08-17-2021 12:14 PM
We are attempting to use the agentless User-ID setup with the understanding that the service account needed to be a member of the following AD groups: Distributed COM Users, Event Log Readers, and Server Operators. However, after reading the following Palo Alto documentation on how to create the service account, it seems that there is some conflicting information. https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/map-ip-addresses-to-users/create-.... It states that the Server Operator privilege is "Not Recommended" due to security concerns.
Also, for the DCOM privileges and Event Log Reader setup, the document starts each piece with "If you want to". Does that mean you can set up User-ID with any of the 3 AD privileges but not necessarily all of them?
"If you want to use Server Monitoring to identify users, add the service account to the Event Log Reader builtin group to allow the service account to read the security log events."
"If you want to use WMI to collect user data, assign DCOM privileges to the service account so that it can use WMI queries on monitored servers."
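The following script is an added example, not code from the original post or from Palo Alto Networks. It audits which of the three builtin groups named in the post the User-ID service account actually belongs to, resolving nested membership, and flags Server Operators, which the post says the documentation marks "Not Recommended". The account name svc-userid is a hypothetical placeholder; it assumes the ActiveDirectory RSAT module is available on the host where it runs.

```powershell
# Added example (not from the original post or Palo Alto documentation):
# audit an AD service account's membership in the builtin groups discussed above.
# Assumptions (hypothetical): account is named "svc-userid"; the ActiveDirectory
# RSAT module is installed; the host is domain-joined with read access to AD.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-userid'   # hypothetical service account name

# Group -> the User-ID collection method that needs it, per the documentation
# excerpts quoted in the post.
$GroupPurpose = @{
    'Event Log Readers'     = 'Server Monitoring (reads Security event log)'
    'Distributed COM Users' = 'WMI queries against monitored servers'
    'Server Operators'      = 'Marked "Not Recommended" in the quoted docs'
}

function Test-GroupMembership {
    param(
        [Parameter(Mandatory)] [string] $Group,
        [Parameter(Mandatory)] [string] $SamAccountName
    )
    # -Recursive also catches membership inherited through nested groups,
    # which a direct-membership lookup (Get-ADPrincipalGroupMembership) misses.
    $members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction Stop
    return [bool]($members | Where-Object { $_.SamAccountName -eq $SamAccountName })
}

foreach ($group in $GroupPurpose.Keys) {
    $isMember = Test-GroupMembership -Group $group -SamAccountName $ServiceAccount

    # Only Server Operators is flagged: the two others are each needed only for
    # the collection method the quoted documentation ties them to.
    $flag = ''
    if ($group -eq 'Server Operators' -and $isMember) {
        $flag = 'REVIEW: over-privileged per quoted documentation'
    }

    [PSCustomObject]@{
        Account = $ServiceAccount
        Group   = $group
        Member  = $isMember
        Purpose = $GroupPurpose[$group]
        Flag    = $flag
    }
}
```

Run it from an elevated PowerShell session on a domain-joined host; the output table shows, for each group, whether the account is a (possibly nested) member and why that group matters for User-ID, so you can confirm the account holds only the groups needed for the collection methods you actually enable.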