Active Directory

Active Directory Security Logs are critical for InsightOps' attribution engine and security incident alerting capabilities. These logs allow InsightOps to record user logins, track admin activity, and alert on suspicious or malicious user activity. The InsightOps Collector can pull logs from domain controllers using WMI; this is the recommended collection method, as InsightOps will automatically collect the events of interest (the full list of events collected is at the bottom of this page).

Initial Setup Steps

  1. Click Data Collection from the InsightOps menu.
  2. Click Setup Event Source > Add Event Source from the Data Collection page.
  3. Click Active Directory from the Add Event Source page.
  4. Select the appropriate Collector from the **Collector** dropdown menu.
  5. Select **Microsoft Active Directory Security Logs** from the Event Source dropdown menu.
  6. Select the timezone the domain controller is set to (check the box if you want to display only U.S. time zones).
  7. Select the WMI Collection Method.
  8. Enter the IP address or fully qualified hostname of a domain controller in the **Server** field.
  9. Enter the AD domain in the **User Domain** field.
  10. Select (or create a new) domain admin credential for collecting the events from the DC.
  11. Click Save.

Detailed Setup Steps

  1. From the Data Collection page in the InsightOps web GUI, click Setup Event Source > Add Event Source.
  2. From the Add Event Source page, select Active Directory.
  3. In the event source setup pane, select Microsoft Active Directory Security Logs from the Event Source dropdown menu.
  4. Enter a display name. This is a logical name for this event source that will be shown in Log Search and on the manage event sources pages. We recommend using a combination of the event source type and host for display names (e.g., AD - ADDC1.example.com).
  5. There are three collection methods for Active Directory: WMI, Syslog, and Log Aggregator. WMI is recommended.

WMI Collection Method

The most common way to collect Active Directory logs is to pull the events from domain controllers via WMI using a domain administrator service account. Domain admin rights are necessary due to the nature of the events being monitored; see below for the list of event codes that InsightOps collects and attributes.

Setup Instructions

  1. Collection Method - Select WMI.
  2. Server - Enter the Fully Qualified Domain Name (FQDN) of an Active Directory Domain Controller that the Collector will be able to reach.
  3. User Domain - Enter the user domain this domain controller administers. If there are multiple domains, you will need to set up one event source per domain.
  4. Credential - Either select an existing domain administrator credential if you have already configured one, or create a new credential.

Events Monitored

The following event codes are pulled. Ensure your domain controllers log all of these events:

| Event Code | Category | Subcategory | Description |
|---|---|---|---|
| 1102 | Non Audit (Event Log) | Log Clear | The audit log was cleared |
| 4768 | Account Logon | Audit Kerberos Authentication Service | A Kerberos authentication ticket (TGT) was requested |
| 4769 | Account Logon | Audit Kerberos Authentication Service | A Kerberos service ticket was requested |
| 4728 | Account Management | Audit Application Group Management | A member was added to a security-enabled global group |
| 4732 | Account Management | Audit Security Group Management | A member was added to a security-enabled local group |
| 4756 | Account Management | Audit Security Group Management | A member was added to a security-enabled universal group |
| 4720 | Account Management | Audit User Account Management | A user account was created |
| 4722 | Account Management | Audit User Account Management | A user account was enabled |
| 4724 | Account Management | Audit User Account Management | An attempt was made to reset an account's password |
| 4725 | Account Management | Audit User Account Management | A user account was disabled |
| 4740 | Account Management | Audit User Account Management | A user account was locked out |
| 4767 | Account Management | Audit User Account Management | A user account was unlocked |
| 4741 | Account Management | Audit Computer Account Management | A computer account was created |
| 4624 | Logon/Logoff | Audit Logon | An attempt was made to reset an account's password |
| 4625 | Logon/Logoff | Audit Logon | An account failed to log on |
| 4628 | Logon/Logoff | Audit Logon | A logon was attempted using explicit credentials |
| 4704 | Policy Change | Audit Authorization Policy Change | A user right was assigned |
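Before saving the event source, it is worth confirming from the Collector host that the domain controller answers WMI queries for the chosen service account and is actually writing the event IDs in the table above. The following PowerShell check is an added example, not InsightOps code or part of the original page; the domain controller name, the 24-hour lookback and the credential prompt are assumptions.

```powershell
# Added example (not from the InsightOps docs): query a DC over WMI/DCOM, the same
# transport the Collector uses, and count the monitored event IDs seen recently.
param(
    [string]$DomainController = "ADDC1.example.com",   # assumed; the FQDN you enter in the Server field
    [int]$LookbackHours = 24                             # assumed window
)

# Event IDs from the "Events Monitored" table on this page.
$MonitoredIds = 1102, 4768, 4769, 4728, 4732, 4756, 4720, 4722, 4724,
                4725, 4740, 4767, 4741, 4624, 4625, 4628, 4704

# Use the domain admin service account the event source will use, so that any
# failure here reproduces what the Collector would see.
$cred    = Get-Credential -Message "Domain admin account used by the Collector"
$opt     = New-CimSessionOption -Protocol Dcom
$session = New-CimSession -ComputerName $DomainController -Credential $cred -SessionOption $opt

# Win32_NTLogEvent stores timestamps as DMTF strings; convert the cut-off once.
$since  = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddHours(-$LookbackHours))
$idTest = ($MonitoredIds | ForEach-Object { "EventCode=$_" }) -join " OR "
$filter = "Logfile='Security' AND TimeGenerated>='$since' AND ($idTest)"

# Reading the Security log remotely requires the security privilege; a domain
# admin has it. Large Security logs can make this query take a while.
$events = Get-CimInstance -CimSession $session -ClassName Win32_NTLogEvent -Filter $filter
Remove-CimSession $session

# Count hits per ID. Zero hits for a high-volume ID such as 4624 or 4768 usually
# means the corresponding audit subcategory is not enabled on the DC.
$seen = $events | Group-Object -Property EventCode -NoElement
"{0,6}  {1,8}" -f "ID", "Count"
foreach ($id in $MonitoredIds) {
    $hit  = $seen | Where-Object { [int]$_.Name -eq $id }
    $n    = if ($hit) { $hit.Count } else { 0 }
    $flag = if ($n -eq 0) { "   <-- no events in window; check audit policy" } else { "" }
    "{0,6}  {1,8}{2}" -f $id, $n, $flag
}
```

If an ID shows no events, run `auditpol /get /category:*` on the domain controller to confirm that the subcategory listed in the table for that ID is set to audit Success (and, for logon events, Failure).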