Microsoft Azure Operational Insights Preview Series – Security and Audit (Part 17)

Previously on Microsoft Azure Operational Insights Preview Series:

Security and Audit Intelligence Pack is probably the most powerful IP of all. That IP gathers a lot of logs basically every security log on every machines you are monitoring with Operational Insights. And if you have tried doing that with SCOM Audit Collection Services in the past you know it is not an easy job to do. Azure Operational Insights solves that problem you just enable it and the OpInsights team takes care of supporting the infrastructure for all this data and updating the IP itself, you just consume the end result and make the analysis based on the data.

Now before enabling this IP keep in mind that uploads a lot of data. For a 57 machines where we have 1 SMB storage server, 4 Hyper-V servers and the rest is virtual machines we have seen up to 44GB uploaded data per day. As this information is based on preview always look for the latest data on this topic.

You can find the Security and Audit IP in the Gallery:


Until data is being gathered you will not be able to click on the tile and dive deep:


After several hours you will see data:


Clicking on the tile opens a lot of information:


You will notice that this data is scoped for the last 1 day. The reason for this is to show you day to day trends.

I will not focus on every single tile you see here in this dashboard as when you click on every single tile this will lead you to a search query. And those predefined queries are there to help you explore so you can make your own queries that makes sense in your environment.

We can find a KB article with some security Event IDs and search by them:

Let’s say I am choosing Event 4720 which should show me what are the user accounts that are created:

Type=SecurityEvent  EventID=4720 | Select TargetUserName,UserPrincipalName,TargetSid,TargetDomaunName,SubjectAccount

It is a very simple query that I can execute and for example I can scope for the last 7 days:


Although that query is very simple it gives me powerful results as I search across every domain controller I am monitoring. Imagine situations where I have two separate environments but for example I want to see results from both of them on one place. That is the power of Operational Insights.

When you are trying this services I would recommend to try to convert every audit you had in the past related to Windows security logs into search queries. Keep in mind the services is still in preview so there might be some glitches or missing scenarios. Weather this service is GA or in Preview it is always good to express your suggestions in the UserVoice to help improve it.

One thought on “Microsoft Azure Operational Insights Preview Series – Security and Audit (Part 17)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.