Hey everyone, hope you're all having a great week!

I'm currently navigating a bit of a challenge...

We're looking to integrate our on-premises Active Directory (which is hosted on GCP) with Google SecOps SIEM, and I'm really keen to hear about any successful experiences or valuable insights you might have.

Has anyone here successfully tackled this specific integration?

Thanks in advance for your time.

Cheers!

Hi,
For collecting Active Directory (AD) data (excluding logs) from on-prem environments, I typically use the BindPlane agent in combination with a PowerShell script. You can refer to the following resources for guidance:

https://medium.com/google-cloud/windows-active-directory-data-collection-with-the-new-secops-collection-agent-c398b161ff20

https://cloud.google.com/chronicle/docs/ingestion/default-parsers/windows-ad#configure_microsoft_windows_ad_servers

For log collection, I also use the BindPlane agent (note: licenses are available for Google SecOps customers).
Detailed instructions can be found here:

https://cloud.google.com/chronicle/docs/ingestion/default-parsers/winevtlog#configure-bindplane-agent

Although your Active Directory is hosted on GCP, meaning it runs on virtual machines in the cloud, it is still considered an "on-premises" environment from the perspective of many integrations, and therefore requires a forwarding agent.

I suggest two deployment options, depending on the number of servers involved:

For 1–2 servers:
Install the BindPlane agent directly on each host.

For multiple servers:
Set up a Windows Event Forwarding (WEF) server, install the BindPlane agent on that server, and manage all log forwarding centrally (assuming all servers are part of the same domain, as required).

Hope this helps you choose the best approach.


Hi, thank you for the reply. I've successfully configured my system to create the log files – I can see them being generated locally without any issues. However, despite this, they're not appearing in Google SecOps.

I've been following the article on Medium that seemed promising, but it references a specific forwarder that, from what I can tell, is no longer installable on Windows. 

Any help or guidance would be greatly appreciated!

Thanks in advance.


You have a couple of options for ingestion:

  • Bindplane Agent, as mentioned above, can be used to forward the logs or the log files.

  • SecOps forwarder: you can configure the AD to advertise the logs on a specific port, and the forwarder container can then forward the logs to SecOps.

  • If you are already using files, you can use a cron to move them to a GCS bucket and set up a SecOps feed to ingest the data from the bucket.

  • You can also create your own ingestion script to send the logs from GCP to SecOps directly using the Ingestion API (you can leverage the samples to create your own).

The best option will depend on the complexity of your architecture.


Thank you very much for your responses, I was able to find the AD logs in the Rules section. However, the script mentioned in the link: https://medium.com/google-cloud/windows-active-directory-data-collection-with-the-new-secops-collection-agent-c398b161ff20 does not get AD logs, such as an account lockout, or a login. Perhaps I did not express myself well, what we need is to be able to have alerts for locked users within AD On-premise. Is there a script, or a way to configure this?

Thank you very much.


The script referenced in the article above is used to collect user and asset context and would typically run on the AD server to get the users and assets within the domain which is then used to enrich the other log data. Additional documentation around this specific component can be found here: https://cloud.google.com/chronicle/docs/ingestion/default-parsers/windows-ad


To collect the Windows event logs, like 4624 for successful login and such, the docs to accomplish this are found here: https://cloud.google.com/chronicle/docs/ingestion/default-parsers/winevtlog
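As an added example that is not part of the thread, the PowerShell below pulls account lockout (4740) and logon (4624) events from the Security log of a domain controller and writes them as JSON lines to a file that a file-based collector such as the BindPlane agent can forward. The output path, state-file path and lookback window are assumptions; run it as an administrator on the DC, for instance from a scheduled task.

```powershell
# Added example (not from the thread): export Security events 4740 (account lockout)
# and 4624 (successful logon) as JSON lines for a file-based collector to ship to SecOps.
# Assumptions: run as Administrator on a domain controller; paths below are placeholders.
param(
    [string]$OutFile   = "C:\SecOpsLogs\ad-security-events.jsonl",  # placeholder path
    [string]$StateFile = "C:\SecOpsLogs\last-record-id.txt",        # placeholder path
    [int]$LookbackMinutes = 15
)

$dir = Split-Path -Parent $OutFile
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

# Remember the highest RecordId already exported so repeated runs do not duplicate events
$lastId = 0
if (Test-Path $StateFile) { $lastId = [int64](Get-Content $StateFile) }

$filter = @{ LogName = 'Security'; Id = 4740, 4624; StartTime = (Get-Date).AddMinutes(-$LookbackMinutes) }
try {
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
} catch {
    $events = @()   # Get-WinEvent throws when nothing matches; treat as an empty batch
}

$maxId = $lastId
foreach ($e in ($events | Where-Object { $_.RecordId -gt $lastId })) {
    # Flatten the EventData <Data Name="..."> elements into a name/value table
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $record = [ordered]@{
        TimeCreated  = $e.TimeCreated.ToUniversalTime().ToString('o')
        EventID      = $e.Id
        RecordId     = $e.RecordId
        Computer     = $e.MachineName
        TargetUser   = $data['TargetUserName']   # locked-out account (4740) or logged-on account (4624)
        TargetDomain = $data['TargetDomainName'] # note: on 4740 this field carries the caller computer name
        LogonType    = $data['LogonType']        # populated on 4624 only
        IpAddress    = $data['IpAddress']        # populated on 4624 only
        EventData    = $data                     # keep every field for the parser
    }
    $record | ConvertTo-Json -Compress -Depth 3 | Add-Content -Path $OutFile -Encoding UTF8
    if ($e.RecordId -gt $maxId) { $maxId = $e.RecordId }
}

Set-Content -Path $StateFile -Value $maxId
```

Point the collector at the JSONL file (or sync it to a GCS bucket feed, as suggested earlier in the thread) and the 4740 records become the basis for a lockout alert rule in SecOps.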

Thank you! With the links you provided, I was able to successfully integrate SecOps with AD.
