Category Archives: Security & Compliance

OMS and System Center: What's New in September 2017

September was also full of news, with a number of updates affecting Operations Management Suite (OMS) and System Center, helped along by Ignite 2017, Microsoft's annual conference, held this week in Orlando. This article provides a summary, with useful references for further study.

Operations Management Suite (OMS)

  • Customers who use the OMS Security & Compliance solution are given the option to use the features of Azure Security Center for unified management of the security and protection of their systems, at no additional cost. This is particularly useful for managing workloads across hybrid environments, regardless of where they reside: on Azure, on-premises, or on other public clouds. Azure Security Center automatically handles the security of the systems that are already connected to the OMS Security & Compliance solution, and you can add additional machines simply by installing the Microsoft Monitoring Agent. For details of the features offered, I invite you to consult the publication OMS customers can now use Azure Security Center to protect their hybrid cloud workloads. Note that to enable just in time VM access, dynamic application controls and network threat detection of Azure resources, you must select the Security Center Standard pricing tier for the Subscription or the Resource Group.

Figure 1 – List of features for the protection of hybrid environments

  • The Azure portal now includes two features related to Operations Management Suite (OMS): Workspace Settings and View Designer. From the Azure portal you can access the settings of the OMS workspace, as shown in the following figure:

    Figure 2 – Workspace settings accessible from the Azure portal

Also, the View Designer, which allows you to create custom views, is now accessible directly from the Log Analytics section of the Azure portal:

Figure 3 – View Designer available directly from the Azure portal

  • As already announced in a dedicated article, the Log Analytics update introduced a powerful new query language. This useful article highlights the main changes introduced by the new language.
  • Another interesting new feature is the ability to run queries not only on a single OMS workspace but across multiple workspaces. To learn more, see Query across resources.
  • The article Monitoring SQL Azure Data Sync using OMS Log Analytics describes the configuration required to monitor SQL Azure Data Sync using a custom OMS solution. Azure SQL Data Sync allows you to synchronize data, bidirectionally or unidirectionally, between different Azure SQL databases and/or on-premises SQL databases. With this procedure, OMS makes it simple to detect error or warning conditions in the synchronization process.
  • To help you track Big Data applications that involve different technologies, the ability to monitor HDInsight clusters with Azure Log Analytics was announced in preview. This video details how HDInsight customers can monitor and debug Hadoop, Spark, HBase, Kafka, Interactive Query and Storm clusters.


  • OMS has a new solution, Virtual Machine Manager (VMM) Analytics, which centralizes in Log Analytics the jobs of one or more Virtual Machine Manager instances to give an overall view of the health and performance of the virtualization infrastructure managed by System Center Virtual Machine Manager.

Figure 4 – Overview of VMM Analytics solution


  • A new version of the OMS agent for Linux systems has been released; it mainly fixes some bugs and introduces updated versions of some of the main components. For more details and to get the updated version, refer to the official GitHub page OMS Agent for Linux GA v 1.4.1-45

Figure 5 – Bug fixes and what's new for the OMS agent for Linux


System Center

System Center Configuration Manager

  • Cumulative Update 6 for the UNIX and Linux clients of Configuration Manager has been released. It is a new version of the client that fixes several bugs and adds support for new Linux distributions. This release also removes support for obsolete Unix and Linux distributions that have been discontinued by their vendors. Customers using the SCCM client on these versions can continue to use the client updated to Cumulative Update 5. The release announcement and further details can be found in this article.
  • During Ignite 2017 an interesting feature called co-management was announced, which concerns managing devices with both System Center Configuration Manager and Microsoft Intune. With Windows 10 Fall Creators Update, a device can be joined both to the on-premises Active Directory (AD) domain and to Azure AD in the cloud. This expands the possibilities for managing devices using the Configuration Manager client and the Intune MDM agent. To explore this topic further, look in the video section of the Ignite site for the sessions with the following reference codes: BRK3057, BRK3075, BRK3076 and BRK2079.

Figure 7 – Co-management of devices with SCCM and Intune


System Center Updates Publisher

From this page you can choose the method you find most suitable to test and evaluate Operations Management Suite (OMS) for free.

OMS and System Center: What's New in August 2017

This article summarizes the main new features and updates concerning Operations Management Suite (OMS) and System Center that were announced during the month of August.

Operations Management Suite (OMS)

Log Analytics

  • Log Analytics received what may be called its most significant upgrade since its release. Among the main changes introduced by this update are a powerful new query language, the new Advanced Analytics portal and greater integration with Power BI. For more details, I invite you to consult the specific article Log Analytics: a major update evolves the solution.

Figure 1 – Upgrade of Log Analytics


  • The OMS agent for Linux systems is constantly evolving, and a new version has been released that fixes some bugs and improves error handling during agent onboarding for easier troubleshooting: OMS Agent for Linux GA v 1.4.0-45

Figure 2 – Bug fixes and what's new for the OMS agent for Linux


  • The OMS solution Network Performance Monitor has been improved and enhanced with the following new features:
    • Agent diagnostics: the solution now provides a dedicated view for monitoring the health status of the various agents deployed on the network and, in case of problems, NPM reports diagnostic information useful for troubleshooting.
    • Hop-by-hop latency breakdown: the network topology map has been enriched with details of the timings measured between two specific points.
    • Availability on the Azure Portal: as well as continuing to be available from OMS, the solution can be added from the Azure Marketplace and used directly from the Azure Portal.
    • Presence in an additional Azure region: the solution is now also available in the Azure West Central US region.

For more details see the announcement Improvements to OMS Network Performance Monitor.

  • Container technology is becoming more widespread, and monitoring Docker containers is becoming an essential component. For this reason the OMS team announced the availability of the new Container Monitoring solution, which allows you to:
    • Display information for all container hosts in a single location.
    • Learn which containers are running, where they are, and with which image.
    • See audit information concerning actions taken on containers.
    • View and search logs for troubleshooting without needing access to the Docker hosts.
    • Locate the containers that are consuming an excessive amount of resources on the host.
    • Display centralized performance information about containers: CPU, memory, storage and network usage.

Figure 3 – Summary of the Container Monitoring solution

Full details on the Container Monitoring solution can be found in the document Container Monitoring solution in Log Analytics.

  • A new solution for monitoring Azure Logic Apps has been released in preview. The solution displays various information about the status of logic apps and lets you drill down to see details useful for troubleshooting. All aspects of this solution are covered in Microsoft's official documentation.

Security and Audit

  • The OMS Security baseline assessment has been enhanced with the Web security baseline assessment functionality, announced in public preview, which scans web servers running Internet Information Services (IIS) to check for security vulnerabilities and provides useful recommendations on correct environment setup. The document Baseline Assessment in Operations Management Suite Web Security and Audit Solution provides additional information.

Figure 4 – Assessment dashboard of Web security baseline


System Center

System Center Configuration Manager

  • Last month version 1706 of the System Center Configuration Manager Current Branch (CB) was released, as described in the article OMS and System Center: What's New in July 2017. On August 8 an update package was released to correct some errors encountered during the first deployments, but this package introduced problems, so on August 11 it was replaced with a new version. Those who updated SCCM to version 1706 between August 8 and August 11 need to install an additional update, as documented in the Microsoft knowledge base article Update for System Center Configuration Manager version 1706, first wave. This update can be installed from the "Updates and Servicing" node of the SCCM console. A further update will be released in the coming week for those who updated SCCM to version 1706 prior to August 8.
  • Version 1708 has been released for the Technical Preview branch of System Center Configuration Manager: Update 1708 for Configuration Manager Technical Preview Branch – Available Now!. I remind you that Technical Preview Branch releases let you evaluate new SCCM functionality in preview, and it is recommended to apply these updates only in test environments.

System Center Operations Manager

The following is the news about the SCOM 2016 Management Packs:

  • Advanced Threat Analytics 1.7 Management Pack version
  • Service Map Management Pack in public preview: with this new MP you can integrate the maps created dynamically by the OMS Service Map solution with the Distributed Application diagrams in Operations Manager, so that the latter are dynamically generated and maintained.

For more information I invite you to consult related documentation available online.

Figure 5 – Integration of the OMS Service Map and the SCOM Distributed App

  • A hotfix is available to solve some problems related to the WMI health monitor.

How to connect third-party security solutions to OMS

Among the various features of Operations Management Suite (OMS) is the ability to collect events generated in the standard Common Event Format (CEF) and events generated by Cisco ASA devices. Many vendors of security solutions generate events and log files that follow the syntax defined in the CEF standard for interoperability with other solutions. By configuring these products to send data in this format to OMS and adopting the OMS Security and Audit solution, you can correlate the different information collected, leverage the powerful OMS search engine to monitor your infrastructure, retrieve audit information, detect problems and use Threat Intelligence.

This article walks through the steps needed to integrate the logs generated by Cisco Adaptive Security Appliance (ASA) into OMS. Before you can configure this integration you must have a Linux machine with the OMS agent installed (version 1.2.0-25 or later) and configure it to forward the logs it receives to the OMS workspace. For installing and onboarding the Linux agent, I refer you to the official Microsoft documentation: Steps to install the OMS Agent for Linux.

Figure 1 – Architecture for collecting logs from Cisco ASA in OMS

The Cisco ASA appliance must be configured to forward events to the Linux machine designated as collector. To do this you can use Cisco ASA device management tools such as Cisco Adaptive Security Device Manager:

Figure 2 – Cisco ASA Syslog Server configuration example

The syslog daemon running on the Linux machine must send events to local UDP port 25226. The OMS agent listens on this port for all incoming events.

For this configuration you must create the file security-config-omsagent.conf according to the following specifications, depending on the type of syslog daemon running on the Linux machine. For example, a sample configuration that sends all events with facility local4 to the OMS agent is as follows:

  • With the rsyslog daemon, the file must be present in the directory /etc/rsyslog.d/ with the following content:
#OMS_facility = local4

local4.* @127.0.0.1:25226
  • With the syslog-ng daemon, the file must be present in the directory /etc/syslog-ng/ with the following content:
#OMS_facility = local4

filter f_local4_oms { facility(local4); };

destination security_oms { tcp("127.0.0.1" port(25226)); };

log { source(src); filter(f_local4_oms); destination(security_oms); };

The next step is to create the Fluentd configuration file named security_events.conf, which collects and parses the events received by the OMS agent. The file can be downloaded from the GitHub repository and must be copied into the directory /etc/opt/microsoft/omsagent/<workspace id>/conf/omsagent.d/.

Figure 3 – Fluentd configuration file for the OMS agent

At this point, to apply the changes, you must restart the syslog daemon and the OMS agent with the following commands:

  • Restart the syslog daemon:
sudo service rsyslog restart
or
sudo /etc/init.d/syslog-ng restart
  • Restart the OMS agent:
sudo /opt/microsoft/omsagent/bin/service_control restart

Once these steps are complete, check the OMS agent log for errors using the command:

tail /var/opt/microsoft/omsagent/<workspace id>/logs/omsagent.log

After finishing the configuration, from the OMS portal you can enter the query Type = CommonSecurityLog in Log Search to analyze the data collected from the Cisco ASA:

Figure 4 – Query to see Cisco ASA events collected in OMS
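
Before relying on the collector path, it helps to confirm that a device's events are well-formed CEF and carry the facility that the forwarding rule selects. The following Python sketch is an added example, not part of the original article or of the OMS agent; the sample line, the host name asa-lab and all function names are constructed for illustration, and send_udp assumes a syslog daemon that accepts UDP input on the given host and port.

```python
import re
import socket

LOCAL4 = 20  # syslog facility code of local4, the facility the forwarding rule selects
HEADER = ("version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity")
_KEY = re.compile(r"(?<!\S)([A-Za-z0-9_.]+)=")  # extension key: starts a token, ends at '='
_ESC = re.compile(r"\\(.)")

# Constructed sample: a CEF event as a syslog daemon would receive it (not real device output).
SAMPLE = (r"<165>Sep 27 10:15:00 asa-lab CEF:0|Constructed|TestFirewall|1.0|106023|"
          r"Deny tcp \| outside|5|src=192.0.2.10 dst=198.51.100.7 dpt=443 "
          r"msg=Deny by acl\=outside_in rule 4")


def syslog_pri(facility, severity):
    """PRI value that prefixes a syslog message: facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def facility_of(line):
    """Facility encoded in the leading <PRI>, or None when the line has no PRI."""
    m = re.match(r"<(\d{1,3})>", line)
    return int(m.group(1)) // 8 if m else None


def _split_header(body):
    """Split the 7 header fields on unescaped '|'; whatever follows is the extension."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            cur.append(body[i + 1])      # escaped pipe or backslash stays in the field
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) == 6:                 # header ended without a trailing pipe
        fields.append("".join(cur))
    if len(fields) != 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    return fields, body[i:]


def parse_extension(ext):
    """key=value pairs; a value runs until the next ' key=' and may contain spaces."""
    matches = list(_KEY.finditer(ext))
    out = {}
    for cur, nxt in zip(matches, matches[1:] + [None]):
        raw = ext[cur.end():nxt.start() if nxt else len(ext)].strip()
        out[cur.group(1)] = _ESC.sub(
            lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), raw)
    return out


def parse_cef(line):
    """Return the CEF header fields plus an 'extension' dict; ValueError if malformed."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    fields, ext = _split_header(line[start + 4:])
    event = dict(zip(HEADER, fields))
    event["extension"] = parse_extension(ext)
    return event


def send_udp(message, host="127.0.0.1", port=514):
    """Send one datagram to a syslog daemon; host and port here are assumptions."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode("utf-8"), (host, port))


if __name__ == "__main__":
    print("facility is local4:", facility_of(SAMPLE) == LOCAL4)
    print(parse_cef(SAMPLE))
```

A line whose facility is not local4 will never match the local4.* selector shown earlier, and a line that fails parse_cef is worth fixing on the device side before troubleshooting the agent.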

Log collection is enriched by the Threat Intelligence present in the Security & Compliance solution. Thanks to near-real-time correlation of the data collected in the OMS repository with information from leading Threat Intelligence vendors and with the data provided by the Microsoft security centers, it allows you to identify the nature and results of any attacks involving your systems, including network equipment.

When you access the Security And Audit solution from OMS, the Threat Intelligence section appears:

Figure 5 – Information of Threat Intelligence

By selecting the Detected threat types tile you can see details about intrusion attempts, which in the following case involve the Cisco ASA:

Figure 5 – Detected threat on Cisco ASA

This article covered the configuration details for Cisco ASA, but similar configurations can be made for all solutions that support generating events in the standard Common Event Format (CEF). To configure the integration of Check Point Security Gateway with OMS, I refer you to the document Configuring your Check Point Security Gateways to send logs to Microsoft OMS.


Operations Management Suite lets you consolidate and correlate events from different products that provide security solutions, giving you a complete overview of your infrastructure and letting you respond quickly and accurately to any security incident.

OMS Log Analytics: the Update Management solution for Linux systems

Using the Update Management solution of Operations Management Suite (OMS) you can centrally manage and control the update status of systems in heterogeneous environments, for both Windows and Linux machines, regardless of their location, on-premises or in the cloud. This article explores the aspects of the solution that concern Linux systems.

The Update Management solution allows you to quickly assess the status of available updates on all servers with the OMS agent installed, and can start the process of installing the missing updates. Linux systems configured to use this solution require, in addition to the OMS agent, PowerShell Desired State Configuration (DSC) for Linux and the Automation Hybrid Runbook Worker (installed automatically).

The solution currently supports the following Linux distributions:

  • CentOS 6 (x86/x64) and CentOS 7 (x64).
  • Red Hat Enterprise 6 (x86/x64) and Red Hat Enterprise 7 (x64).
  • SUSE Linux Enterprise Server 11 (x86/x64) and SUSE Linux Enterprise Server 12 (x64).
  • Ubuntu 12.04 LTS and later (x86/x64).

In addition, to work correctly the Linux system needs access to an update repository. Note that at the moment OMS offers no way to select which updates to apply; all the updates available from the update repository configured on the machine are offered. To have more control over the updates to apply, you may consider using a custom update repository that contains only the updates you want to approve.

The following diagram shows the flow of operations carried out by the solution to report compliance status to the OMS workspace and to apply the missing updates:

Figure 1 – Flow of operations performed on Linux systems

  1. The OMS agent for Linux scans every 3 hours to detect missing updates and reports the outcome of the scan to the OMS workspace.

Figure 2 – OMS Dashboard Update Management solution

  2. Using the OMS dashboard, the operator can review the update assessments and define the schedule for deploying updates:

Figure 3 – Management of Update Deployment

Figure 4 – OMS Dashboard Update Management solution

When creating an Update Deployment you define a name, the list of systems to involve (which can be provided explicitly or by using a Log Analytics query), and the schedule.

  3. The Hybrid Runbook Worker component running on Linux systems checks for maintenance windows and for the availability of any deployments to apply. Note that when the Update Management solution is enabled, every Linux system connected to the OMS workspace is automatically configured as a Hybrid Runbook Worker to run the runbooks created to deploy updates. In addition, every system managed by the solution forms a Hybrid Runbook Worker Group within the OMS Automation Account, following the naming convention Hostname_GUID:

Figure 5 – Hybrid Worker Groups

  4. If a machine has an Update Deployment (as a direct member or because it belongs to a specific group of computers), the package manager (Yum, Apt, Zypper) is started on it to install updates. The installation of updates is driven by OMS through specific runbooks in Azure Automation. These runbooks are not visible in Azure Automation and require no configuration by the administrator.

Figure 6 – Azure Automation Account used by the solution of Update Management

  5. After installation, the OMS agent for Linux reports the status of the Update Deployment and of compliance to the OMS workspace.


Microsoft Operations Management Suite is a tool that lets you manage and monitor heterogeneous environments. Even today, unfortunately, you still run into debate about the real need to keep Linux systems regularly updated, but considering some recent security incidents caused by outdated systems, it is evident that it is good to have a solution that allows you to manage updates for Linux machines. The Update Management solution of OMS is constantly evolving, but already today it lets you control and manage the distribution of updates on Linux systems too, in a simple and efficient way.

For more details, I invite you to consult Microsoft's official documentation Solution for Update Management of OMS.

To further explore this and other features you can activate OMS for free.


OMS Security: presentation of the Antimalware Assessment solution

Microsoft Operations Management Suite (OMS) offers an interesting solution named Antimalware Assessment with which you can monitor the status of anti-malware protection on the entire infrastructure and easily detect potential threats.

To use the Antimalware Assessment solution you must subscribe to the OMS "Security & Compliance" offer. The solution can be installed by following the procedure described at the beginning of the article OMS Security: Threat Intelligence, or by going directly to the Azure Marketplace. Once activated in OMS, the solution requires no further configuration and is ready to be used.

Through an easy-to-navigate dashboard, the solution shows in real time the systems without active antimalware protection, and it can report antimalware status in OMS for the following products:

  • Windows Defender on Windows 8, Windows 8.1, Windows 10 and Windows Server 2016.
  • Windows Security Center (WSC) on Windows 8, Windows 8.1, Windows 10, Windows Server 2016.
  • System Center Endpoint Protection (version 4.5.216 or later).
  • Antimalware extension and Windows Malicious Software Removal Tool (MSRT) activated on the VMs in Azure.
  • Symantec Endpoint 12.x and 14.x.
  • Trend Micro Deep 9.6.

At the moment it detects installations of only some third-party vendor solutions, such as Symantec and Trend Micro, but this list is probably set to grow.

On systems monitored by OMS, a security assessment is made by checking the status of the antimalware product, whether scans are performed on a regular basis, and whether the signatures in use are no more than seven days old.

The home page of the OMS portal has the Antimalware Assessment tile, which reports a summary of the state of antimalware protection across the infrastructure:

Figure 1 – Antimalware Assessment tile

Selecting this tile leads to the Antimalware Assessment solution dashboard, which categorizes the collected information and reports it in 4 different tiles:

  • Threat Status
  • Detected Threats
  • Protection Status
  • Type of Protection

Figure 2 – Antimalware Assessment dashboard

The first two tiles focus on detected infections, showing the type of malware intercepted and the infected systems, and highlighting situations where the antimalware was not able to clean the system of the infection.

Selecting the infected machine or the name of the malware takes you to the Log Search page, where you can see the details of the threat detected:

Figure 3 – Details of the threat detected

Selecting the View link next to the name of the threat takes you to the Microsoft malicious software encyclopedia:

Figure 4 – Search within the Microsoft malware encyclopedia

By selecting the name of the malware you can consult the card with all the details about the infection:

Figure 5 – Card with malware information

The remaining tiles show useful information on the state of infrastructure security:

  • Which machines are not protected and why (agent disabled, signatures not updated, or no scan performed recently), so you can take corrective action.
  • The list of antimalware solutions detected on the machines.

From these tiles you can easily drill down to see the list of affected machines, such as the list of machines without real-time protection enabled:

Figure 6 – Machines with no real time protection


Being able to count on a tool that quickly identifies systems with insufficient antimalware protection or machines compromised by malware is crucial to mitigate attempts to compromise corporate data and to avoid major security incidents. In addition to these features, Microsoft Operations Management Suite (OMS) includes other important solutions in this area, making it a great tool to ensure the security and compliance of your infrastructure. To further explore this and other features you can try OMS for free.

OMS Security: Threat Intelligence

Among the various features offered by Operations Management Suite (OMS) is the possibility to activate the solution called Security & Compliance, which identifies, evaluates and mitigates potential security risks on your systems. The solution can be turned on easily in just a few steps:

  1. Log into the OMS portal and select the "Solutions Gallery" tile

Figure 1 – Step 1: activating solution Security & Compliance

  2. Among the various solutions offered, you can add "Security & Compliance", which currently includes the "Antimalware Assessment" and "Security and Audit" solutions

Figure 2 – Step 2: activating solution Security & Compliance

  3. Select the OMS workspace and press the Create button; the solution is added and made available for use

Figure 3 – Step 3: activating solution Security & Compliance

Following activation of the solution, OMS connects to the systems with the agent installed to perform a security assessment, which may initially require up to several hours, and then returns the processed data in the portal. The solution can examine both Windows and Linux machines and helps protect the infrastructure, whether on-premises or in the cloud. This article delves into how the Threat Intelligence mechanism works.

Figure 4 – Threat Intelligence architecture

Threat Intelligence plays a vital role in the security scope of the OMS solution, thanks to near-real-time correlation of the data collected in the OMS repository with information from leading Threat Intelligence vendors and with the data provided by the Microsoft security centers. Let us not forget that Microsoft is constantly working to protect its cloud services and therefore has unique and broad visibility into the threats that can potentially affect our systems. By providing this functionality, Microsoft lets its customers easily benefit from its knowledge to protect resources, detect attacks and respond to them quickly, without having to resort to complex integration scenarios.

Threat Intelligence provides the following information, which enables security teams to take the necessary actions and to understand the possible level of compromise of their systems:

  • Detects the nature of the attack
  • Determines the intent of the attack, useful to understand whether it is an attack targeted at your organization to acquire specific information or a random, massive attack
  • Identifies where the attack comes from
  • Intercepts any compromised systems and reports the servers generating outbound traffic considered malicious
  • Reports which files may have been accessed

To access the Threat Intelligence information, select the "Security and Audit" tile on the main dashboard of the OMS portal:

Figure 5 – Tile Security and Audit

On the "Security and Audit" dashboard is the Threat Intelligence section, shown below:

Figure 6 – Information of Threat Intelligence

The tile Server with outbound malicious traffic reports monitored server systems that are generating malicious traffic to the Internet. If systems are reported in this tile, you should undertake remediation immediately.

The tile Detected threat types shows a summary of the threats detected recently:

Figure 7 – Tile Detected threat types

By selecting the tile you can also obtain more details:

Figure 8 – Details about the threat detected

Threat Intelligence also provides a map display of the attacks, which lets you quickly identify from which part of the globe they are made. Orange arrows indicate incoming malicious traffic, while red arrows indicate malicious traffic outbound to a certain location. By selecting a specific arrow you get more details about the source of the attack:

Figure 9 – Threat Intelligence map


Detecting potential attacks and responding quickly and effectively to security incidents that occur in your environment is crucial. By activating the "Security & Compliance" solution of Microsoft Operations Management Suite (OMS) you can use Threat Intelligence to make your security strategies more effective, and have a powerful tool that can minimize the number of potential security incidents. For those interested in exploring this and other OMS features further, remember that you can try OMS for free.