Active Directory is a powerful and complex tool for your network, but complex tools need monitoring and repair, too. This bundle provides four triggers that build real-time metrics for the following Active Directory services: user accounts, computer accounts, DNS, LDAP, global catalog, and group policy loads. The bundle also includes dashboards, alerts, and record queries to help you track Active Directory activity.
Note: The 4.0 bundle version includes the following changes:
- Added a concise overview dashboard to surface important metrics
- Standardized the dashboard layouts to make information easier to find
- Added regular expression checking for privileged account names
- Converted custom Application-level metrics to Device-level metrics and added drill-downs to improve workflow
- Added high level overviews of Kerberos Authentication and Ticket-Granting Services
- (5) Alerts
- AD DNS Service Lookup Processing Time
- AD High Global Catalog Processing Time
- AD High Kerberos Processing Time
- AD New Privileged Access
- AD Privileged Access Errors
- (4) Triggers
- AD: Kerberos
- AD: Group Policy
- AD: LDAP & Global Catalog
- AD: DNS Service Records
- (1) Dynamic Group
- Kerberos Servers
- (2) Dashboards
- Active Directory Overview
- Active Directory Details
- (2) Record Formats
- Kerberos Request AD
- Kerberos Response AD
- (12) Queries
- AD: Invalid Passwords
- AD: User Lockouts
- AD: Disabled Accounts
- AD: Time Skew Errors
- AD: Policy Rejected
- AD: Unknown SPNs
- AD: Privileged Access Errors
- AD: Privileged Access
- AD: DNS Service Record Traffic
- AD: Global Catalog Traffic
- AD:LDAP Plain Text Binds
- AD: Group Policy
RequirementsExtraHop version 7.2 or later
- Download the bundle on this page
- Log into the ExtraHop Web UI and complete the following procedures
- Upload and Apply a Bundle - From the Existing objects menu, select overwrite. If you are installing the Active Directory bundle for the first time, rename any objects on the appliance that have the same name as the objects in the bundle. Objects with duplicate names are overwritten when the bundle is applied.
- Enable each of the Active Directory triggers.
- Configure the AD: Kerberos trigger script by modifying the following settings.
- Set the
failedLoginDisableIntervalvariable to match your
Reset account lockout counter afterpolicy setting in Active Directory.
- Set the
accountLockoutDurationvariable to match your
Account lockout durationpolicy setting in Active Directory.
- Add the complete names of any privileged accounts in your environment to the
priv_nameslist and any partial matches to the
- Enable and configure notification settings for any Active Directory alerts that you want to be notified about. Modify alerting thresholds to fit your environment.
- If you are upgrading the Active Directory bundle, disable the previous Active Directory trigger and alerts.