OMS PowerShell

Below is some example PowerShell that integrates with OMS (Operations Management Suite). It shows how to list the saved searches in a workspace and how to run a saved search.

It also shows how to gather information from the Security & Audit solution for particular security domains (Identity & Access, Threat Intelligence and Security Baseline Assessment).

To use PowerShell against OMS successfully, you cannot log on to Azure from PowerShell with a Microsoft account; you need an organisational (work or school) account. That same account also needs the necessary permissions on the OMS workspace.

[Screenshot: 2016-10-24_1450]

I recommend you install this Azure PowerShell module (https://github.com/Azure/azure-powershell/releases/tag/v3.0.0-September2016), as it contains the cmdlets you need to work with OMS. If you install it, skip the first few lines of the script.

#region Install Modules
# Run as Administrator
Find-Module AzureRM.OperationalInsights | Install-Module
# Or run as the current user
Install-Module AzureRM.OperationalInsights -Scope CurrentUser
#endregion
#region Auto Logon to Azure & choose Azure subscription
### Auto Log into Azure with an Organisational Account
# A plaintext password in a script is a credential-exposure risk; Get-Credential prompts for it instead
$secpasswd = ConvertTo-SecureString "MyPassword" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential ("account@TenantName.onmicrosoft.com", $secpasswd)
Login-AzureRmAccount -Credential $Cred
$Subscription = (Get-AzureRmSubscription | Out-GridView -Title "Choose a Source & Target Subscription …" -PassThru)
Get-AzureRmSubscription -SubscriptionName $Subscription.SubscriptionName -WarningAction SilentlyContinue | Select-AzureRmSubscription
#endregion
$ResourceGroupName = "mms-eus"
$WorkSpaceName = "c6d60c3c-3f1d-412d-a736-0338f372d709"
##########################################################################################
################################# Saved Searches ##################################
##########################################################################################
# See all saved searches
$query = Get-AzureRmOperationalInsightsSavedSearch `
    -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkSpaceName
$query.value | Format-List ID, @{Name='Category';Expression={$_.properties.Category}}, @{Name='DisplayName';Expression={$_.properties.DisplayName}}
# Run a saved search – Saved Search name 01
$result = Get-AzureRmOperationalInsightsSavedSearchResults `
    -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkSpaceName `
    -SavedSearchId "system update assessment|Saved Search name 01"
$result.value | ConvertFrom-Json
# Run a saved search – Saved Search name 02
$result = Get-AzureRmOperationalInsightsSavedSearchResults `
    -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkSpaceName `
    -SavedSearchId "alert management|Saved Search name 02"
$result.value | ConvertFrom-Json
##########################################################################################
############################### Identity & Access #################################
##########################################################################################
# Identity & Access – Number of security events per user name
$dynamicQuery = "Type=SecurityEvent | Measure count() by TargetUserName"
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-17T18:30:58.8Z"
$result = Get-AzureRmOperationalInsightsSearchResults `
    -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkSpaceName `
    -Query $dynamicQuery `
    -Start $StartDateAndTime `
    -End $EndDateAndTime -Top 20
$result.Value | ConvertFrom-Json
# Identity & Access – Failed logons (EventID 4625) for a specific user name
$dynamicQuery = "Type=SecurityEvent TargetUserName=UserName EventID=4625"
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-17T18:30:58.8Z"
$result = Get-AzureRmOperationalInsightsSearchResults `
    -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkSpaceName `
    -Query $dynamicQuery `
    -Start $StartDateAndTime `
    -End $EndDateAndTime -Top 20
$result.Value | ConvertFrom-Json
# Identity & Access – Failed logons grouped by account
$dynamicQuery = 'Type=SecurityEvent EventID=4625 | measure count() by TargetAccount'
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-18T18:30:58.8Z"
$result = Get-AzureRmOperationalInsightsSearchResults `
    -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkSpaceName `
    -Query $dynamicQuery `
    -Start $StartDateAndTime `
    -End $EndDateAndTime -Top 20
$result.Value | ConvertFrom-Json
# Identity & Access – Failed logons by a specific account
$dynamicQuery = 'Type=SecurityEvent EventID=4625 TargetAccount="ADMINISTRATOR"'
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-18T18:30:58.8Z"
$result = Get-AzureRmOperationalInsightsSearchResults `
    -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkSpaceName `
    -Query $dynamicQuery `
    -Start $StartDateAndTime `
    -End $EndDateAndTime -Top 20
$result.Value | ConvertFrom-Json
##########################################################################################
############################## Threat Intelligence ################################
##########################################################################################
# Threat Intelligence – Threats, counted by indicator threat type
$dynamicQuery = 'MaliciousIP=* AND (RemoteIPCountry=* OR MaliciousIPCountry=*) AND (((Type=WireData AND Direction=Outbound) OR (Type=CommonSecurityLog AND CommunicationDirection=Outbound)) OR (Type=W3CIISLog OR (Type = WireData AND Direction= Inbound) OR (Type = CommonSecurityLog AND CommunicationDirection= Inbound))) | measure count() by IndicatorThreatType'
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-18T18:30:58.8Z"
$result = Get-AzureRmOperationalInsightsSearchResults `
    -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkSpaceName `
    -Query $dynamicQuery `
    -Start $StartDateAndTime `
    -End $EndDateAndTime -Top 20
$result.Value | ConvertFrom-Json
# Threat Intelligence – Look at all Botnets
$dynamicQuery = 'MaliciousIP=* AND (RemoteIPCountry=* OR MaliciousIPCountry=*) AND (((Type=WireData AND Direction=Outbound) OR (Type=CommonSecurityLog AND CommunicationDirection=Outbound)) OR (Type=W3CIISLog OR (Type = WireData AND Direction= Inbound) OR (Type = CommonSecurityLog AND CommunicationDirection= Inbound))) IndicatorThreatType=Botnet'
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-18T18:30:58.8Z"
$result = Get-AzureRmOperationalInsightsSearchResults `
    -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkSpaceName `
    -Query $dynamicQuery `
    -Start $StartDateAndTime `
    -End $EndDateAndTime -Top 20
$result.Value | ConvertFrom-Json
##########################################################################################
######################### Security Baseline Assessment ############################
##########################################################################################
# Security Baseline Assessment – Accounts with fewer than 5 successful logons (EventID 4624)
$dynamicQuery = 'Type=SecurityEvent EventID=4624 | Measure count() as LogonCount by Account | Where LogonCount<5'
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-18T18:30:58.8Z"
$result = Get-AzureRmOperationalInsightsSearchResults `
    -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkSpaceName `
    -Query $dynamicQuery `
    -Start $StartDateAndTime `
    -End $EndDateAndTime -Top 20
$result.Value | ConvertFrom-Json
# Security Baseline Assessment – Critical baseline rules that failed
$dynamicQuery = 'Type=SecurityBaseline AnalyzeResult=Failed RuleSeverity=Critical'
$StartDateAndTime = "2016-10-10T18:20:58.8Z"
$EndDateAndTime = "2016-10-18T18:30:58.8Z"
$result = Get-AzureRmOperationalInsightsSearchResults `
    -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkSpaceName `
    -Query $dynamicQuery `
    -Start $StartDateAndTime `
    -End $EndDateAndTime -Top 20
$SecurityBaselineAssessment = $result.Value | ConvertFrom-Json
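The script above repeats the same Get-AzureRmOperationalInsightsSearchResults call for every query. The following is an added example (not from the original post) that wraps that call in a reusable function and builds two defender-side checks on the same Security & Audit queries: accounts whose failed-logon count (EventID 4625) exceeds a threshold, and failed Critical baseline rules grouped by computer. It assumes AzureRM.OperationalInsights is installed and Login-AzureRmAccount has already been run; the function names, the $Threshold parameter, the AggregatedValue column produced by "measure count()", and the Computer and Description fields on SecurityBaseline records are assumptions of this example, and the workspace values are placeholders.

```powershell
# Added example, not the original post's code.
# Placeholders: replace with your own resource group and workspace.
$ResourceGroupName = "<resource-group>"
$WorkSpaceName     = "<workspace-name>"

# Prefer an interactive prompt over a password embedded in the script:
# Login-AzureRmAccount -Credential (Get-Credential)

function Invoke-OmsSearch {
    # Runs one OMS log search over a time window and returns each result row as an object
    param(
        [Parameter(Mandatory)] [string] $Query,
        [datetime] $Start = (Get-Date).AddDays(-7),
        [datetime] $End   = (Get-Date),
        [int] $Top = 500
    )
    $result = Get-AzureRmOperationalInsightsSearchResults `
        -ResourceGroupName $ResourceGroupName `
        -WorkspaceName $WorkSpaceName `
        -Query $Query -Start $Start -End $End -Top $Top
    # Each element of .Value is a JSON document for one row, as in the post
    $result.Value | ConvertFrom-Json
}

function Get-NoisyFailedLogons {
    # Accounts with at least $Threshold failed logons in the window.
    # Assumes "measure count() by TargetAccount" returns the count in AggregatedValue.
    param(
        [int] $Threshold = 20,
        [datetime] $Start = (Get-Date).AddDays(-7),
        [datetime] $End   = (Get-Date)
    )
    $rows = Invoke-OmsSearch -Query 'Type=SecurityEvent EventID=4625 | measure count() by TargetAccount' `
        -Start $Start -End $End -Top 1000
    $rows |
        Where-Object { [int]$_.AggregatedValue -ge $Threshold } |
        Sort-Object { [int]$_.AggregatedValue } -Descending |
        Select-Object TargetAccount, @{Name='FailedLogons'; Expression={ [int]$_.AggregatedValue }}
}

function Get-CriticalBaselineFailures {
    # Failed Critical baseline rules, one line per computer with the rule descriptions joined.
    # Assumes SecurityBaseline records carry Computer and Description fields.
    param(
        [datetime] $Start = (Get-Date).AddDays(-7),
        [datetime] $End   = (Get-Date)
    )
    $rows = Invoke-OmsSearch -Query 'Type=SecurityBaseline AnalyzeResult=Failed RuleSeverity=Critical' `
        -Start $Start -End $End -Top 1000
    $rows | Group-Object Computer | Sort-Object Count -Descending |
        Select-Object @{Name='Computer'; Expression={ $_.Name }},
                      @{Name='FailedRules'; Expression={ $_.Count }},
                      @{Name='Rules'; Expression={ ($_.Group.Description | Sort-Object -Unique) -join '; ' }}
}

# Usage: the same 8-day window the post uses, then print both reports
$windowStart = [datetime]"2016-10-10T18:20:58.8Z"
$windowEnd   = [datetime]"2016-10-18T18:30:58.8Z"
Get-NoisyFailedLogons -Threshold 20 -Start $windowStart -End $windowEnd | Format-Table -AutoSize
Get-CriticalBaselineFailures -Start $windowStart -End $windowEnd | Format-Table -AutoSize -Wrap
```

The -Top value is raised to 1000 for the aggregated queries because the post's -Top 20 silently truncates the grouped results; for a workspace with more accounts or computers than that, narrow the time window or add a filter to the query rather than trusting a truncated list.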
