How to Monitor Active Directory Queries - active-directory

We are working to publish more data to our Active Directory address book.
We would like to know if there are any strategies to monitor when users or applications perform an LDAP query against Active Directory to read data.
How would we configure our domain controllers to log these sorts of events?
Is monitoring these types of LDAP queries even achievable through Windows Event Logs?
An example of a query we would like monitored or logged is when an account pulls a list of all User objects in Active Directory.
Please let me know.

You can use Wireshark to capture the LDAP requests and report from there, if your requests are encrypted you will have to configure Wireshark accordingly
An alternative would be to use Active Directory Collector sets in Performance Monitor as explained in this article which seems to show LDAP queries, but the article gets technical fast!

Related

What is the WORKSHEETS_APP_USER in Snowflake

While looking at our snowflake.account_usage.login_history in order to identify users with outdated client drivers (using reported_client_type + reported_client_version), I came across this user_name that I did not recognize: WORKSHEETS_APP_USER.
It's not one of our users, so I'm wondering where it's coming from.
The client driver it's using is OTHER 1.1.5.
It's using OAUTH_ACCESS_TOKEN to authenticate (which is not an authentication method we use for Snowflake).
And it's using a ton of different IPs in the 10.4.* range.
It has a lot more logins during the week than during the weekend -- so probably a human(s).
I'm thinking it's probably related to the worksheets UI (either in Snowsight or in the old console).
If so, would there be any way to know who was the original user(s) behind this activity?
The first time Snowsight is accessed in an account, Snowflake creates an internal WORKSHEETS_APP_USER user to support the web interface. This user is used to cache query results in an internal stage in your account. For more information, see Getting Started With Snowsight.
https://docs.snowflake.com/en/sql-reference/account-usage/users.html#usage-notes

RSA Archer LDAP sync shows group-members from the same AD only

My team just "inherited" an Archer setup with 2 ADs and LDAP sync setup for each of them. The LDAP sync works fine individually; we are able to see the users/groups as per the LDAP configuration's filters. However, we have some groups in AD#1, that contain users from AD#2 and the LDAP sync is only showing/pulling users from 1 AD in Archer. I'm on Archer 6.4.
My question:
Is it possible at all in Archer to get the groups to show members from the 2 AD's?
Does the LDAP service account need any special permissions?
Anything else that I'm missing, or any viable workarounds?
I have looked at this question which talks about some possibilities but it's quite old so starting a new question. Any help is greatly appreciated.
The question you referenced is related to Archer v5.x and v6.x, so everything I mentioned there is still valid as of 2019-04-26.
Back to the questions you asked:
Is it possible at all in Archer to get the groups to show members from the 2 AD's?
The answer is "Yes", but not that simple.
If you check tables on the back end you can see that there are two type of groups:
Manually created groups by Archer admins. These groups are not part of any LDAP source and you can't synch these groups/users.
Groups created via LDAP Synch. These groups and users are synched with LDAP Synch configuration.
In your case, if you have two LDAP synchs configured then you will have two sets of LDAP groups and two sets of LDAP users, assuming LDAP synch is configured to add and synch groups and users using filters correctly.
Based on what you shared if you have group "ABC" in both LDAP sources you will have two groups added to Archer. On the back end in the table tblGroup they will have different "ldap_config_id" values, but same name.
Same applies for users - if you have user "User1" in both LDAP sources you will end up with two users with different domains and different "ldap_config_id".
Back to your question - Yes, if you have two LDAP sources with same group name you will end up with two groups with same name, each group should have users from corresponding LDAP assigned, if you configured both LDAP synchs to add and synch groups and users.
If this doesn't work this way for you, then review your LDAP synch configuration. Your may not have an option enabled to synch groups or don't have any filters in place to get them.
Does the LDAP service account need any special permissions?
In Archer - no, but in LDAP source (Active Directory) the account you specified in LDAP configuration should have access to query certain areas. The account you use for 2nd LDAP may not have access to query groups. I'm not an expert in AD security, you should talk to AD admin on this matter.
Anything else that I'm missing, or any viable workarounds?
See the old question/answer you referenced. LDAP synch principals in Archer v5 and v6 are the same as I know.
Best solution in my opinion is to establish "virtual link" or trust between both Active Directories. Third AD can be created with both AD#1 and AD#2 merged or linked. This way you can query AD#3 and have groups and users provided for you by using only one LDAP synch configuration/Domain. This is the simplest solution for you, but your AD admin will have to do some work.
You can check other options in the old question as well.
P.S: the instance I develop for had 2 LDAP sources, but I configured them to have unique group names and unique users. This way collisions don't occur.
Good luck!
Hahn, I'm uncertain how Archer handles users from two different AD's that members in the same group found in the first AD.
It's best to reach out to Archer support and pose the question to them.
I'm also seen a simlar question in RSA Partner Community. Support may respond to that post then here or other clients that have had the same issue.

Reading Active Directory Logs

I am working on a Data Analytics project. In this project i have to read logs from Active Directory and then need to do further processing on that logs.
I have to insert that logs into a Kafka Topic.
Now i am not able to understand that how can i get logs from active directory? is there any connector for it? I gone through below link but not able to understand anything with this -
https://learn.microsoft.com/en-us/windows/desktop/wec/windows-event-collector
https://learn.microsoft.com/en-us/windows/desktop/wec/windows-event-collector
If anyone has any link related to it then it will be really helpful to me.
Azure Directory has report feature.
Audit logs https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs
Sign in logs https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
Risk sign-ins https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risky-sign-ins
Risk events https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events
users at risk https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-user-at-risk
You can use report api to get the logs. You can also archive azure ad logs to an Azure storage account.
You can check all the logs related to Active Directory in the Event Viewer, or if you want to get the file location where logs are actually stored, so you can get these file in [C:\Windows\System32\winevt\Logs] directory.

Active Directory (LDAP) query or filter to get users with closed mailboxes?

I use Exchange 2003 and I have been searching a lot and found related queries like
(&(UserAccountControl:1.2.840.113556.1.4.803:=2)(msExchHomeServerName=*)(objectClass=User))
Which enumerates disabled user accounts with mailboxes, but what I want is quite the opposite, user accounts (enabled or disabled) with CLOSED mailboxes. Thanks beforehand for any help!
Exchange and Active Directory are separate, if user is created on AD doesn’t mean that it will have mailbox account too but usually both are used together.
You can use any LDAP browser like JXplorer or LDAPadmin to check the settings for your users on Active Directory. You will find disabled users on AD moved to different OU or there should be some attribute which will differentiate it from active users.
You can export LDIF file (by LDAP browser like LDAPadmin) for one active user and one disabled user and compare both to find relevant attribute for disabled entity and use it for your query filter. You can consult your IT team also who is managing Active directory for more details. HTH :)

New MS CRM contact already has an Active Directory account. How do I pull from AD?

I have some clients that I'd like to put into Microsoft CRM (3.0 Dynamics). These people are already in a small Active Directory group for access to a couple of internal applications.
Is there a way to add these people to CRM and pull/push the contact data from Active Directory, so I'm not creating a second repository of information that conflict?
Unfortunately there's no out-of-the-box way to dot his. You'd have to write a custom app in order to query AD and pull in the data. Unless you're looking at over 100 customers you probably won't make up the time it would take you to manually input this data.

Resources