收集 Microsoft Windows AD 数据

支持的平台:

此文档包含以下信息:

  • 部署架构和安装步骤,以及生成 Microsoft Windows Active Directory 事件的 Google Security Operations 解析器支持的日志所需的任何配置。Google Security Operations 概览 数据注入,请参阅将数据注入到 Google Security Operations 中
  • 有关解析器如何将原始日志中的字段映射到 Google Security Operations Unified Data Model 字段的信息。

根据您的部署架构,配置 BindPlane 代理或 用于将 Microsoft Windows Active Directory 日志注入到 Google Security Operations 的 NXLog 代理。 我们建议您使用 BindPlane 代理将 Windows Active Directory 的日志转发到 Google Security Operations。

本文档中的信息适用于具有 WINDOWS_AD 注入标签的解析器。注入标签标识哪个解析器将原始日志数据标准化为结构化 UDM 格式。

准备工作

在配置 BindPlane 代理或 NXLog 代理之前,请先完成以下任务:

配置 Microsoft Windows AD 服务器

  1. 在每个 Microsoft Windows Active Directory 服务器上,创建并配置 PowerShell 脚本以将日志数据保存到输出文件。BindPlane 代理或 NXLog 会读取输出文件。

    # Set the location where the log file will be written
    $OUTPUT_FILENAME="<Path_of_the_output_file>"
    
    If (Test-Path -Path $OUTPUT_FILENAME) { Remove-Item -path $OUTPUT_FILENAME -ErrorAction SilentlyContinue}
    
    # USER_CONTEXT: Gets all Active Directory users and their properties.
    Get-ADUser -Filter * -properties samAccountName | % { Get-ADUser $_.SamAccountName -properties * | ConvertTo-JSON -compress | Out-File -encoding utf8 $OUTPUT_FILENAME -Append }
    
    # ASSET_CONTEXT: Gets all Active Directory assets and their properties.
    Get-ADComputer -Filter * -properties samAccountName | % { Get-ADComputer $_.SamAccountName -properties * | ConvertTo-JSON -compress | Out-File -encoding utf8 $OUTPUT_FILENAME -Append }
    
  2. 替换以下内容:

    • $OUTPUT_FILENAME 的值替换为输出文件的位置。
    • 以 JSON 格式存储数据。
    • 将编码设置为 UTF-8。
    • 调用 Get-ADUserGet-ADComputer cmdlet 时,请使用 -Filter 参数,而不是 -LDAPFilter 参数。
  3. 创建运行脚本的周期性任务,以将数据提取并写入到输出文件。

    1. 打开“任务计划程序”应用。
    2. 点击创建任务
    3. 输入任务的名称和说明。
    4. 选中Run with highest privileges(以最高权限运行)复选框,以确保检索所有数据。
    5. 触发器标签页中,定义何时希望重复执行该任务。
    6. 操作标签页中,添加新操作,并提供存储该脚本的文件的路径。

查看支持的设备和版本

Microsoft Windows Server 按以下版本发布:Foundation、Essentials、Standard 和 Datacenter。每个版本生成的日志事件架构没有区别。

Google 安全运营解析器支持来自以下 Microsoft Windows 服务器版本的日志:

  • Microsoft Windows Server 2019
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2012

Google Security Operations 解析器支持 NXLog 社区版或企业版收集的日志。

查看支持的日志类型

Google 安全运营解析器将解析从用户上下文资源上下文中检索的数据并对其进行标准化。它支持使用英语文本生成的日志,不支持使用非英语生成的日志。

配置 BindPlane 代理

我们建议您使用 BindPlane 代理将 Windows Active Directory 的日志转发到 Google Security Operations。

安装后,BindPlane 代理服务会在 Windows 服务列表中显示为 observIQ 服务。

  1. 在每个 Windows Active Directory 服务器上安装 BindPlane 代理。如需详细了解如何安装 BindPlane 代理, 请参阅 BindPlane 代理安装说明
  2. 为 BindPlane 代理创建一个配置文件,其中包含以下内容。

    receivers:
      filelog:
        include: [ `FILE_PATH` ]
        operators:
          - type: json_parser
        start_at: beginning
      windowseventlog/activedirectoryservice:
        channel: Directory Service
        raw: true
    processors:
      batch:
    
    exporters:
      chronicle/activedirectory:
        endpoint: https://malachiteingestion-pa.googleapis.com
        creds: '{
        "type": "service_account",
        "project_id": "malachite-projectname",
        "private_key_id": `PRIVATE_KEY_ID`,
        "private_key": `PRIVATE_KEY`,
        "client_email":"`SERVICE_ACCOUNT_NAME`@malachite-`PROJECT_ID`.iam.gserviceaccount.com",
        "client_id": `CLIENT_ID`,
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs",
        "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/`SERVICSERVICE_ACCOUNT_NAME`%40malachite-`PROJECT_ID`.iam.gserviceaccount.com",
        "universe_domain": "googleapis.com"
        }'
      log_type: 'WINDOWS_AD'
      override_log_type: false
      raw_log_field: body
      customer_id: `CUSTOMER_ID`
    
    service:
      pipelines:
        logs/ads:
          receivers:
            - filelog
            - windowseventlog/activedirectoryservice
          processors: [batch]
          exporters: [chronicle/activedirectory]
    
  3. 替换以下内容:

    • FILE_PATH,其中包含存储配置 Microsoft Windows AD 服务器中所述 PowerShell 脚本输出的文件的路径。

    • PRIVATE_KEY_IDPRIVATE_KEYSERVICSERVICE_ACCOUNT_NAMEPROJECT_IDCLIENT_IDCUSTOMER_ID 替换为服务账号 JSON 文件中的相应值,您可以从 Google Cloud 下载该文件。如需详细了解服务账号密钥,请参阅创建和删除服务账号密钥

  4. 如需启动 observIQ 代理服务,请依次选择 Services > Extended > observIQ Service > start

配置 NXLog

下图显示了安装了 NXLog 代理以收集 Microsoft Windows 事件并将其发送到 Google Security Operations 的架构。 将此信息与您的环境进行比较,以确保已安装这些组件。您的部署可能与此架构不同,并且可能更复杂。

NXLog 转发器提取。

如果您使用的是 NXLog 代理,而不是 BindPlane 代理,请验证以下内容:

  • 在每个运行 Active Directory 的 Microsoft Windows Server 上创建并配置 PowerShell 脚本,以收集 USER_CONTEXTASSET_CONTEXT 数据。如需了解详情,请参阅配置 Microsoft Windows AD 服务器
  • NXLog 安装在每台 Microsoft Windows AD 服务器上,以将数据发送到中央设备 Microsoft Windows Server 或 Linux Server。
  • Google Security Operations 转发器安装在中央 Microsoft Windows Server 或 Linux 服务器上,用于将日志数据转发到 Google Security Operations。

配置 NXLog

  1. 在 Windows Active Directory 服务器上运行的每个收集器上安装 NXLog 代理。 该应用会将日志转发到中央 Microsoft Windows 或 Linux 服务器。如需了解详情,请参阅 NXLog 文档
  2. 为每个 NXLog 实例创建一个配置文件。使用 NXLog im_file 模块从文件中读取内容并将行解析为字段。使用 om_tcp 将数据转发到中央 Microsoft Windows 或 Linux 服务器。

    以下是 NXLog 配置示例。替换 <hostname><port> 包含目标中心 Microsoft Windows 或 Linux 相关信息的值 服务器。在 <Input in_adcontext> 部分和 File 属性中,添加 PowerShell 脚本写入的输出日志文件的路径。始终设置 DirCheckIntervalPollInterval。如果未定义,则 NXLog 每 1 秒轮询一次文件。

    define ROOT C:\Program Files\nxlog
    define ADCONTEXT_OUTPUT_DESTINATION_ADDRESS <hostname>
    define ADCONTEXT_OUTPUT_DESTINATION_PORT <port>
    
    Moduledir   %ROOT%\modules
    CacheDir    %ROOT%\data
    Pidfile     %ROOT%\data\nxlog.pid
    SpoolDir    %ROOT%\data
    LogFile     %ROOT%\data\nxlog.log
    
    <Input in_adcontext>
        Module im_file
        File "<Path_of_the_output_file>"
        DirCheckInterval 3600
        PollInterval 3600
    </Input>
    
    <Output out_chronicle_adcontext>
        Module  om_tcp
        Host    %ADCONTEXT_OUTPUT_DESTINATION_ADDRESS%
        Port    %ADCONTEXT_OUTPUT_DESTINATION_PORT%
    </Output>
    
    <Route ad_context_to_chronicle>
        Path in_adcontext => out_chronicle_adcontext
    </Route>
    
  3. 在每个系统中启动 NXLog 服务。

在中央服务器上配置转发器

有关在 Linux 上安装和配置转发器的信息, 请参阅在 Linux 上安装和配置转发器。 有关在 Microsoft Windows 上安装和配置转发器的信息,请参阅在 Microsoft Windows 上安装和配置转发器

  1. 使用世界协调时间 (UTC) 时区配置系统。
  2. 在中央 Microsoft Windows 或 Linux 服务器上安装 Google Security Operations 转发器。
  3. 配置 Google Security Operations 转发器,以将日志发送到 Google Security Operations。 以下是转发器配置示例:

      - syslog:
          common:
            enabled: true
            data_type: WINDOWS_AD
            batch_n_seconds: 10
            batch_n_bytes: 1048576
          tcp_address: 0.0.0.0:10518
          connection_timeout_sec: 60
    

字段映射参考信息:设备日志字段到 UDM 字段

本部分介绍解析器如何将原始日志字段映射到 Unified Data Model 字段。

用户上下文日志

NXLog 字段 UDM 字段
GivenName entity.entity.user.first_name
Surname entity.entity.user.last_name
SamAccountName entity.entity.user.userid
SID.Value entity.entity.user.windows_sid
ObjectClass If the value is user,
entity.metadata.entity_type is set to USER
ObjectGuid If the ObjectGuid log field value is not empty, then the ObjectGuid log field is mapped to the entity.entity.user.product_object_id UDM field.
Else, If the objectGUID log field value is not empty, then the objectGUID log field is mapped to the entity.entity.user.product_object_id UDM field.
Else, If the ObjectGUID log field value is not empty, then the ObjectGUID log field is mapped to the entity.entity.user.product_object_id UDM field.
objectGUID If the ObjectGuid log field value is not empty, then the ObjectGuid log field is mapped to the entity.entity.user.product_object_id UDM field.
Else, If the objectGUID log field value is not empty, then the objectGUID log field is mapped to the entity.entity.user.product_object_id UDM field.
Else, If the ObjectGUID log field value is not empty, then the ObjectGUID log field is mapped to the entity.entity.user.product_object_id UDM field.
ObjectGUID If the ObjectGuid log field value is not empty, then the ObjectGuid log field is mapped to the entity.entity.user.product_object_id UDM field.
Else, If the objectGUID log field value is not empty, then the objectGUID log field is mapped to the entity.entity.user.product_object_id UDM field.
Else, If the ObjectGUID log field value is not empty, then the ObjectGUID log field is mapped to the entity.entity.user.product_object_id UDM field.
AccountExpirationDate entity.entity.user.account_expiration_time
badPwdCount entity.entity.user.attribute.label.key and entity.entity.user.attribute.label.value
CanonicalName entity.entity.administrative_domain
City entity.entity.user.personal_address.city
Company entity.entity.user.company_name
Country entity.entity.user.personal_address.country_or_region
Department entity.entity.user.department
Description entity.metadata.description
DisplayName entity.entity.user.user_display_name
EmailAddress entity.entity.user.email_addresses
EmployeeID entity.entity.user.employee_id
HomeDirectory entity.entity.file.full_path
HomePage entity.entity.url
HomePhone entity.entity.user.phone_numbers
LastBadPasswordAttempt entity.entity.user.last_bad_password_attempt_time
lastLogoff entity.entity.user.attribute.label.key and entity.entity.user.attribute.label.value
lastLogon entity.entity.user.attribute.label.key and entity.entity.user.attribute.label.value
LastLogonDate entity.entity.user.last_login_time
Manager Values for GUID, SAMAccountname, SID all mapped to different UDM fields:
- SID is stored in manager.windows_sid
- Distinguished name (i.e. value in first CN) is stored in manager.user_display_name
- GUID,SamAccountName is stored in manager.userid
MemberOf The following fields in the first occurrence of CN are set:
entity.relations.entity.group.group_display_name
entity.relations.entity_type set to GROUP
entity.relations.relationship set t0 MEMBER
entity.relations.direction set to UNIDIRECTIONAL
MobilePhone entity.entity.user.phone_numbers
Office entity.entity.user.office_address.name
PasswordExpired entity.entity.user.attribute.label.key and entity.entity.user.attribute.label.value
PasswordLastSet entity.entity.user.last_password_change_time
PasswordNeverExpires entity.entity.user.attribute.label.key and entity.entity.user.attribute.label.value
PasswordNotRequired entity.entity.user.attribute.label.key and entity.entity.user.attribute.label.value
PrimaryGroup Following fields are set:
- entity.relations.entity.group.group_display_name
- entity.relations.entity_type set to GROUP
- entity.relations.relationship set to MEMBER
- entity.relations.direction set to UNIDIRECTIONAL
ServicePrincipalNames entity.entity.user.attribute.label.key and entity.entity.user.attribute.label.value
State entity.entity.user.personal_address.state
StreetAddress entity.entity.user.personal_address.name
Title entity.entity.user.title
whenCreated entity.user.attribute.creation_time
AccountLockoutTime entity.entity.user.account_lockout_time

资源上下文日志

NXLog 字段 UDM 字段
DNSHostName entity.entity.asset.hostname
SamAccountName entity.entity.asset.asset_id
SID.Value entity.entity.user.windows_sid
ObjectClass If the value is computer, entity.metadata.entity_type set to ASSET
ObjectGuid If the ObjectGuid log field value is not empty, then the ObjectGuid log field is mapped to the entity.entity.asset.product_object_id UDM field.
Else, If the ObjectGUID log field value is not empty, then the ObjectGUID log field is mapped to the entity.entity.asset.product_object_id UDM field.
ObjectGUID If the ObjectGuid log field value is not empty, then the ObjectGuid log field is mapped to the entity.entity.asset.product_object_id UDM field.
Else, If the ObjectGUID log field value is not empty, then the ObjectGUID log field is mapped to the entity.entity.asset.product_object_id UDM field.
AccountExpirationDate entity.entity.user.account_expiration_time
badPwdCount entity.entity.asset.attribute.label.key and entity.entity.asset.attribute.label.value
CanonicalName entity.entity.administrative_domain
countryCode entity.entity.asset.location.country_or_region
Description entity.entity.metadata.description
HomePage entity.entity.url
IPv4Address entity.entity.asset.ip
IPv6Address entity.entity.asset.ip
LastBadPasswordAttempt entity.entity.user.last_bad_password_attempt_time
lastLogoff entity.entity.asset.attribute.label.key and entity.entity.asset.attribute.label.value
lastLogon entity.entity.asset.attribute.label.key and entity.entity.asset.attribute.label.value
LastLogonDate entity.entity.user.last_login_time
Location entity.entity.asset.location.name
ManagedBy The following fields are set:

entity.entity.user.user_display_name
entity.relations.entity_type set to USER
entity.relations.relationship set to ADMINISTERS
entity.relations.direction set to UNIDIRECTIONAL
ObjectCategory entity.entity.asset.category
OperatingSystem If the name contains Windows, entity.entity.asset.platform_software.platform field is set to WINDOWS.
OperatingSystemServicePack entity.entity.asset.platform_software.platform_patch_level
OperatingSystemVersion The field entity.entity.asset.platform_software.platform_version is set to %{OperatingSystem} - %{OperatingSystemVersion}
PasswordExpired entity.entity.asset.attribute.label.key and entity.entity.asset.attribute.label.value
PasswordLastSet entity.entity.user.last_password_change_time
PasswordNeverExpires entity.entity.asset.attribute.label.key and entity.entity.asset.attribute.label.value
PasswordNotRequired entity.entity.asset.attribute.label.key and entity.entity.asset.attribute.label.value
PrimaryGroup The following fields are set:
- entity.relations.entity.group.group_display_name
- entity.relations.entity_type set to GROUP
- entity.relations.relationship set to MEMBER
- entity.relations.direction set to UNIDIRECTIONAL
ServicePrincipalNames entity.entity.asset.attribute.label.key and entity.entity.asset.attribute.label.value
whenChanged entity.entity.asset.attribute.last_update_time
whenCreated entity.entity.asset.attribute.creation_time
AccountLockoutTime entity.entity.user.account_lockout_time