Forum Discussion
OMS query for ad login and log offs
- Feb 21, 2018
Hi,
In order to monitor security events you will need to deploy the Security & Audit solution. Keep in mind that since Ignite 2017 that solution is now part of Azure Security Center rather than Log Analytics, which means separate pricing. Azure Security Center uses the Log Analytics platform for storing data. Once you deploy and configure the Security & Audit solution there are two simple queries that you can use to see that data:
Logged off accounts:
SecurityEvent | where EventID == 4634 | sort by TimeGenerated desc
Logged on users:
SecurityEvent | where EventID == 4624 | sort by TimeGenerated desc
These are single events and there are additional events related to those. Sources:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logoff
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon
The Security & Audit solution contains some dashboards related to logins and logoffs.
You also cannot gather security logs without actually using the Security & Audit solution.
Hope this helps!
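The two queries in the reply above each list one event type on its own. The following is an added example, not part of the original post, that pairs each 4624 logon with its matching logoff on the same logon session ID so you get session durations and still-open sessions instead of two unrelated lists. It assumes the Security & Audit solution is populating the SecurityEvent table and that the standard SecurityEvent columns (TimeGenerated, EventID, Computer, Account, LogonType, IpAddress, TargetLogonId) are present; the 7-day lookback and the set of interactive logon types are assumptions you can change. Event 4647 (user-initiated logoff) is included alongside 4634 because the audit-logoff documentation linked above lists both.

```kql
// Added example, not from the original post. Assumes the SecurityEvent table is
// populated by the Security & Audit solution with its standard column names.
let lookback = 7d;                                 // assumption: adjust to taste
let interactiveTypes = dynamic([2, 7, 10, 11]);    // Interactive, Unlock, RemoteInteractive, CachedInteractive
let logons =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624
    | where LogonType in (interactiveTypes)        // drop noisy type 3 (network) and 5 (service) logons
    | project LogonTime = TimeGenerated, Computer, Account, LogonType, IpAddress, TargetLogonId;
let logoffs =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID in (4634, 4647)                // 4634 = session destroyed, 4647 = user-initiated logoff
    | project LogoffTime = TimeGenerated, Computer, TargetLogonId;
logons
| join kind=leftouter logoffs on Computer, TargetLogonId   // leftouter keeps sessions with no logoff yet
| extend StillLoggedOn = isnull(LogoffTime),
         SessionDuration = LogoffTime - LogonTime
| where StillLoggedOn or LogoffTime > LogonTime   // ignore a stale logoff that predates this logon's record
| sort by LogonTime desc
| project LogonTime, LogoffTime, SessionDuration, StillLoggedOn, Computer, Account, LogonType, IpAddress
```

The join key is the logon session ID (TargetLogonId) together with the computer, because logon IDs are only unique per machine and per boot. Rows with StillLoggedOn set to true are sessions that have a 4624 but no 4634/4647 inside the lookback window; unusually long SessionDuration values, or a large count of open sessions for one Account, are the things worth a second look.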
Hi,
In ASC you have 4 options for setting which events are gathered.
- All Events
- Common
- Minimal
- None
Additionally, on your Windows servers you can configure your audit policy in order to log only certain security events. That way ASC will gather only those that are generated.
This is expensive as you are onboarding to Azure Security Center which has many other features besides just gathering security events.
Probably a daft question, but is security event ingestion and analysis from an on premise Windows server only possible with the Standard tier, or could I get away with the free Tier?
- Feb 05, 2019
Ingesting Windows security events is part of Azure Security Center and there is no way to make that data count as regular data. Of course there is a possibility of using some automation to fetch those events on your own and upload them via the data ingestion API, but that workaround will require some substantial development.
- Lloyd Adams, Feb 05, 2019, Iron Contributor
I understand that, but I just want confirmation that I need Standard tier of Azure Security Center, and that I can't use the free Tier (of Azure Security Center).
- Feb 05, 2019
You will need the Standard tier in ASC to use the feature. This is stated on the pricing page:
https://azure.microsoft.com/en-us/pricing/details/security-center/
Security event collection and search