ACS Dashboard in OMS: Your Audit Report Highlights in a Glance


This post shows how the OMS Log Search queries listed in the mapping table for each ACS Audit Report can drive the visualizations of an Audit Collection Services (ACS) dashboard in OMS, modelled on the OpsMgr ACS audit reports and built on the security events collected by the Security and Audit solution in OMS Log Analytics.


The ACS Summary Tile and Dashboard are built with the View Designer feature of your OMS Log Analytics workspace. Adding the Security and Audit solution to the workspace collects Windows security events, Windows application events and Windows firewall logs from the computers you have connected, whether they report through a directly connected Microsoft Monitoring Agent (MMA) or through an OpsMgr management group.

Here are the steps to create the Summary Tile for the ACS Dashboard and the visualization parts (views) in the Dashboard Overview, each of which highlights one ACS Audit Report using the log search queries listed in the mapping table:
(Note: creating the complete ACS Dashboard in your OMS workspace with the View Designer may take up to 2 hours.)


Step 1: Create the ACS Summary Tile


Preferred Tile Type: Two Timelines Tile
Explanation: To compare the total number of security events collected by the Security and Audit Solution with all the security events that are reported by the ACS Audit Reports, in total and over the last 7 days.
Configuration Overview:

  • Chart query for all security events (ALL SEC EVENTS):
    Type=SecurityEvent EventID!=0
  • Chart query for ACS focused security events (ACS SEC EVENTS):
    Type=SecurityEvent EventID=539 OR EventID=644 OR EventID=4740 OR EventID=6279 OR EventID:[529..537] OR EventID=4625 OR EventID=4728 OR EventID=4732 OR EventID=4756 OR EventID=632 OR EventID=636 OR EventID=660 OR EventID=4729 OR EventID=4733 OR EventID=4757 OR EventID=633 OR EventID=637 OR EventID=661 OR EventID=4723 OR EventID=4724 OR EventID:[627..628] OR EventID=624 OR EventID=630 OR EventID=4726 OR EventID=4720 OR EventID=576 OR EventID=4672 OR EventID=643 OR EventID=4739 OR EventID=612 OR EventID=4719 OR EventID=4670 OR EventID:[608..609] OR EventID:[621..622] OR EventID:[4704..4705] OR EventID=516 OR EventID=4612 OR EventID=517 OR EventID=1102 OR EventID=560 OR EventID=567 OR EventID=4656 OR EventID=4663 OR EventID:[4727..4735] OR EventID=4737 OR EventID:[4754..4758] OR EventID:[631..639] OR EventID=641 OR EventID:[658..662] OR EventID=528 OR EventID=540 OR EventID=4624
    (This is the union of the Event IDs used by the individual views below; some of the later ranges, such as EventID:[4727..4735] and EventID:[631..639], already cover single IDs listed earlier, which is harmless in an OR chain.)
  • Calculation Operation: Sum
  • Time Interval Duration: 7 days

 



Step 2: Create the Further Information and Forensic Views in the Dashboard Overview


Further Information View:
Preferred Visualization Part: Information Part
Explanation: Provides a shortcut to the ACS Reports to OMS Search Queries Mapping Table for the user to acquire further information on the topic.
Configuration Overview:



Forensic View:
Preferred Visualization Part: List of Queries Part
Explanation: Displays a list of search queries to analyze security events collected for a specific computer, a particular user or an Event ID. The user can click on each query and fill in the values for the filter replacing the <<string>> to display its results.
Configuration Overview:

  • Query 1 Friendly Name: All Events For Specified Computer
  • Query 1 Search query: Type=SecurityEvent Computer="<<Computer Name>>"
  • Query 2 Friendly Name: All Events For Specified Computer grouped by Activity
  • Query 2 Search query: Type=SecurityEvent Computer="<<Computer Name>>" | measure count() by Activity
  • Query 3 Friendly Name: All Events For Specified User
  • Query 3 Search query: Type=SecurityEvent Account="<<User Domain\\Account Name>>"
  • Query 4 Friendly Name: All Events For Specified User grouped by Activity
  • Query 4 Search query: Type=SecurityEvent Account="<<User Domain\\Account Name>>" | measure count() by Activity
  • Query 5 Friendly Name: All Events With Specified Event ID
  • Query 5 Search query: Type=SecurityEvent EventID="<<Event Id>>"
  • Query 6 Friendly Name: All Events With Specified Event ID grouped by Computer
  • Query 6 Search query: Type=SecurityEvent EventID="<<Event Id>>" | measure count() by Computer
  • Query 7 Friendly Name: All Events With Specified Event ID grouped by Account
  • Query 7 Search query: Type=SecurityEvent EventID="<<Event Id>>" | measure count() by Account

(Note: Please re-type the double quote characters as they may be re-encoded into a format that is not compatible with OMS Log Analytics)

For more information, please refer to the following post:
Leveraging OMS Log Search to Analyze Security Events for a Specific Computer/User/EventID
https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/08/03/leveraging-oms-log-search-to-analyze-security-events-for-a-specific-computerusereventid/





Step 3: Create the Planning and System Integrity Check Views in the Dashboard Overview


Event Counts and Hourly Distribution View:

Preferred Visualization Part: Line chart, Callout, & List Part
Explanation: The header displays a line chart of the distribution of all security events collected by the Security and Audit Solution on an hourly interval within the last 7 days. The callout shows the average amount of security events collected per hour and the list displays the top 10 security events with the highest count collected over the last 7 days.
Configuration Overview:

  • Header Title: Hourly Event Distribution
  • Line Chart Query: Type=SecurityEvent EventID!=0 | measure count() AS Count by TimeGenerated Interval 1Hour
  • Callout Title: Avg per hour
  • Operation: Average
  • Column titles: Event Id – Activity, Value: Count
  • List Query: Type=SecurityEvent EventID!=0 | measure count() AS Count by Activity
  • Navigation Query: Type=SecurityEvent EventID!=0 | measure count() AS Count by Computer


For more information, please refer to the following post:
Leveraging OMS Log Search to Help Planning and Tuning of Audit Policies
https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/08/02/leveraging-oms-log-search-to-help-planning-and-tuning-of-audit-policies/



Logon Counts of Privileged Users View:

Preferred Visualization Part: Number and List Part
Explanation: The header has a single number showing the total number of privileged logons and the list displays the top 10 privileged users with the highest logon counts over the last 7 days. Event 4672 (576 on pre-Vista systems) is logged on every logon by an account that holds sensitive privileges, which is why the queries exclude the NT AUTHORITY domain (SYSTEM, LOCAL SERVICE, NETWORK SERVICE) and machine accounts; without those filters the service and computer accounts dominate the list.
Configuration Overview:

  • Tile Legend: Logon Counts
  • Tile Query:
    Type=SecurityEvent (EventID=576 OR EventID=4672) AND SubjectDomainName!="NT AUTHORITY" AND AccountType!="Machine"
  • Column titles: User Account, Value: Count
  • List Query:
    Type=SecurityEvent (EventID=576 OR EventID=4672) AND SubjectDomainName!="NT AUTHORITY" AND AccountType!="Machine" | Measure Count() by SubjectAccount
  • Navigation Query:
    Type=SecurityEvent (EventID=576 OR EventID=4672) AND SubjectDomainName!="NT AUTHORITY" AND AccountType!="Machine" | Select SubjectAccount, PrivilegeList
    (The parentheses around the two Event IDs make the grouping explicit, so the NT AUTHORITY and machine-account filters apply to both 576 and 4672 events.)

(Note: Please re-type the double quote characters as they may be re-encoded into a format that is not compatible with OMS Log Analytics)

For more information, please refer to the following post:
Leveraging OMS Log Search to Help Planning and Tuning of Audit Policies
https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/08/02/leveraging-oms-log-search-to-help-planning-and-tuning-of-audit-policies/



System Integrity Check View:

Preferred Visualization Part: Two number and List Part
Explanation: The header has one number showing the number of audit failures and a separate number showing the number of times the audit log was cleared over the last 7 days. The list displays the number of times the audit log was cleared per hour, for the ten most recent hourly buckets.
Configuration Overview:

  • Tile Legend 1: Audit Failure
  • Tile Query 1: Type=SecurityEvent EventID=516 OR EventID=4612 | Select TimeGenerated, Activity, Computer
  • Tile Legend 2: Audit Log Cleared
  • Tile Query 2: Type=SecurityEvent EventID=517 OR EventID=1102 | Select TimeGenerated, Activity, Computer
  • Column titles: Date Audit Log Cleared, Value: Count (Hourly Interval)
  • List Query: Type=SecurityEvent EventID=517 OR EventID=1102 | measure count() AS EventPerHour interval 1Hour | sort TimeGenerated desc
  • Navigation Query: Type=SecurityEvent EventID=517 OR EventID=516 OR EventID=1102 OR EventID=4612 | Select TimeGenerated, Activity, Computer


For more information, please refer to the following post:
Leveraging OMS Log Search to Capture Audit Failures and Audit Log Tampering:
https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/08/04/leveraging-oms-log-search-to-track-audit-failures-and-audit-log-tampering/
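The three Step 3 views expressed as plain Python over a handful of constructed SecurityEvent records, as an added example that is not part of the original post or of the OMS product: it applies the privileged-logon filter with the OR/AND grouping made explicit, ranks subject accounts the way the list part does, buckets events per hour (the "interval 1Hour" of the line chart and the audit-log-cleared list) and lists the integrity events most recent first. The field names follow the SecurityEvent schema used in the queries above; the event records, host names and accounts are made up for the example, and the hourly average is computed over a window length you pass in rather than taken from the View Designer callout.

```python
"""Step 3 (planning and system integrity) views re-implemented over a
constructed sample of SecurityEvent records.  Example code added for
illustration; the records are made up, not collected from a workspace."""
from collections import Counter
from datetime import datetime

PRIVILEGED_LOGON_IDS = {576, 4672}          # special privileges assigned to a new logon
AUDIT_FAILURE_IDS = {516, 4612}             # audit subsystem failed to record events
AUDIT_LOG_CLEARED_IDS = {517, 1102}         # security log cleared
INTEGRITY_IDS = AUDIT_FAILURE_IDS | AUDIT_LOG_CLEARED_IDS

# Constructed sample data mirroring the SecurityEvent fields the queries use.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2016-08-07T08:05:00", "EventID": 4672, "Computer": "DC01.contoso.local",
     "SubjectDomainName": "CONTOSO", "SubjectAccount": "CONTOSO\\alice", "AccountType": "User"},
    {"TimeGenerated": "2016-08-07T08:07:00", "EventID": 4672, "Computer": "DC01.contoso.local",
     "SubjectDomainName": "NT AUTHORITY", "SubjectAccount": "NT AUTHORITY\\SYSTEM", "AccountType": "User"},
    {"TimeGenerated": "2016-08-07T08:30:00", "EventID": 4672, "Computer": "FS01.contoso.local",
     "SubjectDomainName": "CONTOSO", "SubjectAccount": "CONTOSO\\FS01$", "AccountType": "Machine"},
    {"TimeGenerated": "2016-08-07T09:10:00", "EventID": 4672, "Computer": "FS01.contoso.local",
     "SubjectDomainName": "CONTOSO", "SubjectAccount": "CONTOSO\\alice", "AccountType": "User"},
    {"TimeGenerated": "2016-08-07T09:12:00", "EventID": 576, "Computer": "LEGACY03.contoso.local",
     "SubjectDomainName": "CONTOSO", "SubjectAccount": "CONTOSO\\bob", "AccountType": "User"},
    {"TimeGenerated": "2016-08-07T09:40:00", "EventID": 1102, "Computer": "FS01.contoso.local",
     "SubjectDomainName": "CONTOSO", "SubjectAccount": "CONTOSO\\bob", "AccountType": "User"},
    {"TimeGenerated": "2016-08-07T09:41:00", "EventID": 4624, "Computer": "FS01.contoso.local",
     "SubjectDomainName": "CONTOSO", "SubjectAccount": "CONTOSO\\bob", "AccountType": "User"},
    {"TimeGenerated": "2016-08-07T11:02:00", "EventID": 4612, "Computer": "DC01.contoso.local",
     "SubjectDomainName": "NT AUTHORITY", "SubjectAccount": "NT AUTHORITY\\SYSTEM", "AccountType": "User"},
]


def privileged_logons(events):
    """(EventID=576 OR EventID=4672) AND SubjectDomainName!="NT AUTHORITY" AND AccountType!="Machine".

    The grouping matters: an engine that binds AND tighter than OR would read
    the unparenthesised filter as 576 OR (4672 AND ...) and let every 576
    event through, including SYSTEM and service logons.
    """
    return [
        e for e in events
        if e["EventID"] in PRIVILEGED_LOGON_IDS
        and e["SubjectDomainName"] != "NT AUTHORITY"
        and e["AccountType"] != "Machine"
    ]


def privileged_logon_counts(events, top=10):
    """measure count() by SubjectAccount, highest first, like the list part."""
    return Counter(e["SubjectAccount"] for e in privileged_logons(events)).most_common(top)


def hour_bucket(timestamp):
    """Truncate an ISO-8601 TimeGenerated value to its hour (interval 1Hour)."""
    return datetime.fromisoformat(timestamp).strftime("%Y-%m-%dT%H:00")


def hourly_counts(events, event_ids=None):
    """measure count() interval 1Hour, oldest bucket first; empty hours are absent."""
    counts = Counter(
        hour_bucket(e["TimeGenerated"]) for e in events
        if event_ids is None or e["EventID"] in event_ids
    )
    return sorted(counts.items())


def average_per_hour(events, window_hours, event_ids=None):
    """Average events per hour over the whole window, counting empty hours.

    Averaging only the non-empty buckets that hourly_counts() returns would
    overstate the rate on a quiet host, so the window length is passed in.
    """
    total = sum(c for _, c in hourly_counts(events, event_ids))
    return total / window_hours


def integrity_events(events):
    """Audit failures and log clears, most recent first (the navigation view)."""
    hits = [e for e in events if e["EventID"] in INTEGRITY_IDS]
    return sorted(hits, key=lambda e: e["TimeGenerated"], reverse=True)


if __name__ == "__main__":
    print("privileged logons:", privileged_logon_counts(SAMPLE_EVENTS))
    print("all events per hour:", hourly_counts(SAMPLE_EVENTS))
    print("avg per hour (4h window):", average_per_hour(SAMPLE_EVENTS, window_hours=4))
    print("log cleared per hour:", hourly_counts(SAMPLE_EVENTS, AUDIT_LOG_CLEARED_IDS))
    for e in integrity_events(SAMPLE_EVENTS):
        print(e["TimeGenerated"], e["EventID"], e["Computer"])
```

On the sample, only alice's two 4672 logons and bob's 576 logon survive the privileged-logon filter; SYSTEM is dropped by the NT AUTHORITY check and FS01$ by the machine-account check. The 1102 at 09:40 from the same account that logged on interactively a minute later is exactly the pattern the System Integrity Check view is meant to surface.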





Step 4: Create the Access Violation Related Activities View in the Dashboard Overview




Access Violation Related Activities View:

Preferred Visualization Part: Two number and List Part
Explanation: The header has one number showing the total number of accounts locked out and a separate number showing the number of unsuccessful logon attempts over the last 7 days. The list displays the top 10 accounts with the highest number of failed logon attempts over the last 7 days. The Status=0xc000006d filter keeps only 4625 events whose failure status is STATUS_LOGON_FAILURE (wrong password, unknown user name and similar); attempts against an account that is already locked out carry Status 0xc0000234 and are not counted here, while the lockout itself appears in the Account Locked tile through event 4740.
Configuration Overview:

  • Tile Legend 1: Account Locked
  • Tile Query 1: Type=SecurityEvent EventID=539 OR EventID=644 OR EventID=4740 OR EventID=6279
  • Tile Legend 2: Unsuccessful Logon Attempts
  • Tile Query 2:
    Type=SecurityEvent EventID:[529..537] OR EventID=539 OR (EventID=4625 AND Status=0xc000006d)  | Select TargetAccount, IpAddress, Computer, LogonProcessName, AuthenticationPackageName, LogonTypeName
  • Column titles: Account Failed to Logon, Value: Count
  • List Query: Type=SecurityEvent EventID:[529..537] OR EventID=539 OR (EventID=4625 AND Status=0xc000006d) | measure count() by TargetAccount
  • Navigation Query: Type=SecurityEvent EventID=539 OR EventID=644 OR EventID=4740 OR EventID=6279 | Select TimeGenerated, TargetAccount, Activity, Computer


For more information, please refer to the following post:
Leveraging OMS Log Search to Identify Potential Access Violation Activities
https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/07/30/leveraging-oms-log-searches-to-identify-potential-access-violation-activities/
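The Access Violation view's logic over constructed SecurityEvent records, as an added example that is not part of the original post or of OMS: it reproduces the failed-logon filter (legacy 529 to 537 and 539, or 4625 with Status 0xc000006d), the lockout count and the top-accounts list, and then goes one step past the dashboard by breaking the failures down by SubStatus (the documented NTSTATUS reason codes) and by flagging source addresses that failed against several distinct accounts, which is how a password-spraying attempt looks in this data. The records, addresses and accounts are made up for the example; the SubStatus table holds the standard Windows logon-failure codes.

```python
"""Step 4 (access violation) view re-implemented over constructed
SecurityEvent records.  Example code added for illustration; the records
are made up, not collected from a workspace."""
from collections import Counter, defaultdict

LOCKOUT_IDS = {539, 644, 4740, 6279}
LEGACY_FAILED_LOGON_IDS = set(range(529, 538)) | {539}   # EventID:[529..537] OR EventID=539
STATUS_LOGON_FAILURE = "0xc000006d"                      # NTSTATUS STATUS_LOGON_FAILURE

# Event 4625 carries the detailed reason in SubStatus (documented NTSTATUS codes).
SUBSTATUS_REASON = {
    "0xc000006a": "bad password",
    "0xc0000064": "user name does not exist",
    "0xc0000072": "account disabled",
    "0xc000006f": "outside permitted logon hours",
    "0xc0000070": "workstation restriction",
    "0xc0000071": "password expired",
    "0xc0000234": "account locked out",
}

SAMPLE_EVENTS = [  # constructed sample data
    {"EventID": 4625, "TargetAccount": "CONTOSO\\alice", "IpAddress": "10.0.0.5", "Computer": "DC01",
     "LogonTypeName": "3 - Network", "Status": "0xc000006d", "SubStatus": "0xc000006a"},
    {"EventID": 4625, "TargetAccount": "CONTOSO\\alice", "IpAddress": "10.0.0.5", "Computer": "DC01",
     "LogonTypeName": "3 - Network", "Status": "0xc000006d", "SubStatus": "0xc000006a"},
    {"EventID": 4625, "TargetAccount": "CONTOSO\\bob", "IpAddress": "10.0.0.5", "Computer": "DC01",
     "LogonTypeName": "3 - Network", "Status": "0xc000006d", "SubStatus": "0xc000006a"},
    {"EventID": 4625, "TargetAccount": "CONTOSO\\carol", "IpAddress": "10.0.0.5", "Computer": "DC01",
     "LogonTypeName": "3 - Network", "Status": "0xc000006d", "SubStatus": "0xc0000064"},
    {"EventID": 4625, "TargetAccount": "CONTOSO\\alice", "IpAddress": "10.0.0.9", "Computer": "WS07",
     "LogonTypeName": "2 - Interactive", "Status": "0xc000006d", "SubStatus": "0xc000006a"},
    # Attempt against an already locked account: Status is 0xC0000234, not
    # 0xC000006D, so the dashboard's failed-logon tile does not count it.
    {"EventID": 4625, "TargetAccount": "CONTOSO\\alice", "IpAddress": "10.0.0.5", "Computer": "DC01",
     "LogonTypeName": "3 - Network", "Status": "0xc0000234", "SubStatus": "0x0"},
    {"EventID": 4740, "TargetAccount": "CONTOSO\\alice", "IpAddress": "-", "Computer": "DC01"},
    {"EventID": 4624, "TargetAccount": "CONTOSO\\bob", "IpAddress": "10.0.0.9", "Computer": "WS07",
     "LogonTypeName": "2 - Interactive", "Status": "0x0", "SubStatus": "0x0"},
    # Pre-Vista style failure (EventID 529) without Status/SubStatus fields.
    {"EventID": 529, "TargetAccount": "CONTOSO\\dave", "IpAddress": "10.0.0.12", "Computer": "LEGACY03"},
]


def unsuccessful_logons(events):
    """EventID:[529..537] OR EventID=539 OR (EventID=4625 AND Status=0xc000006d)."""
    return [
        e for e in events
        if e["EventID"] in LEGACY_FAILED_LOGON_IDS
        or (e["EventID"] == 4625 and e.get("Status", "").lower() == STATUS_LOGON_FAILURE)
    ]


def account_lockouts(events):
    """Tile 1: number of account lockout events."""
    return sum(1 for e in events if e["EventID"] in LOCKOUT_IDS)


def top_failed_accounts(events, top=10):
    """List part: measure count() by TargetAccount, highest first."""
    return Counter(e["TargetAccount"] for e in unsuccessful_logons(events)).most_common(top)


def failure_reasons(events):
    """Break the failed logons down by SubStatus, which the dashboard query drops."""
    reasons = Counter()
    for e in unsuccessful_logons(events):
        reasons[SUBSTATUS_REASON.get(e.get("SubStatus", "").lower(), "unknown")] += 1
    return dict(reasons)


def sources_hitting_many_accounts(events, min_accounts=3):
    """Source addresses that failed against at least min_accounts distinct accounts:
    one password tried across many users (spraying) rather than one user
    mistyping a password."""
    targets = defaultdict(set)
    for e in unsuccessful_logons(events):
        if e.get("IpAddress", "-") != "-":
            targets[e["IpAddress"]].add(e["TargetAccount"])
    return {ip: sorted(accts) for ip, accts in targets.items() if len(accts) >= min_accounts}


if __name__ == "__main__":
    print("locked out:", account_lockouts(SAMPLE_EVENTS))
    print("unsuccessful logon attempts:", len(unsuccessful_logons(SAMPLE_EVENTS)))
    print("top accounts:", top_failed_accounts(SAMPLE_EVENTS))
    print("reasons:", failure_reasons(SAMPLE_EVENTS))
    print("possible spraying:", sources_hitting_many_accounts(SAMPLE_EVENTS))
```

A failure with SubStatus 0xc0000064 (user name does not exist) next to bad-password failures from the same source, as 10.0.0.5 shows here, is worth a second look: legitimate users rarely mistype their user name and their password in the same session, while a spraying tool working from a guessed user list produces exactly that mix.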





Step 5: Create the Account Management Views in the Dashboard Overview


User Accounts Created Or Deleted View:

Preferred Visualization Part: Two number and List Part
Explanation: The header has one number showing the total number of user accounts created and a separate number showing the total number of user accounts deleted over the last 7 days. The list displays the top 10 account creation and deletion event types (by Activity) with the highest count over the last 7 days.
Configuration Overview:

  • Tile Legend 1: User Accounts Created
  • Tile Query 1: Type=SecurityEvent (EventID=624 OR EventID=4720) | EXTEND SubjectAccount AS CreatedBy | Select TimeGenerated, TargetAccount, CreatedBy, Computer
  • Tile Legend 2: User Accounts Deleted
  • Tile Query 2: Type=SecurityEvent (EventID=630 OR EventID=4726) | EXTEND SubjectAccount AS DeletedBy | Select TimeGenerated, TargetAccount, DeletedBy, Computer
  • Column titles: Event Id – Activity, Value: Count
  • List Query: Type=SecurityEvent EventID=624 OR EventID=4720 OR EventID=630 OR EventID=4726 | Measure Count() by Activity
  • Navigation Query: Type=SecurityEvent EventID=624 OR EventID=4720 OR EventID=630 OR EventID=4726 | Select TimeGenerated, TargetAccount, Activity, Computer


For more information, please refer to the following post:
Leveraging OMS Log Search for Account Management and Audit Reporting
https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/07/31/leveraging-oms-log-search-for-account-management-and-audit-reporting/



Domain and Built-in Administrators Membership Changes View:
Preferred Visualization Part: Two number and List Part
Explanation: The header has one number showing the total number of members added and a separate number showing the number of members removed over the last 7 days. The list displays the top 10 membership change event types with the highest count over the last 7 days. The free-text terms "*512" and "S-1-5-32-544" restrict the results to the Domain Admins group (RID 512) and the built-in Administrators group; "*512" is a suffix wildcard, so if your domain has custom groups whose RID also ends in 512, check the TargetSid of the results before acting on them.
Configuration Overview:

  • Tile Legend 1: Member Added
  • Tile Query 1:
    Type=SecurityEvent (EventID=4728 OR EventID=4732 OR EventID=4756 OR EventID=632 OR EventID=636 OR EventID=660) AND ("*512" OR "S-1-5-32-544") | Extend "Add Member" AS Action | Select Action, TargetUserName, Activity, SubjectAccount, MemberName, TimeGenerated, Computer
  • Tile Legend 2: Member Removed
  • Tile Query 2:
    Type=SecurityEvent (EventID=4729 OR EventID=4733 OR EventID=4757 OR EventID=633 OR EventID=637 OR EventID=661) AND ("*512" OR "S-1-5-32-544") | Extend "Remove Member" AS Action | Select Action, TargetUserName, Activity, SubjectAccount, MemberName, TimeGenerated, Computer
  • Column titles: Event Id – Activity, Value: Count
  • List Query:
    Type=SecurityEvent (EventID:[4728..4729] OR EventID:[4732..4733] OR EventID:[4756..4757] OR EventID:[632..633] OR EventID:[636..637] OR EventID:[660..661]) AND ("*512" OR "S-1-5-32-544") | measure Count() by Activity
  • Navigation Query:
    Type=SecurityEvent (EventID:[4728..4729] OR EventID:[4732..4733] OR EventID:[4756..4757] OR EventID:[632..633] OR EventID:[636..637] OR EventID:[660..661]) AND ("*512" OR "S-1-5-32-544") | Select TargetUserName, Activity, SubjectAccount, MemberName, TimeGenerated, Computer
    (The parentheses around the Event IDs make the grouping explicit, so the group filter applies to every membership event; the Member Removed tile query also needs the pipe before Extend.)

(Note: Please re-type the double quote characters as they may be re-encoded into a format that is not compatible with OMS Log Analytics)

For more information, please refer to the following post:
Leveraging OMS Log Search for Account Management and Audit Reporting
https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/07/31/leveraging-oms-log-search-for-account-management-and-audit-reporting/



Password Change Attempts by Non-owner View:

Preferred Visualization Part: Number and List Part
Explanation: The header has a single number showing the total number of password change attempts by someone other than the account owner, and the list displays the top 10 non-owner accounts with the highest number of such changes over the last 7 days. The query does not compare the subject and target fields of an event directly; it approximates "subject is not the target" with a NOT IN subquery that excludes every target account that itself appears as the subject of a password change in the search window. A reset of an account whose owner also changed a password (their own or someone else's) in that window is therefore missed, so treat the count as a lower bound.
Configuration Overview:

  • Tile Legend: Password Change Attempts
  • Tile Query:
    Type=SecurityEvent (EventID=4723 OR EventID=4724 OR EventID:[627..628]) AND SubjectAccount!="ANONYMOUS LOGON" TargetAccount NOT IN {Type=SecurityEvent (EventID=4723 OR EventID=4724 OR EventID:[627..628]) AND SubjectAccount!="ANONYMOUS LOGON" | measure count() by SubjectAccount}
  • Column titles: Changed By, Value: Count
  • List Query:
    Type=SecurityEvent (EventID=4723 OR EventID=4724 OR EventID:[627..628]) AND SubjectAccount!="ANONYMOUS LOGON" TargetAccount NOT IN {Type=SecurityEvent (EventID=4723 OR EventID=4724 OR EventID:[627..628]) AND SubjectAccount!="ANONYMOUS LOGON" | measure count() by SubjectAccount} | Measure Count() by SubjectAccount
  • Navigation Query:
    Type=SecurityEvent (EventID=4723 OR EventID=4724 OR EventID:[627..628]) AND SubjectAccount!="ANONYMOUS LOGON" TargetAccount NOT IN {Type=SecurityEvent (EventID=4723 OR EventID=4724 OR EventID:[627..628]) AND SubjectAccount!="ANONYMOUS LOGON" | measure count() by SubjectAccount} | EXTEND SubjectAccount AS ChangedBy | Select TimeGenerated, Computer, TargetAccount, ChangedBy

(Note: Please re-type the double quote characters as they may be re-encoded into a format that is not compatible with OMS Log Analytics)

For more information, please refer to the following post:
Leveraging OMS Log Search for Account Management and Audit Reporting
https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/07/31/leveraging-oms-log-search-for-account-management-and-audit-reporting/
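The two Step 5 views that carry the most logic, the Domain and Built-in Administrators membership filter and the password-change-by-non-owner check, over constructed SecurityEvent records, as an added example that is not part of the original post or of OMS. Instead of the free-text "*512" term it parses the group SID and checks the RID as a number, so a custom group with RID 1512 is not matched, and it computes the non-owner condition both exactly (subject differs from target, case-insensitively) and with the NOT IN approximation used by the dashboard query, so the two results can be compared. The records, SIDs and accounts are made up; the admin_rids parameter is this example's own extension (Enterprise Admins is RID 519 and Schema Admins RID 518 if you want to include them), not something the post's queries do.

```python
"""Step 5 (account management) views re-implemented over constructed
SecurityEvent records.  Example code added for illustration; the records
are made up, not collected from a workspace."""
from collections import Counter

MEMBER_ADDED_IDS = {4728, 4732, 4756, 632, 636, 660}
MEMBER_REMOVED_IDS = {4729, 4733, 4757, 633, 637, 661}
PASSWORD_CHANGE_IDS = {4723, 4724, 627, 628}
BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"
DOMAIN_ADMINS_RID = 512

SAMPLE_EVENTS = [  # constructed sample data
    {"EventID": 4728, "TimeGenerated": "2016-08-07T08:05:00", "Computer": "DC01", "SubjectAccount": "CONTOSO\\alice",
     "TargetUserName": "Domain Admins", "TargetSid": "S-1-5-21-1004336348-1177238915-682003330-512",
     "MemberName": "CN=Bob,OU=IT,DC=contoso,DC=local"},
    {"EventID": 4732, "TimeGenerated": "2016-08-07T08:09:00", "Computer": "FS01", "SubjectAccount": "CONTOSO\\alice",
     "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544", "MemberName": "CONTOSO\\svc-backup"},
    # Custom group whose RID merely ends in 512: a "*512" suffix match hits it, a RID check does not.
    {"EventID": 4728, "TimeGenerated": "2016-08-07T08:20:00", "Computer": "DC01", "SubjectAccount": "CONTOSO\\alice",
     "TargetUserName": "Sales-Readers", "TargetSid": "S-1-5-21-1004336348-1177238915-682003330-1512",
     "MemberName": "CN=Erin,OU=Sales,DC=contoso,DC=local"},
    {"EventID": 4729, "TimeGenerated": "2016-08-07T17:45:00", "Computer": "DC01", "SubjectAccount": "CONTOSO\\alice",
     "TargetUserName": "Domain Admins", "TargetSid": "S-1-5-21-1004336348-1177238915-682003330-512",
     "MemberName": "CN=Bob,OU=IT,DC=contoso,DC=local"},
    {"EventID": 4724, "TimeGenerated": "2016-08-07T09:00:00", "Computer": "DC01",
     "SubjectAccount": "CONTOSO\\alice", "TargetAccount": "CONTOSO\\bob"},
    {"EventID": 4723, "TimeGenerated": "2016-08-07T09:30:00", "Computer": "WS07",
     "SubjectAccount": "CONTOSO\\bob", "TargetAccount": "CONTOSO\\bob"},
    {"EventID": 4724, "TimeGenerated": "2016-08-07T10:00:00", "Computer": "DC01",
     "SubjectAccount": "CONTOSO\\bob", "TargetAccount": "CONTOSO\\carol"},
    {"EventID": 4724, "TimeGenerated": "2016-08-07T10:30:00", "Computer": "WS07",
     "SubjectAccount": "CONTOSO\\Alice", "TargetAccount": "CONTOSO\\alice"},
    {"EventID": 4723, "TimeGenerated": "2016-08-07T11:00:00", "Computer": "WS07",
     "SubjectAccount": "ANONYMOUS LOGON", "TargetAccount": "CONTOSO\\carol"},
]


def is_admin_group(sid, admin_rids=frozenset({DOMAIN_ADMINS_RID})):
    """True for the built-in Administrators group or a domain group whose RID
    (the last SID component) is in admin_rids."""
    if sid == BUILTIN_ADMINISTRATORS_SID:
        return True
    domain, _, rid = sid.rpartition("-")
    return domain.startswith("S-1-5-21-") and rid.isdigit() and int(rid) in admin_rids


def admin_group_changes(events, admin_rids=frozenset({DOMAIN_ADMINS_RID})):
    """Membership changes to the admin groups, with the Action column the tiles add."""
    out = []
    for e in events:
        if e["EventID"] in MEMBER_ADDED_IDS:
            action = "Add Member"
        elif e["EventID"] in MEMBER_REMOVED_IDS:
            action = "Remove Member"
        else:
            continue
        if is_admin_group(e.get("TargetSid", ""), admin_rids):
            out.append({"Action": action, **e})
    return out


def _account_name(account):
    """Strip a DOMAIN\\ prefix and normalise case; Windows account names are case-insensitive."""
    return account.rpartition("\\")[2].lower()


def _password_change_events(events):
    return [
        e for e in events
        if e["EventID"] in PASSWORD_CHANGE_IDS
        and _account_name(e["SubjectAccount"]) != "anonymous logon"
    ]


def non_owner_password_changes(events):
    """Exact check: the subject of the change is not the target account."""
    return [e for e in _password_change_events(events)
            if e["SubjectAccount"].lower() != e["TargetAccount"].lower()]


def non_owner_password_changes_not_in(events):
    """The dashboard's approximation: TargetAccount NOT IN {SubjectAccount of any
    password-change event in the window}.  It drops a change made to an account
    that itself changed a password in the same window."""
    subjects = {e["SubjectAccount"].lower() for e in _password_change_events(events)}
    return [e for e in _password_change_events(events)
            if e["TargetAccount"].lower() not in subjects]


def changed_by_counts(events, top=10):
    """List part: measure count() by SubjectAccount over the exact result."""
    return Counter(e["SubjectAccount"] for e in non_owner_password_changes(events)).most_common(top)


if __name__ == "__main__":
    for e in admin_group_changes(SAMPLE_EVENTS):
        print(e["Action"], e["TargetUserName"], e["MemberName"], "by", e["SubjectAccount"])
    print("non-owner changes (exact):", len(non_owner_password_changes(SAMPLE_EVENTS)))
    print("non-owner changes (NOT IN):", len(non_owner_password_changes_not_in(SAMPLE_EVENTS)))
    print("changed by:", changed_by_counts(SAMPLE_EVENTS))
```

On the sample the exact check returns two non-owner changes (alice resetting bob, bob resetting carol) while the NOT IN form returns only one: bob appears as a subject because he changed his own password, so alice's reset of bob's account is excluded. That is the under-counting described in the explanation above.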





Step 6: Create the Policy Views in the Dashboard Overview



Account and Audit Policy Changed View:

Preferred Visualization Part: Two number and List Part
Explanation: The header has one number showing the total number of account policy changes and a separate number showing the total number of audit policy changes over the last 7 days. The list displays the top 10 account and audit policy change event types with the highest count over the last 7 days.
Configuration Overview:

  • Tile Legend 1: Account Policy Changed
  • Tile Query 1: Type=SecurityEvent EventID=643 OR EventID=4739 | Select Computer, Activity, TimeGenerated, EventData
  • Tile Legend 2: Audit Policy Changed
  • Tile Query 2: Type=SecurityEvent EventID=612 OR EventID=4719 | Select Computer, Activity, TimeGenerated, EventData
  • Column titles: Event Id – Activity, Value: Count
  • List Query: Type=SecurityEvent EventID=612 OR EventID=643 OR EventID=4719 OR EventID=4739 | measure count() by Activity
  • Navigation Query: Type=SecurityEvent EventID=612 OR EventID=643 OR EventID=4719 OR EventID=4739 | Select Computer, Activity, TimeGenerated, EventData


For more information, please refer to the following post:
Leveraging OMS Log Search to Track Policy and Permission Changes
https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/08/05/leveraging-oms-log-search-to-track-policy-and-permission-changes/



Object Permissions Changed View:
Preferred Visualization Part: Number and List Part
Explanation: The header has a single number showing the total number of object permission changes and the list displays the top 10 computers with the highest count of object permission changes over the last 7 days.
Configuration Overview:

  • Tile Legend: Object Permissions Changed
  • Tile Query: Type=SecurityEvent EventID=4670 | Select TimeGenerated, Activity, Computer, EventData
  • Column titles: Computer, Value: Count
  • List Query: Type=SecurityEvent EventID=4670 | measure count() by Computer
  • Navigation Query: Type=SecurityEvent EventID=4670 | Select TimeGenerated, Activity, Computer, EventData


For more information, please refer to the following post:
Leveraging OMS Log Search to Track Policy and Permission Changes
https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/08/05/leveraging-oms-log-search-to-track-policy-and-permission-changes/



Privilege Added Or Removed View:
Preferred Visualization Part: Number and List Part
Explanation: The header has a single number showing the total number of privilege added or privilege removed events and the list displays the top 10 computers with the highest count of privilege added or privilege removed events over the last 7 days.
Configuration Overview:

  • Tile Legend: Privilege Added Or Removed
  • Tile Query: Type=SecurityEvent EventID:[608..609] OR EventID:[621..622] OR EventID:[4704..4705] | Select TimeGenerated, Activity, Computer, EventData
  • Column titles: Computer, Value: Count
  • List Query: Type=SecurityEvent EventID:[608..609] OR EventID:[621..622] OR EventID:[4704..4705] | measure count() by Computer
  • Navigation Query: Type=SecurityEvent EventID:[608..609] OR EventID:[621..622] OR EventID:[4704..4705] | Select TimeGenerated, Activity, Computer, EventData


For more information, please refer to the following post:
Leveraging OMS Log Search to Track Policy and Permission Changes
https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/08/05/leveraging-oms-log-search-to-track-policy-and-permission-changes/






Step 7: Create the Usage Views in the Dashboard Overview


User and Privileged Logons View:

Preferred Visualization Part: Two number and List Part
Explanation: The header has one number showing the total number of user logon events and a separate number showing the total number of privileged logon events over the last 7 days. The list displays the top 10 user and privileged logon related security events with the highest count over the last 7 days.
Configuration Overview:

  • Tile Legend 1: User Logon
  • Tile Query 1:
    Type=SecurityEvent EventID=528 OR EventID=540 OR EventID=4624 | Select TimeGenerated, Activity, Computer, IpAddress, AuthenticationPackageName, LogonProcessName, LogonTypeName, TargetAccount
  • Tile Legend 2: Privileged Logon
  • Tile Query 2: Type=SecurityEvent EventID=576 OR EventID=4672 | Select TimeGenerated, Activity, Computer, SubjectAccount, PrivilegeList
  • Column titles: Event Id – Activity, Value: Count
  • List Query: Type=SecurityEvent EventID=576 OR EventID=4672 OR EventID=528 OR EventID=540 OR EventID=4624 | measure count() by Activity
  • Navigation Query: Type=SecurityEvent EventID=576 OR EventID=4672 OR EventID=528 OR EventID=540 OR EventID=4624


For more information, please refer to the following post:
Leveraging OMS Log Search to Report on User Logon and Object Access Events
https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/08/05/leveraging-oms-log-search-to-report-on-user-logon-and-object-access-events/



Sensitive Security Groups Changes View:

Preferred Visualization Part: Number and List Part
Explanation: The header has a single number showing the total number of sensitive security group changes and the list displays the top 10 related security event types with the highest count over the last 7 days.
Configuration Overview:

  • Tile Legend: Sensitive Security Groups Changes
  • Tile Query:
    Type=SecurityEvent EventID:[4727..4735] OR EventID=4737 OR EventID:[4754..4758] OR EventID:[631..639] OR EventID=641 OR EventID:[658..662] | EXTEND TargetUserName As GroupName | Select Activity, GroupName, SubjectAccount, MemberName, TimeGenerated
  • Column titles: Event Id – Activity, Value: Count
  • List Query:
    Type=SecurityEvent EventID:[4727..4735] OR EventID=4737 OR EventID:[4754..4758] OR EventID:[631..639] OR EventID=641 OR EventID:[658..662] | measure count() by Activity
  • Navigation Query:
    Type=SecurityEvent EventID:[4727..4735] OR EventID=4737 OR EventID:[4754..4758] OR EventID:[631..639] OR EventID=641 OR EventID:[658..662] | EXTEND TargetUserName As GroupName | Select Activity, GroupName, SubjectAccount, MemberName, TimeGenerated


For more information, please refer to the following post:
Leveraging OMS Log Search to Report on User Logon and Object Access Events
https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/08/05/leveraging-oms-log-search-to-report-on-user-logon-and-object-access-events/



Object Access View:
Preferred Visualization Part: Number and List Part
Explanation: The header has a single number showing the total number of all object access related events over the last 7 days. The list displays the number of object access related events being logged per hour over the last 10 hours.
Configuration Overview:

  • Tile Legend: All Object Access Related Audit Event
  • Tile Query:
    Type=SecurityEvent EventID=560 OR EventID=567 OR EventID=4656 OR EventID=4663 | Select Computer, Activity, TimeGenerated, EventData
  • Column titles: Date Event Logged, Value: Count (Hourly Interval)
  • List Query:
    Type=SecurityEvent EventID=560 OR EventID=567 OR EventID=4656 OR EventID=4663 | measure count() AS EventPerHour interval 1Hour | sort TimeGenerated desc
  • Navigation Query:
    Type=SecurityEvent EventID=560 OR EventID=567 OR EventID=4656 OR EventID=4663 | Select Computer, Activity, TimeGenerated, EventData


For more information, please refer to the following post:
Leveraging OMS Log Search to Report on User Logon and Object Access Events
https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/08/05/leveraging-oms-log-search-to-report-on-user-logon-and-object-access-events/





A shout out and kudos to my colleague Meir Mendelovich (OMS PM) for sharing his knowledge and his time in helping me validate the mapping table and ACS Dashboard in OMS.






To view the complete mapping between all Audit Collection Services (ACS) SSRS reports and search queries used in OMS Log Analytics, refer to:
https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/07/25/mapping-acs-reports-to-oms-search-queries/


 


Additional Resources:

Log Analytics View Designer by Brian Wren
https://azure.microsoft.com/en-us/documentation/articles/log-analytics-view-designer/

Log Analytics View Designer Tile Reference by Brian Wren
https://azure.microsoft.com/en-us/documentation/articles/log-analytics-view-designer-tiles/

Log Analytics View Designer visualization part reference by Brian Wren
https://azure.microsoft.com/en-us/documentation/articles/log-analytics-view-designer-parts/

 



 

Disclaimer:
All information on this blog is provided on an as-is basis with no warranties and for informational purposes only. Use at your own risk. The opinions and views expressed in this blog are those of the author and do not necessarily state or reflect those of my employer.