NXLog for auditing ADFS

Active Directory Federation Services (ADFS) is a software component that provides users with single sign-on (SSO) access to systems and applications located across organizational boundaries. You can enable auditing for ADFS and send audit logs to Arctic Wolf® using NXLog.

These operating systems are supported:

  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

PowerShell commands for auditing ADFS

By default, basic auditing is enabled for ADFS. You can run these PowerShell commands to adjust the level of auditing for ADFS:

Note:

You must run these commands on the primary ADFS server.

  • Run this command to log no more than five events for a single request:
    POWERSHELL
    Set-AdfsProperties -AuditLevel Basic
  • Run this command to disable audit event logging:
    POWERSHELL
    Set-AdfsProperties -AuditLevel None
  • Run this command to log a significant number of events:
    POWERSHELL
    Set-AdfsProperties -AuditLevel Verbose
  • Run this command to view or verify the current auditing level:
    POWERSHELL
    Get-AdfsProperties
  • Run this command to turn on Extranet Lockout:
    POWERSHELL
    Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 8 -ExtranetObservationWindow (new-timespan -Minutes 15)
  • Run this command to add IP addresses to the ADFS banned IP list:
    POWERSHELL
    Set-AdfsProperties -AddBannedIps "1.2.3.4", "::3", "1.2.3.4/16"
  • Run this command to add success audits and failure audits to the current ADFS log level:
    POWERSHELL
    Set-AdfsProperties -LogLevel `
    ((Get-AdfsProperties).LogLevel+'SuccessAudits','FailureAudits')

ADFS audit configuration in Group Policy

Following Microsoft best practices, Group Policy Objects (GPOs) that apply to ADFS servers should not apply to other servers. See Configure an Arctic Wolf GPO Advanced Audit Policy for more information. If the ADFS server is not also a domain controller (DC), some items do not apply.

Enable auditing for the ADFS service account

Security audit generation for the ADFS service account is disabled by default.

Note:

The audit levels set with the PowerShell commands above are independent of the default options on the Events tab of the Federation Service Properties dialog.

  1. Click Start > Programs > Administrative Tools > Local Security Policy.
    Tip:

    Microsoft recommends using the Local Security Policy application for this process.

  2. Navigate to the Security Settings\Local Policies\User Rights Assignment folder, and then double-click Generate security audits.
  3. On the Local Security Setting tab, verify that the ADFS service account is listed. If it is:
    • Not listed — Click Add User or Group, add it to the list, and then click OK.
    • Listed — Proceed to the next step.
  4. Open a command prompt with administrator permissions.
  5. Run this command to enable auditing:
    CMD
    auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
  6. Close the Local Security Policy window.
  7. Click Start > Programs > Administrative Tools > ADFS Management to open the ADFS Management snap-in.
  8. In the Actions pane, click Edit Federation Service Properties.
  9. In the Federation Service Properties dialog, click the Events tab.
  10. Select Success audits and Failure audits.
    Note:

    Arctic Wolf recommends enabling Success audits and Failure audits on the ADFS farm. To enable this, you must first enable auditing using the Local Security Policy MMC snap-in.

  11. Click OK.
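
As an added example (not part of this page, and not Arctic Wolf or Microsoft tooling), this PowerShell script reads back the settings configured in the two procedures above: the LogLevel and AuditLevel from Get-AdfsProperties, the extranet lockout and banned IP settings, and the "Application Generated" subcategory from auditpol. It assumes an elevated session on the primary ADFS server and an English locale, since auditpol's CSV column names and values are localized.

```powershell
# Added example: verify the ADFS audit configuration on the primary ADFS server.
# Assumes an elevated PowerShell session, the ADFS module, and an English locale.
Import-Module ADFS

function Test-AdfsAuditConfig {
    $props = Get-AdfsProperties

    # LogLevel must contain both values that the Set-AdfsProperties -LogLevel command adds.
    $required = @('SuccessAudits', 'FailureAudits')
    $missing  = @($required | Where-Object { $props.LogLevel -notcontains $_ })

    # auditpol /r emits CSV; the 'Inclusion Setting' column holds the effective policy.
    # It must be 'Success and Failure' for ADFS to write audit events to the Security log.
    $csv = auditpol.exe /get /subcategory:"Application Generated" /r |
           Where-Object { $_ -and $_.Trim() -ne '' }
    $row = $csv | ConvertFrom-Csv
    $auditpolSetting = $row.'Inclusion Setting'

    [PSCustomObject]@{
        AuditLevel           = ($props.AuditLevel -join ', ')
        AuditDisabled        = ($props.AuditLevel -contains 'None')
        MissingLogLevels     = ($missing -join ', ')
        ApplicationGenerated = $auditpolSetting
        AuditPolOk           = ($auditpolSetting -eq 'Success and Failure')
        ExtranetLockout      = $props.EnableExtranetLockout
        LockoutThreshold     = $props.ExtranetLockoutThreshold
        ObservationWindow    = $props.ExtranetObservationWindow
        # BannedIpList exists on Windows Server 2019; it is empty on older versions.
        BannedIps            = ($props.BannedIpList -join ', ')
    }
}

$result = Test-AdfsAuditConfig
$result | Format-List

if ($result.AuditDisabled) {
    Write-Warning 'ADFS AuditLevel is None: no audit events will be generated.'
}
if ($result.MissingLogLevels) {
    Write-Warning "LogLevel is missing: $($result.MissingLogLevels)"
}
if (-not $result.AuditPolOk) {
    Write-Warning "'Application Generated' is '$($result.ApplicationGenerated)'; expected 'Success and Failure'."
}
```

Run it after completing both procedures; any warning points at the step that still needs to be applied before NXLog will see audit events.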

ADFS logs for troubleshooting

These are the primary logs used for ADFS troubleshooting:

  • Administrative log — Provides high-level information for issues. This logging is enabled by default.
  • Trace log — Generates a high volume of detailed messages in a short period of time. This logging is disabled by default.

Send ADFS logs to Arctic Wolf

  1. Confirm that NXLog is installed on ADFS servers. See Install NXLog for more information.
  2. Confirm that the nxlog.conf file sends logs to an Arctic Wolf Sensor, including Virtual Log Collectors (vLCs) or Virtual Sensors (vSensors), installed on the same local area network.
    Tip:

    The standard Arctic Wolf nxlog.conf file configuration used on your DC works for this process.

  3. Confirm that NXLog is started.

To continue with Active Directory installation, see Active Directory Integrations.