Microsoft Azure Operational Insights Preview Series – Security and Audit (Part 17)


Previously on Microsoft Azure Operational Insights Preview Series:

Security and Audit Intelligence Pack is probably the most powerful IP of all. That IP gathers a lot of logs basically every security log on every machines you are monitoring with Operational Insights. And if you have tried doing that with SCOM Audit Collection Services in the past you know it is not an easy job to do. Azure Operational Insights solves that problem you just enable it and the OpInsights team takes care of supporting the infrastructure for all this data and updating the IP itself, you just consume the end result and make the analysis based on the data.

Now before enabling this IP keep in mind that uploads a lot of data. For a 57 machines where we have 1 SMB storage server, 4 Hyper-V servers and the rest is virtual machines we have seen up to 44GB uploaded data per day. As this information is based on preview always look for the latest data on this topic.

You can find the Security and Audit IP in the Gallery:

image

Until data is being gathered you will not be able to click on the tile and dive deep:

image

After several hours you will see data:

image

Clicking on the tile opens a lot of information:

image

You will notice that this data is scoped for the last 1 day. The reason for this is to show you day to day trends.

I will not focus on every single tile you see here in this dashboard as when you click on every single tile this will lead you to a search query. And those predefined queries are there to help you explore so you can make your own queries that makes sense in your environment.

We can find a KB article with some security Event IDs and search by them:

http://support.microsoft.com/kb/977519

Let’s say I am choosing Event 4720 which should show me what are the user accounts that are created:

Type=SecurityEvent  EventID=4720 | Select TargetUserName,UserPrincipalName,TargetSid,TargetDomaunName,SubjectAccount

It is a very simple query that I can execute and for example I can scope for the last 7 days:

image

Although that query is very simple it gives me powerful results as I search across every domain controller I am monitoring. Imagine situations where I have two separate environments but for example I want to see results from both of them on one place. That is the power of Operational Insights.

When you are trying this services I would recommend to try to convert every audit you had in the past related to Windows security logs into search queries. Keep in mind the services is still in preview so there might be some glitches or missing scenarios. Weather this service is GA or in Preview it is always good to express your suggestions in the UserVoice to help improve it.

Advertisements

One thought on “Microsoft Azure Operational Insights Preview Series – Security and Audit (Part 17)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s