Security Monitoring: Audit Policy Monitoring for a SCOM Environment

One of the new features that will be added to the next release of Security Monitoring is a new Audit Policy Monitor Type. I don’t know if this is something that will beneficial to the average IT administrator, but I did make this a public monitor type so that people who do their own MP Authoring will have access to this type to create monitors for their own audit settings if they so choose. The Security Monitoring MP will use this to set a monitor state for audit settings that it requires in order to properly monitor your environment. My goal for this is to move you away from needing the specific GPO that I’ve written to capture it. This was done for a couple reasons. The first being that the generic GPO has more auditing turned on that what was needed. It was simply a best guess as to what this MP currently tracks and could potentially track down the road. The second means that it now shows you exactly what setting needs to be set.

The architecture is relatively simple. It is a PowerShell script that uses auditpol.exe to get the audit results of the server being targeted. Auditpol’s documentation can be found here. The script is relatively straight forward, taking the desired audit subcommand and parsing out the current setting (Success, Failure, Success and Failure, and No Auditing). It returns that value in a property bag that is used by the Monitor Type. On top of typical values used by the monitor type (Interval and Sync) the type adds the following input: Result. The Result input will allow you to write a monitor using this monitor type comparing the result from the property bag to what you want it to be. Here is some sample code from a monitor that uses this monitor type:

<UnitMonitor ID=”Security.Monitoring.SecurityAudit.ProcessCreationDC” Accessibility=”Public” Enabled=”true” Target=”Windows!Microsoft.Windows.Server.DC.Computer” ParentMonitorID=”Health!System.Health.ConfigurationState” Remotable=”true” Priority=”Normal” TypeID=”ALIAS!Security.Monitoring.AuditPolMonitorType” ConfirmDelivery=”false”>
          <OperationalState ID=”ResultBad” MonitorTypeStateID=”ResultBad” HealthState=”Warning” />
          <OperationalState ID=”ResultGood” MonitorTypeStateID=”ResultGood” HealthState=”Success” />

          <SubCommandAuditSetting>Process Creation</SubCommandAuditSetting>
          <Result>Success and Failure</Result>


The items in blue are the ones that relate to this monitor type. The items in red are items that Auditpol.exe will need to get the correct results. In the case of this sample the Process Creation setting (which generates 4688 events) needs to have a “Success and Failure” setting. I didn’t put a ton of logic into this, so to be fair, you’ll need to match the exact value (meaning that a value of Success only would in this case generate a state change).

As with any custom MP authoring, it goes without saying that you would need to know the Alias of the Security Monitoring MP in order to properly fill in the type ID.