Example: WMI Monitor

Imagine that a device on your network is under a brute force attack (an intruder runs a script that tries many username and password combinations against a range of IP addresses on your network). Such attacks are especially dangerous when the targeted device is joined to your domain or stores sensitive information.

You can use a custom WMI Active Monitor to watch the Server object's ErrorsLogon performance counter on a Windows device and notify you when failed logons spike, so you can respond before the intruder guesses a working password. Note that this counter records failed logon attempts to the Server service (SMB file sharing); failed Remote Desktop or console logons are not included and are recorded in the Security event log (when logon auditing is enabled) instead.

To configure this type of active monitor:

  1. Using the WhatsUp Gold web interface, create the WMI monitor.
    1. Open the Active Monitor Library.
    • From the web interface, click GO. The GO menu appears.
    • If the WhatsUp section is not visible, click WhatsUp. The WhatsUp section of the GO menu appears.
    • Select Configure > Active Monitor Library. The Active Monitor Library appears.
    2. Click New. The Select Active Monitor Type dialog appears.
    3. Select WMI Monitor and click OK. The Add WMI Monitor dialog appears.
    4. In the Name box, enter "ErrorsLogon" to identify that this monitor checks for logon errors.
    5. Click the Browse button next to Instance to access the Performance Counters dialog.
    6. Enter the computer name or IP address of the computer to which you want to connect.
    7. Select a credential from a list of Windows credentials (pulled from the Credentials Library), then click OK to connect to the computer.
    8. In the Performance object box, select Server.
    9. In the Server folder, select the ErrorsLogon performance counter.

      Take note of the Current value entry at the bottom of the dialog. This is the running total of logon errors currently reported through WMI; the monitor you are building watches how much that total increases between polls, not its absolute value, so a non-zero number here is not by itself a sign of an attack.

      Click OK to add the Performance counter to the New WMI Monitor dialog.

    10. In the Check type box, select Rate of Change.
    11. In the Rate of Change box, enter the number of new logon errors between two consecutive polls that you consider acceptable. Because this is a per-poll count, the threshold only means something relative to the monitor's polling interval: 30 failures in a one-minute poll is a very different rate from 30 failures in a ten-minute poll, so choose the threshold with the interval in mind.
    12. In the If the value is above the rate, then the monitor is box, select Down.
    13. Click OK to add the active monitor to the library.
  2. Enter the credentials for logging on to the device to which you will add this monitor.
    1. In the Device Properties for the device, select the Credentials section.
    2. In the Credentials section, click the browse button next to Windows credentials to access the Credentials Library.
    3. Create a Windows credential using the administrator login and password for the device you want to add the active monitor to. Prefer a dedicated account used only for monitoring over a shared administrator password, since the Credentials Library stores this secret and presents it to the device on every poll. When you have configured the credential, click Close.
    4. On the Credentials page, select the new Windows credential, then click OK.
  3. Add the ErrorsLogon monitor to the problem device.
    1. In your device list, find the device. Double-click the device to display its properties, then select Active Monitors.
    2. Click Add. The Active Monitor wizard appears.

      Select the ErrorsLogon monitor, and continue with the wizard to configure any actions for the monitor.

    3. For more information on setting up an action, see Configuring an Action.

You may want to create several levels of the active monitor, each with a higher threshold than the last and a more severe action attached to it.

For example, create a monitor with 30 as the threshold that simply sends you an email, letting you know that at least 31 failed attempts occurred between two polls. Next, create another monitor that uses 60 as the threshold. This monitor may have an SMS action associated with it that sends a text message to you when at least 61 attempts are made. For the most severe level you could create a 100 threshold and have the action send messages to several people who may be able to block the source IP or take the device off the network while the attack is addressed.
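Before relying on the monitor, it helps to sample the same counter by hand and confirm that it is reachable with your credential and that it actually climbs during failed logons. The following PowerShell script is an added example written for this page; it is not WhatsUp Gold code. It reads the Server object's ErrorsLogon counter over WMI/CIM, computes the rate of change between two polls exactly as the monitor configured above does, and maps the result onto the three tiers (30, 60, 100) from the escalation example. The computer name, credential, 60-second poll interval and threshold values are assumptions you would replace; the script also handles the case where the counter goes backwards because the Server service restarted, which a plain subtraction would report as a huge negative (or, unsigned, a huge positive) rate.

```powershell
# Added example, not WhatsUp Gold code: sample Server\ErrorsLogon over CIM (WMI)
# and evaluate the rate of change against tiered thresholds.
# Assumptions: the target accepts remote CIM (WinRM) connections for $Credential,
# and the poll interval and thresholds below are illustrative values.
param(
    [Parameter(Mandatory = $true)][string]$ComputerName,
    [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential,
    [int]$PollSeconds = 60,
    # Same three tiers as the text: email, SMS, escalate to several people.
    [int[]]$Thresholds = @(30, 60, 100)
)

function Get-LogonErrorCount {
    param([Microsoft.Management.Infrastructure.CimSession]$Session)
    # Win32_PerfRawData_PerfNet_Server is the WMI view of the "Server" performance
    # object; ErrorsLogon is its running total of failed logon attempts.
    $server = Get-CimInstance -CimSession $Session -ClassName Win32_PerfRawData_PerfNet_Server
    return [long]$server.ErrorsLogon
}

function Get-AlertTier {
    param([long]$Delta, [int[]]$Tiers)
    # Highest tier whose threshold the per-poll delta exceeds, or -1 for none.
    # The monitor fires when the value is "above the rate", i.e. strictly greater,
    # so a delta of exactly 30 does not trip the 30 tier.
    $tier = -1
    for ($i = 0; $i -lt $Tiers.Count; $i++) {
        if ($Delta -gt $Tiers[$i]) { $tier = $i }
    }
    return $tier
}

$session = New-CimSession -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
try {
    $previous = Get-LogonErrorCount -Session $session
    Write-Host ("{0}: ErrorsLogon baseline = {1} (running total)" -f (Get-Date -Format s), $previous)

    while ($true) {
        Start-Sleep -Seconds $PollSeconds
        $current = Get-LogonErrorCount -Session $session
        $delta = $current - $previous
        if ($delta -lt 0) {
            # The counter only goes backwards when it was reset (Server service or
            # host restart); the new total is then the number of failures since the reset.
            Write-Warning "ErrorsLogon went from $previous to $current; counter reset assumed"
            $delta = $current
        }
        $previous = $current

        $stamp = Get-Date -Format s
        $tier  = Get-AlertTier -Delta $delta -Tiers $Thresholds
        if ($tier -lt 0) {
            Write-Host ("{0}: {1} failed logons this poll, within threshold" -f $stamp, $delta)
        } elseif ($tier -eq 0) {
            Write-Warning ("{0}: {1} failed logons this poll, above {2}: email tier" -f $stamp, $delta, $Thresholds[0])
        } elseif ($tier -eq 1) {
            Write-Warning ("{0}: {1} failed logons this poll, above {2}: SMS tier" -f $stamp, $delta, $Thresholds[1])
        } else {
            Write-Error ("{0}: {1} failed logons this poll, above {2}: escalate, block the source or isolate the host" -f $stamp, $delta, $Thresholds[2])
        }
    }
}
finally {
    Remove-CimSession -CimSession $session
}
```

Run it as `.\Watch-LogonErrors.ps1 -ComputerName fileserver01 -Credential (Get-Credential)` (script name and host are placeholders) and trigger a few deliberate failed SMB logons from another machine; the per-poll delta should rise while the total only ever increases. If the baseline read fails, the credential or remote WMI access is the problem, and the WhatsUp Gold monitor built from the same credential will fail the same way.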