Mapping ACS Reports to OMS Search Queries

This post features a table that shows the mapping between Audit Collection Services (ACS) SSRS reports and search queries used in OMS Log Analytics.

In OpsMgr 2012, Audit Collection Services (ACS) provides a means to collect records generated by an audit policy and store them in a centrally managed database. It allows filtering and analyzing of events using the data analysis and reporting tools provided by Microsoft SQL Server like SSRS. There is a set of audit report definition files specifically for ACS data that can be installed to be able to access this collected audit data. After installation, more than 20 audit reports and 2 report models will be available out-of-the-box in the Audit Reports folder on the SQL Reporting server (Figure 1). These reports enable the user to report on security events occurring in their IT environment that are related to Access Violation, Account Management, Forensic, Planning, Policy, System Integrity, Usage and Dynamic Access Control (DAC).

image
Figure 1: Out-of-the-box audit reports available in the Audit Report folder

In OMS Log Analytics,
The Security and Audit solution in Log Analytics provides a comprehensive view into your organization’s IT security posture with built-in search queries for notable issues that require your attention.”
Adding the Security and Audit solution to an OMS workspace will allow Windows security events, Windows application events, and Windows firewall logs to be collected using direct agents or MMA agents that the user enabled. For more information on installation, best practises and scenario walkthroughs on the Security and Audit solution, refer to Security and Audit solution in Log Analytics by Bill Anderson.

Although the datasource is the same – the Security Eventlog, the event data collection mechanism used in ACS is different from what is currently used in the OMS Security and Audit solution. In ACS, the ACS collector receives and processes security events from ACS forwarders and then sends this data to the ACS SQL database.
Whereas in OMS, security events are collected by the direct agent or OpsMgr agent and sent directly to the OMS service in the cloud for processing. The collected security event records can then be retrieved and consolidated quickly using log searches in a query syntax that OMS Log Analytics provide.

To retrieve and analyze the security events highlighted by the ACS Audit Reports in OMS Log Analytics instead, the SQL query search conditions used in these Audit Reports can also be used as the filter expressions in OMS log search queries. The following table shows this mapping between the ACS Audit Reports and their corresponding Search Queries in OMS Log Analytics based on this idea:

OpsMgr Audit Collection Services (ACS)

OMS Log Analytics

Report Name

Description

Log Analytics Search Queries (KQL)

Further Details

 

Access Violation: Account Locked

On Windows Server 2000 and 2003, events 539 and 644 indicate an account was locked. On Windows Server 2008, event 4740 and 6279 indicate an account was locked. This report details all account lock events.

SecurityEvent | where EventID==539 or EventID==644 or EventID==4740 or EventID==6279

Link

SecurityEvent | where EventID==539 or EventID==644 or EventID==4740 or EventID==6279| summarize count() by EventID

 

Access Violation: Unsuccessful Logon Attempts

On Windows Server 2000 and 2003, event 529-537 and 539 indicates that somebody has tried to logon unsuccessfully. On Windows Server 2008, event 4625 indicates that somebody has tried to logon unsuccessfully. This report details who and where. Large number of unsuccessful logon attempt for the same user or computer may indicate a potential intrusion.Filter: Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), Any of (Event Id from 529 to 537, Event Id = 539, All of (Event Id = 4625, Status = "0xc000006d")))

SecurityEvent | where EventID between (529 .. 537) or EventID==539 or (EventID==4625 and Status=="0xc000006d")  | project TargetAccount, IpAddress, Computer, LogonProcessName, AuthenticationPackageName, LogonTypeName

Link

SecurityEvent | where EventID between (529 .. 537) or EventID==539 or (EventID==4625 and Status=="0xc000006d")  | summarize EventCount=count() by TargetAccount | order by EventCount desc

 

Account Management: Domain and Built-in Administrators Membership Changes

This report details membership changes in the Domain and Built-in Administrators group. It looks for event 632, 633, 636 and 637 (membership change event for local and global groups) with target sid = S-1-5-33-544 (Built-in Admin group sid) or target sid that ends with -512 (domain admins group).

SecurityEvent | where EventID==4728 or EventID==4732 or EventID==4756 or EventID==632 or EventID==636 or EventID==660| search "S-1-5-32-544" or "512"| project Action="Add Member", TargetUserName, Activity, SubjectAccount, MemberName, TimeGenerated, Computer

Link

SecurityEvent | where EventID==4729 or EventID==4733 or EventID==4757 or EventID==633 or EventID==637 or EventID==661| search "S-1-5-32-544" or "512"| project Action="Remove Member", TargetUserName, Activity, SubjectAccount, MemberName, TimeGenerated, Computer

 

Account Management: Passwords Change Attempts by Non-owner

On Windows Server 2000 and 2003, event 627 indicates password change attempt and event 628 indicates password reset. On Windows Server 2008, event 4723 indicates password change attempt and event 4724 indicates password reset. This report details any password change/reset attempts by someone other than the account owner.

 

SecurityEvent | where EventID==4723 or EventID==4724 or EventID between (627 .. 628) and SubjectAccount != "ANONYMOUS LOGON" and TargetAccount!=SubjectAccount| project TimeGenerated, Computer, TargetAccount, ChangedBy=SubjectAccount

Link

 

Account Management: User Accounts Created

This report shows user accounts created in the specified time range. The report looks for events 624 (Windows Server 2000 and 2003) and 4720 (Windows Server 2008) which tracks user account creation. Filter: Dv Alls with: All of (State Date on or after (prompted), End Date on or before (prompted), Any of (Event Id = 624, Event Id = 4720))

 

SecurityEvent | where EventID==624 or EventID==4720| project TimeGenerated, TargetAccount, CreatedBy=SubjectAccount, Computer

Link

 

Account Management: User Accounts Deleted

This report shows user accounts deleted within the specified date/time range.It looks for event 630 (Windows Server 2000 and 2003) and 4726 (Windows Server 2008) which tracks account deletion. Filter: Dv Alls with: All of (State Date on or after (prompted), End Date on or before (prompted), Any of (Event Id = 630, Event Id = 4726))

 

SecurityEvent | where EventID==630 or EventID==4726 | project TimeGenerated, TargetAccount, DeletedBy=SubjectAccount, Computer

Link

 

Forensic: All Events For Specified Computer

This report shows all events generated from the specified computer within the specified time range.

let computerName = ""; //Enter Computer NameSecurityEvent | where Computer==computerName

Link

let computerName = ""; //Enter Computer NameSecurityEvent | where Computer==computerName| summarize count() by Activity

 

Forensic: All Events For Specified User

This report details all events associated with the specified user within the specified time range. It is useful for general investigation.

let accountName = ""; //Enter a User Domain\\Account NameSecurityEvent| where Account == accountName

Link

let accountName = ""; //Enter a User Domain\\Account NameSecurityEvent| where Account == accountName| summarize count() by Activity

 

Forensic: All Events With Specified Event ID

This report details all events associated with the specified event id within the specified time range. It is useful for general investigation.

let eventId = 0; //Replace 0 with an eventIdSecurityEvent| where EventID == eventId

Link

let eventId = 0; //Replace 0 with an eventIdSecurityEvent| where EventID == eventId| summarize count() by Computer

let eventId = 0; //Replace 0 with an eventIdSecurityEvent| where EventID == eventId| summarize count() by Account

 

Planning: Event Counts

This report shows the number of events collected, grouped by event id, within the specified time range. This help identify high volume events, which is useful in tuning and adjusting audit policies.Filter: Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), Event Id ≠ 0)

 

SecurityEvent | where EventID!=0 | summarize Count=count() by Activity| order by Count

Link

 

Planning: Event Counts by Computer

This report shows the number of events collected, grouped by event id, within the specified time range.This help identify high volume events, which is useful in tuning and adjusting audit policies.

let computerName = ""; //Enter Computer NameSecurityEvent | where Computer==computerName| summarize Count=count() by Activity| order by Count

Link

let computerName = ""; //Enter Computer NameSecurityEvent | where Computer==computerName| summarize Count=count() by EventID| order by Count

 

Planning: Hourly Event Distribution

This report display the event distribution group by the hour, averaged by the number of days.It is useful for capacity planning around the audit collection.Filter: Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted))

SecurityEvent | where EventID!=0| summarize Count=count() by bin(TimeGenerated,1h)| render timechart

Link

let x=1;          //Replace with start EventIDlet y=10000;  //Replace with end EventIDSecurityEvent | where EventID between (x .. y) or EventID!=0| summarize Count=count() by Activity, bin(TimeGenerated,1h)| render timechart

 

Planning: Logon Counts of Privileged Users

This report shows the logon counts of privileged users.If the logon count for a specific privileged user is higher than the normal range, then this indicates unusual network activities that should be investigated.Filter: Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), All of (Any of (String 01 does not contain "SeChangeNotifyPrivilege", Header Domain ≠ "NT AUTHORITY"), Any of (Event Id = 576, Event Id = 4672), Last Character in User ≠ "$"))

SecurityEvent | where EventID==576 or EventID==4672| where SubjectDomainName!="NT AUTHORITY" and AccountType!="Machine"| project SubjectAccount, PrivilegeList

Link

SecurityEvent | where EventID==576 or EventID==4672| where SubjectDomainName!="NT AUTHORITY" and AccountType!="Machine"| summarize count() by SubjectAccount | order by count_

 

Policy: Account Policy Changed

On Windows Server 2000 and 2003, events 643 indicates an account policy change. On Windows Server 2008, event 4739 indicates an account policy change.This report details all account policy change events.

SecurityEvent | where EventID==643 or EventID==4739| project Computer, Activity, TimeGenerated, EventData

Link

 

Policy: Audit Policy Changed

On Windows Server 2000 and 2003, event 612 indicates an audit policy was changed. On Windows Server 2008, event 4719 indicates an audit policy was changed.This report details all audit policy change events.

SecurityEvent | where EventID==612 or EventID==4719 | project Computer, Activity, TimeGenerated, EventData

Link

 

Policy: Object Permissions Changed

On Windows Server 2008, event 4670 indicates a permission was changed on an objectThis report details all object permission change events.

SecurityEvent | where EventID==4670 | project TimeGenerated, Activity, Computer, EventData

Link

 

Policy: Privilege Added Or Removed

On Windows Server 2000 and 2003, events 608 and 621 indicate a privilege was granted and 609 and 622 indicate a privilege was removed. On Windows Server 2008, event 4704 indicates a privilege was granted and 4705 indicates a privilege was removed.This report details all privilege add or remove events.

SecurityEvent | where EventID between (608 .. 609) or EventID between (621 .. 622) or EventID between (4704 .. 4705)| project TimeGenerated, Activity, Computer, EventData

Link

 

System Integrity: Audit Failure

Event 516 (WIndows Server 2000 and 2003) or 4612 (Windows Server 2008) indicates that the system failed to log audit events due to lack of resources. This is a serious problem and should be resolved as soon as possible to prevent further loss of audit events. This report shows the time and computer on which the event occurred.Filter: Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), Any of (Event Id = 516, Event Id = 4612))

 

SecurityEvent | where EventID==516 or EventID==4612| project TimeGenerated, Activity, Computer

Link

 

System Integrity: Audit Log Cleared

Event 517 (Windows Server 2000 and 2003) and 1102 (Windows Server 2008) indicates that somebody has cleared the Audit Log. This may suggest the person who cleared the log is trying to cover his/her tracks on the computer. This report shows which computer's audit log was cleared and who cleared it.Filter: Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), Any of (Event Id = 517, Event Id = 1102))

 

SecurityEvent | where EventID==517 or EventID==1102| project Activity, Computer, TimeGenerated, EventData

Link

 

Usage: Object Access

This report shows all object access related audit event within the specified time range.For Windows Server 2000 and 2003, it uses the events 560 (object opened) and 567 (object access attempted) to track items with object access auditing enabled.For Windows Server 2008, it uses the events 4656 (object opened) and 4663 (object access attempted).

 

SecurityEvent | where EventID==560 or EventID==567 or EventID==4656 or EventID==4663 | project Computer, Activity, TimeGenerated, EventData

Link

 

Usage: Privileged logon

This report shows all privileged logons. It filters on EventID = 576 and string01 <> "SeChangeNotifyPrivilege"Filter: Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), Any of (Event Id = 576, Event Id = 4672), Privileges does not contain "SeChangeNotifyPrivilege")

 

SecurityEvent | where EventID==576 or EventID==4672| project TimeGenerated, Activity, Computer, SubjectAccount, PrivilegeList

Link

 

Usage: Sensitive Security Groups Changes

Filter: Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted). Any of (All of (Event Id >=631, Event Id <=639, Event Id=641, All of (Event Id >= 658, Event Id <= 662), All of (Event Id >= 4727, Event Id <= 4735), Event Id=4737. All of (Event Id >= 4754, Event Id <= 4758)))

SecurityEvent | where EventID between (4727 .. 4735) or EventID==4737 or EventID between (4754 .. 4758) or EventID between (631 .. 639) or EventID==641 or EventID between (658 .. 662) | project Activity, GroupName=TargetUserName, SubjectAccount, MemberName, TimeGenerated| order by Activity desc

Link

 

Usage: User Logon

This report display all user logon activity for a specified user within a specific time rangeIt looks for event 540 and 528 to identify logon activity</Value>Filter: Dv Alls with: All of (Event Id in 528, 540, 4624, Start Date on or after (prompted), End Date on or before (prompted), Any of (UPPER(Primary Domain\User) = UPPER(Parameter: Domain\User), UPPER(Target Domain\User) = UPPER(Parameter: Domain\User)))

 

SecurityEvent | where EventID==528 or EventID==540 or EventID==4624| project TimeGenerated, Activity, Computer, IpAddress, AuthenticationPackageName, LogonProcessName, LogonTypeName, TargetAccount

Link

 

DAC: File Resource Property Changes

This report displays File Resource Property changesFor Windows Server 2012, it uses event 4911.

SecurityEvent | where EventID==4911 | project Computer, Activity, TimeGenerated, SubjectAccount, EventData

Link

 

DAC: Central Access Policy For File Changes

This report displays changes to the Central Access Policy that applies to a File Resource.For Windows Server 2012, it uses event 4913.

SecurityEvent | where EventID==4913| project Computer, Activity, TimeGenerated, SubjectAccount, EventData

 

Link

 

DAC: Object Attribute Changes

This report displays Object Attribute changes.For Windows Server 2012, it uses events 5136 and 5137.

SecurityEvent | where EventID==5136 or EventID==5137 | project Computer, Activity, TimeGenerated, SubjectAccount, EventData

Link

 

 

 

 

 

(Note: Please re-type the double quote characters as they may be re-encoded into a format that is not compatible with OMS Log Analytics)

Check out the OpsMgr Featured Audit Collection Services (ACS) Dashboard:
https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/08/16/acs-dashboard-in-oms-your-audit-report-highlights-at-a-glance/ 

 

Additional Resources:

Log Analytics search reference by Bill Anderson:
https://azure.microsoft.com/en-us/documentation/articles/log-analytics-search-reference/

Getting started with Operations Management Suite Security and Audit Solution by Yuri Diogenes
https://azure.microsoft.com/en-in/documentation/articles/oms-security-getting-started

Some Custom ACS Reports by Jimmy Harper
https://blogs.technet.microsoft.com/jimmyharper/2009/12/09/some-custom-acs-reports/

What is Log Analytics? by Brian Wren
https://azure.microsoft.com/en-us/documentation/articles/log-analytics-overview/

TechNet: Collecting Security Events Using Audit Collection Services in Operations Manager
https://technet.microsoft.com/en-us/library/hh212908(v=sc.12).aspx

TechNet: Deploying ACS and ACS Reporting
https://technet.microsoft.com/en-us/library/hh298613(v=sc.12).aspx

 

Disclaimer:
All information on this blog is provided on an as-is basis with no warranties and for informational purposes only. Use at your own risk. The opinions and views expressed in this blog are those of the author and do not necessarily state or reflect those of my employer.