Security has become an even more important topic in the last decade, due in part to several public security breaches at well-known companies. These breaches increase every year not only in number but in size, and the threat actors behind them have grown more sophisticated (skilled, funded, and organized) over time. To prevent, detect, and intercept such breaches in time, we need to incorporate new tools and methods. Operations Management Suite (OMS) has a security offering that consists of a couple of solutions, and also integrates with a few other solutions that are part of the Insights & Analytics offering.
In this chapter, we will go through the Antimalware Assessment and Security and Audit solutions. Additionally, we will see how we can leverage Log Analytics for auditing PowerShell and Windows Firewall port rules. By learning how to use these OMS solutions, you will be able to improve your organization's security posture.
The Antimalware Assessment solution identifies which servers in your environment are infected with malware or at risk of infection. To provide malware status, the machines that are added to OMS must have one of the following agents installed:
The Microsoft Monitoring Agent (MMA) reads antimalware protection status and detected threats on servers with those agents, and then sends the data to Log Analytics for processing. From Log Analytics, the data can be queried to show protection and threat status for the monitored systems.
Note: Windows Management Framework (WMF) 3.0 or later is required on the servers where any of the listed agents are installed.
Follow these steps to add Antimalware Assessment solution.
FIGURE 1. ANTIMALWARE ASSESSMENT SOLUTION
Note: Antimalware Assessment solution can be deployed via Azure marketplace as well.
One of the prerequisites of using Antimalware Assessment solution is to have a machine connected to OMS that has a supported agent installed. Follow these steps to install the antimalware extension on the Azure VM.
Note: The VM must also be connected to OMS with Microsoft Monitoring Agent or through System Center Operations Manager.
FIGURE 2. EXTENSIONS BLADE
Note: If your Azure VM is Windows Server 2016 there is no need to install Microsoft Antimalware extension as Windows Defender is part of the OS.
Excluded Files and Locations:
Excluded File Extensions:
Excluded Processes:
Real-Time Protection: Enabled
Run A Scheduled Scan: Enabled
Scan Type: Full
Scan Day: Saturday
Scan Time: 120
FIGURE 3. MICROSOFT ANTIMALWARE EXTENSION
Once you add the Antimalware Assessment solution, you will start to see malware related data in OMS whether you have machines with supported antimalware agents or not. Those machines that do not have a supported antimalware agent will be reported with status "No Real Time Protection".
Follow these steps to search Antimalware Assessment Data.
FIGURE 4. ANTIMALWARE OVERVIEW TILE
Depending on your environment you may see different results.
FIGURE 5. ANTIMALWARE ASSESSMENT DASHBOARDS
Type=ProtectionStatus
FIGURE 6. MALWARE ASSESSMENT DATA
Type:ProtectionStatus TimeGenerated>NOW-2HOUR | measure max(ProtectionStatusRank) as Rank by DeviceName | where Rank>=270
FIGURE 7. MACHINES WITH NO ANTI-MALWARE PROTECTION
Note: The copied text from http://www.eicar.org/86-0-Intended-use.html is not real malware. It serves as a test. Complete description is provided on the web page.
FIGURE 8. ANTI-MALWARE TESTFILE
Note: Antimalware Assessment data is gathered on an hourly interval.
FIGURE 9. MALWARE THREAT
FIGURE 10. MALWARE THREAT DETAILS
Note: Currently, threat detection does not work for Symantec Endpoint Protection and Trend Micro Deep Security agents.
Security and Audit is a solution that provides forensic analysis, investigation of security breach patterns, threat detection, and auditing capabilities. Data for Security and Audit is ingested from various sources, depending on the type of node. For Windows machines, security data is collected from the Security event log, the Windows Firewall log, and the AppLocker event log. For Linux machines, security data is collected from syslog. As soon as data is generated in those logs, it is sent to the OMS service. Additionally, security baseline scans are performed every day for Windows machines. The solution is partially functional just by adding it to your OMS workspace, but some additional configuration is required for full functionality. One such functionality is a feature named Malicious IP. The Windows Firewall logs record information about communication with public IP addresses. On an hourly basis, OMS connects to the Microsoft Threat Intelligence Center (MSTIC) and gets the latest information on public IP addresses that are related to suspicious activities. The MSTIC team works with various threat intelligence partners to gather and provide this consolidated list to the OMS service. OMS matches the data from MSTIC against the public IPs your servers are communicating with. That joined data is exposed in OMS and can be searched. For those malicious IPs, information such as threat type and threat description is available in the fields returned. Other solutions, like Wire Data 2.0 and IIS Logs, also gather network communication data. When those solutions are added, they increase the reach of this intelligence by providing more information.
Note: The Security event log generates high-velocity data. This requires the data to be sent immediately to the OMS service. When SCOM is used as the data source, the data is not forwarded to the SCOM management server and from there uploaded to OMS; rather, it is sent directly from the Microsoft Monitoring Agent to the OMS service. This behavior prevents performance issues on the SCOM management server.
Follow these steps to add Security and Audit solution.
FIGURE 11. SECURITY AND AUDIT SOLUTION PAGE
Note: You can add Security and Audit solution from Azure Marketplace as well. If you deploy Security & Compliance from either Azure or OMS portal the solution will be deployed along with it.
FIGURE 12. SECURITY AND AUDIT SOLUTION DEFAULT ALERTS
The Security and Audit solution offers centralized settings for which Windows events will be collected. Execute the steps below to configure the Security and Audit solution settings:
FIGURE 13. SETTINGS PAGE – SOLUTIONS
FIGURE 14. SECURITY AND AUDIT SOLUTION
FIGURE 15. SECURITY AND AUDIT SETTINGS
Table 1 provides information for all available options in Security and Audit settings.
Setting | Description | Windows Security Event IDs | AppLocker event IDs |
All events | OMS will collect all Windows Security and AppLocker event logs. For customers who want to make sure all events are collected. | all | all |
Common | OMS will collect a standard set of events to enable common security and audit tasks. This is a set of events that will satisfy most customers and allow them a full audit trail. | 1102, 4626, 4625, 4657, 4663, 4688, 4700, 4702, 4719, 4720, 4722, 4723, 4724, 4727, 4728, 4732, 4735, 4737, 4739, 4740, 4754, 4755, 4756, 4767, 4825, 4946, 4948, 4956, 5024, 5033, 299, 300, 324, 340, 403, 404, 410, 411, 412, 413, 431, 500, 501, 1100, 1107, 1108, 4608, 4610, 4611, 4614, 4616, 4622, 4634, 4647, 4648, 4649, 4658, 4661, 4662, 4665, 4666, 4667, 4670, 4673, 4674, 4675, 4689, 4690, 4697, 4704, 4705, 4716, 4717, 4718, 4725, 4726, 4729, 4733, 4738, 4742, 4744, 4745, 4746, 4750, 4751, 4752, 4757, 4760, 4761, 4762, 4764, 4768, 4771, 4774, 4778, 4779, 4781, 4793, 4797, 4798, 4799, 4800, 4801, 4802, 4803, 4826, 4870, 4886, 4887, 4888, 4893, 4898, 4902, 4904, 4905, 4907, 4931, 4932, 4933, 4985, 5059, 5136, 5137, 5140, 5145, 5632, 6144, 6145, 6272, 6273, 6278, 8222, 26401, 30004 | 8001, 8002 |
Minimal | OMS will collect the minimal set of events that are required for threat detections. By enabling this option, you won't be able to have a full audit trail. A smaller set of events for customers who want to minimize the event volume. | 1102, 4626, 4625, 4657, 4663, 4688, 4700, 4702, 4719, 4720, 4722, 4723, 4724, 4727, 4728, 4732, 4735, 4737, 4739, 4740, 4754, 4755, 4756, 4767, 4825, 4946, 4948, 4956, 5024, 5033 | 8001, 8002 |
None | No security or AppLocker events will be collected. Security and Audit solution will only present data based on agent assessment, such as Antimalware, Security Baseline, and Update. For customers who choose this option, their security dashboards will have only Windows Firewall logs and proactive assessments like antimalware, baseline, and update. | None | None |
TABLE 1. SECURITY SETTINGS
If you have configured OMS to gather All events from Security and Audit settings, you will still need to configure what kind of auditing events are being logged on your Windows servers. This is configured through Windows audit policies. More security events can be enabled or disabled through policies thus providing more or less data in OMS and visibility into your environment. The steps below walk through configuring audit policies in domain group policies, but the same steps can be executed with local group policies as well.
Follow these steps to configure advanced audit policies.
FIGURE 16. ADVANCED AUDIT POLICIES
AppLocker audit events need to be configured to provide you with information about which executables, installers, scripts, and packages are used in your environment. That data can be used to find executables that are running in your environment.
Follow these steps to configure AppLocker Policies for Audit Only.
FIGURE 17. APPLOCKER POLICIES
FIGURE 18. APPLOCKER PROPERTIES
FIGURE 19. CREATE EXECUTABLE RULES WIZARD
Windows Firewall log policies, like AppLocker policies, are not configured by default. You will need to configure them so that the OMS agent can collect them into Log Analytics through the Security and Audit solution.
Follow these steps to configure Windows Firewall Log Policies.
FIGURE 20. WINDOWS FIREWALL WITH ADVANCED SECURITY POLICIES
FIGURE 21. LOGGING SETTINGS FOR WINDOWS FIREWALL PROFILES
Advanced Threat Analytics (ATA) is an on-premises platform that helps protect your enterprise from multiple types of advanced targeted cyber-attacks and insider threats. It uses information from multiple data sources in your network to learn the behavior of users and other entities in the organization and build a behavioral profile of them, and it leverages ATA's proprietary network parsing engine to capture and parse network traffic of multiple protocols. Microsoft ATA functionality is similar to the Threat Detection feature in the Security and Audit solution. ATA logs any suspicious activities, and when the integration with Log Analytics is set up, the information for those activities appears in the SecurityDetection type along with threat detections from the Security and Audit solution.
Execute the following steps to setup the integration with Microsoft ATA:
FIGURE 22. MICROSOFT ATA CONSOLE
Syslog server endpoint: 127.0.0.7:5114
Transport: UDP
Format: RFC5424
FIGURE 23. SYSLOG SERVER CONFIGURATION
FIGURE 24. SYSLOG NOTIFICATIONS
FIGURE 25. MICROSOFT ATA SUSPICIOUS ACTIVITY
FIGURE 26. MICROSOFT ATA SUSPICIOUS ACTIVITY IN OMS
Note: You may see the same activities logged twice but with different provider field value. Initially, basic integration was provided between OMS Log Analytics and Microsoft ATA. That basic integration is still active but it will be deprecated in the future. Events from that old integration are logged with Provider field value Microsoft ATA, where the new integration is using Advanced Threat Analytics value.
The Security and Audit solution can be integrated with third-party devices and systems that generate Common Event Format (CEF) logs. In such a scenario, the third-party system sends syslog events to a Linux-based machine that is connected to your OMS Log Analytics workspace. The Linux-based machine receives the syslog events and forwards them to the workspace. Basically, the Linux machine acts as a forwarder.
Execute the steps below to ingest logs from Cisco ASA device to Log Analytics:
sudo vi /etc/opt/microsoft/omsagent/conf/omsagent.conf
FIGURE 27. OMSAGENT.CONF FILE
<source>
  type syslog
  port 25225
  bind 0.0.0.0
  protocol_type udp
  tag oms.security
  format /^(?<time>(?:\w+ ){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? (?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$/
</source>
<filter oms.security.**>
  type filter_syslog_security
</filter>
FIGURE 28. SECURITY_EVENTS.CONF FILE
10. This tells the OMS agent to listen on the specified port for syslog events being sent, format them appropriately, and forward them to the Log Analytics workspace.
Press the ESC key and enter :wq to save the configuration.
Note: In this example, we've modified security_events.conf to be different from the proposed one located at https://github.com/Microsoft/OMS-Agent-for-Linux/blob/master/installer/conf/omsagent.d/security_events.conf . In the example given in the OMS Agent for Linux repository, the syslog events are first sent to the rsyslog or syslog-ng service and then forwarded to the OMS agent. In our example, we use the solution proposed by Daniele Grandini (https://nocentdocent.wordpress.com/2016/09/14/msoms-collecting-cisco-asa-events-the-right-way/ ), where syslog events are sent directly to the OMS agent.
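Before pointing a device at the agent, it is worth checking that the format regex in security_events.conf actually accepts the lines the device produces. The following is an added Python example (not from the page or the OMS agent project) that applies the same pattern to a few constructed Cisco ASA and Linux syslog lines and reports the lines the agent would fail to parse.

```python
import re

# The `format` regex from security_events.conf, with Ruby-style (?<name>) groups
# rewritten as Python's (?P<name>) so the same pattern can be exercised here.
FLUENTD_FORMAT = (
    r"^(?<time>(?:\w+ ){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? "
    r"(?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$"
)
SYSLOG_RE = re.compile(FLUENTD_FORMAT.replace("(?<", "(?P<"))


def parse_syslog(line):
    """Return the fields the agent would extract from one syslog line, or None
    when the line does not match (such a record never reaches Log Analytics)."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def unparsed_lines(lines):
    """Lines the format rejects; run this over a sample of real device output
    before enabling the syslog server on the device."""
    return [ln for ln in lines if parse_syslog(ln) is None]


# Constructed sample lines in the shape a Cisco ASA sends over UDP syslog
# (not captured from a real device).
SAMPLE_LINES = [
    "Mar 15 10:20:30 asa-fw %ASA-6-302013: Built outbound TCP connection 8812 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.7/51234 "
    "(10.0.0.7/51234)",
    "Mar 15 10:20:31 asa-fw %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 "
    "dst inside:10.0.0.7/22 by access-group \"outside_in\"",
    # a generic Linux syslog line: no host field, but a pid in brackets
    "Mar 15 10:20:32 sshd[2231]: Accepted publickey for ops from 10.0.0.9 port 50412",
    # a line with no syslog header at all
    "this line has no syslog header",
]

if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        print(parse_syslog(ln))
    print("unparsed:", unparsed_lines(SAMPLE_LINES))
```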
FIGURE 29. ENABLE LOGGING
FIGURE 30. ADD SYSLOG SERVER
FIGURE 31. ADD SYSLOG SERVER SEVERITY CONFIGURATION
FIGURE 32. CONFIGURE TIMESTAMP AND HOSTNAME
FIGURE 33. COMMONSECURITYLOG TYPE
Some steps in this scenario are specific to Cisco ASA device but most of them are generic and can be used to forward events from any 3rd party device that supports CEF format.
Note: The full documentation on this scenario is available at https://github.com/Microsoft/OMS-Agent-for-Linux/blob/master/docs/Security-Events-Preview-Configuration.md .
In Windows, we have the Windows Security Event log to collect security events and audit Windows based systems. Linux has a similar capability called Linux Auditing System, also known as Auditd. Auditd allows you to create an audit trail, which is basically a log for every action on the server. Security-relevant events can be recorded via Auditd. These events can be analyzed for malicious or unauthorized activities. The OMS team is currently working on integration with Auditd for the Security and Audit solution and in this section, we will have a glimpse of what that integration looks like.
In the steps below, we will go through a scenario where a Linux machine is configured with Auditd and its logs are ingested into Log Analytics. On that Linux machine, a successful brute force attack is made, and some executables are downloaded and then executed to perform malicious actions.
FIGURE 34. LOGIN ATTEMPTS ON LINUX MACHINES LOG
FIGURE 35. SUCCESSFUL LOGIN ATTEMPT ON LINUX MACHINE
FIGURE 36. WGET EXECUTED RECORD
FIGURE 37. PROCESS CREATION RECORDS
FIGURE 38. ALL EXECUTED PROCESSES
The simple scenario above illustrates the kind of audit data that is being collected by Log Analytics. We can easily imagine how in the near future this data can be used for further integration with the Security and Audit solution, where we can be notified about threat detections and notable security issues appearing in our Linux environments.
Note: Auditd integration is currently in private preview.
To take full advantage of the Security and Audit solution, the following data sources or solutions need to be configured as well:
When we take a walk through the dashboards in Security and Audit solution in the next sections, we will explain which ones visualize data from which sources.
Execute the steps below to navigate to Security and Audit solution dashboards:
FIGURE 39. SECURITY AND AUDIT TILE
FIGURE 40. SECURITY AND AUDIT DASHBOARDS
The dashboards are divided into four groups: Security Domains, Notable Issues, Detections, and Threat Intelligence.
In the Security Domains group, there are 8 tiles and one dashboard. The dashboard shows the number of security events over time. Counted are all the records present in the SecurityEvent type, which is where Windows security events are stored. You can click on the dashboard to visualize the data in a bigger chart.
When you click on the Antimalware Assessment tile, it leads you to the same dashboards available from the Antimalware Assessment solution we covered earlier in this chapter. The benefit of this shortcut is that you have all your security data in one centralized dashboard.
The Update Assessment tile leads to the dashboards for Update Management solution.
This solution was covered in "Chapter 5: Change and Update Management".
The Network Security Tile leads to dashboards showing network data from different sources in the context of security. The Wire Data 2.0 solution feeds most of the dashboards in this view. Wire Data 2.0 stores its data as type WireData. Additionally, data from types W3CIISLog (IIS log ingestion), WindowsFirewall (Windows Firewall log ingestion), CommonSecurityLog (Common Event Format and Cisco ASA log ingestion) and DnsEvents (DDI Analytics solution) are also used for data related to Malicious IP communication.
Execute the steps below to explore Network Security dashboards:
FIGURE 41. NETWORK SECURITY DASHBOARDS
FIGURE 42. MALICIOUS IPS DATA
Note: Malicious IP data is inserted for Wire Data logs, IIS logs, Windows Firewall logs and Common Security Logs. These logs are scanned on a regular interval and if any inbound or outbound communication is found with a malicious IP, additional data is inserted into the records of those logs. That additional data is represented with fields like MaliciousIP, IndicatorThreatType, TLPLevel, Confidence, IsActive, etc.
The Identity and Access security domain leads to a group of dashboards that can immediately assist you in identifying potentially suspicious activities. By monitoring your identity-related activities, you will be able to take proactive steps before an incident takes place, or reactive actions to stop an attack attempt.
Execute the steps below to explore Identity and Access dashboards:
FIGURE 43. IDENTITY AND ACCESS DASHBOARDS
FIGURE 44. FAILED LOGINS - AZURE ACCOUNT
This tile can be used to see the number of computers that are reporting with the different security log types, as shown in Figure 45.
FIGURE 45. NUMBER OF COMPUTERS BY SECURITY LOGS
To view better summarization of security data by computer, execute the following steps:
FIGURE 46. COMPUTER SECURITY VIEW
You can use this view to get a quick security summary per computer.
This tile is a shortcut to the Threat Intelligence dashboard. Threat Intelligence takes advantage of Malicious IP information and visualizes the data on an interactive map, as shown in Figure 47.
FIGURE 47. THREAT INTELLIGENCE DASHBOARD
When you click on malicious incoming or outgoing traffic on the map, you will get additional information, such as an overview of the threat and possibly even a link to a full report, as shown in Figure 48.
FIGURE 48. THREAT INTELLIGENCE REPORT
Additionally, you can zoom in and out on the map, and click on the results in the threat breakdown dashboard group or the threat details group. Malicious IP data is produced the same way as explained earlier in this chapter.
The Baseline Assessment tile leads to the Security Baseline Assessment dashboard.
Microsoft, together with industry and government organizations worldwide, defines a Windows configuration that represents highly secure server deployments. Such a configuration is represented by registry keys, audit policy settings, and security policy settings and their recommended values from Microsoft on the Windows operating system. This set of rules is known as a Security baseline. The Security and Audit solution has all this information and will scan your computers on the state of these settings.
Note: Security Baseline Assessment currently works on Windows Server 2008 R2 and above. Support for Linux is planned for future release as described at https://blogs.technet.microsoft.com/msoms/2016/08/12/use-oms-security-to-assess-the-security-configuration-baseline/ .
Execute the steps below to explore the Security Baseline Assessment feature:
FIGURE 49. SECURITY BASELINE ASSESSMENT DASHBOARDS
FIGURE 50. SECURITY BASELINE ASSESSED COMPUTERS
FIGURE 51. SECURITYBASELINESUMMARY TYPE
FIGURE 52. SECURITY BASELINE RULE VIEW
FIGURE 53. FAILED SECURITY BASELINE RULE
Azure Automation Configuration Management can be used to apply these rules and make sure there is no drift from the desired configuration. The Security and Audit solution will report whether you are compliant with all the baseline rules. Once a computer becomes compliant with a rule, this will be reported in the security baseline summary for that computer upon the next scan.
The Azure Security Center tile is just a shortcut to Security Center in Azure portal.
Notable issues help you identify potential issues in your environment. Each issue is assigned and grouped by severity, as shown in Figure 54.
FIGURE 54. NOTABLE ISSUES DASHBOARD
There are 3 types of severities: Critical, Warning, and Info. Some of these issues are already covered in the different dashboards of the Security and Audit solution; this dashboard visualizes the most important ones. Behind each notable issue, there is a query that is executed when the dashboard is loaded. These queries are saved in 3 saved search categories, as shown in Figure 55.
FIGURE 55. NOTABLE ISSUES QUERIES
The Notable Issues dashboard is extensible. If you save a query inside one of those 3 saved search categories and that query returns results, it will show up in the dashboard list.
Execute the steps below to add a Notable issue:
Note: In order to get results, AppLocker auditing must be configured and MIMIKATZ.exe must have been run on a computer.
FIGURE 56. ADDING NOTABLE ISSUE
FIGURE 57. ADDED NOTABLE ISSUE
You can extend this dashboard with queries that target other log types that are not part of the Security and Audit solution.
Detections is a feature that analyzes the security events and looks for patterns to indicate a threat. At the backend, it is using advanced analytics and techniques like behavioral analysis. As a cloud solution, the built-in security detection logic is updated constantly with new attack patterns. The full list of detections is not disclosed to protect the customers using the solution. Detections are stored in SecurityDetection type. All detections generated from the Security and Audit solution or from the Microsoft Advanced Threat Analytics (ATA) integration will appear in the Detections dashboard, as shown in Figure 58.
FIGURE 58. DETECTIONS DASHBOARD
Note: This feature heavily relies on configuring AppLocker policies and enabling security event 4688 with process command line field. Process command line field is available from Windows Server 2012 R2, Windows 8.1 and above. More information can be found at https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4688
As the list of detections is not disclosed, it is hard to simulate a detection. There are a few known detections, like masking an exe file with a double extension, as shown in Figure 59.
FIGURE 59. SUSPICIOUS DOUBLE EXTENSION FILE DETECTION
Threat Intelligence is the same feature described earlier. In this group, you have quick access to the world map with the incoming and outgoing malicious traffic, as well as some breakdowns of the threats, as shown in Figure 60.
FIGURE 60. THREAT INTELLIGENCE GROUP DASHBOARDS
The capabilities in Log Analytics, like Log Management, can be used to provide auditing on other services that are not available out of the box in Security and Audit. In this section, we will show how we can provide auditing for Windows Firewall configuration and PowerShell.
Note: When you set up these advanced scenarios, their usage will count against the Insights & Analytics offering when per-node licensing is chosen.
Follow these steps to configure and use Windows Firewall Configuration auditing.
FIGURE 61. ADDING WINDOWS FIREWALL LOG
FIGURE 62. WINDOWS FIREWALL WITH ADVANCED SECURITY CONSOLE
Type=Event EventLog="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" EventID=2005
FIGURE 63. WINDOWS FIREWALL CONFIGURATION LOG
FIGURE 64. EXTRACT FIELDS
Give a name to the field, like FirewallRuleName_CF and click Extract.
FIGURE 65. EXTRACT FIREWALL RULE NAME FIELD
FIGURE 66. EXTRACT FIREWALL RULE USER FIELD
Type=Event EventLog="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" EventID=2005
FIGURE 67. CUSTOM FIELDS POPULATED
You can extract more fields from the same log. For example, you can extract whether the rule was enabled or disabled during the modification: the Active field with value 1 means enabled and value 0 means disabled.
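As an added example (not code from the page), the extraction that the custom fields above perform can be reproduced offline in Python over the EventData of event 2005, including the Active flag mapping and a record where a field is missing. The Data element names RuleName, ModifyingUser and Active are assumed from the Windows Firewall event schema, and the records are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Custom field names as extracted on the page, plus one for the Active flag.
FIELD_MAP = {
    "RuleName": "FirewallRuleName_CF",
    "ModifyingUser": "FirewallRuleUser_CF",
    "Active": "FirewallRuleActive_CF",
}


def extract_fields(event_data_xml):
    """Pull rule name, modifying user and Active out of an event 2005 EventData
    block. Active arrives as 1 (enabled) or 0 (disabled); a missing element
    yields None instead of a guessed value."""
    root = ET.fromstring(event_data_xml)
    values = {d.get("Name"): (d.text or "").strip() for d in root.iter("Data")}
    out = {cf: values.get(name) for name, cf in FIELD_MAP.items()}
    active = out["FirewallRuleActive_CF"]
    if active is not None:
        out["FirewallRuleActive_CF"] = "enabled" if active == "1" else "disabled"
    return out


def changes_by_user(events):
    """Rule modifications per user (the `measure count() by` view), skipping
    records where the user could not be extracted."""
    c = Counter()
    for e in events:
        user = extract_fields(e)["FirewallRuleUser_CF"]
        if user:
            c[user] += 1
    return c


def disabled_rules(events):
    """Names of rules whose modification left them disabled; a rule being
    switched off usually deserves a closer look than one being enabled."""
    return [f["FirewallRuleName_CF"] for f in map(extract_fields, events)
            if f["FirewallRuleActive_CF"] == "disabled"]


# Constructed EventData for three event 2005 records (not real captures); the
# Data element names are assumed to follow the Windows Firewall event schema.
SAMPLE_EVENTS = [
    r"""<EventData>
  <Data Name="RuleName">Allow RDP from jump host</Data>
  <Data Name="LocalPorts">3389</Data>
  <Data Name="Active">1</Data>
  <Data Name="ModifyingUser">CONTOSO\jdoe</Data>
  <Data Name="ModifyingApplication">C:\Windows\System32\netsh.exe</Data>
</EventData>""",
    r"""<EventData>
  <Data Name="RuleName">Block inbound SMB</Data>
  <Data Name="LocalPorts">445</Data>
  <Data Name="Active">0</Data>
  <Data Name="ModifyingUser">CONTOSO\jdoe</Data>
</EventData>""",
    # partial record with no ModifyingUser element
    r"""<EventData>
  <Data Name="RuleName">Core Networking - DNS (UDP-Out)</Data>
  <Data Name="Active">1</Data>
</EventData>""",
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(extract_fields(e))
    print(changes_by_user(SAMPLE_EVENTS))
    print(disabled_rules(SAMPLE_EVENTS))
```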
PowerShell can be audited with Log Analytics through some simple steps. As a result, you will be able to see what PowerShell commands are executed in your environment and by whom.
Follow these steps to audit PowerShell.
Note: Character * enables audit logs for all PowerShell commands. If you want to enable logging for specific PowerShell modules, you can enter names of the modules, such as ActiveDirectory.
FIGURE 68. TURN ON MODULE LOGGING POLICY
FIGURE 69. ADDING POWERSHELL AUDIT LOG
Type=Event EventLog="Microsoft-Windows-PowerShell/Operational" EventID=4103
FIGURE 70. POWERSHELL AUDIT LOGS
FIGURE 71. EXTRACT FIELDS
FIGURE 72. EXTRACT FIELDS
FIGURE 73. EXTRACT POWERSHELL COMMAND FIELD
FIGURE 74. FINE-TUNING EXTRACTION
FIGURE 75. CORRECT EXTRACTION
Type=Event EventLog="Microsoft-Windows-PowerShell/Operational" EventID=4103 PowerShellUser_CF!="CLOUDADMINISTRA\\SYSTEM" | measure count() by PowerShellUser_CF
FIGURE 76. NUMBER OF POWERSHELL COMMANDS PER USER
Type=Event EventLog="Microsoft-Windows-PowerShell/Operational" EventID=4103 PowerShellUser_CF!="CLOUDADMINISTRA\\SYSTEM" | measure count() by PowerShellCommand_CF
FIGURE 77. POWERSHELL COMMAND EXECUTION COUNT
FIGURE 78. RESTART-COMPUTER COMMAND LOG
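The two queries above can be checked offline before relying on the extracted custom fields. The following is an added Python example (not from the page) that parses constructed event 4103 messages in the layout PowerShell module logging produces and computes the same per-user and per-command counts, excluding CLOUDADMINISTRA\SYSTEM as the queries do.

```python
import re
from collections import Counter

# Context lines of event 4103 look like "        User = DOMAIN\name" and
# "        Command Name = Get-Process"; these pull them out of the message.
USER_RE = re.compile(r"^\s*User = (.*?)\s*$", re.M)
COMMAND_RE = re.compile(r"^\s*Command Name = (.*?)\s*$", re.M)

# The account the page's queries exclude: services and scheduled tasks running
# as SYSTEM generate noise that hides interactive use.
EXCLUDED_USERS = {r"CLOUDADMINISTRA\SYSTEM"}


def parse_4103(message):
    """Return (user, command) from a 4103 message, or None if either is
    missing (for example a truncated record)."""
    u, c = USER_RE.search(message), COMMAND_RE.search(message)
    if not (u and c and u.group(1) and c.group(1)):
        return None
    return u.group(1), c.group(1)


def commands_per_user(messages, excluded=EXCLUDED_USERS):
    """Equivalent of the first query: number of commands per user."""
    counts = Counter()
    for m in messages:
        parsed = parse_4103(m)
        if parsed and parsed[0] not in excluded:
            counts[parsed[0]] += 1
    return counts


def executions_per_command(messages, excluded=EXCLUDED_USERS):
    """Equivalent of the second query: how often each cmdlet was run."""
    counts = Counter()
    for m in messages:
        parsed = parse_4103(m)
        if parsed and parsed[0] not in excluded:
            counts[parsed[1]] += 1
    return counts


def _record(user, command, params=""):
    # Build a constructed 4103 message in the layout module logging produces;
    # only the context fields this example reads are filled in meaningfully.
    return (
        f'CommandInvocation({command}): "{command}"\n'
        f"{params}\n\nContext:\n"
        "        Severity = Informational\n"
        "        Host Name = ConsoleHost\n"
        f"        Command Name = {command}\n"
        "        Command Type = Cmdlet\n"
        f"        User = {user}\n"
        "        Connected User = \n"
        "        Shell ID = Microsoft.PowerShell\n"
    )


# Constructed sample records (not real log data).
SAMPLE_MESSAGES = [
    _record(r"CLOUDADMINISTRA\jdoe", "Restart-Computer",
            'ParameterBinding(Restart-Computer): name="Force"; value="True"'),
    _record(r"CLOUDADMINISTRA\jdoe", "Get-Service"),
    _record(r"CLOUDADMINISTRA\asmith", "Restart-Computer"),
    _record(r"CLOUDADMINISTRA\SYSTEM", "Get-Process"),
    'CommandInvocation(Get-Date): "Get-Date"\n',  # truncated: no Context block
]

if __name__ == "__main__":
    print(commands_per_user(SAMPLE_MESSAGES))
    print(executions_per_command(SAMPLE_MESSAGES))
```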
Security is a topic that every person in an organization should be concerned about. Preventing or stopping a security breach is key for the success of your organization.
In this chapter, we have demonstrated the Security and Audit solution in OMS. We have shown how to configure it and take full advantage of its features, integrations, and extensibility in protecting and auditing your organization. We hope you will use the hands-on examples provided in this chapter and continue further exploration of the service in the context of security. In the next chapter, we will explore Protection and Recovery in OMS.