OMS: Getting the most out of OMS security features

Yesterday I hosted a workshop at Microsoft Belux about OMS security and compliancy features built-in in the OMS suite. It’s always nice to talk people through the different things which are included + give tips and tricks based on their questions.

As a lot of questions are returning I decided to bundle them in an overview blog post how you could effectively tune your environment. This is not a “how to” to setup OMS but just a summary of the small tips and tricks.

If you need a full “how to” setup OMS security check here: https://docs.microsoft.com/en-us/azure/operations-management-suite/oms-security-getting-started

1. Add your IIS logs to the mix

A significant portion of the insights on how you are doing regarding security comes from you IIS logs. Assuming that you have an OMS agent installed and added to your workspace it is invaluable to send these logs to your workspace as well for indexing and feeding the different users which are taking benefit from this knowledge.

• Install an agent on the web server and connect it to your workspace. (I’m assuming you know how to do this)
• Open your workspace and open settings by clicking the gear icon on top of your workspace
• Go to Data => IIS Logs => tick the box “Collect W3C IIS Log files. From this moment on your IIS logs will be gathered, uploaded to OMS and indexed. They will be automatically used to feed the security solution amongst other solutions.

     

To show you how important / reliant the Security solution is on IIS log data I’ve included the stats in my workspace.

Go to Security and Audit:

Scroll to the right to Threat Intelligence and click on the Detected threat types dial:

So check in the left corner you can see that the type of data is almost 50% based on the IIS logs. So make sure to add them

2. Limit the amount of security events uploaded to your workspace

Another handy tip is limiting the amount of data sent to your workspace to protect your usage. It used to be only possible to send all or nothing but just recently there’s a filter added to what events will be uploaded.

To select this filter go to your security and audit solution:



Click the gear icon on top left corner:

 

use one of the predefined filters:



For more info on the filters click the “For additional details” link.

To summarize the different filters check the different scenarios.

I’ve added to the list of events which are included in each scenario for your reference:



3. Check your usage (especially in a POC scenario)

Adding the security logs can have a significant impact on your uploaded data in your workspace and can cause overage payments or bad POC due to suspension of your workspace due to breach of max amount data uploaded a day.

To check the usage of the security events follow the following procedure:

Go into the main screen of your workspace and select usage:



Scroll to the middle of the screen and look for Data Volume by solution => click on “Security”



Check the graph to see which machines are consuming the most of the usage and try to take corrective actions.

 

In summary

These are just some tips and tricks to get the most out of your security solution. This solution is heavily dependant on other solutions (anti malware, compliancy,…) so the more solutions you deploy and configure the more clear the picture will be on how you are doing on the security field.

Stay tuned for more tips and tricks which will help you to get the full grasp and value out of your OMS investments.