UPDATE: Post updated on 20th April with information about the security events required to populate the pre-defined queries and tiles that come with the Security and Audit solution.
The Operations Management Suite Security and Audit Solution enables you to collect security events from managed computers. Once enabled, it configures the agents on managed computers to send all security events to the Cloud. Depending on the audit policy, as well as on the size and complexity of your environment, this can produce a large volume of event data sent to the MS OMS workspace, causing you to reach the free daily data transfer limit or incurring a higher service cost. In a large-scale enterprise environment, the amount of security data logged on Active Directory domain controllers can be tremendous.
If you are using Operations Management Suite in a scenario where managed computers are not attached to OMS directly but through the OMS Connector for SCOM, you can configure your SCOM environment to selectively collect security events from managed computers. By this I mean that you have the flexibility to control:
- which security events should be sent to the Cloud and
- which managed computers should be within the scope of the security event log collection.
Let me try to provide an overview of required steps in this blog post.
For this exercise, we will store all configuration and overrides within the separate management pack.
Create a new SCOM management pack within the on-premises SCOM environment.
To configure integration with the OMS workspace, we will then create a new computer group which will contain the Windows Computer objects of the managed computers that should be in scope of the security event log collection.
Leave it empty for now, without any members, and store it in the custom management pack created in the previous step.
To make sure that the computer objects which become members of the new computer group are OMS-enabled, go to the Administration workspace, expand Operations Management Suite, and then click Managed Computers. Click the Add a Computer/Group link in the Tasks pane and search for the newly created computer group. Click Add, and then click OK.
The newly created computer group should now be visible in the Managed Computers node under Operations Management Suite in the Administration workspace of the Operations console.
When the Security and Audit Solution is added to the OMS workspace, the Microsoft System Center Advisor Security Event Collection management pack is imported into the on-premises SCOM environment that is connected to the Microsoft OMS workspace.
This management pack contains the Collect Security Events rule.
It collects security events for the Security and Audit Solution and sends them to the Cloud.
To modify the default behavior of the Security and Audit Solution, which makes OMS-enabled managed computers send all security events to the Cloud, we first need to create an override. The purpose of this override is to disable the Collect Security Events rule. This is done by creating an override of the Enabled parameter for all objects of the Windows Computer class. To give this override precedence, make sure that it is created with the Enforced parameter enabled, as shown in the screenshot below.
Store the override in the previously created custom management pack.
To confirm that the override has been created as expected, open the Overrides Summary for the Collect Security Events rule.
Now that we have an override in place which ensures that, by default, no security events are sent to the Cloud from any OMS-enabled computer, the next step is to create a custom rule which defines the list of specific security events to include in or exclude from the security event log collection. Start the Create Rule Wizard and select Collection Rules -> Event Based -> NT Event Log. Make sure that the new rule is stored in the custom management pack that we created earlier.
Give it a meaningful name and description, scope it over the Windows Computer class and leave it disabled by default, as shown in the screenshot below.
Specify Security as the event log name to read events from.
Define the list of specific security events that you want to include in or exclude from the security event log collection on the Build Event Expression page of the Create Rule Wizard. The configuration of this rule depends on the audit policy, the compliance requirements of your company and the specifics of your IT environment. In the example shown in the screenshot below, I’ve decided to exclude four specific security events from the collection.
NOTE: Scroll down to see the list of security events that need to be collected for the Security and Audit solution.
Finish the Create Rule Wizard, open the Properties of the newly created rule and then go to Configuration. You will notice that this rule stores collected security events in the OperationsManager and OperationsManagerDW databases.
The default response must be modified, and that is done by editing the custom management pack in which this rule is stored. To do that, export the custom management pack and open it in Notepad or your preferred XML editor. Locate the WriteActions node of the custom security event collection rule and replace the following configuration:
<WriteActions>
  <WriteAction ID="WriteToDB" TypeID="SystemCenter!Microsoft.SystemCenter.CollectEvent" />
  <WriteAction ID="WriteToDW" TypeID="SCDW!Microsoft.SystemCenter.DataWarehouse.PublishEventData" />
</WriteActions>
… with this:
<WriteActions>
  <WriteAction ID="HttpWA" TypeID="IPTypes!Microsoft.SystemCenter.CollectHighVolumeDirectChannelCloudEvent" />
</WriteActions>
The CollectHighVolumeDirectChannelCloudEvent write action is actually a reference to the High Volume Direct Channel Cloud Event Collection Write Action response that is defined in the Microsoft System Center Advisor Types Library management pack. This Write Action ensures that data is sent directly from the agent (managed computer) to the MS OMS cloud rather than to the Management Server first. In addition, data sent by this write module is indexed as the SecurityEvent data type on the MS OMS side.
To be able to use this Write Action in our management pack, we must also ensure that a reference to the Microsoft System Center Advisor Types Library management pack is added to our custom management pack:
Now scroll down to the DisplayStrings section of the custom management pack XML file and remove the references to the WriteToDW and WriteToDB sub-elements, which point to the Write Actions we no longer use. If you don’t do that, you will most likely receive an error during the management pack import.
And finally, scroll up to the Identity section of the custom management pack XML file and increase the version number. Now you are ready to import the updated custom management pack.
Once the management pack import has finished, open the Properties of the custom rule again and go to Configuration. You should now see High Volume Direct Channel Cloud Event Collection Write Action as the default response action for this rule.
Now the only thing remaining is to configure an override for the custom rule to enable it for the computer group we created earlier. Right-click the custom rule and then select Overrides -> Override the Rule -> For a group.
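The manual XML edits described above (swap the WriteActions, add the IPTypes reference, drop the orphaned DisplayStrings, bump the version) are easy to get wrong in Notepad, and each omission shows up only as an import error. The following Python script is an added example, not code from the original post or from Microsoft; it applies all four edits to a small, constructed management pack fragment embedded inline, and checks the result. The ID and version it writes into the Advisor Types Library reference are assumed placeholders that must be replaced with the values of the sealed management pack in your own environment.

```python
# Added example (not the post's code): script the management pack edits instead of hand-editing.
import xml.etree.ElementTree as ET

RULE_ID = "Custom.OMS.SecurityEvent.Collection.Rule"   # constructed rule ID
CLOUD_WRITE_ACTION = ("HttpWA", "IPTypes!Microsoft.SystemCenter.CollectHighVolumeDirectChannelCloudEvent")
LEGACY_WRITE_ACTION_IDS = {"WriteToDB", "WriteToDW"}

# Reference to the Advisor Types Library. ID and version are ASSUMED placeholders:
# copy the real values from the sealed management pack in your own SCOM environment.
IPTYPES_REFERENCE = {
    "Alias": "IPTypes",
    "ID": "Microsoft.IntelligencePacks.Types",   # assumed ID, verify locally
    "Version": "0.0.0.0",                        # placeholder version
    "PublicKeyToken": "31bf3856ad364e35",        # Microsoft's usual sealed-MP token, verify locally
}

# Constructed, trimmed management pack shaped like an export from the Operations console.
SAMPLE_MP = f"""<ManagementPack ContentReadable="true" SchemaVersion="2.0">
  <Manifest>
    <Identity><ID>Custom.OMS.SecurityEvents</ID><Version>1.0.0.0</Version></Identity>
    <Name>Custom OMS Security Events</Name>
    <References>
      <Reference Alias="SystemCenter"><ID>Microsoft.SystemCenter.Library</ID><Version>7.0.8433.0</Version><PublicKeyToken>31bf3856ad364e35</PublicKeyToken></Reference>
      <Reference Alias="SCDW"><ID>Microsoft.SystemCenter.DataWarehouse.Library</ID><Version>7.0.8433.0</Version><PublicKeyToken>31bf3856ad364e35</PublicKeyToken></Reference>
      <Reference Alias="Windows"><ID>Microsoft.Windows.Library</ID><Version>7.5.8501.0</Version><PublicKeyToken>31bf3856ad364e35</PublicKeyToken></Reference>
    </References>
  </Manifest>
  <Monitoring>
    <Rules>
      <Rule ID="{RULE_ID}" Enabled="false" Target="Windows!Microsoft.Windows.Computer" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">
        <Category>EventCollection</Category>
        <DataSources>
          <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
            <ComputerName>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
            <LogName>Security</LogName>
          </DataSource>
        </DataSources>
        <WriteActions>
          <WriteAction ID="WriteToDB" TypeID="SystemCenter!Microsoft.SystemCenter.CollectEvent" />
          <WriteAction ID="WriteToDW" TypeID="SCDW!Microsoft.SystemCenter.DataWarehouse.PublishEventData" />
        </WriteActions>
      </Rule>
    </Rules>
  </Monitoring>
  <LanguagePacks>
    <LanguagePack ID="ENU" IsDefault="true">
      <DisplayStrings>
        <DisplayString ElementID="{RULE_ID}"><Name>Custom security event collection</Name></DisplayString>
        <DisplayString ElementID="{RULE_ID}" SubElementID="WriteToDB"><Name>Collect event data</Name></DisplayString>
        <DisplayString ElementID="{RULE_ID}" SubElementID="WriteToDW"><Name>Publish to DW</Name></DisplayString>
      </DisplayStrings>
    </LanguagePack>
  </LanguagePacks>
</ManagementPack>"""


def _find_rule(root, rule_id):
    for rule in root.iter("Rule"):
        if rule.get("ID") == rule_id:
            return rule
    raise ValueError(f"rule {rule_id!r} not found in management pack")


def convert_rule_to_cloud_collection(mp_xml, rule_id):
    """Return the MP XML with `rule_id` rewritten to send events straight from the agent to OMS."""
    root = ET.fromstring(mp_xml)
    rule = _find_rule(root, rule_id)

    # 1. Replace the WriteToDB/WriteToDW responses with the single cloud write action.
    write_actions = rule.find("WriteActions")
    if write_actions is None:
        write_actions = ET.SubElement(rule, "WriteActions")
    for old in list(write_actions):
        write_actions.remove(old)
    ET.SubElement(write_actions, "WriteAction", {"ID": CLOUD_WRITE_ACTION[0], "TypeID": CLOUD_WRITE_ACTION[1]})

    # 2. Add the IPTypes reference once (no duplicate if the MP already carries it).
    references = root.find("Manifest/References")
    if not any(r.get("Alias") == IPTYPES_REFERENCE["Alias"] for r in references.findall("Reference")):
        ref = ET.SubElement(references, "Reference", {"Alias": IPTYPES_REFERENCE["Alias"]})
        for tag in ("ID", "Version", "PublicKeyToken"):
            ET.SubElement(ref, tag).text = IPTYPES_REFERENCE[tag]

    # 3. Drop display strings for write actions that no longer exist; leaving them behind
    #    is what makes the import fail.
    for parent in root.iter("DisplayStrings"):
        for ds in list(parent):
            if ds.get("ElementID") == rule_id and ds.get("SubElementID") in LEGACY_WRITE_ACTION_IDS:
                parent.remove(ds)

    # 4. Bump the last component of the version so SCOM accepts the re-import as an upgrade.
    version = root.find("Manifest/Identity/Version")
    parts = version.text.strip().split(".")
    parts[-1] = str(int(parts[-1]) + 1)
    version.text = ".".join(parts)
    return ET.tostring(root, encoding="unicode")


# Inspection helpers: compare the exported MP with the rewritten one before importing it.
def write_actions_of(mp_xml, rule_id):
    was = _find_rule(ET.fromstring(mp_xml), rule_id).find("WriteActions")
    return [] if was is None else [(wa.get("ID"), wa.get("TypeID")) for wa in was]

def reference_aliases(mp_xml):
    return [r.get("Alias") for r in ET.fromstring(mp_xml).iter("Reference")]

def display_string_subelements(mp_xml, rule_id):
    return sorted(ds.get("SubElementID") for ds in ET.fromstring(mp_xml).iter("DisplayString")
                  if ds.get("ElementID") == rule_id and ds.get("SubElementID"))

def mp_version(mp_xml):
    return ET.fromstring(mp_xml).find("Manifest/Identity/Version").text

if __name__ == "__main__":
    print(convert_rule_to_cloud_collection(SAMPLE_MP, RULE_ID))
```

Run it against a real export by reading the XML file into `convert_rule_to_cloud_collection` and writing the result back out; the inspection helpers let you confirm, before the import, that the rule now carries only the HttpWA write action, that the IPTypes reference is present, and that no DisplayString still points at WriteToDB or WriteToDW.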
Set the override value of the Enabled parameter to True.
Open the Overrides Summary for the custom rule to double-check that the override was created successfully.
Now populate the custom computer group and watch security events flow into the Microsoft OMS workspace.
When configuring custom security event collection rules, take into account that the following security events are required by the Security and Audit solution in order to populate the pre-defined queries, visualization tiles and graphs that come with it:
For more information, refer to the Anatomy of an Event Collection Rule for Azure Operational Insights (Advanced targeting when using OpsMgr attach) blog post by Daniele Muscetta. Big thanks to Satya Vel for his help on this topic.