Solved

LDAP from iData agent

  • 15 February 2021
  • 20 replies
  • 194 views

Userlevel 4
Badge +13

Our security team enabled some more logging and found the below request. I think it’s a legit request from our CommCell, but I’m not able to find any log files where I can see the requests.

Does anyone know in what log file I can look for them?

 

//Henke


Best answer by MaheshPrakash 1 April 2021, 08:06


20 replies

Userlevel 7
Badge +23

Hey @Henke!  Without giving actual server names, can you confirm who this client is making the requests to?  Is it the Commserve?  A webserver?

I would start with CVD.log for the specified times (factoring in the time zone of the security log vs the client or other servers) as a start.

What iDa is on that client?  That would help build some context as well.

Thanks!

Userlevel 4
Badge +13

Hey @Mike Struening, it’s sending the request to one of the domain controllers. It has the AD iDataAgent, so it would make perfect sense for it to send the request.

 

I’ll have a look in the Cvd.log on the client, thanks.

 

//Henke

Userlevel 7
Badge +23

Ah, yeah that makes perfect sense.  I was thinking perhaps an exchange agent, but AD makes sense for sure.

Keep me posted!

Userlevel 7
Badge +23

Hey @Henke , any luck on the CVD log messages?

Thanks!

Userlevel 4
Badge +13

@Mike Struening, no luck in that log on the client from what I could see.

 

//Henke

Userlevel 6
Badge +13

Where is the source of the LDAP query that is being made to the DC with the AD iDA installed on it?

Userlevel 7
Badge +23

Appreciate the reply.  

Quick clarification:

Which machine is the SENDER and which is the RECIPIENT?

Is that the Commserve sending to the Active Directory iDA client?

Want to be sure we are checking the right servers with the proper expectations.

Thanks!

Userlevel 7
Badge +23

@Henke , want to keep this thread alive.  any luck on checking the sender and recipient?

Userlevel 4
Badge +13

@Mike Struening The source is the CommServe and the recipient is one of the domain controllers.

 

Below is a snippet from the alert message after detection.

Workspace: [Medium] Security principal reconnaissance (LDAP)
Security principal reconnaissance (LDAP) was detected in "domain"
An actor on COMMSERVE sent suspicious LDAP queries to GLOBAL-DOMAINCONTROLLER, searching for Records Management
 

//Henke

Userlevel 7
Badge +23

Like you, I’m sure it is legit, though you want to have some log file proof, I imagine :grinning:

I’ll share this thread with some people here for advice.

Badge +2

@Henke, is there any LDAP server set up in your CommServe, like a Microsoft AD server, etc., that would make LDAP queries to the domain controllers during user discovery for logins? You can check the CommServe EvMgrS logs if you have AD set up for authentication.

Userlevel 7
Badge +23

@Henke , have you had a chance to review @MaheshPrakash ‘s response?

Userlevel 4
Badge +13

@Mike Struening @MaheshPrakash Yes, we have AD integration, though I wasn’t able to find any LDAP references in the EvMgrS log file.

 

Userlevel 7
Badge +23

@Henke, I hate to go this route, but it’s probably best to open a support case here. Let me know if you do and I’ll track the incident and resolution to update this thread.

Userlevel 6
Badge +17

With SSO enabled, the CS will query AD using LDAP.
Increase the debug level for EvMgrS.log to see it in the log.

Badge +2

@Scott Moseman @Henke Yes, with or without SSO enabled, any AD login would be logged in EvMgrS with a higher debug level (7+). If the logins are mostly on the Web Console/Command Center, then those would be logged in webserver.log on the web server machine. Looking at the AD requests, it is most likely login/user/usergroup discovery requests from the CS machine.

Userlevel 4
Badge +13

Thank you all that contributed.

I’ll drop this for now, if I pick it up again I will let you know.

 

Thanks

//Henke

Userlevel 7
Badge +23

Appreciate it, @Henke. If you reactivate the thread, I’ll unmark the answer.

Userlevel 4
Badge +13

@Mike Struening how do I reactivate the thread?

Userlevel 7
Badge +23

Any reply will do (I’m monitoring for all activity). Once you re-engage, I’ll adjust the Best answer to show it is not solved.
