Forum Discussion
OMS query for ad login and log offs
- Feb 21, 2018
Hi,
In order to monitor security events you will need to deploy the Security & Audit solution. Keep in mind that since Ignite 2017 that solution is now part of Azure Security Center rather than Log Analytics, which means separate pricing. Azure Security Center uses the Log Analytics platform for storing data. Once you deploy and configure the Security & Audit solution there are two simple queries that you can use to see that data:
Logged off accounts:
SecurityEvent | where EventID == 4634 | sort by TimeGenerated desc
Logged on users:
SecurityEvent | where EventID == 4624 | sort by TimeGenerated desc
These are single events; there are additional events related to them. Sources:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logoff
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon
The Security & Audit solution contains some dashboards related to logins and logoffs.
You also cannot gather security logs without actually using the Security & Audit solution.
Hope this helps!
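Building on the two queries in the answer above, the following is an added example (not part of the original post) that pairs each 4624 logon with its matching logoff by TargetLogonId to give session durations. The Audit Logoff subcategory linked above covers both 4634 (logoff) and 4647 (user-initiated logoff), so both are treated as the end of a session. Column names are the standard SecurityEvent columns; the 7-day lookback, the choice of logon types to keep, and the exclusion of machine accounts are assumptions you should adjust for your environment.

```kusto
// Added example, not code from the original thread.
// Assumes the Security & Audit solution is populating the SecurityEvent table.
let lookback = 7d;                       // assumed window; tune to your retention
// Logon types kept: 2 interactive, 3 network, 10 RemoteInteractive (RDP),
// 11 CachedInteractive. Service (5) and unlock (7) are left out to cut noise.
let logons = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624
    | where LogonType in (2, 3, 10, 11)
    | where TargetUserName !endswith "$"  // drop machine accounts (assumed filter)
    | project LogonTime = TimeGenerated, Computer, TargetDomainName, TargetUserName,
              TargetLogonId, LogonType, IpAddress;
let logoffs = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID in (4634, 4647)       // 4647 = user-initiated logoff
    | project LogoffTime = TimeGenerated, Computer, TargetLogonId;
logons
| join kind=leftouter logoffs on Computer, TargetLogonId
| extend SessionDuration = LogoffTime - LogonTime   // null while the session is still open
| project LogonTime, LogoffTime, SessionDuration, Computer,
          Account = strcat(TargetDomainName, @"\", TargetUserName),
          LogonType, IpAddress
| order by LogonTime desc
```

Rows with an empty LogoffTime are sessions that have not ended (or whose logoff event was not collected). The leftouter join is deliberate: an inner join would silently hide still-open sessions, which are often exactly the ones you want to see.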
Probably a daft question, but is security event ingestion and analysis from an on-premises Windows server only possible with the Standard tier, or could I get away with the Free tier?
Ingesting Windows security events is part of Azure Security Center and there is no way to make that data count as regular data. Of course there is the possibility of using some automation to fetch those events on your own and upload them via the data ingestion API, but that workaround will require some substantial development.
- Lloyd Adams, Mar 14, 2019, Iron Contributor
Turns out it was a GP issue. The engineer involved thought it was correct, but the policies in question were being overwritten. Thanks for your help anyway.
- Mar 13, 2019
Hi,
There are two things that control what kind of security events are collected.
The first is:
I have mentioned that previously. You have to be on Common at least.
The second setting is in your server or domain controller policy. You have to make sure that the audit policy on your computers logs logon and logoff events. If those events are present in the Windows Security event log and your setting is at the Common level, this will ingest logon/logoff events along with the other security events.
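The answer above separates two causes for missing logon/logoff events: the workspace-side collection level and the host-side audit policy. The following is an added diagnostic query (not part of the original thread) that tells the two apart from the workspace alone: a computer that heartbeats and delivers other security events but no 4624/4634/4647 almost certainly has an audit policy (or an overriding GPO) that is not emitting them, whereas a computer with no security events at all points at the agent, the solution or the tier. It assumes the standard Heartbeat and SecurityEvent tables; the 24-hour window is an assumption.

```kusto
// Added diagnostic, not code from the original thread.
// Assumes the Log Analytics agent writes Heartbeat and the Security & Audit
// solution writes SecurityEvent for the same Computer names.
let window = 24h;                        // assumed window
let agents = Heartbeat
    | where TimeGenerated > ago(window)
    | summarize LastHeartbeat = max(TimeGenerated) by Computer;
let secEvents = SecurityEvent
    | where TimeGenerated > ago(window)
    | summarize TotalSecurityEvents = count(),
                LogonLogoffEvents = countif(EventID in (4624, 4634, 4647))
      by Computer;
agents
| join kind=leftouter secEvents on Computer
| extend TotalSecurityEvents = coalesce(TotalSecurityEvents, 0),
         LogonLogoffEvents = coalesce(LogonLogoffEvents, 0)
| extend Diagnosis = case(
    LogonLogoffEvents > 0,
        "OK: logon/logoff events arriving",
    TotalSecurityEvents > 0,
        "Check host audit policy / GPO: other security events arrive but no 4624/4634/4647",
        "No security events at all: check agent, Security & Audit solution and pricing tier")
| project Computer, LastHeartbeat, TotalSecurityEvents, LogonLogoffEvents, Diagnosis
| order by LogonLogoffEvents asc, TotalSecurityEvents desc
```

Run it against the workspace that the non-Azure servers report to; the computers at the top of the result are the ones to check on the host side with auditpol and a Group Policy results report.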
- Lloyd Adams, Mar 13, 2019, Iron Contributor
So having subscribed to standard tier, I still don't get those results.
A few more details. I'm monitoring three non-Azure servers, and have successfully been recording events for the past 12 months, but not logon/logoff events, which I need to have.
The subscription also contains a number of Azure servers, but I do not want OMS or Security Center enabled on these.
In Security Center -> Security policy, I have turned on the Standard tier, but have disabled it for the VM resource type. It is enabled for SQL Servers and App Services (but we have none of these) in this subscription.
Still no logon/logoff events.
What am I missing?
- Feb 05, 2019
You will need the Standard tier in ASC to use the feature. This is stated on the pricing page:
https://azure.microsoft.com/en-us/pricing/details/security-center/
Security event collection and search
- Lloyd Adams, Feb 05, 2019, Iron Contributor
I understand that, but I just want confirmation that I need the Standard tier of Azure Security Center, and that I can't use the Free tier (of Azure Security Center).