Setting Up a Service Account
You need a service account to collect log data for InsightIDR. However, the account you use must meet specific requirements to work with InsightIDR.
You can designate an existing user account, or create a service account, that meets all of the following requirements:
- Active Directory Permissions
- LDAP Permissions
- Microsoft DNS Permissions
- Microsoft DHCP Permissions
- Create a File Share
- Endpoint Monitor
Active Directory Permissions
The Active Directory event source collects the domain controller security log to properly attribute all of your organizations’s events to the users involved. To set up the Active Directory event source, we strongly recommend you use a service account that is member of the Domain Admins group.
Alternatives to Domain Admin Accounts
- Non-Admin Domain Controller Account
- NXLog
- Insight Agent (Not advised, learn why)
Domain Admin Accounts
InsightIDR is designed to automate many of the day-to-day security monitoring tasks that are often taken for granted. In order to collect the data about authentication and administrative activity from your network, the solution needs your permission to gather these events.
Having a domain admin account is the best option because it saves you from completing a complex re-configuration of production domain controllers to allow remote Distributed Component Object Model (DCOM) and Windows Management Instrumentation (WMI) permissions.
Why Do I Need a Domain Admin Account?
Watching the Watchers: InsightIDR audits access to administrator accounts, flags anomalous administrator events, and notifies you to new (or re-enabled) accounts.
Endpoint Monitoring: InsightIDR collects endpoint logs from systems throughout the network, providing visibility into local administrators along with notifying you to indicators of compromise at the endpoint. See the Endpoint Monitor for more information.
Service Account Auditing: InsightIDR also tracks service accounts (including its own), tracing activity to ensure it is consistent. If a service account is used irregularly (such as from a new source server), InsightIDR will notify you to the anomalous and potentially malicious activity.
See Non-Expiring and Service Accounts for information on how InsightIDR recognizes Service Accounts, or see Set Up a Service Account for permission information.
Credential Security: All credentials you create in the InsightIDR interface are sent straight to your own Collector(s), where the credentials are salted, hashed, and stored. Your credentials are never saved in the Insight cloud. InsightIDR is designed to catch compromised credentials.
Use a Domain Admin account!
Using a Domain Admin account drastically increases your visibility into network activity.
Non-Admin Domain Controller Account
If you have restrictions in your environment that do not allow you to use a Domain Admin account, we recommend you create a Non-Admin domain controller account. The steps required to use this method require more manual effort than using a Domain Admin account.
NXLog
You can install Nxlog on all your domain controllers and then configure it to collect the domain controller security logs. This is a third party tool that needs to be downloaded and installed on all your domain controllers.
Learn how to use NXLog to collect security log events.
Insight Agent
You can also install the Insight Agent on each domain controller instead of creating a domain account in the Domain Admins group. If you choose to use the Insight Agent method, note that collection of log data is limited.
Installing the Insight Agent on domain controllers could lead to data ingestion failure
- When a Domain Controller becomes extremely busy (that is, generating events at a rate greater than 100 events per second), the Insight Agent might fail to collect every event. This data powers some of InsightIDR’s built-in detection rules, therefore some potentially malicious user activity could be missed.
- Only the events listed in the Insight Agent documentation are processed. You will not be able to get additional logs from the Domain Controller using the Insight Agent.
If you choose this method, you should also review the documentation to configure the Insight Agent to Send Additional Logs.
Collect domain controller events
By default, the Insight Agent collects audit log events. To collect user logins, login failures, and password changes for all endpoints managed by domain controllers that the Insight Agent is installed on, you need to enable domain controller events in InsightIDR.
- Go to the InsightIDR left menu, and click Settings.
- Select Insight Agent and click the Domain Controller Events tab.
- Switch the toggle ON.
Verify that logs are making it to the collector
- From the left menu, click Log Search to view your raw logs. Search and filter on the logsets for all Endpoint Agent Logs that are located under Active Directory Admin Activity, Asset Authentication and Host to IP Observations.
- Run the query
where(source_json.isDomainController=true)groupby(source_json.computerName)
to filter only on Domain Controllers and return a grouping by Domain Controller. - Verify that you can see parsed events for Domain Controllers coming through.
LDAP Permissions
The collection of the LDAP event sources requires a domain account with read permissions to all users and groups in the domain.
Microsoft DNS Permissions
The Microsoft DNS event source requires that you use a service account that is a domain account with read permissions to the DNS audit trail written to the share of each DNS server.
When you configure logging in the DNS Management tool, you must specify where you want the log to go. Then you must manually create a folder for the log and place it there. You can name the log file anything you want during its configuration. To grant read permissions, create a file share and grant the service account access to the file share and the NTFS file system.
See DNS for more information.
Microsoft DHCP Permissions
The Microsoft DHCP event source requires that you use a service account with read permissions to collect log files, located by default here: C:\Windows\system32\dhcp
.
To grant read permissions, create a file share and grant the service account access to the file share and the NTFS file system.
If you choose to collect DHCP logs from the default path, you must use the Pattern Match field and use DhcpSrvLog*.log
as the pattern match. However, you can move the DHCP logs to a different location if it is more convenient. See Microsoft DHCP for more information.
Create a File Share
You can enable file sharing on Windows machines to share folders and disk volumes. The following are the three ways to enable a file share:
Create a File Share with Windows File Explorer
To enable file share using Windows File Explorer:
- Find the folder you want to share and right click it.
- Select Properties from the menu.
- Click the Advanced Sharing button.
- Select the “Share This Folder” box.
- Click the Permissions button.
- Select the users or groups who will have access to this folder. By default, the “Everyone” group has read access.
- After you select all users and groups that need access to the shared folder, select the Full Control option under the “Allow” column.
- Click OK.
Create a File Share with PowerShell
PowerShell is a command line shell for tasks and scripting languages.
To grant file share permissions with PowerShell:
- Open PowerShell as an Administrator.
- Run the command
New-SmbShare -Name scripts -Path 'E:scripts' -FullAccess Everyone
to grant all users access to the shared folder(s).
Create a File Share with Server Manager
If you have the File Server role installed, you can use PowerShell or a similar tool to apply the proper permissions on the Server Manager.
To grant file share permissions in Server Manager:
- In PowerShell, run
Get-WindowsFeature -Name FS-FileServer
to confirm that Windows has the file server role. If it does not, install it with the commandInstall-WindowsFeature -Name FS-FileServer -IncludeAllSubFeature -IncludeManagementTools
. - Open Server Manager.
- Select Files and Storage Services > Shares.
- On the right hand side, click the Shares dropdown and select New Share.
- When the New Share Wizard appears, choose a file share profile.
- Complete the File Share Wizard to create the file share.
Endpoint Scan
See Endpoint Scan for more information.