The purpose of this post is to show how you can collect and query security events of interest from Windows servers. To do this we will use:
As an example, we are going to collect 4624 (An account was successfully logged on) events from multiple machines. This event is generated on the destination machine when a logon session is created and can be used to audit for NTLM authentication. See the link below for more details:
How to audit use of NTLMv1 on a Windows Server-based domain controller - https://support.microsoft.com/en-ca/help/4090105
Kusto is a big-data engine for log and telemetry search and analytics, and powers Azure Log Analytics along with many other Microsoft products, such as Azure Application Insights, Azure Time Series Insights, Azure Security Center, and more. Use this link to learn more about the query language.
The fact that the NTLMv1 response generation uses the relatively weak DES encryption algorithm and a fixed-length 16-byte random number makes it highly susceptible to brute-force attacks. In comparison, the NTLMv2 response uses the stronger HMAC-MD5 algorithm and a challenge of variable length.
To put it into perspective, NTLMv2 was introduced in Windows NT 4.0 SP4.
See links at the bottom of the page for more information.
For Azure Security Center to collect the data we need, you will need to configure Standard tiering. This can be done in one of three different ways:
Data collection from the source machines is done using the Microsoft Monitoring Agent (MMA), the installation of which can be done in several different ways:
Use the Pricing calculator (https://azure.microsoft.com/en-ca/pricing/calculator/) to configure and estimate costs.
The steps in https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows show how to install and configure the Microsoft Monitoring agent manually.
Use Group Policy Objects to enable subcategory-level auditing on the machines:
| Policy | Setting: Domain Controllers | Setting: non-Domain Controllers |
| --- | --- | --- |
| Account Logon | | |
| Audit Credential Validation | Success, Failure | Success, Failure |
| Audit Kerberos Authentication Service | Failure | |
| Audit Kerberos Service Ticket Operations | Failure | |
| Account Management | | |
| Audit Computer Account Management | Success, Failure | Success |
| Audit Other Account Management Events | Success, Failure | Success, Failure |
| Audit Security Group Management | Success, Failure | Success, Failure |
| Audit User Account Management | Success, Failure | Success, Failure |
| Detailed Tracking | | |
| Audit Process Creation | Success | Success |
| DS Access | | |
| Audit Directory Service Access | Success, Failure | |
| Audit Directory Service Changes | Success, Failure | |
| Logon/Logoff | | |
| Audit Account Lockout | Success | Success |
| Audit Logoff | Success | Success |
| Audit Logon | Success, Failure | Success, Failure |
| Audit Special Logon | Success | Success |
| Policy Change | | |
| Audit Audit Policy Change | Success, Failure | Success, Failure |
| Audit Authentication Policy Change | Success | Success |
| Privilege Use | | |
| Audit Sensitive Privilege Use | Success, Failure | Success, Failure |
| System | | |
| Audit IPsec Driver | Success, Failure | Success, Failure |
| Audit Other System Events | Success, Failure | Success, Failure |
| Audit Security State Change | Success, Failure | Success, Failure |
| Audit Security System Extension | Success, Failure | Success, Failure |
| Audit System Integrity | Success, Failure | Success, Failure |
Note:
As mentioned earlier, the recommended option is to enable Standard tiering for both the subscription and for the workspace. This ensures you receive recommendations on resources other than just virtual machines. The subsections below show both.
You will be billed (Number of VMs) * $15 per month (or, more correctly, (Number of VMs) * $0.02 per hour). Only powered-on VMs are billed, and billing is hourly.
Note:
These security event sets are available only on Security Center's Standard tier.
To see a list of events collected see Data collection in Azure Security Center - https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection#data-c...
Disable any resource types that you do not want to collect data for, and then click Save.
Under the Log Analytics Workspace -> Logs, type the queries and click Run.
The following query counts the successful user logons (event 4624) of the last 7 days by account, computer, source IP address and authentication package, and sorts the result by count:
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4624 and AccountType == "User"
| summarize count() by Account, Computer, IpAddress, AuthenticationPackageName
| sort by count_
The following query lists only the logons that used the NTLM authentication package, newest first, together with the logon type, the NTLM package name and the logon process, which are the fields needed to audit which NTLM version was used:
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4624 and AccountType == "User" and AuthenticationPackageName == "NTLM"
| project EventID, TimeGenerated, Account, Computer, IpAddress, LogonType, AuthenticationPackageName, LmPackageName, LogonProcessName
| sort by TimeGenerated desc nulls last
The columns in the query correspond to the XML data fields in the event as shown below.
Remember that events logged for "ANONYMOUS LOGON" can be ignored when you assess security protocol usage.
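As an added example (not part of the original post), the following Python flattens a 4624 event's XML into the same columns the queries above use and applies the two rules from this section: only NTLM logons count, and "ANONYMOUS LOGON" is ignored. The sample event is constructed, and the DOMAIN\user form of the Account column is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# SecurityEvent column -> EventData field name in a 4624 event (same name in both).
FIELD_MAP = {
    "IpAddress": "IpAddress",
    "LogonType": "LogonType",
    "AuthenticationPackageName": "AuthenticationPackageName",
    "LmPackageName": "LmPackageName",
    "LogonProcessName": "LogonProcessName",
}

def parse_4624(xml_text):
    """Flatten one 4624 event XML into a dict keyed by the query columns."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    row = {
        "EventID": int(system.find("e:EventID", NS).text),
        "TimeGenerated": system.find("e:TimeCreated", NS).get("SystemTime"),
        "Computer": system.find("e:Computer", NS).text,
        # Assumption: Account is DOMAIN\user, built from two EventData fields.
        "Account": f"{data.get('TargetDomainName', '')}\\{data.get('TargetUserName', '')}",
    }
    for column, field in FIELD_MAP.items():
        row[column] = data.get(field, "")
    return row

def ntlm_finding(row):
    """Return 'NTLMv1', 'NTLMv2' or None (not NTLM, or an anonymous logon to ignore)."""
    if row["EventID"] != 4624 or row["AuthenticationPackageName"] != "NTLM":
        return None
    if row["Account"].upper().endswith("ANONYMOUS LOGON"):
        return None
    # LmPackageName carries "NTLM V1" or "NTLM V2" for NTLM logons.
    return {"NTLM V1": "NTLMv1", "NTLM V2": "NTLMv2"}.get(row["LmPackageName"])

# Constructed sample (not a real capture): an NTLMv1 network logon from 10.0.0.5.
SAMPLE_4624 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2019-05-01T10:00:00.000Z"/>
    <Computer>FS01.contoso.local</Computer></System>
  <EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="LogonType">3</Data><Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data><Data Name="LmPackageName">NTLM V1</Data>
    <Data Name="IpAddress">10.0.0.5</Data></EventData>
</Event>"""
```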
Log Analytics supports several exporting methods:
Once you have created a useful query, you might want to save it or share with others. The Save icon is on the top bar.
The Query Explorer icon is at the top-right area. This lists all saved queries by category. It also enables you to mark specific queries as Favorites to quickly find them in the future. Double-click a saved query to add it to the current window.
There you have it – we configured Azure Security Center to collect events from Windows servers, stored them in a Log Analytics workspace and used KQL to query the saved logs to audit NTLM authentication.
You can extend this to cover a wide range of auditable events. See https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor for one such list.