, and then click Edit.

 3. From the Queue type drop-down list, select one of the following options:

 - Archive and Index
 - Archive Only
 - Index Only
 - Discard

Discarding data is not recommended. However, you can contact SolarWinds Customer Support to filter and drop data at the collector level, so the filtered data can be recovered later, if necessary.


 4. To edit the source IPs and ports, click the Source tab.

 5. To edit the destination IPs and ports, click the Destination tab.


Manage assets

Upload a list of static assets in your network to map IP addresses and associated host names for reference.

 1. In Threat Monitor, click the Assets tab.

 2. To view assets within a designated group, navigate to Assets > Asset groups.

 3. To view assets within a specific IP range, navigate to Assets > Networks, enter your search parameters, and then click Search.

 4. To import existing lists, navigate to Assets > Network Import Tool or Asset Import Tool.
