I am working to setup two domain controllers as active directory event sources. I’ve done this many times, however, these specific domain controllers are behind a pao firewall.
As of today, I have rules to allow connections from the collectors inbound to the DCs on ports tcp 445 & 636, plus predefined applications in Palo called smb-base, smbv3, ssl and wmi.
However, I still cannot connect to my AD event sources.
Our engineers sent me screenshots of smbv2 dropped traffic. SMBv2 was deprecated when SMBv3 came out via Server 2008. And we don’t allow old SMB calls.
Has anyone witnessed this before? Why is their product is using a 15-year-old deprecated SMB version?
Do I have other options for collecting data from these domain controllers?
For Active Directory via WMI, you will also need port 135 and 139 opened. However, I would recommend using the Insight Agent for AD log collection. You can find instructions here midway down the page: Active Directory | InsightIDR Documentation
The main benefit is that you don’t need to use WMI, which imo is a pretty nice benefit. Other benefit would be that the agent can talk directly to the Insight Platform and you don’t necessarily have it route to the Collector which takes away some of the networking complexity.
A high number of events would really be if it’s generating over 100s of events per second.
Also to answer your original question, I have not seen that specifically, and if it’s the DC sending smbv2, I would imagine that it may be a setting on that DC, as it should be able to support smbv3. And in that case, if you do still decide to go the WMI route you’ll need to open port 135 as well.
We recently disabled SMB2 on our domain controllers. Today, I noticed our DNS and DHCP logs are not being captured in InsightIDR. Upon investigation, I came across this documentation on InsightIDR’s Data Collection Methods. We use the Watch Directory method for the DNS and DHCP log file shares on our domain controllers. The InsightIDR documentation notes Watch Directory requires SMB1 (CIFS) or SMB2. Are there plans to support SMB3 for Watch Directory?