#requires -Version 5.0 -Modules AzureRM.OperationalInsights, AzureRM.profile | |
<# | |
============================================================================================================================ | |
AUTHOR: Tao Yang | |
DATE: 17-12-2016 | |
Version: 1.0 | |
Comment: | |
- Create OMS saved searches to that map SCOM ACS reports that are | |
- Listed in Wei Hao Lim's blog post: | |
- https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2016/07/25/mapping-acs-reports-to-oms-search-queries/ | |
============================================================================================================================ | |
#> | |
#region class definition | |
Class OMSSavedSearch | |
{ | |
[String]$Name | |
[String]$Category | |
[String]$Query | |
OMSSavedSearch ([String]$Name, [String]$Category, [String]$Query) | |
{ | |
$this.Name = $Name | |
$this.Category = $Category | |
$this.Query = $Query | |
} | |
} | |
#endregion | |
#region Add saved search queries | |
$Category = 'ACS Reports' | |
$arrSavedSearches = @() | |
#Access Violation Account Locked | |
$arrSavedSearches += [OMSSavedSearch]::new('Access Violation Account Locked Details', $Category, 'Type=SecurityEvent EventID=539 OR EventID=644 OR EventID=4740 OR EventID=6279') | |
$arrSavedSearches += [OMSSavedSearch]::new('Access Violation Account Locked Events Count', $Category, 'Type=SecurityEvent EventID=539 OR EventID=644 OR EventID=4740 OR EventID=6279 | measure count() by EventID') | |
#Access Violation: Unsuccessful Logon Attempts | |
$arrSavedSearches += [OMSSavedSearch]::new('Access Violation: Unsuccessful Logon Attempts Details', $Category, 'Type=SecurityEvent EventID:[529..537] OR EventID=539 OR (EventID=4625 AND Status=0xc000006d) | Select TargetAccount, IpAddress, Computer, LogonProcessName, AuthenticationPackageName, LogonTypeName') | |
$arrSavedSearches += [OMSSavedSearch]::new('Access Violation: Unsuccessful Logon Attempts Target Account Count', $Category, 'Type=SecurityEvent EventID:[529..537] OR EventID=539 OR (EventID=4625 AND Status=0xc000006d) | measure count() by TargetAccount') | |
#Account Management: Domain and Built-in Administrators Membership Changes | |
$arrSavedSearches += [OMSSavedSearch]::new('Access Violation: Unsuccessful Logon Attempts Details', $Category, 'Type=SecurityEvent EventID:[529..537] OR EventID=539 OR (EventID=4625 AND Status=0xc000006d) | Select TargetAccount, IpAddress, Computer, LogonProcessName, AuthenticationPackageName, LogonTypeName') | |
$arrSavedSearches += [OMSSavedSearch]::new('Access Violation: Unsuccessful Logon Attempts Target Account Count', $Category, 'Type=SecurityEvent EventID:[529..537] OR EventID=539 OR (EventID=4625 AND Status=0xc000006d) | measure count() by TargetAccount') | |
#Account Management: Passwords Change Attempts by Non-owner | |
$arrSavedSearches += [OMSSavedSearch]::new('Account Management: Passwords Change Attempts by Non-owner', $Category, 'Type=SecurityEvent (EventID=4723 OR EventID=4724 OR EventID:[627..628]) AND SubjectAccount!="ANONYMOUS LOGON" TargetAccount NOT IN {Type=SecurityEvent (EventID=4723 OR EventID=4724 OR EventID:[627..628]) AND SubjectAccount!="ANONYMOUS LOGON" | measure count() by SubjectAccount} | EXTEND SubjectAccount AS ChangedBy | Select TimeGenerated, Computer, TargetAccount, ChangedBy') | |
#Account Management: User Accounts Created | |
$arrSavedSearches += [OMSSavedSearch]::new('Account Management: User Accounts Created', $Category, 'Type=SecurityEvent (EventID=624 OR EventID=4720) | EXTEND SubjectAccount AS CreatedBy | Select TimeGenerated, TargetAccount, CreatedBy, Computer') | |
#Account Management: User Accounts Deleted | |
$arrSavedSearches += [OMSSavedSearch]::new('Account Management: User Accounts Created', $Category, 'Type=SecurityEvent (EventID=630 OR EventID=4726) | EXTEND SubjectAccount AS DeletedBy | Select TimeGenerated, TargetAccount, DeletedBy, Computer') | |
#Forensic: All Events For Specified Computer | |
$arrSavedSearches += [OMSSavedSearch]::new('Forensic: All Events For Specified Computer (Update <<Computer Name>>)', $Category, 'Type=SecurityEvent Computer="<<Computer Name>>"') | |
$arrSavedSearches += [OMSSavedSearch]::new('Forensic: All Events For Specified Computer Activity Count (Update <<Computer Name>>)', $Category, 'Type=SecurityEvent Computer="<<Computer Name>>" | measure count() by Activity') | |
#Forensic: All Events For Specified User | |
$arrSavedSearches += [OMSSavedSearch]::new('Forensic: All Events For Specified User (Update <<User Domain\\Account Name>>)', $Category, 'Type=SecurityEvent Account="<<User Domain\\Account Name>>"') | |
$arrSavedSearches += [OMSSavedSearch]::new('Forensic: All Events For Specified User Activity Count (Update <<User Domain\\Account Name>>)', $Category, 'Type=SecurityEvent Account="<<User Domain\\Account Name>>" | measure count() by Activity') | |
#Forensic: All Events With Specified Event ID | |
$arrSavedSearches += [OMSSavedSearch]::new('Forensic: All Events With Specified Event ID (Update <<Event Id>>)', $Category, 'Type=SecurityEvent EventID="<<Event Id>>"') | |
$arrSavedSearches += [OMSSavedSearch]::new('Forensic: All Events With Specified Event ID (Update <<Event Id>>) Count by Computer', $Category, 'Type=SecurityEvent EventID="<<Event Id>>" | measure count() by Computer') | |
$arrSavedSearches += [OMSSavedSearch]::new('Forensic: All Events With Specified Event ID (Update <<Event Id>>) Count by Account', $Category, 'Type=SecurityEvent EventID="<<Event Id>>" | measure count() by Account') | |
#Planning: Event Counts | |
$arrSavedSearches += [OMSSavedSearch]::new('Planning: Event Counts', $Category, 'Type=SecurityEvent EventID!=0 | measure count() AS Count by Activity') | |
#Planning: Event Counts by Computer | |
$arrSavedSearches += [OMSSavedSearch]::new('Planning: Event Counts by Computer by activity (Update <<Computer Name>>)', $Category, 'Type=SecurityEvent Computer="<<Computer Name>>" | measure count() by Activity') | |
$arrSavedSearches += [OMSSavedSearch]::new('Planning: Event Counts by Computer by Event ID (Update <<Computer Name>>)', $Category, 'Type=SecurityEvent Computer="<<Computer Name>>" | measure count() by EventID') | |
#Planning: Hourly Event Distribution | |
$arrSavedSearches += [OMSSavedSearch]::new('Planning: Hourly Event Distribution', $Category, 'Type=SecurityEvent EventID!=0 | measure count() AS Count by TimeGenerated Interval 1Hour') | |
$arrSavedSearches += [OMSSavedSearch]::new('Planning: Hourly Event Distribution Filter by Event ID range (Update [xx..yy])', $Category, 'Type=SecurityEvent EventID!=0 AND EventID:[xx..yy] | measure count() AS Count by Activity Interval 1Hour') | |
#Planning: Logon Counts of Privileged Users | |
$arrSavedSearches += [OMSSavedSearch]::new('Planning: Logon Counts of Privileged Users', $Category, 'Type=SecurityEvent EventID=576 OR EventID=4672 AND SubjectDomainName!="NT AUTHORITY" AND AccountType!="Machine" | Select SubjectAccount, PrivilegeList') | |
$arrSavedSearches += [OMSSavedSearch]::new('Planning: Logon Counts of Privileged Users Count by SubjectAccount', $Category, 'Type=SecurityEvent EventID=576 OR EventID=4672 AND SubjectDomainName!="NT AUTHORITY" AND AccountType!="Machine" | Measure Count() by SubjectAccount') | |
#Policy: Account Policy Changed | |
$arrSavedSearches += [OMSSavedSearch]::new('Policy: Account Policy Changed', $Category, 'Type=SecurityEvent EventID=643 OR EventID=4739 | Select Computer, Activity, TimeGenerated, EventData') | |
#Policy: Audit Policy Changed | |
$arrSavedSearches += [OMSSavedSearch]::new('Policy: Audit Policy Changed', $Category, 'Type=SecurityEvent EventID=612 OR EventID=4719 | Select Computer, Activity, TimeGenerated, EventData') | |
#Policy: Object Permissions Changed | |
$arrSavedSearches += [OMSSavedSearch]::new('Policy: Object Permissions Changed', $Category, 'Type=SecurityEvent EventID=4670 | Select TimeGenerated, Activity, Computer, EventData') | |
#Policy: Privilege Added Or Removed | |
$arrSavedSearches += [OMSSavedSearch]::new('Policy: Privilege Added Or Removed', $Category, 'Type=SecurityEvent EventID:[608..609] OR EventID:[621..622] OR EventID:[4704..4705] | Select TimeGenerated, Activity, Computer, EventData') | |
#System Integrity: Audit Failure | |
$arrSavedSearches += [OMSSavedSearch]::new('System Integrity: Audit Failure', $Category, 'Type=SecurityEvent EventID=516 OR EventID=4612 | Select TimeGenerated, Activity, Computer') | |
#System Integrity: Audit Log Cleared | |
$arrSavedSearches += [OMSSavedSearch]::new('System Integrity: Audit Log Cleared', $Category, 'Type=SecurityEvent EventID=517 OR EventID=1102 | Select Activity, Computer, TimeGenerated, EventData') | |
#Usage: Object Access | |
$arrSavedSearches += [OMSSavedSearch]::new('Usage: Object Access', $Category, 'Type=SecurityEvent EventID=560 OR EventID=567 OR EventID=4656 OR EventID=4663 | Select Computer, Activity, TimeGenerated, EventData') | |
#Usage: Privileged logon | |
$arrSavedSearches += [OMSSavedSearch]::new('Usage: Privileged logon', $Category, 'Type=SecurityEvent EventID=576 OR EventID=4672 | Select TimeGenerated, Activity, Computer, SubjectAccount, PrivilegeList') | |
#Usage: Sensitive Security Groups Changes | |
$arrSavedSearches += [OMSSavedSearch]::new('Usage: Sensitive Security Groups Changes', $Category, 'Type=SecurityEvent EventID:[4727..4735] OR EventID=4737 OR EventID:[4754..4758] OR EventID:[631..639] OR EventID=641 OR EventID:[658..662] | EXTEND TargetUserName As GroupName | Select Activity, GroupName, SubjectAccount, MemberName, TimeGenerated') | |
#Usage: User Logon | |
$arrSavedSearches += [OMSSavedSearch]::new('Usage: User Logon', $Category, 'Type=SecurityEvent EventID=528 OR EventID=540 OR EventID=4624 | Select TimeGenerated, Activity, Computer, IpAddress, AuthenticationPackageName, LogonProcessName, LogonTypeName, TargetAccount') | |
#DAC: File Resource Property Changes | |
$arrSavedSearches += [OMSSavedSearch]::new('DAC: File Resource Property Changes', $Category, 'Type=SecurityEvent EventID=4911 | Select Computer, Activity, TimeGenerated, SubjectAccount, EventData') | |
#DAC: Central Access Policy For File Changes | |
$arrSavedSearches += [OMSSavedSearch]::new('DAC: Central Access Policy For File Changes', $Category, 'Type=SecurityEvent EventID=4913 | Select Computer, Activity, TimeGenerated, SubjectAccount, EventData') | |
#DAC: Object Attribute Changes | |
$arrSavedSearches += [OMSSavedSearch]::new('DAC: Object Attribute Changes', $Category, 'Type=SecurityEvent EventID=5136 OR EventID=5137 | Select Computer, Activity, TimeGenerated, SubjectAccount, EventData') | |
#endregion | |
#region Login to Azure and create the saved searches | |
#Login to Azure | |
Write-Output -InputObject 'Log in to Azure' | |
$LoginToAzure = $null = Add-AzureRmAccount -WarningAction SilentlyContinue | |
#Get Azure Sub | |
$Subscriptions = Get-AzureRmSubscription -WarningAction SilentlyContinue | |
Write-Output -InputObject 'Choose Azure Subscription where OMS Log Analytics Workspace is located:' | |
for ($i = 1;$i -le $Subscriptions.count; $i++) | |
{ | |
Write-Host -Object "$i. $($Subscriptions[$i-1].SubscriptionName)" | |
} | |
[int]$ans = Read-Host -Prompt 'Enter selection' | |
$subscription = $Subscriptions[$ans-1] | |
$null = Set-AzureRmContext -SubscriptionName $subscription.SubscriptionName | |
Write-Output -InputObject '' | |
#Get OMS workspace | |
Write-Output -InputObject 'Select OMS Log Analytics Workspace:' | |
$OMSWorkspaces = Get-AzureRmOperationalInsightsWorkspace | |
for ($i = 1;$i -le $OMSWorkspaces.count; $i++) | |
{ | |
Write-Host -Object "$i. $($OMSWorkspaces[$i-1].Name)" | |
} | |
[int]$ans = Read-Host -Prompt 'Enter selection' | |
$OMSWorkspace = $OMSWorkspaces[$ans-1] | |
#Create saved searches | |
Write-Output -InputObject 'Start creating saved searches' | |
Foreach ($item in $arrSavedSearches) | |
{ | |
Write-Output -InputObject " - Creating saved search - Category: '$($item.Category)', Search Query: '$($item.Name)'" | |
$SavedSearchId = [GUID]::NewGuid().Tostring() | |
$NewSavedSearch = New-AzureRmOperationalInsightsSavedSearch -ResourceGroupName $OMSWorkspace.ResourceGroupName -WorkspaceName $OMSWorkspace.Name -SavedSearchId $SavedSearchId -DisplayName $item.Name -Category $item.Category -Query $item.Query -Version 1 | |
} | |
Write-Output -InputObject 'Done!' | |
#endregion |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment