A few weeks ago the Operations Management Suite (OMS) product team announced that you could include search results in webhook payloads. Article here. This is really useful if you are into automation and specifically Azure Automation. It is now much easier in my opinion to get pertinent data to Azure Automation from OMS when you include search results in the OMS Alert.
First, let’s look at a simple query. We’ll use the default query for finding when users were added to Domain Admins, which is already stored in OMS.
Type=SecurityEvent EventID=4728 OR EventID=4732 OR EventID=4756
As you can see there is a fair amount of information contained in this alert. Let’s add a Webhook that calls an Azure Automation runbook to the Alert I already created in OMS, so we can see what gets sent to Azure Automation.
Here is the PowerShell in my Azure Automation runbook.
In the first three lines we’re passing the parameter $WebhookData into the runbook. This parameter is always available in Azure Automation runbooks, and it can be null or omitted entirely if you just want to call the runbook without passing it any data. I have set the runbook to run on my Hybrid Worker and drop the variables into text files on the local disk.
param (
    [object]$WebhookData
)

if ($WebhookData -ne $null) {
    # Collect properties of WebhookData.
    $WebhookName    = $WebhookData.WebhookName
    $WebhookHeaders = $WebhookData.RequestHeader
    $WebhookBody    = $WebhookData.RequestBody

    # Write each property to a text file on the Hybrid Worker for inspection.
    $WebhookName    | Out-File C:\temp\Webhookname.txt
    $WebhookHeaders | Out-File C:\temp\webhookheaders.txt
    $WebhookBody    | Out-File C:\temp\webhookbody.txt
}
This is what I get when I open the WebhookBody text file.
There is a lot of information in there, but when you try to parse it and assign pertinent information to PowerShell variables, you get empty results. To format it so that data can be assigned to variables we need to do two things: modify the alert in OMS, and add a couple of lines of PowerShell to the runbook.
First, changing the Alert. We’ll add "IncludeSearchResults":true after checking “include custom JSON payload.”
{"alertname":"#alertrulename","IncludeSearchResults":true}
Save the alert and then we add the PowerShell.
Second, we’ll add the following to the runbook:

$SearchResults      = (ConvertFrom-Json $WebhookBody).SearchResults
$SearchResultsValue = $SearchResults.value
I added some more out-file commands so we can look at the data.
Now I’ll generate the alert again and see what we get.
When I open SearchResultsValue.txt, this is what I get.
This is nicely formatted and easy to understand. More importantly I can now assign any one of the search result items on the left hand side to a PowerShell variable.
Let’s say in this example we want to get the MemberName and TargetAccount. These would be logical choices given the context of the alert. All we need to do now is add a ForEach loop and assign variables.

foreach ($item in $SearchResultsValue) {
    $GroupMember   = $item.MemberName
    $SecurityGroup = $item.TargetAccount
}
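Putting the steps above together, here is an added example of a complete runbook body that parses an OMS alert webhook sent with IncludeSearchResults set to true; it is not the author’s runbook. The sample payload, the helper function name, and the EventID and Computer fields are assumptions constructed to show the shape the post describes; only MemberName and TargetAccount come from the post.

```powershell
# Added example (not the original post's runbook). Field names other than
# MemberName and TargetAccount, and the sample payload, are assumptions.
param (
    [object]$WebhookData
)

function ConvertFrom-OmsAlertWebhook {
    param ([string]$RequestBody)
    $payload = ConvertFrom-Json $RequestBody
    if (-not $payload.SearchResults) {
        # Without IncludeSearchResults=true on the alert, this property is absent.
        throw 'Webhook body has no SearchResults; check the alert custom JSON payload.'
    }
    # Emit one object per search result row, keeping only the fields acted on.
    foreach ($item in $payload.SearchResults.value) {
        [pscustomobject]@{
            EventID       = $item.EventID        # assumed field
            GroupMember   = $item.MemberName
            SecurityGroup = $item.TargetAccount
            Computer      = $item.Computer       # assumed field
        }
    }
}

if ($WebhookData -eq $null) {
    # Runbook started without a webhook (e.g. a test run): use a constructed body.
    $sampleBody = @'
{"alertname":"Domain Admins membership change",
 "SearchResults":{"value":[
   {"EventID":4728,"MemberName":"CN=jdoe,OU=Users,DC=contoso,DC=com",
    "TargetAccount":"CONTOSO\\Domain Admins","Computer":"DC01.contoso.com"}
 ]}}
'@
    $WebhookData = @{ WebhookName = 'test-run'; RequestBody = $sampleBody }
}

$results = ConvertFrom-OmsAlertWebhook -RequestBody $WebhookData.RequestBody
foreach ($r in $results) {
    # Act only on the group-add EventIDs the alert query covers (4728/4732/4756).
    if ($r.EventID -in 4728, 4732, 4756) {
        "$($r.GroupMember) was added to $($r.SecurityGroup) on $($r.Computer)" |
            Out-File C:\temp\GroupAdds.txt -Append
    }
}
```

Running it with no webhook data exercises the parsing path against the constructed payload, which is a convenient way to test the runbook before wiring it to the OMS alert.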
The complete runbook now looks like this:
I’ll trigger the alert again and we’ll see the results.
From here it would be relatively easy to do some alert remediation in our on-prem Active Directory, now that we have the search result data available in PowerShell variables.