Using Azure Security Center and Log Analytics to Audit Use of NTLM

The purpose of this post is to show how you can collect and query security events of interest from Windows servers. To do this we will use:

  • Azure Security Center to collect events
  • Log Analytics Workspace to store events
  • Kusto query language to query stored events

As an example, we are going to collect 4624 (An account was successfully logged on) events from multiple machines. This event is generated on the destination machine when a logon session is created and can be used to audit for NTLM authentication. See the link below for more details:

How to audit use of NTLMv1 on a -based https://support.microsoft.com/en-ca/help/4090105

What is Kusto?

Kusto is a big-data engine for log and telemetry search and analytics, and powers Azure Log Analytics along with many other Microsoft products, such as Azure Application Insights, Azure Time Series Insights, Azure Security Center, and more. Use this link to learn more about the query language.

Why audit for NTLMv1?

The fact that the NTLMv1 response generation uses the relatively weak DES algorithm and a fixed-length 16-byte random number makes it highly susceptible to brute-force attacks. In comparison, the NTLMv2 response uses the stronger HMAC-MD5 algorithm and a challenge of variable length.

To put it into perspective, NTLMv2 was introduced in Windows NT 4.0 SP4

See links at the bottom of the page for more information.

Decisions, decisions!

Azure Security Center Tiering

For Azure Security Center to collect the data we need, you will need to configure Standard tiering. This can be done in one of three different ways:

  • At the subscription alone – choose this option if you want to store the events in the workspace created by Security Center, and not in an existing workspace
  • At the Log Analytics Workspace alone – choose this option if the subscription contains multiple VMs and you only want Security Center to manage a subset of them
  • Both; the recommended option
clipboard_image_0.png

Monitoring Agent Installation

Data collection from the source machines is done using the Microsoft Monitoring Agent (MMA), the installation of which can be done in several different ways:

  • You can enable Auto Provision on Security Center to automatically deploy the agent for your Azure VMs. This option ensures any new VMs are automatically onboarded
clipboard_image_1.png

Costs

  • Storing data in log analytics might incur additional charges for data storage.
  • Depending on the number of resources being monitored, enabling Standard tiering in Security Center can lead to additional costs.

Use the Pricing calculator (https://azure.microsoft.com/en-ca/pricing/calculator/) to configure and estimate costs.

Connect Azure VMs to Log Analytics Workspace

  1. Create a Log Analytics Workspace if you do not already have one.
clipboard_image_2.png
  1. In your list of Log Analytics workspaces, select the workspace created earlier.
  2. On the left-hand menu, under Workspace Data Sources, select Virtual machines.
  3. In the list of Virtual machines, select a virtual machine you want to install the agent on. Notice that the Log Analytics connection status for the indicates that it is Not connected.
clipboard_image_3.png
  1. In the details for your virtual machine, select Connect. The agent is automatically installed and configured for your Log Analytics workspace. This process takes a few minutes, during which time the Status shows Connecting.
  2. After you install and connect the agent, the Log Analytics connection status will be updated with This workspace.
clipboard_image_4.png

Connect Physical Servers to Log Analytics Workspace

The steps in https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows show how to install and configure the Microsoft Monitoring agent manually.

Configure Auditing on Servers

Use Group Policy Objects to enable subcategory-level auditing on the machines:

  • Computer Configuration Policies Windows Settings Security Settings Local Policies Security Options
    • Audit: Shut down system immediately if unable to log security audits – Disabled
    • Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings – Enabled
  • Computer Configuration Policies Windows Settings Security Settings Advanced Audit Configuration
PolicySetting
Domain Controllersnon-Domain Controllers
Account Logon
Audit Credential ValidationSuccess, FailureSuccess, Failure
Audit Authentication ServiceFailure 
Audit Service Ticket OperationsFailure 
Account Management
Audit Computer Account ManagementSuccess, FailureSuccess
Audit Other Account Management EventsSuccess, FailureSuccess, Failure
Audit Security Group ManagementSuccess, FailureSuccess, Failure
Audit User Account ManagementSuccess, FailureSuccess, Failure
Detailed Tracking
Audit Process CreationSuccessSuccess
DS Access
Audit Directory Service AccessSuccess, Failure 
Audit Directory Service ChangesSuccess, Failure 
Logon/Logoff
Audit Account LockoutSuccessSuccess
Audit LogoffSuccessSuccess
Audit LogonSuccess, FailureSuccess, Failure
Audit Special LogonSuccessSuccess
Policy Change
Audit Audit Policy ChangeSuccess, FailureSuccess, Failure
Audit Authentication Policy ChangeSuccessSuccess
Privilege Use
Audit Sensitive Privilege UseSuccess, FailureSuccess, Failure
System
Audit IPsec DriverSuccess, FailureSuccess, Failure
Audit Other System EventsSuccess, FailureSuccess, Failure
Audit Security State ChangeSuccess, FailureSuccess, Failure
Audit Security System ExtensionSuccess, FailureSuccess, Failure
Audit System IntegritySuccess, FailureSuccess, Failure

Note:

  • Ensure the event logs on your servers are sized correctly so that they are not rolled over too quickly by enabling additional audit logging.
  • Use the command AuditPol /get /category:* locally on a server to verify that the right audit policy is being applied.

Data collection in Azure Security Center

  1. Under the Security Center main menu, select Pricing & settings.
clipboard_image_5.png

As mentioned earlier, the recommended option is to enable Standard tiering for both the subscription and for the workspace. This ensures you receive recommendations on resources other than just virtual machines. The subsections below show both.

Workspace Configuration

  1. Select the desired Workspace in which you intend to connect the agent and select Standard pricing tier. Click Save.

You will be billed (Number of VMs) * $15 per month (or, more correctly, (Number of VMs) * $0.02 per hour. Only powered-on VMs are billed, and billing is hourly.

clipboard_image_6.png
  1. Select the appropriate data collection tier. Common provides a full user audit trail in this set.
clipboard_image_7.png

Note:

These security events sets are available only on Security Center's Standard tier.

To see a list of events collected see Data collection in Azure Security Center – https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection#data-collection-tier

clipboard_image_8.png

Subscription configuration

  1. Select the applicable Subscription and select Standard pricing tier.

Disable any resource types that you do not want to collect data for, and then click Save.

clipboard_image_9.png
  1. If you did not want to manually connect the VMs to the workspace, enable auto-provisioning on Security Center to automatically deploy the agent for your Azure VMs. This is done under the Data Collection node
clipboard_image_10.png

Verify Data Collection

  1. Click on the Log Analytics Workspace -> Logs
  2. In the query pane, expand Security, click on the icon to the right of SecurityEvent to show sample records from the table
  3. Click Run
clipboard_image_11.png
  1. This is a common way to take a glance at a table and understand its structure and content.

Log Query

Under the Log Analytics Workspace -> Logs, type the queries and click Run.

clipboard_image_12.png

Summarizing list of events

The following query:

  • returns all events logged over the past 7 days
  • with ID 4624 and by a user account
  • groups them by the Account,Computer, IpAddress and AuthenticationPackageName fields
  • and sorts them by decreasing order of the number of results in each group.

SecurityEvent

| where TimeGenerated > ago(7d)

| where EventID == 4624 and AccountType == “User”

| summarize count() by Account, Computer, IpAddress, AuthenticationPackageName

| sort by count_

clipboard_image_13.png

Selecting specific columns

The following query:

  • returns all events logged over the past 7 days
  • with ID 4624, by a user account and NTLM is used for authentication
  • specifies that the following columns be included in the result: EventID, TimeGenerated, Account, Computer, IpAddress, LogonType, AuthenticationPackageName, LmPackageName, LogonProcessName
  • and sorts them by decreasing order of TimeGenerated column, with null values placed at the end.

SecurityEvent

| where TimeGenerated > ago(7d)

| where EventID == 4624 and AccountType == “User” and AuthenticationPackageName == “NTLM”

| project EventID, TimeGenerated, Account, Computer, IpAddress, LogonType, AuthenticationPackageName, LmPackageName, LogonProcessName

| sort by TimeGenerated desc nulls last

clipboard_image_14.png

The columns in the query correspond to the XML data fields in the event as shown below.

clipboard_image_15.png

Remember, you can ignore the event for security protocol usage information when the event is logged for “ANONYMOUS LOGON”.

clipboard_image_16.png

Exporting query data

Log Analytics supports several exporting methods:

  • Excel: Save the results as a CSV file.
  • : Export the results to .
  • Share a link: The query itself can be shared as a link which can then be sent and executed by other users that have access to the same workspace.
clipboard_image_17.png

Saving queries

Once you have created a useful query, you might want to save it or share with others. The Save icon is on the top bar.

clipboard_image_18.png
clipboard_image_19.png

Loading saved queries

The Query Explorer icon is at the top-right area. This lists all saved queries by category. It also enables you to mark specific queries as Favorites to quickly find them in the future. Double-click a saved query to add it to the current window.

clipboard_image_20.png

There you have it – we configured Azure Security Center to collect events from windows servers, store them on a Log Analytics Workspace and used KQL  to query the saved logs for audit for NTLM authentication.

You can extend this to cover a wide range of auditable events. See https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l–events-to-monitor for one such list.

References

 

This article was originally published by Microsoft’s System Center Blog. You can find the original article here.