OMS Journey – Let's add a solution – Security and Compliance

One of the nice things about OMS is that it comes with a lot of prebuilt solutions.  By adding those solutions to your dashboard, OMS will automatically start collecting the necessary information to populate the solution.

The main solution I immediately get asked to implement for clients is the Security & Compliance solution. This solution allows you to:

  • Quickly identify issues such as missing security updates, outdated antimalware, vulnerable OS configurations, and unusual access or network activity
  • Use advanced security analytics and Microsoft threat intelligence to detect attacks in near real-time
  • Reduce investigation time with built-in threat intelligence and rapid search of security data
  • Use security data and insights to demonstrate compliance and easily generate evidence for auditors


Let’s see how easy it is to add this solution to the workspace. Navigate to your dashboard and click the Solutions Gallery button.


Select Security & Compliance (it's the bright orange icon).


You’ll see a description of the solution, which is made up of multiple other solutions, and examples of the dashboards. To add this solution to your workspace, click the Add button.


Go back to the main dashboard and you will see the two new items:


It says to let it run overnight, so I will let it run overnight.


Good morning!  I’m back!


So the next morning when I check my dashboard, I see this:


We will dive more into all this information in future posts. For now, I want to show one quick thing it immediately highlighted for me.

Click the Security and Audit dashboard in the main workspace to open up the solution.

Under Notable issues, it shows 158 failed logon attempts (this is my Azure machine that has a public IP address).


If I click that, it shows me that someone has tried to log into this machine using both ADMINISTRATOR and ADMIN as the account name.


If I click on ADMINISTRATOR, it shows me the detailed information for each failed logon.


I can see from this that an external IP address is trying to log into my VM that is exposed to the internet. Someone is trying to hack my server. This could be fun.
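The three views the dashboard walked through above (a total count of failed logons, the breakdown by target account, and the source addresses behind each account) can be reproduced from raw Windows Security event 4625 records, which is what OMS is counting as a failed logon. The script below is an added example and not code from the post or from OMS; the OMS search query behind the dashboard is not shown on the page. The event records are constructed to mimic the 4625 fields, the IP addresses come from the documentation ranges, and the `threshold` in `noisy_sources` is an assumed tuning value.

```python
"""Summarise failed logon events the way the OMS Security and Audit dashboard does.

Added example, not code from the original post or from OMS. The records below are
constructed (not real telemetry) and mirror the properties of Windows Security event
4625, "An account failed to log on". LogonType 10 = RemoteInteractive (RDP),
3 = Network, 2 = Interactive.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

FAILED_LOGON = 4625  # successful logons are 4624 and must be excluded

# Constructed sample events. Source addresses use RFC 5737 documentation ranges
# (198.51.100.0/24, 203.0.113.0/24) to stand in for internet-facing attackers.
SAMPLE_EVENTS = [
    {"EventID": 4625, "Account": "ADMINISTRATOR", "IpAddress": "203.0.113.45", "LogonType": 10},
    {"EventID": 4625, "Account": "ADMINISTRATOR", "IpAddress": "203.0.113.45", "LogonType": 10},
    {"EventID": 4625, "Account": "ADMIN",         "IpAddress": "203.0.113.45", "LogonType": 10},
    {"EventID": 4625, "Account": "Administrator", "IpAddress": "198.51.100.7", "LogonType": 3},
    {"EventID": 4624, "Account": "svc-backup",    "IpAddress": "10.0.0.5",     "LogonType": 10},
    {"EventID": 4625, "Account": "ADMIN",         "IpAddress": "198.51.100.7", "LogonType": 3},
    {"EventID": 4625, "Account": "jsmith",        "IpAddress": "10.0.0.5",     "LogonType": 2},
]

# RFC 1918 plus loopback and link-local. Checked explicitly rather than through
# ipaddress.is_private, because that also flags the documentation ranges used above.
INTERNAL_RANGES = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def is_external(ip):
    """True for an address outside the internal ranges; False for internal addresses
    and for the '-' Windows writes when no network address was recorded."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_RANGES)


def summarise(events):
    """Total failures, failures per target account, and source addresses per account."""
    failures = [e for e in events if e.get("EventID") == FAILED_LOGON]
    # Windows account names are case-insensitive, so Administrator and ADMINISTRATOR are one account.
    by_account = Counter(e["Account"].upper() for e in failures)
    by_source = defaultdict(Counter)
    for e in failures:
        by_source[e["Account"].upper()][e["IpAddress"]] += 1
    external = sorted({e["IpAddress"] for e in failures if is_external(e["IpAddress"])}, key=ip_address)
    return {
        "total": len(failures),
        "by_account": by_account,
        "by_source": {acct: dict(c) for acct, c in by_source.items()},
        "external_sources": external,
    }


def noisy_sources(events, threshold=2):
    """External addresses with at least `threshold` failures across all accounts.
    The threshold is an assumed value; tune it to the host's normal traffic."""
    per_ip = Counter(e["IpAddress"] for e in events if e.get("EventID") == FAILED_LOGON)
    return {ip: n for ip, n in per_ip.items() if n >= threshold and is_external(ip)}


if __name__ == "__main__":
    s = summarise(SAMPLE_EVENTS)
    print(f"{s['total']} failed logon attempts")
    for acct, n in s["by_account"].most_common():
        print(f"  {acct}: {n} from {s['by_source'][acct]}")
    print("external sources:", s["external_sources"])
    print("noisy external sources:", noisy_sources(SAMPLE_EVENTS))
```

Run as-is it prints the same shape of summary the dashboard showed: the account-level counts, which source addresses hit each account, and which external addresses are repeatedly failing, which is the signal that justified a closer look at the VM's public exposure.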
