OMS: Getting the most out of OMS security features

12:55 pm in OMS by Dieter Wijckmans


Yesterday I hosted a workshop at Microsoft Belux about the security and compliance features built into the OMS suite. It’s always nice to walk people through the different things that are included and to give tips and tricks based on their questions.

As a lot of the same questions keep coming back, I decided to bundle them in an overview blog post on how you can effectively tune your environment. This is not a “how to” for setting up OMS, just a summary of small tips and tricks.


If you need a full “how to” for setting up OMS security, see: https://docs.microsoft.com/en-us/azure/operations-management-suite/oms-security-getting-started

1. Add your IIS logs to the mix

A significant portion of the insight into how you are doing on security comes from your IIS logs. Assuming you have an OMS agent installed and connected to your workspace, it is invaluable to send these logs to the workspace as well, so they are indexed and feed the different solutions that benefit from this data.

  • Install an agent on the web server and connect it to your workspace. (I’m assuming you know how to do this.)
  • Open your workspace and open Settings by clicking the gear icon at the top of your workspace.
  • Go to Data => IIS Logs => tick the box “Collect W3C IIS Log files”. From this moment on your IIS logs will be gathered, uploaded to OMS and indexed. They will automatically be used to feed the Security solution, amongst other solutions.

To show you how much the Security solution relies on IIS log data, I’ve included the stats from my workspace.

Go to Security and Audit:

Scroll to the right to Threat Intelligence and click the “Detected threat types” dial:

In the top-left corner you can see that almost 50% of the data feeding this view comes from the IIS logs. So make sure to add them.
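As an added example (not code from the original post), here is a Log Analytics query over the W3CIISLog records that the IIS collection fills. It assumes the Kusto query language that Log Analytics workspaces use today rather than the legacy OMS search syntax visible in the 2017 portal, and the standard W3CIISLog column names (cIP, csMethod, csUriStem, scStatus, Computer, TimeGenerated). It lists, per web server, the client addresses producing the most failed requests over the last 24 hours, which is both a quick check that the logs are arriving and a first look at the request patterns the Security solution works from.

```kusto
// Added example, not part of the original post.
// Assumes Kusto and the standard W3CIISLog schema
// (cIP, csMethod, csUriStem, scStatus, Computer, TimeGenerated).
W3CIISLog
| where TimeGenerated > ago(24h)
// scStatus is stored as text; convert it so we can compare numerically
| extend Status = toint(scStatus)
| where Status >= 400
| summarize
    FailedRequests = count(),
    Client4xx      = countif(Status between (400 .. 499)),
    Server5xx      = countif(Status >= 500),
    DistinctPaths  = dcount(csUriStem),      // many unique paths from one address is worth a closer look
    Methods        = make_set(csMethod, 5),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
  by Computer, cIP
| order by FailedRequests desc
| take 20
```

If this returns nothing while the servers are serving traffic, the “Collect W3C IIS Log files” tick box and the agent connection are the first things to check: W3CIISLog only starts filling once that collection is enabled.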

2. Limit the number of security events uploaded to your workspace

Another handy tip is limiting the amount of data sent to your workspace to keep your usage under control. It used to be all or nothing, but just recently a filter was added that lets you choose which events will be uploaded.

To select this filter, go to your Security and Audit solution:

Click the gear icon in the top-left corner:

Choose one of the predefined filters:

For more info on the filters, click the “For additional details” link.

The different scenarios summarize what each filter includes.

I’ve added the list of events included in each scenario for your reference:

[Image: events included in each filter scenario]

3. Check your usage (especially in a POC scenario)

Adding the security logs can have a significant impact on the amount of data uploaded to your workspace. This can cause overage payments, or a bad POC when your workspace is suspended for breaching the maximum amount of data that may be uploaded per day.

To check the usage of the security events, follow this procedure:

Go to the main screen of your workspace and select Usage:

Scroll to the middle of the screen, look for Data Volume by solution and click “Security”:

Check the graph to see which machines are consuming most of the usage and take corrective actions where needed.
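The usage screen above shows volume per solution and per machine. The query below is an added example (not the author’s), written in Kusto for a Log Analytics workspace, that reproduces that per-machine breakdown in the query editor and adds the per-event-ID split you need to judge which of the filters from section 2 fits your environment. It assumes the SecurityEvent and W3CIISLog tables and the hidden per-record columns _IsBillable and _BilledSize (bytes).

```kusto
// Added example, not part of the original post.
// Assumes Kusto, the SecurityEvent and W3CIISLog tables, and the
// hidden per-record columns _IsBillable / _BilledSize (bytes).
union withsource = SourceTable SecurityEvent, W3CIISLog
| where TimeGenerated > ago(7d)
| where _IsBillable == true
// SecurityEvent rows carry an EventID; IIS rows do not, so label those by table
| extend EventLabel = iff(isnotempty(EventID), tostring(EventID), SourceTable)
| summarize
    BilledMBPerDay = round(sum(_BilledSize) / 1024.0 / 1024.0 / 7, 2),
    Records        = count()
  by Computer, SourceTable, EventLabel
| order by BilledMBPerDay desc
| take 25
```

Rows at the top where a single event ID dominates one machine are the first place to look before picking one of the predefined filters; the same query with the 7d window shortened to 1d is handy while a POC is running against a daily cap.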

In summary

These are just some tips and tricks to get the most out of your security solution. This solution is heavily dependent on other solutions (anti-malware, compliance, …), so the more solutions you deploy and configure, the clearer the picture will be of how you are doing on the security front.

Stay tuned for more tips and tricks that will help you get the full grasp and value out of your OMS investments.