Setting Up a Service Account
You need a service account to collect log data for InsightIDR. However, the account you use must meet specific requirements to work with InsightIDR.
You can designate an existing user account or create a service account that meets all of the following requirements:
- Active Directory Permissions
- LDAP Permissions
- Microsoft DNS Permissions
- Microsoft DHCP Account Permissions
- Endpoint Monitor
Active Directory Permissions
The Active Directory event source collects the domain controller security log, so your service account must be a domain account that is a member of the Domain Admins group.
Alternatives to Domain Admin Accounts
If you do not want to add the service account to the Domain Admins group, there are three options you can employ:
- Insight Agent
- NXLog
- Non-Admin Domain Controller Account
You can install the Insight Agent on each domain controller, which is the preferred alternative to providing a Domain Admin account. If you decide to install the Insight Agent on your domain controllers, you do not need to create a domain account in the Domain Admins group.
The collection with this method is limited, as you won't be able to get additional logs from the Domain Controller using the Insight Agent. Only the events listed in the Insight Agent documentation are processed.
If you choose this method, you should also review the documentation to configure the Insight Agent to Send Additional Logs.
Collect domain controller events
By default, the Insight Agent collects audit log events. To collect user logins, login failures, and password changes for all endpoints managed by domain controllers that the Insight Agent is installed on, you need to enable domain controller events in InsightIDR.
- Go to the InsightIDR left menu, and click Settings.
- Select Insight Agent and click the Domain Controller Events tab.
- Switch the toggle ON.
Verify that logs are making it to the collector
- From the left menu, click Log Search to view your raw logs. Search and filter on the logsets for all Endpoint Agent Logs that are located under Active Directory Admin Activity, Asset Authentication and Host to IP Observations.
- Run the query where(source_json.isDomainController=true) groupby(source_json.computerName) to filter only on Domain Controllers and return a grouping by Domain Controller.
- Verify that you can see parsed events for Domain Controllers coming through.
If you do not want to use the Insight Agent, using NXLog is the next preferred alternative. Learn how to use NXLog to collect security log events.
Non-Admin Domain Controller Account
Lastly, you can create a Non-Admin domain controller account. Note that Rapid7 does not support this method.
LDAP Permissions
The collection of the LDAP event sources requires a domain account with read permissions to all users and groups in the domain.
Microsoft DNS Permissions
The Microsoft DNS event source requires that you use a service account that is a domain account with read permissions to the DNS audit trail written to the share of each DNS server.
When you configure logging in the DNS Management tool, you must specify where you want the log to go. Then you must manually create a folder for the log and place it there. You can name the log file anything you want during its configuration. To grant read permissions, create a file share and grant the service account access to the file share and the NTFS file system.
See DNS for more information.
Microsoft DHCP Permissions
The Microsoft DHCP event source requires that you use a service account with read permissions to collect log files, located by default here:
To grant read permissions, create a file share and grant the service account access to the file share and the NTFS file system.
If you choose to collect DHCP logs from the default path, you must enter DhcpSrvLog*.log in the Pattern Match field. However, you can move the DHCP logs to a different location if that is more convenient. See Microsoft DHCP for more information.
Create a File Share
You can enable file sharing on Windows machines to share folders and disk volumes. The following are the three ways to enable a file share:
Create a File Share with Windows File Explorer
To enable a file share using Windows File Explorer:
- Find the folder you want to share and right click it.
- Select Properties from the menu.
- Click the Advanced Sharing button.
- Select the “Share This Folder” box.
- Click the Permissions button.
- Select the users or groups who will have access to this folder. By default, the “Everyone” group has read access.
- After you select all users and groups that need access to the shared folder, select the Full Control option under the “Allow” column.
- Click OK.
Create a File Share with PowerShell
PowerShell is a command-line shell and scripting language for administrative tasks.
To grant file share permissions with PowerShell:
- Open PowerShell as an Administrator.
- Run the command New-SmbShare -Name scripts -Path 'E:\scripts' -FullAccess Everyone to grant all users full access to the shared folder.
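As an added example that is not part of the Rapid7 documentation, the following PowerShell publishes a DHCP log folder as a read-only share for the collection account rather than granting Everyone full access, then checks the resulting share ACL and the log files that the DhcpSrvLog*.log pattern will match. The folder path, share name and service account name are assumptions.

```powershell
# Added example (not from the InsightIDR docs). Assumed values: the DHCP logs have
# been moved to D:\DhcpLogs, the share is called DhcpLogs, and the InsightIDR
# collection account is CORP\svc-insightidr.
$LogPath        = 'D:\DhcpLogs'
$ShareName      = 'DhcpLogs'
$ServiceAccount = 'CORP\svc-insightidr'

# 1. NTFS: give the service account read/execute on the folder and everything in it.
$acl  = Get-Acl -Path $LogPath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $ServiceAccount,
    'ReadAndExecute',
    'ContainerInherit,ObjectInherit',   # apply to subfolders and files
    'None',
    'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $LogPath -AclObject $acl

# 2. SMB: create the share with read access for the service account only.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $LogPath -ReadAccess $ServiceAccount
}

# 3. Verify: Everyone should not appear in the share ACL, and the files the
#    event source will read should match the Pattern Match value from the docs.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
Get-ChildItem -Path $LogPath -Filter 'DhcpSrvLog*.log' |
    Select-Object Name, Length, LastWriteTime
```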
Create a File Share with Server Manager
If the File Server role is installed, you can also create the share and set its permissions from Server Manager.
To grant file share permissions in Server Manager:
- In PowerShell, run Get-WindowsFeature -Name FS-FileServer to confirm that the File Server role is installed. If it is not, install it with Install-WindowsFeature -Name FS-FileServer -IncludeAllSubFeature -IncludeManagementTools.
- Open Server Manager.
- Select File and Storage Services > Shares.
- On the right hand side, click the Shares dropdown and select New Share.
- When the New Share Wizard appears, choose a file share profile.
- Complete the New Share Wizard to create the file share.
See Endpoint Monitor for more information.