When I cover new Operations Management Suite features I do not just introduce them. I put them in a real-world scenario so that you get more value from reading my blog posts. Whether you are an IT Pro, Dev or DevOps, I hope you will find this blog post useful. For the past several years there have been numerous public security breaches. Security has become an even more important topic that everyone in the IT industry should care about, whether in their personal life or at work. With this blog post I would like to introduce you to a solution that will help you stay more secure. Depending on the scale and the features you use it can be free, or you will pay a reasonable price. That solution is Operations Management Suite (OMS) and more specifically the feature called “Malicious IP” introduced a couple of weeks ago.
Malicious IP is enabled when one of the following solutions/features is in use:
- Wire Data
- Firewall Logs
- IIS Logs
Using just one of them is enough to get results. Using more than one gives you results from different perspectives.
As an IT professional you certainly have a personal computer, a work computer, or both. If these machines run Windows 8.1 or higher you are good to go with the Wire Data solution on the client. Operations Management Suite (OMS) has a free tier that lets you upload 500 MB of data per day to the service. That data is retained for 7 days. For the way we will use OMS to protect our PCs, this free tier is perfect.
First we will start by creating an OMS workspace on the free tier. If you have an Azure subscription you can do it through the Azure Portal:
If you do not have an Azure subscription, do not worry. You can sign in to the OMS Portal with a Microsoft Account and create a free-tier workspace there. It is super easy.
Now that you are logged in to the OMS portal you can go to the Solutions Gallery and add the Wire Data solution:
The next step is to install the Microsoft Monitoring Agent and connect it to your newly created OMS workspace. For that purpose go to the Settings tile in OMS. There you will find links to download the agent for 32-bit or 64-bit Windows. On that page you will also see your OMS workspace ID and your Primary Key. Both are needed as input when you install the agent to connect it to your workspace. Treat the Primary Key as a secret: anyone who has it can send data into your workspace.
I’ve downloaded the agent and started the installation on my personal computer. I am using Windows 10 but as I’ve said it will work on 8.1 as well:
Make sure to select “Connect the agent to Microsoft Azure Operational Insights”:
Enter your workspace ID and Workspace Primary Key:
When the installation finishes successfully you are already uploading data to OMS:
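The same installation as an unattended script, for the case where you want to attach several PCs without clicking through the wizard on each of them. This is an added example and not part of the original post. It assumes the 64-bit agent package was downloaded to MMASetup-AMD64.exe in %TEMP%; the setup parameters are the ones Microsoft documents for the agent's silent install, and AgentConfigManager.MgmtSvcCfg is the agent's own COM configuration interface. Check both against the agent version you downloaded.

```powershell
# Added example, not from the original post: unattended install of the Microsoft Monitoring Agent
# followed by a check that it registered with the workspace.
# Assumptions: the 64-bit package is at $Installer; parameter names are the ones Microsoft documents
# for the agent's silent install; verify them against your agent version.
param(
    [Parameter(Mandatory)] [string] $WorkspaceId,
    # The primary key authorises uploads to your workspace: pass it from a secure store, never commit it
    [Parameter(Mandatory)] [string] $WorkspaceKey,
    [string] $Installer = (Join-Path $env:TEMP 'MMASetup-AMD64.exe')
)

$ErrorActionPreference = 'Stop'
$extractDir = Join-Path $env:TEMP 'MMASetup'

# The download is a self-extracting package; /c /t:<dir> unpacks setup.exe without installing
Start-Process -FilePath $Installer -ArgumentList "/c /t:`"$extractDir`"" -Wait -NoNewWindow

$setupArgs = @(
    '/qn',                                    # quiet, no UI
    'ADD_OPINSIGHTS_WORKSPACE=1',             # same as ticking "Connect the agent to ... Operational Insights"
    "OPINSIGHTS_WORKSPACE_ID=`"$WorkspaceId`"",
    "OPINSIGHTS_WORKSPACE_KEY=`"$WorkspaceKey`"",
    'AcceptEndUserLicenseAgreement=1'
)
$setup = Start-Process -FilePath (Join-Path $extractDir 'setup.exe') -ArgumentList $setupArgs -Wait -PassThru -NoNewWindow
if ($setup.ExitCode -ne 0) { throw "Agent setup failed with exit code $($setup.ExitCode)" }

# The agent exposes its configuration through a COM object; use it to confirm the workspace is attached
$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$ws  = $mma.GetCloudWorkspace($WorkspaceId)
if ($null -eq $ws) { throw "Workspace $WorkspaceId is not configured on this agent" }
'Workspace {0}: {1}' -f $ws.workspaceId, $ws.ConnectionStatusText

# HealthService is the agent service that ships the data; make sure it is running
Get-Service HealthService | Select-Object Name, Status
```

Run it from an elevated PowerShell prompt as `.\Install-Agent.ps1 -WorkspaceId <id> -WorkspaceKey <key>`. If the connection status does not read as connected after a minute or two, the usual causes are a typo in the key or an outbound proxy that the agent has not been told about.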
Within a few minutes you will see data in OMS:
To see Malicious IP data you will have to wait a couple of hours. I waited, and when I executed the following query:
* | measure count() by MaliciousIP
I was already seeing my computer communicating with a few IPs from the dark corners of the Internet.
A handful of such hits is normal. A much larger number of connections to such IPs, or a lot of traffic going to them, is probably not normal and can signal that your machine is infected. With OMS you can dig deeper into the logs and see, for example, which process is sending data to that IP and how much it sent. I encourage you to explore it.
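What "a lot more than normal" looks like in practice, as an added example that is not part of the original post. The records below are constructed to resemble the Wire Data fields the search returns (Computer, ProcessName, RemoteIP, MaliciousIP, SentBytes); in practice you would feed in records exported from your own OMS search. The function takes the median number of flagged connections per host as the baseline and reports hosts well above it, together with the process responsible and the bytes sent.

```powershell
# Added example, not from the original post: triage of Wire Data records that OMS tagged with a MaliciousIP.
# The records are constructed to look like WireData fields; in practice export them from your OMS search.
$records = @(
    [pscustomobject]@{ Computer = 'PC1'; ProcessName = 'chrome.exe';  RemoteIP = '203.0.113.10'; MaliciousIP = '203.0.113.10'; SentBytes = 1200 }
    [pscustomobject]@{ Computer = 'PC1'; ProcessName = 'chrome.exe';  RemoteIP = '203.0.113.11'; MaliciousIP = '203.0.113.11'; SentBytes = 800 }
    [pscustomobject]@{ Computer = 'PC1'; ProcessName = 'outlook.exe'; RemoteIP = '192.0.2.20';   MaliciousIP = '';             SentBytes = 5000 }  # not flagged: ignored
    [pscustomobject]@{ Computer = 'PC3'; ProcessName = 'firefox.exe'; RemoteIP = '203.0.113.12'; MaliciousIP = '203.0.113.12'; SentBytes = 600 }
)
# PC2: one unfamiliar process talking repeatedly to a single flagged IP, the pattern the post calls abnormal
foreach ($i in 1..12) {
    $records += [pscustomobject]@{ Computer = 'PC2'; ProcessName = 'update.exe'; RemoteIP = '198.51.100.5'; MaliciousIP = '198.51.100.5'; SentBytes = 40000 }
}

function Find-SuspiciousHosts {
    param(
        [object[]] $Records,
        [int]    $MinHits    = 5,    # never alert below this many hits: a few are normal background noise
        [double] $Multiplier = 3.0   # nor below this multiple of the median host's hit count
    )
    $hits    = @($Records | Where-Object { $_.MaliciousIP })
    $perHost = @($hits | Group-Object Computer)
    if ($perHost.Count -eq 0) { return }

    # Baseline = median number of flagged connections per host; hosts far above it stand out from the noise
    $counts    = @($perHost | ForEach-Object { $_.Count } | Sort-Object)
    $median    = $counts[[int][math]::Floor($counts.Count / 2)]
    $threshold = [math]::Max($MinHits, $median * $Multiplier)

    foreach ($h in $perHost) {
        if ($h.Count -lt $threshold) { continue }
        $topProc = $h.Group | Group-Object ProcessName | Sort-Object Count -Descending | Select-Object -First 1
        [pscustomobject]@{
            Computer    = $h.Name
            Hits        = $h.Count
            Threshold   = $threshold
            TopProcess  = $topProc.Name
            DistinctIPs = @($h.Group | ForEach-Object { $_.MaliciousIP } | Sort-Object -Unique).Count
            SentBytes   = ($h.Group | Measure-Object SentBytes -Sum).Sum
        }
    }
}

# With the constructed data only PC2 (12 hits, one process, one IP, 480000 bytes) is reported
Find-SuspiciousHosts -Records $records | Format-Table -AutoSize
```

The post's query `* | measure count() by MaliciousIP` gives you totals per IP; to feed a script like this you want the underlying records with their process and byte fields, so run a search without the measure clause (something along the lines of `Type=WireData MaliciousIP=*`) and export the results. A single process sending a large volume to one flagged IP is the case worth chasing first; a browser touching a couple of flagged addresses with little data is the background noise the post describes as normal.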
The beauty of this solution is that it is free and it uploads a very small amount of data to OMS. In around 12 hours my PC uploaded about 1.4 MB to OMS:
So you can attach more than one PC to your OMS workspace and monitor their traffic. With the search query syntax in OMS you can easily view data for different computers.
I encourage you to test this scenario and protect yourself with Operations Management Suite, and why not your company as well.