Documentation forAccess Rights Manager

Enable alerts for suspected cases on ransomware on file servers

A Ransomware attack involves the combination of creating and deleting files by one user account. To capture security incidents, ARM focuses on user-initiated file server events. If these occur in unusually high numbers and additionally in a short period of time, ARM proactively informs all those responsible.

Create an alert

  1. Log in to the Access Rights Manager application.

  2. Click Resources in the toolbar.

  3. Expand File server. Configured alerts display with a bell symbol.

  4. Choose an action:

    • Right-click a resource and select Create alert to create a new alert.

    • Right-click a resources and select Manage alerts to customize or delete existing alerts.

  5. Under Alert Name, enter a name for this alert configuration.

  6. Select Event.

  7. Select the events that trigger an alert.

    For ransomware on file servers, select File created and File deleted.

  8. (Optional) Create a blacklist that defines all users who are not considered for the alert. Otherwise, go to the next step.

    ach alert configuration has its own blacklist configuration.
    You can only add users, not groups.

    1. Click Blacklist Users.

    2. Use the Search function to find the target users.

    3. Double-click or drag the directory to the blacklist.

    4. Click Apply.

  9. (Optional) Create a blacklist that defines all directories that are not considered for the alert. Otherwise, go to the next step.

    1. Click Blacklist Directories.

    2. Use the filter function to find the target directories. When you filter, the tree view changes to a result list of the directory paths.

    3. Double-click or drag the directory to the blacklist.

    4. Click to enable or disable monitoring the subdirectories. To remove a directory from the blacklist, select the directory and press Delete.

    5. Click Apply.

  10. Select Threshold.

  11. Activate the thresholds.

    1. Set Turn threshold on to On.

    2. Set Caused by the same initiator to Yes. When ransomware is suspected, typically all events are triggered by the same user.

    3. Define the required number of events to trigger the alert.

    4. Define the period of time (number of seconds) to limit monitoring.

      Defining a threshold with a large number of events over a long period of time will consume a lot of memory (RAM). SolarWinds recommends configure time intervals as small as possible.

      Your selections display at the bottom of the Threshold window. Your threshold is set.

  12. Select Actions.

  13. Select at least one action that executes when an alert is triggered.

    1. If an email should be sent when an alert is triggered, select the Send email checkbox and complete the fields.

      The content of the emails can be customized. This is analogous to the recertification emails.

    2. To write the alert to the Windows Event Log using this categorization, select the Write to Windows event log checkbox.

      This option is useful if you are using a security information and event management (SIEM) tool that monitors the Windows Event Log.

    3. To execute a script, select the Execute script checkbox. To activate this option, a script configuration for alerts must be stored.

      To write the event to a syslog server, select the Write to SysLog checkbox.

      The syslog server must be configured in the ARM Configuration application. See Set the syslog servers for instructions.

  14. Under Category, click the drop-down menu and select a category used when writing to the Windows Event Log and selecting the email subject.

    This option is useful if you are using a security information and event management (SIEM) tool.

  15. (Required) Enter a reason for the alert configuration.

  16. Click Create.

See the following sections for more information.