Use OMS to check policy changes


We are using OMS with the new query language. We are trying to get a report from OMS when a policy change has been made in our Windows 2012 R2 Active Directory. Does anyone have some examples of how to make this query? The information that we want to get is what has been changed.

Probably we need to extend the information that will be sent to OMS.

Who can give me hints on how to do this?

2 Replies

This is a feature that has been requested: https://feedback.azure.com/forums/267889-log-analytics/suggestions/6519278-change-tracking-group-pol...

The only way you could do this at the moment would be to monitor the Sysvol folders for changes, but it would only be able to inform you that changes were made, not what was changed.


Hi Kent, thank you for this information. I will look for the requested feature and vote for it. I hope it will be possible in the future.

The first thing I need is to know when the audit policy changes. I look at event 4739. Then I need to check in AD what has been changed. It would be better if you could monitor every event for alerting.

// Look back 30 days; the second boundary (0d) is "now", so the upper bound is effectively a no-op
let timeframe = 30d;
let timeframetot = 0d;
SecurityEvent
| where TimeGenerated > ago(timeframe) and TimeGenerated < ago(timeframetot)
// 4739 = "Domain Policy was changed"
| where EventID == 4739
// EventData carries the raw event XML, so grouping on it keeps the change details in the result
| summarize count() by Computer, AccountType, Activity, TimeGenerated, EventData
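The query above returns the raw EventData XML as one column, so the reader still has to eyeball it to see what changed. The following query is an added example, not code from the thread or from Microsoft; it extends the same idea by also covering event 4719 ("System audit policy was changed", which is the audit-policy case the post asks about) and by parsing EventData into name/value pairs with parse_xml and mv-expand. Column names SecurityEvent, TimeGenerated, EventID, Computer, Activity and EventData come from the thread; Account is assumed to be the standard SecurityEvent column of that name, and the XML shape (an EventData element containing Data elements with a Name attribute) is the standard Windows event payload.

```kql
// Added example, not from the original post: list policy-change events with their parsed fields.
let timeframe = 30d;
SecurityEvent
| where TimeGenerated > ago(timeframe)
// 4739 = Domain Policy was changed, 4719 = System audit policy was changed
| where EventID in (4719, 4739)
// EventData is the event's XML payload; parse it into a dynamic object
| extend Parsed = parse_xml(EventData)
// Each <Data Name="..."> element becomes one row
| mv-expand Field = Parsed.EventData.Data
| extend FieldName = tostring(Field["@Name"]), FieldValue = tostring(Field["#text"])
// Fold the name/value pairs back into one readable list per event
| summarize ChangedFields = make_list(strcat(FieldName, "=", FieldValue))
    by TimeGenerated, Computer, EventID, Activity, Account
| order by TimeGenerated desc
```

Because the fields are already broken out, the same query can be saved as a Log Analytics alert rule with a threshold of one result, which gives the per-event alerting the post asks for without having to inspect the XML by hand.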