InsightIDR

Active Directory

Active Directory Security Logs are critical for InsightIDR's attribution engine and security incident alerting capabilities. These logs allow InsightIDR to track failed logons for non-machine accounts, such as JSmith.

Active Directory provides authentication and administrative events for your domain users. The Insight Platform can collect significant events from the security log on domain controllers. You should add in one Active Directory (AD) event source for each domain controller in your organization.

InsightIDR's Collector software has the ability to pull logs from domain controllers using WMI - this is the recommended collection method, as InsightIDR will automatically collect events of interest (full list of events collected at the bottom of this page).

If you are using Azure in your environment, see the Active Directory and Azure section below for more information.

Before You Begin

To prepare to collect Active Directory event sources, you need to:

  • Open ports 135, 139, and 445 between the Collector and the AD event source for each domain controller.
  • Have access to a domain account that is a member of the Domain Admins group.

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Active Directory icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unfiltered logs.
  7. Select WMI as the collection method.
  8. In the "Server" field, enter the Fully Qualified Domain Name (FQDN) of an Active Directory Domain Controller that the Collector will be able to reach.
  9. In the "User Domain" field, enter the user domain this domain controller administers. If there are multiple domains, then you will need to set up one event source per domain.
  10. Select an existing domain administrator credential, or optionally create a new credential.
  11. In the "Password" field, enter the password for that Active Directory account.
  12. Select Save.
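Before saving the event source, it is worth confirming from the Collector host that the prerequisites above actually hold: the listed ports are reachable and the chosen Domain Admins credential can read the Security log over WMI. The following script is an added example, not Rapid7's code; it assumes you supply your own domain controller FQDN and credential, and runs in Windows PowerShell with the NetTCPIP and CimCmdlets modules available.

```powershell
# Added example (not Rapid7's code). Run on the Collector host, in Windows
# PowerShell, before adding the event source. Assumed inputs: the DC's FQDN
# and a credential for a Domain Admins member (both placeholders here).
param(
    [Parameter(Mandatory)] [string] $DcFqdn,            # e.g. dc01.corp.example (placeholder)
    [Parameter(Mandatory)] [pscredential] $Credential   # member of Domain Admins
)

# 1. The ports the page requires between the Collector and the domain controller.
$ports = foreach ($port in 135, 139, 445) {
    $t = Test-NetConnection -ComputerName $DcFqdn -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $port; Open = $t.TcpTestSucceeded }
}
$ports | Format-Table -AutoSize
if ($ports | Where-Object { -not $_.Open }) {
    throw "Required port(s) blocked between this host and $DcFqdn; fix the firewall path first."
}

# 2. A WMI read of the Security log over DCOM, the same path the Collector uses.
#    The WQL filter asks only for the event IDs listed under Events Monitored,
#    written in the last 10 minutes, so the result set stays small.
$ids = 1102, 4624, 4625, 4648, 4704, 4720, 4722, 4724, 4725, 4728,
       4732, 4738, 4740, 4741, 4756, 4767, 4768, 4769
$since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddMinutes(-10))
$idFilter = ($ids | ForEach-Object { "EventCode=$_" }) -join ' OR '
$query = "SELECT EventCode, TimeGenerated FROM Win32_NTLogEvent " +
         "WHERE Logfile='Security' AND TimeGenerated>='$since' AND ($idFilter)"

$session = $null
try {
    $session = New-CimSession -ComputerName $DcFqdn -Credential $Credential `
        -SessionOption (New-CimSessionOption -Protocol Dcom) -ErrorAction Stop
    $events = @(Get-CimInstance -CimSession $session -Query $query -ErrorAction Stop)
    Write-Host ("WMI access OK: {0} matching Security events on {1} in the last 10 minutes." -f $events.Count, $DcFqdn)
    $events | Group-Object EventCode | Sort-Object Name | Format-Table Name, Count -AutoSize
} catch {
    throw "WMI read failed (check DCOM permissions and the Domain Admins membership): $_"
} finally {
    if ($session) { Remove-CimSession $session }
}
```

A port check that passes but a WMI read that fails usually points at DCOM permissions or the credential rather than the network path.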

What Ports Does Active Directory Use?

Active Directory uses ports 134 and 445. See Ports Used by InsightIDR for more information.

Active Directory and Azure

Authentication Activity with Azure

As in corporate networks, the domain controller orchestrates authentication events for the Azure cloud domain.

Self Managed Domain Controllers

If you manage your own domain controller in Azure, configure the AD event source with WMI as described in the steps above.

Azure AD Domain Services
If you are using Azure AD domain services, you will not have access to the security logs that record user authentications. In order for InsightIDR to ingest these events, they must be retrieved from individual endpoints rather than the centralized domain controller.

Install the Insight Agent on all of your Azure assets in order to retrieve all of the authentication activity.

Azure Administrator Activity

Self Managed Domain Controllers

You can track administrator activity by configuring the standard AD event source using WMI.

Azure AD Domain Services
At this time, InsightIDR does not support administrator activity tracking for Azure AD Domain Services. However, you can achieve partial coverage by configuring the Microsoft Office 365 event source.

Events Monitored

The following event codes are pulled. Ensure your domain controllers log all of these events:

Event Code | Category              | Subcategory                         | Description
-----------|-----------------------|-------------------------------------|----------------------------------------------------------
1102       | Non Audit (Event Log) | Log Clear                           | The audit log was cleared.
4624       | Logon/Logoff          | Audit Logon                         | An account was successfully logged on.
4625       | Logon/Logoff          | Audit Logon                         | An account failed to log on.
4648       | Logon/Logoff          | Audit Logon                         | A logon was attempted using explicit credentials.
4704       | Policy Change         | Audit Authorization Policy Change   | A user right was assigned.
4720       | Account Management    | Audit User Account Management       | A user account was created.
4722       | Account Management    | Audit User Account Management       | A user account was enabled.
4724       | Account Management    | Audit User Account Management       | An attempt was made to reset an account's password.
4725       | Account Management    | Audit User Account Management       | A user account was disabled.
4728       | Account Management    | Audit Application Group Management  | A member was added to a security-enabled global group.
4732       | Account Management    | Audit Application Group Management  | A member was added to a security-enabled local group.
4738       | Account Management    | Audit User Account Management       | A user account was changed.
4740       | Account Management    | Audit User Account Management       | A user account was locked out.
4741       | Account Management    | Audit Computer Account Management   | A computer account was created.
4756       | Account Management    | Audit Security Group Management     | A member was added to a security-enabled universal group.
4767       | Account Management    | Audit User Account Management       | A user account was unlocked.
4768       | Account Logon         | Audit Kerberos Authentication Service | A Kerberos authentication ticket (TGT) was requested.
4769       | Account Logon         | Audit Kerberos Authentication Service | A Kerberos service ticket was requested.
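The table only helps if each domain controller's advanced audit policy actually emits those subcategories, and if the Security log is large enough not to roll over between Collector polls. The script below is an added example, not Rapid7's code: it queries auditpol for the subcategories named in the table (with the "Audit " prefix dropped, which is how auditpol names them) and reports which ones fall short of the level needed for the listed event IDs.

```powershell
# Added example (not Rapid7's code). Run in an elevated prompt on each domain
# controller. The subcategory names are those in the table above with the
# "Audit " prefix dropped, which is how auditpol names them; 1102 is not an
# audit-policy event, so it is covered by the log settings check instead.
$Required = [ordered]@{
    'Logon'                           = @{ Ids = 4624, 4625, 4648; Need = 'Success and Failure' }
    'Authorization Policy Change'     = @{ Ids = 4704;             Need = 'Success' }
    'User Account Management'         = @{ Ids = 4720, 4722, 4724, 4725, 4738, 4740, 4767; Need = 'Success' }
    'Application Group Management'    = @{ Ids = 4728, 4732;       Need = 'Success' }
    'Computer Account Management'     = @{ Ids = 4741;             Need = 'Success' }
    'Security Group Management'       = @{ Ids = 4756;             Need = 'Success' }
    'Kerberos Authentication Service' = @{ Ids = 4768, 4769;       Need = 'Success and Failure' }
}

function Test-AuditCoverage {
    foreach ($name in $Required.Keys) {
        # auditpol /r emits CSV; the 'Inclusion Setting' column holds
        # "No Auditing", "Success", "Failure" or "Success and Failure".
        $row = auditpol /get /subcategory:"$name" /r | Where-Object { $_ } |
               ConvertFrom-Csv | Select-Object -First 1
        $setting = $row.'Inclusion Setting'
        $needed  = $Required[$name].Need -split ' and '
        $ok = @($needed | Where-Object { $setting -notmatch $_ }).Count -eq 0
        [pscustomobject]@{
            Subcategory = $name
            EventIds    = $Required[$name].Ids -join ','
            Configured  = $setting
            Required    = $Required[$name].Need
            Ok          = $ok
        }
    }
}

$coverage = Test-AuditCoverage
$coverage | Format-Table -AutoSize

# Retention matters as much as policy: a small Security log on a busy DC rolls
# over before the Collector's next poll, and the gap looks like missing events.
$log = Get-WinEvent -ListLog Security
"Security log: mode={0}, max={1} MB" -f $log.LogMode, [math]::Round($log.MaximumSizeInBytes / 1MB)

if ($coverage | Where-Object { -not $_.Ok }) {
    Write-Warning "Some subcategories are below the required level; set them under Advanced Audit Policy Configuration in Group Policy."
}
```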
