共用方式為


OMS Free Tier Solution Based Billing Tracker – Security & Audit

On June 19, 2017, a new pricing model was introduced to the OMS Security and Compliance management offer and it applies to all OMS pricing tiers including the Free Tier. Solutions like the Security & Audit Solution if added anytime after the above cutoff date (June 19, 2017), will be free for the first 60 days. After the 60-day trial for the continuous use of this solution, a per node billing will be applied. This feature is called Solution Based Billing as this new billing is based on a specific solution instead of the pricing tier. This change will not affect an OMS Workspace if the Security & Audit Solution was added before June 19, 2017.
For more information, please visit the Security and Compliance Pricing site.
image  

This post features a custom OMS Dashboard – the Free Tier Solution Based Billing Tracker - Security & Audit – that extends the Log Analytics Usage and AzureActivity typed records. (Usage typed records are used primarily to drive the OMS Usage Dashboard and AzureActivity typed records are collected and stored by the OMS Azure Log Analytics Solution. This OMS Dashboard helps detect and list Security & Audit Solution related activities captured in the Azure Activity Log, like Add or Remove, that is happening in a particular workspace after June 19, 2017, and verifies whether or not the Solution Based Billing feature has been enabled for the Security & Audit Solution added in that OMS Workspace in the Free Tier. If the Solution Based Billing feature is enabled, per node billing after 60 days of continuous use of the Security & Audit Solution will apply.
The .omsview JSON file for the OMS Free Tier Solution Based Billing Tracker for the Security & Audit Solution can now be downloaded from the TechNet Gallery.

 image          image
 
The OMS Free Tier Solution Based Billing Tracker Dashboard – Security & Audit consists of a summary tile on the main page of the OMS Portal that shows

  1. The number of computers connected and sending data to the Security & Audit Solution
  2. A “1” if Solution Based Billing has been activated for the Security & Audit Solution of this OMS Workspace, and “0” if otherwise,

within a default 24 Hour window.

The following views are available when drilling-in from the summary tile:

  1. Information View – Provides a summary description for the OMS Free Tier Solution Based Billing Tracker - Security & Audit Dashboard, links to obtain further information and to download the .omsview JSON file for the dashboard.
  2. View 1 (Retention - 90 Days | Source - Azure Log) – Provides a last 24-hour summary of the number of times the Security & Audit Solution was added successfully after June 19, 2017 on the 2-Numbers Tile section, and lists the Security & Audit Solution related activities captured in the Azure Activity Log after June 19, 2017, like Add or Remove, order by date and time on the List section of the View.
  3. View 2 (Retention - 7 Days) – Provides a last 24-hour summary of the number of computers connected and sending data to the Security &Audit Solution on the Single Number Tile section, and returns a “YES” if Billing has been enabled for the Security & Audit Solution of the OMS Workspace in the Free Tier (when LinkedMeterId!="00000000-0000-0000-0000-000000000000" ),and a “NO”if otherwise on the List section of the View.
  4. View 3 (Retention - 7 Days) – Provides a chart of the total size of data uploaded by computers monitored by the Security & Audit Solution (in MB) over a 24-hour period on the Line Chart & Callout section, and returns a “YES” if Solution Based Billing specifically has been activated for the Security & Audit Solution of the OMS Workspace in the Free Tier (when LinkedMeterId="15e6182d-2afe-4c9e-8c23-4062bd80b3d4" in the Free Tier),and a “NO”if otherwise on the List section of the View.

image 

An OMS Workspace with the Security & Audit Solution added before June 19, 2017 would look like this example:

image
 

To implement the OMS Free Tier Solution Based Billing Tracker Dashboard – Security & Audit Dashboard to an OMS Workspace, download the .omsview JSON file from the TechNet Gallery and upload the file to the OMS Workspace using the Import option in the View Designer.

image

Here is the main log search query that extends the Azure Activity Log records in Log Analytics and is used to lists the Security & Audit Solution related activities captured after June 19, 2017:
Type=AzureActivity Resource=Security TimeGenerated>2017-06-19T00:00 | select OperationName, TimeGenerated

Here is the query that provides further filtering to look for records of the Security & Audit Solution being added successfully after June 19, 2017:
Type=AzureActivity Resource=Security ActivityStatus=Succeeded ActivitySubstatus=Created* TimeGenerated>2017-06-19T00:00

Since the AzureActivity typed records from the Azure Activity Logs are available in an OMS Workspace for 90 days, the list of Security & Audit Solution related activities beyond 7 days after June 19, 2017, like when was the solution added or removed, can be retrieved with these log search query to help with further analysis or auditing. Note that if the Azure Subscription has multiple OMS Workspaces, then the Azure Activity Log will contain the events from all the OMS Workspaces and accessible in these Workspaces as well.
 

Here are the main log search queries that extends the Log Analytics Usage records and used within theFree Tier Solution Based Billing Tracker - Security & Audit Dashboard to detect whether Solution Based Billing has been enabled for the Security and Audit Solution in an OMS Workspace in the Free Tier:

  1. Returns a “YES” if Billing has been enabled for the Security & Audit Solution of the OMS Workspace in the Free Tier, and a “NO” if otherwise
    Type=Usage DataType=SecurityEvent MeterId="2073b0aa-c836-4642-9d97-0635f52e3520" | Extend if(termfreq(LinkedMeterId,"00000000-0000-0000-0000-000000000000"),"NO", "YES") as IsFreeTierBilled| select IsFreeTierBilled| Top 1
  2. Returns a “YES” if Solution Based Billing has been activated for the Security & Audit Solution of the OMS Workspace in the Free Tier, and a “NO” if otherwise:
    Type=Usage DataType=SecurityEvent MeterId="2073b0aa-c836-4642-9d97-0635f52e3520" | Extend if(termfreq(LinkedMeterId,"15e6182d-2afe-4c9e-8c23-4062bd80b3d4"),"YES","NO") as Billing| select Billing | Top 1

OMS Alerts can be configured to send notifications to recipients (via emails or SMS) if Solution Based Billing is enabled or Security & Audit Solution activities from the Azure Activity Log is detected.

Here is a mapping of the Display Name to Meter ID GUID of some of the OMS Pricing Tiers:

  OMS Pricing Tier Display Name Meter ID GUID Comments
  Free 2073b0aa-c836-4642-9d97-0635f52e3520  
  OMS 15e6182d-2afe-4c9e-8c23-4062bd80b3d4 Not Free
  Standard 99762400-c6ee-4f87-91ba-0508f1638e21 Legacy
     

If the Linked Meter Id of SecurityEvent related Usage typed records from the Security & Audit Solution is not overriden and still maintains the default value of "00000000-0000-0000-0000-000000000000" , it indicates that billing has not been enabled for the Security & Audit Solution in this OMS Workspace, as shown in the picture below for an OMS Workspace in the Free Tier:
image 

If the Linked Meter Id of SecurityEvent related Usage typed records from the Security & Audit Solution is overriden with a value NOT EQUALS to  "00000000-0000-0000-0000-000000000000" , it indicates that billing has been enabled for the Security & Audit Solution in this OMS Workspace, and Solution Based Billing has been enabled if the Linked Meter Id is EQUAL to “15e6182d-2afe-4c9e-8c23-4062bd80b3d4" , as shown in the picture below for an OMS Workspace in the Free Tier:
 image 

In this case, after 60 days of trial for the continuous use of this solution, a per node billing will be applied.

Disclaimer:
All information on this blog is provided on an as-is basis with no warranties and for informational purposes only. Use at your own risk. The opinions and views expressed in this blog are those of the author and do not necessarily state or reflect those of my employer.