September 28, 2017
Introducing the security monitoring management pack for SCOM
There's another great, free Management Pack from the community that we wanted to share with you and we think this one's a must have!
With cyber attacks on the rise, security is top of the agenda for most IT teams, but too many organizations are investing large sums of money in security tools and not necessarily seeing much return on that investment.
"Organizations that prioritize security spend large amounts of money on big data tools like Splunk or OMS in conjunction with SCOM and Azure PowerBI, but these take an extensive time investment, training, and in some cases rare resources, and that's before considering that you actually have to know what you're looking for."
- Nathan Gau (Microsoft PFE, author of the Security Monitoring MP)
The Security Monitoring MP for SCOM from Nathan Gau bundles together lots of different rules and monitors for general security monitoring, keeping in mind that attacks aren't usually instantaneous (Nathan notes in his blog that, on average, it takes 250 days for an attacker to be found).
As a result, there's typically a breadcrumb trail of evidence that an organization's security has vulnerabilities and so this MP focuses on collecting and monitoring these points of evidence.
The MP monitors a broad array of issues and evidence of potential issues, including:
- Domain Admin, Enterprise Admin and Schema Admin Group change monitoring
- Pass the hash, overpass the hash, and pass the ticket detection
- Detection of the creation of a service on a domain controller
- Modification of a Local Admin Group on member server
- Scheduled task creation
- Software installed on a server
- Software removed from a server
- System powered off
- Kevin Holman's failed RDP attempts monitor
- System pending restart monitor
You can download the MP from here, and may also want to listen to an excerpt from one of our Coffee Break webinars (below) which discusses it in more detail.
A huge thanks to Nathan for sharing his work with the community and we highly recommend checking out more of his work, in particular he's a goldmine of other useful information on using SCOM in the context of cyber security.