How to selectively collect security events by using Microsoft Operations Management Suite?

UPDATE: Post updated on 20th April with information about security events required to populate pre-defined queries and tiles that come with the Security and Audit solution.

 

Operations Management Suite Security and Audit Solution enables you to collect security events from managed computers. Once enabled, it configures Agents on managed computers to send all security events to the Cloud. Depending on the audit policy, as well as on the size and complexity of your environment this can potentially produce a large volume of event data that is sent to the MS OMS workspace, causing you to reach free daily data transfer limit or generating the higher service cost. In a large scale enterprise environment, the amount of security data logged on Active Directory domain controllers can be tremendous.

In case if you are using Operations Management Suite in a scenario where managed computers are not attached to OMS directly and you are using OMS Connector for SCOM instead, then you are able to configure your SCOM environment to selectively collect security events from managed computers. By this I mean that you have flexibility to control:

  1. which security events should be sent to the Cloud and
  2. which managed computers should be within the scope of the security event log collection.

Let me try to provide an overview of required steps in this blog post.

For this exercise, we will store all configuration and overrides within the separate management pack.

Create new SCOM management pack within the on-premises SCOM environment.

041216_1614_Howtoselect1.png

To configure integration with the OMS workspace, we will then create new computer group which will contain Windows computer objects of managed computers that should be in scope of the security event log collection.

041216_1614_Howtoselect2.png

Leave it empty at the moment, without any members and store it in the custom management pack created in the previous step.

To configure that computer objects which will be members of the new computer group created in the previous step are OMS-enabled, go to the Administration workspace, expand Operations Management Suite, and then click Managed Computers. Click the Add a Computer/Group link in the Tasks pane and search for the newly created computer group. Click Add, and then click OK.

3a - OMS Add Group

Newly created computer group should now be visible in the Managed Computers node under the Operations Management Suite in the Administration workspace of the Operations console.

3b - OMS Add Group

When the Security and Audit Solution is added to the OMS workspace, Microsoft System Center Advisor Security Event Collection management pack gets imported into the on-premises SCOM environment that is connected to the Microsoft OMS workspace.

Microsoft System Center Advisor Security Event Collection

This management pack contains the Collect Security Events rule.

4a - Collect Security Events rule

It collects security events for the Security and Audit Solution and sends them to the Cloud.

To modify the default behavior of the Security and Audit Solution which defines that OMS-enabled managed computers send all security events to the Cloud, we need to create an override first. Purpose of this override is to disable the Collect Security Events rule. This is done by creating an override for the Enabled parameter for all objects of the Windows Computer class. In order to give this override precedence, make sure that the override is created with the Enforced parameter enabled as shown in the screenshot below.

4b - Create override for the Collect Security Events rule

Store override in the previously-created custom management pack.

To confirm that the override has been created as expected, open the Overrides Summary for the Collect Security Events

4c - Overrides summary for the Collect Security Events rule

Now that we have an override in place which ensures that all security events are not sent to the Cloud by default from all OMS-enabled computers, next step is to create a custom rule which will define the list of specific security events which should be included/excluded from the security event log collection. Start the Create Rule Wizard and select the Collection Rules -> Event Based -> NT Event Log. Make sure that the new rule is stored in the custom management pack that we created earlier.

5a - rule creation

Give it a meaningful name and description, scope it over the Windows Computer class and leave it disabled by default, as shown in the screenshot below.

5b - rule creation

Specify Security as an event log name to read events from.

5c - rule creation

Define the list of specific security events that you want to include or exclude from the security event log collection on the Build Event Expression page of the Create Rule Wizard. Configuration of this rule depends on the audit policy, compliance requirements of your company and specifics of your IT environment. On the example shown in the screenshot below, I’ve decided to exclude four specific security events from the collection.

5d - rule creation

NOTE: Scroll down to see the list of security events that need to be collected for the Security and Audit solution.

Finish the Create Rule Wizard, open the Properties of the newly created rule and then go to the Configuration. What you will notice here is that this rule would store collected security events to the OperationsManager and OperationsManagerDW databases.

6 - rule properties before

The default response must be modified and that is done by editing the custom management pack where this rule is stored. To do that, let’s export the custom management pack and open it in Notepad or preferred XML editor. Locate the WriteActions node of the custom security event collection rule and replace the following configuration:

<WriteActions>

<WriteAction ID="WriteToDB" TypeID="SystemCenter!Microsoft.SystemCenter.CollectEvent" />

<WriteAction ID="WriteToDW" TypeID="SCDW!Microsoft.SystemCenter.DataWarehouse.PublishEventData" />

</WriteActions>

… with this:

<WriteActions>

<WriteAction ID="HttpWA" TypeID="IPTypes!Microsoft.SystemCenter.CollectHighVolumeDirectChannelCloudEvent" />

</WriteActions>

CollectHighVolumeDirectChannelCloudEvent write action is actually a reference to the High Volume Direct Channel Cloud Event Collection Write Action response that is defined in the Microsoft System Center Advisor Types Library management pack. This Write Action ensures that data is sent directly from the Agent (managed computer) to the MS OMS cloud and not to the Management Server first. In addition, data sent by this Write Module is indexed as SecurityEvent type of the data on the MS OMS side.

To be able to use this Write Action in our management pack, we must also ensure that reference to the Microsoft System Center Advisor Types Library management pack is added to our custom management pack:

<Reference Alias=”IPTypes”>

<ID>Microsoft.IntelligencePacks.Types</ID>

<Version>7.0.10609.0</Version>

<PublicKeyToken>31bf3856ad364e35</PublicKeyToken>

</Reference>

Now, scroll down to the DisplayStrings section of the custom management pack XML file and remove references to the WriteToDW and the WriteToDB sub-elements which are references to the Write Actions which we don’t plan to use. If you don’t do that, you will most likely receive an error during the management pack import.

management pack edit

And finally, scroll up to the Identity section of the custom management pack XML file and increase the version number. Now you are ready for the import of the updated custom management pack.

Once management pack import is finished, again open the Properties of the custom rule and then go to the Configuration. You should now see High Volume Direct Channel Cloud Event Collection Write Action as a default response action for this rule.

6 - rule properties after

Now the only thing remaining is to configure an override for the custom rule in order to enable it for the computer group we created earlier. Right-click on the custom rule and then select Overrides -> Override the Rule -> For a group

7a - override creation

Set the override value of the Enabled parameter to True.

7b - override creation

Open Overrides Summary for the custom rule to double-check that override was created successfully.

7c - override creation

Now populate the custom computer group and watch security events flow into the Microsoft OMS workspace.

When configuring custom security event collection rules, take into account that the following security events are required by the Security and Audit solution in order to populate pre-defined queries, visualization tiles and graphs that come with the Security and Audit solution:

21
43
104
219
400, 410
517
560
865-868
882
1000
1001
1007, 1008
1102
2087
3001, 3002
3003, 3004
3010, 3023
4104
4624
4624
4625
4626
4657
4663
4688
4698
4699
4700
4701
4702
4713
4719
4720
4722
4740
4767
4912
4946
4947
4948
4949
4950
4956
5024
5025
5029
5030
5033
5034
5035
5037
5038
5858
6281
8002-8007
10154
64004

 

For more information, refer to the Anatomy of an Event Collection Rule for Azure Operational Insights (Advanced targeting when using OpsMgr attach) blog post by Daniele Muscetta. Big thanks to Satya Vel for help around this topic.

 

Advertisements
How to selectively collect security events by using Microsoft Operations Management Suite?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s