Microsoft Active Directory Integration
Overview
Microsoft Active Directory is the cornerstone of enterprise identity management. KYRA MDR collects AD security event logs via Windows Event Forwarding to monitor authentication and privilege escalation. The integration supports Windows Server 2016, 2019, and 2022.
Prerequisites
- A KYRA MDR Collector installed and running
- Windows Server with Active Directory Domain Services
- Domain Administrator or equivalent permissions
- Windows Event Forwarding (WEF) or NXLog agent installed
Configuration
Configure Windows Event Forwarding:
- Enable audit policies on domain controllers:
```
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
auditpol /set /category:"Account Management" /success:enable /failure:enable
auditpol /set /category:"DS Access" /success:enable /failure:enable
auditpol /set /category:"Policy Change" /success:enable /failure:enable
```

- Install NXLog on domain controllers:

```
# nxlog.conf
# Output-side fragment: pair it with an im_msvistalog <Input> and a <Route>
# in the full configuration so Security events reach this output.
<Output out>
    Module om_tcp
    Host   <collector-ip>
    Port   514
    Exec   to_syslog_bsd();
</Output>
```

- Restart the NXLog service
Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| Logon Events | User authentication (4624, 4625) | Brute force, credential abuse |
| Account Management | User/group changes (4720, 4728) | Privilege escalation |
| Directory Service | AD object access (4662) | Object enumeration detection |
| Policy Change | Group Policy modifications (4719) | Security policy monitoring |
| Kerberos | Ticket operations (4768, 4769) | Kerberoasting detection |
| Privilege Use | Sensitive privilege use (4672) | Admin activity monitoring |
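As an added example (not part of the KYRA MDR documentation), the script below triages forwarded domain-controller lines: it keeps only the high-value event IDs from the table and the troubleshooting note, and flags a source that accumulates repeated 4625 failures before a 4624 success. It assumes a constructed line shape, a BSD syslog header followed by `EventID=` key=value pairs, which is not NXLog's default message text; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Event IDs the integration highlights as security-relevant (from the table above).
WATCHED = {4624, 4625, 4720, 4728, 4768}

# Assumed line shape (not NXLog's default): "<PRI>Mon DD HH:MM:SS host tag: k=v k=v ..."
LINE_RE = re.compile(r"^<\d+>\w{3}\s+\d+ [\d:]+ (?P<host>\S+) [^:]+: (?P<body>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample: three failures then a success from one IP, plus noise.
SAMPLE = [
    "<13>Jan 15 10:00:01 DC01 Security: EventID=4625 TargetUserName=alice IpAddress=10.0.0.5",
    "<13>Jan 15 10:00:02 DC01 Security: EventID=4625 TargetUserName=alice IpAddress=10.0.0.5",
    "<13>Jan 15 10:00:03 DC01 Security: EventID=4625 TargetUserName=alice IpAddress=10.0.0.5",
    "<13>Jan 15 10:00:04 DC01 Security: EventID=4624 TargetUserName=alice IpAddress=10.0.0.5",
    "<13>Jan 15 10:00:05 DC01 Security: EventID=4662 ObjectName=CN=Users",
    "<13>Jan 15 10:00:06 DC01 Security: EventID=4720 TargetUserName=svc-backup IpAddress=-",
    "garbage line that does not parse",
]

def parse_line(line):
    """Return a dict of fields (Host, EventID as int, key=value pairs) or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("body")))
    try:
        fields["EventID"] = int(fields["EventID"])
    except (KeyError, ValueError):
        return None
    fields["Host"] = m.group("host")
    return fields

def triage(lines, fail_threshold=3):
    """Count watched event IDs and alert when an IP reaches fail_threshold 4625s before a 4624."""
    counts, failures, alerts = defaultdict(int), defaultdict(int), []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["EventID"] not in WATCHED:
            continue  # drops unparsable lines and high-volume IDs outside the focus set
        counts[ev["EventID"]] += 1
        ip = ev.get("IpAddress", "-")
        if ev["EventID"] == 4625:
            failures[ip] += 1
        elif ev["EventID"] == 4624 and failures[ip] >= fail_threshold:
            alerts.append((ip, ev.get("TargetUserName", "?"), failures[ip]))
            failures[ip] = 0  # reset so one burst yields one alert
    return dict(counts), alerts

if __name__ == "__main__":
    print(triage(SAMPLE))
```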
Troubleshooting
No events received: Verify audit policies with auditpol /get /category:*.
Missing Kerberos events: Enable Audit Kerberos Authentication Service policy.
High volume: Focus on security-relevant event IDs (4624, 4625, 4720, 4728, 4768).
Contact kyra@seekerslab.com for support.