Leveraging OMS Log Search to Analyze Security Events for a Specific Computer/User/EventID
In this post, we look at how to use the Security and Audit solution in OMS together with log searches to analyze the security events collected for a specific computer, a particular user, or an Event ID.
In ACS, three forensic SSRS audit reports are available out of the box; they give the user details on all events occurring in their IT environment that are associated with a computer, user, or security event ID of interest for further investigation:
- The Forensic: All Events For Specified Computer Report,
- The Forensic: All Events For Specified User Report, and
- The Forensic: All Events With Specified Event ID Report
The Security and Audit solution in OMS Log Analytics, by contrast, provides a comprehensive view into your organization’s IT security posture, with built-in search queries for notable issues that require your attention.
Adding the Security and Audit solution to an OMS workspace allows Windows security events, Windows application events, and Windows firewall logs to be collected from the direct agents or MMA agents that the user has enabled.
For further information, refer to Security and Audit solution in Log Analytics by Bill Anderson.
To retrieve and analyze the security events highlighted by these three ACS audit reports in OMS Log Analytics, the search conditions from the SQL queries used in these reports can be expressed as filter expressions in OMS log search queries against the records collected by the Security and Audit solution.
Forensic: All Events For Specified Computer
The report shows all events generated from the specified computer, within a given date/time range.
The following figure shows the input parameters for this SSRS Report in the Reporting workspace in the OpsMgr Operations Console or the Reporting site:
The RDL file of the All Events For Specified Computer Report uses a Semantic Query, with the following filter condition:
Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), UPPER(Domain\Computer) = (UPPER(Parameter: Domain\Computer) & "$"))
The search condition from this SQL Query can be used as the filter expression of OMS log searches against Security and Audit solution records like the following example:
A search query to return all records of type SecurityEvent for a specific computer, within a specific time period:
let computerName = ""; //Enter Computer Name
SecurityEvent
| where Computer == computerName
A query to compare the number of records of type SecurityEvent for a specific computer, grouped by Activity within a specific time period:
let computerName = ""; //Enter Computer Name
SecurityEvent
| where Computer == computerName
| summarize count() by Activity
Here is an example of what the records returned would look like when using this log search query for a specific computer:
Forensic: All Events For Specified User
The report shows all events generated from the specified user account, within a given date/time range.
The following figure shows the input parameters for this SSRS Report in the Reporting workspace in the OpsMgr Operations Console or the Reporting site:
The RDL file of the All Events For Specified User Report uses a Semantic Query, with the following filter condition:
Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), Any of (UPPER(Primary Domain\User) = UPPER(Parameter: Domain\User), UPPER(Target Domain\User) = UPPER(Parameter: Domain\User))
The search condition from this SQL Query can be used as the filter expression of OMS log searches against Security and Audit solution records like the following example:
A search query to return all records of type SecurityEvent for a specific user account, within a specific time period:
let accountName = ""; //Enter a User Domain\\Account Name
SecurityEvent
| where Account == accountName
A query to compare the number of records of type SecurityEvent for a specific user account, grouped by Activity within a specific time period:
let accountName = ""; //Enter a User Domain\\Account Name
SecurityEvent
| where Account == accountName
| summarize count() by Activity
Here is an example of what the records returned would look like when using this log search query for a specific user account:
Forensic: All Events With Specified Event ID
The report shows all events generated from the specified Event ID, within a given date/time range.
The following figure shows the input parameters for this SSRS Report in the Reporting workspace in the OpsMgr Operations Console or the Reporting site:
The RDL file of the All Events For Specified Event ID Report uses a Semantic Query, with the following filter condition:
Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), Event Id = (prompted))
The search condition from this SQL Query can be used as the filter expression of OMS log searches against Security and Audit solution records like the following example:
A search query to return all records of type SecurityEvent for a specific Event Id, within a specific time period:
let eventId = 0; //Replace 0 with an eventId
SecurityEvent
| where EventID == eventId
A query to compare the number of records of type SecurityEvent for a specific Event Id, grouped by Computer within a specific time period:
let eventId = 0; //Replace 0 with an eventId
SecurityEvent
| where EventID == eventId
| summarize count() by Computer
A query to compare the number of records of type SecurityEvent for a specific Event Id, grouped by Account within a specific time period:
let eventId = 0; //Replace 0 with an eventId
SecurityEvent
| where EventID == eventId
| summarize count() by Account
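The three forensic pivots above (computer, user account, Event ID) can be combined into a single log search that also makes the ACS Start Date / End Date prompts explicit in the query instead of relying on the time picker, and that mirrors the report's UPPER() comparisons and its "Any of (Primary User, Target User)" condition. This is an added example, not a query from the original post; the TimeGenerated and TargetAccount column names and the sample date values are assumptions.

```kusto
// Added example: one query covering the Specified Computer, Specified User and
// Specified Event ID pivots. Leave a parameter empty ("" or 0) to skip that pivot.
let startDate = datetime(2016-07-01 00:00:00);   // ACS "Start Date on or after" (sample value)
let endDate   = datetime(2016-07-02 00:00:00);   // ACS "End Date on or before" (sample value)
let computerName = "";   // Forensic: Specified Computer, e.g. host.contoso.local
let accountName  = "";   // Forensic: Specified User, Domain\\Account
let eventId      = 0;    // Forensic: Specified Event ID
SecurityEvent
// the two prompted dates become an explicit window on the record timestamp (assumed column)
| where TimeGenerated between (startDate .. endDate)
// UPPER(x) = UPPER(y) in the semantic query maps to the case-insensitive =~ operator
| where isempty(computerName) or Computer =~ computerName
// "Any of (Primary Domain\User, Target Domain\User)": match the acting or the target account
// (TargetAccount is an assumed column name)
| where isempty(accountName) or Account =~ accountName or TargetAccount =~ accountName
| where eventId == 0 or EventID == eventId
// one row per computer/account/activity with a count and the first/last time it was seen,
// which is the view an investigator wants before drilling into individual records
| summarize Events = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Computer, Account, EventID, Activity
| order by Events desc
```

Remove the final summarize and order operators to get the raw records, as in the per-report queries above.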
To view the complete mapping between all Audit Collection Services (ACS) SSRS reports and search queries used in OMS Log Analytics, refer to:
https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/07/25/mapping-acs-reports-to-oms-search-queries/