Active Directory
Active Directory Security Logs are critical for InsightOps' attribution engine and security incident alerting capabilities. These logs allow InsightOps to record user logins, track admin activity, and alert on suspicious/malicious user activity. InsightOps' Collector software has the ability to pull logs from domain controllers using WMI - this is the recommended collection method, as InsightOps will automatically collect events of interest (full list of events collected at the bottom of this page).
Initial Setup Steps
- Click Data Collection from the InsightOps menu.
- Click Setup Event Source > Add Event Source from the Data Collection page.
- Click Active Directory from the Add Event Source page.
- Select the appropriate Collector from the **Collector** dropdown menu.
- Select **Microsoft Active Directory Security Logs** from the Event Source dropdown menu.
- Select the timezone the domain controller is set to (check the box if you want to display only U.S. time zones).
- Select the WMI Collection Method.
- Enter the IP address or fully qualified hostname of a domain controller in the **Server** field.
- Enter the AD domain in the **User Domain** field.
- Select an existing domain admin credential (or create a new one) for collecting the events from the DC.
- Save.
Detailed Setup Steps
- From the Data Collection page in the InsightOps web GUI, click Setup Event Source > Add Event Source.
- From the Add Event Source page, select Active Directory.
- In the event source setup pane, select Microsoft Active Directory Security Logs from the Event Source dropdown menu.
- Enter a display name - this is a logical name for this event source that will be shown on the Log Search and Manage Event Sources pages. We recommend combining the event source type and the host for display names (e.g., AD - ADDC1.example.com).
- There are three collection methods for Active Directory: WMI, Syslog, and Log Aggregator. WMI is recommended.
WMI Collection Method
The most common way to collect Active Directory logs is to pull the events from domain controllers via WMI using a domain administrator service account. Domain admin rights are necessary due to the nature of the events being monitored - see below for a list of event codes that InsightOps collects and attributes.
Setup Instructions
- Collection Method - Select WMI
- Server - Enter the Fully Qualified Domain Name (FQDN) of an Active Directory Domain Controller that the Collector will be able to reach.
- User Domain - Enter the user domain this domain controller administers. If there are multiple domains, then you will need to set up one event source per domain.
- Credential - Either select an existing domain administrator credential if you have already configured one, or create a new credential.
Events Monitored
The following event codes are pulled. Ensure your domain controllers log all of these events:
Event Code | Category | Subcategory | Description |
---|---|---|---|
1102 | Non Audit (Event Log) | Log Clear | The audit log was cleared |
4768 | Account Logon | Audit Kerberos Authentication Service | A Kerberos authentication ticket (TGT) was requested |
4769 | Account Logon | Audit Kerberos Authentication Service | A Kerberos service ticket was requested |
4728 | Account Management | Audit Application Group Management | A member was added to a security-enabled global group |
4732 | Account Management | Audit Security Group Management | A member was added to a security-enabled local group |
4756 | Account Management | Audit Security Group Management | A member was added to a security-enabled universal group |
4720 | Account Management | Audit User Account Management | A user account was created |
4722 | Account Management | Audit User Account Management | A user account was enabled |
4724 | Account Management | Audit User Account Management | An attempt was made to reset an account's password |
4725 | Account Management | Audit User Account Management | A user account was disabled |
4740 | Account Management | Audit User Account Management | A user account was locked out |
4767 | Account Management | Audit User Account Management | A user account was unlocked |
4741 | Account Management | Audit Computer Account Management | A computer account was created |
4624 | Logon/Logoff | Audit Logon | An attempt was made to reset an account's password. |
4625 | Logon/Logoff | Audit Logon | An account failed to log on |
4628 | Logon/Logoff | Audit Logon | A logon was attempted using explicit credentials |
4704 | Policy Change | Audit Authorization Policy Change | A user right was assigned |
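To check that a domain controller is actually writing the events in the table above before pointing the Collector at it, the following PowerShell script queries the Security log over WMI/CIM (the same transport as the WMI collection method) and reports which of the listed event IDs have not appeared within a lookback window. This is an added example, not Rapid7's or InsightOps' own code; the `$DomainController`, `$Credential` and `$LookbackDays` parameters are assumptions for illustration.

```powershell
# Added example (not part of the InsightOps product or documentation).
# Assumes a reachable domain controller and a domain admin credential, as the WMI
# collection method on this page requires.
param(
    [Parameter(Mandatory)][string]$DomainController,
    [Parameter(Mandatory)][pscredential]$Credential,
    [int]$LookbackDays = 7
)

# Event IDs taken from the "Events Monitored" table on this page.
$ExpectedIds = 1102, 4768, 4769, 4728, 4732, 4756, 4720, 4722, 4724, 4725,
               4740, 4767, 4741, 4624, 4625, 4628, 4704

# Win32_NTLogEvent.TimeGenerated is a DMTF datetime string, so the cutoff must be converted.
$since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddDays(-$LookbackDays))
$idClause = ($ExpectedIds | ForEach-Object { "EventCode=$_" }) -join ' OR '
$wql = "SELECT EventCode FROM Win32_NTLogEvent WHERE Logfile='Security' " +
       "AND TimeGenerated>='$since' AND ($idClause)"

# DCOM is the classic WMI transport; WSMan would also work if WinRM is enabled on the DC.
$opt = New-CimSessionOption -Protocol Dcom
$session = New-CimSession -ComputerName $DomainController -Credential $Credential -SessionOption $opt
try {
    $seen = Get-CimInstance -CimSession $session -Query $wql |
            Group-Object -Property EventCode -NoElement
} finally {
    Remove-CimSession $session
}

# Count occurrences per event ID and flag IDs that never appeared in the window.
$counts = @{}
foreach ($g in $seen) { $counts[[int]$g.Name] = $g.Count }

foreach ($id in $ExpectedIds) {
    $n = if ($counts.ContainsKey($id)) { $counts[$id] } else { 0 }
    [pscustomobject]@{
        EventId = $id
        Count   = $n
        Status  = if ($n -gt 0) { 'OK' } else { 'NOT SEEN - verify audit policy' }
    }
}
```

An ID reported as NOT SEEN may simply not have occurred during the window (for example 1102 or 4704 on a quiet DC), so treat the result as a prompt to confirm the corresponding audit subcategory is enabled rather than as proof it is missing.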