Custom WMI Monitor for Windows Domain and Physical Registry

• Planning
• Adding New IBM WebSphere Performance Objects
• Associating Device Types to Performance Objects
• Testing the Performance Monitor
• Enabling the Performance Monitor
• Writing Queries for the Performance Metrics

Planning

Mapping Windows WMI Classes to FortiSIEM Event Attribute Types

If you run the command wmic -U <domain>/<user>%<pwd> //<ip> "select * from Win32_ComputerSystem against a Windows server, you will see an output similar to this:

CLASS: Win32_ComputerSystem
AdminPasswordStatus::SEP::AutomaticManagedPagefile::SEP::AutomaticResetBootOption::SEP::AutomaticResetCapability::SEP::BootOptionOnLimit::SEP::BootOptionOnWatchDog::SEP::BootROMSupported::SEP::BootupState::SEP::Caption::SEP::ChassisBootupState::SEP::CreationClassName::SEP::CurrentTimeZone::SEP::DaylightInEffect::SEP::Description::SEP::DNSHostName::SEP::Domain::SEP::DomainRole::SEP::EnableDaylightSavingsTime::SEP::FrontPanelResetStatus::SEP::InfraredSupported::SEP::InitialLoadInfo::SEP::InstallDate::SEP::KeyboardPasswordStatus::SEP::LastLoadInfo::SEP::Manufacturer::SEP::Model::SEP::Name::SEP::NameFormat::SEP::NetworkServerModeEnabled::SEP::NumberOfLogicalProcessors::SEP::NumberOfProcessors::SEP::OEMLogoBitmap::SEP::OEMStringArray::SEP::PartOfDomain::SEP::PauseAfterReset::SEP::PCSystemType::SEP::PowerManagementCapabilities::SEP::PowerManagementSupported::SEP::PowerOnPasswordStatus::SEP::PowerState::SEP::PowerSupplyState::SEP::PrimaryOwnerContact::SEP::PrimaryOwnerName::SEP::ResetCapability::SEP::ResetCount::SEP::ResetLimit::SEP::Roles::SEP::Status::SEP::SupportContactDescription::SEP::SystemStartupDelay::SEP::SystemStartupOptions::SEP::SystemStartupSetting::SEP::SystemType::SEP::ThermalState::SEP::TotalPhysicalMemory::SEP::UserName::SEP::WakeUpType::SEP::Workgroup

1::SEP::True::SEP::True::SEP::True::SEP::3::SEP::3::SEP::True::SEP::Normal boot::SEP::WIN2008-ADS::SEP::3::SEP::Win32_ComputerSystem::SEP::-420::SEP::True::SEP::AT/AT COMPATIBLE::SEP::WIN2008-ADS::SEP::FortiSIEM.net::SEP::5::SEP::True::SEP::3::SEP::False::SEP::NULL::SEP::(null)::SEP::3::SEP::(null)::SEP::VMware, Inc.::SEP::VMware Virtual Platform::SEP::WIN2008-ADS::SEP::(null)::SEP::True::SEP::1::SEP::1::SEP::NULL::SEP::([MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7],Welcome to the Virtual Machine)::SEP::True::SEP::3932100000::SEP::0::SEP::NULL::SEP::False::SEP::0::SEP::0::SEP::3::SEP::(null)::SEP::Windows User::SEP::1::SEP::-1::SEP::-1::SEP::(LM_Workstation,LM_Server,Primary_Domain_Controller,Timesource,NT,DFS)::SEP::OK::SEP::NULL::SEP::0::SEP::NULL::SEP::0::SEP::X86-based PC::SEP::3::SEP::4293496832::SEP::FortiSIEM\Administrator::SEP::6::SEP::(null)

From this output you can see that the Win32_ComputerSystem WMI class has two attributes:

• Domain
• TotalPhysicalMemory

From these outputs you can see that if you want to create a performance monitor for Windows Domain and Physical Registry, you need to

1. Create an event type, PH_DEV_MON_CUST_WIN_MEM, that will contain the event attribute types Domain and memTotalMB, both of which are already contained in the FortiSIEM event attribute types library. 
2. Create the mapping between the WMI class attributes and the FortiSIEM event attribute types:
   • WMI class attribute Domain and Domain.
   • WMI class attribute TotalPhysicalMemory (Bytes) and memTotalMB (type INT64). Because TotalPhysicalMemory returns in bytes, and memTotalMB is in INT64, a transform will be required to convert the metrics.

Creating New Device Types, Event Attributes, and Event Types

• Device Type

  Since Microsoft Windows is supported by FortiSIEM, you don't need to create a new device type.

• Event Attribute Types and Event Types

  Both Domain and memTotalMB are included in the FortiSIEM event attribute type library, so you only need to create a new event type,  PH_DEV_MON_CUST_WIN_MEM, that will contain them. 

• Naming Custom Event Types

  All custom event types must begin with the prefix P H_DEV_MON_CUST_ .

Name	Device Type	Severity	Description
PH_DEV_MON_CUST_WIN_MEM	Microsoft Windows	0 - Low	Windows Domain and Memory

Adding the Microsoft Windows WMI Performance Object

In this case, you will create one performance object that will map the WMI Class attributes to the FortiSIEM event attribute types  Domain and   memTotalMB, and then associate them with the  PH_DEV_MON_CUST_WIN_MEM event type. When you create the  memTotalMB mapping you will also add a transform to convert bytes to INT64 as shown in the second table. 

Performance Object Configuration for Event Type PH_DEV_MON_CUST_DLINK_UPTIME

Field	Setting
Name	WinMem
Type	System
Method	WMI
Parent Class	Win32_ComputerSystem
Parent Class is Table	<left cleared>
List of Attributes	Attribute Format Type Event Attribute Domain String RawValue domain TotalPhysicalMemory Integer RawValue memTotalMB
Event Type	PH_DEV_MON_CUST_WIN_MEM
Polling Frequency	20 seconds

Transform Formula for TotalPhysicalMemory Event Attribute Type

Type	Formula
custom	TotalPhysicalMemory/1024/1024

Associating Device Types to Performance Objects

In this example, you would need to associate Microsoft Windows device types to the performance object. 

Edit Device to Performance Object

Field	Settings
Name	WinMisc
Device Types	Microsoft Windows Microsoft Windows NT Microsoft Windows Server 2000 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Vista Microsoft Windows XP
Perf Objects	WinMem(WMI) - DefaultInterval:0.33mins

Testing the Performance Monitor

Before testing the monitor, make sure you have defined the access credentials for the server, created the IP address to credentials mapping, and tested connectivity. 

1. Go to ADMIN > Device Support > Monitoring.
2. Select one of the performance monitors you created, and then click Test. 
3. For IP, enter the address of the Microsoft Windows server, and select either the Supervisor or Collector node that will retrieve the information for this monitor. 
4. Click Test. 
   You should see succeed under Result, and the parsed event attributes in the test result pane. 
5. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

Enabling the Performance Monitor

1. Discover or re-discover the device you want to monitor. 
2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics. 

Writing Queries for the Performance Metrics

You can now use a simple query to make sure that that the metrics are pulled correctly. The search results should display the metrics for the event attributes you defined. 

Create a structured historical search with these settings:

Filter Criteria	Display Columns	Time	For Organizations
Host IP = <IP> AND Event Type = " PH_DEV_MON_CUST_WIN_MEM";Group by:[None]	Event Receive Time,Reporting IP,Domain,Total Memory (MB)	Last 10 Minutes	All