Insights Collector
Use the Insights Collector to set up a connection from a Microsoft Active Directory member server you configure to your Insights tenant, where you can view the event ID and log information it collects.
What Microsoft Active Directory information does the Insights Collector gather?
The Insights Collector accesses a variety of information as part of its operation.
- Domain controller event log
  - From the domain controller event log, which is polled every 10 minutes, Insights collects or accesses the following:
    - The Windows Security event log, read remotely from the connected domain controller
    - Event IDs from the Security log: 4624, 4662, 4740, 4742, 4768, 4769, 4770, 4771, 4776, 5136 (see below for details)
    - The last collection date for each pull, so that only new events are collected
- AD inventory
  - From the AD inventory, which is polled every 30 minutes, Insights collects or accesses the following:
    - Active Directory object metadata
    - Important Access Control Lists (ACLs)
    - Objects:
      - user
      - groups
      - computer
      - containers
      - organizational units (OUs)
      - domain
      - group policy objects (GPOs)
- Active Directory Certificate Services
  - From Microsoft Active Directory Certificate Services, which is polled every 60 minutes, Insights collects the following:
    - LDAP object properties for certification authorities, certificate templates, and enrollment services from the configuration container
    - Security events from the enrollment service machines: 4886, 4887, 5145
      - Events 4886 and 4887 are only logged if "Issue and manage certificate requests" is enabled on the Audit tab of the CA's properties in the Certificate Services MMC snap-in
    - The agent security Access Control Lists (ACLs) from the enrollment service machines, read via the registry
    - The enrollment agent restrictions from the enrollment service machines, read via the registry
Note
The Microsoft Active Directory connector collects information from Active Directory and sends this information to Insights for analysis. Because it reads event logs remotely, enumerates directory objects and ACLs over LDAP, and sends the results outbound, some security solutions may detect this activity as an attack pattern after the connector is installed.
Security alerts you may see include:
- Suspicious LDAP search
- A service account is authenticating over Kerberos
- A device is sending data externally
Event ID details
Security events
Event ID | Description | Further information |
---|---|---|
4768 | A Kerberos authentication ticket (TGT) was requested. This event is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4768 |
4769 | A Kerberos service ticket was requested. This event is generated every time the Key Distribution Center receives a Kerberos Ticket Granting Service (TGS) ticket request. | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4769 |
4770 | A Kerberos service ticket was renewed. This event is generated for every Ticket Granting Service (TGS) ticket renewal. | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4770 |
4771 | Kerberos pre-authentication failed. This event is generated every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This can occur when a domain controller doesn't have a certificate installed for smart card authentication (for example, from a "Domain Controller" or "Domain Controller Authentication" template), the user's password has expired, or the wrong password was provided. | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 |
4776 | The computer attempted to validate the credentials for an account. This event is generated every time a credential validation occurs using NTLM authentication. It occurs only on the computer that is authoritative for the provided credentials: for domain accounts, the domain controller; for local accounts, the local computer. | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776 |
4624 | An account was successfully logged on. This event is generated when a logon session is created, on the destination machine, that is, the computer that was accessed and where the session was created. | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624 |
4662 | An operation was performed on an object. This event is generated whenever an operation is performed on an Active Directory object, but only if an appropriate SACL is set on the object and the performed operation matches that SACL. | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662 |
4740 | A user account was locked out. This event is generated every time a user account is locked out and is very helpful when troubleshooting lockouts. | https://system32.eventsentry.com/security/event/4740 |
4742 | A computer account was changed. This event is generated every time a computer object is changed. | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4742 |
5136 | A directory service object was modified. This event is generated every time an Active Directory object is modified. To generate this event, the modified object must have an appropriate entry in its SACL: "Write" auditing for the specific attributes. | https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5136 |
Windows Server events
- 4670: Permissions on an object were changed
- 4717: System security access was granted to an account
- 4720: A user account was created
- 4722: A user account was enabled
- 4727: A security-enabled global group was created
- 4728: A member was added to a security-enabled global group
- 4732: A member was added to a security-enabled local group
- 4735: A security-enabled global group was changed
- 4738: A user account was changed
- 4764: A group’s type was changed
Certificate events
- 4886: Certificate Services received a certificate request
- 4887: Certificate Services approved a certificate request and issued a certificate
- 5145: A network share object was checked to see whether the client can be granted desired access.
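The collection behaviour described above (a 10-minute pull of the listed Security event IDs from the domain controller, bookmarked by the last collection date, plus the certificate events from the enrollment service hosts) can be reproduced with the script below. It is added here as an example and is not part of the BeyondTrust collector; it is useful for confirming, before installation, that the service account can actually read those events over RPC and that the IDs you expect are being generated. The host names DC01 and CA01, the bookmark directory under ProgramData, and the optional credential are assumptions.

```powershell
# Added example, not BeyondTrust code. Pull the same Security-log event IDs the collector reads,
# keeping a per-host bookmark so each poll only returns events newer than the last collection date.
# Assumptions (not from the page): hosts DC01 and CA01, bookmark directory %ProgramData%\InsightsCheck.
$SecurityIds    = 4624, 4662, 4740, 4742, 4768, 4769, 4770, 4771, 4776, 5136
$CertificateIds = 4886, 4887, 5145
$PollInterval   = [timespan]::FromMinutes(10)

function Get-CollectorEvents {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int[]]$Id,
        [string]$BookmarkDir = "$env:ProgramData\InsightsCheck",
        [pscredential]$Credential          # run as the service account to test its access, not yours
    )
    $bookmark = Join-Path $BookmarkDir "$ComputerName.bookmark"
    # Last collection date for this host; on the first run look back one poll interval.
    $since = if (Test-Path $bookmark) {
        [datetime]::Parse((Get-Content $bookmark -Raw).Trim(), [cultureinfo]::InvariantCulture, 'RoundtripKind')
    } else {
        (Get-Date) - $PollInterval
    }
    $until  = Get-Date
    $params = @{
        ComputerName    = $ComputerName
        FilterHashtable = @{ LogName = 'Security'; Id = $Id; StartTime = $since; EndTime = $until }
        ErrorAction     = 'SilentlyContinue'
        ErrorVariable   = 'pullErrors'
    }
    if ($Credential) { $params.Credential = $Credential }
    $events = Get-WinEvent @params
    # "No events" is normal between polls; anything else (RPC blocked by the firewall, access denied
    # because the account is not in Event Log Readers) must surface instead of looking like silence.
    $real = $pullErrors | Where-Object { $_.Exception.Message -notmatch 'No events were found' }
    if ($real) { throw $real[0] }
    New-Item -ItemType Directory -Path $BookmarkDir -Force | Out-Null
    $until.ToString('o') | Set-Content -Path $bookmark   # advance the bookmark only after a successful pull
    $events
}

function ConvertTo-EventRecord {
    # Flatten the EventData XML into a hashtable so fields such as TargetUserName, IpAddress and
    # Status (the 4768/4771 failure code) can be filtered without parsing the message text.
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $Event.TimeCreated
            Id          = $Event.Id
            Computer    = $Event.MachineName
            Data        = $data
        }
    }
}

# Usage: one poll against the DC and one against the CA host (4886/4887/5145 are written on the
# enrollment service machine, not on the DC), then a count per event ID.
$dcEvents = @(Get-CollectorEvents -ComputerName 'DC01' -Id $SecurityIds    | ConvertTo-EventRecord)
$caEvents = @(Get-CollectorEvents -ComputerName 'CA01' -Id $CertificateIds | ConvertTo-EventRecord)
$dcEvents + $caEvents | Group-Object Id | Select-Object @{n='EventId';e={$_.Name}}, Count | Sort-Object EventId

# Example filter: Kerberos pre-authentication failures with status 0x18 (bad password), per account
$dcEvents | Where-Object { $_.Id -eq 4771 -and $_.Data.Status -eq '0x18' } |
    Group-Object { $_.Data.TargetUserName } | Select-Object Name, Count
```

If the first call throws an RPC or access-denied error, check the domain controller firewall rules and the service account's Event Log Readers membership listed under Prerequisites before installing the collector; an empty result with no error simply means no matching events were written during the window.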
Prerequisites
BeyondTrust prerequisites
You must configure the Insights Collector in your Insights tenant before you can install it on a member server in your Active Directory.
Microsoft Active Directory prerequisites
- Member Server: You must run the installer on a Windows Server joined to the domain you want Insights to access.
  - Suggested minimum server specifications are 16 GB RAM and a dual-core CPU.
- Service Account: A provisioned on-premises service account for the connector, with the following required permissions:
  - Member of the Domain Users group
  - Member of the Event Log Readers group
  - Registry read access on the ADCS enrollment server for the following registry locations:
    - SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\{servername}
    - SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\{servername}\\PolicyModule\\CertificateAuthority_MicrosoftDefault.Policy
- Connectivity: The member server must be able to:
  - connect to Active Directory using SSL on TCP 636.
    - If SSL/636 is not available, the installer can optionally be configured to use TCP 389. Plain LDAP on 389 does not encrypt traffic unless LDAP signing and sealing are negotiated, so prefer 636 and treat 389 as a temporary fallback.
  - connect outbound to Identity Security Insights via the following URLs:
- Domain Controller: You must configure the domain controller and the member server where the Insights Collector is installed to the same time zone.
- Firewall rules: The following inbound firewall rules on the domain controller (and, for certificate events, on the enrollment servers) should allow communication from the member server to facilitate event log collection:
  - COM+ Network Access (DCOM-In)
  - Remote Event Log Management (NP-In)
  - Remote Event Log Management (RPC)
  - Remote Event Log Management (RPC-EPMAP)
  - Windows Management Instrumentation (ASync-In)
  - Windows Management Instrumentation (DCOM-In)
  - Windows Management Instrumentation (WMI-In)
Active Directory Certificate Services (ADCS) role prerequisites
If ADCS roles are configured on your servers:
- Ensure the Audit Certification Services audit policy subcategory logs both Success and Failure events.
- Ensure "Issue and manage certificate requests" is enabled under the CA audit filter properties (the Audit tab of the CA's properties); without it, events 4886 and 4887 are never written.
Note
For more information on these configuration settings, refer to the Microsoft documentation.
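The script below checks the Microsoft Active Directory and ADCS prerequisites above from the member server before you run the installer. It is added here as an example and is not BeyondTrust's own code. Run it in a session that authenticates as the collector's service account where possible, so the results reflect that account's access rather than your own. The names DC01, CA01, svc-insights, and the CA name 'Contoso-Issuing-CA' (the page's `{servername}` placeholder is the CA's key under CertSvc\Configuration) are assumptions; the audit filter bit value 0x4 is the documented value for "Issue and manage certificate requests".

```powershell
# Added example, not BeyondTrust code: verify the collector prerequisites from the member server.
# Assumptions (not from the page): DC01, CA01, CA name 'Contoso-Issuing-CA', account svc-insights.
param(
    [string]$DomainController = 'DC01',
    [string]$CaHost           = 'CA01',
    [string]$CaName           = 'Contoso-Issuing-CA',
    [string]$ServiceAccount   = 'svc-insights'
)
Import-Module ActiveDirectory
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail = '') {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# Service account group membership. Domain Users is usually the primary group, so check both places.
$groups  = @((Get-ADPrincipalGroupMembership -Identity $ServiceAccount).Name)
$primary = (Get-ADUser -Identity $ServiceAccount -Properties PrimaryGroup).PrimaryGroup -match 'Domain Users'
Add-Check 'Domain Users membership'      ($primary -or ($groups -contains 'Domain Users'))
Add-Check 'Event Log Readers membership' ($groups -contains 'Event Log Readers') ($groups -join ', ')

# LDAPS on TCP 636. 389 is the documented fallback but is unencrypted unless signing/sealing is
# negotiated, so a failure here is something to fix rather than route around.
$ldaps = Test-NetConnection -ComputerName $DomainController -Port 636 -WarningAction SilentlyContinue
Add-Check 'LDAPS TCP 636 reachable' $ldaps.TcpTestSucceeded "remote=$($ldaps.RemoteAddress)"

# Same time zone on the DC and the member server.
$localTz = (Get-TimeZone).Id
$dcTz    = Invoke-Command -ComputerName $DomainController -ScriptBlock { (Get-TimeZone).Id }
Add-Check 'Time zone matches DC' ($localTz -eq $dcTz) "member=$localTz dc=$dcTz"

# Inbound firewall rules, checked on the DC and on the enrollment server (4886/4887/5145 are read there).
$ruleNames = 'COM+ Network Access (DCOM-In)',
             'Remote Event Log Management (NP-In)',
             'Remote Event Log Management (RPC)',
             'Remote Event Log Management (RPC-EPMAP)',
             'Windows Management Instrumentation (ASync-In)',
             'Windows Management Instrumentation (DCOM-In)',
             'Windows Management Instrumentation (WMI-In)'
foreach ($target in $DomainController, $CaHost) {
    $rules = Invoke-Command -ComputerName $target -ScriptBlock {
        param($names)
        Get-NetFirewallRule -DisplayName $names -ErrorAction SilentlyContinue |
            Where-Object Direction -eq 'Inbound' |
            Select-Object DisplayName, @{n='Enabled';e={"$($_.Enabled)"}}, @{n='Profile';e={"$($_.Profile)"}}
    } -ArgumentList (,$ruleNames)
    foreach ($name in $ruleNames) {
        $found   = @($rules | Where-Object DisplayName -eq $name)       # one entry per profile group
        $enabled = @($found | Where-Object Enabled -eq 'True').Count -gt 0
        Add-Check "$target firewall: $name" $enabled (($found | ForEach-Object { "$($_.Profile)=$($_.Enabled)" }) -join '; ')
    }
}

# Registry read access on the enrollment server for the two documented paths.
$regPaths = "SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName",
            "SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName\PolicyModule\CertificateAuthority_MicrosoftDefault.Policy"
foreach ($path in $regPaths) {
    $readable = Invoke-Command -ComputerName $CaHost -ScriptBlock {
        param($p) try { $null = Get-ItemProperty -Path "HKLM:\$p" -ErrorAction Stop; $true } catch { $false }
    } -ArgumentList $path
    Add-Check "CA registry readable: $path" $readable
}

# CA auditing: the "Certification Services" subcategory must log Success and Failure, and the CA's
# AuditFilter must include bit 0x4 ("Issue and manage certificate requests") or 4886/4887 are never written.
$audit = Invoke-Command -ComputerName $CaHost -ScriptBlock {
    param($ca)
    $policy = (auditpol /get /subcategory:"Certification Services" /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv).'Inclusion Setting'
    $filter = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$ca" -Name AuditFilter -ErrorAction SilentlyContinue).AuditFilter
    [pscustomobject]@{ Policy = $policy; AuditFilter = [int]$filter }
} -ArgumentList $CaName
Add-Check 'Audit Certification Services = Success and Failure' ($audit.Policy -eq 'Success and Failure') "policy=$($audit.Policy)"
Add-Check 'CA AuditFilter includes "Issue and manage certificate requests" (0x4)' (($audit.AuditFilter -band 4) -ne 0) "AuditFilter=$($audit.AuditFilter)"

$results | Format-Table -AutoSize
```

Every row should show `Pass = True` before you download the installer. The remote checks use PowerShell remoting, so the account running the script also needs WinRM access to the domain controller and the CA host; that is a requirement of this check script, not of the collector itself.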
Create the Microsoft Active Directory connector
1. From the top left of any page in Insights, click > Insights > Connectors.
   The Connectors page displays.
2. Click Available Connectors.
   The Available Connectors list displays.
3. Locate Insights Connector in the Available Connectors list.
4. Click Create Connector.
   The Create Insights Connector panel opens.
5. Enter a human-readable Name for your Microsoft Active Directory connector.
6. Click Create Connector.
   Insights generates credentials and a key.
7. Copy the key and store it in a secure location.
8. Click Download to download the installer, and run it on a member server that allows data collection.
   Note
   Do not run this installer on the Domain Controller.
9. Follow the on-screen prompts.
10. When prompted in the installer, enter the installation key copied in step 7.
    Note
    Do not close the connector panel before you have entered these credentials.
11. When the installation completes, in Insights, click Close Key.
12. In the confirmation message:
    - click View Credentials if you have not completed installation. Once closed, you cannot access the key again.
    - click Close Credentials if you've completed installation. The panel closes and the key is no longer accessible.
13. Click Available Connectors.
    The Available Connectors list displays.
14. Verify your connector is in the Available Connectors list.
Update or reinstall the Insights Collector
Update the Insights Collector
The Insights Collector updates automatically when a new version becomes available, without any need for manual installation.
Reinstall the Insights Collector installer for Microsoft Active Directory
1. From the top left of any page in Insights, click > Insights > Connectors.
   The Connectors page displays with Configured connectors shown by default.
2. Locate the Insights Collector you wish to reinstall.
3. Click > View Connector.
   The connector's Overview page displays.
4. Click Settings.
5. Locate and click the download the installer link on the page.
   Note
   This link re-downloads the installer created during your connector setup. If you have already used the installation key provided during initial setup, you must create a new Insights connector.
6. Follow the on-screen prompts until complete.
Password auditing in Microsoft Active Directory
Prerequisites
The password auditing feature of the Insights Collector must be installed and configured on a member server in your Active Directory.
Because password auditing reads password hashes replicated from the domain, the member server must be treated as a Tier 0 asset: access to it must require the highest level of privilege, the same as for a domain controller.
Note
For more information, see Protecting Tier 0 the Modern Way.
Ensure the following requirements are met before installation:
- Member Server: The installer must be run on a Windows Server joined to the domain you want Identity Security Insights to access. The suggested minimum server specifications are 16 GB RAM and a dual-core CPU.
- Connectivity: The member server must be able to:
  - connect to Active Directory using SSL on TCP 636. If SSL/636 is not available, the installer can optionally be configured to use TCP 389.
  - connect outbound to Identity Security Insights via the following URLs:
- Time zone: The domain controller and the member server where the Insights Collector is installed must be configured to the same time zone.
How it works
With the replication permissions granted to the service account, the member server can retrieve the Active Directory accounts' password hashes in the same way a domain controller replicates them. These hashes do not leave the member server and are not stored on disk.
The hashes are compared locally against the Insights password audit database (which consists of internal lists and third-party checks, including https://haveibeenpwned.com/Passwords), and the comparison produces password audit events that indicate whether each audit check passed or failed for the account. These events do not include the account's password hash.
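Retrieving password hashes through replication requires the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain naming context, the same rights a DCSync-style attack needs, which is why the member server and its service account are Tier 0. As an added example (not BeyondTrust's code), the script below enumerates which principals hold those rights so you can confirm the grant to the service account and spot anything unexpected. The extended right GUIDs are the schema's well-known values; the service account name svc-insights and the list of expected holders are assumptions to adjust for your domain.

```powershell
# Added example, not BeyondTrust code: who holds the directory replication extended rights on the domain.
# Assumptions (not from the page): service account CONTOSO\svc-insights; the expected-holder list reflects
# a default domain ACL and must be adjusted to your environment.
Import-Module ActiveDirectory
$ADR = [System.DirectoryServices.ActiveDirectoryRights]

# Well-known control access right GUIDs from the AD schema.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolder {
    param([string]$DomainDn = (Get-ADDomain).DistinguishedName)
    # Explicit ACEs on the domain head. A grant to a group covers all of its (nested) members, so
    # a service account that appears nowhere here may still hold the right through a group.
    (Get-Acl -Path "AD:\$DomainDn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            $rights = $_.ActiveDirectoryRights
            $guid   = $_.ObjectType.ToString()
            $right  = if ($rights.HasFlag($ADR::GenericAll)) {
                          'GenericAll (includes all replication rights)'
                      } elseif ($rights.HasFlag($ADR::ExtendedRight) -and $guid -eq [guid]::Empty.ToString()) {
                          'All extended rights (includes replication rights)'
                      } elseif ($rights.HasFlag($ADR::ExtendedRight) -and $ReplicationRights.ContainsKey($guid)) {
                          $ReplicationRights[$guid]
                      }
            if ($right) {
                [pscustomobject]@{ Principal = $_.IdentityReference.Value; Right = $right }
            }
        }
}

function Test-ReplicationRightHolder {
    param(
        # Principals that normally hold these rights on a default domain, plus the collector's account.
        [string[]]$Expected = @(
            'BUILTIN\Administrators',
            'NT AUTHORITY\SYSTEM',
            'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
            "$env:USERDOMAIN\Domain Controllers",
            "$env:USERDOMAIN\Enterprise Read-only Domain Controllers",
            "$env:USERDOMAIN\Domain Admins",
            "$env:USERDOMAIN\Enterprise Admins",
            "$env:USERDOMAIN\svc-insights"          # assumed service account name
        )
    )
    $holders    = @(Get-ReplicationRightHolder)
    $unexpected = @($holders | Where-Object { $Expected -notcontains $_.Principal })
    [pscustomobject]@{
        Holders    = $holders | Sort-Object Principal, Right
        Unexpected = $unexpected
    }
}

$report = Test-ReplicationRightHolder
$report.Holders | Format-Table -AutoSize
if ($report.Unexpected) {
    Write-Warning ("Unexpected replication right holders: " +
        (($report.Unexpected.Principal | Select-Object -Unique) -join ', '))
}
```

Provided the domain object's SACL audits Control Access, each replication request is recorded on the domain controllers as event 4662 with these GUIDs in its Properties field. The collector already gathers 4662, so expect the service account to appear there on each audit run, and treat the same GUIDs from any other principal as a DCSync indicator.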
Create the Microsoft Active Directory connector
1. On the Insights Tenant dashboard, navigate to Menu > Connectors > Available and select Create Connector beside Insights Collector.
2. In the Connection panel, enter a human-readable name for your Microsoft AD connector, and click Create Connector to continue.
3. Download and run the installer provided on the following page.
4. Enter the installation key generated by Insights when prompted by the installer. Do not close the connector panel before you have entered these credentials.
5. After you provide your credentials to the installer, click Close Key.
6. Navigate to the Configured Connectors panel (Menu > Connectors > Configured) to confirm the connector is successfully created and review any connector settings.
Update or reinstall the Active Directory connector
The Identity Security Insights Active Directory connector updates automatically when a new version becomes available, without any need for manual installation, but you can manually reinstall it.
- Navigate to Menu > Connectors > Configured, and click the ellipsis to the right of your Active Directory connector.
- Click View Connector, and navigate to Settings.
- On the Active Directory settings page, download the installer created during your initial connector setup. If you have already used the installation key provided during setup, you must create a new connector.