Getting started with Operations Management Suite Security and Audit Solution
This document helps you get started quickly with Operations Management Suite (OMS) Security and Audit solution capabilities by guiding you through each option.
What is OMS?
Microsoft Operations Management Suite (OMS) is Microsoft's cloud-based IT management solution that helps you manage and protect your on-premises and cloud infrastructure. For more information about OMS, read the article Operations Management Suite.
OMS Security and Audit dashboard
The OMS Security and Audit solution provides a comprehensive view into your organization’s IT security posture with built-in search queries for notable issues that require your attention. The Security and Audit dashboard is the home screen for everything related to security in OMS. It provides high-level insight into the security state of your computers. It also includes the ability to view all events from the past 24 hours, 7 days, or any other custom time frame. To access the Security and Audit dashboard, follow these steps:
- In the Microsoft Operations Management Suite main dashboard click Settings tile in the left.
- In the Settings blade, under Solutions click Security and Audit option.
The Security and Audit dashboard appears:
If you are accessing this dashboard for the first time and you don’t have devices monitored by OMS, the tiles will not be populated with data obtained from the agent. Once you install the agent, it can take some time to populate, therefore what you see initially may be missing some data as they are still uploading to the cloud. In this case, it is normal to see some tiles without tangible information. Read Connect Windows computers directly to OMS for more information on how to install OMS agent in a Windows system and Connect Linux computers to OMS for more information on how to perform this task in a Linux system.
The agent collects the information based on the current events that are enabled, for instance computer name, IP address and user name. However no document/files, database name or private data are collected.
Solutions are a collection of logic, visualization, and data acquisition rules that address key customer challenges. Security and Audit is one solution, others can be added separately. Read the article Add solutions for more information on how to add a new solution.
The OMS Security and Audit dashboard is organized in four major categories:
- Security Domains: in this area you will be able to further explore security records over time, access malware assessment, update assessment, network security, identity and access information, computers with security events and quickly have access to Azure Security Center dashboard.
- Notable Issues: this option will allow you to quickly identify the number of active issues and the severity of these issues.
- Detections (Preview): enables you to identify attack patterns by visualizing security alerts as they take place against your resources.
- Threat Intelligence: enables you to identify attack patterns by visualizing the total number of servers with outbound malicious IP traffic, the malicious threat type and a map that shows where these IPs are coming from.
- Common security queries: this option provides you a list of the most common security queries that you can use to monitor your environment. When you click in one of those queries, it opens the Search blade with the results for that query.
for more information on how OMS keeps your data secure, read How OMS secures your data.
When monitoring resources, it is important to be able to quickly access the current state of your environment. However it is also important to be able to track back events that occurred in the past that can lead to a better understanding of what’s happening in your environment at certain point in time.
data retention is according to the OMS pricing plan. For more information visit the Microsoft Operations Management Suite pricing page.
Incident response and forensics investigation scenarios will directly benefit from the results available in the Security Records over Time tile.
When you click on this tile, the Search blade will open, showing a query result for Security Events (Type=SecurityEvents) with data based on the last seven days, as shown below:
The search result is divided in two panes: the left pane gives you a breakdown of the number of security events that were found, the computers in which these events were found, the number of accounts that were discovered in these computers and the types of activities. The right pane provides you the total results and a chronological view of the security events with the computer’s name and event activity. You can also click Show More to view more details about this event, such as the event data, the event ID and the event source.
for more information about OMS search query, read OMS search reference.
This option enables you to quickly identify computers with insufficient protection and computers that are compromised by a piece of malware. Malware assessment status and detected threats on the monitored servers are read, and then the data is sent to the OMS service in the cloud for processing. Servers with detected threats and servers with insufficient protection are shown in the malware assessment dashboard, which is accessible after you click in the Antimalware Assessment tile.
Just like any other live tile available in OMS Dashboard, when you click on it, the Search blade will open with the query result. For this option, if you click in the Not Reporting option under Protection Status, you will have the query result that shows this single entry that contains the computer’s name and its rank, as shown below:
rank is a grade giving to reflect the status of the protection (on, off, updated, etc.) and threats that are found. Having that as a number helps to make aggregations.
If you click in the computer’s name, you will have the chronological view of the protection status for this computer. This is very useful for scenarios in which you need to understand if the antimalware was once installed and at some point it was removed.
This option enables you to quickly determine the overall exposure to potential security problems, and whether or how critical these updates are for your environment. OMS Security and Audit solution only provide the visualization of these updates, the real data comes from Update Management Solutions, which is a different module within OMS. Here an example of the updates:
For more information about Update Management solution, read Update Management solution in OMS.
Identity and Access
Identity should be the control plane for your enterprise, protecting your identity should be your top priority. While in the past there were perimeters around organizations and those perimeters were one of the primary defensive boundaries, nowadays with more data and more apps moving to the cloud the identity becomes the new perimeter.
currently the data is based only on Security Events login data (event ID 4624) in the future Office365 logins and Azure AD data will also be included.
By monitoring your identity activities you will be able to take proactive actions before an incident takes place or reactive actions to stop an attack attempt. The Identity and Access dashboard provides you an overview of your identity state, including the number of failed attempts to log on, the user’s account that were used during those attempts, accounts that were locked out, accounts with changed or reset password and currently number of accounts that are logged in.
When you click in the Identity and Access tile you will see the following dashboard:
The information available in this dashboard can immediately assist you to identify a potential suspicious activity. For example, there are 338 attempts to log on as Administrator and 100% of these attempts failed. This can be caused by a brute force attack against this account. If you click on this account you will obtain more information that can assist you to determine the target resource for this potential attack:
The detailed report provides important information about this event, including: the target computer, the type of logon (in this case Network logon), the activity (in this case event 4625) and a comprehensive timeline of each attempt.
This tile can be used to access all computers that actively have security events. When you click in this tile you will see the list of computers with security events and the number of events on each computer:
You can continue your investigation by clicking on each computer and review the security events that were flagged.
By using the Threat Intelligence option available in OMS Security and Audit, IT administrators can identify security threats against the environment, for example, identify if a particular computer is part of a botnet. Computers can become nodes in a botnet when attackers illicitly install malware that secretly connects this computer to the command and control. It can also identify potential threats coming from underground communication channels, such as darknet. Learn more about Threat Intelligence by reading Monitoring and responding to security alerts in Operations Management Suite Security and Audit Solution article.
In some scenarios, you may notice a potential malicious IP that was accessed from one monitored computer:
This alert and others within the same category, are generated via OMS Security by leveraging Microsoft Threat Intelligence. The Threat Intelligence data is collected by Microsoft as well as purchased from leading threat intelligence providers. This data is updated frequently and adapted to fast-moving threats. Due to its nature, it should be combined with other sources of security information while investigating a security alert.
Microsoft, together with industry and government organizations worldwide, defines a Windows configuration that represents highly secure server deployments. This configuration is a set of registry keys, audit policy settings, and security policy settings along with Microsoft’s recommended values for these settings. This set of rules is known as Security baseline. Read Baseline Assessment in Operations Management Suite Security and Audit Solution for more information about this option.
Azure Security Center
This tile is basically a shortcut to access Azure Security Center dashboard. Read Getting started with Azure Security Center for more information about this solution.
The main intent of this group of options is to provide a quick view of the issues that you have in your environment, by categorizing them in Critical, Warning and Informational. The Active issue type tile it’s a visualization of these issues, but it doesn’t allow you to explore more details about them, for that you need to use the lower part of this tile that has the name of the issue (NAME), how many objects had this happen (COUNT) and how critical it is (SEVERITY).
You can see that these issues were already covered in different areas of the Security Domains group, which reinforces the intent of this view: visualize the most important issues in your environment from a single place.
The main intent of this option is to allow IT to quickly identify potential threats to their environment via and the severity of this threat.
This option can also be used during an incident response investigation to perform the assessment and obtain more information about the attack.
For more information on how to use OMS for Incident Response, watch this video: How to Leverage the Azure Security Center & Microsoft Operations Management Suite for an Incident Response.
The new threat intelligence section of the Security and Audit solution visualizes the possible attack patterns in several ways: the total number of servers with outbound malicious IP traffic, the malicious threat type and a map that shows where these IPs are coming from. You can interact with the map and click on the IPs for more information.
Yellow pushpins on the map indicate incoming traffic from malicious IPs. It is not uncommon for servers that are exposed to the internet to see incoming malicious traffic, but we recommend reviewing these attempts to make sure none of them was successful. These indicators are based on IIS logs, WireData and Windows Firewall logs.
Common security queries
The list of common security queries available can be useful for you to rapidly access resource’s information and customize it based on your environment’s needs. These common queries are:
- All Security Activities
- Security Activities on the computer "computer01.contoso.com" (replace with your own computer name)
- Security Activities on the computer "computer01.contoso.com" for account "Administrator" (replace with your own computer and account names)
- Log on Activity by Computer
- Accounts who terminated Microsoft antimalware on any computer
- Computers where the Microsoft antimalware process was terminated
- Computers where "hash.exe" was executed (replace with different process name)
- All Process names that were executed
- Log on Activity by Account
- Accounts who remotely logged on the computer "computer01.contoso.com" (replace with your own computer name)
In this document, you were introduced to OMS Security and Audit solution. To learn more about OMS Security, see the following articles: