On-Prem Active Directory (AD) Connector Setup Guide

This guide provides step-by-step instructions to set up the On-Prem AD Connector in the XDR platform using Docker and PowerShell.

1. Connector Configuration in XDR

1. Go to the XDR platform.
2. Navigate to Connectors → Ingestion.
3. Select On-prem AD Connector and click Configure.

4. Enter the following:

   • Collector ID
   • Password
   • Create Table: Set to Yes
   • Time Interval (in minutes)
   • Threshold (number of failed login attempts)
5. Click Validate and Save.

🔍 What are Time Interval and Threshold?

If Time Interval = 5 minutes and Threshold = 3, then if a user attempts 3 failed logins within 5 minutes, 1 alert will be generated.

2. System Requirements

• Machine with Static IP address
• Docker Engine installed from https://docs.docker.com/get-docker

Start Docker:

systemctl start docker

3. Firewall Port Configuration

For Linux/macOS:

firewall-cmd --permanent --add-port=514/udp
firewall-cmd --reload

For Windows (PowerShell as Administrator):

New-NetFirewallRule -DisplayName "Allow UDP Port 514" -Direction Inbound -Protocol UDP -LocalPort 514 -Action Allow
New-NetFirewallRule -DisplayName "Allow UDP Port 514" -Direction Outbound -Protocol UDP -LocalPort 514 -Action Allow

4. Docker Collector Setup

Download the collector image:

https://connectors-xdr.seqrite.com/connectors/collector/download?collectorId=<COLLECTOR_ID>&password=<PASSWORD>&tid=<TENANT_ID>

Load the Docker image:

docker load --input <path_to/hhcollector-1.0.0.tar>

Start the agent:

docker run -p 514:514/udp \
  --env COLLECTOR_ID=<COLLECTOR_ID> \
  --env TID=<TENANT_ID> \
  hhcollector

5. PowerShell Script Setup for Log Forwarding

✅ Prerequisites:

• Admin privileges
• PowerShell script downloaded
• NSSM (Non-Sucking Service Manager) installed

Step 1: Download the PowerShell Script

Download the script:

https://connectors-xdr.seqrite.com/connectors/collector/scriptDownload?collectorId=<COLLECTOR_ID>&password=<PASSWORD>&tid=<TENANT_ID>

Save the script as:

C:\SyslogForwarder\SyslogForwarder.ps1

Step 2: Download & Install NSSM

Download NSSM from the official site and extract to:

C:\nssm\

Step 3: Install the PowerShell Script as a Windows Service

Open Command Prompt as Administrator and run:

C:\nssm\nssm.exe install SyslogForwarder

In the NSSM GUI:

• Application:
  powershell.exe

• Arguments:
  -ExecutionPolicy Bypass -File "C:\SyslogForwarder\SyslogForwarder.ps1"

• Startup Directory:
  C:\SyslogForwarder

(Optional) Under Log on tab:
Use Local System or a user account with required permissions.

Click Install service.

Step 4: Set the Service to Start Automatically

Option 1: PowerShell

Set-Service -Name "SyslogForwarder" -StartupType Automatic

Option 2: Services Console

• Open services.msc
• Find SyslogForwarder
• Right-click → Properties
• Set Startup Type to Automatic
• Click OK

Step 5: Start the Service

You can use any of the following:

nssm start SyslogForwarder

or

net start SyslogForwarder

or via services.msc → right-click → Start

Step 6: Verify Operation

Check log output at:

C:\SyslogForwarder\SyslogForwarder.log

Ensure the file is updating with the expected logs.