Overview
Blumira’s modern cloud SIEM platform integrates with Microsoft’s Active Directory to detect cybersecurity threats and provide an automated or actionable response to remediate when a threat is detected on an endpoint.
After you complete the integration procedure below, Active Directory will stream security event logs and alerts to Blumira’s platform for threat detection and actionable response leveraging event information about users and computers.
A few examples of Active Directory detections include user behavioral analytics, credential spraying, rogue domain administration, and much more. The integration with Active Directory is also commonly used for audit purposes defined in common compliance frameworks such as PCI DSS and NIST 800-171.
Integration options
You have three options for completing the integration to collect Microsoft AD logs. Choose one of the following options:
- Using Blumira Agent
- Using a Blumira sensor with Poshim to automate configurations
- Using a Blumira sensor with manual configurations
Using Blumira Agent
Blumira Agent is an option to complete this integration, as it automatically collects Microsoft AD logs along with other Windows logs when it is deployed on a Windows machine. The agent can be deployed with one install script and can quickly complete all required steps for successful log collection. If you choose to use Blumira Agent for this integration, no other steps on this page are needed.
Reference: See Installing Blumira Agent on a remote device for instructions.
Using a Blumira sensor with Poshim to automate configurations
You can integrate with AD using Blumira’s Poshim (PowerShell Shim) script, which is designed to ensure that you are collecting the right data from hosts across your entire environment. Poshim handles the installation and configuration for NXLog and Sysmon to ship logs over Sysmon to a targeted IP.
Reference: See Automating Windows log collection with Poshim for instructions.
If you choose to use Poshim for this integration, nothing further is needed on this page. For manual configuration, continue reading below.
Using a Blumira sensor with manual configurations
You can perform a manual setup that includes all of the steps that have been automated in the options above. The full procedure is provided below.
Sensor installation
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.
Windows NXLog setup
Blumira uses NXLog in order to collect logs from Active Directory. NXLog is a multi-platform log management tool that helps to easily identify security risks, policy breaches or analyze operational problems in server logs, operation system logs and application logs.
In concept, NXLog is similar to Syslog-ng or Rsyslog, but it is not limited to UNIX and Syslog only.
Setting up a standard host
- Download and install the newest stable NXLog Community Edition.
- Replace C:\Program Files (x86)\nxlog\conf\nxlog.conf with the Blumira nxlog configuration file found here: https://storage.googleapis.com/blumira-shipping-configurations/nxlog/nxlog.conf
- Open the configuration file for editing as an administrator replace A.B.C.D. with the actual IP address of the Blumira Sensor at line 21. The edited line should look like this:
define SIEM 10.11.12.13
- Save the file.
- Open Windows Services and restart the NXLog service. You can also run net start nxlog to start the service in an administrator command prompt.
- Log in to Blumira and verify that you are receiving NXLog events by navigating to Settings > Sensors > Logging Devices or by reviewing your Security dashboard.
If you are using Windows 2003:
- You should use this configuration instead of the aforementioned configuration:
https://storage.googleapis.com/blumira-shipping-configurations/nxlog/nxlog_2003.conf - It can be placed in the same location, assuming you are using x86 version of Windows 2003, C:\Program Files\nxlog\conf\nxlog.conf.
- This configuration strips out a number of features that the 2008+ version has. We strongly recommend using the latest version of Sysmon that supports Windows 2003 to fill in the holes that are lost due to the Windows 2003 event log not being very verbose.
- You do not need to set up any additional logging on the host, no additional steps are required beyond the hardening guide.
- Please reach out to support@blumira.com for our Windows 2003 hardening and visibility guide.
Setting up IIS Logging
Event Viewer Collection for IIS – Recommended
With the configuration file change on 2019/10/16, updates to the configuration file are no longer required to support IIS. If you currently use IIS, you should run the following commands in an Administrative command prompt to enable logging:
wevtutil sl Microsoft-IIS-Configuration/Administrative /e:true wevtutil sl Microsoft-IIS-Configuration/Operational /e:true wevtutil sl Microsoft-IIS-Logging/Logs /e:true
If IIS is not installed you will get an error. It is non-harmful if being used across a broad deployment.
Lastly, each IIS server will need its logging configuration changed in Log Event Destination to support the Event Log.
- Navigate to your IIS Manager > Server Configuration > Logging.
- Select Both log file and ETW event.
- Restart nxlog from the services console or with the following command:
net stop nxlog && net start nxlog
Direct Log File Collection
Note: This is an option - instead of the recommended collection option above - if you have an older nxlog.conf that you want to use.
If you are leveraging IIS on a server and would like to collect the access logs associated with it, a few small modifications are required to the aforementioned nxlog.conf file that you downloaded from above. In most cases just enabling logging for your IIS Site and uncommenting the section in nxlog.conf will be all that is required from the below steps.
- Check that you have Logging enabled on your IIS instance.
- Go to your IIS Manager>Server Configuration>Logging
- Ensure that your main Logging configuration matches the below configurations. The locations of the log file(s) can be in a different place than the default, but, the actual field selection seen in the below image must match or the data will fail to parse appropriately.
When you click on Select Fields… next to W3C format, the fields seen below should be selected in this order. Your Standard Fields output should look exactly like the following image.
- Once you have validated that the logging is set up correctly and the logs are either in the default path or you are aware as to where they are located, you can proceed to the next step.
- Open up nxlog.conf downloaded from the previous section and navigate to Windows IIS Event Logs START. If your logs are in the default location, C:\inetpub\logs\LogFiles\, then you likely do not need to make any changes. Otherwise, change the File path at line 201 to be where your logfiles are located and named, e.g., C:\logfiles\site* if all files are rotating at C:\logfiles\site_log1.log.
- Uncomment the section, this means that you will remove all # from the beginning of the lines. Starting at #<Extension w3c> until #</Route> above the Windows IIS Event Logs END block.
- You can now restart your nxlog instance, net stop nxlog && nx start nxlog and IIS logs will now show up as http_access on your Sensor Details page.
Note: If you have more than one Site on your host, you will need to ensure that each Site is configured appropriately for Logging. Then, you will need to copy and paste the entire Windows IIS Event Logs START to END block and change the File parameters appropriately for those log files.
Setting up Windows Firewall logging
*Tested from Server 2012 to Current
Windows Firewall Logging has some significant benefits, but it does increase the amount of logs and data being extracted from your host. Blumira recommends implementing this configuration in areas where you do not have good visibility within the network.
Note: Successful logging requires the on-host firewall to be enabled and functioning in the appropriate policies. In situations where your Windows Firewall has been disabled, this will only set the FirewallProfile and not necessarily enable it. Please review Microsoft documentation pertaining to your on-host firewall for more details. Blumira always recommends least-access, only expected protocols should be allowed when possible, however, even just having it to default policies and enabled will allow log collection to function.
Enabling using Powershell
To reduce noise, Blumira recommends setting this up to only log out Dropped traffic by the Firewall. While Allowed traffic can be sent, it will drastically increase noise within your logging infrastructure and will essentially log all traffic from that host. Blumira recommends only doing this in situations where you have a highly sensitive host that does not traverse any other logging that Blumira captures.
Recommended Powershell command:
Set-NetFirewallProfile –LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log -LogBlocked True -LogAllowed False -LogIgnored True
If significant verbosity is required, use this command, which will also log Allowed connections:
Set-NetFirewallProfile –LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log -LogBlocked True -LogAllowed True -LogIgnored True
Enabling using GPO
You will need to ensure that logging is enabled for the Windows FW via GPO for Dropped packets only. Adding successful packets will most likely be unnecessarily verbose unless you require visibility due to lack of segmentation.
- Open the appropriate group policy object
- Navigate to Computer Configuration>Windows Settings>Security Settings>Windows Defender Firewall with Advanced Security>Windows Defender Firewall Properties* Example of the local Group Policy editor, refer to this link for Domain-specific guidance to deploy GPOs for Windows Firewall.For each network location type (Domain, Private, Public), perform the following steps.
- Click the tab that corresponds to the network location type.
- Under Logging, click Customize.
- No need to change the location, the configuration assumes that you will have it in the default place.
- Ensure that you only selected Log dropped packets as Yes, unless you require significant visibility Log successful connections should be No.
- Click OK
- If you did not change the default path for the Logging file, you only need to uncomment the Windows Firewall Logs section.
- Uncomment the section, this means that you will remove all # from the beginning of the lines.
- Starting at #<Extension csv_windows_fw> until #</Route> above the Windows Firewall Logs END block.
- Restart nxlog from the services console or with the following command:
net stop nxlog && net start nxlog
Reference
- http://nxlog.org/docs
- http://nxlog.org/products/nxlog-community-edition
- http://www.ietf.org/rfc/rfc3164.txt
- http://www.ietf.org/rfc/rfc5424.txt
- https://nxlog.org
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log
- nxlog-ce-2.10.2150.msi