Example: WMI monitor

Imagine that a device on your network has been illegally logged into through a brute force attack (an attack in which an intruder runs a script that tries many username and password guesses against a range of IP addresses on your network). These attacks are extremely dangerous if the device at risk is on your domain or stores sensitive information.

You can use a custom WMI Active Monitor to check the appropriate performance counters on a Windows device and notify you when this type of attack occurs, so you can do something about it before a potential intruder gains access to your network.

To configure this type of active monitor:

  1. Using the WhatsUp Gold web interface, create the WMI monitor.
    1. From the WhatsUp Gold web interface, go to Admin > Monitors. The Monitor Library dialog appears.
    2. Click the Active tab inside the dialog.
    3. Click New. The Select Active Monitor Type dialog appears.
    4. Select WMI Monitor and click OK. The Add WMI Monitor dialog appears.
    5. In the Name box, enter "ErrorsLogon" to identify that this monitor checks for logon errors.
    6. Click browse to access the Performance Counters dialog.
    7. Enter the computer name or IP address of the computer to which you want to connect.
    8. Select a credential from a list of Windows credentials (pulled from the Credentials Library), then click OK to connect to the computer.
    9. Select Server from the Performance object list.
    10. Under Performance Counters, select the ErrorsLogon.
    11. Click OK to add the Performance counter to the New WMI Monitor dialog.
    12. Select Rate of Change from the Check type list.
    13. In the Rate of Change box, enter the number of logon errors you feel is acceptable. This is the number of failed logon attempts between polls.
    14. In the "If the value is above the rate, then the monitor is" list, select Down.
    15. Click OK to add the active monitor to the library.
  2. Enter the credentials for logging on to the device to which you will add this monitor.
    1. In the Device Properties dialog for the device, select Credentials.
    2. Select Windows, then click Edit.
    3. Click browse to access the Credentials Library.
    4. Create a Windows credential using the administrator login and password for the device you want to create the monitor for. When you have configured the credential, click Close.
    5. On the Credentials page, select the new Windows credential, then click OK.
  3. Add the ErrorsLogon monitor to the device.
    1. In your device list, find the device. Double-click the device to display its properties, then click Active Monitors.
    2. Click Add. The Active Monitor wizard appears.
    3. Select the ErrorsLogon monitor, and continue working through the wizard to configure any actions for the monitor.
      For more information on setting up an action, see Configuring an Action.

Consider creating several levels of the active monitor, each with a higher threshold than the last and with more severe actions associated with it.

For example, create a monitor with 30 as the threshold that simply sends you an email, letting you know that at least 31 attempts have been made. Next, create another monitor that uses 60 as the threshold. This monitor may have an SMS action associated with it that sends a text message to you when at least 61 attempts are made. For the most severe level, you could create a monitor with a threshold of 100 and have its action send messages to several people who could block the IP or take the device off the network while the attack is addressed.
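The script below is an added example, not part of WhatsUp Gold or this documentation. It shows what the monitor configured in the steps above and the tiered thresholds just described amount to in plain PowerShell: it polls the same Server performance object's Errors Logon counter over WMI/CIM, treats the difference between two polls as the rate of change, and maps that delta onto the 30/60/100 tiers with an action per tier. The CIM class name `Win32_PerfRawData_PerfNet_Server`, its `ErrorsLogon` property, the `$PollSeconds` interval and the `Invoke-TierAction` placeholder are assumptions of this example and are not named on the page.

```powershell
# Added example (not WhatsUp Gold's own code): poll the Server\Errors Logon counter
# over CIM and apply tiered thresholds like the monitors described in the text.
# Assumptions (not from the page): the class Win32_PerfRawData_PerfNet_Server with
# property ErrorsLogon, the poll interval, and the placeholder notification actions.
param(
    [string]$ComputerName = 'localhost',
    [pscredential]$Credential,     # a Windows credential with WMI access on the target
    [int]$PollSeconds = 60         # assumed poll interval between counter reads
)

# Tiers mirror the example in the text, most severe first: 100 -> escalate, 60 -> SMS, 30 -> e-mail.
$Tiers = @(
    @{ Threshold = 100; Action = 'Escalate' },
    @{ Threshold = 60;  Action = 'SMS' },
    @{ Threshold = 30;  Action = 'Email' }
)

function Get-ErrorsLogon {
    param([Microsoft.Management.Infrastructure.CimSession]$Session)
    # ErrorsLogon is a cumulative count since the Server service started,
    # so the "rate of change" the monitor checks is the difference between two polls.
    (Get-CimInstance -CimSession $Session -ClassName 'Win32_PerfRawData_PerfNet_Server').ErrorsLogon
}

function Get-TierForDelta {
    param([long]$Delta)
    # Return the most severe tier whose threshold the delta exceeds, or $null when none does.
    # "Above the rate" is strictly greater, matching "at least 31 attempts" for a threshold of 30.
    foreach ($tier in $Tiers) {
        if ($Delta -gt $tier.Threshold) { return $tier }
    }
    return $null
}

function Invoke-TierAction {
    param($Tier, [long]$Delta, [string]$Computer)
    # Placeholder actions: replace Write-Warning with your e-mail/SMS/paging integration.
    $msg = "${Computer}: $Delta failed logons in the last $PollSeconds s (threshold $($Tier.Threshold))"
    switch ($Tier.Action) {
        'Email'    { Write-Warning "EMAIL: $msg" }
        'SMS'      { Write-Warning "SMS: $msg" }
        'Escalate' { Write-Warning "ESCALATE: $msg" }
    }
}

$sessionParams = @{ ComputerName = $ComputerName }
if ($Credential) { $sessionParams.Credential = $Credential }
$session = New-CimSession @sessionParams

try {
    $previous = Get-ErrorsLogon -Session $session
    while ($true) {
        Start-Sleep -Seconds $PollSeconds
        $current = Get-ErrorsLogon -Session $session
        # A counter reset (Server service restart) shows up as a negative delta; treat it as zero.
        $delta = [math]::Max(0, $current - $previous)
        $previous = $current
        $tier = Get-TierForDelta -Delta $delta
        if ($tier) {
            Invoke-TierAction -Tier $tier -Delta $delta -Computer $ComputerName   # monitor "Down"
        } else {
            Write-Verbose "${ComputerName}: $delta logon errors since last poll (Up)"
        }
    }
}
finally {
    Remove-CimSession $session
}
```

Run it as `.\Watch-ErrorsLogon.ps1 -ComputerName <host> -Credential (Get-Credential)`; the first poll only seeds the baseline, so the first tiered action can fire no earlier than one interval later, exactly as a Rate of Change monitor behaves. One caveat worth knowing when you choose this counter: Server\Errors Logon counts failed logons against the Server (file and print sharing) service, so failed attempts against other services on the same host, such as Remote Desktop, do not raise it; the Security event log is the place to look for those.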

See Also

Adding and Editing a WMI Monitor

Using WMI monitors