SOLVED

OMS query for ad login and log offs

Connor Bescos
New Contributor

Hi all,

 

Installed log analytics on a domain controller.  Hoping to use it to build a quick dashboard for user logon and log off times.

 

Can we do this and can anyone point me in the right direction for the query to run?

12 Replies
Solution

Hi,

In order to monitor security events you will need to deploy the Security & Audit solution. Keep in mind that since Ignite 2017 that solution is now part of Azure Security Center rather than Log Analytics, which means separate pricing. Azure Security Center uses the Log Analytics platform for storing data. Once you deploy and configure the Security & Audit solution there are two simple queries that you can use to see that data:

Logged off accounts:

SecurityEvent
| where EventID == 4634   // 4634: an account was logged off
| sort by TimeGenerated desc

Logged on users:

SecurityEvent
| where EventID == 4624   // 4624: an account was successfully logged on
| sort by TimeGenerated desc

These are single events and there are more additional events related to those. Sources:

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logoff

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon

 

The Security & Audit solution contains some dashboards related to logons and logoffs.

You also cannot gather security logs without actually using the Security & Audit solution.

Hope this helps!
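The two queries above list the raw 4624 and 4634 events separately. As an added example (not from the thread or from Microsoft), the query below pairs each interactive logon with its logoff on the same TargetLogonId to produce per-session durations for a dashboard; it assumes the SecurityEvent table populated by the Security & Audit solution and the standard column names of that table.

```kusto
// Added example: pair logon (4624) with logoff (4634) by TargetLogonId.
// Assumes the SecurityEvent table and its standard columns
// (Computer, Account, AccountType, LogonType, TargetLogonId).
// Caveat: a 4624 on a domain controller for a workstation logon is a
// network logon (LogonType 3); the interactive logon is recorded on the
// workstation itself, so collect from those machines for desk sessions.
let window = 7d;
let logons = SecurityEvent
    | where TimeGenerated > ago(window)
    | where EventID == 4624
    | where AccountType == "User"
    | where LogonType in (2, 10, 11)   // interactive, RDP, cached interactive
    | project Computer, Account, TargetLogonId, LogonType,
              LogonTime = TimeGenerated;
let logoffs = SecurityEvent
    | where TimeGenerated > ago(window)
    | where EventID == 4634
    | project Computer, TargetLogonId, LogoffTime = TimeGenerated;
logons
| join kind=leftouter logoffs on Computer, TargetLogonId
// Sessions still open have no matching 4634 and show an empty LogoffTime.
| extend SessionDuration = LogoffTime - LogonTime
| project LogonTime, LogoffTime, SessionDuration, Computer, Account, LogonType
| sort by LogonTime desc
```

A user-initiated logoff also raises 4647 shortly before the 4634; the 4634 still carries the matching TargetLogonId, so the join above is sufficient for session length.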


Isn't it a bit outrageous to remove SecurityEvents from Azure Log Analytics and force the customers to purchase another solution (Security & Audit) in order to centralize logging of security-related events? I mean, the customer can still do it with Application and System logs.

 

I want to state that I am not and do not work for Microsoft. There was never an ability to gather security events without the Security and Audit solution (now ASC), so nothing was removed. That is just the history without me taking any side.

I'm surprised that this is not all or nothing. I can see a small set of security events (e.g. 4663, 4985), but in no way all of them, and definitely not the 'interesting' ones. Is this simply an oversight? (In fact, 4663 is causing severe per-node overage and costing us money, so I'd like to stop them being processed. Only having access to the reporting side of things, I don't know if this is even possible.)


Hi,

In ASC you have 4 options for setting which events are gathered:

- All Events
- Common
- Minimal
- None

https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection#data-collection-tier

Additionally, on your Windows servers you can configure your audit policy in order to log only certain security events. That way ASC will gather only those that are generated.

This is expensive as you are onboarding to Azure Security Center which has many other features besides just gathering security events.


Probably a daft question, but is security event ingestion and analysis from an on-premise Windows server only possible with the Standard tier, or could I get away with the free tier?


Ingesting Windows security events is part of Azure Security Center and there is no way to make that data count as regular data. Of course there is the possibility of using some automation to fetch those events on your own and upload them via the data ingestion API, but that workaround will require some substantial development.


I understand that, but I just want confirmation that I need the Standard tier of Azure Security Center, and that I can't use the free tier (of Azure Security Center).


You will need the Standard tier in ASC to use the feature. This is stated on the pricing page:

https://azure.microsoft.com/en-us/pricing/details/security-center/

Security event collection and search


So, having subscribed to the Standard tier, I still don't get those results.

 

A few more details. I'm monitoring three non-Azure servers, and have successfully been recording events for the past 12 months, but not logon/logoff events, which I need to have.

 

The subscription also contains a number of Azure servers, but I do not want OMS or security centre enabled on these. 

 

In Security Center -> Security policy, I have turned on the Standard tier, but have disabled it for the VM resource type. It is enabled for SQL Servers and App Services (but we have none of these) in this subscription.

 

Still no logon/logoff events.

 

What am I missing?


Hi,

There are two things that control what kind of security events are collected.

The first is:

https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection#workspace-configuration

I have mentioned that previously. You have to be on Common at least.

The second setting is in your server or domain controller policy. You have to make sure that the audit policy on your computers logs logon and logoff events. If those events are present in the Windows Security event log and your setting is at the Common level, this would ingest logon/logoff events along with the other security events.
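Before blaming the collection tier or the audit policy, it helps to see which reporting agents are sending no logon/logoff events at all. The query below is an added diagnostic (not from the thread or from Microsoft) that lists every Windows machine with a recent Heartbeat next to the count of logon/logoff events received from it; it assumes the Heartbeat and SecurityEvent tables with their standard columns.

```kusto
// Added example: find agents that heartbeat but deliver no logon/logoff events.
// Assumes the Heartbeat table (OSType column) and the SecurityEvent table.
// A row with LogonEvents == 0 points at the audit policy on that machine or
// at a data collection tier below Common, not at the query.
let lookback = 24h;
let reporting = Heartbeat
    | where TimeGenerated > ago(lookback)
    | where OSType == "Windows"
    | summarize LastHeartbeat = max(TimeGenerated) by Computer;
let logonEvents = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID in (4624, 4634, 4647)   // logon, logoff, user-initiated logoff
    | summarize LogonEvents = count(), LastLogonEvent = max(TimeGenerated) by Computer;
reporting
| join kind=leftouter logonEvents on Computer
| extend LogonEvents = coalesce(LogonEvents, 0)   // unmatched machines get 0
| project Computer, LastHeartbeat, LogonEvents, LastLogonEvent
| sort by LogonEvents asc, Computer asc
```

Machines at the top of the result are the ones to check with the two settings described above; if every machine shows zero, the workspace-level setting is the more likely cause.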


Turns out it was a GP issue. The engineer involved thought it was correct, but the policies in question were being overwritten. Thanks for your help anyway.
