Following up on my previous article, Monitoring Active Directory using Operational Management Suite, I have published my own solution, the OMS Active Directory Security Audit Solution, to the Azure QuickStart Templates gallery. In this blog post I'll give you a good understanding of the solution and how you can deploy it in your Azure subscription.
Before deploying this solution, I recommend reading my previous blog post, Monitoring Active Directory using OMS. In that post I talked about how we can leverage OMS to monitor Active Directory using Microsoft's default solutions, such as the AD Health Check and AD Replication solutions, and how we can use Azure Log Analytics to search and query AD security event data. In this new solution I use Azure Log Analytics queries to monitor day-to-day activities and the critical security information that domain controllers log.
The AD Security Audit Solution collects security events from domain controllers and filters them with Azure Log Analytics queries, which are visualized in OMS dashboards. It has two dashboards that display the following information.
OMS Log Analytics Workspace
A Log Analytics workspace is required to host this solution. You can select either the free or the paid tier. The free tier supports 500 MB of daily upload and 7 days of retention.
Azure Security Center license
Azure Security Center licensing is required to collect security events from domain controllers and search them. This is also known as the OMS Security and Compliance license. Azure Security Center is offered in two tiers: Free and Standard. The Standard tier is free for the first 60 days. You can use either the Free tier or apply the Standard-tier node license to all domain controllers.
OMS agent installed on domain controllers
The OMS agent should be installed on every domain controller; a domain controller without the agent sends no security events, so its activity will be missing from the dashboards.
OMS workspace name and resource group name
To deploy the solution you need the OMS workspace name and the name of its resource group. In the current version the solution must be deployed to the same resource group as the workspace.
Follow these instructions to deploy the solution into an existing OMS workspace
https://azure.microsoft.com/en-us/resources/templates/oms-active-directory-security-audit-solution/
The ingestion will start 5-10 minutes post-deployment.
Note - It is important that you type the exact values for your workspace name and resource group name, and that you select the region where these resources are deployed.
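To avoid the typo problem the note describes, the deployment can be scripted so the workspace name, resource group and region are read from the existing workspace rather than typed by hand. The following PowerShell is an added example (not the author's template or code) using the Az module: it looks up the workspace, checks that every domain controller is sending heartbeats (the OMS agent prerequisite), validates the template against the resource group and only then deploys it. The template URL is a placeholder, and the parameter names workspaceName and workspaceRegion are assumed; check them against the template's azuredeploy.json before running.

```powershell
# Added example, not part of the original post or the QuickStart template.
# Assumes: Az.Accounts, Az.Resources, Az.OperationalInsights and the ActiveDirectory
# RSAT module are installed, and you have already run Connect-AzAccount.

$ResourceGroupName = 'rg-oms-prod'        # constructed sample value
$WorkspaceName     = 'oms-ad-audit-prod'  # constructed sample value
$TemplateUri       = '<raw URL of the template azuredeploy.json>'  # placeholder

# 1. Resolve the workspace once; its Name, Location and ResourceGroupName are then
#    reused so the deployment cannot point at a mistyped region or group.
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName `
    -Name $WorkspaceName -ErrorAction Stop

# 2. Prerequisite check: every domain controller must be reporting to the workspace.
#    Heartbeat is the table the OMS agent writes to; a DC missing here has no agent
#    (or a broken one) and would silently drop out of the security dashboards.
$domainControllers = (Get-ADDomainController -Filter *).HostName
$heartbeatQuery = @'
Heartbeat
| where TimeGenerated > ago(1h)
| summarize LastHeartbeat = max(TimeGenerated) by Computer
'@
$reporting = (Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId `
    -Query $heartbeatQuery).Results | ForEach-Object { $_.Computer.ToLower() }

$missing = $domainControllers | Where-Object { $reporting -notcontains $_.ToLower() }
if ($missing) {
    Write-Warning "Domain controllers with no OMS heartbeat in the last hour: $($missing -join ', ')"
    Write-Warning 'Install or repair the OMS agent on these hosts before relying on the dashboards.'
}

# 3. Build the parameter set from the workspace object (parameter names are assumed).
$params = @{
    workspaceName   = $workspace.Name
    workspaceRegion = $workspace.Location
}

# 4. Validate before deploying; Test-AzResourceGroupDeployment returns the
#    validation errors (an empty result means the template and parameters are valid).
$validation = Test-AzResourceGroupDeployment -ResourceGroupName $workspace.ResourceGroupName `
    -TemplateUri $TemplateUri -TemplateParameterObject $params
if ($validation) {
    $validation | ForEach-Object { Write-Error $_.Message }
    throw 'Template validation failed; fix the errors above before deploying.'
}

# 5. Deploy into the same resource group as the workspace (a requirement of this version).
$deployment = New-AzResourceGroupDeployment -Name 'oms-ad-security-audit' `
    -ResourceGroupName $workspace.ResourceGroupName -TemplateUri $TemplateUri `
    -TemplateParameterObject $params -ErrorAction Stop

"Deployment state: $($deployment.ProvisioningState)"
'Data ingestion normally starts 5-10 minutes after the deployment succeeds.'
```

Running the heartbeat check before the deployment matters because the solution's views are only as complete as the set of domain controllers feeding them; a DC that is not listed in Heartbeat is a blind spot in the audit, not a sign that nothing happened on it.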
If you have enabled auditing on your domain controllers, they generate a fair amount of security data that you can search for events such as failed logons or locked-out users. Searching for these with the native Event Viewer is not easy; OMS Log Analytics can search these events and present the results in a rich, readable form.
The AD Security Audit solution is designed around a number of the important use cases that most customers face in day-to-day operations. It will help you to identify
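The two searches mentioned above (failed logons and locked-out users) can be run directly against the workspace from PowerShell, which is useful for checking that security events are actually arriving before you look at the dashboards. This is an added example, not a query shipped with the solution; it assumes the Az.OperationalInsights module, an existing Connect-AzAccount session, and that the workspace accepts Kusto queries against the SecurityEvent table. The event IDs are the standard Windows ones: 4625 for a failed logon and 4740 for an account lockout. The threshold of 10 failures is a constructed sample value to tune for your environment.

```powershell
# Added example, not part of the original post or the solution's own queries.
# Assumes Az.OperationalInsights is installed and Connect-AzAccount has been run.

$ResourceGroupName = 'rg-oms-prod'        # constructed sample value
$WorkspaceName     = 'oms-ad-audit-prod'  # constructed sample value
$LookbackHours     = 24

$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName `
    -Name $WorkspaceName -ErrorAction Stop

# Small wrapper so each query below is just the Kusto text.
function Invoke-AdAuditQuery {
    param([Parameter(Mandatory)][string]$Query)
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId `
        -Query $Query -Timespan (New-TimeSpan -Hours $LookbackHours)
    return $result.Results
}

# Failed logons (4625): group by the account that was targeted and the DC that
# logged it, and count distinct source addresses. Many failures from many sources
# against one account looks different from one user mistyping a password.
$failedLogonQuery = @"
SecurityEvent
| where TimeGenerated > ago(${LookbackHours}h)
| where EventID == 4625
| summarize Failures = count(), DistinctSources = dcount(IpAddress),
            LastFailure = max(TimeGenerated) by TargetUserName, Computer
| where Failures >= 10
| order by Failures desc
"@

# Account lockouts (4740): the account that was locked and the DC that recorded it.
$lockoutQuery = @"
SecurityEvent
| where TimeGenerated > ago(${LookbackHours}h)
| where EventID == 4740
| project TimeGenerated, LockedAccount = TargetUserName, DomainController = Computer
| order by TimeGenerated desc
"@

'== Accounts with repeated failed logons =='
Invoke-AdAuditQuery -Query $failedLogonQuery | Format-Table -AutoSize

'== Account lockouts =='
Invoke-AdAuditQuery -Query $lockoutQuery | Format-Table -AutoSize

# Sanity check: if both queries return nothing for a busy domain, the likely cause
# is that the Security Center data collection tier or the DC audit policy is not
# sending 4625/4740, rather than a genuinely quiet domain.
$eventVolume = Invoke-AdAuditQuery -Query @"
SecurityEvent
| where TimeGenerated > ago(${LookbackHours}h)
| where EventID in (4625, 4740)
| summarize Events = count() by EventID
"@
if (-not $eventVolume) {
    Write-Warning 'No 4625/4740 events ingested in the lookback window; verify the audit policy and the Security Center collection tier.'
}
```

The final volume check is worth keeping in any scheduled version of this script: an empty result from a security query is ambiguous, and confirming that the underlying event IDs are being collected at all is what separates "nothing happened" from "nothing was logged".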
Hope this solution helps
Cheers