%3CLINGO-SUB%20id%3D%22lingo-sub-1077045%22%20slang%3D%22en-US%22%3EUsing%20Azure%20Security%20Center%20and%20Log%20Analytics%20to%20Audit%20Use%20of%20NTLM%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1077045%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20purpose%20of%20this%20post%20is%20to%20show%20how%20you%20can%20collect%20and%20query%20security%20events%20of%20interest%20from%20Windows%20servers.%20To%20do%20this%20we%20will%20use%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EAzure%20Security%20Center%20to%20collect%20events%3C%2FLI%3E%0A%3CLI%3ELog%20Analytics%20Workspace%20to%20store%20events%3C%2FLI%3E%0A%3CLI%3EKusto%20query%20language%20to%20query%20stored%20events%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20an%20example%2C%20we%20are%20going%20to%20collect%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fauditing%2Fevent-4624%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3E4624%3C%2FA%3E%20(An%20account%20was%20successfully%20logged%20on)%20events%20from%20multiple%20machines.%20This%20event%20is%20generated%20on%20the%20destination%20machine%20when%20a%20logon%20session%20is%20created%20and%20can%20be%20used%20to%20audit%20for%20NTLM%20authentication.%20See%20the%20link%20below%20for%20more%20details%3A%3C%2FP%3E%0A%3CP%3EHow%20to%20audit%20use%20of%20NTLMv1%20on%20a%20Windows%20Server-based%20domain%20controller%20-%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-ca%2Fhelp%2F4090105%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-ca%2Fhelp%2F4090105%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-1059594554%22%20id%3D%22toc-hId-1059594554%22%3EWhat%20is%20Kusto%3F%3C%2FH3%3E%0A%3CP%3EKusto%20is%20a%20big-data%20engine%20for%20log%20and%20telemetry%20search%20and%20analytics%2C%20and%20powers%20Azure%20Log%20Analytics%20along%20with%20many%20other%20Microsoft%20products%2C%20such%20as%20Azure%20Application%20Insights%2C%20Azure%20Time%20Series%20Insights%2C%20Azure%20Security%20Center%2C%20and%20more.%20Use%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fkusto%2Fconcepts%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%3C%2FA%3E%20link%20to%20learn%20more%20about%20the%20query%20language.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--747859909%22%20id%3D%22toc-hId--747859909%22%3EWhy%20audit%20for%20NTLMv1%3F%3C%2FH3%3E%0A%3CP%3EThe%20fact%20that%20the%20NTLMv1%20response%20generation%20uses%20the%20relatively%20weak%20DES%20encryption%20algorithm%20and%20a%20fixed-length%2016-byte%20random%20number%20makes%20it%20highly%20susceptible%20to%20brute-force%20attacks.%20In%20comparison%2C%20the%20NTLMv2%20response%20uses%20the%20stronger%20HMAC-MD5%20algorithm%20and%20a%20challenge%20of%20variable%20length.%3C%2FP%3E%0A%3CP%3ETo%20put%20it%20into%20perspective%2C%20NTLM%3CSTRONG%3E%3CEM%3Ev2%3C%2FEM%3E%3C%2FSTRONG%3E%20was%20introduced%20in%20Windows%20NT%204.0%20SP4%3C%2FP%3E%0A%3CP%3ESee%20links%20at%20the%20bottom%20of%20the%20page%20for%20more%20information.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--758363013%22%20id%3D%22toc-hId--758363013%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22toc-hId-1729149820%22%20id%3D%22toc-hId-1729149820%22%3EDecisions%2C%20decisions!%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--1875256002%22%20id%3D%22toc-hId--1875256002%22%3EAzure%20Security%20Center%20Tiering%3C%2FH3%3E%0A%3CP%3EFor%20Azure%20Security%20Center%20to%20collect%20the%20data%20we%20need%2C%20you%20will%20need%20to%20configure%20%3CSTRONG%3EStandard%3C%2FSTRONG%3E%20tiering.%20This%20can%20be%20done%20in%20one%20of%20three%20different%20ways%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EAt%20the%20subscription%20%3CEM%3Ealone%3C%2FEM%3E%20%E2%80%93%20choose%20this%20option%20if%20you%20want%20to%20store%20the%20events%20in%20the%20workspace%20created%20by%20Security%20Center%2C%20and%20not%20in%20an%20existing%20workspace%3C%2FLI%3E%0A%3CLI%3EAt%20the%20Log%20Analytics%20Workspace%20%3CEM%3Ealone%3C%2FEM%3E%20-%20choose%20this%20option%20if%20the%20subscription%20contains%20multiple%20VMs%20and%20you%20only%20want%20Security%20Center%20to%20manage%20a%20subset%20of%20them%3C%2FLI%3E%0A%3CLI%3EBoth%3B%20the%20recommended%20option%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20504px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162753i6B392C9BF3E4886C%2Fimage-dimensions%2F504x282%3Fv%3D1.0%22%20width%3D%22504%22%20height%3D%22282%22%20alt%3D%22clipboard_image_0.png%22%20title%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-612256831%22%20id%3D%22toc-hId-612256831%22%3EMonitoring%20Agent%20Installation%3C%2FH3%3E%0A%3CP%3EData%20collection%20from%20the%20source%20machines%20is%20done%20using%20the%20Microsoft%20Monitoring%20Agent%20(MMA)%2C%20the%20installation%20of%20which%20can%20be%20done%20in%20several%20different%20ways%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EYou%20can%20enable%20Auto%20Provision%20on%20Security%20Center%20to%20automatically%20deploy%20the%20agent%20for%20your%20Azure%20VMs.%20This%20option%20ensures%20any%20new%20VMs%20are%20automatically%20onboarded%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20506px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162754iB9875DABA44321DA%2Fimage-dimensions%2F506x157%3Fv%3D1.0%22%20width%3D%22506%22%20height%3D%22157%22%20alt%3D%22clipboard_image_1.png%22%20title%3D%22clipboard_image_1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EEnable%20the%20Log%20Analytics%20VM%20Extension%3B%20this%20is%20the%20method%20shown%20below.%20See%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Flearn%2Fquick-collect-azurevm%23enable-the-log-analytics-vm-extension%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Flearn%2Fquick-collect-azurevm%23enable-the-log-analytics-vm-extension%3C%2FA%3E%20for%20more%20details.%3C%2FLI%3E%0A%3CLI%3EManually%20install%20the%20agent%20and%20configure%20it%20to%20report%20to%20the%20Log%20Analytics%20workspace%3B%20see%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-ca%2Fazure%2Fazure-monitor%2Fplatform%2Fagent-windows%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-ca%2Fazure%2Fazure-monitor%2Fplatform%2Fagent-windows%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--1195197632%22%20id%3D%22toc-hId--1195197632%22%3ECosts%3C%2FH3%3E%0A%3CUL%3E%0A%3CLI%3EStoring%20data%20in%20log%20analytics%20might%20incur%20additional%20charges%20for%20data%20storage.%3C%2FLI%3E%0A%3CLI%3EDepending%20on%20the%20number%20of%20resources%20being%20monitored%2C%20enabling%20Standard%20tiering%20in%20Security%20Center%20can%20lead%20to%20additional%20costs.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EUse%20the%20Pricing%20calculator%20(%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-ca%2Fpricing%2Fcalculator%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fazure.microsoft.com%2Fen-ca%2Fpricing%2Fcalculator%2F%3C%2FA%3E)%20to%20configure%20and%20estimate%20costs.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1205700736%22%20id%3D%22toc-hId--1205700736%22%3EConnect%20Azure%20VMs%20to%20Log%20Analytics%20Workspace%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3ECreate%20a%20Log%20Analytics%20Workspace%20if%20you%20do%20not%20already%20have%20one.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162755i877FBAF3497DD35C%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_2.png%22%20title%3D%22clipboard_image_2.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3COL%20start%3D%222%22%3E%0A%3CLI%3EIn%20your%20list%20of%20Log%20Analytics%20workspaces%2C%20select%20the%20workspace%20created%20earlier.%3C%2FLI%3E%0A%3CLI%3EOn%20the%20left-hand%20menu%2C%20under%20%3CSTRONG%3EWorkspace%20Data%20Sources%3C%2FSTRONG%3E%2C%20select%20%3CSTRONG%3EVirtual%20machines%3C%2FSTRONG%3E.%3C%2FLI%3E%0A%3CLI%3EIn%20the%20list%20of%20%3CSTRONG%3EVirtual%20machines%3C%2FSTRONG%3E%2C%20select%20a%20virtual%20machine%20you%20want%20to%20install%20the%20agent%20on.%20Notice%20that%20the%20%3CSTRONG%3ELog%20Analytics%20connection%20status%3C%2FSTRONG%3E%20for%20the%20VM%20indicates%20that%20it%20is%20%3CSTRONG%3ENot%20connected%3C%2FSTRONG%3E.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20502px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162757iF24C1C0FC5E075DD%2Fimage-dimensions%2F502x452%3Fv%3D1.0%22%20width%3D%22502%22%20height%3D%22452%22%20alt%3D%22clipboard_image_3.png%22%20title%3D%22clipboard_image_3.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3COL%20start%3D%225%22%3E%0A%3CLI%3EIn%20the%20details%20for%20your%20virtual%20machine%2C%20select%20%3CSTRONG%3EConnect%3C%2FSTRONG%3E.%20The%20agent%20is%20automatically%20installed%20and%20configured%20for%20your%20Log%20Analytics%20workspace.%20This%20process%20takes%20a%20few%20minutes%2C%20during%20which%20time%20the%20%3CSTRONG%3EStatus%3C%2FSTRONG%3E%20shows%20%3CSTRONG%3EConnecting%3C%2FSTRONG%3E.%3C%2FLI%3E%0A%3CLI%3EAfter%20you%20install%20and%20connect%20the%20agent%2C%20the%20%3CSTRONG%3ELog%20Analytics%20connection%20status%3C%2FSTRONG%3E%20will%20be%20updated%20with%20%3CSTRONG%3EThis%20workspace%3C%2FSTRONG%3E.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162756i5A46B3E39E82CE8B%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_4.png%22%20title%3D%22clipboard_image_4.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1281812097%22%20id%3D%22toc-hId-1281812097%22%3EConnect%20Physical%20Servers%20to%20Log%20Analytics%20Workspace%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20steps%20in%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fagent-windows%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fagent-windows%3C%2FA%3E%20show%20how%20to%20install%20and%20configure%20the%20Microsoft%20Monitoring%20agent%20manually.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--525642366%22%20id%3D%22toc-hId--525642366%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22toc-hId--659327090%22%20id%3D%22toc-hId--659327090%22%3EConfigure%20Auditing%20on%20Servers%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EUse%20Group%20Policy%20Objects%20to%20enable%20subcategory-level%20auditing%20on%20the%20machines%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3EComputer%20Configuration%20%5C%20Policies%20%5C%20Windows%20Settings%20%5C%20Security%20Settings%20%5C%20Local%20Policies%20%5C%20Security%20Options%3C%2FLI%3E%0A%3CUL%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3EAudit%3A%20Shut%20down%20system%20immediately%20if%20unable%20to%20log%20security%20audits%20-%20Disabled%3C%2FLI%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3EAudit%3A%20Force%20audit%20policy%20subcategory%20settings%20(Windows%20Vista%20or%20later)%20to%20override%20audit%20policy%20category%20settings%20%E2%80%93%20Enabled%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3EComputer%20Configuration%20%5C%20Policies%20%5C%20Windows%20Settings%20%5C%20Security%20Settings%20%5C%20Advanced%20Audit%20Configuration%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%20width%3D%22536%22%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20rowspan%3D%222%22%20width%3D%22277%22%3E%3CP%3E%3CSTRONG%3EPolicy%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20colspan%3D%222%22%20width%3D%22259%22%3E%3CP%3E%3CSTRONG%3ESetting%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22115%22%3E%3CP%3E%3CSTRONG%3EDomain%20Controllers%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22144%22%3E%3CP%3E%3CSTRONG%3Enon-Domain%20Controllers%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20colspan%3D%223%22%20width%3D%22536%22%3E%3CP%3E%3CSTRONG%3EAccount%20Logon%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22277%22%3E%3CP%3EAudit%20Credential%20Validation%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22115%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22144%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22277%22%3E%3CP%3EAudit%20Kerberos%20Authentication%20Service%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22115%22%3E%3CP%3EFailure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22144%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22277%22%3E%3CP%3EAudit%20Kerberos%20Service%20Ticket%20Operations%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22115%22%3E%3CP%3EFailure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22144%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20colspan%3D%223%22%20width%3D%22536%22%3E%3CP%3E%3CSTRONG%3EAccount%20Management%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22277%22%3E%3CP%3EAudit%20Computer%20Account%20Management%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22115%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22144%22%3E%3CP%3ESuccess%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22277%22%3E%3CP%3EAudit%20Other%20Account%20Management%20Events%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22115%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22144%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22277%22%3E%3CP%3EAudit%20Security%20Group%20Management%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22115%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22144%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22277%22%3E%3CP%3EAudit%20User%20Account%20Management%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22115%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22144%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20colspan%3D%223%22%20width%3D%22536%22%3E%3CP%3E%3CSTRONG%3EDetailed%20Tracking%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22277%22%3E%3CP%3EAudit%20Process%20Creation%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22115%22%3E%3CP%3ESuccess%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22144%22%3E%3CP%3ESuccess%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20colspan%3D%223%22%20width%3D%22536%22%3E%3CP%3E%3CSTRONG%3EDS%20Access%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22277%22%3E%3CP%3EAudit%20Directory%20Service%20Access%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22115%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22144%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22277%22%3E%3CP%3EAudit%20Directory%20Service%20Changes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22115%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22144%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20colspan%3D%223%22%20width%3D%22536%22%3E%3CP%3E%3CSTRONG%3ELogon%2FLogoff%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22277%22%3E%3CP%3EAudit%20Account%20Lockout%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22115%22%3E%3CP%3ESuccess%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22144%22%3E%3CP%3ESuccess%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22277%22%3E%3CP%3EAudit%20Logoff%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22115%22%3E%3CP%3ESuccess%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22144%22%3E%3CP%3ESuccess%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22277%22%3E%3CP%3EAudit%20Logon%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22115%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22144%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22277%22%3E%3CP%3EAudit%20Special%20Logon%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22115%22%3E%3CP%3ESuccess%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22144%22%3E%3CP%3ESuccess%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20colspan%3D%223%22%20width%3D%22536%22%3E%3CP%3E%3CSTRONG%3EPolicy%20Change%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22277%22%3E%3CP%3EAudit%20Audit%20Policy%20Change%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22115%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22144%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22277%22%3E%3CP%3EAudit%20Authentication%20Policy%20Change%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22115%22%3E%3CP%3ESuccess%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22144%22%3E%3CP%3ESuccess%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20colspan%3D%223%22%20width%3D%22536%22%3E%3CP%3E%3CSTRONG%3EPrivilege%20Use%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22277%22%3E%3CP%3EAudit%20Sensitive%20Privilege%20Use%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22115%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22144%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20colspan%3D%223%22%20width%3D%22536%22%3E%3CP%3E%3CSTRONG%3ESystem%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22277%22%3E%3CP%3EAudit%20IPsec%20Driver%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22115%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22144%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22277%22%3E%3CP%3EAudit%20Other%20System%20Events%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22115%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22144%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22277%22%3E%3CP%3EAudit%20Security%20State%20Change%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22115%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22144%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22277%22%3E%3CP%3EAudit%20Security%20System%20Extension%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22115%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22144%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22277%22%3E%3CP%3EAudit%20System%20Integrity%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22115%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22144%22%3E%3CP%3ESuccess%2C%20Failure%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENote%3A%20%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EEnsure%20the%20event%20logs%20on%20your%20servers%20are%20sized%20correctly%20so%20that%20they%20are%20not%20rolled%20over%20too%20quickly%20by%20enabling%20additional%20audit%20logging.%3C%2FLI%3E%0A%3CLI%3EUse%20the%20command%20%3CSTRONG%3EAuditPol%20%2Fget%20%2Fcategory%3A*%3C%2FSTRONG%3E%20locally%20on%20a%20server%20to%20verify%20that%20the%20right%20audit%20policy%20is%20being%20applied.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1828185743%22%20id%3D%22toc-hId-1828185743%22%3EData%20collection%20in%20Azure%20Security%20Center%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EUnder%20the%20Security%20Center%20main%20menu%2C%20select%20Pricing%20%26amp%3B%20settings.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20507px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162758i49BA1839D013B058%2Fimage-dimensions%2F507x222%3Fv%3D1.0%22%20width%3D%22507%22%20height%3D%22222%22%20alt%3D%22clipboard_image_5.png%22%20title%3D%22clipboard_image_5.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20mentioned%20earlier%2C%20the%20recommended%20option%20is%20to%20enable%20Standard%20tiering%20for%20both%20the%20subscription%20and%20for%20the%20workspace.%20This%20ensures%20you%20receive%20recommendations%20on%20resources%20other%20than%20just%20virtual%20machines.%20The%20subsections%20below%20show%20both.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-149813999%22%20id%3D%22toc-hId-149813999%22%3EWorkspace%20Configuration%3C%2FH3%3E%0A%3COL%20start%3D%222%22%3E%0A%3CLI%3ESelect%20the%20desired%20Workspace%20in%20which%20you%20intend%20to%20connect%20the%20agent%20and%20select%20%3CSTRONG%3EStandard%3C%2FSTRONG%3E%20pricing%20tier.%20Click%20Save.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EYou%20will%20be%20billed%20(Number%20of%20VMs)%20*%20%2415%20per%20month%20(or%2C%20more%20correctly%2C%20(Number%20of%20VMs)%20*%20%240.02%20per%20hour.%20Only%20powered-on%20VMs%20are%20billed%2C%20and%20billing%20is%20hourly.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20504px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162761i82D7B974E1B5710C%2Fimage-dimensions%2F504x257%3Fv%3D1.0%22%20width%3D%22504%22%20height%3D%22257%22%20alt%3D%22clipboard_image_6.png%22%20title%3D%22clipboard_image_6.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%20start%3D%223%22%3E%0A%3CLI%3ESelect%20the%20appropriate%20data%20collection%20tier.%20%3CSTRONG%3ECommon%3C%2FSTRONG%3E%20provides%20a%20full%20user%20audit%20trail%20in%20this%20set.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20506px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162759iBADEB04B52205C6E%2Fimage-dimensions%2F506x215%3Fv%3D1.0%22%20width%3D%22506%22%20height%3D%22215%22%20alt%3D%22clipboard_image_7.png%22%20title%3D%22clipboard_image_7.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENote%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThese%20security%20events%20sets%20are%20available%20only%20on%20Security%20Center%E2%80%99s%20Standard%20tier.%3C%2FP%3E%0A%3CP%3ETo%20see%20a%20list%20of%20events%20collected%20see%20Data%20collection%20in%20Azure%20Security%20Center%20-%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fsecurity-center-enable-data-collection%23data-collection-tier%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fsecurity-center-enable-data-collection%23data-collection-tier%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20506px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162760iC25EB8C97EB44860%2Fimage-dimensions%2F506x239%3Fv%3D1.0%22%20width%3D%22506%22%20height%3D%22239%22%20alt%3D%22clipboard_image_8.png%22%20title%3D%22clipboard_image_8.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--1657640464%22%20id%3D%22toc-hId--1657640464%22%3ESubscription%20configuration%3C%2FH3%3E%0A%3COL%20start%3D%224%22%3E%0A%3CLI%3ESelect%20the%20applicable%20Subscription%20and%20select%20%3CSTRONG%3EStandard%3C%2FSTRONG%3E%20pricing%20tier.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EDisable%20any%20resource%20types%20that%20you%20do%20not%20want%20to%20collect%20data%20for%2C%20and%20then%20click%20%3CSTRONG%3ESave%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20505px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162763i22E7A77268731DC7%2Fimage-dimensions%2F505x306%3Fv%3D1.0%22%20width%3D%22505%22%20height%3D%22306%22%20alt%3D%22clipboard_image_9.png%22%20title%3D%22clipboard_image_9.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%20start%3D%225%22%3E%0A%3CLI%3E%3CEM%3E%3CU%3EIf%20you%20did%20not%20want%20to%3C%2FU%3E%3C%2FEM%3E%20manually%20connect%20the%20VMs%20to%20the%20workspace%2C%20enable%20auto-provisioning%20on%20Security%20Center%20to%20automatically%20deploy%20the%20agent%20for%20your%20Azure%20VMs.%20This%20is%20done%20under%20the%20%3CSTRONG%3EData%20Collection%3C%2FSTRONG%3E%20node%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20506px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162762i7B743E6A2167DA2E%2Fimage-dimensions%2F506x472%3Fv%3D1.0%22%20width%3D%22506%22%20height%3D%22472%22%20alt%3D%22clipboard_image_10.png%22%20title%3D%22clipboard_image_10.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-700789650%22%20id%3D%22toc-hId-700789650%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22toc-hId--1106664813%22%20id%3D%22toc-hId--1106664813%22%3EVerify%20Data%20Collection%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EClick%20on%20the%20Log%20Analytics%20Workspace%20-%26gt%3B%20%3CSTRONG%3ELogs%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3CLI%3EIn%20the%20query%20pane%2C%20expand%20%3CSTRONG%3ESecurity%3C%2FSTRONG%3E%2C%20click%20on%20the%20icon%20to%20the%20right%20of%20%3CSTRONG%3ESecurityEvent%3C%2FSTRONG%3E%20to%20show%20sample%20records%20from%20the%20table%3C%2FLI%3E%0A%3CLI%3EClick%20%3CSTRONG%3ERun%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20509px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162764i5D28FCD5DEF111D4%2Fimage-dimensions%2F509x206%3Fv%3D1.0%22%20width%3D%22509%22%20height%3D%22206%22%20alt%3D%22clipboard_image_11.png%22%20title%3D%22clipboard_image_11.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%20start%3D%224%22%3E%0A%3CLI%3EThis%20is%20a%20common%20way%20to%20take%20a%20glance%20at%20a%20table%20and%20understand%20its%20structure%20and%20content.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CH2%20id%3D%22toc-hId-1380848020%22%20id%3D%22toc-hId-1380848020%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22toc-hId--426606443%22%20id%3D%22toc-hId--426606443%22%3ELog%20Query%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EUnder%20the%20Log%20Analytics%20Workspace%20-%26gt%3B%20%3CSTRONG%3ELogs%3C%2FSTRONG%3E%2C%20type%20the%20queries%20and%20click%20%3CSTRONG%3ERun%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20509px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162766i8342E8F8F64C7A5A%2Fimage-dimensions%2F509x313%3Fv%3D1.0%22%20width%3D%22509%22%20height%3D%22313%22%20alt%3D%22clipboard_image_12.png%22%20title%3D%22clipboard_image_12.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--2104978187%22%20id%3D%22toc-hId--2104978187%22%3ESummarizing%20list%20of%20events%3C%2FH3%3E%0A%3CP%3EThe%20following%20query%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3Ereturns%20all%20events%20logged%20over%20the%20past%207%20days%3C%2FLI%3E%0A%3CLI%3Ewith%20ID%204624%20and%20by%20a%20user%20account%3C%2FLI%3E%0A%3CLI%3Egroups%20them%20by%20the%20Account%2CComputer%2C%20IpAddress%20and%20AuthenticationPackageName%20fields%3C%2FLI%3E%0A%3CLI%3Eand%20sorts%20them%20by%20decreasing%20order%20of%20the%20number%20of%20results%20in%20each%20group.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ESecurityEvent%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%7C%20where%20TimeGenerated%20%26gt%3B%20ago(7d)%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%7C%20where%20EventID%20%3D%3D%204624%20and%20AccountType%20%3D%3D%20%22User%22%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%7C%20summarize%20count()%20by%20Account%2C%20Computer%2C%20IpAddress%2C%20AuthenticationPackageName%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%7C%20sort%20by%20count_%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20506px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162765iEF472880D618B20A%2Fimage-dimensions%2F506x556%3Fv%3D1.0%22%20width%3D%22506%22%20height%3D%22556%22%20alt%3D%22clipboard_image_13.png%22%20title%3D%22clipboard_image_13.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-382534646%22%20id%3D%22toc-hId-382534646%22%3ESelecting%20specific%20columns%3C%2FH3%3E%0A%3CP%3EThe%20following%20query%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3Ereturns%20all%20events%20logged%20over%20the%20past%207%20days%3C%2FLI%3E%0A%3CLI%3Ewith%20ID%204624%2C%20by%20a%20user%20account%20and%20NTLM%20is%20used%20for%20authentication%3C%2FLI%3E%0A%3CLI%3Especifies%20that%20the%20following%20columns%20be%20included%20in%20the%20result%3A%20EventID%2C%20TimeGenerated%2C%20Account%2C%20Computer%2C%20IpAddress%2C%20LogonType%2C%20AuthenticationPackageName%2C%20LmPackageName%2C%20LogonProcessName%3C%2FLI%3E%0A%3CLI%3Eand%20sorts%20them%20by%20decreasing%20order%20of%20TimeGenerated%20column%2C%20with%20null%20values%20placed%20at%20the%20end.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ESecurityEvent%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%7C%20where%20TimeGenerated%20%26gt%3B%20ago(7d)%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%7C%20where%20EventID%20%3D%3D%204624%20and%20AccountType%20%3D%3D%20%22User%22%20and%20AuthenticationPackageName%20%3D%3D%20%22NTLM%22%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%7C%20project%20EventID%2C%20TimeGenerated%2C%20Account%2C%20Computer%2C%20IpAddress%2C%20LogonType%2C%20AuthenticationPackageName%2C%20LmPackageName%2C%20LogonProcessName%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%7C%20sort%20by%20TimeGenerated%20desc%20nulls%20last%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20504px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162767iC2145531D30BE32F%2Fimage-dimensions%2F504x228%3Fv%3D1.0%22%20width%3D%22504%22%20height%3D%22228%22%20alt%3D%22clipboard_image_14.png%22%20title%3D%22clipboard_image_14.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EThe%20columns%20in%20the%20query%20correspond%20to%20the%20XML%20data%20fields%20in%20the%20event%20as%20shown%20below.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20501px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162770i24C3543D3FA3739B%2Fimage-dimensions%2F501x341%3Fv%3D1.0%22%20width%3D%22501%22%20height%3D%22341%22%20alt%3D%22clipboard_image_15.png%22%20title%3D%22clipboard_image_15.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERemember%2C%20you%20can%20ignore%20the%20event%20for%20security%20protocol%20usage%20information%20when%20the%20event%20is%20logged%20for%20%22ANONYMOUS%20LOGON%22.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20666px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162768iCA9D5FFE2CB5E646%2Fimage-dimensions%2F666x163%3Fv%3D1.0%22%20width%3D%22666%22%20height%3D%22163%22%20alt%3D%22clipboard_image_16.png%22%20title%3D%22clipboard_image_16.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--726757876%22%20id%3D%22toc-hId--726757876%22%3EExporting%20query%20data%3C%2FH3%3E%0A%3CP%3ELog%20Analytics%20supports%20several%20exporting%20methods%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EExcel%3A%20Save%20the%20results%20as%20a%20CSV%20file.%3C%2FLI%3E%0A%3CLI%3EPower%20BI%3A%20Export%20the%20results%20to%20Power%20BI.%3C%2FLI%3E%0A%3CLI%3EShare%20a%20link%3A%20The%20query%20itself%20can%20be%20shared%20as%20a%20link%20which%20can%20then%20be%20sent%20and%20executed%20by%20other%20users%20that%20have%20access%20to%20the%20same%20workspace.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20607px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162769iDC05515355F0FB21%2Fimage-dimensions%2F607x122%3Fv%3D1.0%22%20width%3D%22607%22%20height%3D%22122%22%20alt%3D%22clipboard_image_17.png%22%20title%3D%22clipboard_image_17.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-1760754957%22%20id%3D%22toc-hId-1760754957%22%3ESaving%20queries%3C%2FH3%3E%0A%3CP%3EOnce%20you%20have%20created%20a%20useful%20query%2C%20you%20might%20want%20to%20save%20it%20or%20share%20with%20others.%20The%20Save%20icon%20is%20on%20the%20top%20bar.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20606px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162772iBE8CB9AC60E4AED8%2Fimage-dimensions%2F606x153%3Fv%3D1.0%22%20width%3D%22606%22%20height%3D%22153%22%20alt%3D%22clipboard_image_18.png%22%20title%3D%22clipboard_image_18.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162771i711AA2D40D432BD4%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_19.png%22%20title%3D%22clipboard_image_19.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--46699506%22%20id%3D%22toc-hId--46699506%22%3ELoading%20saved%20queries%3C%2FH3%3E%0A%3CP%3EThe%20Query%20Explorer%20icon%20is%20at%20the%20top-right%20area.%20This%20lists%20all%20saved%20queries%20by%20category.%20It%20also%20enables%20you%20to%20mark%20specific%20queries%20as%20Favorites%20to%20quickly%20find%20them%20in%20the%20future.%20Double-click%20a%20saved%20query%20to%20add%20it%20to%20the%20current%20window.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20600px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162773iA33CF4BAE27BA201%2Fimage-dimensions%2F600x159%3Fv%3D1.0%22%20width%3D%22600%22%20height%3D%22159%22%20alt%3D%22clipboard_image_20.png%22%20title%3D%22clipboard_image_20.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThere%20you%20have%20it%20%E2%80%93%20we%20configured%20Azure%20Security%20Center%20to%20collect%20events%20from%20windows%20servers%2C%20store%20them%20on%20a%20Log%20Analytics%20Workspace%20and%20used%20KQL%26nbsp%3B%20to%20query%20the%20saved%20logs%20for%20audit%20for%20NTLM%20authentication.%3C%2FP%3E%0A%3CP%3EYou%20can%20extend%20this%20to%20cover%20a%20wide%20range%20of%20auditable%20events.%20See%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-ds%2Fplan%2Fappendix-l--events-to-monitor%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-ds%2Fplan%2Fappendix-l--events-to-monitor%3C%2FA%3E%20for%20one%20such%20list.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1983236688%22%20id%3D%22toc-hId--1983236688%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22toc-hId-504276145%22%20id%3D%22toc-hId-504276145%22%3EReferences%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EAzure%20Security%20Center%20frequently%20asked%20questions%20(FAQ)%20-%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fsecurity-center-faq%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fsecurity-center-faq%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3EOverview%20of%20log%20queries%20in%20Azure%20Monitor%20-%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Flog-query%2Flog-query-overview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Flog-query%2Flog-query-overview%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3EAzure%20Monitor%20log%20query%20examples%20-%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Flog-query%2Fexamples%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Flog-query%2Fexamples%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3ESecurity%20Watch%3A%20The%20Most%20Misunderstood%20Windows%20Security%20Setting%20of%20All%20Time%20-%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Ftechnet-magazine%2Fcc160954(v%3Dmsdn.10)%3Fredirectedfrom%3DMSDN%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Ftechnet-magazine%2Fcc160954(v%3Dmsdn.10)%3Fredirectedfrom%3DMSDN%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CUL%3E%0A%3CLI%3EStop%20using%20LAN%20Manager%20and%20NTLMv1%20-%20%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fmiriamxyra%2F2017%2F11%2F07%2Fstop-using-lan-manager-and-ntlmv1%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblogs.technet.microsoft.com%2Fmiriamxyra%2F2017%2F11%2F07%2Fstop-using-lan-manager-and-ntlmv1%2F%3C%2FA%3E%3CEM%3E%20(Content%20may%20be%20archived%3B%20if%20so%2C%20search%20TechNet%20and%20MSDN%20blog%20archive)%3C%2FEM%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CUL%3E%0A%3CLI%3EAuditing%20and%20restricting%20NTLM%20usage%20guide%20-%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2008-R2-and-2008%2Fjj865674(v%3Dws.10)%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2008-R2-and-2008%2Fjj865674(v%3Dws.10)%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1077045%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162791iCB953FF254034BF5%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%222019-12-20_165225.jpg%22%20title%3D%222019-12-20_165225.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EUse%20Azure%20Security%20Center%20and%20Log%20Analytics%20to%20store%20security%20events%20from%20Windows%20servers%20and%20KQL%20to%20query%20them%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1077045%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ELijuVarghese%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

The purpose of this post is to show how you can collect and query security events of interest from Windows servers. To do this we will use:

  • Azure Security Center to collect events
  • Log Analytics Workspace to store events
  • Kusto query language to query stored events

 

As an example, we are going to collect 4624 (An account was successfully logged on) events from multiple machines. This event is generated on the destination machine when a logon session is created and can be used to audit for NTLM authentication. See the link below for more details:

How to audit use of NTLMv1 on a Windows Server-based domain controller - https://support.microsoft.com/en-ca/help/4090105

 

What is Kusto?

Kusto is a big-data engine for log and telemetry search and analytics, and powers Azure Log Analytics along with many other Microsoft products, such as Azure Application Insights, Azure Time Series Insights, Azure Security Center, and more. Use this link to learn more about the query language.

 

 

Why audit for NTLMv1?

The fact that the NTLMv1 response generation uses the relatively weak DES encryption algorithm and a fixed-length 16-byte random number makes it highly susceptible to brute-force attacks. In comparison, the NTLMv2 response uses the stronger HMAC-MD5 algorithm and a challenge of variable length.

To put it into perspective, NTLMv2 was introduced in Windows NT 4.0 SP4

See links at the bottom of the page for more information.

 

Decisions, decisions!

 

Azure Security Center Tiering

For Azure Security Center to collect the data we need, you will need to configure Standard tiering. This can be done in one of three different ways:

  • At the subscription alone – choose this option if you want to store the events in the workspace created by Security Center, and not in an existing workspace
  • At the Log Analytics Workspace alone - choose this option if the subscription contains multiple VMs and you only want Security Center to manage a subset of them
  • Both; the recommended option

 

clipboard_image_0.png

 

Monitoring Agent Installation

Data collection from the source machines is done using the Microsoft Monitoring Agent (MMA), the installation of which can be done in several different ways:

  • You can enable Auto Provision on Security Center to automatically deploy the agent for your Azure VMs. This option ensures any new VMs are automatically onboarded

 

clipboard_image_1.png

 

Costs

  • Storing data in log analytics might incur additional charges for data storage.
  • Depending on the number of resources being monitored, enabling Standard tiering in Security Center can lead to additional costs.

Use the Pricing calculator (https://azure.microsoft.com/en-ca/pricing/calculator/) to configure and estimate costs.

 

Connect Azure VMs to Log Analytics Workspace

 

  1. Create a Log Analytics Workspace if you do not already have one.

 

clipboard_image_2.png

  1. In your list of Log Analytics workspaces, select the workspace created earlier.
  2. On the left-hand menu, under Workspace Data Sources, select Virtual machines.
  3. In the list of Virtual machines, select a virtual machine you want to install the agent on. Notice that the Log Analytics connection status for the VM indicates that it is Not connected.

clipboard_image_3.png

  1. In the details for your virtual machine, select Connect. The agent is automatically installed and configured for your Log Analytics workspace. This process takes a few minutes, during which time the Status shows Connecting.
  2. After you install and connect the agent, the Log Analytics connection status will be updated with This workspace.

 

clipboard_image_4.png

 

Connect Physical Servers to Log Analytics Workspace

 

The steps in https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows show how to install and configure the Microsoft Monitoring agent manually.

 

Configure Auditing on Servers

 

Use Group Policy Objects to enable subcategory-level auditing on the machines:

  • Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Local Policies \ Security Options
    • Audit: Shut down system immediately if unable to log security audits - Disabled
    • Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings – Enabled
  • Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Advanced Audit Configuration

 

Policy

Setting

Domain Controllers

non-Domain Controllers

Account Logon

Audit Credential Validation

Success, Failure

Success, Failure

Audit Kerberos Authentication Service

Failure

 

Audit Kerberos Service Ticket Operations

Failure

 

Account Management

Audit Computer Account Management

Success, Failure

Success

Audit Other Account Management Events

Success, Failure

Success, Failure

Audit Security Group Management

Success, Failure

Success, Failure

Audit User Account Management

Success, Failure

Success, Failure

Detailed Tracking

Audit Process Creation

Success

Success

DS Access

Audit Directory Service Access

Success, Failure

 

Audit Directory Service Changes

Success, Failure

 

Logon/Logoff

Audit Account Lockout

Success

Success

Audit Logoff

Success

Success

Audit Logon

Success, Failure

Success, Failure

Audit Special Logon

Success

Success

Policy Change

Audit Audit Policy Change

Success, Failure

Success, Failure

Audit Authentication Policy Change

Success

Success

Privilege Use

Audit Sensitive Privilege Use

Success, Failure

Success, Failure

System

Audit IPsec Driver

Success, Failure

Success, Failure

Audit Other System Events

Success, Failure

Success, Failure

Audit Security State Change

Success, Failure

Success, Failure

Audit Security System Extension

Success, Failure

Success, Failure

Audit System Integrity

Success, Failure

Success, Failure

 

Note:

  • Ensure the event logs on your servers are sized correctly so that they are not rolled over too quickly by enabling additional audit logging.
  • Use the command AuditPol /get /category:* locally on a server to verify that the right audit policy is being applied.

 

Data collection in Azure Security Center

 

  1. Under the Security Center main menu, select Pricing & settings.

 

clipboard_image_5.png

 

As mentioned earlier, the recommended option is to enable Standard tiering for both the subscription and for the workspace. This ensures you receive recommendations on resources other than just virtual machines. The subsections below show both.

 

Workspace Configuration

  1. Select the desired Workspace in which you intend to connect the agent and select Standard pricing tier. Click Save.

You will be billed (Number of VMs) * $15 per month (or, more correctly, (Number of VMs) * $0.02 per hour. Only powered-on VMs are billed, and billing is hourly.

 

clipboard_image_6.png

 

  1. Select the appropriate data collection tier. Common provides a full user audit trail in this set.

 

clipboard_image_7.png

 

Note:

These security events sets are available only on Security Center’s Standard tier.

To see a list of events collected see Data collection in Azure Security Center - https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection#data-c...

 

clipboard_image_8.png

 

Subscription configuration

  1. Select the applicable Subscription and select Standard pricing tier.

Disable any resource types that you do not want to collect data for, and then click Save.

 

clipboard_image_9.png

 

  1. If you did not want to manually connect the VMs to the workspace, enable auto-provisioning on Security Center to automatically deploy the agent for your Azure VMs. This is done under the Data Collection node

 

clipboard_image_10.png

 

Verify Data Collection

 

  1. Click on the Log Analytics Workspace -> Logs
  2. In the query pane, expand Security, click on the icon to the right of SecurityEvent to show sample records from the table
  3. Click Run

 

clipboard_image_11.png

 

  1. This is a common way to take a glance at a table and understand its structure and content.

 

Log Query

 

Under the Log Analytics Workspace -> Logs, type the queries and click Run.

clipboard_image_12.png

 

Summarizing list of events

The following query:

  • returns all events logged over the past 7 days
  • with ID 4624 and by a user account
  • groups them by the Account,Computer, IpAddress and AuthenticationPackageName fields
  • and sorts them by decreasing order of the number of results in each group.

 

SecurityEvent

| where TimeGenerated > ago(7d)

| where EventID == 4624 and AccountType == "User"

| summarize count() by Account, Computer, IpAddress, AuthenticationPackageName

| sort by count_

 

clipboard_image_13.png

 

Selecting specific columns

The following query:

  • returns all events logged over the past 7 days
  • with ID 4624, by a user account and NTLM is used for authentication
  • specifies that the following columns be included in the result: EventID, TimeGenerated, Account, Computer, IpAddress, LogonType, AuthenticationPackageName, LmPackageName, LogonProcessName
  • and sorts them by decreasing order of TimeGenerated column, with null values placed at the end.

 

SecurityEvent

| where TimeGenerated > ago(7d)

| where EventID == 4624 and AccountType == "User" and AuthenticationPackageName == "NTLM"

| project EventID, TimeGenerated, Account, Computer, IpAddress, LogonType, AuthenticationPackageName, LmPackageName, LogonProcessName

| sort by TimeGenerated desc nulls last

 

clipboard_image_14.png

The columns in the query correspond to the XML data fields in the event as shown below.

clipboard_image_15.png

 

Remember, you can ignore the event for security protocol usage information when the event is logged for "ANONYMOUS LOGON".

clipboard_image_16.png

 

Exporting query data

Log Analytics supports several exporting methods:

  • Excel: Save the results as a CSV file.
  • Power BI: Export the results to Power BI.
  • Share a link: The query itself can be shared as a link which can then be sent and executed by other users that have access to the same workspace.

clipboard_image_17.png

 

Saving queries

Once you have created a useful query, you might want to save it or share with others. The Save icon is on the top bar.

clipboard_image_18.png

 

clipboard_image_19.png

 

Loading saved queries

The Query Explorer icon is at the top-right area. This lists all saved queries by category. It also enables you to mark specific queries as Favorites to quickly find them in the future. Double-click a saved query to add it to the current window.

clipboard_image_20.png

 

There you have it – we configured Azure Security Center to collect events from windows servers, store them on a Log Analytics Workspace and used KQL  to query the saved logs for audit for NTLM authentication.

You can extend this to cover a wide range of auditable events. See https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor for one such list.

 

References