Microsoft Azure Operational Insights Preview Series – Security and Audit (Part 17)

Article, Azure, Azure Automation, Azure Operational Insights Preview, Azure Site Recovery, Hybrid Security, Log Analytics, Microsoft, Operational Insights, Operational Insights, Operations Management Suite, Software, System Center, System Center Operations Manager 3 Minutes

Previously on Microsoft Azure Operational Insights Preview Series:

Security and Audit Intelligence Pack is probably the most powerful IP of all. That IP gathers a lot of logs basically every security log on every machines you are monitoring with Operational Insights. And if you have tried doing that with SCOM Audit Collection Services in the past you know it is not an easy job to do. Azure Operational Insights solves that problem you just enable it and the OpInsights team takes care of supporting the infrastructure for all this data and updating the IP itself, you just consume the end result and make the analysis based on the data.

Now before enabling this IP keep in mind that uploads a lot of data. For a 57 machines where we have 1 SMB storage server, 4 Hyper-V servers and the rest is virtual machines we have seen up to 44GB uploaded data per day. As this information is based on preview always look for the latest data on this topic.

You can find the Security and Audit IP in the Gallery:

image

Until data is being gathered you will not be able to click on the tile and dive deep:

image

After several hours you will see data:

image

Clicking on the tile opens a lot of information:

image

You will notice that this data is scoped for the last 1 day. The reason for this is to show you day to day trends.

I will not focus on every single tile you see here in this dashboard as when you click on every single tile this will lead you to a search query. And those predefined queries are there to help you explore so you can make your own queries that makes sense in your environment.

We can find a KB article with some security Event IDs and search by them:

http://support.microsoft.com/kb/977519

Let’s say I am choosing Event 4720 which should show me what are the user accounts that are created:

Type=SecurityEvent  EventID=4720 | Select TargetUserName,UserPrincipalName,TargetSid,TargetDomaunName,SubjectAccount

It is a very simple query that I can execute and for example I can scope for the last 7 days:

image

Although that query is very simple it gives me powerful results as I search across every domain controller I am monitoring. Imagine situations where I have two separate environments but for example I want to see results from both of them on one place. That is the power of Operational Insights.

When you are trying this services I would recommend to try to convert every audit you had in the past related to Windows security logs into search queries. Keep in mind the services is still in preview so there might be some glitches or missing scenarios. Weather this service is GA or in Preview it is always good to express your suggestions in the UserVoice to help improve it.

Published by Stanislav Zhelyazkov

Stanislav Zhelyazkov has been working in IT since 2007. Stanislav has started his IT career as a Help Desk Specialist in 2007 while studying Informatics in the University of Ruse. He also worked in HP Enterprise Services (now known as DXC), maintaining large corporate IT infrastructures for clients in Holland, Switzerland and Germany and was involved in a Private Cloud project based on MS Hyper-V and System Center. He was also in the role of Principal Consultant in Lumagate developing and consulting companies on Azure, OMS, management and Private clouds. Currently he is Cloud Infrastructure Engineer at Sentia Denmark. Stanislav is active community member at MSDN forums providing answers on Azure. His blogposts can be found at www.cloudadministrator.net or www.systemcentercentral.com.

Published

One thought on “Microsoft Azure Operational Insights Preview Series – Security and Audit (Part 17)

  1. Pingback: Microsoft Azure Operational Insights Preview Series – General Availability (Part 18) | Cloud Administrator

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.