- [Instructor] The Security and Audit feature in Log Analytics provides a comprehensive view into your organization's IT security. The feature has built-in search queries for notable issues that require your attention. Security and Audit collects Windows security events, Windows application events, and Windows firewall logs by using the agents that you have enabled. The Security and Audit feature enables IT to actively monitor all resources, which can help minimize the effects of security incidents.
It also has security domains that you can use when monitoring resources. These security domains include Malware Assessment, Update Assessment, and Identity and Access. We'll look at each of these in separate slides. Malware Assessment. In a defense-in-depth approach, each layer of protection is important for the overall security of your assets. Computers with detected threats and insufficient protection display in the Malware Assessment tile under Security Domains.
By using the information on the Malware Assessment dashboard, you can identify a plan to apply protection to the computers that need it. You can use the Malware Assessment dashboard to identify the following security issues. Active threats: computers are compromised and have active threats in the system. Remediated threats: computers are compromised, but the threats are remediated. Signature out of date: computers have malware protection enabled, but the signature is out of date.
And no real-time protection: computers do not have anti-malware installed. Update Assessment. Applying the most recent security updates is a security best practice, and you should incorporate it in your update management strategy. The Microsoft Monitoring Agent service's health service process reads update information from monitored computers and then sends this information to the Microsoft Operations Management Suite service in the cloud for processing.
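The four Malware Assessment categories above are summaries of the per-computer records that the agent writes to the ProtectionStatus table. The query below is an added example, not part of the course or of Microsoft's solution, written in the Kusto query language that Log Analytics uses today rather than the legacy OMS search syntax. It assumes the ProtectionStatus table carries ProtectionStatus and ThreatStatus columns per computer; the seven-day window is a constructed value, and the grouping deliberately avoids hard-coding the status strings so it mirrors whatever values your workspace actually reports.

```kusto
// Added example (not from the course): reproduce the Malware Assessment tiles
// from the underlying ProtectionStatus records.
// Assumed: agents populate ProtectionStatus with one record per computer per report;
// the 7d window is a constructed starting point.
ProtectionStatus
| where TimeGenerated > ago(7d)
// Keep only the newest record for each computer so stale reports do not
// mask a machine whose protection state has since changed.
| summarize arg_max(TimeGenerated, *) by Computer
// Group computers by their (protection, threat) state; each combination
// corresponds to one of the dashboard categories (signature out of date,
// no real-time protection, active threat, remediated threat).
| summarize Computers = make_set(Computer), ComputerCount = dcount(Computer)
    by ProtectionStatus, ThreatStatus
| order by ComputerCount desc
```

Run this when the dashboard tile reports a count you want to turn into a host list: the arg_max step is what keeps a computer from appearing in two categories at once, and the make_set output is what you hand to the team that has to update signatures or install protection.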
This service is configured to be automatic, and it should always be running on the target computer. Monitoring identity and access. With users working from anywhere, using different devices and accessing multiple cloud-based and on-premises apps, protecting user credentials is imperative. In credential theft attacks, an attacker initially gains access to a user's credentials to access a system within a network. Many times this initial attack is only to access the network, with a final goal being to discover privileged accounts.
Attackers will stay on the network, using freely available tools to extract credentials from the sessions of other signed-in accounts. Depending on the system configuration, these credentials can be extracted in the form of hashes, tickets, or plain-text passwords. It is possible to identify such intruders before they compromise a privileged account. You can leverage the OMS Security and Audit solution to monitor identity and access. As part of your regular monitoring strategy, you must include identity monitoring.
You should check whether there is a specific valid user name that has many attempts. This might indicate either an attacker who acquired the real user name and tried to brute-force it, or an automated tool that uses hard-coded passwords that have expired. The Identity and Access dashboard enables you to quickly identify potential threats related to identity and access to the company's resources.
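The check described above, many failed attempts against one valid user name, can be expressed directly as a Log Analytics query over the SecurityEvent table that the agents populate. This is an added example, not code from the course or from the solution, written in the Kusto query language rather than the legacy OMS search syntax. It assumes SecurityEvent carries the standard Windows logon-failure fields (EventID, SubStatus, Account, IpAddress, Computer); the one-hour window and the threshold of 20 attempts are constructed values to tune for your environment.

```kusto
// Added example (not from the course): failed logons per account in the last hour,
// limited to accounts whose name resolved but whose password was wrong, which is
// the "valid user name with many attempts" pattern the dashboard surfaces.
// Assumed: SecurityEvent is fed by the Security and Audit agents; 1h and 20 are
// constructed starting points.
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4625                   // Windows: "An account failed to log on"
// NTSTATUS 0xC000006A = wrong password for an existing account;
// 0xC0000064 (unknown user name) is excluded because guessing
// non-existent names says nothing about a valid account being targeted.
| where SubStatus =~ "0xc000006a"
| summarize FailedAttempts  = count(),
            SourceAddresses = dcount(IpAddress),
            TargetComputers = dcount(Computer),
            FirstSeen       = min(TimeGenerated),
            LastSeen        = max(TimeGenerated)
    by Account
| where FailedAttempts >= 20
| order by FailedAttempts desc
```

The SourceAddresses and TargetComputers columns are what separate the two causes the text names: a single source hammering one account with a stale hard-coded password looks like one address and one computer, whereas credential guessing against a harvested user name tends to spread across addresses or targets. Saving the query as an alert rule turns the dashboard check into continuous identity monitoring.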