Using Azure Sentinel To Monitor Server Reboots

One of the items I feel is important to monitor is server reboots. Not only should server reboots go through change control, you should also understand who rebooted a server and why.

Most monitoring systems will tell you when a server reboots, but not who rebooted the server or which process was used to reboot it.

Using Azure Sentinel you can collect server reboot events very easily. The event you need to collect is Event ID 1074 from the User32 provider in the System log; it records the process that initiated the shutdown or restart and the user account on whose behalf it ran.

The XPath query you would write in Azure Sentinel to collect this event (the original had the two conditions split into separate predicates, which is not valid XPath):

System!*[System[Provider[@Name='User32'] and (EventID=1074)]]

If you are using Windows Event Forwarding (WEF), this is the subscription query you would need to place on the Windows Event Collector (WEC) server.

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[Provider[@Name='User32'] and (EventID=1074)]]</Select>
  </Query>
</QueryList>
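Before pushing the subscription out, it is worth confirming that the XPath actually matches on a server and seeing which fields the 1074 event carries, because the Sentinel query later pulls its "who" and "which process" answers from those positional parameters. The following PowerShell is an added example, not code from the original post; it assumes it runs on a Windows host with read access to the local System log and uses the same XPath as the subscription above.

```powershell
# Added example (not from the original post): validate the WEC subscription
# XPath against a server's local System log before deploying it, and show the
# 1074 event data fields that the Sentinel query later extracts.
# Assumes a Windows host with read access to the System log.

$xpath = "*[System[Provider[@Name='User32'] and (EventID=1074)]]"

# -FilterXPath takes the same XPath the <Select> element in the subscription uses,
# so a match here means the subscription query will match on this host too.
$events = Get-WinEvent -LogName System -FilterXPath $xpath -MaxEvents 50 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No User32/1074 events found in the local System log."
    return
}

# Event 1074 carries its data as positional parameters (param1..param7 in the
# Sentinel EventData column). Index -> meaning:
#   0 = initiating process, 1 = computer, 2 = reason text, 3 = reason code,
#   4 = shutdown type (restart / power off), 5 = comment, 6 = user account
$events | ForEach-Object {
    [PSCustomObject]@{
        Time         = $_.TimeCreated
        Computer     = $_.MachineName
        User         = $_.Properties[6].Value
        Process      = $_.Properties[0].Value
        ShutdownType = $_.Properties[4].Value
        Reason       = $_.Properties[2].Value
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

If this returns rows on a server you know was rebooted through change control, the User and Process columns show exactly what the daily report from Sentinel will contain; a reboot initiated by an unexpected account or by a process other than the usual shutdown tooling is what the report is there to surface.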

Once you have started collecting the events, you can use the following query to filter the event log. The same query can be used in Azure Sentinel Automation to send you a daily report of server reboots.

WindowsEvent
| union SecurityEvent
// the union renames the dynamic EventData column from WindowsEvent to EventData_dynamic
| where EventID == 1074
| project TimeGenerated, Computer, EventData_dynamic
// 1074 event data: param1 = initiating process, param2 = computer,
// param3 = reason text, param7 = user account the reboot ran on behalf of
| extend Server  = tostring(EventData_dynamic.param2),
         Reason  = tostring(EventData_dynamic.param3),
         Process = tostring(EventData_dynamic.param1),
         User    = tostring(EventData_dynamic.param7)
| project TimeGenerated, Computer, User, Process, Reason

This is a simple and easy method to collect server reboot events and also send reports on those reboots. You can catch the people who I call naughty rebooters :)

TBJ Consulting