Audit Alert Scenarios: System Center Operations Manager (OpsMgr) 2007 R2

The other day I was asked to assist with implementing the scenarios below:

• Scenario 1: Alert for changes to the ‘Domain Admins’ group membership
• Scenario 2: Alert when the Audit Policy is changed (Default Domain or Domain Controller)
• Scenario 3: Alert when xx number of unsuccessful logons occur within nn hours
• Scenario 4: Account locked out x number of times in a 24 hour period

I’ve decided to blog about it as I am likely to need it again in the future and it may help someone else as well!

Scenario 1: Alert for changes to the ‘Domain Admins’ group membership

Prerequisites
1. OpsMgr agent installed on the domain controllers.
2. Notification Channel, Subscriber & Subscription configured.
3. ‘Audit Account Management’ enabled in the ‘Default Domain Controllers Policy’.

Step-by-Step

Create an ‘Alert Generating Rule’ as below.

Note: Rules are used here instead of monitors because a monitor changes the health state, which rolls up to its parent monitors, while a rule only raises an alert.

1. Operations Console > Authoring > Rules > Create a new rule. Create a new destination management pack if required. Click Next.
2. Rule target: select ‘Windows Domain Controller’. Un-tick the ‘Rule is enabled’ checkbox (the rule is enabled later by an override). Click Next.
3. Log name: select Security. Click Next.
4. Build the event expression for the following event IDs (as depicted in the screenshot, not reproduced here):

   632 – A member was added to a global group.
   633 – A member was removed from a global group.

   There are two ways to restrict the rule to the Domain Admins group:

   1. Use Parameter 3 of the event, or
   2. Choose ‘Use parameter name not specified above’ and match on ‘EventDescription’.

   Method 1 is preferred, as it matches a single event parameter rather than the free-text description. Click Next.
5. Change the severity and priority settings as required. Click Create.

Next steps:

1. Enable the newly created rule for ‘all objects of class: Windows Domain Controller’ by using an override.
2. Create a notification subscription for the rule.

[Alert example screenshot]
Scenario 2: Alert when the Audit Policy is changed (Default Domain or Domain Controller)

Prerequisites
1. OpsMgr agent installed on the domain controllers.
2. Notification Channel, Subscriber & Subscription configured.
3. ‘Audit Policy Change’ enabled in the ‘Default Domain Policy’.

Step-by-Step

Create an ‘Alert Generating Rule’ as below.

1. Operations Console > Authoring > Rules > Create a new rule. Create a new destination management pack if required. Click Next.
2. Rule target: select ‘Windows Domain Controller’. Un-tick the ‘Rule is enabled’ checkbox (the rule is enabled later by an override). Click Next.
3. Log name: select Security. Click Next.
4. Build the event expression for the following event ID (as depicted in the screenshot, not reproduced here):

   612 – An audit policy was changed.

   Click Next.
5. Change the severity and priority settings as required. Click Create.

Next steps:

1. Enable the newly created rule for ‘all objects of class: Windows Domain Controller’ by using an override.
2. Create a notification subscription for the rule.

[Alert example screenshot]
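As an added example (not code from the original post), the following PowerShell reads the same Security events that the scenario 1 and scenario 2 rules match, directly from a domain controller's event log. It is useful for checking that the audit policy actually produces the events before the rules and overrides go live. It assumes the Windows Server 2003-style event IDs used in the post (on Windows Server 2008 and later the equivalents are 4728/4729 for global group membership changes and 4719 for audit policy changes) and a session with rights to read the Security log; the function name Get-AuditEvents is my own. The wizard's ‘Parameter N’ is the event's insertion string N, which Get-EventLog exposes as ReplacementStrings[N-1]; for 632/633, Parameter 3 is the target group name, which is what ‘Method 1’ above matches.

```powershell
# Added example, not from the original post: read the Security events matched by
# the scenario 1 and 2 rules straight from a domain controller's event log.
# Assumes legacy (Windows Server 2003) event IDs and read access to the Security log.

function Get-AuditEvents {
    param(
        [int[]]$EventId,                              # event IDs to match, e.g. 632,633
        [int]$Hours = 24,                             # look-back window
        [int]$ParameterIndex = 0,                     # the wizard's "Parameter N" (1-based); 0 = no parameter filter
        [string]$ParameterValue,                      # value Parameter N must equal
        [string]$ComputerName = $env:COMPUTERNAME     # domain controller to query
    )
    $since = (Get-Date).AddHours(-$Hours)
    Get-EventLog -LogName Security -ComputerName $ComputerName -After $since |
        Where-Object { $EventId -contains $_.EventID } |
        Where-Object {
            # ReplacementStrings holds the insertion strings; Parameter N is index N-1
            if ($ParameterIndex -lt 1) { return $true }
            $p = $_.ReplacementStrings
            ($p.Count -ge $ParameterIndex) -and ($p[$ParameterIndex - 1] -eq $ParameterValue)
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time       = $_.TimeGenerated
                EventId    = $_.EventID
                Computer   = $_.MachineName
                Parameters = ($_.ReplacementStrings -join ' | ')
            }
        }
}

# Scenario 1: member added to / removed from 'Domain Admins'.
# Parameter 3 of events 632/633 is the target group name (the post's "Method 1").
Get-AuditEvents -EventId 632,633 -ParameterIndex 3 -ParameterValue 'Domain Admins' |
    Format-Table Time, EventId, Computer, Parameters -AutoSize

# Scenario 2: audit policy changed; no parameter filter needed.
Get-AuditEvents -EventId 612 |
    Format-Table Time, EventId, Computer, Parameters -AutoSize
```

Each domain controller writes its own Security log, so run the function against every DC (or use the ACS collector, which centralises the events) when you want a domain-wide picture rather than a single-DC check.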

Scenario 3: Alert when xx number of unsuccessful logons occur within nn hours

Disclaimer: This is a complex scenario and I am not sure that my proposed solution is the simplest...it works though! :-)

The following variants are relatively easy to do:

• Create an alert for each unsuccessful logon.
• Create an alert for each unsuccessful logon for a specific user.
• Create one suppressed alert (i.e. the repeat count is increased) for all unsuccessful logons.
• Create one suppressed alert per user account that attempted an unsuccessful logon. Add 1 to the ‘RepeatCount’ for each subsequent occurrence in a 24 hour period. Create a rule to auto-resolve all related active alerts. Create a rule to send hourly notifications when the ‘RepeatCount’ exceeds xx. I documented only this scenario below.

Prerequisites
1. OpsMgr agent installed on the domain controllers.
2. Notification Channel, Subscriber & Subscription configured – not strictly necessary for the proposed solution, as the notification script below sends e-mail itself.
3. ‘Audit Account Logon Events’ enabled in the ‘Default Domain Controller Policy’.

Step-By-Step

Summary: one suppressed alert per user account that attempted an unsuccessful logon, with the ‘RepeatCount’ increased for each subsequent occurrence in a 24 hour period; a rule that auto-resolves all related active alerts; and a rule that sends hourly notifications when the ‘RepeatCount’ exceeds xx.

Create an ‘Alert Generating Rule’ as below. Give it a name: the scripts further down look for the rule name ‘Custom Rule - Count Unsuccessful Logons’, so either use that name or change the scripts to match.

1. Operations Console > Authoring > Rules > Create a new rule. Create a new destination management pack if required. Click Next.
2. Rule target: select ‘Windows Domain Controller’. Un-tick the ‘Rule is enabled’ checkbox (the rule is enabled later by an override). Click Next.
3. Log name: select Security. Click Next.
4. Build the event expression for the following event ID (as depicted in the screenshot, not reproduced here):

   675 - Preauthentication failed. This event is generated on a Key Distribution Center (KDC) when a user types in an incorrect password.

   Click Next.
5. Change the severity and priority settings as required.
6. Alert Suppression: configure the alert suppression fields so that one alert is raised per user account and each further unsuccessful logon for that account increases the alert’s ‘RepeatCount’ (fields as depicted in the screenshot, not reproduced here). Click Ok, then Create.

Next steps:

Enable the newly created rule for ‘all objects of class: Windows Domain Controller’ by using an override.

[Alert example screenshot]
Create a rule to resolve all unsuccessful logon alerts on a daily basis

Operations Console > Authoring > Rules > Create a new rule. Create a new destination management pack if required. Click Next.

Select ‘Root Management Server’ as the rule target. Un-tick the ‘Rule is enabled’ checkbox (the rule is enabled later by an override). Click Next.

Define the schedule as required.

Create a directory on the root management server, e.g. c:\scripts, and save the following PowerShell script in that directory.

Note: Change the script as required, i.e. the path to the OpsMgr Startup.ps1 and the rule name.

# ResolveUL.ps1
# Author: Johan Vosloo
# Date: 29-10-2009
# Note: The name "Custom Rule - Count Unsuccessful Logons" below must match the name of the rule that creates the suppressed alert.
# Script requires Microsoft.EnterpriseManagement.OperationsManager.ClientShell.Startup.ps1 to be in "c:\Program Files\System Center Operations Manager 2007" - change as required.

Add-PSSnapin "Microsoft.EnterpriseManagement.OperationsManager.Client"
Set-Location "c:\Program Files\System Center Operations Manager 2007"
.\Microsoft.EnterpriseManagement.OperationsManager.ClientShell.Startup.ps1

# Resolve every still-open alert (ResolutionState 0 = New) raised by the counting rule.
Get-Alert |
    Where-Object { ($_.Name -eq "Custom Rule - Count Unsuccessful Logons") -and ($_.ResolutionState -eq 0) } |
    Resolve-Alert -Comment "CLOSE daily informational alerts" |
    Out-Null

Configure the command line execution settings so that the rule runs the script (as depicted in the screenshot, not reproduced here). Click Create.

Next steps:

Enable the newly created rule for ‘all objects of class: Root Management Server’ by using an override.

Create a rule to send a notification when the alert ‘RepeatCount’ equals xx within nn hours

Operations Console > Authoring > Rules > Create a new rule. Create a new destination management pack if required. Click Next.

Select ‘Root Management Server’ as the rule target. Un-tick the ‘Rule is enabled’ checkbox (the rule is enabled later by an override). Click Next.

Define the schedule as required.

Create a directory on the root management server, e.g. c:\scripts, and save the following PowerShell script in that directory.

Note: Change the script as required, i.e. the path to the OpsMgr Startup.ps1 and the rule name.

# NotifyULogon.ps1
# Author: Johan Vosloo
# Date: 29-10-2009
# Credit: Adapted from http://contoso.se/blog/?p=290
# Script requires Microsoft.EnterpriseManagement.OperationsManager.ClientShell.Startup.ps1 to be in "c:\Program Files\System Center Operations Manager 2007" - change as required.

# Change the notification recipient, the from address and the mail server below.
$Recipient  = "security@paris.com"
$From       = "notification@paris.com"
$SmtpServer = "mailserver.paris.com"
# xx: notify once an alert's RepeatCount exceeds this value.
$Threshold  = 3

Add-PSSnapin "Microsoft.EnterpriseManagement.OperationsManager.Client"
Set-Location "c:\Program Files\System Center Operations Manager 2007"
.\Microsoft.EnterpriseManagement.OperationsManager.ClientShell.Startup.ps1

# The name "Custom Rule - Count Unsuccessful Logons" below must match the name of the rule that creates the suppressed alert.
# Select open alerts (ResolutionState 0 = New) over the threshold that have not been notified yet:
# CustomField1 is stamped once an e-mail has been sent, so the hourly run does not mail the same alert twice.
Get-Alert | Where-Object {
    ($_.Name -eq "Custom Rule - Count Unsuccessful Logons") -and
    ($_.ResolutionState -eq 0) -and
    ($_.RepeatCount -gt $Threshold) -and
    [string]::IsNullOrEmpty($_.CustomField1)
} | ForEach-Object {
    $alert_id = $_.Id
    $alert_name = $_.Name
    $alert_TimeRaised = $_.TimeRaised
    $alert_Desc = $_.Description
    $alert_RepeatCount = $_.RepeatCount
    $alert_Severity = $_.Severity
    $alert_Priority = $_.Priority
    $alert_MonitoringObjectDisplayName = $_.MonitoringObjectDisplayName

    if ($alert_id -eq $null) {
        "Alert ID is NULL, don't send e-mail"
    } elseif ($Recipient -eq $null) {
        "Recipient is NULL, don't send e-mail"
    } else {
        # Send e-mail
        $smtpClient = New-Object System.Net.Mail.SmtpClient($SmtpServer)
        $Title = "Notification from Ops Mgr. $alert_name $alert_Severity"
        $Body = @"
Notification from Operations Manager 2007
RepeatCount: $alert_RepeatCount
Raised: $alert_TimeRaised
Name: $alert_name
Object: $alert_MonitoringObjectDisplayName
Priority: $alert_Priority
Severity: $alert_Severity
Description: $alert_Desc
"@
        $smtpClient.Send($From, $Recipient, $Title, $Body)
        # Update Custom Field 1 on the alert, otherwise the script sends multiple e-mails for the same alert.
        $alert = Get-Alert | Where-Object { $_.Id -eq $alert_id }
        $alert.CustomField1 = "Ops Mgr has sent e-mail to $Recipient"
        $alert.Update("")
    }
}

Configure the command line execution settings so that the rule runs the script (as depicted in the screenshot, not reproduced here). Click Create.

Next steps:

Enable the newly created rule for ‘all objects of class: Root Management Server’ by using an override.

Scenario 4: Account locked out x number of times in a 24 hour period

Disclaimer: This is another complex scenario and I am again not sure that my proposed solution is the simplest...it works though! :-)

Prerequisites
1. OpsMgr agent installed on the domain controllers.
2. Notification Channel, Subscriber & Subscription configured.
3. ‘Audit Account Management’ enabled in the ‘Default Domain Controllers Policy’.

Step-By-Step

Summary: one suppressed alert per locked out user account, with the ‘RepeatCount’ increased for each subsequent occurrence in a 24 hour period; a rule that auto-resolves all related active alerts; and a rule that sends hourly notifications when the ‘RepeatCount’ exceeds xx.

Create an ‘Alert Generating Rule’ as below.

1. Operations Console > Authoring > Rules > Create a new rule. Create a new destination management pack if required. Click Next.
2. Rule target: select ‘Windows Domain Controller’. Un-tick the ‘Rule is enabled’ checkbox (the rule is enabled later by an override). Click Next.
3. Log name: select Security. Click Next.
4. Build the event expression for the following event ID (as depicted in the screenshot, not reproduced here):

   644 - A user account was auto locked.

   Click Next.
5. Change the severity and priority settings as required.
6. Alert Suppression: configure the alert suppression fields so that one alert is raised per locked out user account and each further lockout of that account increases the alert’s ‘RepeatCount’ (fields as depicted in the screenshot, not reproduced here). Click Ok, then Create.

Next steps:

1. Enable the newly created rule for ‘all objects of class: Windows Domain Controller’ by using an override.
2. Repeat the ‘Create a rule to resolve all unsuccessful logon alerts on a daily basis’ section in scenario 3 above (with the rule name in the script changed to this scenario’s rule).
3. Repeat the ‘Create a rule to send a notification when the alert RepeatCount equals xx within nn hours’ section in scenario 3 above (again with the rule name changed).
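Added example (not from the original post) of the threshold logic behind scenarios 3 and 4, evaluated directly against a domain controller's Security log rather than through an OpsMgr alert's RepeatCount: events are counted per account inside a look-back window of nn hours and the accounts whose count exceeds xx are reported. This is handy for tuning xx and nn before the rules and the two scheduled scripts go live. It assumes the legacy event IDs 675 and 644 used in the post, whose Parameter 1 is the account name (the Windows Server 2008 equivalents are 4771 and 4740); the function name Get-AccountEventSummary is my own.

```powershell
# Added example, not from the original post: "xx occurrences per account within
# nn hours" computed from a domain controller's Security log.
# Assumes legacy event IDs 675 (Kerberos pre-authentication failed) and
# 644 (account auto locked); Parameter 1 (ReplacementStrings[0]) is the account name.

function Get-AccountEventSummary {
    param(
        [int]$EventId,                                # 675 for failed logons, 644 for lockouts
        [int]$Hours = 24,                             # nn: look-back window
        [int]$Threshold = 3,                          # xx: report accounts whose count exceeds this
        [string]$ComputerName = $env:COMPUTERNAME     # domain controller to query
    )
    $since = (Get-Date).AddHours(-$Hours)
    Get-EventLog -LogName Security -ComputerName $ComputerName -After $since |
        Where-Object { $_.EventID -eq $EventId } |
        Group-Object -Property { $_.ReplacementStrings[0] } |
        ForEach-Object {
            # @() keeps single-event groups indexable
            $sorted = @($_.Group | Sort-Object TimeGenerated)
            New-Object PSObject -Property @{
                Account   = $_.Name
                Count     = $_.Count
                FirstSeen = $sorted[0].TimeGenerated
                LastSeen  = $sorted[-1].TimeGenerated
            }
        } |
        Where-Object { $_.Count -gt $Threshold } |
        Sort-Object Count -Descending
}

# Scenario 3: accounts with more than xx=3 failed Kerberos pre-authentications in nn=24 hours
Get-AccountEventSummary -EventId 675 -Hours 24 -Threshold 3 |
    Format-Table Account, Count, FirstSeen, LastSeen -AutoSize

# Scenario 4: accounts locked out more than once in 24 hours
Get-AccountEventSummary -EventId 644 -Hours 24 -Threshold 1 |
    Format-Table Account, Count, FirstSeen, LastSeen -AutoSize
```

Two caveats carry over to the OpsMgr rules themselves: each DC only sees the failures it handled, so a per-DC count understates a domain-wide total unless the alert suppression collapses the events from all DCs into one alert per account, and event 675 only covers Kerberos pre-authentication, so NTLM logon failures are not counted by this rule.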
Audit Report Scenarios: How to create custom reports with System Center Operations Manager 2007 R2 and Audit Collection Services (ACS)

Scenarios that are discussed in this blog post include:

• Scenario 1: Computers joined to the domain (names and description)
• Scenario 2: User passwords expired
• Scenario 3: User accounts locked out
• Scenario 4: Group policy changes

Scenario 1: Computers joined to the domain (names and description)

The following event IDs will be used in this procedure:

645 - A computer account was created.
646 - A computer account was changed.
647 - A computer account was deleted.

Note: The computer description cannot be reported on as it is not a parameter of these events.

Computer Accounts Created

Step 1: Operations Console > Reporting > Audit Reports > Design a new report.
Step 2: Select the fields shown in the screenshot from the ‘Explorer pane, Fields:’ section.
Step 3: Rename the fields.
Step 4: Right click inside the ‘Date’ field (e.g. 1/1/2009) > Format > select a format to suit your requirements.
Step 5: Right click inside the ‘Computer’ field > Edit Formula > enter the formula as indicated in the screenshot.
Step 6: Select Filter from the toolbar. Add Event Id and select 645.

Note: Event Id 645 will not be available if Audit Account Management is not enabled, or a DC is not configured to forward this event to an ACS collector, or ACS is configured to filter out this event.

[Report example screenshot]

Computer Accounts Deleted

Save the report created above under a different name, change the title and simply change the event ID in step 6 above to 647 to report on deleted computer accounts.

[Report example screenshot]

Computer Accounts Changed

Step 1: Operations Console > Reporting > Audit Reports > Design a new report.
Step 2: Select the fields shown in the screenshot from the ‘Explorer pane, Fields:’ section and rename them as appropriate.
Step 3: Right click inside the ‘Date’ field (e.g. 1/1/2009) > Format > select a format to suit your requirements.
Step 4: Right click inside the ‘Action’ field > Edit Formula > enter the formula as indicated in the screenshot.
Step 5: Select Filter from the toolbar. Add Event Id and equals 647. Also add String 06 and not equal to -.

Note: Event Id 647 will not be available if Audit Account Management is not enabled, or a DC is not configured to forward this event to an ACS collector, or ACS is configured to filter out this event.

[Report example screenshot]

Scenario 2: User passwords expired

Event Id 535 (Logon failure. The password for the specified account has expired) will be used in this procedure.

Step 1: Operations Console > Reporting > Audit Reports > Design a new report.
Step 2: Select the fields shown in the screenshot from the ‘Explorer pane, Fields:’ section and rename them as appropriate.
Step 3: Right click inside the ‘Date’ field (e.g. 1/1/2009) > Format > select a format to suit your requirements.
Step 4: Select Filter from the toolbar. Add Event Id and equals 535. Also add String 06 and not equal to -.

Note: Event Id 535 will not be available if Audit logon events is not enabled, or a DC is not configured to forward this event to an ACS collector, or ACS is configured to filter out this event, or there were no logon attempts by users with expired passwords.

[Report example screenshot]

Scenario 3: User accounts locked out

Event Id 644 (A user account was auto locked) will be used in this procedure.

Step 1: Operations Console > Reporting > Audit Reports > Design a new report.
Step 2: Select the fields shown in the screenshot from the ‘Explorer pane, Fields:’ section and rename them as appropriate.
Step 3: Right click inside the ‘Date’ field (e.g. 1/1/2009) > Format > select a format to suit your requirements.
Step 4: Select Filter from the toolbar. Add Event Id and equals 644.

Note: Event Id 644 will not be available if Audit Account Management is not enabled, or a DC is not configured to forward this event to an ACS collector, or ACS is configured to filter out this event, or if the Account Lockout Policy is not configured with a threshold for logon attempts.

[Report example screenshot]

Scenario 4: Group policy changes

Event Id 566 (A generic object operation took place) will be used in this procedure.

Step 1: Operations Console > Reporting > Audit Reports > Design a new report.
Step 2: Select the fields shown in the screenshot from the ‘Explorer pane, Fields:’ section and rename them as appropriate.
Step 3: Right click inside the ‘Date’ field (e.g. 1/1/2009) > Format > select a format to suit your requirements.
Step 4: Select Filter from the toolbar. Add Event Id and equals 566. Also add String 01 contains groupPolicyContainer.

Note: Event Id 566 will not be available if Audit Directory Service Access is not enabled, or a DC is not configured to forward this event to an ACS collector, or ACS is configured to filter out this event.

Step 5: Right click inside the ‘GPO’ field > Edit Formula > enter the formula as indicated in the screenshot.
Step 6: Right click inside the ‘GPO’ field > Edit Formula > enter the formula as indicated in the screenshot.

[Report example screenshot]

Note: I added a text box with the KB URL to convert GPO GUIDs to GPO names.
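The filters of the four report scenarios above, as an added example (not the post's own content) expressed as a parameterised T-SQL query run from PowerShell against the ACS database, for when a scheduled extract or an ad-hoc check is more convenient than the report designer. It assumes the default ACS database name OperationsManagerAC and its dvAll view with EventId, CreationTime, AgentMachine and String01 to String22 columns, which is where the designer's ‘String 01’ and ‘String 06’ fields come from; verify the column names against your own ACS server before relying on them. The server name is a placeholder and the function name Get-AcsEvents is my own.

```powershell
# Added example, not from the original post: the report designer filters above as a
# parameterised query against the ACS database (assumed: database OperationsManagerAC,
# view dvAll with EventId, CreationTime, AgentMachine and String01..String22).

function Get-AcsEvents {
    param(
        [string]$SqlServer,                            # placeholder: ACS database server\instance
        [string]$Database = 'OperationsManagerAC',     # assumed default ACS database name
        [int]$EventId,
        [int]$Days = 7,                                # reporting period
        [string]$FilterColumn,                         # optional StringNN column, e.g. String06
        [ValidateSet('NotDash', 'Contains')]
        [string]$FilterKind = 'NotDash',
        [string]$FilterValue                           # used with -FilterKind Contains
    )
    $where = 'EventId = @EventId AND CreationTime >= @Since'
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$SqlServer;Database=$Database;Integrated Security=SSPI"
    $cmd = $conn.CreateCommand()
    [void]$cmd.Parameters.AddWithValue('@EventId', $EventId)
    [void]$cmd.Parameters.AddWithValue('@Since', (Get-Date).AddDays(-$Days))
    if ($FilterColumn) {
        # Only a whitelisted column name is ever concatenated into the query; values go through parameters.
        if ($FilterColumn -notmatch '^String(0[1-9]|1[0-9]|2[0-2])$') { throw "Unexpected ACS column name: $FilterColumn" }
        switch ($FilterKind) {
            'NotDash'  { $where += " AND $FilterColumn <> '-'" }          # the designer's "not equal to -"
            'Contains' {
                $where += " AND $FilterColumn LIKE @Pattern"                 # the designer's "contains"
                [void]$cmd.Parameters.AddWithValue('@Pattern', "%$FilterValue%")
            }
        }
    }
    $cmd.CommandText = "SELECT CreationTime, EventId, AgentMachine, String01, String02, String06 " +
                       "FROM dvAll WHERE $where ORDER BY CreationTime DESC"
    $table = New-Object System.Data.DataTable
    $conn.Open()
    try { $table.Load($cmd.ExecuteReader()) } finally { $conn.Close() }
    $table
}

$acs = 'ACSDBSERVER'   # placeholder

# Scenario 1: computer accounts created, deleted and changed.
# 646 is the "computer account was changed" event from the list at the top of scenario 1
# (the step-5 text reads 647, which is the deleted event).
Get-AcsEvents -SqlServer $acs -EventId 645
Get-AcsEvents -SqlServer $acs -EventId 647
Get-AcsEvents -SqlServer $acs -EventId 646 -FilterColumn String06 -FilterKind NotDash
# Scenario 2: logon failures because the password has expired
Get-AcsEvents -SqlServer $acs -EventId 535 -FilterColumn String06 -FilterKind NotDash
# Scenario 3: user accounts locked out
Get-AcsEvents -SqlServer $acs -EventId 644
# Scenario 4: group policy object changes
Get-AcsEvents -SqlServer $acs -EventId 566 -FilterColumn String01 -FilterKind Contains -FilterValue 'groupPolicyContainer'
```

The same prerequisites as the designer notes apply: an event ID returns nothing if the audit category is not enabled on the DCs, if the DC does not forward to the collector, or if the collector's filter drops the event.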
Quick Tip: How to run an ACS Forwarder, Collector, RMS and DC on the same host

1. Manually enable the ‘Operations Manager Audit Forwarding Service’ (AdtAgent.exe).
2. Regedit > [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AdtAgent\Parameters] > New > Multi-String Value > AdtServers > ‘CollectorFQDN’

Note: Step 2 resolved Event ID 4369 (with a blank list of collectors) for me.

Hopefully this configuration of roles will only ever be used in a lab environment!
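The two steps above as a script with a check at the end, added here as an example (not from the original post). It assumes the service name AdtAgent for the ‘Operations Manager Audit Forwarding Service’ and the registry path from the tip; the collector FQDN is a placeholder. The registry value is written before the service is started so that the forwarder does not come up with the empty collector list that produces Event ID 4369.

```powershell
# Added example, not from the original post. Run elevated on the host that holds all the roles.
# Assumes service name AdtAgent ('Operations Manager Audit Forwarding Service').
param([string]$CollectorFqdn = 'collector.lab.example')   # placeholder: the ACS collector's FQDN

$key = 'HKLM:\SOFTWARE\Policies\Microsoft\AdtAgent\Parameters'

# Step 2 first: point the forwarder at the collector (REG_MULTI_SZ value AdtServers)
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name AdtServers -PropertyType MultiString -Value @($CollectorFqdn) -Force | Out-Null

# Step 1: enable and (re)start the forwarder service so it reads the new collector list
Set-Service -Name AdtAgent -StartupType Automatic
if ((Get-Service -Name AdtAgent).Status -eq 'Running') {
    Restart-Service -Name AdtAgent
} else {
    Start-Service -Name AdtAgent
}

# Check: the value is in place and the service is running
$servers = (Get-ItemProperty -Path $key -Name AdtServers).AdtServers
"AdtServers = $($servers -join ', ')"
Get-Service -Name AdtAgent | Select-Object Name, Status
```

If Event ID 4369 still appears after this, check the value type: AdtServers must be a multi-string (REG_MULTI_SZ), not a plain string.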