Leveraging OMS Log Search to Report on User Logon and Object Access Events

In this post, we look at how we can leverage the Security and Audit solution in OMS and using log searches to retrieve records on user logon and object access based on the audit events theAudit Collection Services (ACS) in OpsMgr collects and reports on.

In ACS, there are 4 Usage related SSRS audit reports available out-of-the-box that allow the user to report on user logon and object access events that are occurring in their IT environment.

  1. The Usage: Object Access Report,
  2. The Usage: User Logon Report,
  3. The Usage: Privileged Logon, and
  4. The Usage: Sensitive Security Groups Changes

The Security and Audit solution in OMS Log Analytics however provides a comprehensive view into your organization’s IT security posture with built-in search queries for notable issues that require your attention.
Adding the Security and Audit solution to an OMS workspace will allow Windows security events, Windows application events, and Windows firewall logs to be collected using direct agents or MMA agents that the user enabled.
For further information, refer to Security and Audit solution in Log Analytics by Bill Anderson.

To retrieve and analyze the security events highlighted by these 4 ACS Audit Reports in OMS Log Analytics, the SQL query search conditions used in these reports can be used as the filter expressions in OMS log search queries against records collected by the Security and Audit solution.

Usage: Object Access Report:

The report shows all object access related audit events within a given date/time range by searching for security events 4656 and 4663 stored in the ACS database.
Running this report for a specific date/time range via the Reporting workspace in the OpsMgr Operations Console or the Reporting site will produce the following SSRS Report:

image

Here is an example of a 4656 – A handle to an object was requested security event as shown at the Windows Security Auditing technical documentation on TechNet:
For more information about Event 4656, visit https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4656

image

Here is an example of a 4663 – An attempt was made to access an object security event as shown at the Windows Security Auditing technical documentation on TechNet:
For more information about Event 4663, visit https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4663

image

The main part of the SQL query used in the RDL file of the Object Access Report is:

SELECT *FROM AdtServer.dvAllWHERE (EventId = 4656 OR EventId = 4663) AND (CreationTime >= @StartDate) AND (CreationTime <= @EndDate)

The search condition from this SQL Query can be used as the filter expression of OMS log searches against Security and Audit solution records like the following example:

  • A search query to return all records of type SecurityEvent with EventID field containing 560 or 567 or 4656 or 4663, limiting the result to the Activity, Computer, TimeGenerated and EventData fields:

    SecurityEvent
    | where EventID==560 or EventID==567 or EventID==4656 or EventID==4663
    | project Computer, Activity, TimeGenerated, EventData

     
    Here is an example of what the records returned would look like when using this log search query:

    image

Usage: User Logon Report

The report shows all user logon activities for a specific user, within a given date/time range by searching for security event 4624 stored in the ACS database.
The following figure shows the input parameters for this SSRS Report in the Reporting workspace in the OpsMgr Operations Console or the Reporting site:

image

Here is an example of a 4624 – An account was successfully logged on security event as shown at the Windows Security Auditing technical documentation on TechNet:
For more information about Event 4624, visit https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4624

image

The RDL file of the User Logon Report uses a Semantic Query, with the following filter condition:
Dv Alls with: All of (Event Id in 528, 540, 4624, Start Date on or after (prompted), End Date on or before (prompted), Any of (UPPER(Primary Domain\User) = UPPER(Parameter: Domain\User), UPPER(Target Domain\User) = UPPER(Parameter: Domain\User)))

The search condition from this SQL Query can be used as the filter expression of OMS log searches against Security and Audit solution records like the following example:

  • A search query to return all records of type SecurityEvent with EventID field containing 528 or 540 or 4624, limiting the result to the Activity, Computer, TimeGenerated, IpAddress, AuthenticationPackageName, LogonProcessName, LogonTypeName and TargetAccount fields:

    SecurityEvent
    | where EventID==528 or EventID==540 or EventID==4624
    | project TimeGenerated, Activity, Computer, IpAddress, AuthenticationPackageName, LogonProcessName, LogonTypeName, TargetAccount

    Here is an example of what the records returned would look like when using this log search query:

    image

****Usage: Privileged Logon Report**** The report returns a list of privileged logon events occurring within a given date/time range by searching for security event 4672 stored in the ACS database. Running this report for a specific date/time range via the Reporting workspace in the OpsMgr Operations Console or the Reporting site will produce the following SSRS Report: ![image](https://msdntnarchive.z22.web.core.windows.net/media/2016/08/image216.png "image") Here is an example of a ***4672*** ***– Special privileges assigned to new logon*** security event as shown at the **Windows Security Auditing** technical documentation on **TechNet**: For more information about Event 4672, visit [https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4672](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4672 "https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4672") ![image](https://msdntnarchive.z22.web.core.windows.net/media/2016/08/image217.png "image") The RDL file of the Privileged Logon Report uses a [Semantic Query](https://msdn.microsoft.com/en-us/library/ff718741\(v=sql.105\).aspx), with the following filter condition: *Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), Any of (Event Id = 576, Event Id = 4672), Privileges does not contain "SeChangeNotifyPrivilege")* The search condition from this SQL Query can be used as the filter expression of OMS log searches against Security and Audit solution records like the following example:
  • A search query to return all records of type SecurityEvent with EventID field containing 576 or 4672, limiting the result to the Activity, Computer, TimeGenerated and EventData fields:

    SecurityEvent
    | where EventID==576 or EventID==4672
    | project TimeGenerated, Activity, Computer, SubjectAccount, PrivilegeList

    Note: As the PrivilegeList field is non-searchable in OMS, the exclusion of records containing "SeChangeNotifyPrivilege" can be done after exporting the all the records retrieved to Excel.

    Here is an example of what the records returned would look like when using this log search query:

    image 
     

****Usage: Sensitive Security Groups Changes Report**** The report returns information on sensitive security group changes within a given date/time range by searching for security events within the range of 4727 to 4735 or 4754 to 4758 or 4737 that are stored in the ACS database. Running this report for a specific date/time range via the Reporting workspace in the OpsMgr Operations Console or the Reporting site will produce the following SSRS Report: [![image](https://msdntnarchive.z22.web.core.windows.net/media/2016/08/image_thumb154.png "image")](https://msdntnarchive.z22.web.core.windows.net/media/2016/08/image219.png)  Here is an example of a ***4735*** ***– A security-enabled local group was changed*** security event as shown at the **Windows Security Auditing** technical documentation on **TechNet**: For more information about Event 4735, visit [https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4735](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4735 "https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4735") ![image](https://msdntnarchive.z22.web.core.windows.net/media/2016/08/image220.png "image")   The RDL file of the Sensitive Security Groups Changes Report uses a [Semantic Query](https://msdn.microsoft.com/en-us/library/ff718741\(v=sql.105\).aspx), with the following filter condition: *Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted). Any of (All of (Event Id \>=631, Event Id \<=639, Event Id=641, All of (Event Id \>= 658, Event Id \<= 662), All of (Event Id \>= 4727, Event Id \<= 4735), Event Id=4737. All of (Event Id \>= 4754, Event Id \<= 4758)))* The search condition from this SQL Query can be used as the filter expression of OMS log searches against Security and Audit solution records like the following example:
  • A search query to return all records of type SecurityEvent with EventID field containing a value within the range of 4727 to 4735 or 4754 to 4758 or 631 to 639 or 658 to 662 or equals to 4737 or 641 , limiting the result to the Activity, GroupName, SubjectAccount, MemberName and TimeGenerated fields:

    SecurityEvent
    | where EventID between (4727 .. 4735) or EventID==4737 or EventID between (4754 .. 4758) or EventID between (631 .. 639) or EventID==641 or EventID between (658 .. 662)
    | project Activity, GroupName=TargetUserName, SubjectAccount, MemberName, TimeGenerated
    | order by Activity desc

    Here is an example of what the records returned would look like when using this log search query:

    image

To view the complete mapping between all Audit Collection Services (ACS) SSRS reports and search queries used in OMS Log Analytics, refer to:
https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/07/25/mapping-acs-reports-to-oms-search-queries/

 

Disclaimer:
All information on this blog is provided on an as-is basis with no warranties and for informational purposes only. Use at your own risk. The opinions and views expressed in this blog are those of the author and do not necessarily state or reflect those of my employer.