One of the most relevant forms of event context in a SIEM is user identity, and the most common source of that context in an enterprise is the Active Directory database maintained by a Windows Domain Controller (DC). Once the DC is connected to the SIEM, operators can filter queries by specific domain users and/or groups and include user and group context in correlation rules. Examples of this are provided in a later section of this document.
Connecting to Windows
To connect the SIEM to a Windows DC, the following steps must be taken.
- Click on the Asset Manager icon from the Quick Launch menu. The Asset manager window will open.
- Select the Asset Sources tab.
- Select the ESM object from the list of available devices. It is from this device that the Active Directory connection will be made.
- Click the Add button.
- Enter a Name for the Domain Controller.
- Enter the IP Address of the Domain Controller.
- Enter an authorized Username in UPN format, for example firstname.lastname@example.org. The ESM will use this account to bind to AD, so it must have read permission on the AD tree. Use a dedicated service account with read permission only, not a personal or administrative account: the ESM stores the password in order to re-query the directory on a schedule.
- Enter the Password used by this user to authenticate.
- Enter the appropriate Search Base that will be used to enumerate the domain groups and users. Example: dc=domain,dc=tld.
- Configure the retrieval interval and time. The default settings query Active Directory once daily at midnight.
- Click the Connect button to test the connection to the Domain Controller.
- If the connection test is successful, a dialog box will open to confirm. Click OK.
- If the connection to the Domain Controller is unsuccessful, a dialog box will open indicating that the connection test failed. If this happens, check the IP address of the Domain Controller, the port on which the LDAP query is made (default 389), the username (in the correct UPN format, e.g. email@example.com), the password, and the Search Base. Ask the customer whether TLS is required to connect to this Domain Controller and, if so, enable it using the check box provided on the Asset Data Source form. Note that a DC configured to require LDAP signing rejects a simple bind over plaintext LDAP, so this is a common cause of a failed test. Note also that without TLS the simple bind sends the account password to the DC in clear text; prefer TLS wherever the DC supports it.
- Once the connection test to the Domain Controller is successful, click OK.
- Click the Write button in the bottom left of the Asset Sources window. The Writing changes to device window will open.
- After the changes have been successfully written to the device, click Close.
- Select the newly created Active Directory Domain Controller from the list of available asset sources.
- Click the Retrieve button.
- A dialog box will open indicating that the Active Directory user and group data is being retrieved. Depending on the size of the customer's Active Directory, this process may take several minutes or longer to complete.
- When the Active Directory data retrieval has successfully completed, a dialog box will open. Click OK.
- Close the Asset Manager window.
To confirm the successful retrieval of Active Directory user and group information, follow these steps.
- Scroll down the list of objects in the Filter Panel to the Source User form field.
- Click the Filter icon beside the Source User field. The Filter Variables window will open. You should see the domain from which you retrieved user and group information.
- Expand the domain object to display the groups enumerated from the Active Directory.
- Expand the group Administrators.Builtin to see a list of Active Directory administrators.
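The following PowerShell script is an added example, not part of the ESM documentation or product. It reproduces, from a Windows host with network access to the DC, the three things the steps above exercise through the GUI: the Connect test (a simple LDAP bind as the UPN-format account, optionally over TLS), the Retrieve step (a paged subtree search for groups under the Search Base), and the Administrators.Builtin verification (a lookup of the Builtin Administrators group). Running it with the same values entered on the Asset Data Source form narrows a failed test down to the address, port, credentials, TLS setting or Search Base. The DC address, account name and search base below are hypothetical placeholders.

```powershell
<#
  Added example (not from the ESM documentation): reproduce the Asset Manager
  Connect / Retrieve checks and the Administrators.Builtin lookup with the same
  inputs the form asks for. Hypothetical values: DC 10.0.0.10, account
  siem.reader@example.org, search base dc=example,dc=org.
#>
param(
    [string]$Server     = "10.0.0.10",               # hypothetical DC address
    [int]   $Port       = 389,                       # 389 = LDAP (or StartTLS), 636 = LDAPS
    [string]$BindUpn    = "siem.reader@example.org", # hypothetical read-only service account
    [string]$SearchBase = "dc=example,dc=org",       # hypothetical search base
    [switch]$StartTls                                # upgrade the port-389 session with StartTLS
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

$cred  = Get-Credential -UserName $BindUpn -Message "Password of the SIEM read-only account"
$ident = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
$conn  = [System.DirectoryServices.Protocols.LdapConnection]::new($ident)
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind, as the form does
$conn.Timeout  = [TimeSpan]::FromSeconds(15)

if ($Port -eq 636) {
    $conn.SessionOptions.SecureSocketLayer = $true              # LDAPS
} elseif ($StartTls) {
    $conn.SessionOptions.StartTransportLayerSecurity($null)     # StartTLS before the bind
} else {
    Write-Warning "Plain LDAP: the simple bind sends the password in clear text, and a DC that requires LDAP signing will reject it."
}
# The DC certificate must chain to a CA trusted by this host. Do not disable
# verification (SessionOptions.VerifyServerCertificate) outside a lab.

# 1. Connect test: does the bind succeed with this address, port, UPN, password and TLS setting?
try {
    $conn.Bind($cred.GetNetworkCredential())
    Write-Host "Bind OK: $BindUpn on ${Server}:$Port"
} catch {
    Write-Error "Bind FAILED: $($_.Exception.Message). Check IP, port, UPN format, password and the TLS setting."
    exit 1
}

# Paged subtree search. Paging matters for large directories: AD caps a single
# unpaged result at its MaxPageSize (1000 entries by default).
function Search-Paged([string]$Base, [string]$Filter, [string[]]$Attrs) {
    $req  = [System.DirectoryServices.Protocols.SearchRequest]::new(
                $Base, $Filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, $Attrs)
    $page = [System.DirectoryServices.Protocols.PageResultRequestControl]::new(500)
    [void]$req.Controls.Add($page)
    $entries = @()
    do {
        $resp = $conn.SendRequest($req)
        foreach ($e in $resp.Entries) { $entries += $e }
        $next = $resp.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
        $page.Cookie = $next.Cookie
    } while ($page.Cookie -and $page.Cookie.Length -gt 0)
    return $entries
}

# 2. Retrieve step: enumerate the groups under the Search Base.
try {
    $groups = Search-Paged $SearchBase "(objectClass=group)" @("cn")
    Write-Host ("Search base OK: {0} groups under {1}" -f $groups.Count, $SearchBase)
} catch {
    Write-Error "Search FAILED: $($_.Exception.Message). Check the Search Base (e.g. dc=domain,dc=tld)."
    exit 1
}

# 3. Verification step: the members of Administrators in the Builtin container,
#    the same list shown by expanding Administrators.Builtin in the Source User filter.
$admins = Search-Paged "cn=Builtin,$SearchBase" "(&(objectClass=group)(cn=Administrators))" @("member")
if ($admins.Count -gt 0) {
    Write-Host "Members of Administrators.Builtin:"
    foreach ($m in $admins[0].Attributes["member"].GetValues([string])) { Write-Host "  $m" }
} else {
    Write-Warning "Builtin Administrators group not found under cn=Builtin,$SearchBase"
}
```

Run it with -Port 636 for LDAPS or with -StartTls for StartTLS on 389; a bind that succeeds only once one of these is set is the case in which the TLS check box on the Asset Data Source form must be enabled.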
Now that the Active Directory users and groups have been enumerated into the SIEM, they can be used in filter queries, correlation rules and reports.