Example: WMI Monitor
Imagine that a device on your network has been illegally logged into through a brute force attack (an attack in which an intruder runs a script that tries random usernames and passwords against a range of IP addresses on your network). These attacks are extremely dangerous if the compromised device is on your domain or has sensitive information stored on it.
You can use a custom WMI Active Monitor to check the appropriate performance counters on a Windows device and notify you when this type of attack occurs, so you can respond before a potential intruder gains access to your network.
To configure this type of Active Monitor:
- Using the WhatsUp Gold web interface, create the WMI monitor.
  - In the web interface, select , click . The Select Active Monitor Type dialog opens.
  - Select and click . The Add WMI Monitor dialog opens.
  - In the box, enter "ErrorsLogon" to identify that this monitor checks for logon errors.
  - Click the () button next to to access the Performance Counters dialog.
  - Enter the share name or IP address of the computer to which you want to connect.
  - Enter the domain and user login for the account on this computer. If a domain account is used, the expected user name is domain\user. If the device is in a workgroup, there are two possible user names: workgroup name\user or machine name\user.
  - Enter the password for the login used above and click to connect to the computer. The Performance Counters dialog opens.
  - In the box, select Server.
  - In the folder, select the performance counter. Take note of the Current value entry at the bottom of the dialog. This is the number of logon errors currently reported through WMI. Click to add the performance counter to the New WMI Monitor dialog.
  - In the box, select .
  - In the box, enter the number of logon errors you feel is acceptable. This is the number of failed logon attempts between polls.
  - In the box, select .
  - Click to add the active monitor to the library.
- Enter the credentials for logging on to the device to which you will add this monitor.
  - In the Device Properties for the device, select the section.
  - In the Credentials section, click the () button next to to access the Credentials Library.
  - Create a Windows credential using the administration login and password for the device you want to create the passive monitor for. When you have configured the credential, click .
  - On the Credentials page, select the new , then click .
- Add the monitor to the problem device.
  - In your device list, find the device. Double-click the device to display its properties, then select Active Monitors.
  - Click . The Active Monitor wizard opens. Select the ErrorsLogon monitor, and continue with the wizard to configure any actions for the monitor.
  - For more information on setting up an action, see Configuring an Action.
You may want to consider creating several levels of the active monitor, each with a higher threshold than the last and with more severe actions associated with it.
For example, create a monitor with 30 as the threshold that simply sends you an email, letting you know that at least 31 attempts have been made. Next, create another monitor that uses 60 as the threshold. This monitor may have an SMS action associated with it that sends a text message to you when at least 61 attempts are made. For the most severe level, you could create a 100 threshold and have the action send messages to several people who may be able to block the IP or take the device off the network while the attack is addressed.
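To make the "failed logons between polls" logic and the tiered 30/60/100 thresholds concrete, here is an added PowerShell example (not WhatsUp Gold's own code) that polls the same Server counter over WMI and reports which tier a poll interval falls into. It assumes the counter is exposed as the ErrorsLogon property of the Win32_PerfFormattedData_PerfNet_Server class, and the alert actions are placeholders where a real deployment would send the email, SMS or notifications the text describes.

```powershell
# Added example (not WhatsUp Gold code): poll the Server\Errors Logon counter over WMI and
# raise tiered alerts on the number of new logon errors since the previous poll.
# Assumptions: the counter is the ErrorsLogon property of Win32_PerfFormattedData_PerfNet_Server,
# and the actions below are placeholders (Write-Warning) standing in for email/SMS actions.
param(
    [string]$ComputerName = 'localhost',   # share name or IP address of the monitored device
    [pscredential]$Credential,             # domain\user or machine\user; omit to use current user
    [int]$PollSeconds = 60
)

# Tiers: a poll delta strictly above Threshold triggers Action (30 means "at least 31 attempts")
$tiers = @(
    @{ Threshold = 100; Action = 'Notify several people; block the source IP or isolate the device' },
    @{ Threshold = 60;  Action = 'Send SMS text message' },
    @{ Threshold = 30;  Action = 'Send e-mail' }
)

$sessionArgs = @{ ComputerName = $ComputerName }
if ($Credential) { $sessionArgs.Credential = $Credential }
$session = New-CimSession @sessionArgs

function Get-ErrorsLogon {
    param($CimSession)
    # Cumulative count of failed logons since the Server service started
    (Get-CimInstance -CimSession $CimSession -ClassName Win32_PerfFormattedData_PerfNet_Server).ErrorsLogon
}

function Get-TierForDelta {
    param([long]$Delta, [array]$Tiers)
    # Return the most severe tier whose threshold the delta exceeds, or $null if none
    foreach ($tier in ($Tiers | Sort-Object { $_.Threshold } -Descending)) {
        if ($Delta -gt $tier.Threshold) { return $tier }
    }
    return $null
}

$previous = Get-ErrorsLogon -CimSession $session
while ($true) {
    Start-Sleep -Seconds $PollSeconds
    $current = Get-ErrorsLogon -CimSession $session
    # A value lower than last time means the counter was reset (e.g. service restart): new baseline
    $delta = if ($current -ge $previous) { $current - $previous } else { $current }
    $previous = $current
    $tier = Get-TierForDelta -Delta $delta -Tiers $tiers
    if ($tier) {
        Write-Warning "${ComputerName}: $delta failed logons in the last $PollSeconds s (threshold $($tier.Threshold)). Action: $($tier.Action)"
    } else {
        Write-Verbose "${ComputerName}: $delta failed logons in the last $PollSeconds s"
    }
}
```

Run it with `-Credential (Get-Credential)` to supply the domain\user account the procedure above describes; New-CimSession uses WinRM by default, so the target must accept remote management from the polling host.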