Leveraging OMS Log Search to Report on User Logon and Object Access Events


In this post, we look at how we can leverage the Security and Audit solution in OMS and using log searches to retrieve records on user logon and object access based on the audit events the Audit Collection Services (ACS) in OpsMgr collects and reports on.

In ACS, there are 4 Usage related SSRS audit reports available out-of-the-box that allow the user to report on user logon and object access events that are occurring in their IT environment.

  1. The Usage: Object Access Report,
  2. The Usage: User Logon Report,
  3. The Usage: Privileged Logon, and
  4. The Usage: Sensitive Security Groups Changes


The Security and Audit solution in OMS Log Analytics however provides a comprehensive view into your organization’s IT security posture with built-in search queries for notable issues that require your attention.
Adding the Security and Audit solution to an OMS workspace will allow Windows security events, Windows application events, and Windows firewall logs to be collected using direct agents or MMA agents that the user enabled.
For further information, refer to Security and Audit solution in Log Analytics by Bill Anderson.

To retrieve and analyze the security events highlighted by these 4 ACS Audit Reports in OMS Log Analytics, the SQL query search conditions used in these reports can be used as the filter expressions in OMS log search queries against records collected by the Security and Audit solution.




Usage: Object Access Report:

The report shows all object access related audit events within a given date/time range by searching for security events 4656 and 4663 stored in the ACS database.
Running this report for a specific date/time range via the Reporting workspace in the OpsMgr Operations Console or the Reporting site will produce the following SSRS Report:

image 


Here is an example of a 4656 – A handle to an object was requested security event as shown at the Windows Security Auditing technical documentation on TechNet:
For more information about Event 4656, visit https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4656

image 


Here is an example of a 4663 – An attempt was made to access an object security event as shown at the Windows Security Auditing technical documentation on TechNet:
For more information about Event 4663, visit https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4663

image



The main part of the SQL query used in the RDL file of the Object Access Report is:

SELECT *
FROM   AdtServer.dvAll
WHERE  (EventId = 4656 OR EventId = 4663) AND (CreationTime >= @StartDate) AND (CreationTime <= @EndDate)



The search condition from this SQL Query can be used as the filter expression of OMS log searches against Security and Audit solution records like the following example:

  • A search query to return all records of type SecurityEvent with EventID field containing 560 or 567 or 4656 or 4663, limiting the result to the Activity, Computer, TimeGenerated and EventData fields:

    Type=SecurityEvent EventID=560 OR EventID=567 OR EventID=4656 OR EventID=4663 | Select Computer, Activity, TimeGenerated, EventData
     
    Here is an example of what the records returned would look like when using this log search query:

    image






Usage: User Logon Report

The report shows all user logon activities for a specific user, within a given date/time range by searching for security event 4624 stored in the ACS database.
The following figure shows the input parameters for this SSRS Report in the Reporting workspace in the OpsMgr Operations Console or the Reporting site:

image 


Here is an example of a 4624 – An account was successfully logged on security event as shown at the Windows Security Auditing technical documentation on TechNet:
For more information about Event 4624, visit https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4624

image  



The RDL file of the User Logon Report uses a Semantic Query, with the following filter condition:
Dv Alls with: All of (Event Id in 528, 540, 4624, Start Date on or after (prompted), End Date on or before (prompted), Any of (UPPER(Primary Domain\User) = UPPER(Parameter: Domain\User), UPPER(Target Domain\User) = UPPER(Parameter: Domain\User)))


The search condition from this SQL Query can be used as the filter expression of OMS log searches against Security and Audit solution records like the following example:

  • A search query to return all records of type SecurityEvent with EventID field containing 528 or 540 or 4624, limiting the result to the Activity, Computer, TimeGenerated, IpAddress, AuthenticationPackageName, LogonProcessName, LogonTypeName and TargetAccount fields:

    Type=SecurityEvent EventID=528 OR EventID=540 OR EventID=4624 | Select TimeGenerated, Activity, Computer, IpAddress, AuthenticationPackageName, LogonProcessName, LogonTypeName, TargetAccount

    Here is an example of what the records returned would look like when using this log search query:

    image






Usage: Privileged Logon Report


The report returns a list of privileged logon events occurring within a given date/time range by searching for security event 4672 stored in the ACS database.
Running this report for a specific date/time range via the Reporting workspace in the OpsMgr Operations Console or the Reporting site will produce the following SSRS Report:

image
 


Here is an example of a 4672 – Special privileges assigned to new logon security event as shown at the Windows Security Auditing technical documentation on TechNet:
For more information about Event 4672, visit https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4672

image 



The RDL file of the Privileged Logon Report uses a Semantic Query, with the following filter condition:
Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), Any of (Event Id = 576, Event Id = 4672), Privileges does not contain “SeChangeNotifyPrivilege”)


The search condition from this SQL Query can be used as the filter expression of OMS log searches against Security and Audit solution records like the following example:

  • A search query to return all records of type SecurityEvent with EventID field containing 576 or 4672, limiting the result to the Activity, Computer, TimeGenerated and EventData fields:

    Type=SecurityEvent EventID=576 OR EventID=4672 | Select TimeGenerated, Activity, Computer, SubjectAccount and PrivilegeList

    Note: As the PrivilegeList field is non-searchable in OMS, the exclusion of records containing “SeChangeNotifyPrivilege” can be done after exporting the all the records retrieved to Excel.

    Here is an example of what the records returned would look like when using this log search query:

    image 
     





Usage: Sensitive Security Groups Changes Report

The report returns information on sensitive security group changes within a given date/time range by searching for security events within the range of 4727 to 4735 or 4754 to 4758 or 4737 that are stored in the ACS database.
Running this report for a specific date/time range via the Reporting workspace in the OpsMgr Operations Console or the Reporting site will produce the following SSRS Report:

image 


Here is an example of a 4735 – A security-enabled local group was changed security event as shown at the Windows Security Auditing technical documentation on TechNet:
For more information about Event 4735, visit https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4735

image  



The RDL file of the Sensitive Security Groups Changes Report uses a Semantic Query, with the following filter condition:
Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted). Any of (All of (Event Id >=631, Event Id <=639, Event Id=641, All of (Event Id >= 658, Event Id <= 662), All of (Event Id >= 4727, Event Id <= 4735), Event Id=4737. All of (Event Id >= 4754, Event Id <= 4758)))


The search condition from this SQL Query can be used as the filter expression of OMS log searches against Security and Audit solution records like the following example:

  • A search query to return all records of type SecurityEvent with EventID field containing a value within the range of 4727 to 4735 or 4754 to 4758 or 631 to 639 or 658 to 662 or equals to 4737 or 641 , limiting the result to the Activity, GroupName, SubjectAccount, MemberName and TimeGenerated fields:

    Type=SecurityEvent EventID:[4727..4735] OR EventID=4737 OR EventID:[4754..4758] OR EventID:[631..639] OR EventID=641 OR EventID:[658..662] | EXTEND TargetUserName As GroupName | Select Activity, GroupName, SubjectAccount, MemberName, TimeGenerated

    Here is an example of what the records returned would look like when using this log search query:

    image







 
 
To view the complete mapping between all Audit Collection Services (ACS) SSRS reports and search queries used in OMS Log Analytics, refer to:
https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/07/25/mapping-acs-reports-to-oms-search-queries/


 




Disclaimer:
All information on this blog is provided on an as-is basis with no warranties and for informational purposes only. Use at your own risk. The opinions and views expressed in this blog are those of the author and do not necessarily state or reflect those of my employer.