
Microsoft AD FS Collection


Microsoft Active Directory Federation Services

Microsoft AD FS


This pack includes XSIAM content.

Configuration on Server Side

Validate that the AD FS server role is enabled

  1. In the Server Manager, click Manage > Add Roles and Features.

  2. Click Server Roles in the left menu.

  3. Validate that Active Directory Federation Services is selected and installed.


  4. To enable audit logging of AD FS, run the following commands in PowerShell with administrative privileges:

    • Set-AdfsProperties -AuditLevel Basic - This command enables basic audit logging of AD FS (the property is AuditLevel; Basic is not a valid value for the separate -LogLevel parameter).
    • Get-AdfsProperties - This command validates that the AuditLevel is set to Basic.


  5. Additional validation of the logging can be done in the Windows Event Viewer:

    1. Run eventvwr.msc from the search bar.
    2. In the left directory tree, select Applications and Services Logs and validate that the AD FS folder exists and that the Admin log is located in that folder.


Collect Events from Vendor

For the Filebeat collector, use the following option to collect events from the vendor:

  • XDRC (XDR Collector)

    You will need to configure the vendor and product for this specific collector.

XDRC (XDR Collector)

Use the information described here.

You can configure the vendor and product by replacing [vendor]_[product]_raw with msft_adfs_raw.

When configuring the instance, use a yml file that configures the vendor and product, as shown in the configuration below for the Microsoft AD FS product.

Copy and paste the following content in the Filebeat Configuration File section (inside the relevant profile under the XDR Collectors Profiles).

Filebeat Configuration File

winlogbeat.event_logs:
  # Read the Windows Security log, where the AD FS audit events are written
  - name: Security
    # Forward only the AD FS audit event IDs listed here
    event_id: 510, 1200, 1201, 1202, 1203, 1204, 1205, 1206, 1207
    processors:
      # vendor and product select the target dataset, named [vendor]_[product]_raw
      - add_fields:
          fields:
            vendor: microsoft
            product: windows


Note: The above configuration uses the default location of the logs.
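The following script is an added example and is not part of the content pack; it ties the server-side steps above together into one check. It assumes it runs in an elevated PowerShell session on an AD FS server (Windows Server 2016 or later, where the AuditLevel property exists) with the ADFS and ServerManager modules available. It confirms the role from steps 1-3, applies and reads back the audit level from step 4, confirms the AD FS/Admin log from step 5, and counts the Security-log event IDs the collector configuration forwards. The auditpol check is an addition not mentioned on this page: AD FS audit events reach the Security log only when the "Application Generated" audit subcategory is enabled.

```powershell
# Added validation script (not part of the content pack). Assumes an elevated
# session on the AD FS server with the ADFS and ServerManager modules present.
#Requires -RunAsAdministrator
Import-Module ADFS -ErrorAction Stop

# Event IDs forwarded by the winlogbeat configuration on this page
$AdfsAuditIds = 510, 1200, 1201, 1202, 1203, 1204, 1205, 1206, 1207

# Steps 1-3: confirm the AD FS role is installed
$role = Get-WindowsFeature -Name ADFS-Federation
if (-not $role.Installed) {
    throw "The Active Directory Federation Services role is not installed."
}
Write-Host "AD FS role installed: $($role.Installed)"

# Step 4: enable basic auditing unless Basic or Verbose is already set, then read it back
$current = (Get-AdfsProperties).AuditLevel
if ($current -notcontains 'Basic' -and $current -notcontains 'Verbose') {
    Set-AdfsProperties -AuditLevel Basic
}
$auditLevel = (Get-AdfsProperties).AuditLevel
Write-Host "AD FS AuditLevel: $auditLevel"

# Assumption not stated on the page: AD FS audit events only land in the Security log
# when this audit subcategory is enabled. Shown here, not changed.
auditpol.exe /get /subcategory:"Application Generated"

# Step 5: confirm the AD FS/Admin channel exists and report its state
$adminLog = Get-WinEvent -ListLog 'AD FS/Admin' -ErrorAction Stop
Write-Host ("AD FS/Admin log: {0} records, enabled={1}" -f $adminLog.RecordCount, $adminLog.IsEnabled)

# Count, per event ID, what the collector would pick up from the last 24 hours.
# Get-WinEvent raises a non-terminating error when nothing matches, hence SilentlyContinue.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $AdfsAuditIds
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No AD FS audit events in the Security log during the last 24 hours; perform a sign-in and re-run."
} else {
    $events | Group-Object Id | Sort-Object Name |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
        Format-Table -AutoSize
}
```

Run the script once before saving the collector profile: a non-empty per-ID table means the Security log already holds the events the configuration above forwards, so an empty dataset on the XSIAM side points at the collector rather than at the server.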

PUBLISHER

Cortex

PLATFORMS

Cortex XSIAM

INFO

Supported By: Cortex
Created: June 29, 2022
Last Release: January 29, 2023

DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.