Active Directory Log Collection for Insights

Overview

Oort’s platform can analyze logs provided by customers to give insights into how users are accessing your applications.  To provide Insights, logs must be shared with Oort for analysis.  This document will walk you through the process of collecting the various logs needed.

Goal

This document aims to serve as a guide to help you gather logs from your organization.  Ideal sources of logging are identity, authentication, access, SIEM, Syslog, or firewalls.  The document will walk you through a collection of logs across systems discussed with the Oort team.   

Audience

This document is meant for the CISO to share with their teams to collect logs that Oort will evaluate.

Next Steps

Once log streaming has been set up, Oort will analyze the logs to provide insights into your identities.  This will include behavior, security, and any other insights that Oort can discover. 

Log Collection

For Oort to provide insights with as high fidelity as possible, integration with your primary log source is recommended. We have discussed the following log source with your team:

  • Microsoft Active Directory (AD DS)

Microsoft Active Directory

Active Directory has three primary log types that we will stream. Each log type contains a different set of information. All of the event logs available on a host can be listed through PowerShell with the command: Get-EventLog -List

  • Application – Active Directory Application-related log events.
  • Security – Active Directory Security-related log events.
  • System – Active Directory System-related log events.

Requirements for Active Directory log streaming

To set up Active Directory log streaming to Oort, you will need the following:

Installing winlogbeat

Preparing for install

To prepare for the winlogbeat install, please download the following:

Install the winlogbeat client

  • Download the winlogbeat client from the URL above

  • Extract the zip archive

    • Browse for the folder C:\Program Files and click Extract

  • Browse to winlogbeat directory

    • Open explorer and navigate to:
      C:\Program Files\winlogbeat-7.10.0-windows-x86_64

  • Replace the winlogbeat.yml file in the directory with the file provided by Oort.

    • Replace:
      C:\Program Files\winlogbeat-7.10.0-windows-x86_64\winlogbeat.yml
      With:
      winlogbeat.yml provided by Oort

Starting the winlogbeat client

  • Open a PowerShell console

  • Enter the following in the PowerShell console

    cd 'C:\Program Files\winlogbeat-7.10.0-windows-x86_64\'

  • Enter the following in the PowerShell console to test the winlogbeat configuration

    .\winlogbeat.exe test config -c .\winlogbeat.yml -e

    You should see Config OK at the end of the output.

  • Install the winlogbeat service by entering the following in the PowerShell console

    .\install-service-winlogbeat.ps1

  • Start the winlogbeat service by entering the following in the PowerShell console

    Start-Service winlogbeat

  • Verify the winlogbeat service is running by entering the following in the PowerShell console

    Get-Service winlogbeat

    If you see the Status as Running, you are done.
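The steps above can be checked in one pass with the following PowerShell script. It is an added example, not a script from Oort or Elastic: it confirms the three channels are readable, that the supplied winlogbeat.yml names each of them, that the config test reports Config OK, and that the service ends up Running. It assumes the install path used in this guide and winlogbeat's standard event_logs layout (- name: <channel>) in the YAML.

```powershell
# Added example (not Oort's or Elastic's code): verify a winlogbeat install end to end.
# Assumes the install path from this guide; adjust $WinlogbeatDir if yours differs.
$WinlogbeatDir = 'C:\Program Files\winlogbeat-7.10.0-windows-x86_64'
$ConfigPath    = Join-Path $WinlogbeatDir 'winlogbeat.yml'
$RequiredLogs  = @('Application', 'Security', 'System')

# 1. Confirm the three channels exist and are readable by this account.
#    Reading the Security log normally requires an elevated (Administrator) session.
foreach ($log in $RequiredLogs) {
    $info = Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue
    if (-not $info) { Write-Warning "Cannot read event log '$log' (run elevated?)"; continue }
    Write-Host ("{0,-12} records={1,-10} enabled={2}" -f $log, $info.RecordCount, $info.IsEnabled)
}

# 2. Check that the Oort-provided winlogbeat.yml names each channel.
#    Assumes winlogbeat's standard 'winlogbeat.event_logs:' / '- name: <channel>' layout.
$yml = Get-Content -Path $ConfigPath -Raw
foreach ($log in $RequiredLogs) {
    if ($yml -notmatch "(?m)^\s*-\s*name:\s*$log\s*`$") {
        Write-Warning "winlogbeat.yml does not list the '$log' channel"
    }
}

# 3. Validate the configuration the same way the guide does and require 'Config OK'.
#    -e sends winlogbeat's log to stderr, so merge it into the captured output.
Push-Location $WinlogbeatDir
$testOutput = (& .\winlogbeat.exe test config -c .\winlogbeat.yml -e 2>&1) | Out-String
Pop-Location
if ($testOutput -notmatch 'Config OK') { throw "winlogbeat config test failed:`n$testOutput" }

# 4. Install the service if it is missing, start it, and confirm it is running.
if (-not (Get-Service -Name winlogbeat -ErrorAction SilentlyContinue)) {
    & (Join-Path $WinlogbeatDir 'install-service-winlogbeat.ps1')
}
Start-Service -Name winlogbeat
$svc = Get-Service -Name winlogbeat
if ($svc.Status -ne 'Running') { throw "winlogbeat service is $($svc.Status), expected Running" }
Write-Host 'winlogbeat is installed, configured for Application/Security/System, and running.'
```

Run it from an elevated PowerShell console; a warning on step 1 or 2 means the host or the config will not deliver one of the three log types Oort expects.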