A colleague of mine asked if he could use Azure Sentinel / Log Analytics to audit the usage of a Windows File server, hence this blog post saw the light of day.
In migration projects, you might need to see who is actually using the file server before you start migrating data or deleting data that you might not even need anymore. Therefore, you might need to audit who is using it over the course of 14 days to verify that you don't delete or migrate data that is actively being used.
Within Windows, you don't have a lot of built-in mechanisms to audit file access to a file server and share. You have the option of using the MMC window, but it only provides a real-time view of usage and does not provide historical context.
However, you have the option of using the audit mechanics in Windows to generate Security Audit Logs, which you then collect into Log Analytics with or without Sentinel. If you already have Sentinel in place on the machine and it is already being used to collect Security logs, then you do not need to do step 2.
This is simple to do, in three steps we need to do the following.
1: Set up file audit on the file server – This is typically done using local group policy settings on the machine(s), since we only want this to apply to the file servers we want to audit.
This means that for all access to the file share, there will be several audit logs that will be generated in the security event log of that machine.
2: Set up a DCR (Data Collection Rule) in Azure Monitor for the machine. If the machine is running in Azure, the DCR will automatically install the Azure Monitor agent; however, if the file server is on-prem or running elsewhere, you will need to install the Azure Arc agent on the machine first and then install the Azure Monitor agent.
– Setup Azure Arc agent – Connect hybrid machines to Azure using a deployment script – Azure Arc | Microsoft Learn
– Once the Azure Arc agent is installed on the VM, you can configure the Azure Monitor agent as an extension on the machine using the Azure Portal, as seen in the screenshot below.
Once the Azure Monitor agent is installed go into Azure Monitor | Data Collection Rules | Create | And define a Windows based DCR collection as seen in the screenshot below.
NOTE: The region chosen for the DCR has nothing to do with where the logs are stored; it is only where the rule resource itself will be placed.
Then click Resources | Add Resources and add the Azure Arc VM. Once you have added the file server(s), click Collect and Deliver | Add data source and define the Security audit logs as seen in the following screenshot.
Then in the Destination pane define a Log Analytics workspace where you want the logs to be stored. In a couple of minutes, once the agent downloads the DCR configuration it will start to upload File Share and Detailed File Share audit logs to the Log Analytics Workspace that we have configured.
3: Define Kusto queries to get the overview we want
Since Windows Event logs are stored as XML, we need to parse the XML content to get the information we want in a semi-structured way.
The following Kusto query goes through all the events collected in the Event table and creates separate columns for UPN, share and file name:
Event
| where TimeGenerated > ago(7d)
| extend NewField = parse_xml(EventData)
| extend EventFields = parse_json(tostring(parse_json(tostring(parse_json(tostring(NewField.DataItem)).EventData)).Data))
| extend UPN = tostring(EventFields[2].["#text"])
| extend file = tostring(EventFields[9].["#text"])
| extend share = tostring(EventFields[7].["#text"])
| where share == "\\\\*\\D"
Then we can use filtering mechanisms to see, for instance, which users have accessed the share:
| summarize count() by UPN, share
And we then get views like this.
This gives us a view of which users have accessed the file share over, for instance, the last 30 days. We can also check the most frequently accessed files:
| summarize count() by file, UPN | sort by count_ desc
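The same parse-and-summarize logic, as an added example that is not part of the original post, written in Python so it can be run offline against constructed events. It assumes the EventData layout of the Detailed File Share audit event (event ID 5145) and looks fields up by their Name attribute rather than by position, which is the check worth doing before trusting the array indices in the Kusto query.

```python
"""Parse Windows file-share audit EventData XML and summarise access
per user/share and per file/user, mirroring the two Kusto summaries."""
import xml.etree.ElementTree as ET
from collections import Counter

# Field order of the 5145 (Detailed File Share) event as documented by
# Microsoft; assumption: the agent ships this same XML into the Event table.
FIELD_ORDER = ["SubjectUserSid", "SubjectUserName", "SubjectDomainName",
               "SubjectLogonId", "ObjectType", "IpAddress", "IpPort",
               "ShareName", "ShareLocalPath", "RelativeTargetName",
               "AccessMask", "AccessList", "AccessReason"]

def build_event_data(user, domain, share, target):
    """Build a constructed <EventData> XML string in 5145 field order."""
    values = {"SubjectUserSid": "S-1-5-21-1-2-3-1001", "SubjectUserName": user,
              "SubjectDomainName": domain, "SubjectLogonId": "0x1234",
              "ObjectType": "File", "IpAddress": "10.0.0.5", "IpPort": "50000",
              "ShareName": share, "ShareLocalPath": r"\??\D:\Shares",
              "RelativeTargetName": target, "AccessMask": "0x1",
              "AccessList": "%%4416", "AccessReason": "-"}
    root = ET.Element("EventData")
    for name in FIELD_ORDER:
        ET.SubElement(root, "Data", Name=name).text = values[name]
    return ET.tostring(root, encoding="unicode")

def parse_event_data(xml_text):
    """Return {Name: value} for every <Data Name="..."> element.
    Empty elements (e.g. no RelativeTargetName) become ""."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iter("Data")}

def summarise(events, share_filter):
    """Counts by (UPN, share) and by (file, UPN) for one share, like the
    Kusto 'where share == ...' followed by the two summarize steps."""
    by_user_share, by_file_user = Counter(), Counter()
    for xml_text in events:
        d = parse_event_data(xml_text)
        upn = f"{d['SubjectDomainName']}\\{d['SubjectUserName']}"
        if d["ShareName"] != share_filter:
            continue
        by_user_share[(upn, d["ShareName"])] += 1
        by_file_user[(d["RelativeTargetName"], upn)] += 1
    return by_user_share, by_file_user

# Constructed sample events; the IPC$ row is noise the share filter drops.
SAMPLE_EVENTS = [build_event_data(*row) for row in [
    ("alice", "CONTOSO", r"\\*\Finance", r"Budget\2023.xlsx"),
    ("alice", "CONTOSO", r"\\*\Finance", r"Budget\2023.xlsx"),
    ("bob", "CONTOSO", r"\\*\Finance", "Plans.docx"),
    ("bob", "CONTOSO", r"\\*\IPC$", "")]]
```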