
Windows Active Directory Source

A Windows Active Directory Source collects inventory data from the Active Directory database. This includes information such as computer names, user names, email addresses, and location information.

Cloud SIEM Enterprise uses information from Windows Active Directory to enrich log data, providing additional context and building a more complete profile of your network, for example by connecting a location with the servers, workstations, and users in that location.

The following information is collected:

  • Username
  • Email address
  • Departments to which the employee belongs
  • Employee’s manager
  • Security groups to which the employee is assigned, which allows Cloud SIEM Enterprise to determine the privileges the user has on the company network

To configure a Windows Active Directory Source

  1. In Sumo Logic, select Manage Data > Collection > Collection.
  2. Find the Installed Collector you'd like to add the Source to. Click Add and then choose Add Source from the pop-up menu.
  3. Click Windows Active Directory.
  4. Set the following:
    • Name. Type the name for the new Source. 
    • Description is optional.
    • Frequency. By default, Active Directory is queried for data every 24 hours. You can select a more frequent interval down to every minute.
    • Source Category. Enter a string used to tag the output collected from this Source with searchable metadata. For example, typing web_apps tags all the logs from this Source in the sourceCategory field, so running a search on _sourceCategory=web_apps would return logs from this Source. For more information, see Metadata Naming Conventions and our Best Practices: Good Source Category, Bad Source Category.
      You can define a Source Category value using system environment variables. See Configuring sourceCategory using variables below.
    • Fields. Click the +Add Field link to add custom log metadata Fields.
      • Define the fields you want to associate. Each field needs a name (key) and a value.
        • A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema.
        • An orange triangle with an exclamation point is shown when the field doesn't exist, or is disabled, in the Fields table schema. In this case, an option to automatically add or enable the nonexistent fields in the Fields table schema is provided. A field sent to Sumo that does not exist in the Fields schema, or is disabled, is ignored (dropped).
    • Active Directory Attributes. (Optional)
      • Additional Attributes. Provide a semicolon-separated list of the LDAP Names of Active Directory attributes to report, in addition to the default list:
        • Username
        • Email address
        • Departments to which the employee belongs
        • Employee’s manager
        • Security groups to which the employee is assigned
      • Excluded Attributes. Provide a semicolon-separated list of the LDAP Names of Active Directory attributes to exclude from the report.
      • Exclude Distinguished Name Suffixes. Provide a semicolon-separated list of Distinguished Name suffixes. When set, the Source won't ingest any records that contain the Distinguished Name suffixes specified.
      • Directory Filter. Specifies a filter to use when searching for Domain Objects in Active Directory.
    • Create any Processing Rules you'd like for the new Source.
  5. Click Save.

You can return to this dialog and edit the settings for the Source at any time.

Configuring sourceCategory using variables

Collector versions 19.216-22 and later allow you to define Source Category and Source Host metadata values with system environment variables from the host machine.

When configuring your Source, specify the system environment variables by prepending sys. and wrapping them in double curly brackets, in the form {{sys.VAR_NAME}}.


Where VAR_NAME is an environment variable name, for example:


You can use multiple variables, for example:



You can incorporate text in the metadata expression, for example:


If a user-defined variable doesn’t exist, that portion of the metadata field will be blank.
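
Because an unset variable silently leaves part of the Source Category blank, it is worth previewing an expression on the target host before saving the Source. The following is an added example, not Sumo Logic code: it models only the expansion rule described above, the function names and sample values are constructed, and how the Collector treats a placeholder without the sys. prefix is an assumption (this sketch leaves it as literal text and flags it).

```python
import os
import re

# Matches the {{sys.VAR_NAME}} form described above. Treating any run of
# non-brace characters as the variable name is an assumption of this sketch.
_PLACEHOLDER = re.compile(r"\{\{sys\.([^{}]+)\}\}")


def preview_source_category(expression, env=None):
    """Expand an expression; return (resolved_value, names_of_unset_variables)."""
    # os.environ is case-insensitive on Windows; a plain dict passed in is not.
    env = os.environ if env is None else env
    missing = []

    def substitute(match):
        name = match.group(1)
        value = env.get(name)
        if value is None:
            missing.append(name)  # that portion of the field becomes blank
            return ""
        return value

    return _PLACEHOLDER.sub(substitute, expression), missing


def lint_source_category(expression, env=None):
    """Return (resolved_value, problems) so a bad expression is caught early."""
    resolved, missing = preview_source_category(expression, env)
    problems = ["unset variable %r expands to blank" % name for name in missing]
    if "{{" in resolved or "}}" in resolved:
        # Assumption: anything not in the sys. form is left as literal text.
        problems.append("placeholder not in {{sys.VAR_NAME}} form left unexpanded")
    if not resolved.strip():
        problems.append("Source Category resolves to an empty string")
    return resolved, problems


if __name__ == "__main__":
    sample_env = {"SITE": "ams1", "ROLE": "dc"}  # constructed sample values
    for expr in ("ad/{{sys.SITE}}/{{sys.ROLE}}",   # fully resolved
                 "ad/{{sys.SITE}}/{{sys.TIER}}",   # TIER is unset
                 "ad/{{SITE}}"):                   # missing the sys. prefix
        print(expr, "->", lint_source_category(expr, sample_env))
```

Call lint_source_category with no env argument on the Collector host to check the expression against that machine's real environment.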