AWS Managed Microsoft AD

AWS Managed Microsoft AD is the cloud-based Active Directory service offered by Amazon Web Services. You can configure AWS Managed Microsoft AD to send LDAP data to InsightIDR for user attribution, tracking, and alerting purposes.

Before you begin

Configure AWS Managed Microsoft AD

Task 1: Create AWS Managed Microsoft AD Service

  1. In the AWS console, search for “Directory Service”, select AWS Managed Microsoft AD as your directory type, and click Next.
  2. Provide the fully qualified domain name for the directory and set the password for the directory Admin account.
  3. In Directory Details, make note of the DNS addresses of the directory's domain controllers; InsightIDR polls LDAP data from these addresses. You will need this information when setting up your event source in InsightIDR.

Task 2: Configure DHCP Option Set

Configure a DHCP options set and assign it to the VPC in use, so that instances in that VPC use the directory's domain name and DNS servers and can resolve names in the domain.

  1. Open the Amazon VPC console and in the navigation pane, click Create DHCP Options Set.
  2. Name your DHCP options set, enter the domain name, and under Domain name servers enter the directory DNS addresses you noted in Task 1.
  3. Click Create DHCP options set. Then edit the DHCP options set of your VPC, select the newly created set, and click Save.

Task 3: Deploy an instance to manage users and groups

After you set up a domain service, you can create a new instance to manage Users and Groups in AWS Managed Microsoft AD.

For instructions, see https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_manage_users_groups.html.

Task 4: (Optional) Run a test LDAP query from the new instance

Once you’ve completed the setup, we recommend that you test the connection using a tool approved by your organization. In this section, we’ll walk you through our test case.

For the purposes of our example, we created two EC2 instances: R7AWS-ADMGMT (used for managing AD users and groups) and R7AWS-VM1. Both are joined to the newly created domain, and as an additional step we tested the LDAP connection from R7AWS-VM1.

We tested the connection using ldp.exe (the LDAP client included with the Windows Active Directory Domain Services tools). A successful bind followed by a query that returned the AD user accounts confirmed that the instance could poll the directory's user account information.
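The same connectivity check, written as an added Python example instead of the ldp.exe walkthrough above (this is not Rapid7's or AWS's code): it hand-encodes an LDAPv3 simple bind with only the standard library, sends it to a domain controller, and decodes the BindResponse result code. The host, bind identity and password are placeholders passed on the command line, and the BindResponse bytes in `SAMPLE_RESPONSES` are constructed for offline testing. Because a simple bind sends the password in clear text, the function defaults to LDAPS on port 636, which AWS Managed Microsoft AD serves only after server-side LDAPS has been enabled; use port 389 without TLS only from inside the VPC.

```python
"""LDAPv3 simple-bind connectivity check using only the Python standard library.

Added example for testing an AWS Managed Microsoft AD domain controller from a
domain-joined instance; not part of the InsightIDR or AWS documentation.
"""
import socket
import ssl

# Constructed sample BindResponse messages for offline testing:
# resultCode 0 (success) and resultCode 49 (invalidCredentials, diagnostic "x").
SAMPLE_RESPONSES = {
    "success": bytes.fromhex("300c02010161070a010004000400"),
    "invalid_credentials": bytes.fromhex("300d02010161080a01310400040178"),
}

# Result codes from the LDAP specification that a bind commonly returns.
RESULT_CODES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    49: "invalidCredentials",
    52: "unavailable",
}


def _ber_len(n):
    """BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def build_simple_bind(message_id, bind_name, password):
    """Encode LDAPMessage { messageID, BindRequest { version 3, name, simple } }."""
    bind_request = _tlv(
        0x60,                                   # [APPLICATION 0] BindRequest
        _tlv(0x02, b"\x03")                     # version INTEGER 3
        + _tlv(0x04, bind_name.encode())        # name LDAPDN (AD also accepts a UPN)
        + _tlv(0x80, password.encode()),        # authentication [0] simple
    )
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind_request)


def _read_tlv(buf, pos):
    """Read one BER element; returns (tag, value, position after element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Return (resultCode, diagnosticMessage) from a BindResponse LDAPMessage."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(body, 0)              # messageID
    op_tag, op, _ = _read_tlv(body, pos)
    if op_tag != 0x61:                          # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, rc, pos = _read_tlv(op, 0)               # resultCode ENUMERATED
    _, _, pos = _read_tlv(op, pos)              # matchedDN
    _, diag, _ = _read_tlv(op, pos)             # diagnosticMessage
    return int.from_bytes(rc, "big"), diag.decode(errors="replace")


def check_bind(host, bind_name, password, port=636, use_tls=True, timeout=5):
    """Connect, send a simple bind and return (resultCode, diagnosticMessage).

    bind_name may be a UPN (Admin@corp.example.com) or NETBIOS\\Admin.
    """
    raw = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        # The default context verifies the server certificate, so the LDAPS
        # certificate must chain to a CA this host trusts.
        sock = ssl.create_default_context().wrap_socket(raw, server_hostname=host)
    else:
        sock = raw  # clear-text simple bind: the password crosses the wire unprotected
    with sock:
        sock.sendall(build_simple_bind(1, bind_name, password))
        return parse_bind_response(sock.recv(4096))


if __name__ == "__main__":
    import sys
    # Placeholders: python3 ldap_bind_check.py <dc-host> Admin@r7aws.local '<password>'
    host, user, pw = sys.argv[1:4]
    code, diag = check_bind(host, user, pw)
    print(f"bind result {code} ({RESULT_CODES.get(code, 'other')}): {diag}")
```

A result code of 0 proves that the DNS address, the port and the credentials InsightIDR will be given are all usable; 49 means the bind identity or password is wrong, and a connection failure on 636 with a working 389 means server-side LDAPS has not been enabled on the directory.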

Set up an LDAP event-source in InsightIDR

When you complete this step, be sure to use the credentials provided to you when you created the AWS Managed Microsoft AD Directory Service.

To set up an event source:

  1. From the left menu, select Data Collection. The Data Collection page appears.
  2. Click the Setup Event Source dropdown and choose Add Event Source.
  3. Under User Attribution, select LDAP. The Add Event Source panel appears.
  4. Choose your collector and select Microsoft Active Directory LDAP.
  5. Choose the timezone that matches the location of your event source logs.
  6. In the Server field, enter a DNS address you noted in step 3 of Task 1, Create AWS Managed Microsoft AD Service.
  7. In the Refresh Rate field, enter the refresh rate in hours.
  8. In the User Domain field, enter the AD Domain.
  9. In the Credentials field, enter the username of the directory account InsightIDR should bind with: the Admin account created with the directory, or preferably a dedicated read-only service account.
  10. In the Password field, enter the password to access the LDAP server.
  11. (Optional) In the Base DN field, enter the value for your Base Distinguished Name.
  12. (Optional) Enter the name of the group that has admin privileges.
  13. Click Save.

Verify the configuration

Once you’ve added your event source, you should verify that InsightIDR is successfully pulling LDAP data.

To verify the configuration:

  1. In InsightIDR, navigate to Data Collection and select the Event-Sources tab.
  2. Under Product Type, choose LDAP and click View raw log to confirm that LDAP queries are successfully running.

A successful LDAP poll:

{"physicalDeliveryOfficeName":"Home","whenCreated":"20191205012438.0Z","manager":"CN=bclinton,OU=Users,OU=r7aws,DC=r7aws,DC=local","sAMAccountName":"fflinstone","givenName":"Fred","distinguishedName":"CN=Fred Flinstone,OU=Users,OU=r7aws,DC=r7aws,DC=local","title":"Rock Miner","objectGUID":"MT/MCXDbkkObo7iaJQKmtQ==","sn":"Flintstone","department":"Mining Division","userAccountControl":"66048","userPrincipalName":"fflinstone@r7aws.local","pwdLastSet":"132199826781552103"}

{"physicalDeliveryOfficeName":"Del Rio","whenCreated":"20191205021039.0Z","manager":"CN=bclinton,OU=Users,OU=r7aws,DC=r7aws,DC=local","sAMAccountName":"cwhite","givenName":"Chuck","distinguishedName":"CN=Chuck White,OU=Users,OU=r7aws,DC=r7aws,DC=local","title":"Fuller Brush Salesman","objectGUID":"iCHgbaS6KU2ri9MwpQWItg==","sn":"White","department":"Sales Division","userAccountControl":"66048","userPrincipalName":"cwhite@r7aws.local","pwdLastSet":"132199854395196939"}
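Decoding what a successful poll contains, as an added Python example (not Rapid7's parser): it reads raw-log lines in the JSON-per-line shape shown above, converts pwdLastSet from Windows FILETIME, whenCreated from LDAP GeneralizedTime and objectGUID from base64 to a GUID string, expands the userAccountControl bit mask, and lists accounts whose password never expires. The flag table covers only the common bits, and the input is the page's own two records embedded as constructed sample data.

```python
"""Decode InsightIDR LDAP raw-log records from an AWS Managed Microsoft AD poll.

Added example; not Rapid7's code. Works on the JSON-per-line output shown
under "View raw log".
"""
import base64
import json
import uuid
from datetime import datetime, timedelta, timezone

# The two records from the raw log above, embedded as sample input.
RAW_LOG = '''
{"physicalDeliveryOfficeName":"Home","whenCreated":"20191205012438.0Z","manager":"CN=bclinton,OU=Users,OU=r7aws,DC=r7aws,DC=local","sAMAccountName":"fflinstone","givenName":"Fred","distinguishedName":"CN=Fred Flinstone,OU=Users,OU=r7aws,DC=r7aws,DC=local","title":"Rock Miner","objectGUID":"MT/MCXDbkkObo7iaJQKmtQ==","sn":"Flintstone","department":"Mining Division","userAccountControl":"66048","userPrincipalName":"fflinstone@r7aws.local","pwdLastSet":"132199826781552103"}
{"physicalDeliveryOfficeName":"Del Rio","whenCreated":"20191205021039.0Z","manager":"CN=bclinton,OU=Users,OU=r7aws,DC=r7aws,DC=local","sAMAccountName":"cwhite","givenName":"Chuck","distinguishedName":"CN=Chuck White,OU=Users,OU=r7aws,DC=r7aws,DC=local","title":"Fuller Brush Salesman","objectGUID":"iCHgbaS6KU2ri9MwpQWItg==","sn":"White","department":"Sales Division","userAccountControl":"66048","userPrincipalName":"cwhite@r7aws.local","pwdLastSet":"132199854395196939"}
'''

# Common userAccountControl bits, with the values defined for the AD attribute.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
    A value of 0 means the password must be changed at next logon."""
    ticks = int(value)
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def generalized_time_to_datetime(value):
    """whenCreated uses LDAP GeneralizedTime, e.g. 20191205012438.0Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)


def object_guid_to_str(b64):
    """objectGUID arrives base64-encoded in AD's little-endian GUID layout."""
    return str(uuid.UUID(bytes_le=base64.b64decode(b64)))


def uac_flags(value):
    """Expand the userAccountControl integer into the flag names that are set."""
    bits = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if bits & bit]


def parse_raw_log(text):
    """Parse one JSON record per line into decoded dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip().strip("'")  # the UI wraps the output in quotes
        if not line:
            continue
        entry = json.loads(line)
        records.append({
            "sam": entry["sAMAccountName"],
            "upn": entry["userPrincipalName"],
            "dn": entry["distinguishedName"],
            "guid": object_guid_to_str(entry["objectGUID"]),
            "created": generalized_time_to_datetime(entry["whenCreated"]),
            "pwd_last_set": filetime_to_datetime(entry["pwdLastSet"]),
            "flags": uac_flags(entry["userAccountControl"]),
        })
    return records


def accounts_with_nonexpiring_passwords(records):
    """Accounts flagged DONT_EXPIRE_PASSWORD sit outside the domain password
    policy and are worth a review."""
    return [r["sam"] for r in records if "DONT_EXPIRE_PASSWORD" in r["flags"]]


if __name__ == "__main__":
    recs = parse_raw_log(RAW_LOG)
    for r in recs:
        print(r["sam"], r["guid"], r["created"].isoformat(), r["pwd_last_set"], r["flags"])
    print("non-expiring passwords:", accounts_with_nonexpiring_passwords(recs))
```

For both sample records the decoded pwdLastSet matches whenCreated to the second, which is a quick sanity check that the FILETIME conversion is right; 66048 decodes to NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD, which is why both accounts are reported.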