
Use Pre-configured Rules to Get Started

In document LEM6.2UserGuide (Page 53-57)

The LEM appliance includes hundreds of pre-configured rules. Use these rules to instruct LEM to respond to specific events on your network.

To clone and enable a rule for use on your network:

1. In the LEM Console, click the Build tab, and then select Rules.

2. Use the Folders list or the Refine Results pane to browse, search, or filter for specific rules or scenarios.

3. After you find a rule you want to clone, click the gear button next to it, and then select Clone.

4. On the Clone Rule dialog, select a Custom Rules folder and rename the rule if you wish, and then click OK.

5. In the Rule Creation view, customize the rule further if necessary, select Enable at the top of the form, and then click Save.

6. Back in the main Rules view, click Activate Rules to sync your local changes with the LEM appliance.

Example: Change Management

Create a change management rule to notify you anytime a user makes any kind of change to your network configurations. Examples of such network changes include:

- Adding, changing, or deleting users in Active Directory
- Installing software on monitored computers
- Changing firewall policy

Create a general change management rule, similar to the filter illustrated in the previous section, to instruct LEM to notify you anytime any user makes a configuration change, or create a more specific rule to only fire for specific users, groups, or types of changes.

Note: An important rule of thumb is, "If you can see it in your LEM Console, you can build a rule for it." Remember to use your filters as a starting-place as you consider creating custom rules.

To create a rule that sends you an email anytime someone adds a user to an administrative group:

1. In the LEM Console, click the Build tab, and then select Rules.

2. Click the plus button in the upper-right corner.

3. Enter an appropriate name for the rule, such as New Admin User.

4. Populate the rule's Correlations box with an appropriate event or event group. For this example, use a NewGroupMember.EventInfo Equals *admin* condition to fire anytime LEM gets a NewGroupMember event with the text "admin" anywhere in the EventInfo field:

a. Click Events on the left pane.

b. At the top of the Events list, enter NewGroupMember to search for that event, and then select it in the list.

c. In the Fields: NewGroupMember list, find EventInfo, and then drag it into the Correlations box.

d. In the text field (denoted by a pencil icon in the Correlations box), enter *admin* to account for all variations on the word "administrator."

5. Leave the Correlation Time box as-is so your rule fires anytime LEM captures this type of event.

6. Add the Send Email Message action to the Actions box:

a. Click Actions on the left pane.

b. Find Send Email Message, and then drag it into the Actions box.

c. Select a template from the Email Template menu.

d. Select a LEM user from the Recipients menu.

e. Drag and drop event fields or constants from the left pane into the Send Email Message form to complete the action.

Note: Always use event fields for the event(s) present in the Correlations box. For example, use NewGroupMember.DetectionTime to populate the DetectionTime field in this example.

7. Select Enable at the top of the Rule Creation form, and then click Save.

8. To sync your local changes with the LEM appliance, click Activate Rules back in the main Rules view.

After you enable and activate this rule, the LEM appliance sends an email anytime someone adds a user to any group in Active Directory that contains the text "admin" in its name.
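To make the semantics of the rule above concrete, here is a small added model of it (example code, not part of the LEM user guide or product): it evaluates constructed NewGroupMember events against the NewGroupMember.EventInfo Equals *admin* condition and builds the Send Email Message action from the matched event's own fields, as the note recommends. The event dictionaries, the recipient name and the function names are assumptions for illustration.

```python
# Added example, not from the LEM guide: a minimal model of the
# "New Admin User" rule. Field names (EventInfo, DetectionTime) follow
# the guide; the sample values below are constructed.
import fnmatch

# Constructed sample event stream, as LEM might receive it.
SAMPLE_EVENTS = [
    {"type": "NewGroupMember", "EventInfo": "jdoe added to Domain Admins",
     "DetectionTime": "2016-03-01T10:15:00"},
    {"type": "NewGroupMember", "EventInfo": "asmith added to Sales",
     "DetectionTime": "2016-03-01T10:16:00"},
    {"type": "UserLogon", "EventInfo": "Administrator logged on",
     "DetectionTime": "2016-03-01T10:17:00"},
]


def matches_rule(event, event_type="NewGroupMember", pattern="*admin*"):
    """Correlation check: the event type must match and EventInfo must
    match the wildcard pattern. The match is case-insensitive so that
    'Admins', 'Administrators' and 'admin' all fire, as the guide intends."""
    if event.get("type") != event_type:
        return False
    info = event.get("EventInfo", "")
    return fnmatch.fnmatchcase(info.lower(), pattern.lower())


def build_email_action(event, recipient):
    """Send Email Message action populated from the correlated event's
    fields (e.g. NewGroupMember.DetectionTime), not from constants."""
    return {
        "action": "Send Email Message",
        "recipient": recipient,
        "DetectionTime": event["DetectionTime"],
        "EventInfo": event["EventInfo"],
    }


def evaluate(events, recipient="lem-admin"):
    """Correlation Time left as-is: every matching event fires the
    rule, so one action is produced per matching event."""
    return [build_email_action(e, recipient) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for action in evaluate(SAMPLE_EVENTS):
        print(action)
```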

For more detailed information about how to create LEM rules to take action on your network, see Creating Rules from Your LEM Console to Take Automated Action.

Other Rule Scenarios

Countless scenarios may warrant a rule. Consider these combinations of rules and actions:

- Respond to other change management events with the Send Email Message action.
- Respond to port scanning events with the Block IP action.
- Respond to isolated spikes in network traffic with the Send Email Message or Disable Networking action.
- Respond to users playing games on monitored computers with the Send Popup Message or Kill Process action.
- Respond to users attaching unauthorized USB devices to monitored computers using the Detach USB Device action.

Basically, any activity or event that can pose a threat to your network might warrant a LEM rule.

Troubleshooting

If you have created a rule, but you are not getting the expected results, verify the following to track down the root cause:

1. Check for the requisite events on the Monitor tab. For example, if your rule is based on the NewGroupMember event, see if you can find one in the All Events or default Change Management filter.

2. If you do not see the requisite events, troubleshoot your devices and connectors to get the events into LEM. Otherwise, continue troubleshooting here.

3. Check for an InternalRuleFired event in the SolarWinds Events filter.

4. If you do not see an InternalRuleFired event for your rule, check the following to continue troubleshooting. Otherwise, skip to Step 5 to continue.

- Is your rule enabled?
- Did you modify the Correlation Time or Response Window in your rule?
- Did you click Activate Rules after saving your rule?
- Is the time on your device more than 5 minutes off from the time on your LEM appliance?

5. If you see an InternalRuleFired event for your rule, but LEM does not respond as expected, check the following, according to the action you

- Send Email Message: Verify you have configured and started the Email Active Response connector on the LEM appliance.
- Send Email Message: Verify you have associated an email address with the LEM user you selected as your email recipient.
- Agent-based Actions: Verify you have installed the LEM Agent on the computer you want LEM to respond to.
- Block IP: Verify you have configured the active response connector for the firewall you want to use to take this action. The active response connector is separate from the data gathering connector.

For more detailed information about how to troubleshoot LEM rules and active responses, see Troubleshooting LEM Rules and Email Responses.

Additional Information

For a general procedure and video addressing how to create and clone rules in the LEM Console, see Creating Rules from Your LEM Console to Take Automated Action.

For additional information about the active responses available for LEM rules, see:

- How does the Block IP active response work?
- How does the Detach USB Device active response work?
- How does the Append Text To File active response work?
- How do the computer-based active responses work?
- How do the user-based active responses work?
- How do the Kill Process active responses work?
- How does the Disable Networking active response work?
