Azure Operational Insights: Security and Audit


In one of my last OpsMgr deployments I configured Audit Collection Services (ACS) for auditing security-related information. ACS is still working great, but there have been no improvements to ACS since OpsMgr 2007 R2, so it is lacking high-availability options. For now I have created my own solution, but it is still a pity that there has been so little improvement. With OpInsights we get a new solution for security auditing: with the Security and Audit Intelligence Pack you can send your security information to OpInsights, and once it is uploaded you can use the OpInsights functionality to query it.

But let's take a look at this plugin based on my experience with deploying ACS on premise.

Data Retention
One of the main topics of ACS deployments is the retention of the data. With security audit data we're talking about a lot of data, and the amount of data affects the retention. In ACS deployments you get out of the box a retention of 30-90 days (depending on the amount of data). With the Audit Manager Solution of Secure Vantage it was possible to increase this to 6-8 years, but since Secure Vantage is not answering on any communication channels it is difficult to sell and use their solution. So how about retention in OpInsights? The Security and Audit plugin does not contain any additional settings regarding data retention, so we have to look at the retention settings of OpInsights itself. The following table gives the answer:

Subscription            Free      Standard    Premium
Price                   Free      $1.15/GB    $1.75/GB
Daily Data Limit        500 MB    None        None
Data Retention Period   7 days    1 month     12 months

The conclusion on data retention is that the maximum we can get is 12 months, with the paid Premium subscription. So currently there is no long-term data retention available in OpInsights.

Amount of Data
As described above, the amount of data is an important parameter in a security auditing solution. With Windows 2003 and 2008 you can only configure the audit policy with the original 8 audit categories, and on those machines a lot of events are generated. From 2008 R2 onwards you can configure the advanced audit policy, where you define in more detail what you want to audit, but all of those events are still created. With OpInsights you are going to sync all those events to the cloud, and as you can see above the price model is based on the amount of data you sync to OpInsights. Still, I think that the price is comparable to buying storage in your own datacenter.

Reporting and Dashboarding
Most of the ACS environments I have seen use the data mainly for generating reports. Those reports are used to check the occurrence of events. Unfortunately there is no reporting functionality in OpInsights, so it is not possible to create and schedule reports based on events and parameters. You can export the query data to Excel, but this cannot be scheduled at this moment.

But with OpInsights you do get dashboard functionality based on the collected data, which we did not have with OpsMgr ACS. With OpInsights we can create rich visualizations around the security data, which is really powerful. The question will be: can the dashboard functionality replace the reporting requirements of on-premise ACS deployments?

Another big improvement is the speed of querying the collected data. In ACS environments with a lot of data, querying the database takes a lot of time. With OpInsights this problem is history: you can query the data easily and it is very fast. For me that is the biggest improvement we get with the Security and Audit Intelligence Pack. But how do we configure this Intelligence Pack, and what other steps are needed before you can use it?

  1. The first step is to create an audit policy. This can be done through Group Policy. I advise you to configure the 'Advanced Audit Policy'; with this advanced policy you get subcategories on which you can filter. This only works on Windows 2008 R2 and later, so if you have Windows 2003 or 2008 servers you also have to configure the 'normal' audit policy.

  2. When the policy is configured and applied to your servers, go to Operational Insights and click on Intelligence Packs.

  3. Click on ‘Security and Audit’ and click on Add.

  4. Once added, you will see the Intelligence Pack on the Overview Dashboard.

  5. On your agents you will see that the following Management Packs are received from OpInsights:
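As an added example that is not part of the original post, the PowerShell script below checks step 1 on a Windows 2008 R2 or later server before you enable the Intelligence Pack: it reads the effective advanced audit policy with auditpol and compares a handful of subcategories against a baseline. The baseline subcategory list is an assumption chosen for this example, not an OpInsights or Microsoft recommendation.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session on
# Windows Server 2008 R2 or later. The baseline below is a hypothetical minimum, adjust it
# to what your own audit policy (Group Policy, step 1) is supposed to deliver.
$baseline = @{
    'Logon'                     = 'Success and Failure'
    'Logoff'                    = 'Success'
    'Account Lockout'           = 'Success and Failure'
    'Special Logon'             = 'Success'
    'User Account Management'   = 'Success and Failure'
    'Security Group Management' = 'Success and Failure'
    'Audit Policy Change'       = 'Success and Failure'
    'Process Creation'          = 'Success'
}

# auditpol /r emits CSV with the columns:
# Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
$effective = auditpol /get /category:* /r | ConvertFrom-Csv

$findings = foreach ($name in $baseline.Keys) {
    $row    = $effective | Where-Object { $_.Subcategory -eq $name }
    $actual = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
    # 'Success and Failure' always satisfies the baseline; otherwise the values must match.
    $ok = ($actual -eq $baseline[$name]) -or ($actual -eq 'Success and Failure')
    [pscustomobject]@{
        Subcategory = $name
        Expected    = $baseline[$name]
        Effective   = $actual
        Compliant   = $ok
    }
}

$findings | Sort-Object Compliant, Subcategory | Format-Table -AutoSize

# Subcategory settings only take precedence over the legacy 8 categories when the override
# is enforced (Group Policy: "Audit: Force audit policy subcategory settings to override
# audit policy category settings"), which sets this registry value to 1.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1: the legacy category policy can still override the subcategory settings.'
}
```

Any subcategory reported as not compliant means the events you expect to see in OpInsights are not being generated on that server, regardless of what the Intelligence Pack is configured to collect.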

Now you have to wait until the first assessment is done by OpInsights. When this first assessment is completed you can start using the dashboard and query functionality. Some screenshots of the Security and Audit plugin:

Overview Widget:

Overview Dashboard:

Custom Widgets:
