Thursday, May 10, 2018

SCOM - Security Monitoring MP has been Updated

Last year, Nathan Gau (Microsoft Premier Field Engineer) released an awesome free management pack to the community with the specific focus of enhancing your security monitoring capabilities with SCOM.

I've been using this management pack in our own environment and on customer sites for a while now, and there are some really useful alerts that it can generate which give you an extra layer of security monitoring within your environment.

Some examples of the alerts include:

  • Active Directory Domain Admin/Enterprise Admin/Schema Admin group changes
  • Detecting the clearance of security logs
  • Detection of new services being created on Domain Controllers
  • Golden Ticket detection
  • AppLocker rules for detection of WCE, Mimikatz, PsExec, PowerSploit
  • Scheduled task creation

The management pack isn't designed to be the only security monitoring tool that you use; it should instead be an addition that complements your overall security alert management strategy.

Here's how the author has positioned the management pack on his blog:

"To be clear, this is not a foolproof management pack. It is another defense-in-depth strategy that can help an organization to determine if they are breached, potentially catching the attacker before data loss occurs. It will not catch every intrusion, so please do not assume that putting this in makes you secure. It is 100% dependent on a good alert management process, a subject that I have written about extensively. With that said, the main goal in this design was to keep alert noise down to a minimum. The hope is that very little of this will fire out of the box. If this MP is generating alerts, they should be investigated."

Since its inception, there has been a lot of work put into this management pack, with the list of contributors making up a 'who's who' of the best in the SCOM community.

If you're using SCOM, then I highly recommend you take this free community MP for a test drive and see for yourself the value it can add to your security monitoring arsenal.

You can get all the information you need on this MP (including the latest change log and a summary of all features) from Nathan's main blog post on it, at the following link:

Introducing the Security Monitoring Management Pack for SCOM