Leveraging OMS Log Search to Report on Dynamic Access Control Usage


In this post, we look at how to leverage the Security and Audit solution in OMS and use log searches to retrieve records on Dynamic Access Control (DAC) usage, based on the audit events that Audit Collection Services (ACS) in OpsMgr collects and reports on.

In ACS, three DAC SSRS reports are available out-of-the-box from System Center 2012 Service Pack 1 (SP1) onwards. OpsMgr provides ACS support for Dynamic Access Control as enabled by Windows Server 2012. ACS collects DAC-related audit events from the relevant machines (file servers, domain controllers), and these reports enable auditors and compliance officers to report on the use of Dynamic Access Control in the IT environment:

  1. DAC: File Resource Property Changes Report,
  2. DAC: Central Access Policy For File Changes Report, and
  3. DAC: Object Attribute Changes Report


The Security and Audit solution in OMS Log Analytics, by contrast, provides a comprehensive view into your organization's IT security posture, with built-in search queries for notable issues that require your attention.
Adding the Security and Audit solution to an OMS workspace allows Windows security events, Windows application events, and Windows firewall logs to be collected through direct agents or MMA agents that the user has enabled.
For further information, refer to Security and Audit solution in Log Analytics by Bill Anderson.

To retrieve and analyze the security events highlighted by these three ACS audit reports in OMS Log Analytics, the search conditions from the SQL queries behind the reports can be reused as filter expressions in OMS log search queries against the records collected by the Security and Audit solution.



DAC: File Resource Property Changes Report

The report shows File Resource Property changes for Windows Server 2012 within a given date/time range, by searching for security event 4911 stored in the ACS database.

An example of a 4911 – Resource attributes of the object were changed security event is shown in the Windows Security Auditing technical documentation on TechNet.
For more information about Event 4911, visit https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4911



The main part of the SQL query used in the RDL file of the File Resource Property Changes Report is:

select *
from AdtServer.dvOldResourceAttributes as ORA
inner join AdtServer.dvAll as A on ORA.EventId = A.Id
where ORA.OldClaimDisplayName IN (@ResourceAttribute)
  and A.PrimaryDomain like '%' + ISNULL(@Domain, '') + '%'
  and A.PrimaryUser like '%' + ISNULL(@User, '') + '%'
  and A.String03 like '%' + ISNULL(@FilePath, '') + '%'
  and A.EventId = 4911
  and A.CreationTime > @StartDate and A.CreationTime < @EndDate
union
select *
from AdtServer.dvNewResourceAttributes as NRA
inner join AdtServer.dvAll as A on NRA.EventId = A.Id
where NRA.NewClaimDisplayName IN (@ResourceAttribute)
  and A.PrimaryDomain like '%' + ISNULL(@Domain, '') + '%'
  and A.PrimaryUser like '%' + ISNULL(@User, '') + '%'
  and A.String03 like '%' + ISNULL(@FilePath, '') + '%'
  and A.EventId = 4911
  and A.CreationTime > @StartDate and A.CreationTime < @EndDate



The search condition from this SQL query can be used as the filter expression of an OMS log search against Security and Audit solution records, as in the following example:

  • A search query to return all records of type SecurityEvent with EventID 4911, limiting the result to the Computer, Activity, TimeGenerated, SubjectAccount and EventData fields:

    Type=SecurityEvent EventID=4911 | Select Computer, Activity, TimeGenerated, SubjectAccount, EventData






DAC: Central Access Policy For File Changes Report

The report shows changes to the Central Access Policy that applies to a File Resource within a given date/time range, by searching for security event 4913 stored in the ACS database.

An example of a 4913 – Central Access Policy on the object was changed security event is shown in the Windows Security Auditing technical documentation on TechNet.
For more information about Event 4913, visit https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4913





The main part of the SQL query used in the RDL file of the Central Access Policy For File Changes Report is:

select *
from AdtServer.dvAll as A
where A.PrimaryDomain like '%' + ISNULL(@Domain, '') + '%'
  and A.PrimaryUser like '%' + ISNULL(@User, '') + '%'
  and A.String03 like '%' + ISNULL(@FilePath, '') + '%'
  and A.EventId = 4913
  and A.CreationTime > @StartDate and A.CreationTime < @EndDate



The search condition from this SQL query can be used as the filter expression of an OMS log search against Security and Audit solution records, as in the following example:

  • A search query to return all records of type SecurityEvent with EventID 4913, limiting the result to the Computer, Activity, TimeGenerated, SubjectAccount and EventData fields:

    Type=SecurityEvent EventID=4913 | Select Computer, Activity, TimeGenerated, SubjectAccount, EventData







DAC: Object Attribute Changes Report


The report shows Object Attribute changes for Windows Server 2012 within a given date/time range, by searching for security events 5136 or 5137 stored in the ACS database.

An example of a 5136 – A directory service object was modified security event is shown in the Windows Security Auditing technical documentation on TechNet.
For more information about Event 5136, visit https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-5136


An example of a 5137 – A directory service object was created security event is shown in the Windows Security Auditing technical documentation on TechNet.
For more information about Event 5137, visit https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-5137




The main part of the SQL query used in the RDL file of the Object Attribute Changes Report is:

select *
from AdtServer.dvAll as A
where (A.EventId = 5136 or A.EventId = 5137)
  and A.String07 = @ClassName
  and A.String05 like '%' + ISNULL(@ObjectName, '') + '%'
  and A.CreationTime > @StartDate and A.CreationTime < @EndDate



The search condition from this SQL query can be used as the filter expression of an OMS log search against Security and Audit solution records, as in the following example:

  • A search query to return all records of type SecurityEvent with EventID 5136 or 5137, limiting the result to the Computer, Activity, TimeGenerated, SubjectAccount and EventData fields:

    Type=SecurityEvent EventID=5136 OR EventID=5137 | Select Computer, Activity, TimeGenerated, SubjectAccount, EventData
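As an added example (not code from the original post), the three report conditions above are expressed once as data in Python and used both to build the equivalent OMS log search string and to apply the same filter offline to constructed SecurityEvent-style records. The field names and the `=` / `OR` / `|` syntax are those used on this page; the absolute TimeGenerated comparison form and the parenthesised OR grouping are assumptions.

```python
from datetime import datetime

# Report name -> event IDs its SQL WHERE clause selects (UNION / "or" -> OR).
DAC_REPORTS = {
    "File Resource Property Changes": (4911,),
    "Central Access Policy For File Changes": (4913,),
    "Object Attribute Changes": (5136, 5137),
}
SELECT = "Select Computer, Activity, TimeGenerated, SubjectAccount, EventData"
FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_time(s):
    return datetime.strptime(s, FMT)

def build_search(report, user=None, start=None, end=None):
    """OMS search string for one report; a None filter is omitted, matching ISNULL(@User, '') + '%'."""
    ids = DAC_REPORTS[report]
    id_clause = " OR ".join(f"EventID={i}" for i in ids)
    if len(ids) > 1:
        id_clause = f"({id_clause})"  # make the OR grouping explicit (assumed safe syntax)
    terms = ["Type=SecurityEvent", id_clause]
    if user:
        terms.append(f'SubjectAccount="{user}"')
    if start:  # absolute TimeGenerated comparisons: assumed syntax
        terms.append("TimeGenerated>" + start.strftime(FMT))
    if end:
        terms.append("TimeGenerated<" + end.strftime(FMT))
    return " ".join(terms) + " | " + SELECT

def filter_records(report, records, user=None, start=None, end=None):
    """Apply the same condition offline to SecurityEvent-shaped dicts."""
    ids = DAC_REPORTS[report]
    hits = []
    for r in records:
        if r.get("Type") != "SecurityEvent" or r.get("EventID") not in ids:
            continue  # wrong record type or not an event this report covers
        if user and r.get("SubjectAccount") != user:
            continue
        t = parse_time(r["TimeGenerated"])
        if (start and t <= start) or (end and t >= end):
            continue  # strict > / < bounds, as in the SQL CreationTime check
        hits.append(r)
    return hits

# Constructed sample records (not real telemetry); the last one is not a SecurityEvent.
SAMPLE = [
    {"Type": "SecurityEvent", "EventID": 4911, "Computer": "FS01", "SubjectAccount": "CONTOSO\\alice", "TimeGenerated": "2016-07-20T10:00:00Z"},
    {"Type": "SecurityEvent", "EventID": 5136, "Computer": "DC01", "SubjectAccount": "CONTOSO\\bob", "TimeGenerated": "2016-07-21T11:00:00Z"},
    {"Type": "SecurityEvent", "EventID": 5137, "Computer": "DC01", "SubjectAccount": "CONTOSO\\alice", "TimeGenerated": "2016-07-22T12:00:00Z"},
    {"Type": "Event", "EventID": 5136, "Computer": "DC01", "SubjectAccount": "CONTOSO\\bob", "TimeGenerated": "2016-07-21T11:00:00Z"},
]
```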








 
To view the complete mapping between all Audit Collection Services (ACS) SSRS reports and search queries used in OMS Log Analytics, refer to:
https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/07/25/mapping-acs-reports-to-oms-search-queries/


 




Disclaimer:
All information on this blog is provided on an as-is basis with no warranties and for informational purposes only. Use at your own risk. The opinions and views expressed in this blog are those of the author and do not necessarily state or reflect those of my employer.