Understanding Real-Time Monitoring Policies
Real-time monitoring policies are essentially different from gathering policies (explained in Understanding Policies): they maintain rule and site dependencies, and handle notification.
When you create a monitoring policy, you bind rules to sites and define notification message recipients. By default, real-time monitoring policies are disabled. Enable policies manually.
To create a real-time monitoring policy
- In InTrust Manager, right-click Real-Time Monitoring | Policies, and select New Policy.
- Follow the New Policy Wizard.
- On the final step of the wizard, activate the policy.
You can change monitoring policy settings using the policy's properties. The following is an overview of the settings that you can specify during real-time monitoring policy creation or for existing real-time monitoring policies.
Where the Policy Is Applied
The scope of the policy is defined by the sites that it is associated with, and it can be refined by applying an object filter to site members. In the properties of a policy, the sites are specified on the Sites tab and the filter on the Filter tab.
What Rules Are Associated
You can specify the set of rules for a policy by selecting individual rules or entire rule groups. In the properties of a policy, this is done on the Rules tab.
Who Is Notified about Rule Matches
Whenever a rule is matched, it generates notification messages of the types that are specified for that rule. A policy specifies who gets the messages. As long as the corresponding notification type is enabled for a rule, a message from that rule is sent to the recipients specified by the policy. For details, see Configuring Notification Groups and Recipients.
The following notification types are supported:
|
Notification type |
Details |
|---|---|
|
|
In the properties of a real-time monitoring policy, this is configured on the E-mail tab. You can specify regular recipients, notification groups and dynamic operators. |
|
Event Log |
In the properties of a real-time monitoring policy, this is configured on the Event Log tab. You can specify only Event Log Recipient, which implements logging of rule match events. Using other recipients has no effect for this notification type. For details about Event Log Recipient, see Configuring Notification Groups and Recipients. Note that even though Event Log Recipient is not really a message addressee, you still need to enable it so that rules with the Event Log notification type can log their match events. |
Who Has Access to Alerts
If you need to set up fine-grained access to the resulting alerts in Monitoring Console, you can do it on the Alert security tab in the properties of a policy. Specify Active Directory accounts and define alert permissions for them. This affects whether Monitoring Console lets these accounts view and resolve the alerts generated by the associated rules in the policy.
Handling Alerts
InTrust Real-Time Monitoring Console is a Web-based application that you can use to view and manage InTrust real-time alerts (stored in an InTrust alert database).
|
|
Caution: If you are using Monitoring Console installed on Microsoft IIS 6.0 or 7.0, make sure ASP extensions are allowed. Refer the documentation of your version of IIS for details about allowing extensions. |
Monitoring Console administrators control user access to the alerts by configuring profiles.
A profile defines which InTrust server provides the alert records a user can work with, and specifies other user preferences for Monitoring Console operation (such as language and display style). A user selects a profile and works with associated alert views. An alert view is a collection of settings that define alert choice and presentation.
Alert Security Settings
Alert records are available to users only if their accounts have sufficient privileges to view the alerts or change their state (for example, from New to Acknowledged, or from Acknowledged to Resolved).
By default, InTrust organization administrators (explained in the InTrust Organization Administrators topic) have all privileges for working with all alerts (Read and Change Alert State). If you cannot view the alerts you need, see the policy security settings.
To provide users with these rights, Alert Security settings should be configured in InTrust Manager in the following way:
- In InTrust Manager, select Real-Time Monitoring | Policies.
- Right-click the required policy that binds the rules you need to the InTrust sites you want to monitor, and select Properties.
- Click the Alert Security tab, and configure access to alerts for user or group accounts, using the Allow and Deny options for the following privileges:
- Read
Allows users to view the alerts from the selected sites triggered by selected rules - Change Alert State
Allows users to change alert status and add custom Knowledge Base articles to the alerts
- Read
Managing Profiles for Monitoring Console
Monitoring Console offers profiles to allow authorized users or groups work with the alerts they need. During InTrust suite setup, a default profile for Monitoring Console users is created automatically.
However, if Monitoring Console installation was not a part of InTrust suite setup (that is, Monitoring Console's own setup was used), no default profile is created, and you have to create it manually from the Monitoring Console Administration page.
|
|
Caution: To create or edit a profile, your user account should be granted an Administrator role for COM+ System Application on the computer where the Monitoring Console runs. To check if you have this role, open the Component Services MMC snap-in on the computer with Monitoring Console, and view the Computers | My Computer | COM+ Applications | System Application | Roles | Administrator | Users node. |
When configuring a profile, you are prompted for the Run As account. This account will be used to connect to the InTrust server responsible for alert generation. To ensure a proper connection and correct flow of the monitoring process, this account requires sufficient privileges. The minimal requirements are:
- Membership in InTrust Alerting Admins
- Read permission on monitoring-related items (policies, rules, rule groups, sites, data sources) from InTrust configuration – this can be set in each item’s properties on the Security tab
- Modify permission on monitoring rules – this can be set in the rule properties on the Security tab; this is required for editing the Knowledge Base articles
|
|
Caution: Consider that the Run As account of the default profile is listed as an InTrust organization administrator, thus having all required privileges. New profiles with the Run As account listed as an InTrust organization administrator can be also created. |
To create a profile
- Open the Monitoring Console Administration page, for example, from the Start menu.
- Click New in the left pane to start the New Profile Wizard.
- Supply the following:
- Profile name and optional description
- Path for quick access to this profile from your browser
For example, if Monitoring Console is installed on the computer SERVER in the virtual directory ITMonitoring, then to access the profile with path Profile1, in the Address bar you should type http://SERVER/ITMonitoring/Profile1. - Run As account to use when connecting to the InTrust server
Depending on the user role in alerts handling process, this account should be an InTrust organization administrator. Alternatively, if you prefer more granularity in privilege assignment, the account should:- Be a member of the InTrust Alerting Admins group
- Have at least Read access to monitoring policies, rule groups, sites, and data sources, and Modify access to rules for editing the Knowledge Base articles
- Specify the InTrust server that provides alert records to this profile, and connection protocol information:
- TCP/IP and port
- Named Pipes and pipe name
- RPC and endpoint
- When you select an InTrust server, the corresponding alert database is selected automatically. You only have to:
- Select the authentication method to use when connecting to the alert database: Windows authentication (with the credentials used for connecting to InTrust Server) or SQL Server authentication (specify access credentials here)
|
|
Notes:
|
- Supply the number of concurrent database connections to the alert database (note that actual number will be one more than specified in this field, due to the connection always used when recalculating alert statistics). If the connection rate is not enough to provide users with alerts they need in a timely manner, you can increase the number of connections.
- Configure the time interval for recalculating alert statistics; that is, how often to update statistics within the active views of users who utilize the profile at any moment (Refresh alerts).
- Select:
- The working language that will be used for current profile
- The theme (display style)
You can also modify settings for existing profiles by selecting a profile from the list and opening the corresponding tabs.
For more details on working with the profiles, see the help topic for the Monitoring Console Administration page.
Creating Alert Views
After a new profile is configured, you can customize alert views for this profile in Monitoring Console. Monitoring Console can be opened from the Start menu.
To create a view
- In Monitoring Console, click New to start the New Alert View Wizard.
- Follow the wizard, selecting the rules and sites that you want to monitor, and specifying other settings. For details, see the Monitoring Console help.
- After you finish the wizard, these preferences are saved as an alert view.
For an existing view, you can configure filters based on alert state and generation time in addition to the settings specified in the wizard.
Within a view, you can examine alert statistics, analyze the alerts in detail, or search for the alerts.
For more details, see the Monitoring Console help.
Sample Rule Configuration
The easiest way to configure real-time monitoring is to use predefined objects (making copies is recommended): sites, rules and policies.
To learn to watch out for activity that you are interested in, consider the following scenarios:
- Setting Up Monitoring for User Account Creation
- Setting Up Monitoring for Suspicious Processes
- Setting Up Monitoring for Suspicious PowerShell Activity
You can use them directly, adapt them to your own environment or make your own real-time monitoring configurations based on them.
Setting Up Monitoring for User Account Creation
In this scenario, let’s assume you intend to monitor user account creation performed by unauthorized personnel, meaning:
- You want the monitoring to span your Active Directory domain.
- You want to be notified by email when account creation is detected.
- You do not want any automated response actions to be taken.
To achieve this, you must configure the following:
- A site that encompasses all Windows servers and workstations in the domain,
- A rule that defines the notification message and is matched when the specified event occurs,
- A policy that binds the site and the rule together, and specifies e-mail as the notification method.
All of the required elements are predefined in InTrust, so all you need to do is to make the copies of these objects and associate them with one another as follows:
- In InTrust Manager, double-click Configuration | Sites | Microsoft Windows Network, and check that the following predefined sites exist:
- All Windows servers in the domain
- All Windows workstations in the domain
|
|
Caution: Populate your predefined sites with objects you need and confirm that the sites span objects reside in the right domain. (You can enumerate site objects by clicking Refresh on the site’s Enumeration pane.) |
- Double-click Real-Time Monitoring | Rules | Windows/AD Security | Administrative activity | Account management, right-click the User account created by unauthorized personnel rule.
- Select Properties from the rule’s shortcut menu. Click the Notifications tab and check that an email message is listed. Edit the message if necessary, as described in the Message Templates section of the Notification topic.
- Select the Response Actions tab, and clear the check boxes next to the response actions listed–response actions are disabled.
- Click the General tab and select the Enabled option to activate the rule. After you close rule properties, commit the changes.
- Double-click Real-Time Monitoring | Policies, right-click the Windows/AD Security: Administrative Activity Monitoring policy and select Properties.
- Click the Rules tab. The Administrative activity rule group is specified in the list by default. This group includes the required rule. If you want to select just this rule rather than the entire group, open the group and select the rule.
- Select the E-mail tab, and click Add to specify who will receive the messages. For detailed instructions, see the Notification Groups section of the Real-Time Monitoring Overview topic.
- Select the General tab and select the Activate option. After you close the properties dialog box, commit the changes. The configuration is now finished; InTrust agents will be installed automatically to the site computers to execute the monitoring tasks.
You can modify such settings as alerting, response actions, rule activity time, or others at any time as necessary.
To create your own InTrust object (site, rule, policy and so on), copy the corresponding InTrust predefined object and edit this object according to your specific needs. InTrust treats all sites, rules and policies the same whether they are predefined or user-defined.