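-- Seeds host-verification content for the SolarWinds Orion / SUNBURST compromise (T-SQL).
--
--   tag 'EndpointsWithSolarWinds' : rule sets matching the names of Orion service processes
--   tag 'SolarWinds Suspicious'   : rule sets matching known compromise indicators
--
-- Every rule set receives exactly one rule; rule numbers continue from the current
-- MAX(rule_number). Tag ids are allocated as MAX(id)+1 with IDENTITY_INSERT, exactly
-- as the previous version of this script did, so existing references stay valid.
--
-- Changes versus the previous version:
--   * the whole seed runs in one transaction with XACT_ABORT ON, so a failed insert
--     can no longer leave orphaned tags or rule sets behind;
--   * the MAX() reads hold an exclusive table lock until COMMIT, closing the window
--     in which two concurrent runs could allocate the same tag id (IDENTITY_INSERT
--     bypasses the identity generator, so the engine would not catch the collision);
--   * the script refuses to run a second time instead of silently creating duplicate
--     tags and rule sets;
--   * the eight copy-pasted INSERT pairs are driven from one table variable;
--   * typo fixed: 'SolarWinds.InformationSerice.ServiceV3.exe' -> '...InformationService...'
--     (a misspelled process name can never match; verify against the deployed binary).
SET NOCOUNT ON;
SET XACT_ABORT ON;

-- Idempotency guard: re-running the seed would create a second copy of every tag
-- and rule set with the same names.
IF EXISTS (SELECT 1
           FROM host_verification_tags
           WHERE name IN ('EndpointsWithSolarWinds', 'SolarWinds Suspicious'))
BEGIN
    RAISERROR('SolarWinds host-verification tags already exist; seed script not re-applied.', 16, 1);
    RETURN;
END;

DECLARE @tagid   int;  -- id of 'EndpointsWithSolarWinds'; 'SolarWinds Suspicious' is @tagid + 1
DECLARE @rulenum int;  -- rule_number of the next rule to insert

BEGIN TRANSACTION;

-- TABLOCKX + HOLDLOCK: nobody else can insert into these tables until COMMIT,
-- so MAX()+1 is a safe allocation for the rest of this transaction.
SELECT @tagid   = ISNULL(MAX(id) + 1, 0)          FROM host_verification_tags  WITH (TABLOCKX, HOLDLOCK);
SELECT @rulenum = ISNULL(MAX(rule_number) + 1, 0) FROM host_verification_rules WITH (TABLOCKX, HOLDLOCK);

SET IDENTITY_INSERT [dbo].[host_verification_tags] ON;
INSERT INTO host_verification_tags (id, name) VALUES (@tagid,     'EndpointsWithSolarWinds');
INSERT INTO host_verification_tags (id, name) VALUES (@tagid + 1, 'SolarWinds Suspicious');
SET IDENTITY_INSERT [dbo].[host_verification_tags] OFF;

-- One row per rule set, in the order the rules are numbered.
--   tag_offset : 0 -> 'EndpointsWithSolarWinds', 1 -> 'SolarWinds Suspicious'
--   rule_type  : values carried over from the previous version (6 for the process-name
--                rules, 4 for the file-path rule); their meaning is defined by the
--                application that evaluates host_verification_rules, not here.
DECLARE @seed TABLE (
    seq        int IDENTITY(1, 1) PRIMARY KEY,  -- fixes iteration order for rule numbering
    name       nvarchar(100) NOT NULL,
    tag_offset int           NOT NULL,
    rule_type  int           NOT NULL,
    comments   nvarchar(200) NOT NULL
);

-- NOTE(review): SolarWinds.BusinessLayerHost.exe is the Orion host process that loads
-- the trojanised SolarWinds.Orion.Core.BusinessLayer.dll, but it also runs on clean
-- Orion installations, so the 'Suspicious' rule for it will match every Orion server,
-- not only compromised ones. Confirm that is the intended triage behaviour.
INSERT INTO @seed (name, tag_offset, rule_type, comments) VALUES
    (N'SolarWinds.Administration.exe',               0, 6, 'Endpoints with SolarWinds Application Running'),
    (N'SolarWinds.Alerting.Service.exe',             0, 6, 'Endpoints with SolarWinds Application Running'),
    (N'SolarWinds.Collector.Service.exe',            0, 6, 'Endpoints with SolarWinds Application Running'),
    (N'SolarWinds.InformationService.ServiceV3.exe', 0, 6, 'Endpoints with SolarWinds Application Running'),
    (N'SolarWinds.ServiceHost.Process.exe',          0, 6, 'Endpoints with SolarWinds Application Running'),
    (N'SolarWinds.HighAvailability.Service.exe',     0, 6, 'Endpoints with SolarWinds Application Running'),
    (N'SolarWinds.BusinessLayerHost.exe',            1, 6, 'Suspicious process: SolarWinds.BusinessLayerHost.exe'),
    (N'C:\Windows\SysWOW64\netsetupsvc.dll',         1, 4, 'Endpoint with compromised file: C:\Windows\SysWOW64\netsetupsvc.dll');

DECLARE @name    nvarchar(100);
DECLARE @offset  int;
DECLARE @type    int;
DECLARE @comment nvarchar(200);
DECLARE @index   int;  -- id of the rule set just inserted (SCOPE_IDENTITY)

DECLARE seed_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name, tag_offset, rule_type, comments
    FROM @seed
    ORDER BY seq;

OPEN seed_cur;
FETCH NEXT FROM seed_cur INTO @name, @offset, @type, @comment;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- status = 1 on every rule set, as before (the rule set is enabled on creation).
    INSERT INTO host_verification_rule_sets (name, status, tag, comments)
    VALUES (@name, 1, @tagid + @offset, @comment);
    SELECT @index = SCOPE_IDENTITY();

    -- os = 1 and negative = 0 are carried over unchanged from the previous version.
    INSERT INTO host_verification_rules (os, type, content, negative, rule_set_id, rule_number)
    VALUES (1, @type, @name, 0, @index, @rulenum);

    SET @rulenum = @rulenum + 1;
    FETCH NEXT FROM seed_cur INTO @name, @offset, @type, @comment;
END;

CLOSE seed_cur;
DEALLOCATE seed_cur;

COMMIT TRANSACTION;
GO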