Documentation for Server & Application Monitor

Use case: Create a SAM template that uses the Windows PowerShell Monitor to detect possible dictionary attacks

The following use case shows how to create a SAM template that includes a Windows PowerShell Monitor with a script that tracks the average number of Read operations performed by lsass.exe on target systems. Lsass.exe is the Windows process that validates user logins, so a sudden rise in its read activity is a useful indicator of a dictionary attack against the accounts on that system.

Here is a high-level overview of what's involved:

  • Create the new template.
  • Add the Windows PowerShell Monitor as the primary component monitor in the template. It will execute scripts on target systems to gather data.
  • Provide credentials so the script can run on target systems.
  • Add a PowerShell script that uses Get-WmiObject calls to measure the average ReadOperationCount for the lsass.exe process.
  • Assign the new template to nodes.

Before you begin, make sure the WinRM service is properly configured on polling engines and target servers to support remote execution of PowerShell commands. See Using PowerShell in SAM.

To create a template with a Windows PowerShell Monitor: 

  1. Verify that the WinRM service is properly configured on the main Orion server and target servers so you can execute PowerShell commands remotely. See Using PowerShell in SAM.
  2. Click Settings > All Settings > SAM Settings > Create a New Template.
  3. Name the template (for example, Lsass.exe PowerShell Monitor).
  4. Click Add Component Monitor, type "powershell" in the search field, select the Windows PowerShell Monitor, and click Add.
  5. Select a Credential for Monitoring that has permission to run the script on the Orion server and to do whatever else the script requires (in this case, to query the read operation count of the lsass.exe process on the target node).
  6. Select Remote Host as the Execution Mode.
  7. Click Edit Script and then paste the following PowerShell script into the Script Body field:
    $avg = Get-WmiObject win32_process -ComputerName '${IP}' -Credential '${CREDENTIAL}' | Where-Object {$_.Name -eq "lsass.exe" } | Measure-Object -property ReadOperationCount -Average; Write-Host 'Statistic: ' $avg.Average; exit(0)

    The PowerShell code does the following:

    1. Reads the average ReadOperationCount for the process lsass.exe running on the server at the IP address specified by the ${IP} variable, using the credential specified by the ${CREDENTIAL} variable.

      The user name from the specified Credential for Monitoring is stored automatically in the ${CREDENTIAL} variable by the monitor. Do not add the ${CREDENTIAL} variable in the Script Arguments field. When the script runs and needs a password, the monitor automatically gets the password from the Credential for Monitoring.

    2. Writes the statistic information gathered by the script.
    3. Exits the script with an exit code (0) to report the status of the monitor, as displayed in the Orion Web Console. See Report status through exit codes in SAM script monitors.
  8. In the Script Arguments field, enter the token ${IP}. The monitor replaces this token with the IP address of the target node, and the script body reads that value through the ${IP} variable.

  9. Select Count Statistic as Difference to change the statistic to be the difference in query values between polling cycles.
  10. Click Set test node. Browse the tree view, select the desired target node for the PowerShell script, and then click Select.
  11. Change the Statistic Warning Threshold to greater than 800.
  12. Change the Statistic Critical Threshold to greater than 1000.
  13. Click Test, and then click Submit.
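The script in step 7 returns a Statistic of 0 (and exit code 0, Up) whenever the WMI query fails or lsass.exe is not found, so an unreachable or misconfigured host looks identical to a quiet one. The following version is an added example, not the SAM documentation's or SolarWinds' own script: it keeps the same ${IP} and ${CREDENTIAL} tokens (assumed, as above, to be substituted by the monitor before execution, with the password supplied by the Credential for Monitoring) but filters for lsass.exe inside the WQL query and reports an explicit Down status, with a Message line, when the data cannot be collected. The exit-code meanings (0 = Up, 1 = Down) follow the SAM script-monitor convention referenced in step 7; warning and critical states are still decided by the thresholds configured in steps 11 and 12, not by the script.

```powershell
# Added example (not the SAM documentation's own script): lsass.exe read-operation
# monitor that distinguishes "no data" from "no activity".
# Assumed: SAM substitutes ${IP} and ${CREDENTIAL} before the script runs and
# supplies the password for ${CREDENTIAL} from the Credential for Monitoring.

$target = '${IP}'
$user   = '${CREDENTIAL}'

try {
    # Ask WMI for lsass.exe only, instead of pulling every process and filtering client-side.
    $procs = Get-WmiObject -Class Win32_Process `
                           -ComputerName $target `
                           -Credential $user `
                           -Filter "Name = 'lsass.exe'" `
                           -ErrorAction Stop
}
catch {
    # WMI/DCOM or credential failure: report Down so SAM does not treat an
    # unreachable LSA as a host with zero authentication activity.
    Write-Host "Message: WMI query failed on $target - $($_.Exception.Message)"
    Write-Host 'Statistic: 0'
    exit 1
}

if (-not $procs) {
    # lsass.exe should always be running on a Windows host; its absence is itself a fault.
    Write-Host "Message: lsass.exe not found on $target"
    Write-Host 'Statistic: 0'
    exit 1
}

# ReadOperationCount is cumulative since lsass.exe started. The monitor's
# "Count Statistic as Difference" setting (step 9) turns it into reads per
# polling interval, which is the value the 800/1000 thresholds are applied to.
$avg = ($procs | Measure-Object -Property ReadOperationCount -Average).Average

Write-Host "Message: lsass.exe ReadOperationCount (cumulative) on $target"
Write-Host ('Statistic: {0}' -f [int64]$avg)
exit 0
```

Paste this into the Script Body field in place of the one-liner and keep the same Script Arguments, Execution Mode, and threshold settings. When testing with Set test node, a Down result with a "WMI query failed" message usually points at WinRM, firewall, or credential problems on the target rather than at the script itself.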

To assign your new template to a node:

  1. Navigate to the Manage Application Template page, select the new template, and click Assign to Node.
  2. Expand the tree view, select a target node, and then click Next.
  3. Select "Inherit credentials from template", and then click Test to confirm the credentials.
  4. Click Assign Application Monitors and then click Done.
  5. (Optional) Configure alerts to be notified when spikes occur.