Deciding ‘Event Collection vs. Alert’ rule

Ever run through an event log scenario and had to decide whether ‘event collection vs. alert rule’ is the way to filter the needle out of the haystack? There are a few ways to do this with monitoring tools. If you are cloud centric, a KQL query will do it (assuming you are collecting the event logs). If you are using Operations Manager (SCOM), there are a few ways to consume the events. SCOM ACS is basically a database for collecting Security events, and it is typically a feature most SCOM customers leave unused. Kevin Holman has had many blog posts on ACS and on testing the filter, as well as a management pack (MP) fragment (blog here, GitHub fragment library here).

Let’s walk through the criteria for deciding ‘event collection vs. alert rule’:

  1. Do the event(s) happen often?  If so, how often?
  2. Can you filter on the event description to limit the number of events gathered?
  3. Do you need a match count or samples before action is required?  (i.e. count x events in y time)
  4. Is there a regulatory or compliance requirement to collect every event?
  5. Is this something you want to visualize with PowerBI?
  6. For better visualizations, would the EventID help view/sort the data in a tabular output (think PowerShell property), along with TimeRaised/TimeGenerated and the Event Description?
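Criteria 1 and 3 can be measured before you author anything. The script below is an added example, not code from the original post or from Holman’s fragments: it reads the Security log for the EventIDs used later in this post (4625 failed logon, 4740 lockout), reports how often each fires, and checks whether any fixed window ever reaches a “count x events in y minutes” threshold. The window and threshold values are assumptions to tune per environment.

```powershell
# Added example (not from the original post): size the haystack before picking
# a rule type. Criterion 1: how often do the candidate EventIDs fire?
# Criterion 3: would a "count x events in y minutes" alert rule ever trigger?
# Defaults use the post's EventIDs (4625 failed logon, 4740 lockout); the
# window and threshold values are assumptions to be tuned per environment.
param(
    [int[]]$EventId     = @(4625, 4740),
    [int]$LookbackHours = 24,
    [int]$WindowMinutes = 5,
    [int]$Threshold     = 10
)

$since = (Get-Date).AddHours(-$LookbackHours)
# Requires rights to read the Security log (Event Log Readers or local admin).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $EventId; StartTime = $since } -ErrorAction SilentlyContinue
if (-not $events) { Write-Host "No matching events in the last $LookbackHours hours."; return }

# Criterion 1: volume and rate per EventID.
$events | Group-Object Id | ForEach-Object {
    $sorted = @($_.Group | Sort-Object TimeCreated)
    [pscustomobject]@{
        EventID   = $_.Name
        Count     = $_.Count
        PerHour   = [math]::Round($_.Count / $LookbackHours, 2)
        FirstSeen = $sorted[0].TimeCreated
        LastSeen  = $sorted[-1].TimeCreated
    }
} | Format-Table -AutoSize

# Criterion 3: bucket each event into a fixed-size window and look for bursts.
$bursts = $events |
    Select-Object Id, @{ n = 'Window'; e = {
        $m = [math]::Floor($_.TimeCreated.TimeOfDay.TotalMinutes / $WindowMinutes) * $WindowMinutes
        $_.TimeCreated.Date.AddMinutes($m)
    } } |
    Group-Object Id, Window |
    Where-Object Count -ge $Threshold

if ($bursts) {
    Write-Host "Windows of $WindowMinutes min with >= $Threshold events (alert-rule candidates):"
    $bursts | Select-Object Name, Count | Format-Table -AutoSize
} else {
    Write-Host "No ${WindowMinutes}-minute window reached $Threshold events; a collection rule feeding PowerBI/SQL may be the better fit."
}
```

A steady trickle with no bursts points to a collection rule and reporting; repeatable bursts above the threshold are where a consolidated alert rule earns its keep.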

Example – DC Security events

When there is a regulatory requirement to collect events, we need to decide ‘event collection vs. alert rule’, and whether we can filter for specific pieces of the event.  Holman has examples of alert parameters and dynamic data, which are very useful for getting the needles out of the haystacks.  Depending on your goals, use event parameters, or leverage CustomFields in the alert to build the required fields.

Depending on the requirements, event collection is useful for collecting related EventIDs with regular expressions.   Use event alert rules WHEN action is required.  Regular expressions help filter what we collect (via event collection or alert rule).   By extension, utilize CustomFields in the alerts to help the presentation or the SQL query behind a PowerBI report.

Let’s talk about regular expression examples for rules (or monitors).

MatchesRegularExpression

<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">EventDescription</XPathQuery>
</ValueExpression>
<Operator>MatchesRegularExpression</Operator>
<Pattern>^(Security ID:.*admin*)|^(Security ID:.*[des]a*)$</Pattern>
</RegExExpression>
</Expression>

<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>MatchesMOM2005BooleanRegularExpression</Operator>
<Pattern>^(4625|4740)$</Pattern>
</RegExExpression>
</Expression>

Contains example

<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">EventDescription</XPathQuery>
</ValueExpression>
<Operator>ContainsSubstring</Operator>
<Pattern>Proactive DailyTasks ADDS Monitors close automation for</Pattern>
</RegExExpression>
</Expression>

<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">Params/Param[2]</XPathQuery>
</ValueExpression>
<Operator>ContainsSubstring</Operator>
<Pattern>dnsserver</Pattern>
</RegExExpression>
</Expression>

DoesNotContain example

<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">EventDescription</XPathQuery>
</ValueExpression>
<Operator>DoesNotContainSubstring</Operator>
<Pattern>None</Pattern>
</RegExExpression>
</Expression>
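Before a pattern goes into a rule, dry-run it against sample text. The script below is an added example, not code from the original post: it evaluates the MatchesRegularExpression, ContainsSubstring and DoesNotContainSubstring patterns shown above with .NET regular expressions (the same engine family SCOM uses) against constructed EventDescription and EventDisplayNumber samples. Look closely at the account pattern’s results: `n*` and `a*` allow zero repetitions, so it matches more Security ID lines than the words ‘admin’ and ‘sa’ suggest.

```powershell
# Added example (not from the original post): dry-run the post's rule patterns
# against constructed samples before authoring. [regex]::IsMatch is .NET
# regex, case-sensitive by default; String.Contains is an ordinal match.
$accountPattern = '^(Security ID:.*admin*)|^(Security ID:.*[des]a*)$'   # MatchesRegularExpression
$eventIdPattern = '^(4625|4740)$'                                        # EventDisplayNumber pattern
$mustContain    = 'Proactive DailyTasks ADDS Monitors close automation for'  # ContainsSubstring
$mustNotContain = 'None'                                                 # DoesNotContainSubstring

# Constructed samples standing in for EventDescription / EventDisplayNumber.
$samples = @(
    'Security ID: CONTOSO\svc-admin',
    'Security ID: CONTOSO\sa',
    'Security ID: CONTOSO\jdoe',
    'Security ID: CONTOSO\mkim',
    'Proactive DailyTasks ADDS Monitors close automation for DC01',
    'Logon Type: 3  Failure Reason: None',
    '4625', '4740', '4624'
)

function Test-RulePattern {
    param([Parameter(Mandatory)][string]$Text)
    [pscustomobject]@{
        Sample             = $Text
        AccountRegex       = [regex]::IsMatch($Text, $accountPattern)
        EventIdRegex       = [regex]::IsMatch($Text, $eventIdPattern)
        ContainsSubstring  = $Text.Contains($mustContain)
        DoesNotContainNone = -not $Text.Contains($mustNotContain)
    }
}

$samples | ForEach-Object { Test-RulePattern -Text $_ } | Format-Table -AutoSize
```

Swap in real EventDescription text copied from Event Viewer to confirm the filter keeps what you want collected and drops the noise.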

Holman MP Fragment example of specific EventID:

<Rule ID="Rule.StateChangeAlerts" Enabled="true" Target="SCOMMagementServer.Class" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventCollector">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>TestAPP</LogName>
<AllowProxying>false</AllowProxying>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">600</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">APP Test Log Monitoring</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="CollectToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent" />
<WriteAction ID="CollectToDW" TypeID="SCDW!Microsoft.SystemCenter.DataWarehouse.PublishEventData" />
</WriteActions>
</Rule>

Lastly, let’s talk about the use of CustomFields to add additional data to the alert, but NOT in the event description (Holman’s blog here).

For the tabular view of alert data (from PowerShell, as with a SQL query of the Alerts view), we might need to display data such as EventDisplayNumber, TimeRaised and Message (alternatives are Parameters or UnformattedDescription).  Additionally, check the alert output details from the SCOM MS in PowerShell via Get-SCOMAlert -Name "MonitorDisplayNameHere" | fl | more

Leverage Custom Fields to add:

EventID           $Data/EventDisplayNumber$
Event Category    $Data/EventCategory$

Happy Authoring!

Additional links

How to collect events – but not ALL the events?

https://learn.microsoft.com/en-us/answers/questions/69667/scom-event-collection-rule
