Fortinet black logo

External Systems Configuration Guide

Microsoft Active Directory

Microsoft Active Directory

What is Discovered and Monitored

Protocol

Information discovered

Metrics collected

Used for

LDAP User details, Password age Security Monitoring, User meta data for log
WMI

Win32_PerfRawData_NTDS_NTDS class: Directory Search Rate, Read Rate, Write Rate, Browse Rate, LDAP search rate, LDAP Bind Rate, New LDAP Connection Rate, Successful LDAP Bind Rate, LDAP Active Threads, LDAP Bind Time, LDAP Client Sessions Performance Monitoring
WMI "dcdiag -e" command output - detect successful and failed domain controller diagnostic tests Domain Controller Replication status
WMI "repadmin /replsummary" command output - detect replication statistics Domain Controller Replication status

Event Types

  • PH_DISCOV_ADS_ACCOUNT_TO_EXPIRE (Active Directory account to excpire in 2 weeks)
  • PH_DISCOV_ADS_ACCT_DISABLED (Accounts Disabled)
  • PH_DISCOV_ADS_DORMANT_ACCT (Dormant User Acounts - not log on in last 30 days)
  • PH_DISCOV_ADS_PASSWORD_NEVER_EXPIRES (Active Directory user password never expires)
  • PH_DISCOV_ADS_PASSWORD_NOT_REQD (Active Directory user password not required)
  • PH_DISCOV_ADS_PASSWORD_STALE (Active Directory user password stale - more than 90 days)
  • PH_DISCOV_ADS_PASSWORD_TO_EXPIRE (Active Directory user password to excpire in 2 weeks)
  • PH_DEV_MON_DCDIAG (output of "dcdiag -e" command)
    [PH_DEV_MON_DCDIAG]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT,[errReason]="",[testResult]="passed",[testSubject]="WIN-IGO8O8M5JVT",[testName]="NCSecDesc"
  • PH_DEV_MON_SRC_AD_REPL_STAT (output of "repadmin /replsummary" command)
    [PH_DEV_MON_SRC_AD_REPL_STAT]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT, [largestReplDelta]=">60 days",[failureCount]=0.00,[count]=5.00,[failurePct]=0.00,[srcName]="WIN-IGO8O8M5JVT",[errReason]="" 
  • PH_DEV_MON_DST_AD_REPL_STAT (output of "repadmin /replsummary" command)
     [PH_DEV_MON_DST_AD_REPL_STAT]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT, [largestReplDelta]=">60 days",[failureCount]=0.00,[count]=5.00,[failurePct]=0.00,[destName]="WIN-IGO8O8M5JVT",[errReason]=""

Rules

  • Failed Windows DC Diagnostic Test

Reports

  • Successful Windows Domain Controller Diagnostic Tests
  • Failed Windows Domain Controller Diagnostic Tests
  • Source Domain Controller Replication Status
  • Destination Domain Controller Replication Status

Configuration

WMI

See WMI Configurations in the Microsoft Windows Server Configuration section.

Active Directory User Discovery

If you want to add Active Directory users to FortiSIEM, follow these steps in the FortiSIEM UI.

  1. Add the login credentials for Active Directory server and associate them to an IP range.
  2. Discover the Active Directory server.

If the Active Directory server is discovered successfully, then all of the users and their properties will be added to FortiSIEM.

After the users have been added to FortiSIEM, you can re-run discovery to get new changes from Active Directory. You cannot make changes in FortiSIEM as this will inevitably make FortiSIEM out of synch with Active Directory.

Since Active Directory can contain many users, it is possible to choose a sub-tree by specifying a base DN (see below).

Adding Active Directory login credentials to FortiSIEM
  1. Log in to your Supervisor UI.
  2. Go to ADMIN > Setup > Credentials.
  3. Click New to create an LDAP discovery credential by entering the following in the Access Method Definition dialog box:
    1. Name: a name for the credential.
    2. Device Type: select Microsoft Windows.
    3. Access Protocol:
      1. By default, LDAP servers listen on TCP port 389.
      2. LDAPS (LDAP with SSL) defaults to port 636.
      3. LDAP Start TLS defaults to port 389.
    4. Used For: select Microsoft Active Directory.
    5. Enter the root of the LDAP user tree that you want to discover. For example, dc=companyABC,dc=com or ou=Org1,dc=companyABC,dc=com
    6. NetBIOS/Domain: enter the NetBIOS/Domain value.
    7. User Name: enter the user name for your LDAP directory.

      The user should be a member of the Domain Users group in Active Directory. See the Validating LDAP Credentials and Permissions for information on how to validate this membership.

    8. Enter and confirm the Password for your User.
    9. Click Save. Your LDAP credentials will be added to the list of credentials.
  4. Under Enter IP Range to Credential Associations, click Add.
  5. Select your LDAP credentials from the list of Credentials. Click + to add more.
  6. Enter the IP/IP Range or host name for your Active Directory server.
  7. Click Save. Your LDAP credentials will appear in the list of credential/IP address associations.
  8. Click Test > Test Connectivity to make sure you can connect to the Active Directory server.
Discovering users in FortiSIEM
  1. Go to ADMIN> Discovery and click Add.
  2. For Name, enter Active Directory.
  3. For Include Range, enter the IP address or host name for your Active Directory server.
  4. Click OK. Active Directory will be added to the list of discoverable devices.
  5. Select the Active Directory device and click Discover.
  6. After discovery completes, go to CMDB > Users to view the discovered users. You may need to click Refresh to load the user tree hierarchy.

To get user updates in Active Directory, simply re-run discovery.

Validating LDAP Credentials and Permissions

  1. Log in to your Active Directory server.
  2. Open the Active Directory console from the command prompt and execute the dsa.msc command.
  3. From the Active Directory console, select the User that added in FortiSIEM Supervisor.

  4. Right click the selected User and check Properties.
  5. The User should be a member of Domain Users.
  6. On FortiSIEM Base DN should match, example: DC=accelops,DC=net.

Microsoft Active Directory

What is Discovered and Monitored

Protocol

Information discovered

Metrics collected

Used for

LDAP User details, Password age Security Monitoring, User meta data for log
WMI

Win32_PerfRawData_NTDS_NTDS class: Directory Search Rate, Read Rate, Write Rate, Browse Rate, LDAP search rate, LDAP Bind Rate, New LDAP Connection Rate, Successful LDAP Bind Rate, LDAP Active Threads, LDAP Bind Time, LDAP Client Sessions Performance Monitoring
WMI "dcdiag -e" command output - detect successful and failed domain controller diagnostic tests Domain Controller Replication status
WMI "repadmin /replsummary" command output - detect replication statistics Domain Controller Replication status

Event Types

  • PH_DISCOV_ADS_ACCOUNT_TO_EXPIRE (Active Directory account to excpire in 2 weeks)
  • PH_DISCOV_ADS_ACCT_DISABLED (Accounts Disabled)
  • PH_DISCOV_ADS_DORMANT_ACCT (Dormant User Acounts - not log on in last 30 days)
  • PH_DISCOV_ADS_PASSWORD_NEVER_EXPIRES (Active Directory user password never expires)
  • PH_DISCOV_ADS_PASSWORD_NOT_REQD (Active Directory user password not required)
  • PH_DISCOV_ADS_PASSWORD_STALE (Active Directory user password stale - more than 90 days)
  • PH_DISCOV_ADS_PASSWORD_TO_EXPIRE (Active Directory user password to excpire in 2 weeks)
  • PH_DEV_MON_DCDIAG (output of "dcdiag -e" command)
    [PH_DEV_MON_DCDIAG]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT,[errReason]="",[testResult]="passed",[testSubject]="WIN-IGO8O8M5JVT",[testName]="NCSecDesc"
  • PH_DEV_MON_SRC_AD_REPL_STAT (output of "repadmin /replsummary" command)
    [PH_DEV_MON_SRC_AD_REPL_STAT]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT, [largestReplDelta]=">60 days",[failureCount]=0.00,[count]=5.00,[failurePct]=0.00,[srcName]="WIN-IGO8O8M5JVT",[errReason]="" 
  • PH_DEV_MON_DST_AD_REPL_STAT (output of "repadmin /replsummary" command)
     [PH_DEV_MON_DST_AD_REPL_STAT]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT, [largestReplDelta]=">60 days",[failureCount]=0.00,[count]=5.00,[failurePct]=0.00,[destName]="WIN-IGO8O8M5JVT",[errReason]=""

Rules

  • Failed Windows DC Diagnostic Test

Reports

  • Successful Windows Domain Controller Diagnostic Tests
  • Failed Windows Domain Controller Diagnostic Tests
  • Source Domain Controller Replication Status
  • Destination Domain Controller Replication Status

Configuration

WMI

See WMI Configurations in the Microsoft Windows Server Configuration section.

Active Directory User Discovery

If you want to add Active Directory users to FortiSIEM, follow these steps in the FortiSIEM UI.

  1. Add the login credentials for Active Directory server and associate them to an IP range.
  2. Discover the Active Directory server.

If the Active Directory server is discovered successfully, then all of the users and their properties will be added to FortiSIEM.

After the users have been added to FortiSIEM, you can re-run discovery to get new changes from Active Directory. You cannot make changes in FortiSIEM as this will inevitably make FortiSIEM out of synch with Active Directory.

Since Active Directory can contain many users, it is possible to choose a sub-tree by specifying a base DN (see below).

Adding Active Directory login credentials to FortiSIEM
  1. Log in to your Supervisor UI.
  2. Go to ADMIN > Setup > Credentials.
  3. Click New to create an LDAP discovery credential by entering the following in the Access Method Definition dialog box:
    1. Name: a name for the credential.
    2. Device Type: select Microsoft Windows.
    3. Access Protocol:
      1. By default, LDAP servers listen on TCP port 389.
      2. LDAPS (LDAP with SSL) defaults to port 636.
      3. LDAP Start TLS defaults to port 389.
    4. Used For: select Microsoft Active Directory.
    5. Enter the root of the LDAP user tree that you want to discover. For example, dc=companyABC,dc=com or ou=Org1,dc=companyABC,dc=com
    6. NetBIOS/Domain: enter the NetBIOS/Domain value.
    7. User Name: enter the user name for your LDAP directory.

      The user should be a member of the Domain Users group in Active Directory. See the Validating LDAP Credentials and Permissions for information on how to validate this membership.

    8. Enter and confirm the Password for your User.
    9. Click Save. Your LDAP credentials will be added to the list of credentials.
  4. Under Enter IP Range to Credential Associations, click Add.
  5. Select your LDAP credentials from the list of Credentials. Click + to add more.
  6. Enter the IP/IP Range or host name for your Active Directory server.
  7. Click Save. Your LDAP credentials will appear in the list of credential/IP address associations.
  8. Click Test > Test Connectivity to make sure you can connect to the Active Directory server.
Discovering users in FortiSIEM
  1. Go to ADMIN> Discovery and click Add.
  2. For Name, enter Active Directory.
  3. For Include Range, enter the IP address or host name for your Active Directory server.
  4. Click OK. Active Directory will be added to the list of discoverable devices.
  5. Select the Active Directory device and click Discover.
  6. After discovery completes, go to CMDB > Users to view the discovered users. You may need to click Refresh to load the user tree hierarchy.

To get user updates in Active Directory, simply re-run discovery.

Validating LDAP Credentials and Permissions

  1. Log in to your Active Directory server.
  2. Open the Active Directory console from the command prompt and execute the dsa.msc command.
  3. From the Active Directory console, select the User that added in FortiSIEM Supervisor.

  4. Right click the selected User and check Properties.
  5. The User should be a member of Domain Users.
  6. On FortiSIEM Base DN should match, example: DC=accelops,DC=net.