The Security Monitoring MP for SCOM from Nathan Gau bundles together many different rules and monitors for general security monitoring. It is built on the premise that attacks aren't usually instantaneous (Nathan notes in his blog that, on average, it takes 250 days for an attacker to be found).
As a result, there is typically a breadcrumb trail of evidence that an organization's security has vulnerabilities, so this MP focuses on collecting and monitoring those points of evidence.
The MP monitors a broad array of issues and evidence of potential issues, including:
- Domain Admin, Enterprise Admin and Schema Admin Group change monitoring
- Pass-the-hash, overpass-the-hash, and pass-the-ticket detection
- Detection of the creation of a service on a domain controller
- Modification of a Local Admin Group on member server
- Scheduled task creation
- Software installed on a server
- Software removed from a server
- System powered off
- Kevin Holman's failed RDP attempts monitor
- System pending restart monitor
You can download the MP from here, and may also want to listen to an excerpt from one of our Coffee Break webinars (below) which discusses it in more detail.
A huge thanks to Nathan for sharing his work with the community. We highly recommend checking out more of his work; in particular, he is a goldmine of other useful information on using SCOM in the context of cyber security.
SCOM is an amazingly powerful platform, but it’s the management packs that do all the heavy lifting. Thanks to the extensibility, maturity, and huge install base of SCOM, there are tons of fantastic, freely-available management packs out there, all provided by a vibrant, creative and generous worldwide SCOM community.
But how do you find every single management pack that might be of interest to you?
Do you spend your whole life digging around the internet, looking in every nook and cranny for little-known bloggers who might have put a useful MP out there? And once you've found them, how do you make sure that you've always got the latest version installed? Not easy, right?
Well, help is at hand in the form of the Community MP Catalog, which extends the SCOM console to simplify the discovery and life-cycle management of community MPs, including:
- Rapid discovery of the best SCOM community MPs, including searchability by type, technology, author and more.
- A view of all the SCOM community MPs you have installed, including details of your current version, the latest version available and the download location.
- Configurable notifications, allowing you to be alerted on the availability of new versions of your community MPs.
For a more in-depth introduction to the MP, we recommend checking out the recording of the release webinar below.
Want to contribute to the Community MP Catalog?
If you’ve got a handy custom MP that you think would make a great addition to the Community MP Catalog then it's time for you to get involved! For more details, check out this video to learn all about how you can contribute to this awesome new community project.