In this blog I will demonstrate how to collect the SMBv1 audit events in Azure Log Analytics. I will also show a simple query to extract the IP information from these events which can be exported to a CSV file if needed.
The Windows Servers should have the Log Analytics agent installed and connected to your Log Analytics Workspace in Azure. I’ve included an article in the references section with detailed information on how to connect your on premise servers to Azure Log Analytics.
SMBv1 auditing should already be enabled on the Windows Servers. Refer to the related articles section for more information on this.
Configure the Log Analytics Workspace
From the Azure Portal browse to your Log Analytics Workspace and select Advanced Settings. On the Advanced settings blade, select Data then Windows Event Logs.
There are many pre-populated event logs that can be selected as per the example below. The SMB Server audit log is not in this list though so I will need to add this manually.
The easiest way to get the full name of the log is to open Windows Event Viewer, browse to the required log and selecting properties. The full name of the log can be copied from the properties windows as shown below.
Enter the full name of the log in space provided and select the + button to add the log.
Select the event levels to collect (Error, Warning, Information). I keep all selected for the SMB Server audit logs although the audit log events will be logged as informational.
Log Analytics Query
Now that we have enabled the collection of the SMBv1 audit events we can start running queries in Log Analytics to list all the audit events to obtain the IP addresses of clients that are still using SMBv1. It may take a few minutes for the events to show in Log Analytics.
Select Logs from the menu on the left, in your Log Analytics workspace to run a query. I will start with a simple query to list all the events in the ‘Microsoft-Windows-SMBServer/Audit‘ event log for the last 12 hours:
Event | where EventLog == 'Microsoft-Windows-SMBServer/Audit' | where TimeGenerated > ago(12h)
All the events are listed but the IP addresses that I need are listed in the ParameterXml field in the following format:
I can update my query with the parse command to obtain only the IP address from the ParameterXml field and then project (list) only the IP address and the computer name where the event was logged:
| parse ParameterXml with * "<Param>" SourceIP "</Param>" * | project Computer,SourceIP
The full query will look like this:
Event | where EventLog == 'Microsoft-Windows-SMBServer/Audit' | where TimeGenerated > ago(12h) | parse ParameterXml with * "<Param>" SourceIP "</Param>" * | project Computer,SourceIP
Only the computer name where the event was logged and the IP address is listed in the results pane. Use the Export menu at the top to export the data to a CSV file.
It is easy to collect events from your servers when they are connected to an Azure Log Analytics workspace. Adding the SMBv1 audit event log to Log Analytics will make it easier to find those SMBv1 clients to remediate before disabling SMBv1 on your servers.