Active Directory

The Active Directory event source is the collection of the Domain Controller Security logs. The security logs from Domain Controllers have a lot of forensic value, since they provide authentication events for endpoints within the domain. You can see the list of monitored events at the end of this documentation.

Active Directory Security Logs are critical for InsightIDR's attribution engine and security incident detection capabilities. These logs allow InsightIDR track failed logons for non-machine accounts, such as JSmith.

Active Directory provides authentication and administrative events for your domain users. The Insight Platform can collect significant events from the security log on domain controllers. You should add in one Active Directory (AD) event source for each domain controller in your organization.

To set up Active Directory, you’ll need to:

  1. Review “Before you Begin” and note any requirements.
  2. Choose a data collection method and configure Active Directory to send data to your Collector.
  3. If you are using Azure in your environment, read about Authentication Activity with Azure.
  4. Verify the configuration works.

Additionally:

  1. Troubleshoot common issues.
  2. See the list of monitored events.

Before You Begin

To prepare to collect Active Directory event sources:

Alternatives to Domain Admin Accounts

This documentation details the different methods to configure Active Directory. If you don't want to add your service account to the Domain Admins group, there are alternative options including using a Non-Admin Domain Controller Account, NXLog, and the Insight Agent.

Configuration options for Active Directory event source

There are different options you can use to collect the Domain Controllers security logs:

WMIInsight AgentNXLogWMI without Domain Admin account
Most commonly usedEasy to deployGood alternative for few domain controllersNeeds additional user permissions
Domain admin accountNon domain admin accountNon domain admin accountNon domain admin account
Can collect all events from security logsCan collect only specific events; Not recommended for Domain Controllers that generate a high number of eventsCan collect all events from security logsCan collect all events from security logs
SupportedSupportedSupportedSupported

Let's review each method:

  • Windows Management Instrumentation (WMI)

This is the most commonly used method. It requires using a Domain Admin Account credential.

With WMI, the Collector uses the protocol Windows Management Implementation to connect to the Domain Controller. Then it collects the log entries and sends them out for processing.

This method allows you to pull out all the security logs. If you choose this method, you can follow the configuration steps listed below in this documentation.

If you prefer to limit the number of domain admins in your environment, you can review the other configuration options below: WMI with a non-admin domain controller account, NXLog, or the Insight Agent.

  • WMI without Domain Admin account

For this method, you need to change permission on the domain controller to allow a non-admin domain controller account to access the security log using WMI. Read the documentation for using a non-admin domain controller account.

  • NXLog

You can install NXLog on all your domain controllers and then configure it to collect the domain controller security logs.

This is a third party tool that needs to be downloaded and installed on all your domain controllers. It can be a good alternative if you prefer not to set up a service account and have few domain controllers.

However, it can be more demanding to configure if you have a lot of domain controllers, since you have to install and configure it on each one.

You can follow the steps to configure Active Directory with Nxlog in the steps listed below in this documentation.

  • Insight Agent

Prevent duplication with the Insight Agent

To collect the domain controller Security log events, use either the Active Directory event source or the Insight Agent. Using both may result in duplicate events being collected.

You can configure the Insight Agent to collect these events by going to Settings > Insight Agent > Domain Controller Events.

If you want to use the Insight Agent, you need to have an Agent installed on all your domain controllers. This method does not require a service account.

If you choose to use the Insight Agent method, note that collection of log data is limited:

  • When a Domain Controller becomes extremely busy (i.e. generating a high number of events), the Insight Agent cannot keep up with ingestion and this could potentially result in a failure to collect all events. This data powers some of InsightIDRs built-in detection rules, therefore some of these could be missed.
  • Additionally, only the events listed in the Insight Agent documentation are processed. You will not be able to get additional logs from the Domain Controller using the Insight Agent, unlike the WMI event souce which allows you to collect the entire security log if desired, by enabling unparsed data.

If you choose this method, you should review the documentation to configure the Insight Agent to Send Additional Logs.

Configure with a Domain Admin Account using WMI

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Active Directory in the event sources search bar.
    • In the Product Type filter, select Active Directory.
  3. Select the Microsoft Active Directory Security Logs event source tile.
  4. Choose your collector and event source. You can also name your event source.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unparsed data based on the type of events you want to monitor. When this option is not selected, Active Directory only collects the events that InsightIDR considers to be forensically valuable. When this option is selected, Active Directory pulls the entire logs.
  7. Select WMI as the collection methods (WMI is the standard collection method).
  8. In the "Server" field, enter the Fully Qualified Domain Name (FQDN) of an Active Directory Domain Controller that the Collector will be able to reach.
  9. In the "User Domain" field, enter the user domain this domain controller administers. If there are multiple domains, then you will need to set up one event source per domain.
  10. Select an existing domain administrator credential, or optionally create a new credential.
  11. In the "Password" field, enter the password for Active Directory.
  12. Select Save.

What Ports Does Active Directory Use?

Active Directory uses ports 135 and 445. See Ports Used by InsightIDR for more information.

Configure With NXLog

If you don’t want to use a Domain Admin account to collect Active Directory log events from your environment, you can configure NXLog to collect these events for you.

To configure with NXLog:

  1. Download and install NXLog. For instructions on how to do this, see the NXLog page.
  2. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  3. Do one of the following:
    • Search for Active Directory in the event sources search bar.
    • In the Product Type filter, select Active Directory.
  4. Select the Microsoft Active Directory Security Logs event source tile.
  5. Choose your collector.
  6. Select Microsoft Active Directory Security Logs as your event source and give it a descriptive name.
  7. Choose the time zone that matches the location of your event source logs.
  8. Click the Listen on Network Port button.
  9. In the Port field, enter in a port you wish to use for this event source. You cannot use a port that you already use for another event source.
  10. For Protocol, use either UDP or TCP. Although this event source supports both protocols, be aware that NXLog must be configured to send logs using the protocol you select.
  11. Click Save.
  12. Follow the instructions in the Active Directory section of the NXLog page to edit the nxlog.conf file to collect the Security Log and forward it to InsightIDR.

Active Directory and Azure

Authentication Activity with Azure

As in corporate networks, the domain controller orchestrates authentication events for the Azure cloud domain.

Self Managed Domain Controllers If you manage your own domain controller in Azure, configure the AD event source with WMI as described in the steps above.

Azure AD Domain Services If you are using Azure AD domain services, you will not have access to the security logs that record user authentications. In order for InsightIDR to ingest these events, they must be retrieved from individual endpoints rather than the centralized domain controller.

Install The Insight Agent on all of your Azure assets in order to retrieve all of the authentication activity.

Azure Administrator Activity

Self Managed Domain Controllers You can track administrator activity by configuring the standard AD event source using WMI.

Azure AD Domain Services At this time, InsightIDR does not support administrator activity tracking for Azure AD Domain Services. However, you can achieve partial coverage by configuring the Microsoft Office 365 event source.

Verify the configuration

Complete the following steps to view your logs and ensure events are making it to the Collector:

  1. Click Data Collection in the left menu of InsightIDR and navigate to the Event Sources tab. Find the new event source that was just created and click the View Raw Log button. If you see log messages in the box, then this shows that logs are flowing to the Collector.
  2. Click Log Search in the left menu of InsightIDR.
  3. Select the applicable Log Sets and the Log Names within them. The Log Name will be the name you gave to your event source.

Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source. If you see log messages when you select View Raw Log on the event source but do not see any log messages in Log Search after waiting for a few minutes for them to appear, then your logs do not match the recommended format and type for this event source.

Authentication events monitored by the Active Directory event source

This is the list of events collected by default when using WMI collection method, as InsightIDR considers them to be forensically useful. To collect more events, check the Send Unparsed Data option while configuring Active Directory as an event source.

Events Monitored

The following event codes are pulled. Ensure your domain controllers log all of these events:

Event Code

Category

Subcategory

Description

1102

Non Audit (Event Log)

Log Clear

The audit log was cleared.

4624

Logon/Logoff

Audit Logon

An account was successfully logged on.

4625

Logon/Logoff

Audit Logon

An account failed to log on.

4648

Logon/Logoff

Audit Logon

A logon was attempted using explicit credentials.

4704

Policy Change

Audit Authorization Policy Change

A user right was assigned.

4720

Account Management

Audit User Account Management

A user account was created.

4722

Account Management

Audit User Account Management

A user account was enabled.

4724

Account Management

Audit User Account Management

An attempt was made to reset an account's password.

4725

Account Management

Audit User Account Management

A user account was disabled.

4728

Account Management

Security Group Management

A member was added to a security-enabled global group.

4732

Account Management

Security Group Management

A member was added to a security-enabled local group.

4738

Account Management

Audit User Account Management

A user account was changed.

4740

Account Management

Audit User Account Management

A user account was locked out.

4741

Account Management

Audit Computer Account Management

A computer account was created.

4756

Account Management

Audit Security Group Management

A member was added to a security-enabled universal group.

4767

Account Management

Audit User Account Management

A user account was unlocked.

4768

Account Logon

Kerberos Authentication Service

A Kerberos authentication ticket (TGT) was requested.

4769

Account Logon

Kerberos Service Ticket Operations

A Kerberos service ticket was requested.

Check that you are getting events from Active Directory

The section below goes through the amount of events that you can get from Active Directory.

You can also review the Troubleshooting documentation. It explains how to check if Active Directory is correctly getting events.

When to send unparsed logs for Active Directory

During configuration, it's possible to choose to send unparsed data based on the type of events you want to monitor.

This documentation from Microsoft has the complete list of events that Active Directory can monitor: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor. There are many different events that can be logged into the security logs. Not all of them can be useful for what you need. How events get into the security log depends on how you configure your audit policy and how busy the domain is.

If the auditing on your domain is very granular, more events will be written to the domain controller security logs. If the auditing on your domain is not very granular, less events will get into the domain controller security logs. You can modify the Advanced Audit Policies of your domain controller using the instructions on this documentation from Microsoft: https://docs.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection.

How much gets into the security logs also depends on how busy the domain is. If it's a large domain, domain controllers are very busy. It's not unusual for them to get million of events written into the security logs.

Tip: Consider getting unparsed data from Active Directory

By default, InsightIDR will only get the most valuable events from an event source. However, for the particular case of Active Directory, based on your audit policy and how busy your domain is, you might want to consider to get unparsed data to get all the events that are available.