Monday, February 19, 2018

OMS Security and Azure Scoped Configurations

At one of my clients, we are making heavy use of OMS for our dashboarding and centralized reporting.  One of our servers, however, makes a large number of calls out to network resources, so the firewall is constantly auditing connections being opened and closed.  Each of those audit records lands in the Windows Security event log, which the Security solution then ships to the workspace, and the result was that we were routinely exceeding our OMS data ingestion limit.

Since this is a backend server, and there are other ways to monitor its network traffic, we decided to de-scope this server from the security solution.  Previously, the only option was to disconnect the server from OMS altogether, losing all the other benefits (such as metrics monitoring and alerting) along with it.

Luckily, we now have scoped configurations (currently in preview) that let us target which computers each OMS solution applies to.  The goal of this post is to walk through how to set this up.  For reference, you can find the official documentation here.

Setting up scoped configurations is actually super easy.  Step 1 is to create a saved search and designate it as a computer group.


When you click on Add, you are prompted to create a new saved search.  You may want to work out the query in the Analytics portal first and paste it in here, since the editor in this dialog isn't great.

Make sure to select "Save this query as a computer group" when creating the query.  One other tip: base the query on the Heartbeat table to select the computer names you want.  Every agent writes a row there on each check-in, so it lists exactly the computers reporting to the workspace, and the Computer column the query returns is what the group is built from.  Here are the fields available in the Heartbeat table.
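As an added example (not a query from the original post), here is a saved search of the kind described above: it returns every computer that has reported a heartbeat in the last week, minus the noisy backend server, so that the group contains the machines that should stay in scope for the Security solution. The server name backend01.contoso.local and the 7-day window are placeholders; use the name exactly as it appears in the Heartbeat table.

```kusto
// Added example: computer group that excludes the chatty backend server.
// "backend01.contoso.local" is a placeholder for the real FQDN.
Heartbeat
| where TimeGenerated > ago(7d)                      // only agents seen recently
| where Computer !in~ ("backend01.contoso.local")    // case-insensitive exclusion
| distinct Computer                                  // the group is built from the Computer column
```

Run the query in the Analytics portal first and confirm the excluded server is absent and every other server is present before saving it as a computer group; a typo in the name silently leaves the server in scope.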

After you have created a saved search to your liking, you can simply add it to the scoped configuration of the desired solution.  In this case, we added it to both Security Center and Security Center Free.

I am pleased to report that with this solution targeting in place, the security logs from that server are no longer being pulled into our OMS workspace, which resolved the problem of ingesting too many logs.  Ideally it would be nice to customize this further (maybe I do want the security logs for other events from that server, just not the network events), but filtering at that granularity is not currently available without affecting all computers in the workspace.
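To verify the outcome described above, the following added query (not from the original post) joins recent heartbeats against recent security events per computer. The de-scoped server should still heartbeat (it is still monitored for metrics and alerting) but show zero security events, while every in-scope server keeps collecting. The server name backend01.contoso.local and the 2-hour window are placeholders.

```kusto
// Added example: confirm the scoped configuration took effect.
// "backend01.contoso.local" and the 2h window are placeholders.
let excluded = "backend01.contoso.local";
let window = 2h;
Heartbeat
| where TimeGenerated > ago(window)
| summarize Heartbeats = count() by Computer
| join kind=leftouter (
    SecurityEvent
    | where TimeGenerated > ago(window)
    | summarize SecurityEvents = count() by Computer
  ) on Computer
| extend SecurityEvents = coalesce(SecurityEvents, 0)   // no rows on the right side means zero events
| extend Status = case(
    Computer =~ excluded and SecurityEvents == 0, "descoped OK",
    Computer =~ excluded,                          "still collecting security log",
    SecurityEvents == 0,                           "check agent / solution",
                                                   "collecting")
| project Computer, Heartbeats, SecurityEvents, Status
| order by Status asc
```

Wait for the agent to pick up the new configuration before drawing conclusions; events already in flight when the scope was applied will still land in the workspace for a short while.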