How to Monitor and Analyze AWS Managed Microsoft AD Security Logs Using Amazon CloudWatch and Splunk

By Nithin Banda, Cloud Support Engineer at AWS

AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) makes it possible for you to monitor and analyze security events of your directory in near real-time.

You can now forward security event logs from your directory to Amazon CloudWatch Logs in the Amazon Web Services (AWS) account of your choice, and centrally monitor events using AWS services or third-party applications such as Splunk, an AWS Partner Network (APN) Advanced Technology Partner with the AWS Security Competency.

In this post, I will show you an example of how to detect and respond to unauthorized or unusual activity. For example, account lockouts may result from a user who forgot their password. However, a bad actor could be attempting unauthorized access, or running a denial of service attack against your users.

By detecting account lockouts, you may be able to distinguish between an attacker and a user who innocently lost access, and you can respond appropriately.

I will also explore how to monitor and create near-real-time alerts for account lockouts in your AWS Managed Microsoft AD using Amazon CloudWatch Logs and Splunk. I’ll accomplish this in four steps:

1. Enable log forwarding to Amazon CloudWatch Logs.
2. Configure your Splunk environment.
3. Stream logs from Amazon CloudWatch Logs to Splunk using an AWS Lambda function.
4. Configure the monitor account lockouts dashboard.

Assumptions and Solution Architecture

For the purposes of this post, I am assuming you already created an AWS Managed Microsoft AD directory and configured a fine-grained password policy that enforces the account lockout policy (not enabled by default).

In this example, I configured a password policy with a lockout policy after three failed login attempts. I’ve assumed you are already using Splunk Cloud, which is a cloud-native approach to monitor cloud services.

If you don’t have one already, sign up here and verify your email. This takes you to a login page where you can spin up your Splunk Cloud within minutes.

As you can see, I’ve enabled AWS Managed Microsoft AD log forwarding to Amazon CloudWatch Logs, configured Splunk, used an AWS Lambda function to push the event logs from Amazon CloudWatch Logs to Splunk, and then configured the Splunk dashboard to monitor account lockouts.

You can use Amazon Kinesis Data Firehose as an alternative to an AWS Lambda function. In this post, I’ll use Splunk Cloud instead of Splunk Enterprise, because it eliminates the need of infrastructure deployment and management.

Step 1: Enable Log Forwarding to Amazon CloudWatch Logs

Follow these steps to enable log forwarding from your directory to Amazon CloudWatch Logs:

• Open the AWS Management Console, select Directory Service, and then select the directory you want to share (in my case, corp.com).
• In the details page, select the Networking & Security tab, and then choose Enable under the Log Forwarding section.

• Create or select an existing CloudWatch Log group that will contain the security logs from your domain controllers. If you have a central security team that monitors your cloud activity from a separate central account, you can send the security logs to their Amazon CloudWatch account.
  .
  In this example, I’ll create a new log group in the same account as the directory. Select the Create a New Log Group option and use the suggested log group name. Choose Enable, and then wait 5-10 minutes for the security logs of each domain controller to be available in Amazon CloudWatch Logs.
  .
  Note that AWS Directory Service will create or use an existing resource policy with permissions to publish the security logs to the specified log group name.

Step 2: Configure Your Splunk Environment

As I mentioned in the solution architecture overview, I am using an AWS Lambda function to push event logs from Amazon CloudWatch Logs to Splunk. To receive the event logs into Splunk, I must first configure a Splunk HTTP Event Collector (HEC) by following these steps:

• Open the Splunk management console, select Settings, then Data Inputs, and choose Add New HTTP Event Collector. Here’s a list of properties you must configure:

Below is my configuration example:

• Enable HEC through the Global Settings dialog box. On the Data Inputs page, select HTTP Event Collector and choose Global Settings. Select Enable in the All Tokens option.

Step 3: Stream Logs from Amazon CloudWatch Logs to Splunk

Now that I’ve enabled log forwarding to Amazon CloudWatch Logs and configured Splunk, I’ll create an AWS Lambda function to stream logs from CloudWatch Logs to Splunk. To accomplish this, I will use a predefined Splunk CloudWatch log-processing blueprint in Lambda by following these steps:

• Open the AWS Management Console, select Lambda, and then choose Create Function. Select the Blueprints option, and search for “splunk.” Select the “splunk-cloudwatch-logs-processor” Lambda blueprint and choose Configure.

• In the Basic Information section, provide a Name for your Lambda function and create or select an Identity and Access Management (IAM) Role that grants Lambda the rights to CreateLogGroup, CreateLogStream, and PutLogEvents.
  .
  In this example, I created a new Role from the template shown below. The Lambda function will attach an AWSLambdaBasicExecutionRole which has the permissions listed above.

• In the CloudWatch Logs Trigger section, select the Log Group to which you are forwarding AWS Managed Microsoft AD security logs (see Step 1). Provide a Filter Name, and make sure you check the Enable Trigger option.

• In the Environment Variables section, provide the values for the following variables according to your Splunk configurations in Step 2:
  .
  • SPLUNK_HEC_URL: Provide the URL you use to access your Splunk account, which is available in the browser when you access your Splunk home page. In this case: https://prd-p-69vgmjstn6rc.cloud.splunk.com/en-US/app/launcher/home.
    .
    Splunk expects this value in the following format: https://input-prd-p-xxx.cloud.splunk.com:8088/services/collector
    .
  • SPLUNK_HEC_TOKEN: When you configured the HEC in Step 2, Splunk created a token. To see your token, open the Splunk Management Console, select Settings, select Data Inputs, and then select HTTP Event Collector.
    .
    Below is my configuration example:

• Choose Creation Function, and AWS subscribes this Lambda Function to the selected log group. With this, Amazon CloudWatch Logs triggers the subscribed Lambda function each time CloudWatch receives a new security event from AWS Managed Microsoft AD.

• After a few minutes, you’ll see your directory security events in your Splunk environment. To see the events from your Splunk dashboard, click on Search & Reporting and query using command index=main, and choose the appropriate values from Selected Fields in the left pane. This will auto-populate the search query as index=main host=”input-prd-p-69vgmjstn6rc.cloud.splunk.com:8088″ source=”lambda:DSSecurityLogs.”

Step 4: Configure the Monitor Account Lockouts Dashboard

Now that Splunk is receiving security events, I am ready to create a dashboard in Splunk where I can monitor the account lockouts of the directory. Active Directory generates the Event ID 4740 every time an account lockout occurs. To monitor this specific event, I need to install the Splunk add-on for Microsoft Windows, which enables Splunk to understand and parse Windows logs.

From your Splunk dashboard, click on Find More Apps and search for “Splunk Add-on for Microsoft Windows.”

The Splunk for Microsoft Windows add-on provides common information model mappings for Windows events, and allows you to set up dashboard and alerting that I’ll configure in next steps. Click Install besides the Add-On.

Splunk can now process the log files as Windows security events. Next, I will use Splunk searches to configure a dashboard report that shows details of account lockouts:

• Create a query to search for the account lockout events (Event ID 4740). Here’s an example of the query: sourcetype=xmlwineventlog EventCode=4740 | table _time TargetUserName, TargetDomainName | rename TargetDomainName as “Caller Computer Name”

• Save the query by selecting the option Save As Dashboard Panel and provide the requested information. See here for more details on creating Dashboards.

• You can now see the account lockout events in your Splunk dashboard report.

Congratulations! You can now monitor your AWS Managed Microsoft AD security event logs using Splunk in near real-time. Splunk provides additional monitoring and alerting capabilities, such as sending an alert email every time an account lockout occurs.

Summary

In this post, I have demonstrated how you can monitor your AWS Managed Microsoft AD directory’s security events using Amazon CloudWatch Logs and Splunk in near real-time.

I used the account lockout event as an example that helps you to be informed and take appropriate actions even before your end users reach out to you. In addition, I showed you how to accomplish this by using cloud-based services only. This makes it easier and more cost-effective for you to monitor your directory security events because it eliminates the need to deploy any additional infrastructure or deploy and manage additional monitoring tools.

Learn more about AWS Directory Service, and if you have questions please post them on the Directory Service forum.