Leveraging OMS Log Search to Track Policy and Permission Changes


In this post, we look at how we can leverage the Security and Audit solution in OMS and using log searches to track changes in audit policies and account permissions based on the audit events the Audit Collection Services (ACS) in OpsMgr collects and reports on.

In ACS, there are 4 Policy related SSRS audit reports available out-of-the-box that allow the user to track policy and permission changes in their IT environment:

  1. The Policy: Account Policy Changed Report,
  2. The Policy: Audit Policy Changed Report,
  3. The Policy: Object Permissions Changed, and
  4. The Policy: Privilege Added Or Removed


The Security and Audit solution in OMS Log Analytics however provides a comprehensive view into your organization’s IT security posture with built-in search queries for notable issues that require your attention.

Adding the Security and Audit solution to an OMS workspace will allow Windows security events, Windows application events, and Windows firewall logs to be collected using direct agents or MMA agents that the user enabled.
For further information, refer to Security and Audit solution in Log Analytics by Bill Anderson.

To retrieve and analyze the security events highlighted by these 4 ACS Audit Reports in OMS Log Analytics, the SQL query search conditions used in these reports can be used as the filter expressions in OMS log search queries against records collected by the Security and Audit solution.




Policy: Account Policy Changed Report
:

The report returns information on account policy changes in the domain within a given date/time range by searching for security event 4739 stored in the ACS database.
Running this report for a specific date/time range via the Reporting workspace in the OpsMgr Operations Console or the Reporting site will produce the following SSRS Report:

image 


Here is an example of a 4739 – Domain Policy was changed security event as shown at the Windows Security Auditing technical documentation on TechNet:
For more information about Event 4739, visit https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4739

image 



The main part of the SQL query used in the RDL file of the Account Policy Changed Report is:

SELECT *
FROM   AdtServer.dvAll
WHERE  (EventId = 643 OR EventId = 4739) AND (CreationTime >=@StartDate) AND (CreationTime <= @EndDate)



The search condition from this SQL Query can be used as the filter expression of OMS log searches against Security and Audit solution records like the following example:

  • A search query to return all records of type SecurityEvent with EventID field containing 643 or 4739, limiting the result to the Activity, Computer, TimeGenerated and EventData fields:

    Type=SecurityEvent EventID=643 OR EventID=4739 | Select Computer, Activity, TimeGenerated, EventData
     






Policy: Audit Policy Changed Report

The report returns information on system audit policy changes within a given date/time range by searching for security event 4719 stored in the ACS database.
Running this report for a specific date/time range via the Reporting workspace in the OpsMgr Operations Console or the Reporting site will produce the following SSRS Report:

image


Here is an example of a 4719 – System audit policy was changed security event as shown at the Windows Security Auditing technical documentation on TechNet:
For more information about Event 4719, visit https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4719

image 


The main part of the SQL query used in the RDL file of the Audit Policy Changed Report is:

SELECT *
FROM   AdtServer.dvAll AS dvAll_1
WHERE  (EventId = 4719) AND (CreationTime >= @StartDate) AND (CreationTime <= @EndDate)



The search condition from this SQL Query can be used as the filter expression of OMS log searches against Security and Audit solution records like the following example:

  • A search query to return all records of type SecurityEvent with EventID field containing 612 or 4719, limiting the result to the Activity, Computer, TimeGenerated and EventData fields:

    Type=SecurityEvent EventID=612 OR EventID=4719 | Select Computer, Activity, TimeGenerated, EventData






Policy: Object Permissions Changed Report


The report returns information on object permission changes within a given date/time range by searching for security event 4670 stored in the ACS database.
Running this report for a specific date/time range via the Reporting workspace in the OpsMgr Operations Console or the Reporting site will produce the following SSRS Report:

image 


Here is an example of a 4670 – Permissions on an object were changed security event as shown at the Windows Security Auditing technical documentation on TechNet:
For more information about Event 4670, visit https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4670

image 
 

The main part of the SQL query used in the RDL file of the Object Permissions Changed Report is:

SELECT *
FROM   AdtServer.dvAll
WHERE (EventId = 4670) AND (CreationTime >= @StartDate) AND (CreationTime <= @EndDate)


The search condition from this SQL Query can be used as the filter expression of OMS log searches against Security and Audit solution records like the following example:

  • A search query to return all records of type SecurityEvent with EventID field containing 4670, limiting the result to the Activity, Computer, TimeGenerated and EventData fields:

    Type=SecurityEvent EventID=4670 | Select TimeGenerated, Activity, Computer, EventData

    Here is an example of what would be shown on the time selector in the user interface of the portal if this log search query found some matching records:

    image






Policy: Privilege Added Or Removed Report

The report returns information on privileges being granted or removed within a given date/time range by searching for security events 4704 or 4705 stored in the ACS database.
Running this report for a specific date/time range via the Reporting workspace in the OpsMgr Operations Console or the Reporting site will produce the following SSRS Report:

image 


Here is an example of a 4704 – A user right was assigned security event as shown at the Windows Security Auditing technical documentation on TechNet:
For more information about Event 4704, visit https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4704

image 
 

Here is an example of a 4705 – A user right was removed security event as shown at the Windows Security Auditing technical documentation on TechNet:
For more information about Event 4705, visit https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4705

 image 



The main part of the SQL query used in the RDL file of the Privilege Added Or Removed Report is:

SELECT *
FROM   AdtServer.dvAll AS dvAll_1
WHERE  (EventId = 4704 OR EventId = 4705) AND (CreationTime >= @StartDate) AND (CreationTime <= @EndDate)



The search condition from this SQL Query can be used as the filter expression of OMS log searches against Security and Audit solution records like the following example:

  • A search query to return all records of type SecurityEvent with EventID field containing 621 or 622 or 4704 or 4705, limiting the result to the TimeGenerated, Activity and EventData fields:

    Type=SecurityEvent EventID:[608..609] OR EventID:[621..622] OR EventID:[4704..4705] | Select TimeGenerated, Activity, Computer, EventData






 
 
To view the complete mapping between all Audit Collection Services (ACS) SSRS reports and search queries used in OMS Log Analytics, refer to:
https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/07/25/mapping-acs-reports-to-oms-search-queries/


 


Disclaimer:
All information on this blog is provided on an as-is basis with no warranties and for informational purposes only. Use at your own risk. The opinions and views expressed in this blog are those of the author and do not necessarily state or reflect those of my employer.