Skip to content

Instantly share code, notes, and snippets.

@tyconsulting tyconsulting/Create-ACSSavedSearches.ps1

Created Dec 17, 2016
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Raw
Create-ACSSavedSearches.ps1
#requires -Version 5.0 -Modules AzureRM.OperationalInsights, AzureRM.profile
<#
============================================================================================================================
AUTHOR: Tao Yang
DATE: 17-12-2016
Version: 1.0
Comment:
- Create OMS saved searches to that map SCOM ACS reports that are
- Listed in Wei Hao Lim's blog post:
- https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/07/25/mapping-acs-reports-to-oms-search-queries/
============================================================================================================================
#>
#region class definition
Class OMSSavedSearch
{
[String]$Name
[String]$Category
[String]$Query
OMSSavedSearch ([String]$Name, [String]$Category, [String]$Query)
{
$this.Name = $Name
$this.Category = $Category
$this.Query = $Query
}
}
#endregion
#region Add saved search queries
$Category = 'ACS Reports'
$arrSavedSearches = @()
#Access Violation Account Locked
$arrSavedSearches += [OMSSavedSearch]::new('Access Violation Account Locked Details', $Category, 'Type=SecurityEvent EventID=539 OR EventID=644 OR EventID=4740 OR EventID=6279')
$arrSavedSearches += [OMSSavedSearch]::new('Access Violation Account Locked Events Count', $Category, 'Type=SecurityEvent EventID=539 OR EventID=644 OR EventID=4740 OR EventID=6279 | measure count() by EventID')
#Access Violation: Unsuccessful Logon Attempts
$arrSavedSearches += [OMSSavedSearch]::new('Access Violation: Unsuccessful Logon Attempts Details', $Category, 'Type=SecurityEvent EventID:[529..537] OR EventID=539 OR (EventID=4625 AND Status=0xc000006d)  | Select TargetAccount, IpAddress, Computer, LogonProcessName, AuthenticationPackageName, LogonTypeName')
$arrSavedSearches += [OMSSavedSearch]::new('Access Violation: Unsuccessful Logon Attempts Target Account Count', $Category, 'Type=SecurityEvent EventID:[529..537] OR EventID=539 OR (EventID=4625 AND Status=0xc000006d) | measure count() by TargetAccount')
#Account Management: Domain and Built-in Administrators Membership Changes
$arrSavedSearches += [OMSSavedSearch]::new('Access Violation: Unsuccessful Logon Attempts Details', $Category, 'Type=SecurityEvent EventID:[529..537] OR EventID=539 OR (EventID=4625 AND Status=0xc000006d)  | Select TargetAccount, IpAddress, Computer, LogonProcessName, AuthenticationPackageName, LogonTypeName')
$arrSavedSearches += [OMSSavedSearch]::new('Access Violation: Unsuccessful Logon Attempts Target Account Count', $Category, 'Type=SecurityEvent EventID:[529..537] OR EventID=539 OR (EventID=4625 AND Status=0xc000006d) | measure count() by TargetAccount')
#Account Management: Passwords Change Attempts by Non-owner
$arrSavedSearches += [OMSSavedSearch]::new('Account Management: Passwords Change Attempts by Non-owner', $Category, 'Type=SecurityEvent (EventID=4723 OR EventID=4724 OR EventID:[627..628]) AND SubjectAccount!="ANONYMOUS LOGON" TargetAccount NOT IN {Type=SecurityEvent (EventID=4723 OR EventID=4724 OR EventID:[627..628]) AND SubjectAccount!="ANONYMOUS LOGON" | measure count() by SubjectAccount} | EXTEND SubjectAccount AS ChangedBy | Select  TimeGenerated, Computer, TargetAccount, ChangedBy')
#Account Management: User Accounts Created
$arrSavedSearches += [OMSSavedSearch]::new('Account Management: User Accounts Created', $Category, 'Type=SecurityEvent (EventID=624 OR EventID=4720) | EXTEND SubjectAccount AS CreatedBy | Select TimeGenerated, TargetAccount, CreatedBy, Computer')
#Account Management: User Accounts Deleted
$arrSavedSearches += [OMSSavedSearch]::new('Account Management: User Accounts Created', $Category, 'Type=SecurityEvent (EventID=630 OR EventID=4726) | EXTEND SubjectAccount AS DeletedBy | Select TimeGenerated, TargetAccount, DeletedBy, Computer')
#Forensic: All Events For Specified Computer
$arrSavedSearches += [OMSSavedSearch]::new('Forensic: All Events For Specified Computer (Update <<Computer Name>>)', $Category, 'Type=SecurityEvent Computer="<<Computer Name>>"')
$arrSavedSearches += [OMSSavedSearch]::new('Forensic: All Events For Specified Computer Activity Count (Update <<Computer Name>>)', $Category, 'Type=SecurityEvent Computer="<<Computer Name>>" | measure count() by Activity')
#Forensic: All Events For Specified User
$arrSavedSearches += [OMSSavedSearch]::new('Forensic: All Events For Specified User (Update <<User Domain\\Account Name>>)', $Category, 'Type=SecurityEvent Account="<<User Domain\\Account Name>>"')
$arrSavedSearches += [OMSSavedSearch]::new('Forensic: All Events For Specified User Activity Count (Update <<User Domain\\Account Name>>)', $Category, 'Type=SecurityEvent Account="<<User Domain\\Account Name>>" | measure count() by Activity')
#Forensic: All Events With Specified Event ID
$arrSavedSearches += [OMSSavedSearch]::new('Forensic: All Events With Specified Event ID (Update <<Event Id>>)', $Category, 'Type=SecurityEvent EventID="<<Event Id>>"')
$arrSavedSearches += [OMSSavedSearch]::new('Forensic: All Events With Specified Event ID (Update <<Event Id>>) Count by Computer', $Category, 'Type=SecurityEvent EventID="<<Event Id>>" | measure count() by Computer')
$arrSavedSearches += [OMSSavedSearch]::new('Forensic: All Events With Specified Event ID (Update <<Event Id>>) Count by Account', $Category, 'Type=SecurityEvent EventID="<<Event Id>>" | measure count() by Account')
#Planning: Event Counts
$arrSavedSearches += [OMSSavedSearch]::new('Planning: Event Counts', $Category, 'Type=SecurityEvent EventID!=0 | measure count() AS Count by Activity')
#Planning: Event Counts by Computer
$arrSavedSearches += [OMSSavedSearch]::new('Planning: Event Counts by Computer by activity (Update <<Computer Name>>)', $Category, 'Type=SecurityEvent Computer="<<Computer Name>>" | measure count() by Activity')
$arrSavedSearches += [OMSSavedSearch]::new('Planning: Event Counts by Computer by Event ID (Update <<Computer Name>>)', $Category, 'Type=SecurityEvent Computer="<<Computer Name>>" | measure count() by EventID')
#Planning: Hourly Event Distribution
$arrSavedSearches += [OMSSavedSearch]::new('Planning: Hourly Event Distribution', $Category, 'Type=SecurityEvent EventID!=0 | measure count() AS Count by TimeGenerated Interval 1Hour')
$arrSavedSearches += [OMSSavedSearch]::new('Planning: Hourly Event Distribution Filter by Event ID range (Update [xx..yy])', $Category, 'Type=SecurityEvent EventID!=0 AND EventID:[xx..yy] | measure count() AS Count by Activity Interval 1Hour')
#Planning: Logon Counts of Privileged Users
$arrSavedSearches += [OMSSavedSearch]::new('Planning: Logon Counts of Privileged Users', $Category, 'Type=SecurityEvent EventID=576 OR EventID=4672 AND SubjectDomainName!="NT AUTHORITY" AND AccountType!="Machine" | Select SubjectAccount, PrivilegeList')
$arrSavedSearches += [OMSSavedSearch]::new('Planning: Logon Counts of Privileged Users Count by SubjectAccount', $Category, 'Type=SecurityEvent EventID=576 OR EventID=4672 AND SubjectDomainName!="NT AUTHORITY" AND AccountType!="Machine" | Measure Count() by SubjectAccount')
#Policy: Account Policy Changed
$arrSavedSearches += [OMSSavedSearch]::new('Policy: Account Policy Changed', $Category, 'Type=SecurityEvent EventID=643 OR EventID=4739 | Select Computer, Activity, TimeGenerated, EventData')
#Policy: Audit Policy Changed
$arrSavedSearches += [OMSSavedSearch]::new('Policy: Audit Policy Changed', $Category, 'Type=SecurityEvent EventID=612 OR EventID=4719 | Select Computer, Activity, TimeGenerated, EventData')
#Policy: Object Permissions Changed
$arrSavedSearches += [OMSSavedSearch]::new('Policy: Object Permissions Changed', $Category, 'Type=SecurityEvent EventID=4670 | Select TimeGenerated, Activity, Computer, EventData')
#Policy: Privilege Added Or Removed
$arrSavedSearches += [OMSSavedSearch]::new('Policy: Privilege Added Or Removed', $Category, 'Type=SecurityEvent EventID:[608..609] OR EventID:[621..622] OR EventID:[4704..4705] | Select TimeGenerated, Activity, Computer, EventData')
#System Integrity: Audit Failure
$arrSavedSearches += [OMSSavedSearch]::new('System Integrity: Audit Failure', $Category, 'Type=SecurityEvent EventID=516 OR EventID=4612 | Select TimeGenerated, Activity, Computer')
#System Integrity: Audit Log Cleared
$arrSavedSearches += [OMSSavedSearch]::new('System Integrity: Audit Log Cleared', $Category, 'Type=SecurityEvent EventID=517 OR EventID=1102 | Select Activity, Computer, TimeGenerated, EventData')
#Usage: Object Access
$arrSavedSearches += [OMSSavedSearch]::new('Usage: Object Access', $Category, 'Type=SecurityEvent EventID=560 OR EventID=567 OR EventID=4656 OR EventID=4663 | Select Computer, Activity, TimeGenerated, EventData')
#Usage: Privileged logon
$arrSavedSearches += [OMSSavedSearch]::new('Usage: Privileged logon', $Category, 'Type=SecurityEvent EventID=576 OR EventID=4672 | Select TimeGenerated, Activity, Computer, SubjectAccount, PrivilegeList')
#Usage: Sensitive Security Groups Changes
$arrSavedSearches += [OMSSavedSearch]::new('Usage: Sensitive Security Groups Changes', $Category, 'Type=SecurityEvent EventID:[4727..4735] OR EventID=4737 OR EventID:[4754..4758] OR EventID:[631..639] OR EventID=641 OR EventID:[658..662] | EXTEND TargetUserName As GroupName | Select Activity, GroupName, SubjectAccount, MemberName, TimeGenerated')
#Usage: User Logon
$arrSavedSearches += [OMSSavedSearch]::new('Usage: User Logon', $Category, 'Type=SecurityEvent EventID=528 OR EventID=540 OR EventID=4624 | Select TimeGenerated, Activity, Computer, IpAddress, AuthenticationPackageName, LogonProcessName, LogonTypeName, TargetAccount')
#DAC: File Resource Property Changes
$arrSavedSearches += [OMSSavedSearch]::new('DAC: File Resource Property Changes', $Category, 'Type=SecurityEvent EventID=4911 | Select Computer, Activity, TimeGenerated, SubjectAccount, EventData')
#DAC: Central Access Policy For File Changes
$arrSavedSearches += [OMSSavedSearch]::new('DAC: Central Access Policy For File Changes', $Category, 'Type=SecurityEvent EventID=4913 | Select Computer, Activity, TimeGenerated, SubjectAccount, EventData')
#DAC: Object Attribute Changes
$arrSavedSearches += [OMSSavedSearch]::new('DAC: Object Attribute Changes', $Category, 'Type=SecurityEvent EventID=5136 OR EventID=5137 | Select Computer, Activity, TimeGenerated, SubjectAccount, EventData')
#endregion
#region Login to Azure and create the saved searches
#Login to Azure
Write-Output -InputObject 'Log in to Azure'
$LoginToAzure = $null = Add-AzureRmAccount -WarningAction SilentlyContinue
#Get Azure Sub
$Subscriptions = Get-AzureRmSubscription -WarningAction SilentlyContinue
Write-Output -InputObject 'Choose Azure Subscription where OMS Log Analytics Workspace is located:'
for ($i = 1;$i -le $Subscriptions.count; $i++)
{
Write-Host -Object "$i. $($Subscriptions[$i-1].SubscriptionName)"
}
[int]$ans = Read-Host -Prompt 'Enter selection'
$subscription = $Subscriptions[$ans-1]
$null = Set-AzureRmContext -SubscriptionName $subscription.SubscriptionName
Write-Output -InputObject ''
#Get OMS workspace
Write-Output -InputObject 'Select OMS Log Analytics Workspace:'
$OMSWorkspaces = Get-AzureRmOperationalInsightsWorkspace
for ($i = 1;$i -le $OMSWorkspaces.count; $i++)
{
Write-Host -Object "$i. $($OMSWorkspaces[$i-1].Name)"
}
[int]$ans = Read-Host -Prompt 'Enter selection'
$OMSWorkspace = $OMSWorkspaces[$ans-1]
#Create saved searches
Write-Output -InputObject 'Start creating saved searches'
Foreach ($item in $arrSavedSearches)
{
Write-Output -InputObject " - Creating saved search - Category: '$($item.Category)', Search Query: '$($item.Name)'"
$SavedSearchId = [GUID]::NewGuid().Tostring()
$NewSavedSearch = New-AzureRmOperationalInsightsSavedSearch -ResourceGroupName $OMSWorkspace.ResourceGroupName -WorkspaceName $OMSWorkspace.Name -SavedSearchId $SavedSearchId -DisplayName $item.Name -Category $item.Category -Query $item.Query -Version 1
}
Write-Output -InputObject 'Done!'
#endregion
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.