Share via


Leveraging OMS Log Search to Track Policy and Permission Changes

In this post, we look at how we can leverage the Security and Audit solution in OMS and using log searches to track changes in audit policies and account permissions based on the audit events theAudit Collection Services (ACS) in OpsMgr collects and reports on.

In ACS, there are 4 Policy related SSRS audit reports available out-of-the-box that allow the user to track policy and permission changes in their IT environment:

  1. The Policy: Account Policy Changed Report,
  2. The Policy: Audit Policy Changed Report,
  3. The Policy: Object Permissions Changed, and
  4. The Policy: Privilege Added Or Removed

The Security and Audit solution in OMS Log Analytics however provides a comprehensive view into your organization’s IT security posture with built-in search queries for notable issues that require your attention.

Adding the Security and Audit solution to an OMS workspace will allow Windows security events, Windows application events, and Windows firewall logs to be collected using direct agents or MMA agents that the user enabled.
For further information, refer to Security and Audit solution in Log Analytics by Bill Anderson.

To retrieve and analyze the security events highlighted by these 4 ACS Audit Reports in OMS Log Analytics, the SQL query search conditions used in these reports can be used as the filter expressions in OMS log search queries against records collected by the Security and Audit solution.

Policy: Account Policy Changed Report:

The report returns information on account policy changes in the domain within a given date/time range by searching for security event 4739 stored in the ACS database.
Running this report for a specific date/time range via the Reporting workspace in the OpsMgr Operations Console or the Reporting site will produce the following SSRS Report:

image 

Here is an example of a 4739 – Domain Policy was changed security event as shown at the Windows Security Auditing technical documentation on TechNet:
For more information about Event 4739, visit https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4739

image

The main part of the SQL query used in the RDL file of the Account Policy Changed Report is:

SELECT *FROM AdtServer.dvAllWHERE (EventId = 643 OR EventId = 4739) AND (CreationTime >=@StartDate) AND (CreationTime <= @EndDate)

The search condition from this SQL Query can be used as the filter expression of OMS log searches against Security and Audit solution records like the following example:

  • A search query to return all records of type SecurityEvent with EventID field containing 643 or 4739, limiting the result to the Activity, Computer, TimeGenerated and EventData fields:

    SecurityEvent
    | where EventID==643 or EventID==4739
    | project Computer, Activity, TimeGenerated, EventData

     

Policy: Audit Policy Changed Report

The report returns information on system audit policy changes within a given date/time range by searching for security event 4719 stored in the ACS database.
Running this report for a specific date/time range via the Reporting workspace in the OpsMgr Operations Console or the Reporting site will produce the following SSRS Report:

image

Here is an example of a 4719 – System audit policy was changed security event as shown at the Windows Security Auditing technical documentation on TechNet:
For more information about Event 4719, visit https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4719

image

The main part of the SQL query used in the RDL file of the Audit Policy Changed Report is:

SELECT *FROM AdtServer.dvAll AS dvAll_1WHERE (EventId = 4719) AND (CreationTime >= @StartDate) AND (CreationTime <= @EndDate)

The search condition from this SQL Query can be used as the filter expression of OMS log searches against Security and Audit solution records like the following example:

  • A search query to return all records of type SecurityEvent with EventID field containing 612 or 4719, limiting the result to the Activity, Computer, TimeGenerated and EventData fields:

    SecurityEvent
    | where EventID==612 or EventID==4719
    | project Computer, Activity, TimeGenerated, EventData

****Policy: Object Permissions Changed Report**** The report returns information on object permission changes within a given date/time range by searching for security event 4670 stored in the ACS database. Running this report for a specific date/time range via the Reporting workspace in the OpsMgr Operations Console or the Reporting site will produce the following SSRS Report: ![image](https://msdntnarchive.z22.web.core.windows.net/media/2016/08/image166.png "image") Here is an example of a ***4670*** ***– Permissions on an object were changed*** security event as shown at the **Windows Security Auditing** technical documentation on **TechNet**: For more information about Event 4670, visit [https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4670](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4670 "https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4670") ![image](https://msdntnarchive.z22.web.core.windows.net/media/2016/08/image167.png "image") The **main part** of the SQL query used in the RDL file of the Object Permissions Changed Report is:

SELECT *FROM AdtServer.dvAllWHERE (EventId = 4670) AND (CreationTime >= @StartDate) AND (CreationTime <= @EndDate)

The search condition from this SQL Query can be used as the filter expression of OMS log searches against Security and Audit solution records like the following example:

  • A search query to return all records of type SecurityEvent with EventID field containing 4670, limiting the result to the Activity, Computer, TimeGenerated and EventData fields:

    SecurityEvent
    | where EventID==4670
    | project TimeGenerated, Activity, Computer, EventData

    Here is an example of what would be shown on the time selector in the user interface of the portal if this log search query found some matching records:

    image

****Policy: Privilege Added Or Removed Report**** The report returns information on privileges being granted or removed within a given date/time range by searching for security events 4704 or 4705 stored in the ACS database. Running this report for a specific date/time range via the Reporting workspace in the OpsMgr Operations Console or the Reporting site will produce the following SSRS Report: ![image](https://msdntnarchive.z22.web.core.windows.net/media/2016/08/image169.png "image")  Here is an example of a ***4704*** ***– A user right was assigned*** security event as shown at the **Windows Security Auditing** technical documentation on **TechNet**: For more information about Event 4704, visit [https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4704](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4704 "https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4704") ![image](https://msdntnarchive.z22.web.core.windows.net/media/2016/08/image170.png "image")  Here is an example of a ***4705*** ***– A user right was removed*** security event as shown at the **Windows Security Auditing** technical documentation on **TechNet**: For more information about Event 4705, visit [https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4705](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4705 "https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4705") ![image](https://msdntnarchive.z22.web.core.windows.net/media/2016/08/image171.png "image") The **main part** of the SQL query used in the RDL file of the Privilege Added Or Removed Report is:

SELECT * FROM AdtServer.dvAll AS dvAll_1WHERE (EventId = 4704 OR EventId = 4705) AND (CreationTime >= @StartDate) AND (CreationTime <= @EndDate)

The search condition from this SQL Query can be used as the filter expression of OMS log searches against Security and Audit solution records like the following example:

  • A search query to return all records of type SecurityEvent with EventID field containing 621 or 622 or 4704 or 4705, limiting the result to the TimeGenerated, Activity and EventData fields:

    SecurityEvent
    | where EventID between (608 .. 609) or EventID between (621 .. 622) or EventID between (4704 .. 4705)
    | project TimeGenerated, Activity, Computer, EventData

To view the complete mapping between all Audit Collection Services (ACS) SSRS reports and search queries used in OMS Log Analytics, refer to:
https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/07/25/mapping-acs-reports-to-oms-search-queries/

 

Disclaimer:
All information on this blog is provided on an as-is basis with no warranties and for informational purposes only. Use at your own risk. The opinions and views expressed in this blog are those of the author and do not necessarily state or reflect those of my employer.