AD integration provides IP-to-user-identity mapping for use in Insight Analytics Flow Custom Tags.


The feature is based on Winlogbeats and installed by the UNUM administrator.


The feature integrates Elastic's Beats technology into the UNUM Platform.


Winlogbeats is a 'log-shipper' that runs on a Windows machine and parses the Windows logs and ships them to the UNUM Platform Logstash server.


Winlogbeats parses the Windows security log for specific event IDs (logon and logoff events).


Other events, such as application installation, and/or compliance events may be added in the future.


UNUM utilizes Logstash to ingest different data streams – e.g. Syslog, SNMP, etc.  


The Logstash service is enhanced to receive Winlogbeats event data. This data is transformed and stored in a new queue named - "queue.beats".


NOTE: AD Integration only supports user name and domain.


Installing Winlogbeats


Winlogbeats is installed on one or more Windows Domain Controllers (DCs). Click here for detailed installation and configuration instructions.


Ensure only one namespace is enabled. Do not enable "output.elasticsearch".


winlogbeat.yml contains the Winlogbeats configuration. This file needs to be modified as follows:


winlogbeat.event_logs:


- name: Security


ignore_older: 1h


event_id: 4624, 4634


...


output.logstash:


# The Logstash hosts


hosts: ["UNUM_host_IP:5044"]


Verify the configuration file using the "winlogbeat.exe" command on the domain controller.


Implementation Notes:


  • UNUM Platform only receives logon/logoff events from Active Directory.
  • UNUM Platform maps these logon/logoff events to flows (from Insight Analytics Flow).
  • UNUM Platform allows user to filter flows in dashboard based on user identity.


For more information on implementing and configuring Winlogbeats, please refer to the following link:

Detailed Implementation and Configuration Instructions