收集 Microsoft Windows AD 数据
此文档包含以下信息:
- 部署架构和安装步骤,以及生成 Microsoft Windows Active Directory 事件的 Google Security Operations 解析器支持的日志所需的任何配置。Google Security Operations 概览 数据注入,请参阅将数据注入到 Google Security Operations 中。
- 有关解析器如何将原始日志中的字段映射到 Google Security Operations Unified Data Model 字段的信息。
根据您的部署架构,配置 BindPlane 代理或 用于将 Microsoft Windows Active Directory 日志注入到 Google Security Operations 的 NXLog 代理。 我们建议您使用 BindPlane 代理将 Windows Active Directory 的日志转发到 Google Security Operations。
本文档中的信息适用于具有 WINDOWS_AD 注入标签的解析器。注入标签标识哪个解析器将原始日志数据标准化为结构化 UDM 格式。
准备工作
在配置 BindPlane 代理或 NXLog 代理之前,请先完成以下任务:
- 将所有系统配置为使用 UTC 时区。
- 配置 Microsoft Windows AD 服务器。
- 查看支持的设备和版本。
- 查看支持的日志类型。
配置 Microsoft Windows AD 服务器
在每个 Microsoft Windows Active Directory 服务器上,创建并配置 PowerShell 脚本以将日志数据保存到输出文件。BindPlane 代理或 NXLog 会读取输出文件。
# Set the location where the log file will be written $OUTPUT_FILENAME="<Path_of_the_output_file>" If (Test-Path -Path $OUTPUT_FILENAME) { Remove-Item -path $OUTPUT_FILENAME -ErrorAction SilentlyContinue} # USER_CONTEXT: Gets all Active Directory users and their properties. Get-ADUser -Filter * -properties samAccountName | % { Get-ADUser $_.SamAccountName -properties * | ConvertTo-JSON -compress | Out-File -encoding utf8 $OUTPUT_FILENAME -Append } # ASSET_CONTEXT: Gets all Active Directory assets and their properties. Get-ADComputer -Filter * -properties samAccountName | % { Get-ADComputer $_.SamAccountName -properties * | ConvertTo-JSON -compress | Out-File -encoding utf8 $OUTPUT_FILENAME -Append }
替换以下内容:
- 将
$OUTPUT_FILENAME
的值替换为输出文件的位置。 - 以 JSON 格式存储数据。
- 将编码设置为 UTF-8。
- 调用
Get-ADUser
和Get-ADComputer
cmdlet 时,请使用-Filter
参数,而不是-LDAPFilter
参数。
- 将
创建运行脚本的周期性任务,以将数据提取并写入到输出文件。
- 打开“任务计划程序”应用。
- 点击创建任务。
- 输入任务的名称和说明。
- 选中Run with highest privileges(以最高权限运行)复选框,以确保检索所有数据。
- 在触发器标签页中,定义何时希望重复执行该任务。
- 在操作标签页中,添加新操作,并提供存储该脚本的文件的路径。
查看支持的设备和版本
Microsoft Windows Server 按以下版本发布:Foundation、Essentials、Standard 和 Datacenter。每个版本生成的日志事件架构没有区别。
Google 安全运营解析器支持来自以下 Microsoft Windows 服务器版本的日志:
- Microsoft Windows Server 2019
- Microsoft Windows Server 2016
- Microsoft Windows Server 2012
Google Security Operations 解析器支持 NXLog 社区版或企业版收集的日志。
查看支持的日志类型
Google 安全运营解析器将解析从用户上下文和资源上下文中检索的数据并对其进行标准化。它支持使用英语文本生成的日志,不支持使用非英语生成的日志。
配置 BindPlane 代理
我们建议您使用 BindPlane 代理将 Windows Active Directory 的日志转发到 Google Security Operations。
安装后,BindPlane 代理服务会在 Windows 服务列表中显示为 observIQ
服务。
- 在每个 Windows Active Directory 服务器上安装 BindPlane 代理。如需详细了解如何安装 BindPlane 代理, 请参阅 BindPlane 代理安装说明。
为 BindPlane 代理创建一个配置文件,其中包含以下内容。
receivers: filelog: include: [ `FILE_PATH` ] operators: - type: json_parser start_at: beginning windowseventlog/activedirectoryservice: channel: Directory Service raw: true processors: batch: exporters: chronicle/activedirectory: endpoint: https://malachiteingestion-pa.googleapis.com creds: '{ "type": "service_account", "project_id": "malachite-projectname", "private_key_id": `PRIVATE_KEY_ID`, "private_key": `PRIVATE_KEY`, "client_email":"`SERVICE_ACCOUNT_NAME`@malachite-`PROJECT_ID`.iam.gserviceaccount.com", "client_id": `CLIENT_ID`, "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/`SERVICSERVICE_ACCOUNT_NAME`%40malachite-`PROJECT_ID`.iam.gserviceaccount.com", "universe_domain": "googleapis.com" }' log_type: 'WINDOWS_AD' override_log_type: false raw_log_field: body customer_id: `CUSTOMER_ID` service: pipelines: logs/ads: receivers: - filelog - windowseventlog/activedirectoryservice processors: [batch] exporters: [chronicle/activedirectory]
替换以下内容:
FILE_PATH
,其中包含存储配置 Microsoft Windows AD 服务器中所述 PowerShell 脚本输出的文件的路径。将
PRIVATE_KEY_ID
、PRIVATE_KEY
、SERVICSERVICE_ACCOUNT_NAME
、PROJECT_ID
、CLIENT_ID
和CUSTOMER_ID
替换为服务账号 JSON 文件中的相应值,您可以从 Google Cloud 下载该文件。如需详细了解服务账号密钥,请参阅创建和删除服务账号密钥。
如需启动 observIQ 代理服务,请依次选择 Services > Extended > observIQ Service > start。
配置 NXLog
下图显示了安装了 NXLog 代理以收集 Microsoft Windows 事件并将其发送到 Google Security Operations 的架构。 将此信息与您的环境进行比较,以确保已安装这些组件。您的部署可能与此架构不同,并且可能更复杂。
如果您使用的是 NXLog 代理,而不是 BindPlane 代理,请验证以下内容:
- 在每个运行 Active Directory 的 Microsoft Windows Server 上创建并配置 PowerShell 脚本,以收集
USER_CONTEXT
和ASSET_CONTEXT
数据。如需了解详情,请参阅配置 Microsoft Windows AD 服务器。 - NXLog 安装在每台 Microsoft Windows AD 服务器上,以将数据发送到中央设备 Microsoft Windows Server 或 Linux Server。
- Google Security Operations 转发器安装在中央 Microsoft Windows Server 或 Linux 服务器上,用于将日志数据转发到 Google Security Operations。
配置 NXLog
- 在 Windows Active Directory 服务器上运行的每个收集器上安装 NXLog 代理。 该应用会将日志转发到中央 Microsoft Windows 或 Linux 服务器。如需了解详情,请参阅 NXLog 文档。
为每个 NXLog 实例创建一个配置文件。使用 NXLog
im_file
模块从文件中读取内容并将行解析为字段。使用om_tcp
将数据转发到中央 Microsoft Windows 或 Linux 服务器。以下是 NXLog 配置示例。替换
<hostname>
和<port>
包含目标中心 Microsoft Windows 或 Linux 相关信息的值 服务器。在<Input in_adcontext>
部分和File
属性中,添加 PowerShell 脚本写入的输出日志文件的路径。始终设置DirCheckInterval
和PollInterval
。如果未定义,则 NXLog 每 1 秒轮询一次文件。define ROOT C:\Program Files\nxlog define ADCONTEXT_OUTPUT_DESTINATION_ADDRESS <hostname> define ADCONTEXT_OUTPUT_DESTINATION_PORT <port> Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Input in_adcontext> Module im_file File "<Path_of_the_output_file>" DirCheckInterval 3600 PollInterval 3600 </Input> <Output out_chronicle_adcontext> Module om_tcp Host %ADCONTEXT_OUTPUT_DESTINATION_ADDRESS% Port %ADCONTEXT_OUTPUT_DESTINATION_PORT% </Output> <Route ad_context_to_chronicle> Path in_adcontext => out_chronicle_adcontext </Route>
在每个系统中启动 NXLog 服务。
在中央服务器上配置转发器
有关在 Linux 上安装和配置转发器的信息, 请参阅在 Linux 上安装和配置转发器。 有关在 Microsoft Windows 上安装和配置转发器的信息,请参阅在 Microsoft Windows 上安装和配置转发器。
- 使用世界协调时间 (UTC) 时区配置系统。
- 在中央 Microsoft Windows 或 Linux 服务器上安装 Google Security Operations 转发器。
配置 Google Security Operations 转发器,以将日志发送到 Google Security Operations。 以下是转发器配置示例:
- syslog: common: enabled: true data_type: WINDOWS_AD batch_n_seconds: 10 batch_n_bytes: 1048576 tcp_address: 0.0.0.0:10518 connection_timeout_sec: 60
字段映射参考信息:设备日志字段到 UDM 字段
本部分介绍解析器如何将原始日志字段映射到 Unified Data Model 字段。
用户上下文日志
NXLog 字段 | UDM 字段 |
---|---|
GivenName |
entity.entity.user.first_name |
Surname |
entity.entity.user.last_name |
SamAccountName |
entity.entity.user.userid |
SID.Value |
entity.entity.user.windows_sid |
ObjectClass |
If the value is user ,entity.metadata.entity_type is set to USER |
ObjectGuid |
If the ObjectGuid log field value is not empty, then the ObjectGuid log field is mapped to the entity.entity.user.product_object_id UDM field.
Else, If the objectGUID log field value is not empty, then the objectGUID log field is mapped to the entity.entity.user.product_object_id UDM field.
Else, If the ObjectGUID log field value is not empty, then the ObjectGUID log field is mapped to the
entity.entity.user.product_object_id UDM field.
|
objectGUID |
If the ObjectGuid log field value is not empty, then the ObjectGuid log field is mapped to the entity.entity.user.product_object_id UDM field.
Else, If the objectGUID log field value is not empty, then the objectGUID log field is mapped to the entity.entity.user.product_object_id UDM field.
Else, If the ObjectGUID log field value is not empty, then the ObjectGUID log field is mapped to the entity.entity.user.product_object_id UDM field.
|
ObjectGUID |
If the ObjectGuid log field value is not empty, then the ObjectGuid log field is mapped to the entity.entity.user.product_object_id UDM field.
Else, If the objectGUID log field value is not empty, then the objectGUID log field is mapped to the entity.entity.user.product_object_id UDM field.
Else, If the ObjectGUID log field value is not empty, then the ObjectGUID log field is mapped to the entity.entity.user.product_object_id UDM field.
|
AccountExpirationDate |
entity.entity.user.account_expiration_time |
badPwdCount |
entity.entity.user.attribute.label.key and entity.entity.user.attribute.label.value |
CanonicalName |
entity.entity.administrative_domain |
City |
entity.entity.user.personal_address.city |
Company |
entity.entity.user.company_name |
Country |
entity.entity.user.personal_address.country_or_region |
Department |
entity.entity.user.department |
Description |
entity.metadata.description |
DisplayName |
entity.entity.user.user_display_name |
EmailAddress |
entity.entity.user.email_addresses |
EmployeeID |
entity.entity.user.employee_id |
HomeDirectory |
entity.entity.file.full_path |
HomePage |
entity.entity.url |
HomePhone |
entity.entity.user.phone_numbers |
LastBadPasswordAttempt |
entity.entity.user.last_bad_password_attempt_time |
lastLogoff |
entity.entity.user.attribute.label.key and entity.entity.user.attribute.label.value |
lastLogon |
entity.entity.user.attribute.label.key and entity.entity.user.attribute.label.value |
LastLogonDate |
entity.entity.user.last_login_time |
Manager |
Values for GUID , SAMAccountname , SID all mapped to different UDM fields:- SID is stored in manager.windows_sid- Distinguished name (i.e. value in first CN) is stored in
manager.user_display_name - GUID ,SamAccountName is stored in manager.userid |
MemberOf |
The following fields in the first occurrence of CN are set:entity.relations.entity.group.group_display_name entity.relations.entity_type set to GROUP entity.relations.relationship set t0 MEMBER entity.relations.direction set to UNIDIRECTIONAL |
MobilePhone |
entity.entity.user.phone_numbers |
Office |
entity.entity.user.office_address.name |
PasswordExpired |
entity.entity.user.attribute.label.key and entity.entity.user.attribute.label.value |
PasswordLastSet |
entity.entity.user.last_password_change_time |
PasswordNeverExpires |
entity.entity.user.attribute.label.key and entity.entity.user.attribute.label.value |
PasswordNotRequired |
entity.entity.user.attribute.label.key and entity.entity.user.attribute.label.value |
PrimaryGroup |
Following fields are set: - entity.relations.entity.group.group_display_name - entity.relations.entity_type set to GROUP - entity.relations.relationship set to MEMBER - entity.relations.direction set to UNIDIRECTIONAL |
ServicePrincipalNames |
entity.entity.user.attribute.label.key and entity.entity.user.attribute.label.value |
State |
entity.entity.user.personal_address.state |
StreetAddress |
entity.entity.user.personal_address.name |
Title |
entity.entity.user.title |
whenCreated |
entity.user.attribute.creation_time |
AccountLockoutTime |
entity.entity.user.account_lockout_time |
资源上下文日志
NXLog 字段 | UDM 字段 |
---|---|
DNSHostName |
entity.entity.asset.hostname |
SamAccountName |
entity.entity.asset.asset_id |
SID.Value |
entity.entity.user.windows_sid |
ObjectClass |
If the value is computer , entity.metadata.entity_type set to ASSET |
ObjectGuid |
If the ObjectGuid log field value is not empty, then the ObjectGuid log field is mapped to the entity.entity.asset.product_object_id UDM field.
Else, If the ObjectGUID log field value is not empty, then the ObjectGUID log field is mapped to the entity.entity.asset.product_object_id UDM field. |
ObjectGUID |
If the ObjectGuid log field value is not empty, then the ObjectGuid log field is mapped to the entity.entity.asset.product_object_id UDM field.
Else, If the ObjectGUID log field value is not empty, then the ObjectGUID log field is mapped to the entity.entity.asset.product_object_id UDM field. |
AccountExpirationDate |
entity.entity.user.account_expiration_time |
badPwdCount |
entity.entity.asset.attribute.label.key and entity.entity.asset.attribute.label.value |
CanonicalName |
entity.entity.administrative_domain |
countryCode |
entity.entity.asset.location.country_or_region |
Description |
entity.entity.metadata.description |
HomePage |
entity.entity.url |
IPv4Address |
entity.entity.asset.ip |
IPv6Address |
entity.entity.asset.ip |
LastBadPasswordAttempt |
entity.entity.user.last_bad_password_attempt_time |
lastLogoff |
entity.entity.asset.attribute.label.key and entity.entity.asset.attribute.label.value |
lastLogon |
entity.entity.asset.attribute.label.key and entity.entity.asset.attribute.label.value |
LastLogonDate |
entity.entity.user.last_login_time |
Location |
entity.entity.asset.location.name |
ManagedBy |
The following fields are set:entity.entity.user.user_display_name entity.relations.entity_type set to USER entity.relations.relationship set to ADMINISTERS entity.relations.direction set to UNIDIRECTIONAL |
ObjectCategory |
entity.entity.asset.category |
OperatingSystem |
If the name contains Windows ,
entity.entity.asset.platform_software.platform field is set to
WINDOWS . |
OperatingSystemServicePack |
entity.entity.asset.platform_software.platform_patch_level |
OperatingSystemVersion |
The field entity.entity.asset.platform_software.platform_version is set to
%{OperatingSystem} - %{OperatingSystemVersion} |
PasswordExpired |
entity.entity.asset.attribute.label.key and entity.entity.asset.attribute.label.value |
PasswordLastSet |
entity.entity.user.last_password_change_time |
PasswordNeverExpires |
entity.entity.asset.attribute.label.key and entity.entity.asset.attribute.label.value |
PasswordNotRequired |
entity.entity.asset.attribute.label.key and entity.entity.asset.attribute.label.value |
PrimaryGroup |
The following fields are set: - entity.relations.entity.group.group_display_name - entity.relations.entity_type set to GROUP - entity.relations.relationship set to MEMBER - entity.relations.direction set to UNIDIRECTIONAL |
ServicePrincipalNames |
entity.entity.asset.attribute.label.key and entity.entity.asset.attribute.label.value |
whenChanged |
entity.entity.asset.attribute.last_update_time |
whenCreated |
entity.entity.asset.attribute.creation_time |
AccountLockoutTime |
entity.entity.user.account_lockout_time |