Username reporting

Username reporting#

Username reporting allows Scrutinizer to ingest user traffic/activity data to enrich flow data and enhance reporting/filtering functions.

This page covers the setup and configuration steps to enable username reporting on different platforms.

On this page:

Plixer AD Users
Plixer AD Users (for Microsoft Active Directory)
Cisco ISE
Cisco Identity Services Engine (ISE)

Plixer AD Users (for Microsoft Active Directory)#

The Plixer AD Users utility enables username reporting for a Microsoft Active Directory server (or Azure). Once installed and set up on an AD server or a remote event collector, the utility continuously parses authentication events from an event log file and then sends the data to Scrutinizer (or another IPFIX collector).

Scrutinizer is able to leverage the username data to create IP-to-user mappings (viewable under Explore > Entities > Usernames) and apply additional reporting and filtering options.

Note

Only IP addresses included in internal IP groups can be mapped to users.

Setup and configuration#

Follow the steps below to install the Plixer AD Users utility and set up username reporting to Scrutinizer:

  1. Enable event auditing for login events on the domain.

    • Under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff, enable Success and Failure for Audit Logoff and Audit Logon

    • Under Computer Configuration > Policies > Windows Settings > Local Policies > Security Options, select Audit: Force audit policy subcategory settings, and then tick the checkboxes for Define this policy setting and Enabled.

  2. Download and install the AD Users utility.

    1. Download the product package from https://files.plixer.com/ad-users/ad-users.zip.

    2. Extract the contents of the archive, and then run ad-users-installer.exe.

    3. Follow the prompts to continue the installation.

      • To use a different admin account (instead of running the utility as a LocalService), the account must have administrator privileges and the Log on as a service permission. It must also be added to the Event Log Readers group.

      • Leaving the Verify AD Users and Open config file checkboxes ticked before clicking Finish is recommended.

    This will install the utility as a service, which will run in the background and can be set to automatically restart after the host reboots.

    Note

    To start/restart the utility via command line, run the following from the command prompt:

    ad-users.exe run

    Running the utility from the command line does not require the package to be installed but is primarily intended for debugging/troubleshooting. Installing the utility as a service is strongly recommended for production environments.

  3. Configure and start the AD Users utility.

    • Verify that the details in the configuration file (ad-users.yml) are correct:

      Note

      All log.***** values are only required if the utility is run from a command prompt instead of as a service.

      View file contents

      Name

      Description

      Example Value

      Default Value

      chunking

      Number of events to collect and send at a time (Use 0 to send each event as it is parsed)

      1000

      0

      flush_wait_seconds

      Number of seconds to wait before all collected events in the buffer are sent (Use 0 to use only the chunking value before sending events)

      60

      0

      path

      Path to the Windows event log (Security.evtx if the utility is running on the AD server or ForwardedEvents.evtx if events are being forwarded from a separate host)

      C:\Windows\System32\winevt\Logs\ForwardedEvents.evtx

      C:\Windows\System32\winevt\Logs\ForwardedEvents.evtx

      collector

      IP address and port (in IP:PORT format) of the Scrutinizer server/collector

      127.0.0.1:4739

      127.0.0.1:4739

      exporter

      [Optional] IP address and port (in IP:PORT format) of the Windows server running the utility

      8.8.8.8:9996

      (Local IP address with port 9996)

      log.name

      [Optional] Log file to use

      C:\ad-users\Plixer\ad-users.log

      ad-users.log in the same directory as ad-users.exe

      log.level

      [Optional] Log level to use for the utility log debug (default), info, warn, or error

      debug, info, warn, or error

      debug

      log.max_size

      Maximum size (in MB) of the log file before rotation

      100

      5

      log.max_backups

      [Optional] Maximum number of log entries to retain before rotation

      100

      0

      log.max_age_days

      [Optional] Maximum number of days to retain old log entries before rotation

      14

      0

    • In the Windows Services view, right-click on PlixerADUsers and select Properties to apply the following settings:

      • General: Set the startup type to Automatic (Delayed Start).

      • Recovery: Select to Restart the service for the first, second, and subsequent failures.

  4. Verify that the utility is running and Scrutinizer is receiving the data.

    • Check log files: Log entries for the utility can be viewed in the Windows Event Viewer and should only include configuration and start/stop info messages (i.e., no errors).

      Note

      If the utility is not running as a service, log entries will be written to the log file specified in ad-users.yml and displayed in the console (stdout).

    • Navigate to Explore > Entities > Usernames and verify that usernames and authentication events are being received from the utility. If the Usernames view is not being populated, verify that the current license can support the additional exporters (each AD Users instance running will count as one exporter) under Admin > Plixer > Scrutinizer Licensing. An exporter corresponding to the AD Users server/host should also be listed in the Admin > Resources > Manage Exporters view.

Note

  • If the AD Users service is stopped, the record ID of the event last sent is saved to last_recordID.txt. If this file exists, only events with record IDs greater than the number in this file will be sent to Scrutinizer. This will help avoid duplicate events or lapses in the authentication event processing when the service restarts.

  • While the chunking and flush_wait_seconds settings should help maintain consistent rates, environments with extremely high volumes of Active Directory authentication events may need to enable export spreading to prevent NetFlow export storms.

Event forwarding#

The Plixer AD Users utility can also be run on a remote event collection server that is joined to the same domain as the AD server/domain controller.

Follow these steps to set up event forwarding from an AD server to a collection server:

View instructions

  1. On the Active Directory server, start the Windows Remote Management service with the default configuration (requires elevated permissions):

    winrm quickconfig

  2. On the event collection server, enable the Windows Event Collector Utility service with the default configuration (requires elevated permissions):

    wecutil qc
  3. Create a subscription to the AD server log file on the event collection server:

    1. Launch the Windows Event Viewer as an administrator, and then click Subscriptions.

    2. Select Create Subscription in the Actions pane, and then enter a subscription name.

    3. Select Computers, and then enter the address of the AD server.

    4. Under Destination log > Forwarded events, select Keep user account as machine account.

    5. Under Events > Security for event logs, enter the following event IDs: 4624, 4634, 4647, 6272-6274, 6278, and 6279.

After the subscription has been created/configured, verify that Scrutinizer is receiving username and authentication event data as described in the AD Users setup instructions (step 4).

Plixer ML Engine integrations#

Plixer AD Users 2.0.0+ is able to forward both AD authentication events and Azure sign-in logs from specified storage containers to the Plixer ML Engine. The engine is then able to leverage the data to build models to detect anomalies, deliver alerts, and generate reports.

Active Directory authentication events#

To configure the AD Users utility to send username and authentication event data to a Plixer ML Engine instance for modeling and additional behavior analytics, edit the following flags in the ad-users.yml configuration file:

  • ml.send_ad_to_ml: Set to true

  • ml.scrut_auth_token: Enter the authentication token generated when the ML engine instance was registered

  • ml.ml_engine_ip: Enter the IP address of the ML engine instance

After the changes have been saved, restart the PlixerADUsers service on the host running the utility, and then verify that Scrutinizer is receiving username and authentication event data as described in the AD Users setup instructions (step 4).

Microsoft Azure sign-in logs#

The AD Users utility can collect Azure sign-in logs (for both interactive and non-interactive sign-ins) archived in a specified storage account and then send it to a Plixer ML Engine instance for model generation.

Note

Follow this Microsoft guide to create an Azure storage account and set up archiving of sign-in logs.

Once the storage account has been created and is receiving sign-in logs, follow these steps to configure the AD Users utility to collect the data and forward it to the ML engine instance:

View instructions

Important

The AD Users utility can send AD authentication event logs and/or Azure sign-in logs to a Plixer ML Engine instance.

ml.ml_engine_ip and ml.scrut_auth_token must both be defined for either log type to be sent.

  1. Navigate to Admin > Settings > ML AD Users in the Scrutinizer web interface and enter the name and key for the Azure storage account being used to store the sign-in logs.

  2. Edit the following flags in the ad-users.yml configuration file:

    • ml.scrut_auth_token: Enter the authentication token generated when the ML engine instance was registered

    • ml.ml_engine_ip: Enter the IP address of the ML engine instance

    • azure.send_azure_to_ml: Set to true

    • azure.interactive_container: Enter name of the container used to store interactive sign-in logs (e.g., insights-logs-signinlogs)

    • azure.non_interactive_container: Enter name of the container used to store non-interactive sign-in logs (e.g., insights-logs-noninteractive-signinlogs)

    • azure.max_log_age_minutes: [Optional] Enter the number of minutes to use for backfilling Azure sign-in events (i.e., logs terminated within the last X minutes will be processed; duplicates of both AD and Azure events are deleted for model generation)

    • azure.account_filter_list: [Optional] Enter the Azure accounts/emails (comma-delimited) whose sign-in events should be processed (event data for all accounts is sent if left blank)

    • azure.app_filter_list: [Optional] Enter the applications (e.g., Microsoft Teams,Microsoft Office,Office 365 Exchange Online) whose sign-in events should be processed (event data for all applications is sent if left blank )

After the changes have been saved, restart the PlixerADUsers service on the host running the utility, and then verify that Scrutinizer is receiving username and authentication event data as described in the AD Users setup instructions (step 4).

Cisco Identity Services Engine (ISE)#

When Cisco Identity Services Engine (ISE) username reporting is enabled, Scrutinizer is able to retrieve username lists, search flows for specific usernames, and run additional reports related to Cisco ISE user traffic.

Important

Username reporting integration in Scrutinizer supports Cisco ISE versions 1.x, 2.x, and 3.x.

Enabling ERS#

Before setting up Cisco ISE username reporting in Scrutinizer, External RESTful Services (ERS) should first be enabled on the ISE appliance as follows:

View instructions

  1. On the ISE server, create a new user with the following permissions:

    • ERS Admin

    • ERS Operator

    • Super Admin

    • System Admin

  2. Test the configuration from an external host by sending a GET request using the URL: https://[ISE_server_address]/ise/mnt/Session/AuthList/null/null

    Hint

    • Use any REST client (such as Postman, or similar tools) to perform this test.

    • If using a GUI-based tool like Postman, navigate to the server URL first in a browser and accept the security certificate, then leave that browser window open.

Visit the Cisco website to learn more about enabling ERS for the supported ISE versions.

Configuring Scrutinizer for Cisco ISE#

View instructions

  1. SSH into the Scrutinizer server as the plixer user and run /home/plixer/scrutinizer/bin/scrut_util to launch the scrut_util interactive CLI.

  2. At the SCRUTINIZER> prompt, enter:

    SCRUTINIZER> ciscoise add [ISE_IP] [ISE_TCP_port] [ISE_user]

    This adds a Cisco ISE node from which username data for active sessions can be retrieved. ISE_IP and ISE_TCP_port refer to the ISE server’s address and TCP port number and ISE_user refers to the user previously created on the same server.

  3. When prompted, enter the password for the ISE user.

After all configuration steps have been completed, all functions associated with Cisco ISE username reporting will immediately be enabled.

Note

It may take several minutes before usernames are displayed in the web interface.

scrut_util commands for Cisco ISE#

Information about other scrut_util commands related to Cisco ISE username reporting can be found here.