@PhoneBoy for AD query ther's no need to use an domain admin account Using Identity Awareness AD Query without Active Directory Administrator privileges on Windows Serve... 

Because of the new security features in newer windows releases AD query should not be used and it's not working without lowering the security on the windows server.

I thought the recent changes Microsoft made broke all this?
Still, I agree: use Identity Collector.

from AD Query cannot access DC server when AD Query is configured for non-admin user workaround 2 states using a member of domain admin group. But does not work with the newest windows releases. 

@Matlu forget about AD query. Identity Collector, Identity Agent, MUH agent are the working solutions.

I tried that sk with 4 different customers in the past, every time even TAC was on the phone, and we got it working once for like 1 day and then broke and could not be fixed again, so we just gave up on it.

Hello,

One doubt, for the Identity Collector, is it mandatory that the AD account used belongs to the group "Event Log Readers"?

It is not possible to work this integration with an "any" user of the AD, which is in "read only" mode?

Greetings.

It must be able to read security event logs.

I will give that "option" to the client, because being a state entity, their policies are really a headache.
They don't want to provide a user from the "Event Log Readers" group, as a "precaution".
Hence my query.

We all encounter clients like that, my friend : - )

@Matlu in a similar case we used the Identity Agent on the endpoint. You need local admin rights on the endpoint to install the agent but only for install. Agent can be configured to use SSO with the user authenticated on the endpoint.

Identity Agent for a User Endpoint Computer - Configuring as Identity Source