Microsoft Active Directory

If Microsoft Active Directory is used as the source of information, you need to complete the following steps:

Step 1. Configure the UserID agent settings for monitoring Microsoft AD.
The UserID agent parameters were discussed earlier.

Step 2. Configure the event source.
Configure Microsoft Active Directory as the source. See below for more information on the source settings.

When using AD servers as event sources, NGFW performs WMI queries against them to find successful logon events (event ID 4624), Kerberos events (event IDs 4768, 4769, 4770) and group membership events (event ID 4627). The querying frequency is defined in the UserID agent settings (Polling interval). The received events are displayed on the Logs and reports tab under Logs ➜ UserID agent ➜ Windows Active Directory log.
When adding an event source of Microsoft Active Directory type, you need to specify the following settings:

Enabled: Enable/disable receiving logs from the source.

Name: The source name.

Description: An optional description of the source.

Server address: Microsoft Active Directory address.

Protocol: AD access protocol (WMI).

Name: The username for connecting to AD.

Password: The user's password for connecting to AD.

Auth profile: The authentication profile used to look up users found in AD logs.

For more details on profiles, see the section Authentication Profiles.
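Before entering the server address and account in the event source, it is worth confirming from an administrative workstation that the same account can read the domain controller's Security log over WMI and that the log actually contains the event IDs the UserID agent polls for. The script below is an added example, not part of the product documentation; the server name, the lookback window and the credential prompt are assumptions.

```powershell
# Added example: check that the account used in the AD event source can read the
# DC's Security log over WMI (DCOM) and that the polled event IDs are present.
param(
    [string]$Dc = 'dc01.example.local',   # assumed: the value entered under "Server address"
    [int]$LookbackMinutes = 5             # assumed: roughly one polling interval
)

# Same account that will be entered under Name / Password in the event source.
$cred = Get-Credential -Message "Account used in the AD event source"

# Event IDs the UserID agent searches for: logon, Kerberos, group membership.
$eventIds = 4624, 4768, 4769, 4770, 4627
$idFilter = ($eventIds | ForEach-Object { "EventCode=$_" }) -join ' OR '

# Win32_NTLogEvent compares timestamps in DMTF format, e.g. 20240101120000.000000+000
$since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime(
    (Get-Date).AddMinutes(-$LookbackMinutes))

$wql = "SELECT EventCode, TimeGenerated FROM Win32_NTLogEvent " +
       "WHERE Logfile='Security' AND ($idFilter) AND TimeGenerated >= '$since'"

# DCOM rather than WS-Man, so the check exercises classic WMI like the event source does.
$opt = New-CimSessionOption -Protocol Dcom
$session = New-CimSession -ComputerName $Dc -Credential $cred -SessionOption $opt

try {
    $events = Get-CimInstance -CimSession $session -Query $wql
    if (-not $events) {
        Write-Warning "Connected to $Dc, but no matching events in the last $LookbackMinutes min; check Security log auditing."
        return
    }
    # One count per event ID, so a missing category (e.g. no 4627) stands out.
    $events | Group-Object EventCode | Sort-Object Name |
        Select-Object @{ n = 'EventID'; e = { $_.Name } }, Count | Format-Table -AutoSize
}
catch {
    # Typical causes: RPC/DCOM ports blocked, or the account lacking remote WMI and
    # Security log read rights (e.g. not in Event Log Readers / Distributed COM Users).
    Write-Error "WMI query against $Dc failed: $($_.Exception.Message)"
}
finally {
    Remove-CimSession -CimSession $session
}
```

If the query succeeds but some IDs never appear, the corresponding audit subcategories on the DC are most likely not enabled, and the UserID agent will have nothing to map for those logon types.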