The Active Directory sensor
The Active Directory (AD) sensor collects and processes user login information from the on-premises Active Directory that your company uses.
Prerequisites
Before setting up the Active Directory sensor, make sure the following requirements are met:
On each machine with the Domain Controller role, the Certificate Authority role, or both:
BEST (Bitdefender Endpoint Security Tools) is installed, with the EDR module active.
The Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies group policies are configured so that every audit policy except Global Object Access Auditing is enabled, which covers all logon events.
On the machine with the Certificate Authority role, all the Auditing > Events to audit properties are selected in the Certification Authority MMC.
Configuring policies for the Domain Controller and the Certificate Authority roles
To enable the group policies required for both the Domain Controller and the Certificate Authority roles, follow these steps:
Open the Group policy management console.
Navigate the tree structure to your domain > Domain Controllers, and select Default Domain Controllers Policy.
Right-click the Default Domain Controllers Policy and select Edit.
The Group Policy Management Editor opens on the Computer Configuration node.
Navigate to Audit Policies: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
Configure all policies within Audit Policies, except Global Object Access Auditing, so that their events are audited.
Apply the changes.
Open Command Prompt and run the following command:
gpupdate /force
The policy changes you have made will take effect immediately.
Warning
Make sure these Audit policies are not overridden by a higher-priority GPO, such as an enforced GPO or one linked to the Domain Controllers OU with a higher link order. The settings actually in effect on the host can be checked with auditpol /get /category:*.
Configuring properties for the Certificate Authority role
To configure the properties required for the Certificate Authority role, follow these steps:
Open the Certification Authority MMC.
Right-click on your Certificate Authority, then select Properties.
Click the Auditing tab.
Select all the checkboxes under Events to audit.
Click Ok.
Open Command Prompt and run the following command:
gpupdate /force
The property changes you have made will take effect immediately.
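The following PowerShell script is an added example, not part of the GravityZone documentation or product, that checks both prerequisites configured above on a Domain Controller or Certificate Authority host: it reads the effective advanced audit policy with auditpol and flags any subcategory still set to No Auditing, and it reads the AuditFilter value that the Certification Authority MMC writes for each CA to confirm that all events are selected. It assumes English-language auditpol output (the parsing depends on it) and the default CertSvc registry location for the CA configuration, and it must be run from an elevated PowerShell prompt on the host itself.

```powershell
# Added example (not part of the GravityZone documentation): verify the audit
# prerequisites for the Active Directory sensor on a DC and/or CA host.
# Run from an elevated PowerShell prompt on the host itself.
# Assumptions: English-language auditpol output (the parsing relies on it) and
# the default CertSvc registry location for the CA configuration.

function Get-EffectiveAuditPolicy {
    # auditpol reports the *effective* policy, so a subcategory that a
    # higher-priority GPO has reset to "No Auditing" shows up here even though
    # the Default Domain Controllers Policy still looks correct in the editor.
    # auditpol /get /category:* does not list Global Object Access Auditing,
    # which is the one category the procedure leaves unconfigured anyway.
    $raw = & auditpol.exe /get /category:*
    if ($LASTEXITCODE -ne 0) { throw 'auditpol failed (is the prompt elevated?)' }
    $category = $null
    foreach ($line in $raw) {
        if ($line -match '^\S') {              # category names are not indented
            $category = $line.Trim()
            continue
        }
        # Subcategory lines: indent, name, padding, then the setting text.
        if ($line -match '^\s+(.+?)\s{2,}(No Auditing|Success and Failure|Success|Failure)\s*$') {
            [pscustomobject]@{
                Category    = $category
                Subcategory = $Matches[1]
                Setting     = $Matches[2]
            }
        }
    }
}

function Test-AuditPolicyPrerequisite {
    $notAudited = Get-EffectiveAuditPolicy | Where-Object Setting -eq 'No Auditing'
    if ($notAudited) {
        Write-Warning 'Subcategories still set to "No Auditing" (check for an overriding GPO):'
        $notAudited | ForEach-Object { Write-Warning ("  {0} / {1}" -f $_.Category, $_.Subcategory) }
        return $false
    }
    Write-Host 'Advanced audit policy: every listed subcategory is audited.'
    return $true
}

function Test-CaAuditPrerequisite {
    # The Auditing tab of the Certification Authority MMC stores its checkboxes
    # as a bitmask in the AuditFilter value of the CA's configuration key.
    # 127 (0x7F) means all seven "Events to audit" groups are selected.
    $configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path $configKey)) {
        Write-Host 'No Certification Authority role on this host; CA check skipped.'
        return $true
    }
    $ok = $true
    foreach ($ca in Get-ChildItem -Path $configKey) {
        $filter = (Get-ItemProperty -Path $ca.PSPath -Name AuditFilter -ErrorAction SilentlyContinue).AuditFilter
        if ($filter -ne 127) {
            Write-Warning ("CA '{0}': AuditFilter is '{1}', expected 127 (all events selected)." -f $ca.PSChildName, $filter)
            $ok = $false
        }
    }
    if ($ok) { Write-Host 'Certification Authority auditing: all events selected.' }
    return $ok
}

$auditOk = Test-AuditPolicyPrerequisite
$caOk    = Test-CaAuditPrerequisite
if ($auditOk -and $caOk) {
    Write-Host 'This host meets the Active Directory sensor audit prerequisites.'
} else {
    Write-Host 'Fix the items above, run "gpupdate /force", then re-run this script.'
}
```

Run gpupdate /force before the script so that auditpol reflects the policy you just edited. If the audit policy check fails although the Default Domain Controllers Policy is configured correctly, gpresult /r /scope:computer lists the GPOs applied to the host in precedence order, which makes the overriding GPO easy to find. Note that the Certification Authority audit events are only written when the Object Access > Certification Services subcategory is enabled, so the first check also matters for a CA-only host.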
Setting up the Active Directory sensor
To configure the Active Directory sensor in GravityZone Control Center, follow these steps:
In the Configuration > Sensors Management page, select Add new to integrate a new sensor.
Select the Active Directory sensor and click Integrate.
Tip
If the Active Directory sensor is not licensed, you can use the Add License button to open the GravityZone Licensing section and add a license.
On the Check requirements page, confirm that the prerequisite steps have been completed.
Click the domain you want to monitor.
A list of its hosts with the Domain Controller role, the Certificate Authority role, or both will be displayed.
Note
The Status column lists any missing prerequisite steps for each host. When all requirements are met, the Status displays Ready to use.
Important
To be able to take response actions, the selected domain must have at least one online domain controller that has BEST with EDR installed.
Select Add sensor, then Done.
The new integration will be available in the Sensors Management grid.
Important
If you're using a hybrid Active Directory setup, make sure to deploy the Azure AD sensor as well. For more information, refer to The Azure AD sensor.
Deleting a Domain Controller or a Certificate Authority sensor
To delete a Domain Controller or a Certificate Authority sensor, you must first make sure it is offline or unmanaged.
If you only have one remaining Domain Controller or Certificate Authority sensor, you cannot delete it using this option. Instead, you can delete the entire sensor integration. For more information regarding this, refer to Managing sensors.
To delete a Domain Controller or Certificate Authority sensor from your Active Directory integration, follow these steps:
Go to the Configuration > Sensors Management page in GravityZone Control Center.
Click the Active Directory sensor integration you want to change.
The details panel displays all the Domain Controller and Certificate Authority sensors of that integration.
In the details panel, click the Delete button directly below the Domain Controller or Certificate Authority sensor.
Click Delete again to confirm your choice.
The Domain Controller or Certificate Authority sensor is removed from the details panel.
Note
If the Domain Controller or Certificate Authority sensor comes back online, it will be automatically added to the details panel, and it will continue to process data.