Microsoft Windows Active Directory Context

About The Device

When we review an event log, we have a lot of information available to us about the action that was taken on an asset, no matter if the log source is an endpoint, network or authentication event, to name just a few.

Device Information

Collection Method

Port Requirements

To facilitate secure communication and align with our best practice, we strongly encourage the use of Transport Layer Security (TLS) between your security devices and our Adaptive MxDR platform for event forwarding.

While we understand that TLS support may not be available on all devices, if your devices do support TLS communication, we recommend utilizing port 10014 for seamless integration.

In some cases, the upgraded version of the device might incorporate TLS support without prior notice. If you come across such a scenario or for further assistance in configuring TLS, we kindly ask you to reach out to your dedicated Adaptive MxDR Service Delivery Lead.

Device Configuration

Prerequisite

Obtain the CyberHub Certificate by contacting the Accenture Onboarding Team.

To Configure Windows Server

1. Configure all systems with the UTC time zone.

2. Create and set up a Powershell script to gather log data and store it in an output file on each Microsoft Windows Active Directory server.

3. Create a file with the ps1 extension and paste the below code.

   # Set the location where the log file will be written $OUTPUT_FILENAME="<Path_of_the_output_file>" If (Test-Path -Path $OUTPUT_FILENAME) { Remove-Item -path $OUTPUT_FILENAME -ErrorAction SilentlyContinue} # USER_CONTEXT: Gets all Active Directory users and their properties. Get-ADUser -Filter * -properties samAccountName | % { Get-ADUser $_.SamAccountName -properties * | ConvertTo-JSON -compress | Out-File -encoding utf8 $OUTPUT_FILENAME -Append } # ASSET_CONTEXT: Gets all Active Directory assets and their properties. Get-ADComputer -Filter * -properties samAccountName | % { Get-ADComputer $_.SamAccountName -properties * | ConvertTo-JSON -compress | Out-File -encoding utf8 $OUTPUT_FILENAME -Append }

4. Create a recurring task that runs the script to fetch and write data to the output file.

5. Open the Task Scheduler application.

6. Click on "Create task" on the right panel.

7. Enter the Name and Description for the task.

8. Select the "Run with highest privileges" checkbox to make sure all data is retrieved.

Open

9. In the "Triggers" tab, define when you want to repeat the task.

Open

10. In the "Action" tab, add a new action and provide the path of the file where the script is stored.

To Configure NXLog Agent for log forwarding

1. Download and install the NXLog agent from the following location: https://nxlog.co/products/nxlog-community-edition/download.

2. Navigate to services.msc and stop the nxlog service.

3. Go to the folder "C:\Program Files\nxlog\data" and delete the file "configcache.dat" if it present.

4. Navigate to the installed location "C:\Program Files\nxlog\conf." Rename the attached file to "nxlog.conf" and copy it into this folder.

5. Replace the placeholder "CyberHub IP" with the actual CyberHub IP in the nxlog.conf file.

6. Replace the placeholder "output_file_location" with the actual full path of the Powershell script output file in the nxlog.conf file.

7. Copy the previously created certificate on Windows machine where nxlog agent is installed and mentioned this cert path in nxlog.conf against "CAFile" on line number 52.

8. Now, start the nxlog service from services.msc.

9. NXLog agent logs will be available at the location "C:\Program Files\nxlog\data\nxlog.log".

10. The log flow should work, and you can check it using tcpdump with the command "tcpdump --AA port 10014"

Integration Parameters

Parameters required from customer for Integration.