Microsoft Operations Management Suite (OMS) is an Azure cloud-based solution for managing and monitoring cloud and on-premises workloads without being tied to a specific vendor or operating system. OMS supports hybrid and multi-cloud environments, including Microsoft Azure, Amazon Web Services (AWS), OpenStack, Windows Server, Linux, and VMware.
Active Directory is the baseline directory service in many organizations. Beyond Microsoft's own services, many other applications and services depend on Active Directory as their identity provider. It is undoubtedly one of the most critical platforms in an organization, and it needs careful monitoring and auditing.
Why OMS for monitoring Active Directory
There are many tools to monitor and audit Active Directory operations. Tools such as SolarWinds and ManageEngine ADManager are more popular and provide detailed information on AD operations, but they are more sophisticated solutions with a higher licensing cost. I cannot say OMS is a better tool; it is simpler, but used correctly it can give you the same results as an enterprise tool.
OMS has four components: Log Analytics, Automation, Protection & Recovery, and Security & Compliance. These components can be used to monitor and manage various workloads, and OMS management solutions combine them to provide rich output. Currently, Microsoft provides two Active Directory related management solutions. Both come with Azure Log Analytics, the OMS component, so pricing applies only to Log Analytics. AD auditing can also be performed with Azure Log Analytics search queries. It is a rich language in which you can easily write a query that produces the desired output in a presentable form.
Before we start
Installing OMS Agent
The AD Health Check solution, formerly known as AD Assessment, is a set of health check assessments that run at regular intervals on domain controllers to identify issues and risks and to recommend improvements that bring the existing infrastructure up to Microsoft best practices.
It's free: you can use this solution with the free OMS Log Analytics tier of 7 days retention and 500 MB of data upload per day.
Log in to the OMS portal or the Azure portal, open the Solutions Gallery, select Active Directory Health Check, and click Install.
After a while, the data collected from the domain controllers is processed and shown in the Health Check solution. Click any error or recommendation that you need to correct.
Note: if you cannot see all the domain controllers, or data is not collected, open the registry editor on that DC and check whether AD Assessment has run and when it last ran. If you delete the LastExecuted registry value under the following key, AD Assessment runs again on that domain controller.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Management Groups\AOI-28d5fc07-da6e-43b2-8ef3-e1b9bd8cc180\Solutions\ADAssessment
The AOI-<workspace ID> segment is the agent's management group name for the workspace, so it differs in your environment.
The AD Replication Status solution analyzes the replication status of every connected domain controller. It helps you identify and troubleshoot AD replication issues.
It's free: you can use this solution with the free OMS Log Analytics tier of 7 days retention and 500 MB of data upload per day.
Log in to the OMS portal or the Azure portal, open the Solutions Gallery, select Active Directory Replication, and click Install.
After a while, the data collected from the domain controllers is processed and shown in the AD Replication solution. If there are no errors, each destination server is shown with no errors.
Note: if you cannot see all the domain controllers, or data is not collected, navigate to the following registry key and delete the LastExecuted value. The AD replication check runs again on that domain controller, and you will see a new LastExecuted value generated.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Management Groups\AOI-28d5fc07-da6e-43b2-8ef3-e1b9bd8cc180\Solutions\ADReplication
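Checking and resetting those two markers by hand on every domain controller gets tedious. The script below is an added example, not code from the original post: it walks every management group the agent reports to, prints when AD Assessment and AD Replication last ran on this DC, and with -Reset deletes the LastExecuted value so the check runs again, exactly the manual step described above. It assumes the Microsoft Monitoring Agent (HealthService) is installed, that each workspace appears under Management Groups as AOI-<workspace ID>, and that the solution subkey names are ADAssessment and ADReplication as shown in the registry paths above.

```powershell
# Added example, not from the original post: inspect the LastExecuted marker of the
# AD Assessment and AD Replication solutions on this domain controller and, with
# -Reset, remove it so the solution runs again on its next cycle.
# Assumptions: the Microsoft Monitoring Agent (HealthService) is installed; each
# workspace appears under "Management Groups" as AOI-<workspace ID>; the solution
# subkey names ADAssessment and ADReplication are the ones shown in the post.
# Run in an elevated PowerShell session on the DC. Supports -WhatIf and -Confirm.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Reset
)

$base      = 'HKLM:\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Management Groups'
$solutions = 'ADAssessment', 'ADReplication'

if (-not (Test-Path $base)) {
    throw "Management Groups key not found; is the Microsoft Monitoring Agent installed on this host?"
}

# An agent can be multi-homed to several workspaces, so walk every management group.
foreach ($mg in Get-ChildItem -Path $base) {
    $mgName = $mg.PSChildName
    foreach ($sol in $solutions) {
        $key = "$base\$mgName\Solutions\$sol"
        if (-not (Test-Path $key)) {
            Write-Warning "$mgName : $sol key missing (solution not installed, or the agent has not received it yet)"
            continue
        }
        $last = (Get-ItemProperty -Path $key -Name LastExecuted -ErrorAction SilentlyContinue).LastExecuted
        if ($null -eq $last) {
            Write-Output "$mgName : $sol has not run on this DC yet"
            continue
        }
        Write-Output "$mgName : $sol last ran at $last"
        # Deleting the value is what forces a fresh run, as the post describes.
        if ($Reset -and $PSCmdlet.ShouldProcess("$key\LastExecuted", 'Remove registry value')) {
            Remove-ItemProperty -Path $key -Name LastExecuted
            Write-Output "$mgName : $sol LastExecuted removed; the check will run again on its next schedule"
        }
    }
}
```

Save it under any name you like (for example Reset-OmsAdSolution.ps1, a hypothetical name) and run it without parameters first to see the current state; `-Reset -WhatIf` previews which values would be deleted before you commit to it.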
If you enable auditing on domain controllers, they generate a fair amount of security data that you can search for events such as failed logons or locked-out users. Searching this with the native Event Viewer is not easy. OMS Log Analytics can search these events and present the information in a rich, readable form. The Azure Log Analytics query language is also easy to understand. You can write queries and save them in Log Analytics for regular monitoring, and you can build dashboards from queries to monitor changes on a regular basis.
Some common use cases that customers face in day-to-day operations
Not free: to audit and monitor security events you need to deploy the Security & Audit solution. Keep in mind that since 2017 that solution is part of Azure Security Center rather than Log Analytics, which means separate pricing. Azure Security Center uses the Log Analytics platform to store its data.
The following queries are ones I wrote while analyzing security events and relating them to processes. You can always improve them by adding more conditions and filters.
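None of the queries that follow return anything unless the domain controllers actually generate the events, and the agent only forwards what the Windows audit policy writes to the Security log. The script below is an added example, not part of the original post: it enables the advanced audit policy subcategories that produce the event IDs used in the queries (4624, 4771, 4720/4726/4740 and the group management events) and reads back the effective setting for each. It assumes advanced audit policy is in effect on the DC; if a GPO still applies the legacy nine-category settings, those take precedence over what auditpol sets here. Subcategory names are locale-specific, so on a non-English OS substitute the localized names.

```powershell
# Added example, not from the original post: enable the advanced audit policy
# subcategories that produce the event IDs used in the queries below, then read
# back the effective setting for each. Run elevated on a domain controller; for
# persistence put the same settings in the Default Domain Controllers Policy GPO.
# Assumption: advanced audit policy is in effect. If a GPO still applies the legacy
# nine-category audit settings, those override subcategory settings made here.

# Subcategory -> event IDs it generates (the IDs the queries in this post rely on).
$subcategories = [ordered]@{
    'Logon'                           = '4624'                       # successful logon
    'Kerberos Authentication Service' = '4771'                       # Kerberos pre-auth failure
    'User Account Management'         = '4720, 4726, 4740'           # user created, deleted, locked out
    'Security Group Management'       = '4727, 4730, 4728, 4729, 4732, 4733, 4756, 4757'
}

foreach ($sub in $subcategories.Keys) {
    # Enable both success and failure: 4771 is a failure audit, while 4740 (lockout)
    # and the account/group management events are success audits, so failure-only
    # auditing would silently drop most of what the queries look for.
    & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol could not set subcategory '$sub'" }
}

# Verify. auditpol /get prints one indented line per subcategory, e.g.
#   "  Logon                                   Success and Failure"
$report = & auditpol.exe /get /category:*
foreach ($sub in $subcategories.Keys) {
    $line    = $report | Where-Object { $_ -match "^\s+$([regex]::Escape($sub))\s" } | Select-Object -First 1
    $setting = if ($line) { ($line.Trim() -split '\s{2,}')[-1] } else { 'not found' }
    Write-Output ('{0,-34} {1,-22} events {2}' -f $sub, $setting, $subcategories[$sub])
}
```

Running it locally is useful for a quick test on one DC; for production, the same four subcategories belong in the Default Domain Controllers Policy so that every DC, including new ones, audits consistently.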
Users logging on to the domain, by last logon time ascending
SecurityEvent
| where AccountType =~ "user" and EventID == 4624   // successful logon
| summarize LastLogin = max(TimeGenerated) by Account
| sort by LastLogin asc   // sort defaults to descending in Log Analytics; asc lists the stalest logons first
Failed logon attempts by user (4771 is a Kerberos pre-authentication failure; add 4625 and 4776 if you also want interactive and NTLM failures)
SecurityEvent
| where EventID == 4771   // Kerberos pre-authentication failed, typically a bad password
| summarize AggregatedValue = count() by TargetUserName
| sort by AggregatedValue desc
Failed logon attempts by source computer (4771 records the client address in IpAddress)
SecurityEvent
| where EventID == 4771
| summarize AggregatedValue = count() by IpAddress
| sort by AggregatedValue desc
Locked accounts
SecurityEvent
| where EventID == 4740   // a user account was locked out
| extend Source = TargetDomainName   // in 4740, TargetDomainName holds the caller computer name that sent the bad passwords
| summarize count() by TargetUserName, Source
User Account Created
SecurityEvent
| where (EventID == 624 or EventID == 4720)
| extend CreatedBy = SubjectAccount
| project TimeGenerated, TargetAccount, CreatedBy, Computer
User Account Deleted
SecurityEvent
| where (EventID == 630 or EventID == 4726)
| extend DeletedBy = SubjectAccount
| project TimeGenerated, TargetAccount, DeletedBy, Computer
Groups created (the post's 4727 / 631 cover global groups; 4731 and 4754 are added for local and universal groups)
SecurityEvent
| where EventID in (4727, 4731, 4754, 631)   // security-enabled global, local, universal group created; 631 is the legacy ID
| extend CreatedBy = SubjectUserName
| extend GroupName = TargetUserName
| project CreatedBy, GroupName, Activity, TimeGenerated
Groups deleted (4730 / 634 for global groups; 4734 and 4758 added for local and universal groups)
SecurityEvent
| where EventID in (4730, 4734, 4758, 634)   // security-enabled global, local, universal group deleted; 634 is the legacy ID
| extend DeletedBy = SubjectUserName
| extend GroupName = TargetUserName
| project DeletedBy, GroupName, Activity, TimeGenerated
Group membership changes
SecurityEvent
| where EventID in (4728, 4732, 4756, 632, 636, 660)   // member added to a global, local or universal security group (632/636/660 are the legacy IDs)
    or EventID in (4729, 4733, 4757, 633, 637, 661)   // member removed
| project Activity, MemberName, TargetUserName, TimeGenerated
| sort by TimeGenerated desc
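Saving a query in the portal is fine for ad hoc checks, but regular monitoring means running it on a schedule and acting on the result. The script below is an added example, not from the original post: it runs the failed-logon query above against the workspace from PowerShell and reports any account over a threshold, so the same KQL can be driven from Task Scheduler or Azure Automation. It assumes the Az.OperationalInsights module is installed and Connect-AzAccount has already been run with read access to the workspace, that $WorkspaceId is the workspace (customer) ID GUID, and that the 24-hour window and threshold of 20 are illustrative values rather than recommendations from the post. It also goes slightly beyond the query in the post by counting 4625 and 4776 alongside 4771.

```powershell
# Added example, not from the original post: run the failed-logon query against the
# workspace from PowerShell and flag accounts over a threshold, so the KQL can be
# scheduled (Task Scheduler, Azure Automation) instead of being re-run by hand.
# Assumptions: the Az.OperationalInsights module is installed and Connect-AzAccount
# has already been run with rights to read the workspace; $WorkspaceId is the
# workspace (customer) ID GUID; the 24-hour window and threshold of 20 are
# illustrative values, not recommendations from the post.
param(
    [Parameter(Mandatory)][string]$WorkspaceId,
    [int]$Threshold = 20,
    [timespan]$Window = (New-TimeSpan -Hours 24)
)

# The post's query counts only 4771 (Kerberos pre-auth failures). This version also
# counts 4625 (logon failure) and 4776 (NTLM credential validation failure) so that
# NTLM and local failures on the DCs are included, and keeps first/last seen times.
$query = @'
SecurityEvent
| where EventID in (4771, 4625, 4776)
| summarize Failures = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by TargetUserName
| sort by Failures desc
'@

$response = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query -Timespan $Window
$hits = @($response.Results | Where-Object { [int]$_.Failures -ge $Threshold })

if ($hits.Count -eq 0) {
    Write-Output ('No account reached {0} failed logons in the last {1} hours' -f $Threshold, $Window.TotalHours)
}
foreach ($row in $hits) {
    # Plug alerting in here (Send-MailMessage, a webhook, a ticket); this only reports.
    Write-Warning ('{0}: {1} failures between {2} and {3}' -f $row.TargetUserName, $row.Failures, $row.FirstSeen, $row.LastSeen)
}

# Emit the offending rows so the script can feed a pipeline or a scheduled job's output.
$hits
```

Any of the other queries in this post can be dropped into $query the same way; the only thing that changes is the column you filter on in the Where-Object clause. Tune the threshold against a few days of normal data before wiring it to an alert, or service accounts with expired passwords will page you every night.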
Starting from the examples above, you can develop more queries to find the information you need in the security logs. Microsoft provides guides and a playground to learn the language easily: https://docs.loganalytics.io/index
I hope this post has given you an idea of how to use Operations Management Suite and Azure Log Analytics to monitor Active Directory. In future posts I hope to release a full management solution with dashboards for auditing and monitoring Active Directory.
Cheers