Leveraging OMS Log Search to Capture Audit Failures and Audit Log Tampering

In this post, we look at how we can leverage the Security and Audit solution in OMS and using log searches to capture audit failures and audit log tampering based on the audit events theAudit Collection Services (ACS) in OpsMgr collects and reports on.

In ACS, there are 2 System Integrity related SSRS audit reports available out-of-the-box that allow the user to report on audit failures and audit logs cleared events that are occurring in their IT environment:

  1. The System Integrity: Audit Failure Report, and
  2. The System Integrity: Audit Log Cleared Report

The Security and Audit solution in OMS Log Analytics however provides a comprehensive view into your organization’s IT security posture with built-in search queries for notable issues that require your attention.

Adding the Security and Audit solution to an OMS workspace will allow Windows security events, Windows application events, and Windows firewall logs to be collected using direct agents or MMA agents that the user enabled.
For further information, refer to Security and Audit solution in Log Analytics by Bill Anderson.

To retrieve and analyze the security events highlighted by these 2 ACS Audit Reports in OMS Log Analytics, the SQL query search conditions used in these reports can be used as the filter expressions in OMS log search queries against records collected by the Security and Audit solution.

System Integrity: Audit Failure Report:

The report returns a list of computers with audit failure events within a given date/time range by searching for security events 4612 stored in the ACS database. Event 4612 indicates that the system failed to log audit events due to lack of resources.This is a serious problem and should be resolved as soon as possible to prevent further loss of audit events.
Running this report for a specific date/time range via the Reporting workspace in the OpsMgr Operations Console or the Reporting site will produce the following SSRS Report:

image

For more information about 4612 – Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits , visit https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4612

The RDL file of the Audit Failure Report uses a Semantic Query, with the following filter condition:
Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), Any of (Event Id = 516, Event Id = 4612))

The search condition from this SQL Query can be used as the filter expression of OMS log searches against Security and Audit solution records like the following example:

  • A search query to return all records of type SecurityEvent with EventID field containing 516 or 4612, limiting the result to the Activity and Computer fields:

    SecurityEvent
    | where EventID==516 or EventID==4612
    | project TimeGenerated, Activity, Computer

System Integrity: Audit Log Cleared Report

The report returns a list of computers with audit log cleared events and by whom within a given date/time range by searching for security events 1102 stored in the ACS database. Event 1102 indicates that somebody has cleared the Audit Log. This may suggest the person who cleared the log is trying to cover his/her tracks on the computer.
Running this report for a specific date/time range via the Reporting workspace in the OpsMgr Operations Console or the Reporting site will produce the following SSRS Report:

image

Here is an example of a 1102 – The audit log was cleared security event as shown at the Windows Security Auditing technical documentation on TechNet:
For more information about Event 1102, visit https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-1102

image

The RDL file of the Audit Log Cleared Report uses a Semantic Query, with the following filter condition:
Dv Alls with: All of (Start Date on or after (prompted), End Date on or before (prompted), Any of (Event Id = 517, Event Id = 1102))

The search condition from this SQL Query can be used as the filter expression of OMS log searches against Security and Audit solution records like the following example:

  • A search query to return all records of type SecurityEvent with EventID field containing 517 or 1102, limiting the result to the Activity, Computer, TimeGenerated and EventData fields:

    SecurityEvent
    | where EventID==517 or EventID==1102
    | project Activity, Computer, TimeGenerated, EventData

    Here is an example of what the records returned would look like when using this log search query:

    image

To view the complete mapping between all Audit Collection Services (ACS) SSRS reports and search queries used in OMS Log Analytics, refer to:
https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/07/25/mapping-acs-reports-to-oms-search-queries/

 

 

Disclaimer:
All information on this blog is provided on an as-is basis with no warranties and for informational purposes only. Use at your own risk. The opinions and views expressed in this blog are those of the author and do not necessarily state or reflect those of my employer.