Previously on Microsoft Azure Operational Insights Preview Series:
- Microsoft Azure Operational Insights Preview Series – System Update Assessment (Part 1)
- Microsoft Azure Operational Insights Preview Series – Malware Assessment (Part 2)
- Microsoft Azure Operational Insights Preview Series – Log Management (Part 3)
- Microsoft Azure Operational Insights Preview Series – Capacity Planning (Part 4)
- Microsoft Azure Operational Insights Preview Series – Change Tracking (Part 5)
- Microsoft Azure Operational Insights Preview Series – Time Matters in Dashboard (Part 6)
- Microsoft Azure Operational Insights Preview Series – SQL Assessment (Part 7)
- Microsoft Azure Operational Insights Preview Series – Connecting Directly with Microsoft Monitoring Agent (Part 8)
- Microsoft Azure Operational Insights Preview Series – Alert Management (Part 9)
- Microsoft Azure Operational Insights Preview Series – The Azure Portal Experience (Part 10)
- Microsoft Azure Operational Insights Preview Series – Usability Improvements (Part 11)
- Microsoft Azure Operational Insights Preview Series – AD Assessment (Part 12)
- Microsoft Azure Operational Insights Preview Series – Removing Legacy Configuration Assessment (Part 13)
- Microsoft Azure Operational Insights Preview Series – New Onboarding User Experience (Part 14)
- Microsoft Azure Operational Insights Preview Series – Plans and Retention (Part 15)
- Microsoft Azure Operational Insights Preview Series – Collecting Logs from Azure Diagnostics (Part 16)
The Security and Audit Intelligence Pack is probably the most powerful IP of all. It gathers a lot of logs: basically every security log on every machine you are monitoring with Operational Insights. If you have tried doing that with SCOM Audit Collection Services in the past, you know it is not an easy job. Azure Operational Insights solves that problem: you just enable the IP, and the OpInsights team takes care of supporting the infrastructure for all this data and updating the IP itself; you just consume the end result and do your analysis based on the data.
Before enabling this IP, keep in mind that it uploads a lot of data. For 57 machines, where we have 1 SMB storage server, 4 Hyper-V servers and the rest are virtual machines, we have seen up to 44GB of uploaded data per day. As this information is based on the preview, always look for the latest data on this topic.
You can find the Security and Audit IP in the Gallery:
Until data has been gathered you will not be able to click on the tile and dive deeper:
After several hours you will see data:
Clicking on the tile opens a lot of information:
You will notice that this data is scoped to the last 1 day. The reason for this is to show you day-to-day trends.
I will not focus on every single tile you see in this dashboard, as clicking on any tile leads you to a search query. Those predefined queries are there to help you explore, so you can build your own queries that make sense in your environment.
We can find a KB article with some security Event IDs and search by them:
http://support.microsoft.com/kb/977519
Let’s say I choose Event 4720, which should show me which user accounts were created:
Type=SecurityEvent EventID=4720 | Select TargetUserName,UserPrincipalName,TargetSid,TargetDomainName,SubjectAccount
It is a very simple query that I can execute, and for example I can scope it to the last 7 days:
Although that query is very simple, it gives me powerful results, as I search across every domain controller I am monitoring. Imagine a situation where I have two separate environments but want to see results from both of them in one place. That is the power of Operational Insights.
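To make the semantics of that query concrete, here is an added example (not part of the original post or of Operational Insights itself) that emulates the 4720 search locally: it parses the page's `Field=Value ... | Select a,b` syntax, applies a 7-day scope, and runs it over constructed Security events from two separate environments. The events, the fixed "now", the domain names and the SIDs are all assumptions.

```python
from datetime import datetime, timedelta

# Fixed "now" so the 7-day scope is deterministic (assumption, not real data).
NOW = datetime(2015, 1, 15, 12, 0, 0)

def ev(eid, computer, age, user, domain, subject):
    """Build one constructed SecurityEvent record; age is days before NOW."""
    return {"Type": "SecurityEvent", "EventID": eid, "Computer": computer,
            "TimeGenerated": NOW - timedelta(days=age), "TargetUserName": user,
            "UserPrincipalName": f"{user}@{domain.lower()}.local",
            "TargetSid": f"S-1-5-21-{domain}-{1000 + len(user)}",  # placeholder SID
            "TargetDomainName": domain, "SubjectAccount": subject}

# Constructed events from two separate environments (contoso and fabrikam).
EVENTS = [
    ev("4720", "DC01.contoso.local", 2, "jdoe", "CONTOSO", "CONTOSO\\admin1"),
    ev("4720", "DC01.fabrikam.local", 5, "svc-backup", "FABRIKAM", "FABRIKAM\\admin2"),
    ev("4720", "DC02.contoso.local", 20, "olduser", "CONTOSO", "CONTOSO\\admin1"),
    ev("4624", "DC01.contoso.local", 0, "jdoe", "CONTOSO", "-"),
]

def parse_query(query):
    """Split 'Field=Value ... | Select a,b' into a filter dict and a field list."""
    filter_part, _, select_part = query.partition("|")
    filters = dict(tok.split("=", 1) for tok in filter_part.split())
    fields = None
    if select_part.strip():
        verb, _, names = select_part.strip().partition(" ")
        if verb.lower() != "select":
            raise ValueError("only Select is supported in this example")
        fields = [f.strip() for f in names.split(",") if f.strip()]
    return filters, fields

def run_search(query, events, scope_days, now=NOW):
    """Keep events inside the time scope matching every filter, then project."""
    filters, fields = parse_query(query)
    cutoff = now - timedelta(days=scope_days)
    hits = [e for e in events if e["TimeGenerated"] >= cutoff
            and all(str(e.get(k)) == v for k, v in filters.items())]
    return hits if fields is None else [{f: e.get(f) for f in fields} for e in hits]

# The query from the post (with the field name spelled correctly).
QUERY = ("Type=SecurityEvent EventID=4720 | Select TargetUserName,UserPrincipalName,"
         "TargetSid,TargetDomainName,SubjectAccount")

if __name__ == "__main__":
    for row in run_search(QUERY, EVENTS, scope_days=7):
        print(row)
```

With the 7-day scope, only the two recent account creations (one per environment) are returned; the 20-day-old creation and the 4624 logon event are filtered out.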
When you are trying this service, I would recommend converting every audit you did in the past on Windows security logs into search queries. Keep in mind the service is still in preview, so there might be some glitches or missing scenarios. Whether this service is GA or in Preview, it is always good to express your suggestions in UserVoice to help improve it.