Microsoft Active Directory over LDAP

When Microsoft Active Directory (AD) username reporting is enabled, Plixer Scrutinizer is able to retrieve domains, datasources, and first/last seen details for AD users and report the information in various web interface views and functions.

This integration relies on the Plixer AD Users utility to retrieve username data and forward it to Plixer Scrutinizer as IPFIX flows.

The Plixer AD Users utility reads a Windows event log file, continually parses authentication events, and sends event data to an IPFIX collector (Plixer Scrutinizer) for viewing in the Explore > Entities > Usernames table in the web UI. If the AD Users service is stopped, the last sent event record ID is saved to last_recordID.txt. If this file exists, only events with record IDs greater than the number in the file will be sent to Plixer Scrutinizer. This feature helps avoid duplicate events being sent to the collector or a lapse in the authentication events processed should the program restart.

Plixer AD Users 2.0.0

Plixer AD Users 2.0.0 allows integration with the Plixer ML engine 19.4.0. When configured, both Active Directory authentication events and sign-in logs from designated Azure storage containers are processed by the ML engine. The resulting models are used to detect anomalies, send alerts, and generate reports for username (AD) or email (Azure) login data.

Note

Azure login data typically categorizes users by email.

For Azure sign-in logs, a configuration setting pulls logs going back the specified number of minutes, so that events missed in that window are still collected. The Plixer ML engine removes duplicates of both AD and Azure events before model generation.

Configuring the servers

User permissions

By default, the Plixer AD Users installer configures the program to run using a local system account, and this is the recommended configuration. However, the program can also be configured to run as a different user.

If not using a local system account, the user who is configured to run the Plixer AD Users service needs to:

  • Have administrator privileges

  • Have permissions to query domain controller event logs by being added to the Event Log Readers built-in group

  • Have the Log on as a service right if running as a service

Domain controller audit policies

To allow authentication events to be collected, logon/logoff audit policies on the domain controller must be enabled.

To do this, make the following changes to the domain controller’s default policies:

  1. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff.

  2. Enable Success and Failure for Audit Logoff and Audit Logon.

The advanced audit policies require that another group policy override setting is enabled. To do this, follow these steps:

  1. Expand Computer Configuration > Policies > Windows Settings > Local Policies > Security Options.

  2. Select Audit: Force audit policy subcategory settings.

  3. Tick Define this policy setting, and then tick Enable.

Event forwarding

Running Plixer AD Users directly on the Active Directory server does not require any additional configuration, other than ensuring that the config file points to Security.evtx.

To run Plixer AD Users on a separate event collection server joined to the same domain as the Active Directory server/domain controller, follow these steps:

  1. On the Active Directory server(s), run the following command from an elevated-permissions command prompt: C:\> winrm quickconfig

  2. On the event collection server, run the following command from an elevated-permissions command prompt: C:\> wecutil qc

  3. Establish a subscription by performing the following on the event collection server:

    • As an Administrator, launch Event Viewer, and then click Subscriptions.

    • In the Actions pane, click Create Subscription.

    • Enter a subscription name.

    • Select Computers, and then enter your Active Directory server(s).

    • Go to Destination log > Forwarded Events, and then select Keep User Account as Machine Account.

    • Select Events, then select Security for Event logs, and then enter the following event IDs to include: 4624,4634,4647,6272-6274,6278,6279.
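To confirm that the subscription is delivering the expected event IDs, the following PowerShell script (an added example, not part of the Plixer documentation or the AD Users utility) queries the collection server's log for those IDs and, like AD Users, reads only records newer than a last_recordID.txt checkpoint. The log name and checkpoint path are assumed placeholders; run it from an elevated PowerShell prompt.

```powershell
# Added example (not Plixer's code): verify that the event IDs listed in the
# subscription (4624, 4634, 4647, 6272-6274, 6278, 6279) are arriving, reading
# only records newer than the checkpoint, as the page describes AD Users doing.
# $LogName and $Checkpoint are assumed placeholders; adjust them for your host.
param(
    [string]$LogName    = 'ForwardedEvents',   # use 'Security' when run directly on the DC
    [string]$Checkpoint = '.\last_recordID.txt'
)

# Expand the subscription's ID list, including the 6272-6274 range, into explicit IDs.
$EventIds = @(4624, 4634, 4647) + (6272..6274) + @(6278, 6279)

# Read the last processed record ID if a checkpoint exists (0 means "from the start").
$lastId = 0
if (Test-Path $Checkpoint) {
    $lastId = [int64](Get-Content -Path $Checkpoint -Raw).Trim()
}

# RecordId is not a FilterHashtable key, so filter on it after retrieval.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventIds } -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordId -gt $lastId } |
    Sort-Object RecordId)

if ($events.Count -eq 0) {
    Write-Warning "No new events with IDs $($EventIds -join ',') in $LogName since record $lastId."
    return
}

# Count per event ID: a missing ID (e.g. no 4634/4647) points to an audit subcategory
# that is still disabled or a subscription filter that is too narrow.
$events | Group-Object Id | Sort-Object { [int]$_.Name } |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Advance the checkpoint, mirroring the last_recordID.txt semantics described above.
Set-Content -Path $Checkpoint -Value $events[-1].RecordId
```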

Plixer ML engine

The Azure storage account name and Azure storage account key will need to be entered during the setup script. Apart from this, no further configuration is required on the Plixer ML engine.

If AD Users was not configured to send Azure data during the initial setup of the ML engine (i.e. the user responded “no” to the example prompt included below), the user can re-run /home/plixer/ml/setup.sh on the ML engine, which will prompt again whether to configure Azure for AD Users.

Re-running setup.sh on an ML engine that has already been configured and is running does not take the user through the entire configuration process again. It only applies any changes or updates made to the ML engine configuration since the last time it was run (e.g. Azure credentials that were not previously entered).

The following is an example of a Plixer ML engine setup script:

Successfully upgraded PXI deployment
Will you configure AD Users to send Azure data to your ML engine? (yes/no):
yes
Configuring Azure storage account info...
Enter your Azure storage account name:
<Your Azure storage account name>
Enter your Azure storage account key:
<Your Azure storage account key>
secret/azure-backup created

Note

Plixer ML engine 19.4.0 only supports integration with one Azure storage account. If storage account credentials were entered previously (i.e. for configuring an Azure backup or previous sign-in log storage), they should be changed accordingly to the storage account containing Azure sign-in data for AD Users.

Existing Azure storage account credentials that were submitted to the ML engine previously (either for AD Users or as an Azure backup) can be changed with the following commands:

kubectl -n pxi delete secret azure-backup --ignore-not-found
kubectl -n pxi create secret generic azure-backup --from-literal=azure.client.secondary.account=<Your storage account name> --from-literal=azure.client.secondary.key=<Your storage account key>

Microsoft Azure

To archive both interactive and non-interactive sign-in logs to a storage account, create a storage account, and then set up archiving for the sign-in logs to that storage account.

To set up a storage account, do the following:

  1. Sign in to the Microsoft Azure portal.

  2. Under All Services, select Storage Accounts, and then select Create.

  3. Configure your storage account if needed. No AD Users-specific configuration is required here.

  4. Take note of the storage account name, and then after configuring, select Create.

  5. Under Storage Accounts, select Access Keys under Security + Networking to generate and save the value of the key for the storage account.

Setting up the Plixer AD Users utility

Once the domain controller has been correctly configured, set up Plixer AD Users on a Windows computer as follows:

  1. Download the Plixer AD Users 2.0.0 product package: ad-users-2.0.0.zip

    • This archive includes the ad-users.exe executable file, the ad-users-installer.exe installer, and the ad-users.yml config file.

    • The checksum for the zip file can be found here: ad-users-2.0.0.zip.sha256

  2. Run ad-users-installer.exe, and then go through the installation steps.

    Important

    Make sure that you select No to use the recommended system account, and tick Open config file to set the collector value.

  3. Run a verification test from a command prompt with the command-line argument test, for example: ad-users.exe test.

Editing the config files

ad-users.yml

chunking
  Required?: Yes
  Description: Number of authentication log events to collect before sending them as a batch. Set to 0 to send each event as it is parsed.
  Example value: 1000
  Default value: 0

flush_wait_seconds
  Required?: Yes
  Description: Interval in seconds at which any events still in the buffer are sent. Set to 0 to rely on the chunking value for sending events instead.
  Example value: 60
  Default value: 0