Forum Discussion
OMS query for ad login and log offs
- Feb 22, 2018
Hi,
In order to monitor security events you will need to deploy the Security & Audit solution. Keep in mind that since Ignite 2017 that solution is now part of Azure Security Center rather Log Analytics which means separate pricing. Azure Security Center uses Log Analytics platform for storing data. Once you deploy and configure Security & Audit solution there are two simple queries that you can use to see that data:
Logged off accounts:
SecurityEvent | where EventID == 4634 | sort by TimeGenerated desc
Logged on users
SecurityEvent | where EventID == 4624 | sort by TimeGenerated desc
These are single events and there are more additional events related to those. Sources:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logoff
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon
The Security & Audit solution contains some dashboards related to logins and logoff.
You also cannot gather security logs without actually using the Security & Audit solution.
Hope this helps!
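As an added example (not part of the reply above), here is a KQL query that builds on the two single-event queries by pairing each 4624 logon with its 4634 logoff so you get per-session durations and open sessions per account instead of two unrelated lists. The columns Account, Computer, LogonType and TargetLogonId are assumed from the SecurityEvent schema; the lookback window and logon types are placeholders to adjust.

```kql
// Added example, not from the original post. Assumes SecurityEvent exposes
// TimeGenerated, EventID, Account, Computer, LogonType and TargetLogonId.
let lookback = 7d;                       // assumed window, adjust as needed
// 4624: successful logon. Keep interactive (2) and RDP (10) sessions only.
let logons = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624
    | where LogonType in (2, 10)
    | project LogonTime = TimeGenerated, Account, Computer, LogonType, TargetLogonId;
// 4634: logoff. TargetLogonId is the same session id written by the 4624 event.
let logoffs = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4634
    | project LogoffTime = TimeGenerated, Computer, TargetLogonId;
logons
// leftouter keeps logons that have no logoff yet (still-open sessions)
| join kind=leftouter logoffs on Computer, TargetLogonId
| extend SessionDuration = LogoffTime - LogonTime   // null when no logoff seen
| summarize
    Sessions      = count(),
    OpenSessions  = countif(isnull(LogoffTime)),
    AvgDuration   = avg(SessionDuration),
    LastLogon     = max(LogonTime)
    by Account, Computer, LogonType
| sort by LastLogon desc
```

Rows with a high OpenSessions count or unusually long AvgDuration are the ones worth reviewing on the dashboard side.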
Isn't it a bit outrageous to remove SecurityEvents from the Azure Log Analytics and force the customers to purchase another solution (Security & Audit) in order to centralize logging of security related events, I mean the customer can still do it with Application and System logs.
- Lloyd Adams, Feb 01, 2019, Iron Contributor
I'm surprised that this is not all or nothing - I can see a small set of security events (e.g. 4663, 4985), but in no way all of them, and definitely not the 'interesting' ones. Is this simply an oversight? (In fact, 4663 is causing severe per node overage and costing us money, so I'd like to stop them being processed. Only having access to the reporting side of things, I don't know if this is even possible).
- Feb 04, 2019
Hi,
In ASC you have 4 options for setting which events are gathered.
- All Events
- Common
- Minimal
- None
Additionally, on your Windows servers you can configure your audit policy in order to log only certain security events. That way ASC will gather only those that are generated.
This is expensive as you are onboarding to Azure Security Center which has many other features besides just gathering security events.
- Lloyd Adams, Feb 05, 2019, Iron Contributor
Probably a daft question, but is security event ingestion and analysis from an on premise Windows server only possible with the Standard tier, or could I get away with the free Tier?