Leveraging OMS Log Search to Analyze Security Events for a Specific Computer/User/EventID


 In this post, we look at how we can leverage the Security and Audit solution in OMS and using log searches to analyze security events collected for a specific computer, a particular user or an Event ID.

In
ACS, there are 3 Forensic related SSRS audit reports available out-of-the-box that allow the user to provide details on all events occurring in their IT environment that are associated to computers, users or security events of interest for further investigation.

  1. The Forensic: All Events For Specified Computer Report,
  2. The Forensic: All Events For Specified User Report, and
  3. The Forensic: All Events With Specified Event ID Report


The Security and Audit solution in OMS Log Analytics however provides a comprehensive view into your organization’s IT security posture with built-in search queries for notable issues that require your attention.
Adding the Security and Audit solution to an OMS workspace will allow Windows security events, Windows application events, and Windows firewall logs to be collected using direct agents or MMA agents that the user enabled.
For further information, refer to
Security and Audit solution in Log Analytics by Bill Anderson.

To retrieve and analyze the security events highlighted by these 3 ACS Audit Reports in OMS Log Analytics, the SQL query search conditions used in these reports can be used as the filter expressions in OMS log search queries against records collected by the Security and Audit solution.


Forensic: All Events For Specified Computer:

The report shows all events generated from the specified computer, within a given date/time range.
The following figure shows the input parameters for this SSRS Report in the Reporting workspace in the OpsMgr Operations Console or the Reporting site:

image 


The RDL file of the All Events For Specified Computer Report uses a Semantic Query, with the following filter condition:
Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), UPPER(Domain\Computer) = (UPPER(Parameter: Domain\Computer) & “$”))


The search condition from this SQL Query can be used as the filter expression of OMS log searches against Security and Audit solution records like the following example:

  • A search query to return all records of type SecurityEvent for a specific computer, within a specific time period:

    Type=SecurityEvent Computer=”<<Computer Name>>”

  • A query to compare the number of records of type SecurityEvent for a specific computer, grouped by Activity within a specific time period:

    Type=SecurityEvent Computer=”<<Computer Name>>” | measure count() by Activity


    Here is an example of what the records returned would look like when using this log search query for a specific computer:

    image




Forensic: All Events For Specified User

The report shows all events generated from the specified user account, within a given date/time range.
The following figure shows the input parameters for this SSRS Report in the Reporting workspace in the OpsMgr Operations Console or the Reporting site:

image 


The RDL file of the All Events For Specified User Report uses a Semantic Query, with the following filter condition:
Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), Any of (UPPER(Primary Domain\User) = UPPER(Parameter: Domain\User), UPPER(Target Domain\User) = UPPER(Parameter: Domain\User))


The search condition from this SQL Query can be used as the filter expression of OMS log searches against Security and Audit solution records like the following example:

  • A search query to return all records of type SecurityEvent for a specific user account, within a specific time period:

    Type=SecurityEvent Account=”<<User Domain\\Account Name>>”

  • A query to compare the number of records of type SecurityEvent for a specific user account, grouped by Activity within a specific time period:

    Type=SecurityEvent Account=”<<User Domain\\Account Name>>” | measure count() by Activity


    Here is an example of what the records returned would look like when using this log search query for a specific user account:

    image 


Forensic: All Events With Specified Event ID 

The report shows all events generated from the specified Event ID, within a given date/time range.
The following figure shows the input parameters for this SSRS Report in the Reporting workspace in the OpsMgr Operations Console or the Reporting site:

image 


The RDL file of the All Events For Specified Event ID Report uses a Semantic Query, with the following filter condition:
Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), Event Id = (prompted))


The search condition from this SQL Query can be used as the filter expression of OMS log searches against Security and Audit solution records like the following example:

  • A search query to return all records of type SecurityEvent for a specific Event Id, within a specific time period:

    Type=SecurityEvent EventID=”<<Event Id>>”


  • A query to compare the number of records of type SecurityEvent for a specific Event Id, grouped by Computer within a specific time period:

    Type=SecurityEvent EventID=”<<Event Id>>” | measure count() by Computer


  • A query to compare the number of records of type SecurityEvent for a specific Event Id, grouped by Account within a specific time period:

    Type=SecurityEvent EventID=”<<Event Id>>” | measure count() by Account

 





To view the complete mapping between all Audit Collection Services (ACS) SSRS reports and search queries used in OMS Log Analytics, refer to:
https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/07/25/mapping-acs-reports-to-oms-search-queries/


 



Disclaimer:
All information on this blog is provided on an as-is basis with no warranties and for informational purposes only. Use at your own risk. The opinions and views expressed in this blog are those of the author and do not necessarily state or reflect those of my employer.