Microsoft AD FS
This pack includes XSIAM content.
Configuration on Server Side
Validate that AD FS server role is enabled
In the Server Manager, click Manage > Add Roles and Features.
Click Server Roles in the left menu.
Validate that Active Directory Federation Services is selected and installed.
To enable logging of AD FS, run the following commands in PowerShell with administrative privileges:
- Set-AdfsProperties -AuditLevel Basic - This command enables basic audit logging of AD FS (the parameter is AuditLevel, which is the property the next command checks).
- Get-AdfsProperties - This command lets you validate that AuditLevel is set to Basic.
Additional validation of the logging can be done in the Windows Event Viewer:
- Run eventvwr.msc from the search bar.
- In the left directory tree, expand Applications and Services Logs and validate that an AD FS folder exists and that the Admin log is located in it.
Collect Events from Vendor
For the Filebeat collector, use the following option to collect events from the vendor:
- XDRC (XDR Collector)
You will need to configure the vendor and product for this specific collector.
XDRC (XDR Collector)
Use the information described here.
You can configure the vendor and product by replacing [vendor]_[product]_raw with msft_adfs_raw.
When configuring the instance, use a yml file that configures the vendor and product, as shown in the configuration below for the Microsoft AD FS product.
Copy and paste the following content in the Filebeat Configuration File section (inside the relevant profile under the XDR Collectors Profiles).
Filebeat Configuration File
winlogbeat.event_logs:
  - name: Security
    event_id: 510, 1200, 1201, 1202, 1203, 1204, 1205, 1206, 1207
    processors:
      - add_fields:
          fields:
            vendor: microsoft
            product: windows
Note: The above configuration uses the default location of the logs.
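The following script is an added validation example, not part of this pack: run in an elevated PowerShell session on the AD FS server, it checks the three prerequisites described above (role installed, AuditLevel Basic, and the Security log actually containing the event IDs the winlogbeat configuration filters on). The 24-hour look-back window and the per-ID summary format are this script's own choices.

```powershell
# Added example (not part of the pack): verify the server-side setup this
# README describes before expecting the XDR Collector to receive AD FS events.
# Assumptions: elevated session on the AD FS server (ADFS and ServerManager
# modules present); event IDs copied from the winlogbeat configuration above;
# the 24-hour window is arbitrary.

$expectedIds = 510, 1200, 1201, 1202, 1203, 1204, 1205, 1206, 1207
$since       = (Get-Date).AddHours(-24)

# 1. AD FS server role installed (Server Manager > Server Roles)
$role = Get-WindowsFeature -Name ADFS-Federation
if (-not $role.Installed) {
    Write-Warning "ADFS-Federation role is not installed; nothing to collect."
    return
}
Write-Output "Role ADFS-Federation: installed"

# 2. Audit level set to Basic (Set-AdfsProperties -AuditLevel Basic)
$props = Get-AdfsProperties
if ($props.AuditLevel -notcontains 'Basic') {
    Write-Warning "AuditLevel is '$($props.AuditLevel -join ',')', expected 'Basic'."
} else {
    Write-Output "AuditLevel: Basic"
}

# 3. Security log contains the event IDs the collector is configured for.
#    Get-WinEvent reports 'No events were found' as a non-terminating error,
#    so suppress it and test the result instead.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $expectedIds
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No events with IDs $($expectedIds -join ', ') in Security since $since."
    return
}

# Per-ID counts make gaps in the expected set visible at a glance
$groups = $events | Group-Object Id | Sort-Object { [int]$_.Name }
$groups | ForEach-Object { "{0,6}  {1}" -f $_.Name, $_.Count }

$seen    = $groups | ForEach-Object { [int]$_.Name }
$missing = $expectedIds | Where-Object { $seen -notcontains $_ }
if ($missing) { Write-Output "Not seen in window: $($missing -join ', ')" }
```

Event IDs that never appear in the window are not necessarily a fault; some (for example failed-sign-in audits) only occur when the corresponding activity happens, so compare the list against what the environment is expected to produce.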