If Microsoft Active Directory is used as the source of information, you need:

Name | Description
---|---
Step 1. Configure the UserID agent settings to monitor Microsoft AD. | The UserID agent parameters were discussed earlier.
Step 2. Configure the event source. | Configure Microsoft Active Directory as the source. See below for more information on the source settings.
When using AD servers as event sources, NGFW performs WMI queries to search for successful logon events (event ID 4624), Kerberos events (event IDs 4768, 4769, 4770) and group membership events (event ID 4627). The query frequency is defined in the UserID agent settings (Polling interval). The events are displayed on the Logs and reports tab under Logs ➜ UserID agent ➜ Windows Active Directory log.
When adding an event source of Microsoft Active Directory type, you need to specify the following:

Name | Description
---|---
Enabled | Enable/disable receiving logs from the source.
Name | The source name.
Description | An optional description of the source.
Server address | Microsoft Active Directory address.
Protocol | AD access protocol (WMI).
Name | The username for connecting to AD.
Password | The user's password for connecting to AD.
Auth profile | The authentication profile used to look up users found in AD logs. For more details on profiles, see the section Authentication Profiles.