IBM Support

WinCollect: Enable Active Directory Lookups FAQ

Question & Answer


Question

In my WinCollect log source configuration there is a check box for "Enable Active Directory Lookups". What does this check box do when enabled?

Answer

What does the "Enable Active Directory Lookups" check box do?


The check box allows the WinCollect agent to make an additional network request to the AD server to identify a username that is written in a non-human-readable format. For example, if an event arrives with a username value of {hex}, the agent can query the AD server to learn that username={hex} is actually username=joe.smith, or whatever the name resolves to in the AD catalog. Object names and types are another reason to enable it: like usernames, they can arrive in GUID format.
When the check box is selected and the agent cannot determine the username on its own, a secondary request is made to the AD server to resolve the user so that the data is displayed in human-readable values.

What about user Security Identifiers (SIDs) as those values are not human readable?


Typically, an AD request is not required to resolve a SID, as SIDs can be resolved from the Windows registry in most cases. A SID value such as S-1-5-21-1180699209-877415012-1111111111-11111 can be resolved through the registry to the actual user name. If the majority of your events contain SIDs, additional Active Directory Lookups should not be required to resolve usernames to human-readable values.

Should an administrator turn on Enable "Active Directory Lookups" for their log sources?


Most security teams will want Enable Active Directory Lookups turned on, as the data it provides is valuable when resolving HEX values, object GUIDs, and object types that require additional queries to resolve. Enable Active Directory Lookups was added as a feature after the initial release of WinCollect. IBM does not enable the feature by default and lets site administrators decide whether they want to use it.

A {hex} username or object GUID value that does not properly resolve might require extra investigation by the security team when trying to determine which user violated a policy. For example, the distinguished name of an object might change, but its object GUID will not. In some cases, the security team might need help from an AD administrator just to access or resolve a value from an event to a username.

Are there any problems when enabling Active Directory Lookups for my WinCollect log sources?


The possible issues are site specific, but for probably 90% of all users it is beneficial to enable this feature, because the data returned by these AD lookups is work that a SOC user or tier 1 analyst then does not need to do by hand. It is also useful to have this data in the initial event payload for use by applications such as User Behavior Analytics (UBA). If a Windows host generates events with HEX usernames, those values can show up as new users in an application like UBA.
The answer is site specific because some Windows deployments have very busy AD servers. Because each resolution requires an extra request and response, a busy AD server might have problems handling the extra traffic, and queues can back up on systems where the AD server is already overburdened. These requests can also become an extra burden on very busy WinCollect agents, because the agent needs to complete the lookup before it can forward the event to the QRadar appliance. So the downside can be performance problems, depending on hardware capabilities or network limitations.
Another possible downside is that turning on these requests generates extra traffic, which might not be desirable for some administrators. On a remote WAN link or satellite link where bandwidth is at a premium, these requests add traffic whose value might not justify the bandwidth consumed or the issues that consuming it creates.
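The two questions above come down to how many of a site's events carry SIDs (resolvable without AD) versus {hex} or GUID values (which need the extra AD request). The following script, an added example and not part of IBM's documentation or the WinCollect agent, classifies the username field of a constructed set of Windows-style event lines so an administrator can estimate how much lookup traffic the check box would generate. The SID and GUID patterns are standard Windows formats; the hex pattern and the `TargetUserName=` field layout are assumptions, since the page only refers to the value as {hex}.

```python
import re
from collections import Counter

# Standard Windows formats: a SID (S-1-5-21-...) and an object GUID, with or
# without braces. The hex form is an assumption: the page calls it {hex} but
# does not show one, so this treats "0x..." tokens and bare runs of at least
# eight hex digits as hex. A real account name made only of hex digits would
# be misclassified, so treat the hex count as an estimate.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
GUID_RE = re.compile(r"^\{?[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$")
HEX_RE = re.compile(r"^(?:0x[0-9a-fA-F]+|[0-9a-fA-F]{8,})$")

# Assumed field layout for the sample events (constructed for this example).
USERNAME_FIELD_RE = re.compile(r"TargetUserName=(\S+)")

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=joe.smith TargetDomainName=EXAMPLE",
    "EventID=4624 TargetUserName=S-1-5-21-1180699209-877415012-1111111111-11111 TargetDomainName=EXAMPLE",
    "EventID=4662 TargetUserName={9c2f7a1e-3b4d-4c5e-8f6a-7b8c9d0e1f2a} TargetDomainName=EXAMPLE",
    "EventID=4624 TargetUserName=0x3e7 TargetDomainName=EXAMPLE",
    "EventID=4634 TargetUserName=S-1-5-21-1180699209-877415012-1111111111-22222 TargetDomainName=EXAMPLE",
    "EventID=4624 TargetUserName=mary.jones TargetDomainName=EXAMPLE",
]


def classify(username):
    """Return 'sid', 'guid', 'hex' or 'readable' for one username value."""
    value = username.strip()
    if SID_RE.match(value):
        return "sid"
    if GUID_RE.match(value):
        return "guid"
    if HEX_RE.match(value):
        return "hex"
    return "readable"


def extract_usernames(event_lines):
    """Pull the TargetUserName value out of each event line that has one."""
    names = []
    for line in event_lines:
        match = USERNAME_FIELD_RE.search(line)
        if match:
            names.append(match.group(1))
    return names


def lookup_summary(usernames):
    """Count username formats and estimate how many events would trigger an
    AD lookup. Following the page, SIDs are assumed resolvable locally, so
    only GUID and hex values count toward the AD request load."""
    counts = Counter(classify(name) for name in usernames)
    total = sum(counts.values())
    needs_ad = counts["guid"] + counts["hex"]
    return {
        "total": total,
        "counts": dict(counts),
        "resolvable_locally": counts["sid"],
        "needs_ad_lookup": needs_ad,
        "ad_lookup_ratio": needs_ad / total if total else 0.0,
    }


if __name__ == "__main__":
    summary = lookup_summary(extract_usernames(SAMPLE_EVENTS))
    print(f"events with a username: {summary['total']}")
    print(f"format counts: {summary['counts']}")
    print(f"SIDs resolvable without AD: {summary['resolvable_locally']}")
    print(f"events needing an AD lookup: {summary['needs_ad_lookup']} "
          f"({summary['ad_lookup_ratio']:.0%})")
```

Run it against an export of real events (adjusting `USERNAME_FIELD_RE` to the field name in that export) to see what fraction of events would generate the extra request; a high ratio on a site with a busy AD server or a constrained WAN link is the case the "problems" section above is warning about.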

Where do I enable Active Directory Lookups in my log source?


The Enable Active Directory Lookups check box is shown in the image below. A deploy of the configuration is not required when this feature is enabled or disabled.

[Image: the Enable Active Directory Lookups check box in the WinCollect log source configuration]

Where do you find more information?



Document Information

Modified date:
03 October 2019

UID

ibm11076673