Active Directory

Active Directory Security Logs are critical for InsightOps' attribution engine and security incident alerting capabilities. These logs allow InsightOps to record user logins, track admin activity, and alert on suspicious/malicious user activity. InsightOps' Collector software has the ability to pull logs from domain controllers using WMI - this is the recommended collection method, as InsightOps will automatically collect events of interest (full list of events collected at the bottom of this page).

1. Click Data Collection from the InsightOps menu.
2. Click Setup Event Source > Add Event Source from the Data Collection page.
3. Click Active Directory from the Add Event Source page.
4. Select the appropriate Collector from the **Collector **dropdown menu.
5. Select **Microsoft Active Directory Security Logs **from the Event Source dropdown menu.
6. Select the timezone the domain controller is set to (check the box if you want to display only U.S. time zones).
7. Select the WMI Collection Method.
8. Enter the IP address or fully qualified hostname of a domain controller in the **Server **field.
9. Enter the AD Domain in the **User Domain **field.
10. Select (or Create New) domain admin credential for collecting the events from the DC.
11. Save.

1. From the Data Collection page in the InsightOps web GUI, click Setup Event Source --> Add Event Source.

2. From the Add Event Source page, select Active Directory.
3. In the event source setup pane, select Microsoft Active Directory Security Logs from the Event Source dropdown menu.
4. Enter a display name - this is a logical name for this event source that will be seen in Log Search and manage event sources pages. We recommend using a combination of the event source type and host for display names (eg, AD - ADDC1.example.com).
5. There are three collection methods for Active Directory: WMI, Syslog, and Log Aggregator. WMI is recommended.

WMI Collection Method

The most common way to collect Active Directory logs is to pull the events from domain controllers via WMI using a domain administrator service account. Domain admin rights are necessary due to the nature of the events being monitored - see below for a list of event codes that InsightOps collects and attributes.

Setup Instructions

1. Collection Method - Select WMI
2. Server - Enter the Fully Qualified Domain Name (FQDN) of an Active Directory Domain Controller that the Collector will be able to reach.
3. User Domain - Enter the user domain this domain controller administers. If there are multiple domains, then you will need to set up one event source per domain.
4. Credential - Either select an existing domain administrator credential if you have already configured one, or create a new credential.

The following event codes are pulled. Ensure your domain controllers log all of these events: