Mapping ACS Reports to OMS Search Queries


This post features a table that shows the mapping between Audit Collection Services (ACS) SSRS reports and search queries used in OMS Log Analytics.

In OpsMgr 2012, Audit Collection Services (ACS) provides a means to collect records generated by an audit policy and store them in a centrally managed database. It allows filtering and analyzing of events using the data analysis and reporting tools provided by Microsoft SQL Server like SSRS. There is a set of audit report definition files specifically for ACS data that can be installed to be able to access this collected audit data. After installation, more than 20 audit reports and 2 report models will be available out-of-the-box in the Audit Reports folder on the SQL Reporting server (Figure 1). These reports enable the user to report on security events occurring in their IT environment that are related to Access Violation, Account Management, Forensic, Planning, Policy, System Integrity, Usage and Dynamic Access Control (DAC).

Figure 1: Out-of-the-box audit reports available in the Audit Report folder


In OMS Log Analytics, “The Security and Audit solution in Log Analytics provides a comprehensive view into your organization’s IT security posture with built-in search queries for notable issues that require your attention.”
Adding the Security and Audit solution to an OMS workspace allows Windows security events, Windows application events, and Windows firewall logs to be collected by the direct agents or MMA agents that the user has enabled. For more information on installation, best practices and scenario walkthroughs for the Security and Audit solution, refer to Security and Audit solution in Log Analytics by Bill Anderson.

Although the data source is the same (the Security event log), the event data collection mechanism used in ACS is different from what is currently used in the OMS Security and Audit solution. In ACS, the ACS collector receives and processes security events from ACS forwarders and then sends this data to the ACS SQL database, whereas in OMS, security events are collected by the direct agent or OpsMgr agent and sent directly to the OMS service in the cloud for processing. The collected security event records can then be retrieved and consolidated quickly using log searches in the query syntax that OMS Log Analytics provides.

To retrieve and analyze in OMS Log Analytics the security events that the ACS Audit Reports highlight, the SQL search conditions used in these Audit Reports can be reused as the filter expressions of OMS log search queries. The following table shows the resulting mapping between the ACS Audit Reports and their corresponding search queries in OMS Log Analytics:

Table columns: Report Name and Description (OpsMgr Audit Collection Services (ACS)); Log Analytics Search Queries and Further Details (OMS Log Analytics).

 

Report Name: Access Violation: Account Locked
Description: On Windows Server 2000 and 2003, events 539 and 644 indicate an account was locked. On Windows Server 2008, events 4740 and 6279 indicate an account was locked. This report details all account lock events.
Log Analytics Search Queries:
Type=SecurityEvent EventID=539 OR EventID=644 OR EventID=4740 OR EventID=6279
Type=SecurityEvent EventID=539 OR EventID=644 OR EventID=4740 OR EventID=6279 | measure count() by EventID
Further Details: Link

 

Report Name: Access Violation: Unsuccessful Logon Attempts
Description: On Windows Server 2000 and 2003, events 529-537 and 539 indicate that somebody has tried to log on unsuccessfully. On Windows Server 2008, event 4625 indicates that somebody has tried to log on unsuccessfully. This report details who and from where. A large number of unsuccessful logon attempts for the same user or computer may indicate a potential intrusion.
Filter: Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), Any of (Event Id from 529 to 537, Event Id = 539, All of (Event Id = 4625, Status = "0xc000006d")))
Log Analytics Search Queries:
Type=SecurityEvent EventID:[529..537] OR EventID=539 OR (EventID=4625 AND Status=0xc000006d) | Select TargetAccount, IpAddress, Computer, LogonProcessName, AuthenticationPackageName, LogonTypeName
Type=SecurityEvent EventID:[529..537] OR EventID=539 OR (EventID=4625 AND Status=0xc000006d) | measure count() by TargetAccount
Further Details: Link

 

Report Name: Account Management: Domain and Built-in Administrators Membership Changes
Description: This report details membership changes in the Domain Admins and Built-in Administrators groups. It looks for events 632, 633, 636 and 637 (membership change events for local and global groups) with target SID = S-1-5-32-544 (Built-in Administrators group SID) or a target SID that ends with -512 (Domain Admins group).
Log Analytics Search Queries:
Type=SecurityEvent (EventID=4728 OR EventID=4732 OR EventID=4756 OR EventID=632 OR EventID=636 OR EventID=660) AND ("*512" OR "S-1-5-32-544") | Extend "Add Member" AS Action | Select Action, TargetUserName, Activity, SubjectAccount, MemberName, TimeGenerated, Computer
Type=SecurityEvent (EventID=4729 OR EventID=4733 OR EventID=4757 OR EventID=633 OR EventID=637 OR EventID=661) AND ("*512" OR "S-1-5-32-544") | Extend "Remove Member" AS Action | Select Action, TargetUserName, Activity, SubjectAccount, MemberName, TimeGenerated, Computer
Further Details: Link

 

Report Name: Account Management: Password Change Attempts by Non-owner
Description: On Windows Server 2000 and 2003, event 627 indicates a password change attempt and event 628 indicates a password reset. On Windows Server 2008, event 4723 indicates a password change attempt and event 4724 indicates a password reset. This report details any password change/reset attempts by someone other than the account owner.
Log Analytics Search Queries:
Type=SecurityEvent (EventID=4723 OR EventID=4724 OR EventID:[627..628]) AND SubjectAccount!="ANONYMOUS LOGON" TargetAccount NOT IN {Type=SecurityEvent (EventID=4723 OR EventID=4724 OR EventID:[627..628]) AND SubjectAccount!="ANONYMOUS LOGON" | measure count() by SubjectAccount} | EXTEND SubjectAccount AS ChangedBy | Select TimeGenerated, Computer, TargetAccount, ChangedBy
Further Details: Link

 

Report Name: Account Management: User Accounts Created
Description: This report shows user accounts created in the specified time range. The report looks for events 624 (Windows Server 2000 and 2003) and 4720 (Windows Server 2008), which track user account creation.
Filter: Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), Any of (Event Id = 624, Event Id = 4720))
Log Analytics Search Queries:
Type=SecurityEvent (EventID=624 OR EventID=4720) | EXTEND SubjectAccount AS CreatedBy | Select TimeGenerated, TargetAccount, CreatedBy, Computer
Further Details: Link

 

Report Name: Account Management: User Accounts Deleted
Description: This report shows user accounts deleted within the specified date/time range. It looks for events 630 (Windows Server 2000 and 2003) and 4726 (Windows Server 2008), which track account deletion.
Filter: Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), Any of (Event Id = 630, Event Id = 4726))
Log Analytics Search Queries:
Type=SecurityEvent (EventID=630 OR EventID=4726) | EXTEND SubjectAccount AS DeletedBy | Select TimeGenerated, TargetAccount, DeletedBy, Computer
Further Details: Link

 

Report Name: Forensic: All Events For Specified Computer
Description: This report shows all events generated from the specified computer within the specified time range.
Log Analytics Search Queries:
Type=SecurityEvent Computer="<<Computer Name>>"
Type=SecurityEvent Computer="<<Computer Name>>" | measure count() by Activity
Further Details: Link

 

Report Name: Forensic: All Events For Specified User
Description: This report details all events associated with the specified user within the specified time range. It is useful for general investigation.
Log Analytics Search Queries:
Type=SecurityEvent Account="<<User Domain\\Account Name>>"
Type=SecurityEvent Account="<<User Domain\\Account Name>>" | measure count() by Activity
Further Details: Link

 

Report Name: Forensic: All Events With Specified Event ID
Description: This report details all events associated with the specified event ID within the specified time range. It is useful for general investigation.
Log Analytics Search Queries:
Type=SecurityEvent EventID="<<Event Id>>"
Type=SecurityEvent EventID="<<Event Id>>" | measure count() by Computer
Type=SecurityEvent EventID="<<Event Id>>" | measure count() by Account
Further Details: Link

 

Report Name: Planning: Event Counts
Description: This report shows the number of events collected, grouped by event ID, within the specified time range. This helps identify high-volume events, which is useful in tuning and adjusting audit policies.
Filter: Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), Event Id ≠ 0)
Log Analytics Search Queries:
Type=SecurityEvent EventID!=0 | measure count() AS Count by Activity
Further Details: Link

 

Report Name: Planning: Event Counts by Computer
Description: This report shows the number of events collected, grouped by event ID, within the specified time range. This helps identify high-volume events, which is useful in tuning and adjusting audit policies.
Log Analytics Search Queries:
Type=SecurityEvent Computer="<<Computer Name>>" | measure count() by Activity
Type=SecurityEvent Computer="<<Computer Name>>" | measure count() by EventID
Further Details: Link

 

Report Name: Planning: Hourly Event Distribution
Description: This report displays the event distribution grouped by hour, averaged over the number of days. It is useful for capacity planning around the audit collection.
Filter: Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted))
Log Analytics Search Queries:
Type=SecurityEvent EventID!=0 | measure count() AS Count by TimeGenerated Interval 1Hour
Type=SecurityEvent EventID!=0 AND EventID:[xx..yy] | measure count() AS Count by Activity Interval 1Hour
Further Details: Link

 

Report Name: Planning: Logon Counts of Privileged Users
Description: This report shows the logon counts of privileged users. If the logon count for a specific privileged user is higher than the normal range, this indicates unusual network activity that should be investigated.
Filter: Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), All of (Any of (String 01 does not contain "SeChangeNotifyPrivilege", Header Domain ≠ "NT AUTHORITY"), Any of (Event Id = 576, Event Id = 4672), Last Character in User ≠ "$"))
Log Analytics Search Queries:
Type=SecurityEvent (EventID=576 OR EventID=4672) AND SubjectDomainName!="NT AUTHORITY" AND AccountType!="Machine" | Select SubjectAccount, PrivilegeList
Type=SecurityEvent (EventID=576 OR EventID=4672) AND SubjectDomainName!="NT AUTHORITY" AND AccountType!="Machine" | Measure Count() by SubjectAccount
Further Details: Link

 

Report Name: Policy: Account Policy Changed
Description: On Windows Server 2000 and 2003, event 643 indicates an account policy change. On Windows Server 2008, event 4739 indicates an account policy change. This report details all account policy change events.
Log Analytics Search Queries:
Type=SecurityEvent EventID=643 OR EventID=4739 | Select Computer, Activity, TimeGenerated, EventData
Further Details: Link

 

Report Name: Policy: Audit Policy Changed
Description: On Windows Server 2000 and 2003, event 612 indicates an audit policy was changed. On Windows Server 2008, event 4719 indicates an audit policy was changed. This report details all audit policy change events.
Log Analytics Search Queries:
Type=SecurityEvent EventID=612 OR EventID=4719 | Select Computer, Activity, TimeGenerated, EventData
Further Details: Link

 

Report Name: Policy: Object Permissions Changed
Description: On Windows Server 2008, event 4670 indicates a permission was changed on an object. This report details all object permission change events.
Log Analytics Search Queries:
Type=SecurityEvent EventID=4670 | Select TimeGenerated, Activity, Computer, EventData
Further Details: Link

 

Report Name: Policy: Privilege Added Or Removed
Description: On Windows Server 2000 and 2003, events 608 and 621 indicate a privilege was granted and events 609 and 622 indicate a privilege was removed. On Windows Server 2008, event 4704 indicates a privilege was granted and event 4705 indicates a privilege was removed. This report details all privilege add or remove events.
Log Analytics Search Queries:
Type=SecurityEvent EventID:[608..609] OR EventID:[621..622] OR EventID:[4704..4705] | Select TimeGenerated, Activity, Computer, EventData
Further Details: Link

 

Report Name: System Integrity: Audit Failure
Description: Event 516 (Windows Server 2000 and 2003) or 4612 (Windows Server 2008) indicates that the system failed to log audit events due to lack of resources. This is a serious problem and should be resolved as soon as possible to prevent further loss of audit events. This report shows the time and computer on which the event occurred.
Filter: Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), Any of (Event Id = 516, Event Id = 4612))
Log Analytics Search Queries:
Type=SecurityEvent EventID=516 OR EventID=4612 | Select TimeGenerated, Activity, Computer
Further Details: Link

 

Report Name: System Integrity: Audit Log Cleared
Description: Event 517 (Windows Server 2000 and 2003) or 1102 (Windows Server 2008) indicates that somebody has cleared the audit log. This may suggest the person who cleared the log is trying to cover his/her tracks on the computer. This report shows which computer’s audit log was cleared and who cleared it.
Filter: Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), Any of (Event Id = 517, Event Id = 1102))
Log Analytics Search Queries:
Type=SecurityEvent EventID=517 OR EventID=1102 | Select Activity, Computer, TimeGenerated, EventData
Further Details: Link

 

Report Name: Usage: Object Access
Description: This report shows all object access related audit events within the specified time range. For Windows Server 2000 and 2003, it uses events 560 (object opened) and 567 (object access attempted) to track items with object access auditing enabled. For Windows Server 2008, it uses events 4656 (object opened) and 4663 (object access attempted).
Log Analytics Search Queries:
Type=SecurityEvent EventID=560 OR EventID=567 OR EventID=4656 OR EventID=4663 | Select Computer, Activity, TimeGenerated, EventData
Further Details: Link

 

Report Name: Usage: Privileged Logon
Description: This report shows all privileged logons. It filters on EventID = 576 and string01 <> "SeChangeNotifyPrivilege".
Filter: Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), Any of (Event Id = 576, Event Id = 4672), Privileges does not contain "SeChangeNotifyPrivilege")
Log Analytics Search Queries:
Type=SecurityEvent EventID=576 OR EventID=4672 | Select TimeGenerated, Activity, Computer, SubjectAccount, PrivilegeList
Further Details: Link

 

Report Name: Usage: Sensitive Security Group Changes
Filter: Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), Any of (All of (Event Id >= 631, Event Id <= 639), Event Id = 641, All of (Event Id >= 658, Event Id <= 662), All of (Event Id >= 4727, Event Id <= 4735), Event Id = 4737, All of (Event Id >= 4754, Event Id <= 4758)))
Log Analytics Search Queries:
Type=SecurityEvent EventID:[4727..4735] OR EventID=4737 OR EventID:[4754..4758] OR EventID:[631..639] OR EventID=641 OR EventID:[658..662] | EXTEND TargetUserName As GroupName | Select Activity, GroupName, SubjectAccount, MemberName, TimeGenerated
Further Details: Link

 

Report Name: Usage: User Logon
Description: This report displays all user logon activity for a specified user within a specific time range. It looks for events 528 and 540 to identify logon activity.
Filter: Dv Alls with: All of (Event Id in 528, 540, 4624, Start Date on or after (prompted), End Date on or before (prompted), Any of (UPPER(Primary Domain\User) = UPPER(Parameter: Domain\User), UPPER(Target Domain\User) = UPPER(Parameter: Domain\User)))
Log Analytics Search Queries:
Type=SecurityEvent EventID=528 OR EventID=540 OR EventID=4624 | Select TimeGenerated, Activity, Computer, IpAddress, AuthenticationPackageName, LogonProcessName, LogonTypeName, TargetAccount
Further Details: Link

 

Report Name: DAC: File Resource Property Changes
Description: This report displays File Resource Property changes. For Windows Server 2012, it uses event 4911.
Log Analytics Search Queries:
Type=SecurityEvent EventID=4911 | Select Computer, Activity, TimeGenerated, SubjectAccount, EventData
Further Details: Link

 

Report Name: DAC: Central Access Policy For File Changes
Description: This report displays changes to the Central Access Policy that applies to a File Resource. For Windows Server 2012, it uses event 4913.
Log Analytics Search Queries:
Type=SecurityEvent EventID=4913 | Select Computer, Activity, TimeGenerated, SubjectAccount, EventData
Further Details: Link

 

Report Name: DAC: Object Attribute Changes
Description: This report displays Object Attribute changes. For Windows Server 2012, it uses events 5136 and 5137.
Log Analytics Search Queries:
Type=SecurityEvent EventID=5136 OR EventID=5137 | Select Computer, Activity, TimeGenerated, SubjectAccount, EventData
Further Details: Link


(Note: Please re-type the double quote characters in the queries, as they may have been re-encoded into a format that is not compatible with OMS Log Analytics.)
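The mapped queries can be sanity-checked offline before they are pasted into a workspace. The following Python script is an added example, not part of the original post and not OMS code: it implements just enough of the OMS legacy search syntax used in the table (Field=value, Field!=value, Field:[lo..hi], AND/OR with parentheses and implicit AND between adjacent terms, a leading Type= term, and the Select and measure count() by stages) to run those queries against a handful of constructed SecurityEvent records. The sample records, the case-insensitive comparison, the treatment of a missing field, and the precedence rule (AND binds tighter than OR; the leading Type=SecurityEvent term applies to every record) are assumptions made for the example rather than documented OMS behaviour. It also demonstrates why the OR alternatives in a query that also carries AND conditions should be parenthesized: the privileged-logon query returns different counts with and without the parentheses.

```python
import re

# Constructed sample SecurityEvent records (invented values, not real telemetry); the field
# names follow the SecurityEvent schema referenced by the queries in the table.
SAMPLE_EVENTS = [
    {"Type": "SecurityEvent", "EventID": 4740, "Computer": "DC01", "TargetAccount": "CONTOSO\\alice"},
    {"Type": "SecurityEvent", "EventID": 4625, "Computer": "SRV01", "TargetAccount": "CONTOSO\\bob", "Status": "0xc000006d"},
    {"Type": "SecurityEvent", "EventID": 4625, "Computer": "SRV01", "TargetAccount": "CONTOSO\\carol", "Status": "0xc0000064"},
    {"Type": "SecurityEvent", "EventID": 4672, "Computer": "SRV02", "SubjectAccount": "NT AUTHORITY\\SYSTEM", "SubjectDomainName": "NT AUTHORITY", "AccountType": "User"},
    {"Type": "SecurityEvent", "EventID": 4672, "Computer": "SRV02", "SubjectAccount": "CONTOSO\\SRV02$", "SubjectDomainName": "CONTOSO", "AccountType": "Machine"},
    {"Type": "SecurityEvent", "EventID": 4672, "Computer": "SRV02", "SubjectAccount": "CONTOSO\\admin", "SubjectDomainName": "CONTOSO", "AccountType": "User"},
    {"Type": "SecurityEvent", "EventID": 576, "Computer": "DC01", "SubjectAccount": "NT AUTHORITY\\SYSTEM", "SubjectDomainName": "NT AUTHORITY", "AccountType": "User"},
    {"Type": "SecurityEvent", "EventID": 1102, "Computer": "DC01", "Activity": "1102 - The audit log was cleared."},
    {"Type": "Event", "EventID": 4740, "Computer": "DC01"},  # same ID, but not a SecurityEvent record
]

# Filter tokens: '(' or ')', a Field=value / Field!=value / Field:[lo..hi] term (quoted
# values may contain spaces), or a bare word such as AND / OR.
TOKEN = re.compile(r'\(|\)|[A-Za-z_]\w*(?:!=|=|:)(?:"[^"]*"|\[[^\]]*\]|[^\s()]+)|[^\s()]+')
TERM = re.compile(r'([A-Za-z_]\w*)(!=|=|:)(.+)')
MEASURE = re.compile(r"measure\s+count\(\)\s*(?:AS\s+\w+\s*)?by\s+(\w+)", re.I)
SELECT = re.compile(r"select\s+(.+)", re.I)


def term_predicate(token):
    """Compile one filter term into a predicate over a record dict."""
    m = TERM.fullmatch(token)
    if not m:
        raise ValueError(f"unsupported term: {token!r}")
    field, op, raw = m.groups()
    if op == ":":  # numeric range such as EventID:[529..537]
        lo, hi = (int(x) for x in raw.strip("[]").split(".."))
        return lambda ev: isinstance(ev.get(field), int) and lo <= ev[field] <= hi
    want = raw.strip('"').lower()

    def equal(ev):  # assumption: case-insensitive; a missing field never satisfies '='
        return field in ev and str(ev[field]).lower() == want
    return equal if op == "=" else (lambda ev: not equal(ev))


class FilterParser:
    """Recursive descent: OR binds loosest, AND (explicit, or implicit between adjacent
    terms) binds tighter, parentheses override. Conventional rules assumed for the example."""

    def __init__(self, text):
        self.toks, self.pos = TOKEN.findall(text), 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def or_expr(self):
        parts = [self.and_expr()]
        while self.peek() is not None and self.peek().upper() == "OR":
            self.pos += 1
            parts.append(self.and_expr())
        return lambda ev: any(p(ev) for p in parts)

    def and_expr(self):
        parts = [self.unary()]
        while self.peek() not in (None, ")") and self.peek().upper() != "OR":
            if self.peek().upper() == "AND":
                self.pos += 1
            parts.append(self.unary())
        return lambda ev: all(p(ev) for p in parts)

    def unary(self):
        tok = self.peek()
        if tok in (None, ")"):
            raise ValueError("malformed filter expression")
        self.pos += 1
        if tok != "(":
            return term_predicate(tok)
        node = self.or_expr()
        if self.peek() != ")":
            raise ValueError("missing ')'")
        self.pos += 1
        return node


def run_query(query, events=SAMPLE_EVENTS):
    """Run a query in the table's legacy-search subset: a filter, then optional '| Select a, b'
    and '| measure count() by Field' stages. Returns rows, or {key: count} after a measure."""
    stages = [s.strip() for s in query.split("|")]
    m = re.match(r"Type=(\S+)\s*(.*)", stages[0], re.S)
    if m:  # assumption: a leading Type= term applies to every record, whatever follows it
        events = [ev for ev in events if ev.get("Type") == m.group(1)]
    filt = m.group(2) if m else stages[0]
    pred = FilterParser(filt).or_expr() if filt.strip() else (lambda ev: True)
    rows = [ev for ev in events if pred(ev)]
    for stage in stages[1:]:
        if mm := MEASURE.fullmatch(stage):
            counts = {}
            for ev in rows:
                counts[ev.get(mm.group(1))] = counts.get(ev.get(mm.group(1)), 0) + 1
            return counts
        if not (ms := SELECT.fullmatch(stage)):
            raise ValueError(f"unsupported stage: {stage!r}")
        rows = [{f.strip(): ev.get(f.strip()) for f in ms.group(1).split(",")} for ev in rows]
    return rows
```

Call run_query with any of the single-stage queries from the table (the Extend stage and the NOT IN subquery are outside the supported subset). On the constructed records, the Logon Counts of Privileged Users query written as EventID=576 OR EventID=4672 AND SubjectDomainName!="NT AUTHORITY" counts the NT AUTHORITY\SYSTEM logon from event 576, because the AND conditions attach only to the 4672 branch, whereas (EventID=576 OR EventID=4672) AND SubjectDomainName!="NT AUTHORITY" excludes it as the report intends.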




Check out the OpsMgr Featured Audit Collection Services (ACS) Dashboard:
https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/08/16/acs-dashboard-in-oms-your-audit-report-highlights-at-a-glance/ 

 

Additional Resources:

Log Analytics search reference by Bill Anderson:
https://azure.microsoft.com/en-us/documentation/articles/log-analytics-search-reference/
     
Getting started with Operations Management Suite Security and Audit Solution by Yuri Diogenes
https://azure.microsoft.com/en-in/documentation/articles/oms-security-getting-started

Some Custom ACS Reports by Jimmy Harper
https://blogs.technet.microsoft.com/jimmyharper/2009/12/09/some-custom-acs-reports/

What is Log Analytics? by Brian Wren
https://azure.microsoft.com/en-us/documentation/articles/log-analytics-overview/


TechNet: Collecting Security Events Using Audit Collection Services in Operations Manager
https://technet.microsoft.com/en-us/library/hh212908(v=sc.12).aspx

TechNet: Deploying ACS and ACS Reporting
https://technet.microsoft.com/en-us/library/hh298613(v=sc.12).aspx

 


 

Disclaimer:
All information on this blog is provided on an as-is basis with no warranties and for informational purposes only. Use at your own risk. The opinions and views expressed in this blog are those of the author and do not necessarily state or reflect those of my employer.