Microsoft Active Directory Security Logs
The Active Directory event source collects the Security logs of your Domain Controllers. These logs have a lot of forensic value, since they record the authentication events for endpoints within the domain. You can see the list of monitored events at the end of this documentation.
Active Directory Security Logs are critical for InsightIDR's attribution engine and security incident detection capabilities. For example, these logs allow InsightIDR to track failed logons for non-machine accounts such as JSmith (a machine account name ends in a dollar sign, which is how the two are told apart).
Active Directory provides authentication and administrative events for your domain users. The Insight Platform can collect significant events from the Security log on domain controllers. Add one Active Directory (AD) event source for each domain controller in your organization.
To set up Active Directory, you’ll need to:
- Review “Before you Begin” and note any requirements.
- Choose a data collection method and configure Active Directory to send data to your Collector.
- If you are using Azure in your environment, read about Authentication Activity with Azure.
- Verify the configuration works.
Additionally:
- Troubleshoot common issues.
- See the list of monitored events.
Before You Begin
To prepare to collect Active Directory event sources:
- Open ports 135, 139, and 445 between the Collector and the Active Directory event source for each domain controller.
- Set up a Service Account and add it to the Domain Admins group (this documentation explains how to set up a service account).
- Ensure that your Active Directory settings match Microsoft’s Security Baselines at a minimum. You can also review the following for more information on auditing for each of these event types:
Alternatives to Domain Admin Accounts
This documentation details the different methods to configure Active Directory. If you don't want to add your service account to the Domain Admins group, there are alternative options including using a Non-Admin Domain Controller Account, NXLog, and the Insight Agent.
Configuration options for Active Directory event source
There are different options you can use to collect the Domain Controllers security logs:
Method | WMI | Insight Agent | NXLog | WMI without Domain Admin account |
---|---|---|---|---|
Summary | Most commonly used | Easy to deploy | Good alternative for few domain controllers | Needs additional user permissions |
Account required | Domain admin account | Non domain admin account | Non domain admin account | Non domain admin account |
Coverage | Can collect all events from security logs | Can collect only specific events; not recommended for Domain Controllers that generate a high number of events | Can collect all events from security logs | Can collect all events from security logs |
Status | Supported | Supported | Supported | Supported |
Let's review each method:
- Windows Management Instrumentation (WMI)
This is the most commonly used method. It requires using a Domain Admin Account credential.
With WMI, the Collector uses Windows Management Instrumentation (remote WMI runs over DCOM/RPC) to connect to the Domain Controller. It then reads the Security log entries and sends them on for processing.
This method allows you to pull out all the security logs. If you choose this method, you can follow the configuration steps listed below in this documentation.
If you prefer to limit the number of domain admins in your environment, you can review the other configuration options below: WMI with a non-admin domain controller account, NXLog, or the Insight Agent.
- WMI without Domain Admin account
For this method, you need to change permission on the domain controller to allow a non-admin domain controller account to access the security log using WMI. Read the documentation for using a non-admin domain controller account.
- NXLog
You can install NXLog on all your domain controllers and then configure it to collect the domain controller security logs.
This is a third party tool that needs to be downloaded and installed on all your domain controllers. It can be a good alternative if you prefer not to set up a service account and have few domain controllers.
However, it can be more demanding to configure if you have a lot of domain controllers, since you have to install and configure it on each one.
You can follow the steps to configure Active Directory with NXLog listed below in this documentation.
- Insight Agent
Prevent duplication with the Insight Agent
To collect the domain controller Security log events, use either the Active Directory event source or the Insight Agent. Using both may result in duplicate events being collected.
You can configure the Insight Agent to collect these events by going to Settings > Insight Agent > Domain Controller Events.
If you want to use the Insight Agent, you need to have an Agent installed on all your domain controllers. This method does not require a service account.
If you choose to use the Insight Agent method, note that collection of log data is limited:
- When a Domain Controller becomes extremely busy (that is, it generates a high number of events), the Insight Agent cannot keep up with ingestion, which can result in a failure to collect all events. This data powers some of InsightIDR's built-in detection rules, so some of those detections could be missed.
- Additionally, only the events listed in the Insight Agent documentation are processed. You will not be able to get additional logs from the Domain Controller using the Insight Agent, unlike the WMI event source, which allows you to collect the entire Security log if desired by enabling unparsed data.
If you choose this method, you should review the documentation to configure the Insight Agent to Send Additional Logs.
Configure with a Domain Admin Account using WMI
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
- Search for Active Directory in the event sources search bar.
- In the Product Type filter, select Active Directory.
- Select the Microsoft Active Directory Security Logs event source tile.
- Choose your collector and event source. You can also name your event source.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unparsed data based on the type of events you want to monitor. When this option is not selected, Active Directory only collects the events that InsightIDR considers to be forensically valuable. When this option is selected, Active Directory pulls the entire logs.
- Select WMI as the collection method (WMI is the standard collection method).
- In the "Server" field, enter the Fully Qualified Domain Name (FQDN) of an Active Directory Domain Controller that the Collector will be able to reach.
- In the "User Domain" field, enter the user domain this domain controller administers. If there are multiple domains, then you will need to set up one event source per domain.
- Select an existing domain administrator credential, or optionally create a new credential.
- In the "Password" field, enter the password of the service account.
- Select Save.
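The following script, an added example and not part of the Rapid7 documentation, checks from the Collector host the two things the steps above depend on: that the ports listed under "Before You Begin" are reachable, and that the credential you selected can actually read the Security log over WMI (DCOM), which is the path the Collector uses. The domain controller name dc01.corp.example and the account CORP\svc-insightidr are placeholders to replace with your own values.

```powershell
# Added example, not Rapid7's code. Run from the Collector host in Windows PowerShell.
# dc01.corp.example and CORP\svc-insightidr are placeholders for your environment.
$Dc      = 'dc01.corp.example'
$Account = 'CORP\svc-insightidr'

# 1. The ports listed under "Before You Begin" must be open from the Collector to the DC.
foreach ($port in 135, 139, 445) {
    $ok = (Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-24} TCP/{1,-4} {2}' -f $Dc, $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
}
# DCOM negotiates an additional dynamic RPC port after the TCP/135 handshake, so a
# firewall that allows only 135, 139 and 445 can still break the query below.

# 2. Read the Security log over WMI as the service account. Get-CimInstance with a
#    DCOM session uses the same transport as the legacy Get-WmiObject cmdlet.
$cred = Get-Credential -UserName $Account -Message 'Service account password'
$opt  = New-CimSessionOption -Protocol Dcom
$sess = New-CimSession -ComputerName $Dc -Credential $cred -SessionOption $opt

try {
    # Ask for a few of the event IDs InsightIDR parses by default (see the table of
    # monitored events). Win32_NTLogEvent is the WMI class that exposes event log records.
    $filter = "Logfile='Security' AND (EventCode=4624 OR EventCode=4625 OR EventCode=4768)"
    $events = Get-CimInstance -CimSession $sess -ClassName Win32_NTLogEvent -Filter $filter -ErrorAction Stop |
              Select-Object -First 20 EventCode, TimeGenerated,
                  @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }

    if ($events) {
        $events | Format-Table -AutoSize
    } else {
        # Connection and credential both worked; the DC simply has no matching events,
        # which usually means the Logon / Kerberos subcategories are not being audited.
        Write-Warning "Connected to $Dc but found no matching Security events; check the audit policy."
    }
}
catch {
    # An access-denied error here means the account can reach WMI but lacks rights to
    # the Security log (the case the non-admin domain controller account documentation covers).
    Write-Warning "WMI query against $Dc failed: $($_.Exception.Message)"
}
finally {
    Remove-CimSession $sess
}
```

If the port test passes but the query fails with an RPC error, check the dynamic RPC port range on the domain controller's firewall; if it fails with access denied, the account rather than the network is the problem.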
What Ports Does Active Directory Use?
This event source uses ports 135, 139, and 445 between the Collector and each domain controller (the same ports listed under "Before You Begin"). See Ports Used by InsightIDR for more information.
Configure With NXLog
If you don’t want to use a Domain Admin account to collect Active Directory log events from your environment, you can configure NXLog to collect these events for you.
To configure with NXLog:
- Download and install NXLog. For instructions on how to do this, see the NXLog page.
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
- Search for Active Directory in the event sources search bar.
- In the Product Type filter, select Active Directory.
- Select the Microsoft Active Directory Security Logs event source tile.
- Choose your collector.
- Select Microsoft Active Directory Security Logs as your event source and give it a descriptive name.
- Choose the time zone that matches the location of your event source logs.
- Click the Listen on Network Port button.
- In the Port field, enter in a port you wish to use for this event source. You cannot use a port that you already use for another event source.
- For Protocol, use either UDP or TCP. Although this event source supports both protocols, be aware that NXLog must be configured to send logs using the protocol you select.
- Click Save.
- Follow the instructions in the Active Directory section of the NXLog page to edit the nxlog.conf file to collect the Security log and forward it to InsightIDR.
Active Directory and Azure
Authentication Activity with Azure
As in on-premises networks, the domain controller records the authentication events for a domain hosted in Azure.
Self-managed domain controllers
If you manage your own domain controller in Azure, configure the AD event source with WMI as described in the steps above.
Azure AD Domain Services
If you are using Azure AD Domain Services, you do not have access to the security logs that record user authentications. For InsightIDR to ingest these events, they must be retrieved from the individual endpoints rather than from a centralized domain controller.
Install the Insight Agent on all of your Azure assets to retrieve all of the authentication activity.
Azure Administrator Activity
Self-managed domain controllers
You can track administrator activity by configuring the standard AD event source using WMI.
Azure AD Domain Services
At this time, InsightIDR does not support administrator activity tracking for Azure AD Domain Services. However, you can achieve partial coverage by configuring the Microsoft Office 365 event source.
Verify the configuration
Complete the following steps to view your logs and ensure events are making it to the Collector:
- Click Data Collection in the left menu of InsightIDR and navigate to the Event Sources tab. Find the new event source that was just created and click the View Raw Log button. If you see log messages in the box, then this shows that logs are flowing to the Collector.
- Click Log Search in the left menu of InsightIDR.
- Select the applicable Log Sets and the Log Names within them. The Log Name will be the name you gave to your event source.
Logs take a minimum of 7 minutes to appear in Log Search
Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source. If you see log messages when you select View Raw Log on the event source but do not see any log messages in Log Search after waiting for a few minutes for them to appear, then your logs do not match the recommended format and type for this event source.
Authentication events monitored by the Active Directory event source
This is the list of events collected by default when using WMI collection method, as InsightIDR considers them to be forensically useful. To collect more events, check the Send Unparsed Data option while configuring Active Directory as an event source.
Events Monitored
The following event codes are pulled. Ensure your domain controllers log all of these events:
Event Code | Category | Subcategory | Description |
---|---|---|---|
1102 | Non Audit (Event Log) | Log Clear | The audit log was cleared. |
4624 | Logon/Logoff | Audit Logon | An account was successfully logged on. |
4625 | Logon/Logoff | Audit Logon | An account failed to log on. |
4648 | Logon/Logoff | Audit Logon | A logon was attempted using explicit credentials. |
4704 | Policy Change | Audit Authorization Policy Change | A user right was assigned. |
4720 | Account Management | Audit User Account Management | A user account was created. |
4722 | Account Management | Audit User Account Management | A user account was enabled. |
4724 | Account Management | Audit User Account Management | An attempt was made to reset an account's password. |
4725 | Account Management | Audit User Account Management | A user account was disabled. |
4728 | Account Management | Security Group Management | A member was added to a security-enabled global group. |
4732 | Account Management | Security Group Management | A member was added to a security-enabled local group. |
4738 | Account Management | Audit User Account Management | A user account was changed. |
4740 | Account Management | Audit User Account Management | A user account was locked out. |
4741 | Account Management | Audit Computer Account Management | A computer account was created. |
4756 | Account Management | Audit Security Group Management | A member was added to a security-enabled universal group. |
4767 | Account Management | Audit User Account Management | A user account was unlocked. |
4768 | Account Logon | Kerberos Authentication Service | A Kerberos authentication ticket (TGT) was requested. |
4769 | Account Logon | Kerberos Service Ticket Operations | A Kerberos service ticket was requested. |
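The table says to ensure your domain controllers log all of these events. The script below, an added example rather than Rapid7's code, checks that on a domain controller by mapping the event IDs above to the Advanced Audit Policy subcategories that produce them and reading the effective policy with auditpol. The subcategory names are Microsoft's as auditpol prints them on an English system; on a localized system they will differ.

```powershell
# Added example, not Rapid7's code. Run in an elevated prompt on each domain controller.
# Maps the event IDs in the monitored-events table to the Advanced Audit Policy
# subcategories that produce them (English subcategory names as auditpol prints them).
$Required = [ordered]@{
    'Logon'                              = 4624, 4625, 4648
    'Authorization Policy Change'        = 4704
    'User Account Management'            = 4720, 4722, 4724, 4725, 4738, 4740, 4767
    'Security Group Management'          = 4728, 4732, 4756
    'Computer Account Management'        = 4741
    'Kerberos Authentication Service'    = 4768
    'Kerberos Service Ticket Operations' = 4769
}
# Event 1102 (audit log cleared) is written whenever the log is cleared and is not
# controlled by these subcategories, so it needs no entry here.

# auditpol /r prints CSV with the columns: Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting, Exclusion Setting. Blank lines are dropped first.
$policy = auditpol /get /category:* /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv

$problems = 0
foreach ($sub in $Required.Keys) {
    $row     = $policy | Where-Object { $_.Subcategory -eq $sub } | Select-Object -First 1
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'NOT FOUND' }
    # 4624/4625 and 4768/4769 need both successes and failures, so anything less than
    # "Success and Failure" is reported as a gap for every subcategory in the list.
    $ok = $setting -eq 'Success and Failure'
    if (-not $ok) { $problems++ }
    '{0,-3} {1,-36} {2,-20} events: {3}' -f $(if ($ok) { 'OK' } else { 'FIX' }), $sub, $setting, ($Required[$sub] -join ', ')
}

if ($problems) {
    Write-Warning "$problems subcategories are not auditing Success and Failure."
    # On a domain controller the effective policy normally comes from the Default Domain
    # Controllers Policy GPO (Advanced Audit Policy Configuration). A local change such as
    #   auditpol /set /subcategory:"Logon" /success:enable /failure:enable
    # is overwritten at the next policy refresh, so make the change in the GPO instead.
}
```

Run it on every domain controller you add as an event source; a subcategory that is audited on one domain controller and not another shows up as a gap in InsightIDR's view of that domain controller only.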
Check that you are getting events from Active Directory
The section below explains how the number of events you get from Active Directory depends on your audit policy and domain activity.
You can also review the Troubleshooting documentation. It explains how to check if Active Directory is correctly getting events.
When to send unparsed logs for Active Directory
During configuration, it's possible to choose to send unparsed data based on the type of events you want to monitor.
This documentation from Microsoft has the complete list of events that Active Directory can monitor: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor. There are many different events that can be logged into the security logs. Not all of them can be useful for what you need. How events get into the security log depends on how you configure your audit policy and how busy the domain is.
If the auditing on your domain is very granular, more events are written to the domain controller security logs. If the auditing on your domain is less granular, fewer events reach the domain controller security logs. You can modify the Advanced Audit Policies of your domain controller using the instructions in this documentation from Microsoft: https://docs.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection.
How much gets into the security logs also depends on how busy the domain is. In a large domain, domain controllers are very busy, and it is not unusual for them to write millions of events into the security logs.
Tip: Consider getting unparsed data from Active Directory
By default, InsightIDR only collects the most valuable events from an event source. However, for the particular case of Active Directory, depending on your audit policy and how busy your domain is, you might want to consider collecting unparsed data to get all the events that are available.
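To make that decision with numbers rather than a guess, the following script, an added example and not Rapid7's code, samples the last hour of a domain controller's Security log and reports how many events the default (parsed) collection would forward versus how many "Send unparsed data" would forward, along with the busiest event IDs. The list of default event IDs is taken from the monitored-events table above; the one-hour window is an assumption you can change.

```powershell
# Added example, not Rapid7's code. Run in an elevated prompt on a domain controller.
# $Parsed is the monitored-events table above; $Window (hours) is an assumed sample size.
$Parsed = 1102, 4624, 4625, 4648, 4704, 4720, 4722, 4724, 4725, 4728,
          4732, 4738, 4740, 4741, 4756, 4767, 4768, 4769
$Window = 1
$Since  = (Get-Date).AddHours(-$Window)

# Get-WinEvent throws when nothing matches, so an empty result is treated as "no events".
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $Since } -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) { Write-Warning 'No Security events in the sample window.'; return }

# Events come back newest first. If the oldest one is younger than the window, the log
# wrapped inside the window and the real rate is higher than what is measured here.
$oldest = $events[-1].TimeCreated
if ($oldest -gt $Since.AddMinutes(1)) {
    Write-Warning ("Security log only reaches back to {0}; it is wrapping in under {1}h." -f $oldest, $Window)
}

$total   = $events.Count
$default = @($events | Where-Object { $Parsed -contains $_.Id }).Count
$args    = $total, $Window, ($total / $Window), $default, ($default / $total)
'{0} events in {1}h ({2:N0}/h). Default collection forwards {3} ({4:P1}); unparsed forwards all {0}.' -f $args

# Busiest event IDs, flagged by whether the default parser set includes them. A large
# share of "unparsed only" volume is what drives the cost of enabling unparsed data.
$events | Group-Object Id | Sort-Object Count -Descending | Select-Object -First 10 |
    ForEach-Object {
        $tag = if ($Parsed -contains [int]$_.Name) { 'parsed by default' } else { 'unparsed only' }
        '{0,-6} {1,8}  {2}' -f $_.Name, $_.Count, $tag
    }
```

Run it during a busy period (for example, the morning logon peak) rather than overnight, because the decision hinges on the peak rate the Collector has to sustain, not the average.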