
ADMINISTRATOR GUIDE

Threat Monitor
Version 1.0

Last Updated: Friday, March 29, 2019


ADMINISTRATOR GUIDE: THREAT MONITOR

© 2019 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published
or distributed, in whole or in part, or translated to any electronic medium or other means without the prior
written consent of SolarWinds. All right, title, and interest in and to the software, services, and
documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its
respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED,
STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION
NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED
HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY
DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS
HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of
SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and
may be registered or pending registration in other countries. All other SolarWinds trademarks, service
marks, and logos may be common law marks or are registered or pending registration. All other
trademarks mentioned herein are used for identification purposes only and are trademarks of (and may
be registered trademarks) of their respective companies.

page 2
Table of Contents
Threat Monitor Administrator Guide  5
VM collector requirements  6
Install the Threat Monitor collector on the hypervisor  7
Import and deploy the collector on VMware ESXi  7
Import and deploy the collector on Microsoft Hyper-V  10
Initial Threat Monitor login  13
Add the collector to the web  14
Verify the server settings  18
Configure syslog-based log sources  19
Install an OSSEC agent from the collector  23
Add a plugin to a collector  27
Add Barracuda logs  30
Add Cisco ASA logs  34
Add FortiGate logs  38
Add IIS logs  42
Add Palo Alto logs  46
Add SonicWall logs  50
Add Windows event logs  54
Add additional Windows event logs  57
Add Windows DHCP logs  61
View event logs  65
Create search queries and views  68
Configure and customize dashboards  71
Create and edit dashboards  71
Geolocate and group events by country  74
Interact with widgets to view network activity  75
Run and edit reports  77
Build a visual report  78
View and edit alarm policies  79
View triggered alarms  81
Add and edit users  83
Manage network policies  86
Manage assets  88

Threat Monitor Administrator Guide
The Threat Monitor Administrator Guide provides an overview of product features and related
technologies. In addition, it contains recommendations on best practices, instructions for getting started
with advanced features, and troubleshooting information for common situations.

For more information about planning, installing and getting started with Threat Monitor, see the Threat
Monitor Getting Started Guide.


VM collector requirements
The following specifications are required for a typical SolarWinds data collector deployment in a VMware
or Hyper-V environment. They are intended as a baseline and should be confirmed with SolarWinds prior
to deployment.

TYPE: Hardware
MINIMUM REQUIREMENTS:
  - VMware
    - 4 cores
    - 8 GB RAM
    - 160 GB HDD volume
  - Hyper-V
    - 8 cores (will function with four, but with diminished performance)
    - 8 GB RAM
    - 160 GB HDD volume
  - 1 Ethernet controller (NIC) for IP address management
  - 1 Ethernet controller (NIC) for intrusion detection (optional)

TYPE: Network connectivity and access control lists
MINIMUM REQUIREMENTS:
  - Static IP address
    - Connected to an accessible vSwitch instance
  - TCP and UDP port 53 access to internal DNS servers
  - Outbound TCP port 443 (HTTPS) to the SolarWinds VPN Gateway (address to be determined at
    deployment time)
  - Local network inbound TCP and UDP port 514
    - For local syslog data sources
  - Local network bi-directional TCP and UDP port 1514
    - For OSSEC agent connectivity
  - Inbound TCP port 9654
    - For OSSEC agent key negotiation
  - Available physical NIC on the host VMware/Hyper-V server
    - To connect to a SPAN/monitor port within the core switching environment to facilitate
      intrusion detection capabilities (optional). Specific configuration requirements will be
      provided prior to implementation.

No inbound connectivity is required from the Internet.

Install the Threat Monitor collector on the hypervisor
This section describes how to install the Threat Monitor collector on VMware vSphere and Microsoft Hyper-V.

The collector IP address is obtained via DHCP. If your environment does not have DHCP enabled,
contact SolarWinds customer support.

Import and deploy the collector on VMware ESXi


 1. Log in to the VMware server.

 2. In the Navigator pane, click Virtual Machines.

 3. On the Virtual Machines toolbar, click Create/Register VM.


 4. On the Select creation type tab, select Deploy a virtual machine from an OVF or OVA file, and then
click Next.

 5. On the Select OVF and VMDK files tab, enter a name for the virtual machine.

 6. In the Click to select files or drag/drop pane, click and navigate to your OVF and VMDK files.

 7. Select both files, and then click Open (you can also drag your files into the pane).
 8. Click Next.
 9. On the Select storage tab, click Next.

 10. On the Deployment options tab, select the Thin Disk provisioning option button, and then click Next.

 11. On the Ready to complete tab, review your settings, and then click Finish. To adjust your settings,
click Back.

 12. On the lower-left section of the page, click Recent tasks. The panel displays the details and status of
your file import.


Import and deploy the collector on Microsoft Hyper-V


 1. Open Windows Hyper-V Manager.
 2. Right-click the Hyper-V host and select New > Virtual Machine.
 3. Enter a name for the virtual machine, and then click Next.

 4. On the Specify Generation tab, select Generation 1, and then click Next.

Do not use Generation 2 with a VHD file.

 5. On the Assign Memory tab, enter the amount of memory to allocate to the virtual machine, and then
click Next.


 6. On the Configure Networking tab, select an option, and then click Next.
 7. On the Connect Virtual Hard Disk tab, select Use an existing virtual hard disk, connect the provided
VHD collector image as the disk image, and then click Next.

 8. Review the summary, and then click Finish.

Initial Threat Monitor login
 1. Enter your user name and password, and then click Login.

The first time you log in, you will be prompted to change your password.

 2. At the prompt, change your password. The initial Threat Monitor view includes the available list of
collector images.
 3. Select and download a collector image.
 4. Install the collector image, and then log in to the collector with the following credentials:
   - Username: admin
   - Password: IamSuperUser

To log in to the collector, enter the collector IP address using port 5000 (for example,
http://10.10.10.10:5000). When you log in for the first time, you will be prompted to change
your password.

For additional installation and configuration information, see the TM installation and admin guides.


Add the collector to the web


Collector setup and configuration is typically administered by SolarWinds. Contact SolarWinds
Customer Support for assistance. If you are a free trial user, follow the Free trial users instructions below.

Licensed customers

 1. Log in to Threat Monitor.


 2. On the Threat Monitor toolbar, navigate to Admin > Manage Collectors.
 3. On the Sensors page, click New.
 4. On the New Sensor page, enter the collector name, IP address, and sensor key.

 5. From the Sensor type drop-down list, select Dedicated or Cloud (for a cloud collector).
 6. Select your time zone, enter a sensor description, and then click Save.
 7. To view the collector details, navigate to Admin > Manage Collectors.

Free trial users
 1. Log in to Threat Monitor.
 2. On the Threat Monitor dashboards page, locate your collector name, and then click Request token.

 3. Under Request collector activation token, enter your administrator password.

 4. Copy the activation token.


 5. Log in to the collector as an administrator, and then click the Collector Key tab.

To log in to the collector, enter the collector IP address using port 5000 (for example,
http://10.10.10.10:5000). When you log in for the first time, you will be prompted to change
your password.

 6. In the Collector activation token field, paste the collector key, and then click Submit.

 7. Return to the Threat Monitor dashboard to verify the collector is active.


Verify the server settings


 1. Log in to Threat Monitor as an administrator.
 2. On the Threat Monitor toolbar, navigate to Admin > Server Settings.
 3. On the Server Setting page, click Edit/View.

 4. From the Server Timezone list, select your time zone.
 5. Verify or adjust the remaining settings, and then click Save. A Settings updated confirmation appears
on the page.

Configure syslog-based log sources
 1. In Threat Monitor, navigate to Admin > Manage Collectors.
 2. In the sensors list, select a collector, and then click Edit.

 3. Click the Syslog tab.


 4. Click the Log Destinations tab, and then click Add.

 5. In the Destination Setup window, select Both File and Elastic SOC.

 6. Enter a unique name based on the data source.

When entering a name, do not use spaces.

 7. Enter a file storage location on the collector, select the appropriate plugin, and then click Save.

The file is typically located in /var/log/<filename>.log. For example, if this were a FortiGate firewall,
the unique name would be fortigate and the path to the log would be /var/log/fortigate.log.
You must specify a log destination for each plugin.

 8. Click the Filters tab, and then click Add.

 9. Enter a unique filter name based on the data source.

The purpose of this filter is to give Threat Monitor something unique that it can match in the
logs so it knows which device a log line is coming from. For example, a Cisco ASA log will always
have %ASA in the message, while another type of device may always be identified by a specific IP
address. The best way to determine what filter to use is to look at the logs that are being sent
over and find something unique and specific to that device.

 10. To set your filter conditions, click Add Row.


 11. From the Condition drop-down list, select your condition.
 12. From the Filter drop-down list, select an appropriate filter based on unique identifiers found in the
logs.
 13. In the Value field, enter a unique identifier, and then click Save.
 14. Click the Actions tab, and then click Add.

 15. Add four rows, and then make the following selections from the Type and Value drop-down lists:
   - Source
   - Filter
   - Destination: select the file storage location on the collector (this is the Elastic SOC destination
     established in step 5 above)
   - Destination: select the file storage location on the collector (this is the file destination
     established in step 5 above)
 16. To save your settings, click Apply changes.


 17. Click the Status tab to view the number of log entries in both destinations.

Install an OSSEC agent from the collector
 1. In Threat Monitor, navigate to Admin > Manage Collectors.
 2. In the sensors list, select a collector, and then click Edit.

 3. Click the OSSEC tab.


Install the agent manually


 1. On the Agents tab, Click Add.

This process creates an agent-specific installer, so the installer is valid only for the machine it
was configured for.

 2. Enter the host name and IP address of the target device, select an operating system, and then click
Submit.
 3. In the server list, select your new agent, click Download, and then run the installer on the target
device.

Install the agent automatically
 1. Click the Windows Auto Installer tab, and then click Create New Windows Installer.

 2. When the Creating New Installer window closes, click Download, and then run the installer on the
target device.

Add a log source using OSSEC

 1. Click the Remote Logs tab, and then click Add.

 2. In the Config Setup window, select the appropriate log format, and then enter the log location.

OSSEC requires a specific log location, such as C:\logs\thisIsmyLogfile.log. OSSEC does not support
wildcards, so a location such as C:\logs\*.log will not work.

 3. From the Type drop-down list, select Host, and then select the appropriate device.


 4. Click Create, and then click Restart Required to push the changes to all OSSEC agents and the OSSEC
server.

Add a plugin to a collector
 1. In Threat Monitor, navigate to Admin > Manage Collectors.
 2. In the sensors list, select a collector, and then click Edit.

 3. Click the Data Sources tab.


 4. Click New Plugin.

 5. From the Active Plugin list, select the appropriate plugin for your data source.

 6. Next to each inactive worker, click the gear icon, and then click Save.

If you have a high-volume log source (a firewall, for example), click the appropriate gear icon to
set the Parser worker count to at least five processes and the Storage worker count to at least ten.
Error can stay at one.

 7. Next to each inactive worker, click the play button, and then click Save.


Add Barracuda logs


 1. In Threat Monitor, navigate to Admin > Manage Collectors.
 2. In the sensors list, select a collector, and then click Edit.

 3. Click the Syslog tab.

 4. Click the Log Destinations tab, and then click Add.

 5. In the Destination Setup window, select Both File and Elastic SOC.

 6. Enter a unique name based on the data source (Barracuda).

When entering a name, do not use spaces.

 7. Enter a file storage location on the collector, select the appropriate plugin (barracuda), and then click
Save.

This is typically located in /var/log/<filename>.log. For example, /var/log/barracuda.log. You
must specify a log destination for each plugin.


 8. Click the Filters tab, and then click Add.

 9. Enter a unique filter name based on the data source (Barracuda).

The purpose of this filter is to give Threat Monitor something unique that it can match in the
logs so it knows which device a log line is coming from. The best way to determine what filter to use
is to look at the logs that are being sent over and find something unique and specific to that device.

 10. To set your filter conditions, click Add Row.


 11. From the Condition drop-down list, select n/a.
 12. From the Filter drop-down list, select IP.
 13. In the Value field, enter the Barracuda IP address.
 14. Click the Actions tab, and then click Add.

 15. Add four rows, and then make the following selections from the Type and Value drop-down lists:
   - Source: network
   - Filter: barracuda
   - Destination: barracuda (Elastic SOC)
   - Destination: barracuda (file)
 16. To save your settings, click Apply changes.
 17. Click the Data Sources tab.
 18. Click New Plugin.
 19. From the Active Plugin list, select barracuda.

 20. Click the gear icon next to each Play button under the Parser Workers, Storage workers, and Error
Workers, and then click Save.

Please note that this is necessary to create the queues to process your incoming logs.

 21. For each queue, click Play.


 22. Set Parser Workers to 5 and Storage Workers to 10.
 23. Click Save.


Add Cisco ASA logs


 1. In Threat Monitor, navigate to Admin > Manage Collectors.
 2. In the sensors list, select a collector, and then click Edit.

 3. Click the Syslog tab.

 4. Click the Log Destinations tab, and then click Add.

 5. In the Destination Setup window, select Both File and Elastic SOC.

 6. Enter a unique name based on the data source (cisco-asa).

When entering a name, do not use spaces.

 7. Enter a file storage location on the collector, select the appropriate plugin (cisco-asa), and then click
Save.

This is typically located in /var/log/<filename>.log. For example, /var/log/cisco-asa.log. You
must specify a log destination for each plugin.


 8. Click the Filters tab, and then click Add.

 9. Enter a unique filter name based on the data source (cisco-asa).

The purpose of this filter is to give Threat Monitor something unique that it can match in the
logs so it knows which device a log line is coming from. The best way to determine what filter to use
is to look at the logs that are being sent over and find something unique and specific to that device.

 10. To set your filter conditions, click Add Row.


 11. From the Condition drop-down list, select n/a.
 12. From the Filter drop-down list, select program.
 13. In the Value field, enter %ASA.
 14. Click the Actions tab, and then click Add.

 15. Add four rows, and then make the following selections from the Type and Value drop-down lists:
   - Source: network
   - Filter: cisco-asa
   - Destination: cisco-asa (Elastic SOC)
   - Destination: cisco-asa (file)
 16. To save your settings, click Apply changes.
 17. Click the Data Sources tab.
 18. Click New Plugin.
 19. From the Active Plugin list, select cisco-asa.

 20. Click the gear icon next to each Play button under the Parser Workers, Storage workers, and Error
Workers, and then click Save.

Please note that this is necessary to create the queues to process your incoming logs.

 21. For each queue, click Play.


 22. Set Parser Workers to 5 and Storage Workers to 10.
 23. Click Save.


Add FortiGate logs


Before following this procedure, find the devid field in your FortiGate log. For example,
devid=GHU2LE4028911449.

 1. In Threat Monitor, navigate to Admin > Manage Collectors.


 2. In the sensors list, select a collector, and then click Edit.

 3. Click the Syslog tab.

 4. Click the Log Destinations tab, and then click Add.

 5. In the Destination Setup window, select Both File and Elastic SOC.

 6. Enter a unique name based on the data source (fortigate).

When entering a name, do not use spaces.

 7. Enter a file storage location on the collector, select the appropriate plugin (fortigate), and then click
Save.

This is typically located in /var/log/<filename>.log. For example, /var/log/fortigate.log. You
must specify a log destination for each plugin.


 8. Click the Filters tab, and then click Add.

 9. Enter a unique filter name based on the data source (Fortigate).

The purpose of this filter is to give Threat Monitor something unique that it can match in the
logs so it knows which device a log line is coming from. The best way to determine what filter to use
is to look at the logs that are being sent over and find something unique and specific to that device.

 10. To set your filter conditions, click Add Row.


 11. From the Condition drop-down list, select n/a.
 12. From the Filter drop-down list, select message.
 13. In the Value field, enter the devid value from your fortigate log.

The example value is the devid presented at the start of this procedure. The devid is unique to each
FortiGate device, so enter the value from your own FortiGate log, not the example value shown here.

 14. Click the Actions tab, and then click Add.

 15. Add four rows, and then make the following selections from the Type and Value drop-down lists:
   - Source: network
   - Filter: fortigate
   - Destination: fortigate (Elastic SOC)
   - Destination: fortigate (file)
 16. To save your settings, click Apply changes.
 17. Click the Data Sources tab.
 18. Click New Plugin.

 19. From the Active Plugin list, select fortigate.
 20. Click the gear icon next to each Play button under the Parser Workers, Storage workers, and Error
Workers, and then click Save.

Please note that this is necessary to create the queues to process your incoming logs.

 21. For each queue, click Play.


 22. Set Parser Workers to 5 and Storage Workers to 10.
 23. Click Save.


Add IIS logs


 1. In Threat Monitor, navigate to Admin > Manage Collectors.
 2. In the sensors list, select a collector, and then click Edit.

 3. Click the OSSEC tab.


 4. Click the Remote Logs tab, and then click Add.

 5. From the Log Format drop-down list, select iis.


 6. Change Log Location to D:\inetpub\logs\LogFiles\W3SVC2\u_ex%y%m%d_x.log.

Update the drive letter and any folder locations to where your IIS logs are stored on that
machine.

 7. From the Type drop-down list, select Host.


 8. From the next drop-down list, select the appropriate host, and then click Create.
 9. To push the changes out to the OSSEC agents, click Restart Required.

 10. Click the Syslog tab.

 11. Click the Log Destinations tab, and then click Add.


 12. In the Destination Setup window, select Both File and Elastic SOC.

 13. Enter a unique name based on the data source (iis).

When entering a name, do not use spaces.

 14. Enter a file storage location on the collector, select the appropriate plugin (iis), and then click Save.

This is typically located in /var/log/<filename>.log. For example, /var/log/iis.log. You must
specify a log destination for each plugin.

 15. Click the Filters tab, and then click Add.

 16. Enter a unique filter name based on the data source (iis).

The purpose of this filter is to give Threat Monitor something unique that it can match in the
logs so it knows which source a log line is coming from. The best way to determine what filter to use
is to look at the logs that are being sent over and find something unique and specific to that source.

 17. To set your filter conditions, click Add Row.


 18. From the Condition drop-down list, select n/a.
 19. From the Filter drop-down list, select message.
 20. In the Value field, enter W.SVC.

 21. Click the Actions tab, and then click Add.

 22. Add four rows, and then make the following selections from the Type and Value drop-down lists:
   - Source: ossec
   - Filter: iis
   - Destination: iis (Elastic SOC)
   - Destination: iis (file)
 23. To save your settings, click Apply changes.
 24. Click the Data Sources tab.
 25. Click New Plugin.
 26. From the Active Plugin list, select iis.
 27. Click the gear icon next to each Play button under the Parser Workers, Storage workers, and Error
Workers, and then click Save.

Please note that this is necessary to create the queues to process your incoming logs.

 28. For each queue, click Play.


 29. Set Parser Workers to 5 and Storage Workers to 10.
 30. Click Save.


Add Palo Alto logs


Before following this procedure, locate the value in your Palo Alto log that comes after the
timestamp. For example, in 2018/10/25 12:29:42,118912111971 the value after the timestamp is
118912111971.

 1. In Threat Monitor, navigate to Admin > Manage Collectors.


 2. In the sensors list, select a collector, and then click Edit.

 3. Click the Syslog tab.

 4. Click the Log Destinations tab, and then click Add.

 5. In the Destination Setup window, select Both File and Elastic SOC.

 6. Enter a unique name based on the data source (paloalto).

When entering a name, do not use spaces.

 7. Enter a file storage location on the collector, select the appropriate plugin (paloalto), and then click
Save.

This is typically located in /var/log/<filename>.log. For example, /var/log/paloalto.log. You must
specify a log destination for each plugin.


 8. Click the Filters tab, and then click Add.

 9. Enter a unique filter name based on the data source (paloalto).

The purpose of this filter is to give Threat Monitor something unique that it can match in the
logs so it knows which device a log line is coming from. The best way to determine what filter to use
is to look at the logs that are being sent over and find something unique and specific to that device.

 10. To set your filter conditions, click Add Row.


 11. From the Condition drop-down list, select n/a.
 12. From the Filter drop-down list, select message.
 13. In the Value field, enter the value listed after the timestamp in your paloalto log.

The example value is the one presented at the start of this procedure. It is unique to each Palo Alto
device, so enter the value from your own Palo Alto log, not the example value shown here.

 14. Click the Actions tab, and then click Add.

 15. Add four rows, and then make the following selections from the Type and Value drop-down lists:
   - Source: network
   - Filter: paloalto
   - Destination: paloalto (Elastic SOC)
   - Destination: paloalto (file)
 16. To save your settings, click Apply changes.
 17. Click the Data Sources tab.
 18. Click New Plugin.

 19. From the Active Plugin list, select paloalto.
 20. Click the gear icon next to each Play button under the Parser Workers, Storage workers, and Error
Workers, and then click Save.

Please note that this is necessary to create the queues to process your incoming logs.

 21. For each queue, click Play.


 22. Set Parser Workers to 5 and Storage Workers to 10.
 23. Click Save.


Add SonicWall logs


Before following this procedure, find the sn field in your SonicWall log. For example,
sn=D1FBF5DDGF39.

 1. In Threat Monitor, navigate to Admin > Manage Collectors.


 2. In the sensors list, select a collector, and then click Edit.

 3. Click the Syslog tab.

 4. Click the Log Destinations tab, and then click Add.

 5. In the Destination Setup window, select Both File and Elastic SOC.

 6. Enter a unique name based on the data source (sonicwall).

When entering a name, do not use spaces.

 7. Enter a file storage location on the collector, select the appropriate plugin (sonicwall), and then click
Save.

This is typically located in /var/log/<filename>.log. For example, /var/log/sonicwall.log. You
must specify a log destination for each plugin.


 8. Click the Filters tab, and then click Add.

 9. Enter a unique filter name based on the data source.

The purpose of this filter is to give Threat Monitor something unique that it can match in the
logs so it knows which device a log line is coming from. The best way to determine what filter to use
is to look at the logs that are being sent over and find something unique and specific to that device.

 10. To set your filter conditions, click Add Row.


 11. From the Condition drop-down list, select n/a.
 12. From the Filter drop-down list, select message.
 13. In the Value field, enter the sn value from your SonicWall log.

The example value is the sn field presented at the start of this procedure. It is unique to each
SonicWall device, so enter the value from your own SonicWall log, not the example value shown here.

 14. Click the Actions tab, and then click Add.

 15. Add four rows, and then make the following selections from the Type and Value drop-down lists:
   - Source: network
   - Filter: sonicwall
   - Destination: sonicwall (Elastic SOC)
   - Destination: sonicwall (file)
 16. To save your settings, click Apply changes.
 17. Click the Data Sources tab.
 18. Click New Plugin.

 19. From the Active Plugin list, select sonicwall.
 20. Click the gear icon next to each Play button under the Parser Workers, Storage workers, and Error
Workers, and then click Save.

Please note that this is necessary to create the queues to process your incoming logs.

 21. For each queue, click Play.


 22. Set Parser Workers to 5 and Storage Workers to 10.
 23. Click Save.
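The filter-and-action model used in the syslog procedures above (Configure syslog-based log sources, and the Barracuda, Cisco ASA, FortiGate, Palo Alto and SonicWall procedures) can be checked offline before you commit it on the collector. The following Python script is an added illustration, not SolarWinds code: it parses constructed sample lines, applies the guide's five filters (program %ASA, the FortiGate devid, the SonicWall sn, the Palo Alto value after the timestamp, the Barracuda IP), routes matches to the Elastic SOC and file destinations, and reports which sending IPs each filter matches so you can see when a filter is not unique. The received-line format, the 192.0.2.x addresses and the field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real device output): the sending host's IP,
# then the syslog priority and body, one line per device type. The identifier
# values are the example values from the guide.
SAMPLE_LINES = [
    "192.0.2.10 <166>Oct 25 12:29:42 fw01 %ASA-6-302013: Built outbound TCP "
    "connection 1 for outside:203.0.113.5/443",
    "192.0.2.20 <189>date=2018-10-25 time=12:29:42 devname=fg01 "
    "devid=GHU2LE4028911449 logid=0000000013 type=traffic",
    '192.0.2.30 <134>Oct 25 12:29:42 sw01 id=firewall sn=D1FBF5DDGF39 '
    'time="2018-10-25 12:29:42" fw=198.51.100.1 pri=6',
    "192.0.2.40 <14>Oct 25 12:29:42 pa01 1,2018/10/25 12:29:42,118912111971,"
    "TRAFFIC,end,2049,2018/10/25 12:29:42",
    "192.0.2.50 <134>Oct 25 12:29:42 bc01 scan[123]: inbound mail from "
    "203.0.113.9 allowed",
]

# Filters tab: Condition n/a, Filter (the field) and Value (the unique
# identifier), as entered in each device procedure above.
FILTERS = [
    {"name": "cisco-asa", "field": "program", "value": "%ASA"},
    {"name": "fortigate", "field": "message", "value": "devid=GHU2LE4028911449"},
    {"name": "sonicwall", "field": "message", "value": "sn=D1FBF5DDGF39"},
    {"name": "paloalto", "field": "message", "value": "118912111971"},
    {"name": "barracuda", "field": "ip", "value": "192.0.2.50"},
]

# Actions tab: Source, Filter, and the two destinations (Elastic SOC plus the
# file under /var/log) that the Log Destinations tab created for the plugin.
ACTIONS = [
    {"source": "network", "filter": f["name"],
     "destinations": [f"{f['name']} (Elastic SOC)", f"/var/log/{f['name']}.log"]}
    for f in FILTERS
]

HEADER_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) <\d{1,3}>(?P<body>.*)$")
# RFC 3164 body "Mon dd hh:mm:ss host tag: text"; the tag ends at ':', '[' or space.
TAG_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ (?P<tag>[^:\[\s]+)")


def parse_line(line):
    """Split a received line into the fields the Filter drop-down offers."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    body = m.group("body")
    tag = TAG_RE.match(body)
    return {"ip": m.group("ip"),
            "program": tag.group("tag") if tag else "",
            "message": body}


def matches(flt, event):
    """Condition n/a: IP must be equal; program/message must contain the value."""
    if flt["field"] == "ip":
        return event["ip"] == flt["value"]
    return flt["value"] in event[flt["field"]]


def route(lines, filters=FILTERS, actions=ACTIONS):
    """Return ({destination: [lines]}, [lines that no filter claimed])."""
    by_name = {f["name"]: f for f in filters}
    routed, unmatched = defaultdict(list), []
    for line in lines:
        event = parse_line(line)
        claimed = False
        for action in actions:
            if matches(by_name[action["filter"]], event):
                claimed = True
                for dest in action["destinations"]:
                    routed[dest].append(line)
        if not claimed:
            unmatched.append(line)  # would never reach a plugin's queue
    return dict(routed), unmatched


def filter_coverage(lines, filters=FILTERS):
    """The uniqueness check the guide asks you to do by eye: which sending IPs
    each filter matches. More than one IP means the filter is not unique to
    a device; none means the value is mistyped or the device is not sending."""
    seen = {f["name"]: set() for f in filters}
    for line in lines:
        event = parse_line(line)
        for f in filters:
            if matches(f, event):
                seen[f["name"]].add(event["ip"])
    return seen


if __name__ == "__main__":
    routed, unmatched = route(SAMPLE_LINES)
    for dest, entries in sorted(routed.items()):
        print(f"{dest}: {len(entries)} line(s)")
    print("unmatched:", unmatched)
    # A filter on something every device shares is not unique and mis-attributes logs.
    broad = {"name": "too-broad", "field": "message", "value": "Oct 25"}
    print("too-broad filter matches:", filter_coverage(SAMPLE_LINES, [broad]))
```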


Add Windows event logs


 1. In Threat Monitor, navigate to Admin > Manage Collectors.
 2. In the sensors list, select a collector, and then click Edit.

 3. Click the Syslog tab.

 4. Click the Log Destinations tab, and then click Add.

 5. In the Destination Setup window, select Both File and Elastic SOC.

 6. Enter a unique name based on the data source (winevtlog).

When entering a name, do not use spaces.

Delete the default log destination for winevtlog.

 7. Enter a file storage location on the collector, select the appropriate plugin, and then click Save.

This is typically located in /var/log/<filename>.log. For example, /var/log/winevtlog.log. You
must specify a log destination for each plugin.


 8. Click the Actions tab, and then click Add.

The winevtlog filter is added by default.

 9. Add four rows, and then make the following selections from the Type and Value drop-down lists:
   - Source: ossec
   - Filter: winevtlog
   - Destination: winevtlog (Elastic SOC)
   - Destination: winevtlog (file)
 10. To save your settings, click Apply changes.
 11. Click the Data Sources tab.
 12. Click New Plugin.
 13. From the Active Plugin list, select winevtlog.
 14. Click the gear icon next to each Play button under the Parser Workers, Storage workers, and Error
Workers, and then click Save.

Please note that this is necessary to create the queues to process your incoming logs.

 15. For each queue, click Play.


 16. Set Parser Workers to 5 and Storage Workers to 10.
 17. Click Save.

Add additional Windows event logs
This procedure covers Windows event logs other than the standard System, Application, and Security
logs. Before you begin, open the event log on the target machine, select the Details tab, click the XML
View button, and note the Channel value; you will need it later in this procedure.

 1. In Threat Monitor, navigate to Admin > Manage Collectors.


 2. In the sensors list, select a collector, and then click Edit.

 3. Click the OSSEC tab.


 4. Click the Remote Logs tab, and then click Add.

 5. From the Log Format drop-down list, select eventlog.


 6. Change Log Location to AD FS/Admin.

Update the log location to the Channel value you noted at the beginning of this procedure.

 7. From the Type drop-down list, select Host.


 8. From the next drop-down list, select the appropriate host, and then click Create.
 9. To push the changes out to the OSSEC agents, click Restart Required.

If you have already configured Syslog to pull in Windows Event Logs, then skip the rest of the
steps in this procedure as the WinEvtLog plugin will gather all additional Windows Event Logs.


 10. Click the Syslog tab.

 11. Click the Log Destinations tab, and then click Add.

 12. In the Destination Setup window, select Both File and Elastic SOC.

 13. Enter a unique name based on the data source (winevtlog).

When entering a name, do not use spaces.

 14. Enter a file storage location on the collector, select the appropriate plugin (winevtlog), and then click
Save.

This is typically located in /var/log/<filename>.log. For example, /var/log/winevtlog.log. You
must specify a log destination for each plugin.

 15. Click the Actions tab, and then click Add.

The WinEvtLog filter is added by default.

 16. Add four rows, and then make the following selections from the Type and Value drop-down lists:
 l Source: ossec
 l Filter: WinEvtLog
 l Destination: winevtlog (Elastic SOC)
 l Destination: winevtlog (file)


 17. To save your settings, click Apply changes.
 18. Click the Data Sources tab.
 19. Click New Plugin.
 20. From the Active Plugin list, select winevtlog.
 21. Click the gear icon next to each Play button under the Parser Workers, Storage Workers, and Error
Workers, and then click Save.

Please note that this is necessary to create the queues to process your incoming logs.

 22. For each queue, click Play.


 23. Set Parser Workers to 5 and Storage Workers to 10.
 24. Click Save.

Add Windows DHCP logs
 1. In Threat Monitor, navigate to Admin > Manage Collectors.
 2. In the sensors list, select a collector, and then click Edit.

 3. Click the OSSEC tab.


 4. Click the Remote Logs tab, and then click Add.

 5. From the Log Format drop-down list, select Syslog.


 6. Change Log Location to C:\DHCP_Logs\DhcpSrvLog-%a.log.

Update the drive letter and any folder locations to where your DHCP logs are stored on that
machine.

 7. From the Type drop-down list, select Host.


 8. From the next drop-down list, select the appropriate host, and then click Create.
 9. To push the changes out to the OSSEC agents, click Restart Required.


 10. Click the Syslog tab.

 11. Click the Log Destinations tab, and then click Add.

 12. In the Destination Setup window, select Both File and Elastic SOC.

 13. Enter a unique name based on the data source (windows-dhcp).

When entering a name, do not use spaces.

 14. Enter a file storage location on the collector, select the appropriate plugin (windows-dhcp), and then
click Save.

This is typically located in /var/log/<filename>.log. For example, /var/log/windows-dhcp.log.


You must specify a log destination for each plugin.

 15. Click the Filters tab, and then click Add.

 16. Enter a unique filter name based on the data source (windows-dhcp).

This filter gives Threat Monitor something unique to match in the logs so it knows which source a log
is coming from. The best way to decide on a filter is to look at the logs being sent over and find a
string that is unique and specific to that source.

 17. To set your filter conditions, click Add Row.


 18. From the Condition drop-down list, select n/a.
 19. From the Filter drop-down list, select message.
 20. In the Value field, enter DhcpSrvLog.


 21. Click the Actions tab, and then click Add.

 22. Add four rows, and then make the following selections from the Type and Value drop-down lists:
 l Source: ossec
 l Filter: windows-dhcp
 l Destination: windows-dhcp (Elastic SOC)
 l Destination: windows-dhcp (file)
 23. To save your settings, click Apply changes.
 24. Click the Data Sources tab.
 25. Click New Plugin.
 26. From the Active Plugin list, select windows-dhcp.
 27. Click the gear icon next to each Play button under the Parser Workers, Storage Workers, and Error
Workers, and then click Save.

Please note that this is necessary to create the queues to process your incoming logs.

 28. For each queue, click Play.


 29. Set Parser Workers to 5 and Storage Workers to 10.
 30. Click Save.
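The Filters, Actions, and Log Destinations tabs configured in the two procedures above form one chain: a filter identifies the source, and an action delivers matching lines from a given source to each of its destinations. The following added example (not code from SolarWinds or Threat Monitor) models that chain over a few constructed log lines for the winevtlog and windows-dhcp data sources. The filter, source, and destination names are the ones used in the procedures; the "<source>: <message>" line framing and the sample lines themselves are assumptions.

```python
"""Added example (not SolarWinds code): a minimal model of the collector's
Filters -> Actions -> Log Destinations chain, run over constructed log lines.
Filter, source and destination names come from the procedures; the line
framing ("<source>: <message>") is an assumption for illustration."""
from dataclasses import dataclass


@dataclass
class FilterRow:
    condition: str  # "n/a" on the first row, "AND" or "OR" on later rows
    fld: str        # event field to test, e.g. "message"
    value: str      # substring that must appear in that field


@dataclass
class Filter:
    name: str
    rows: list

    def matches(self, event: dict) -> bool:
        """Evaluate the rows top to bottom, combining each with its condition."""
        result = False
        for i, row in enumerate(self.rows):
            hit = row.value in event.get(row.fld, "")
            if i == 0 or row.condition == "n/a":
                result = hit
            elif row.condition.upper() == "AND":
                result = result and hit
            elif row.condition.upper() == "OR":
                result = result or hit
            else:
                raise ValueError(f"unknown condition {row.condition!r}")
        return result


@dataclass
class Action:
    source: str         # Source row, e.g. "ossec"
    filter_name: str    # Filter row
    destinations: list  # Destination rows, e.g. "windows-dhcp (file)"


def parse_line(raw: str) -> dict:
    """Split a forwarded line into its source tag and message (assumed framing)."""
    source, _, message = raw.partition(": ")
    return {"source": source, "message": message}


def route(lines, filters: dict, actions: list):
    """Deliver each line to every destination whose action matches; collect the rest."""
    by_destination: dict = {}
    unmatched: list = []
    for raw in lines:
        event = parse_line(raw)
        delivered = False
        for action in actions:
            # Both the Source row and the Filter row must match for an action to apply.
            if action.source != event["source"]:
                continue
            if not filters[action.filter_name].matches(event):
                continue
            for dest in action.destinations:
                by_destination.setdefault(dest, []).append(event["message"])
            delivered = True
        if not delivered:
            unmatched.append(raw)  # what Admin > Failed Events would list
    return by_destination, unmatched


# Filters as configured in the two procedures above.
FILTERS = {
    "WinEvtLog": Filter("WinEvtLog", [FilterRow("n/a", "message", "WinEvtLog")]),
    "windows-dhcp": Filter("windows-dhcp", [FilterRow("n/a", "message", "DhcpSrvLog")]),
}

# Actions: the Source, Filter and two Destination rows from each procedure.
ACTIONS = [
    Action("ossec", "WinEvtLog", ["winevtlog (Elastic SOC)", "winevtlog (file)"]),
    Action("ossec", "windows-dhcp", ["windows-dhcp (Elastic SOC)", "windows-dhcp (file)"]),
]

# Constructed sample input (documentation IP ranges, invented host names).
SAMPLE_LOGS = [
    "ossec: WinEvtLog: Security: AUDIT_SUCCESS(4624): An account was successfully logged on.",
    "ossec: DhcpSrvLog-Mon.log: 10,03/25/19,08:00:01,Assign,192.168.1.50,host1.example.com,00AABBCCDDEE",
    "ossec: sshd[1234]: Failed password for jdoe from 203.0.113.5 port 22 ssh2",
    "syslog: DhcpSrvLog-Tue.log: 11,03/26/19,08:00:02,Renew,192.168.1.51,host2.example.com,00AABBCCDDEF",
]

ROUTED, UNMATCHED = route(SAMPLE_LOGS, FILTERS, ACTIONS)

if __name__ == "__main__":
    for dest, msgs in ROUTED.items():
        print(f"{dest}: {len(msgs)} line(s)")
    print(f"unmatched (Failed Events): {len(UNMATCHED)}")
```

The fourth sample line carries a DhcpSrvLog message but arrives with a different source tag, so the windows-dhcp action does not apply and the line ends up unmatched; that is the case to check first when a new data source shows up under Admin > Failed Events rather than in its destination.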

View event logs
In Threat Monitor, click Event Logs to view events in real time as they occur in your environment.

As logs stream into the table, the most recent events are listed first. Each log is parsed and lists any
relevant data, including geolocation coordinates, reputation data, and host name resolution.


 1. Click a log to view the associated event details.

Each log's event details summary includes data that is useful for correlating with other events, such as IP
addresses and ports.
 2. To group and view high-level facets of the current data set, click Analyze Results.

 3. To refine your results to group and view a specific subset of data, click the Add to Search Criteria
icon next to any record detail in the table.

The search syntax updates and auto-submits the form.

 4. To drill down even further, select a record to either filter out or filter on data from the main
events table to view very specific event logs and details. You can also click any column heading to
show or hide the icons in each column row.
 5. To adjust the data set to a specific time frame, drag the mouse over the histogram.

 6. To export the results (up to 500 records) to Microsoft Excel, click the Excel icon.
 7. To find unmatched events, navigate to Admin > Failed Events.
 8. To see all possible field names that can be used in an event query, navigate to Admin > Event
Fields.

Create search queries and views


On the Event Logs page, you can create, edit, and save full-text custom queries to monitor log messages for
specific groups or event activity, such as Active Directory logins, file integrity monitoring, antivirus, etc.

Follow this example to construct your query:

 1. To remove existing query data from the search field, click Clear Form.
 2. Use one or more of the following search parameters:
 l Key words (Administrator)
 l Wildcards (Admin*)
 l Specific data fields (username:administrator)
 l IP addresses and ranges (src_net:192.168.0.0/2)
 l Any (for free-text search)
 l Use a dash (-) for Does Not Contain a particular field
 l Spaces are treated as implicit AND operators
 l Exists: and Missing: are valid prefixes for data fields
 3. Select your time frame or enter a custom time range.
 4. To save the search and add it to your views, click Add Search Criteria to My Views.

 5. Enter a name for your query view.

 6. Select the time frame type.


 7. To make this your default Event Logs view, select the Is default check box.
 8. Select facets and fields to display specific data points in your view.


 9. Click Add View. The new view tab is added to the Event Logs page.

 10. To view the high-level query facets and associated data, click Analyze Results.

 11. To turn on the facet graphs, click the associated image icon.
 12. To enable search within a facet, click the associated search icon.
 13. To modify your query, edit the parameters in the search field, and then click Update.
 14. To share the query view with another user in your network, click the gear icon.
 15. On the editable tab, click the Share tab icon.

 16. Select one or more available users, and then click Export.
 17. To move the tab, drag it to another position in the tab rows.

 18. To remove the query from your view and search history, click the delete icon.
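To make the search parameters listed in step 2 concrete, here is an added example (not SolarWinds code) that evaluates that syntax against a few constructed events: bare keywords and wildcards as free-text matches across every field, field:value matches, CIDR ranges on IP fields, a leading dash for "does not contain", spaces as implicit AND, and the Exists: and Missing: prefixes. The field names (username, src_ip, event_id, message) and the event values are assumptions for illustration; the operators are the ones the list describes.

```python
"""Added example (not SolarWinds code): an evaluator for the Event Logs search
syntax described above, run over constructed events. Field names and values are
assumptions for illustration."""
import fnmatch
import ipaddress


def _match_value(actual, pattern: str) -> bool:
    """Case-insensitive wildcard match; a pattern that parses as a network is a CIDR test."""
    text = str(actual)
    if "/" in pattern:
        try:
            net = ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            net = None  # not a network, fall back to the wildcard match
        if net is not None:
            try:
                return ipaddress.ip_address(text) in net
            except ValueError:
                return False  # the field value is not an IP address
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())


def term_matches(term: str, event: dict) -> bool:
    """Evaluate one whitespace-separated search term against one parsed event."""
    negate = term.startswith("-")  # leading dash: Does Not Contain
    if negate:
        term = term[1:]
    lowered = term.lower()
    if lowered.startswith("exists:"):
        hit = term[len("exists:"):] in event
    elif lowered.startswith("missing:"):
        hit = term[len("missing:"):] not in event
    elif ":" in term:
        fld, pattern = term.split(":", 1)  # specific data field, e.g. username:administrator
        hit = fld in event and _match_value(event[fld], pattern)
    else:
        # Bare keyword (with optional * wildcards): free-text search across every field value.
        hit = any(_match_value(v, f"*{term}*") for v in event.values())
    return hit != negate


def search(query: str, events):
    """Spaces are implicit AND: an event matches only if every term matches."""
    terms = query.split()
    return [e for e in events if all(term_matches(t, e) for t in terms)]


# Constructed sample events (documentation IP ranges, invented user names).
EVENTS = [
    {"username": "administrator", "src_ip": "192.168.10.5", "event_id": 4624,
     "message": "Administrator logged on"},
    {"username": "admin_svc", "src_ip": "10.0.0.8", "event_id": 4624,
     "message": "Service account logon"},
    {"username": "jdoe", "src_ip": "203.0.113.7", "event_id": 4625,
     "message": "Failed password for jdoe"},
    {"src_ip": "192.168.10.9", "message": "syscheck: file modified /etc/passwd"},
]

if __name__ == "__main__":
    for q in ["Administrator", "Admin*", "username:administrator",
              "src_ip:192.168.10.0/24", "-username:administrator event_id:4624",
              "Exists:username Missing:event_id", "Missing:username", "Failed jdoe"]:
        print(f"{q!r}: {len(search(q, EVENTS))} event(s)")
```

The negation case is the one worth checking when a saved view returns more than expected: -username:administrator also matches events that carry no username field at all, which is why pairing it with Exists:username (or a field:value term that requires the field) narrows the result to the intended set.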

Configure and customize dashboards
Threat Monitor dashboards present device event data through a variety of graphical widgets from all
collectors in your network cluster. You can customize existing dashboards, create new dashboards, and
even share your dashboards with other users in your network.

Each dashboard widget can be moved, removed, added to a different dashboard, and edited to display
specific event log data from your network devices. Click the tabs to navigate through a series of
dashboards and configured widgets to observe and monitor activity in your network.

You can also set your dashboards to full-screen auto-rotate mode to cycle through your dashboards
indefinitely and keep your session active.

Create and edit dashboards


To create or edit your dashboards, log in as an administrator, and then click the gear icon. In edit mode,
you can create new dashboards, add and remove widgets, edit display values in existing widgets, and
reorder tabs.

 1. To create a new dashboard, click New Dashboard. The Add new Dashboard Tab page appears.

 2. Enter a dashboard name, and then click Add.


 3. Click your new dashboard tab, and then click Add Widget.

 4. From the Section drop-down list, select a widget type.

 5. Enter a name or title for the widget.

 6. Click Add. The widget appears on the new dashboard.

 7. Continue to add and arrange widgets as needed on the dashboard.

 8. As you add widgets, you can establish widget properties such as colors, number of events, and
filter queries. Click the gear icon on an existing widget to make additional edits.


Geolocate and group events by country


Group events based on country or geographic location to view reputation data and associated information.

 1. In the Threat Monitor dashboard, click Reputation Data.

 2. Move the mouse pointer over a country and click to select it. The Event Logs page appears listing
associated events and messages.

 3. To geolocate events in a specific view, click the geolocation icon. The view refreshes to display the
map and the number of associated events by country.

 4. Zoom in on the map to view a specific location, and then click a pushpin to view logs associated with
that location.
 5. To return to the standard view, click Close Map.

Interact with widgets to view network activity


Widgets are actively linked to network devices, which means you can click each graphic element to drill
down into specific event data for in-depth analysis and root-cause investigation.

For example, in the Top Alarms widget, you can click a specific alarm policy rule to open the Alarms tab
and review triggered alarms associated with that particular policy.

Run and edit reports
Threat Monitor includes a variety of out-of-the-box reports that you can share with other members of your
organization. You can run, edit, copy, and create the following report types:

 l Data reports (Excel spreadsheets)


 l Multi-tabbed reports (one spreadsheet, multiple reports)
 l Visual reports (PDF format)

Use the visual report templates to create custom reports.

 1. In Threat Monitor, click the Reports tab, and then select a report type.

 2. To configure or modify an existing report, select a report, and then click Edit.

 3. Modify or maintain the existing report name.


 4. Enter your search criteria manually, or load a query from an existing event view to pre-populate the
report.


 5. Select your time frame and time zone format.

The report timestamp will appear relative to the selected time zone, even though the raw log
time will indicate the time in the location the log was generated.

 6. Select the filters and fields to display in the report.


 7. Schedule your report to run once, daily, weekly, or monthly.
 8. Set the day and time to generate the report.
 9. To send the report by email, select the check box and enter your recipients.
 10. Select or edit a report email template.
 11. Click to save, run, copy, or delete the report.

Select Multi-tabbed reports to distribute a single spreadsheet containing multiple reports.

Build a visual report


 1. In Threat Monitor, navigate to Reports > Visual Reports.
 2. To access the report builder, select a report, and then click Layout Editor.

 3. To modify the report, click the gear icon.


 4. Add and arrange graphs and data views.
 5. To include additional information, add report pages.
 6. Click Save, and then click Generate and email to distribute the PDF-formatted report.

View and edit alarm policies
Users with administrator access can view and edit pre-defined log policies and apply specific trigger
criteria and subsequent actions for designated network events and activity.

 1. In Threat Monitor, navigate to Admin > Alarm Policies.

 2. To view or edit a policy, click to expand a policy category, and then click to select a policy.

 3. Adjust your filters, subsequent actions, and additional parameters, and then click Save.

If the policy has multi-level rules, you can add, delete, and modify each rule within the policy. Multi-level
rules allow you to manage the number of alert triggers within a specific category.


In the example below, the rule policy is configured to trigger after two incorrect password attempts, and
then after 40 attempts within a five-minute span. Additional actions include an active response after 100
hits in 10 minutes, and then after 1000 hits within 10 hours.

To specify the email template used for each alarm, navigate to Alarms > Alarm Categories.
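The following added example (not SolarWinds code) models the rule policy just described as a sliding-window counter keyed on the source IP, to show how the four thresholds escalate while producing only four triggers for a thousand hits instead of a thousand alerts. It assumes the first level shares the five-minute window, that each level fires once per source, and that events arrive in time order; the failed-logon events are constructed and use a documentation IP.

```python
"""Added example (not SolarWinds code): a sliding-window model of the
multi-level alarm rule described above (2, then 40 in 5 min; active response
at 100 in 10 min, then 1000 in 10 h). Assumptions: the first level also uses
the five-minute window, each level fires once per source, and events arrive
in time order. All events are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    name: str
    threshold: int  # hits needed
    window: int     # seconds the hits must fall within
    action: str     # "alert" or "active-response"


# Levels from the worked example in the text (the first window is an assumption).
POLICY = [
    Level("L1", 2, 300, "alert"),
    Level("L2", 40, 300, "alert"),
    Level("L3", 100, 600, "active-response"),
    Level("L4", 1000, 36000, "active-response"),
]


class MultiLevelRule:
    def __init__(self, levels, key=lambda ev: ev["src_ip"]):
        self.levels = sorted(levels, key=lambda lvl: lvl.threshold)
        self.key = key
        self.longest = max(lvl.window for lvl in levels)
        self.hits = defaultdict(deque)  # key -> timestamps of matching events
        self.fired = defaultdict(set)   # key -> level names already triggered

    def feed(self, event: dict):
        """Record one matching event; return the (level, action) pairs it triggers."""
        key = self.key(event)
        ts = event["ts"]
        q = self.hits[key]
        q.append(ts)
        # Drop hits older than the longest window; events are assumed time-ordered.
        while q and q[0] <= ts - self.longest:
            q.popleft()
        triggered = []
        for lvl in self.levels:
            if lvl.name in self.fired[key]:
                continue  # one trigger per level per source
            cutoff = ts - lvl.window
            count = sum(1 for t in q if t > cutoff)
            if count >= lvl.threshold:
                self.fired[key].add(lvl.name)
                triggered.append((lvl.name, lvl.action))
        return triggered


def replay(spacing: int, count: int, src_ip: str = "203.0.113.5"):
    """Feed `count` constructed failed logons from one source, `spacing` seconds apart;
    return [(event number, level, action)] for every trigger raised."""
    rule = MultiLevelRule(POLICY)
    fired = []
    for i in range(1, count + 1):
        event = {"ts": 1_000_000 + (i - 1) * spacing, "src_ip": src_ip, "event_id": 4625}
        for name, action in rule.feed(event):
            fired.append((i, name, action))
    return fired


if __name__ == "__main__":
    print("burst, 1 s apart:", replay(1, 1000))
    print("slow, 10 s apart:", replay(10, 40))
```

Run with one-second spacing, the four levels fire at events 2, 40, 100, and 1000 and nothing else is raised. With ten-second spacing, 40 attempts never fit inside the five-minute window (at most 30 do), so only the first level fires; that is the behaviour to keep in mind when tuning the window for a slow, low-rate source.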

View triggered alarms
In Threat Monitor, you can view triggered alarms associated with your established alarm policies and
policy rules. You can monitor alarms as they occur in your environment, search alarms by one or more
keywords, and adjust the date and time range to view alarms triggered during a specific period.

You can also narrow your search based on a spike in alarm activity in one section of the histogram. To
further refine your search results, drag your mouse pointer over any section of the histogram.

 1. On the Threat Monitor toolbar, click Alarms.

As alarms stream into the table, the most recent alarms are listed first. Each triggered alarm lists all
relevant data associated with the event.
 2. To view additional alarm details, click an event in the list.

 3. To view event logs associated with the alarm, click the total events hyperlink at the bottom of the
page.


 4. To add or remove specific search criteria, click a column heading in the alarms table. The Add and
Remove Search Criteria icons appear next to each entry in the column.

 5. To update the search criteria, click an Add to Search Criteria icon in the column.

The search syntax updates and auto-submits the form.


 6. To remove a specific alarm or event detail from the search, click the Remove from Search Criteria
icon.
 7. To return to the default view, click Clear Form.

Add and edit users
Users with administrator access can add users and assign permissions and access levels. Each user can
span multiple companies and possess different access levels.

 1. In Threat Monitor, navigate to Access > New User.

 2. On the Account tab, enter a user name and password.


 3. Select the Force password change check box, and then click Next.
 4. On the Contacts tab, enter the user contact information, and then click Next.
 5. To establish user permissions, click the Access tab and select one or more of the following access
levels:
 l Superadmin: Admin rights - can do everything in the portal
 l Ossec admin: Access to the OSSEC UI
 l Syslog admin: Access to the Syslog UI
 l Reports admin: Access to the reports tab
 l Alarm view: Can see alarms
 l Alarm admin: Access to alarm policies
 l Email admin: Access to email templates
 l Asset admin: Access to add and remove assets
 l Policy admin: Access to policies
 6. For users who do not require administrative access, make no selection to grant read-only access, and
then click Next.


 7. On the Company Access tab, select each company the user can access.

 8. Select access options for sensors, alarms, and test email, and then click Next.

When you select Receive alarms or test emails, select the appropriate Alarm mail template as
well.

 9. Review your settings, and then click Next to create the new user.

 10. To restrict the type of log data each user can view, navigate to Access > Access Filters.

 11. From the Select User drop-down list, select a user name.
 12. Select one or more filter check boxes.
 13. Choose an action from the drop-down list, and then click Go.


Manage network policies


Administrators can edit existing system policies to determine which types of data are archived, indexed, or
discarded. The live index is set to a default of 10 days, and archived data is stored for a year.

 1. In Threat Monitor, click the Policies tab.


 2. Select a policy, and then click Edit.
 3. From the Queue type drop-down list, select one of the following options:
 l Archive and Index
 l Archive Only
 l Index Only
 l Discard

Discarding data is not recommended. However, you can contact SolarWinds Customer Support
to filter and drop data at the collector level, so the filtered data can be recovered at a later
date, if necessary.

 4. To edit the source IPs and ports, click the Source tab.

 5. To edit the destination IPs and ports, click the Destination tab.


Manage assets
Upload a list of static assets in your network to map IP addresses and associated host names for reference.

 1. In Threat Monitor, click the Assets tab.


 2. To view assets within a designated group, navigate to Assets > Asset groups.
 3. To view assets within a specific IP range, navigate to Assets > Networks, enter your search
parameters, and then click Search.
 4. To import existing lists, navigate to Assets > Network Import Tool or Asset Import Tool.
