Experiencing a Real-World Security Investigation with OMS Security


Earlier this month, Tom Shinder wrote this article about the OMS Suite Experience Center. It is an excellent resource for learning more about OMS Security, exploring the interface and getting used to the dashboard. Now let's move to the next level and actually perform a security investigation using the data available in that environment.

Perform the following steps before starting this lab:

  1. Access https://experience.mms.microsoft.com
  2. Fill in the form with your own information; under Scenario select Security & Compliance, click I accept the terms and conditions, and click Get started.
  3. If you receive a message asking whether you want to download the PDF, click Download PDF, minimize Adobe Acrobat and switch to the browser window that was opened.
  4. The OMS Dashboard is loaded in your browser.
  5. Click the Security and Audit tile.
  6. Go to the next section.


Investigating Security Issues with OMS

Scenario: you are investigating a series of suspicious activities in your network. The goal of this investigation is to answer the following questions:

  • Which computer was infected with malware
  • The source country of the attack launched against the company's web server
  • Which computer has malicious outbound communication and, based on your research, how this communication took place
  • Which user attempted a privilege escalation attack, and from which computer

To answer the first question, follow the steps below:

  1. Under NOTABLE ISSUES, click Computers with detected threats.
  2. If the Search quick tips pop-up window appears, close it (X).
  3. The search result should show one computer; click it to obtain more information.
  4. By reviewing the information on this screen you should be able to find the following:

Threat name: ___________________________________________

Threat status: ___________________________________________

Which product detected this threat: _________________________

Name of the computer that was infected: _____________________

  5. Once you finish reviewing, go back to the OMS Security and Audit dashboard.

To answer the second question, follow the steps below:

  1. Under NOTABLE ISSUES, click Malicious on IIS.
  2. If the Search quick tips pop-up window appears, close it (X).
  3. On the left pane, under REMOTEIPCOUNTRY, take note of the countries from which the malicious traffic originated.
  4. You can also see the same information on the right pane, under RemoteIPCountry for each event. Review both panes (left and right) to understand the source of the attack.
  5. Once you finish reviewing, go back to the OMS Security and Audit dashboard.

To answer the third question, follow the steps below:

  1. Under THREAT INTELLIGENCE, click Servers with outbound malicious traffic.
  2. If the Search quick tips pop-up window appears, close it (X).
  3. The search result should show one computer; click it to obtain more information.
  4. By reviewing the information on this screen you should be able to find the following:

Computer that has malicious outbound traffic: ____________________________________

How the communication took place: _____________________________________________

(TIP: look at the Description field in the right pane.)

To answer the fourth question, follow the steps below:

  1. Under SECURITY DOMAINS, click Computer.
  2. If the Search quick tips pop-up window appears, close it (X).
  3. On the right pane, the search result will show four entries; click SecurityDetection.
  4. By reviewing the information on this screen you should be able to find the following:

The user that tried to perform a privilege escalation attack: __________________________

The computer used by this user to perform this attack: _____________________________
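The four dashboard searches above can also be thought of as filters and facets over the underlying log records. The following added example (not code from the original post or from OMS) reproduces that investigation logic over a small set of constructed records; RemoteIPCountry, SecurityDetection, Computer and Description are names shown in the lab, while Type, ThreatStatus, Threat, Product, Malicious, Detection and Account are assumed field names for illustration.

```python
from collections import Counter

# Constructed sample records in the shape of OMS Log Analytics results.
# Field names other than RemoteIPCountry, SecurityDetection, Computer and
# Description are assumptions made for this example; all values are invented.
RECORDS = [
    {"Type": "ProtectionStatus", "Computer": "WEB01", "ThreatStatus": "No threats detected"},
    {"Type": "ProtectionStatus", "Computer": "APP02", "ThreatStatus": "Quarantined",
     "Threat": "Trojan:Win32/Example.A", "Product": "Windows Defender"},
    {"Type": "W3CIISLog", "Computer": "WEB01", "RemoteIPCountry": "Country A", "Malicious": True},
    {"Type": "W3CIISLog", "Computer": "WEB01", "RemoteIPCountry": "Country B", "Malicious": True},
    {"Type": "W3CIISLog", "Computer": "WEB01", "RemoteIPCountry": "Country A", "Malicious": True},
    {"Type": "W3CIISLog", "Computer": "WEB01", "RemoteIPCountry": "Country C", "Malicious": False},
    {"Type": "SecurityDetection", "Computer": "DB03", "Detection": "OutboundMaliciousTraffic",
     "Description": "Outbound connection to a known malicious IP over TCP/443"},
    {"Type": "SecurityDetection", "Computer": "WS04", "Detection": "PrivilegeEscalation",
     "Account": "CONTOSO\\jdoe", "Description": "Attempted privilege escalation"},
]

def computers_with_detected_threats(records):
    """Question 1: computers whose anti-malware status is not clean."""
    return [(r["Computer"], r.get("Threat"), r.get("Product"), r["ThreatStatus"])
            for r in records
            if r["Type"] == "ProtectionStatus" and r["ThreatStatus"] != "No threats detected"]

def malicious_iis_source_countries(records):
    """Question 2: the RemoteIPCountry facet, counted over malicious IIS requests only."""
    return Counter(r["RemoteIPCountry"] for r in records
                   if r["Type"] == "W3CIISLog" and r.get("Malicious"))

def security_detections(records, detection):
    """Questions 3 and 4: SecurityDetection records of one kind, Description included."""
    return [r for r in records
            if r["Type"] == "SecurityDetection" and r["Detection"] == detection]

def investigate(records):
    """Answer the four lab questions from one record set."""
    outbound = security_detections(records, "OutboundMaliciousTraffic")
    privesc = security_detections(records, "PrivilegeEscalation")
    return {
        "infected": computers_with_detected_threats(records),
        "source_countries": malicious_iis_source_countries(records).most_common(),
        "outbound": [(r["Computer"], r["Description"]) for r in outbound],
        "privesc": [(r["Account"], r["Computer"]) for r in privesc],
    }

if __name__ == "__main__":
    for question, answer in investigate(RECORDS).items():
        print(question, answer)
```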


I hope you enjoyed this exercise, and that it helped you understand the real value of OMS Security as a tool to investigate security-related issues and monitor your environment.

Stay safe!

Yuri Diogenes
@yuridiogenes
