Username reporting

Scrutinizer supports username reporting via Microsoft Active Directory (AD) or Cisco Identity Services Engine (ISE).

To enable and configure username reporting integration, follow the corresponding guide below.

Microsoft Active Directory over LDAP

When Microsoft Active Directory (AD) username reporting is enabled, Scrutinizer is able to retrieve domains, datasources, and first/last seen details for AD users and report the information in various web interface views and functions.

This integration relies on the Plixer AD Users utility to retrieve username data and forward it to Scrutinizer as IPFIX flows.

The AD Users utility reads a Windows event log file, continually parses authentication events, and sends event data to an IPFIX collector (Scrutinizer) for viewing in the Explore > Entities > Usernames table in the web UI. If the AD Users service is stopped, the last sent event record ID is saved to last_recordID.txt. If this file exists, only events with record IDs greater than the number in the file will be sent to Scrutinizer. This feature helps avoid duplicate events being sent to the collector or a lapse in the authentication events processed should the program restart.

Plixer AD Users 2.0.0

Plixer AD Users 2.0.0 allows integration with the Plixer ML Engine 19.5.0. When configured, both Active Directory authentication events and sign-in logs from designated Azure storage containers are processed by the ML Engine. The result is model generation used to detect anomalies, send alerts, and generate reports for usernames or email (Azure) login data.

Note

Azure login data typically categorizes users by email.

For Azure sign-in logs, there is a configuration setting to pull logs older than the specified number of minutes to account for any missed events back to a certain time. The ML Engine will remove duplicates of both AD and Azure events for model generation.

Configuring the servers

User permissions

By default, the AD Users installer configures the program to run using a local system account and this is the recommended configuration. However, the program can also be configured to run as a different user.

If not using a local system account, the user who is configured to run the AD Users service needs to:

• Have administrator privileges

• Have permissions to query domain controller event logs by being added to the event log readers built-in group

• Have Log on as a service rights if running as a service

Domain controller audit policies

To allow authentication events to be collected, logon/logoff audit policies on the domain controller must be enabled.

To do this, make the following changes to the domain controller’s default policies:

1. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff.

2. Enable Success and Failure for Audit Logoff and Audit Logon.

The advanced audit policies require that another group policy override setting is enabled. To do this, follow these steps:

1. Expand Computer Configuration > Policies > Windows Settings > Local Policies > Security Options.

2. Select Audit: Force audit policy subcategory settings.

3. Tick Define this policy setting, and then tick Enable.

Event forwarding

Running AD Users directly on the Active Directory server does not require any additional configuration, other than ensuring that the config file points to Security.evtx.

To run AD Users on a separate event collection server joined to the same domain as the Active Directory server/domain controller, follow these steps:

1. On the Active Directory server(s), run the following command from an elevated-permissions command prompt: C:\> winrm quickconfig

2. On the event collection server, run the following command from an elevated-permissions command prompt: C:\> wecutil qc

3. Establish a subscription by performing the following on the event collection server:

   • As an Administrator, launch Event Viewer, and then click Subscriptions.

   • In the Actions pane, click Create Subscription.

   • Enter a subscription name.

   • Select Computers, and then enter your Active Directory server(s).

   • Go to Destination log > Forwarded Events, and then select Keep User Account as Machine Account.

   • Select Events, then select Security for Event logs, and then enter the following event IDs to include: 4624,4634,4647,6272-6274,6278,6279.

Setting up the Plixer AD Users utility

Once the domain controller has been correctly configured, set up Plixer AD Users on a Windows computer as follows:

1. Download the AD Users 2.0.0 product package: ad-users-2.0.0.zip

   • This archive includes the ad-users.exe executable file, the ad-users-installer.exe installer, and the ad-users.yml config file.

   • The checksum for the zip file can be found here: ad-users-2.0.0.zip.sha256

2. Run ad-users-installer.exe, and then go through the installation steps.

   Important

   Make sure that you select No to use recommended system account, and to tick Open config file to set the collector value.

3. Run a verification test via command prompt with command-line argument test. For example, ad-users.exe test.

Editing the config files

ad-users.yml

Name	Required?	Description	Example Value	Default Value
chunking	Yes	Number of authentication log events to collect, and then send at a time. Set to 0 to send each event as it is parsed.	1000	0
flush_wait_seconds	Yes	Time in seconds to periodically send any events in the buffer. Set to 0 if you want to use chunking value for sending events instead.	60	0
path	Yes	Path to the Windows event log. Use ForwardedEvents.evtx if forwarding events, or Security.evtx if running directly on AD server.	C:\Windows\System32\winevt\Logs\ForwardedEvents.evtx	C:\Windows\System32\winevt\Logs\ForwardedEvents.evtx
collector	Yes	This is the Scrutinizer collector to send the flows to. The format must be IP:port.	127.0.0.1:2055	127.0.0.1:2055
exporter	No	The IP address of the Windows server running AD Users. To specify your own value, use the format IP:port.	8.8.8.8:9996	(Local IP address with port 9996)

log section

Name	Required?	Description	Example Value	Default Value
name	no	Name of the log file if not running as a service.	C:\ad-users\Plixer\ad-users.log	(ad-users.log in executable directory)
level	no	Log level to use for file logging if not running as a service.	info	debug
max_size	no	Maximum size (in MB) of the log file before it gets rotated, if not running as a service.	100	5
max_backups	no	Maximum number of old log files to retain, if not running as a service.	10	0
max_age_days	no	Maximum number of days to retain old log files, if not running as a service.	14	0

ml section

Name	Required?	Description	Example Value	Default Value
send_ad_to_ml	No	Flag for sending AD data to the ML Engine, in addition to Scrutinizer.	True	False
scrut_auth_token	No (only required if send_ad_to_ml or send_azure_to_ml is set to True)	24-character authentication token generated from Scrutinizer.
ml_engine_ip	No (only required if send_ad_to_ml or send_azure_to_ml is set to True)	IP address of the ML Engine to send to the Active Directory and/or Azure data via Kafka.	0.0.0.0	0.0.0.0

azure section

Name	Required?	Description	Example Value	Default Value
send_azure_to_ml	No	Flag for sending Azure data to the ML Engine.	True	False
interactive_container	No (only required if send_azure_to_ml is set to True)	Name of the configured interactive sign-in log storage container in Azure.	insights-logs-signinlogs	insights-logs-signinlogs
non_interactive_container	No (only required if send_azure_to_ml is set to True)	Name of the configured non-interactive sign-in log storage container in Azure.	insights-logs-noninteractive-signinlogs	insights-logs-noninteractive-signinlogs
max_log_age_minutes	No	Logs terminated within the last [number] minutes set will be processed.	15	0
account_filter_list	No	Used to monitor sign-in events of admin Azure accounts (emails), and then send these events to the ML Engine. Separate multiple email addresses with a comma.	[user1@plixer.com,user2@plixer.com,user3@plixer.com]	[user1@plixer.com,user2@plixer.com,user3@plixer.com]
app_filter_list	No	Used to monitor sign-in events of applications, and then send these events to the ML Engine. Separate multiple applications with a comma.	[Microsoft Teams,Microsoft Office,Office 365 Exchange Online]	[Microsoft Teams,Microsoft Office,Office 365 Exchange Online]

Starting the service

1. Open Services, and then right-click on Plixer AD Users.

2. Select Properties, and then in the General tab, set the startup type to Automatic (Delayed Start).

3. Go to the Recovery tab, and then set all three failure options to Restart the Service.

4. Click OK to save.

Microsoft Azure

To archive both interactive and non-interactive sign-in logs to a storage account, create a storage account, and then set up archiving for the sign-in logs to that storage account.

Hint

For more information on setting up a storage account to receive sign-in logs, refer to this Microsoft guide .

To set up a storage account, do the following:

1. Sign in to the Microsoft Azure portal.

2. Under All Services, select Storage Accounts, and then select Create.

3. If necessary, configure your storage account if needed. No AD Users-specific configuration is required here.

4. Take note of the storage account name, and then after configuring, select Create.

5. Under Storage Accounts, select Access Keys under Security + Networking to generate and save the value of the key for the storage account.

Plixer ML Engine

To configure your Azure account info with the ML Engine, do the following:

Note

If logging in using the Microsoft Azure sign-in log, navigate to Admin > Settings > ML AD Users in the Plixer Scrutinizer web UI before proceeding to Step 1. Enter the Azure storage account name and the Azure storage account key for the storage account containing the Azure sign-in logs. If the ML Engine was upgraded from v19.4 to v19.5, make sure to restart ad-users after entering the credentials.

1. Edit the ad-users.yml config file.

   • Set the value of ml.send_ad_to_ml to true.

   • Set the value of ml.scrut_auth_token to the ML auth token generated in the Scrutinizer web UI under Admin > Resources > ML Engines.

   • Set the value of ml.ml_engine_ip to the IP address of the ML Engine server.

2. Restart ad-users on Windows AD Server running the utility.

Verifying the setup

Checking log files

If running AD Users as a service, the application log in Event Viewer will show the program’s log messages. At startup, there will be a few info messages indicating everything was configured properly and the program has started event monitoring. After that, there will only be error log messages if any errors occur or if the service is stopped. If the service restarts, the startup info messages will be logged again.

If running AD Users in command prompt, use command-line argument run. Log messages will be written to the log file as well as the console (stdout).

C:\ad-users> ad-users.exe run
Detected 'run' program argument, not running as a service
Config: Trying to get Azure credentials via ML Engine API at x.x.x.x
Config: GET https://x.x.x.x:30888/azure_auth response code=200
{"level":"info","time":"2024-04-08T12:18:16-07:00","message":"Successfully set config values: chunking=10; path=C:\\Windows\\System32\\winevt\\Logs\\ForwardedEvents.evtx; exporter=; collector=x.x.x.x:2055; flush wait seconds=60; send AD to ML=true; send Azure to ML=true"}
{"level":"info","buffer_size":67108864,"time":"2024-04-08T12:18:16-07:00","message":"SetWriteBuffer"}
{"level:"info","time":"2024-04-08T12:18:16-07:00","message":"Successfully set collector: x.x.x.x:2055 and exporter: x.x.x.x:9996 endpoints"}
{"level":"info","time":"2024-04-08T12:18:16-07:00","message":"Successfully set ML Engine endpoint x.x.x.x and Kafka producer for topic x-topic"}
{"level":"info","time":"2024-04-08T12:18:16-07:00","message":"Successfully set up access to Azure containers x-interactive and y-noninteractive"}
{"level":"info","time":"2024-04-08T12:18:17-07:00","message":"Successfully opened Windows events file: C:\\Windows\\System32\\winevt\\Logs\\ForwardedEvents.evtx"}
{"level":"info","time":"2024-04-08T12:18:17-07:00","message":"Last sent record ID was saved as 12345"}
{"level":"info","time":"2024-04-08T12:18:17-07:00","message":"Starting event monitoring"}

Checking Scrutinizer for IPFIX flows

In the Scrutinizer UI Explore > Entities > Usernames table, AD Users authentication events will start populating. AD Users sends the IP address (no IPv6 support currently), logon type (logon or logoff), domain, username, and machine name of the authentication event.

If usernames aren’t showing up as expected, double-check that you have enough exporters licensed for the number of exporters enabled. You can see how many exporters you have licensed in the Scrutinizer UI under Admin > Plixer > Scrutinizer Licensing > Exporter Count and Enabled Exporters. You can also view specific exporters under Admin > Resources > Manage Exporters.

The AD Users server will count as an exporter since it is sending flows with username data to Scrutinizer.

Export spreading

The config values for chunking and flush_wait_seconds should mitigate any issues from too many events being exported at a time: chunking allows for a given number of events to be queued in the buffer then sent all at once, and flush_wait_seconds will flush the buffer periodically to avoid events sitting in the queue for too long when fewer authentication events are logged in a minute than the set chunking value.

However, if working with a Scrutinizer setup where too many Active Directory authentication events at a time is a concern, you can prevent Netflow export storms by enabling export spreading. Follow the instructions here for your performance monitor configuration.

Cisco Identity Services Engine (ISE)

When Cisco Identity Services Engine (ISE) username reporting is enabled, Scrutinizer is able retrieve username lists, search flows for specific usernames, and run additional reports related to Cisco ISE user traffic.

Important

Username reporting integration in Scrutinizer supports Cisco ISE versions 1.x, 2.x, and 3.x.

Enabling ERS

Before setting up Cisco ISE username reporting in Scrutinizer, External RESTful Services (ERS) should first be enabled on the ISE appliance as follows:

1. On the ISE server, create a new user with the following permissions:

   • ERS Admin

   • ERS Operator

   • Super Admin

   • System Admin

2. Test the configuration using an external host via a Postman GET request using the URL: https://[ISE_server_address/ise/mnt/Session/AuthList/null/null

   Hint

   When creating the GET request using Postman, navigate to the server using a browser and agree to use a bad certificate. Leave that window open.

Visit the Cisco website to learn more about enabling ERS for the supported ISE versions.

Configuring steps in Scrutinizer

1. SSH into the Scrutinizer server as the plixer user and run /home/plixer/scrutinizer/bin/scrut_util to launch the scrut_util interactive CLI.

2. At the SCRUTINIZER> prompt, enter:

   SCRUTINIZER> ciscoise add [ISE_IP] [ISE_TCP_port] [ISE_user>]

   This adds a Cisco ISE node from which username data for active sessions can be retrieved. ISE_IP and ISE_TCP_port refer to the ISE server’s address and TCP port number and ISE_user refers to the user previously created on the same server.

3. When prompted, enter the password for the ISE user.

After all configuration steps have been completed, all functions associated with Cisco ISE username reporting will immediately be enabled.

Note

It may take several minutes before usernames are displayed in the web interface.

scrut_util commands for Cisco ISE

Information about other scrut_util commands related to Cisco ISE username reporting can be found here.