Active Directory

Active Directory Security Logs are critical for InsightIDR's attribution engine and security incident alerting capabilities. These logs allow InsightIDR to track failed logons for non-machine accounts, such as JSmith (machine accounts are the ones whose names end in a trailing $).

Active Directory provides authentication and administrative events for your domain users. The Insight Platform can collect significant events from the Security log on domain controllers. Add one Active Directory (AD) event source for each domain controller in your organization.

The InsightIDR Collector can pull logs from domain controllers over WMI. This is the recommended collection method, because the Collector automatically collects the events of interest (the full list is in the Events Monitored section at the bottom of this page).
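As an added illustration of the attribution point above (example code written for this page, not InsightIDR's own logic), the PowerShell below parses 4625 (failed logon) events in the Windows event XML schema, drops machine accounts (names ending in $), and summarises failures per user account with source address and failure reason. The five events are constructed for the example; the CORP domain, the host names, the IP addresses and the alert threshold of 3 are assumptions.

```powershell
# Added example for this page, not InsightIDR code. Windows PowerShell 5.1 or PowerShell 7.
# The events are constructed sample data; see the note below for reading a live DC.

function New-Sample4625 {
    # Builds a minimal 4625 event in the Windows event XML schema (constructed test data;
    # real events carry many more <Data> fields, which the parser below simply ignores).
    param([string]$User, [string]$Domain, [string]$Ip, [string]$SubStatus, [string]$Time)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="$Time"/>
    <Computer>dc01.corp.example.com</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="TargetDomainName">$Domain</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="Status">0xC000006D</Data>
    <Data Name="SubStatus">$SubStatus</Data>
    <Data Name="IpAddress">$Ip</Data>
  </EventData>
</Event>
"@
}

function ConvertFrom-4625Xml {
    # Flattens the <Data Name="..."> pairs of one 4625 event into a single object.
    param([Parameter(Mandatory)][string]$Xml)
    $e = [xml]$Xml
    $d = @{}
    foreach ($item in $e.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time      = [datetime]$e.Event.System.TimeCreated.SystemTime
        Account   = $d['TargetUserName']
        Domain    = $d['TargetDomainName']
        SourceIp  = $d['IpAddress']
        SubStatus = $d['SubStatus']
    }
}

# Well-known NTSTATUS sub-status codes that Windows writes into 4625.
$subStatusText = @{
    '0xC000006A' = 'bad password'
    '0xC0000064' = 'no such user'
    '0xC0000234' = 'account locked out'
}

$failedLogons = @(
    New-Sample4625 -User 'jsmith'  -Domain 'CORP' -Ip '10.0.5.23'   -SubStatus '0xC000006A' -Time '2024-05-01T08:00:00Z'
    New-Sample4625 -User 'jsmith'  -Domain 'CORP' -Ip '10.0.5.23'   -SubStatus '0xC000006A' -Time '2024-05-01T08:00:05Z'
    New-Sample4625 -User 'jsmith'  -Domain 'CORP' -Ip '10.0.5.23'   -SubStatus '0xC000006A' -Time '2024-05-01T08:00:09Z'
    New-Sample4625 -User 'WKS042$' -Domain 'CORP' -Ip '10.0.7.9'    -SubStatus '0xC000006A' -Time '2024-05-01T08:01:00Z'
    New-Sample4625 -User 'admin'   -Domain 'CORP' -Ip '203.0.113.7' -SubStatus '0xC0000064' -Time '2024-05-01T08:02:00Z'
) | ForEach-Object { ConvertFrom-4625Xml -Xml $_ }

$threshold = 3   # assumed: flag a user account that fails this many times in the sample

$failedLogons |
    Where-Object { $_.Account -notmatch '\$$' } |   # machine accounts (COMPUTER$) are excluded
    Group-Object -Property Account |
    ForEach-Object {
        $g = $_.Group
        $t = @($g.Time | Sort-Object)
        [pscustomobject]@{
            Account  = '{0}\{1}' -f $g[0].Domain, $_.Name
            Failures = $_.Count
            Sources  = ($g.SourceIp | Sort-Object -Unique) -join ', '
            Reasons  = ($g.SubStatus | ForEach-Object { $subStatusText[$_] } | Sort-Object -Unique) -join ', '
            Window   = '{0:HH:mm:ss} to {1:HH:mm:ss}' -f $t[0], $t[-1]
            Alert    = $_.Count -ge $threshold
        }
    } | Format-Table -AutoSize
```

With the sample data, jsmith is reported with three bad-password failures from one source and Alert set to True, admin with a single "no such user" failure, and WKS042$ does not appear at all. For a live domain controller, replace the constructed array with `Get-WinEvent -ComputerName dc01.corp.example.com -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddMinutes(-15)} | ForEach-Object { ConvertFrom-4625Xml -Xml $_.ToXml() }`; that query needs the same right to read the Security log that the Collector's service account needs.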

If your domain controllers run in Azure, see the Active Directory and Azure section below.

You can configure this event source in one of two ways: with a Domain Admin account (collection over WMI), or with NXLog.

Before You Begin

To prepare to collect Active Directory event sources:

  • Open ports 135, 139, and 445 between the collector and the AD event source for each domain controller.
  • If you are not configuring this event source with NXLog, make sure you have access to a domain account that is a member of the Domain Admins group. The Collector uses this account to read the Security log on each domain controller over WMI.
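A pre-flight check for these two prerequisites, added here as example code for this page (it is not part of InsightIDR or the Collector): run it on the Collector host in Windows PowerShell 5.1 and enter the account that will be used for the event source when prompted. The domain controller names are placeholders, and the use of Get-WmiObject stands in for the Collector's WMI read of the Security log; it is not the Collector's own code path.

```powershell
# Added example for this page, not Rapid7 code. Run on the Collector host (Windows PowerShell 5.1;
# Get-WmiObject is not available in PowerShell 7). Host names are placeholders.
$DomainControllers = @('dc01.corp.example.com', 'dc02.corp.example.com')
$Ports             = @(135, 139, 445)   # the ports this page requires between Collector and DC
$Credential        = Get-Credential -Message 'Account to be used by the AD event source (DOMAIN\user)'

function Test-AdEventSourcePrereqs {
    param([string]$Dc, [int[]]$Ports, [pscredential]$Credential)

    $result = [ordered]@{ DomainController = $Dc }

    # 1. TCP reachability of each required port. Test-NetConnection only probes the fixed
    #    ports; WMI (DCOM) continues on a dynamically assigned RPC port after the first
    #    call to 135, so step 2 is the check that really proves the path is open.
    foreach ($port in $Ports) {
        $tcp = Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue
        $result["Tcp$port"] = if ($tcp.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    }

    # 2. Read one Security-log event over WMI with the service account. The Security log
    #    requires the "Manage auditing and security log" right, which Domain Admins hold
    #    by default; a plain domain user gets "Access denied" here even with open ports.
    try {
        $evt = Get-WmiObject -ComputerName $Dc -Credential $Credential -Class Win32_NTLogEvent `
                   -Filter "Logfile='Security' AND EventCode=4624" -ErrorAction Stop |
               Select-Object -First 1
        if ($evt) {
            $when = [System.Management.ManagementDateTimeConverter]::ToDateTime($evt.TimeGenerated)
            $result.SecurityLog = "readable (latest 4624 at $when)"
        } else {
            $result.SecurityLog = 'readable, but no 4624 events; check the audit policy'
        }
    } catch {
        $result.SecurityLog = "FAILED: $($_.Exception.Message)"
    }

    [pscustomobject]$result
}

foreach ($dc in $DomainControllers) {
    Test-AdEventSourcePrereqs -Dc $dc -Ports $Ports -Credential $Credential | Format-List
}
```

Run it from the Collector, not from the domain controller itself: Get-WmiObject refuses explicit credentials for a local connection, and a check from the DC would not exercise the firewall path the Collector uses. A BLOCKED port with a working WMI read means only that port is unused by WMI collection; a FAILED WMI read with all ports open is almost always the account's missing right to the Security log.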

Alternatives to Domain Admin Accounts

If you don't want to add your service account to the Domain Admins group, there are two alternatives besides NXLog: the Insight Agent, and a Non-Admin Domain Controller Account.

Configure with a Domain Admin Account

  1. From your dashboard, select Data Collection on the left hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Active Directory icon. The “Add Event Source” panel appears.
  4. Choose your Collector and event source, and optionally give the event source a name.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unfiltered logs.
  7. Select WMI as the collection method.
  8. In the "Server" field, enter the Fully Qualified Domain Name (FQDN) of an Active Directory Domain Controller that the Collector will be able to reach.
  9. In the "User Domain" field, enter the domain that this domain controller serves. A single event source covers one domain, so domain controllers in other domains need their own event sources.
  10. Select an existing domain administrator credential, or optionally create a new credential.
  11. In the "Password" field, enter the password for the domain account.
  12. Select Save.

What Ports Does Active Directory Use?

Collection from Active Directory over WMI uses TCP ports 135 (the RPC endpoint mapper), 139, and 445, as listed under Before You Begin. After the initial call on port 135, WMI (DCOM) continues on a dynamically assigned RPC port, so a firewall between the Collector and the domain controller must also allow that dynamic RPC range. See Ports Used by InsightIDR for more information.

Configure With NXLog

If you don't want to use a Domain Admin account to collect Active Directory log events from your environment, you can instead install NXLog to read the Security log and forward the events to the Collector as syslog. To configure with NXLog:

  1. Download and install NXLog. For instructions on how to do this, see the NXLog page.
  2. From your InsightIDR dashboard, select Data Collection on the left menu.
  3. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  4. From the User Attribution section, click the Active Directory icon. The Add Event Source panel appears.
  5. Choose your collector.
  6. Select Microsoft Active Directory Security Logs as your event source and give it a descriptive name.
  7. Choose the time zone that matches the location of your event source logs.
  8. Click the Listen for Syslog button.
  9. In the Port field, enter the port you want to use for this event source. You cannot use a port that is already used by another event source.
  10. For Protocol, use either UDP or TCP. Although this event source supports both protocols, be aware that NXLog must be configured to send logs using the protocol you select.
  11. Click Save.
  12. Follow the instructions in the Active Directory section of the NXLog page to edit the nxlog.conf file to collect the Security Log and forward it to InsightIDR.

Active Directory and Azure

Authentication Activity with Azure

As on a corporate network, a domain controller handles the authentication events for a domain hosted in Azure.

Self-Managed Domain Controllers

If you manage your own domain controllers in Azure, configure the AD event source with WMI as described in the steps above.

Azure AD Domain Services

If you use Azure AD Domain Services, you do not have access to the security logs on the managed domain controllers, which is where user authentications are recorded. For InsightIDR to ingest these events, they must be retrieved from the individual endpoints rather than from the centralized domain controller.

Install the Insight Agent on all of your Azure assets to retrieve this authentication activity.

Azure Administrator Activity

Self-Managed Domain Controllers

You can track administrator activity by configuring the standard AD event source using WMI.

Azure AD Domain Services

At this time, InsightIDR does not support administrator activity tracking for Azure AD Domain Services. You can get partial coverage by configuring the Microsoft Office 365 event source.

Events Monitored

The following event codes are pulled. Ensure your domain controllers log all of these events. The Subcategory column names the Advanced Audit Policy subcategory that must be enabled (for Success, and for Failure where the event records a failure, as 4625 does) on the domain controllers for the event to be written at all; 1102 is written whenever the log is cleared, regardless of audit policy.

Event Code | Category | Subcategory | Description
1102 | Non Audit (Event Log) | Log Clear | The audit log was cleared.
4624 | Logon/Logoff | Audit Logon | An account was successfully logged on.
4625 | Logon/Logoff | Audit Logon | An account failed to log on.
4648 | Logon/Logoff | Audit Logon | A logon was attempted using explicit credentials.
4704 | Policy Change | Audit Authorization Policy Change | A user right was assigned.
4720 | Account Management | Audit User Account Management | A user account was created.
4722 | Account Management | Audit User Account Management | A user account was enabled.
4724 | Account Management | Audit User Account Management | An attempt was made to reset an account's password.
4725 | Account Management | Audit User Account Management | A user account was disabled.
4728 | Account Management | Audit Security Group Management | A member was added to a security-enabled global group.
4732 | Account Management | Audit Security Group Management | A member was added to a security-enabled local group.
4738 | Account Management | Audit User Account Management | A user account was changed.
4740 | Account Management | Audit User Account Management | A user account was locked out.
4741 | Account Management | Audit Computer Account Management | A computer account was created.
4756 | Account Management | Audit Security Group Management | A member was added to a security-enabled universal group.
4767 | Account Management | Audit User Account Management | A user account was unlocked.
4768 | Account Logon | Audit Kerberos Authentication Service | A Kerberos authentication ticket (TGT) was requested.
4769 | Account Logon | Audit Kerberos Service Ticket Operations | A Kerberos service ticket was requested.
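To confirm that a domain controller will actually write these events, the script below (added as example code for this page, not Rapid7's) reads the effective Advanced Audit Policy with auditpol and compares it with the subcategories the event IDs above depend on. It is meant to run in an elevated prompt on each domain controller, or wrapped in Invoke-Command; the mapping of event IDs to subcategories follows the table, and the English subcategory names are an assumption, since auditpol prints localised names.

```powershell
# Added example for this page, not Rapid7 code. Run from an elevated prompt on each domain
# controller (or wrap the whole script in Invoke-Command -ComputerName <dc>). It compares the
# effective Advanced Audit Policy with the subcategories behind the event IDs in the table.
# auditpol prints localised subcategory names; the English names are assumed here.

# Subcategory as auditpol names it, the table's event IDs that depend on it, and which
# outcome must be audited for those IDs to be written. 1102 is written regardless of policy.
$required = @(
    @{ Subcategory = 'Logon';                              Ids = '4624, 4625, 4648';                         Need = 'Success and Failure' }
    @{ Subcategory = 'Authorization Policy Change';        Ids = '4704';                                     Need = 'Success' }
    @{ Subcategory = 'User Account Management';            Ids = '4720, 4722, 4724, 4725, 4738, 4740, 4767'; Need = 'Success' }
    @{ Subcategory = 'Computer Account Management';        Ids = '4741';                                     Need = 'Success' }
    @{ Subcategory = 'Security Group Management';          Ids = '4728, 4732, 4756';                         Need = 'Success' }
    @{ Subcategory = 'Kerberos Authentication Service';    Ids = '4768';                                     Need = 'Success and Failure' }
    @{ Subcategory = 'Kerberos Service Ticket Operations'; Ids = '4769';                                     Need = 'Success and Failure' }
)

# "auditpol /get /category:* /r" emits CSV with the columns
# Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
$effective = auditpol /get /category:* /r | ConvertFrom-Csv

$report = foreach ($req in $required) {
    $row     = $effective | Where-Object { $_.Subcategory -eq $req.Subcategory } | Select-Object -First 1
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'No Auditing' }
    $ok      = switch ($req.Need) {
        'Success'             { $setting -in 'Success', 'Success and Failure' }
        'Success and Failure' { $setting -eq 'Success and Failure' }
    }
    [pscustomobject]@{
        Subcategory = $req.Subcategory
        EventIds    = $req.Ids
        Required    = $req.Need
        Effective   = $setting
        Status      = if ($ok) { 'OK' } else { 'FIX' }
    }
}

$report | Format-Table -AutoSize

# Print the auditpol command that would enable each missing subcategory on this host. On a
# DC the durable fix is the Default Domain Controllers Policy GPO (Advanced Audit Policy
# Configuration); a local auditpol /set is reverted at the next Group Policy refresh.
$report | Where-Object Status -eq 'FIX' | ForEach-Object {
    $flags = if ($_.Required -eq 'Success') { '/success:enable' } else { '/success:enable /failure:enable' }
    'auditpol /set /subcategory:"{0}" {1}' -f $_.Subcategory, $flags
}
```

auditpol reports the effective per-subcategory setting, which is what matters for event generation. If your domain still sets the legacy category-level audit policy, make sure the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled, otherwise the subcategory values this script checks are not the ones in force.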