Active Directory v3.0

Description

Active Directory is a powerful and complex tool for your network, but complex tools need monitoring and repair, too. This bundle provides a trigger that builds real-time metrics for the following Active Directory services: user accounts, computer accounts, DNS, LDAP, global catalog, and group policy loads. The bundle also includes dashboards, alerts, and record queries to help you track Active Directory activity.

Note: The 3.0 bundle version includes the following changes:

• Added a new dashboard region for privileged login failures and successes, as well as services granted to privileged accounts.
• Added metrics for the Kerberos Authentication Service, Ticket-Granting Service, and SPN errors.
• Added new record queries for important metrics, such as unknown SPNs and DNS service record errors.
• Added alerts for high processing times and access issues.
• Updated Explore appliance record formats for Kerberos requests and responses with additional fields for username and error information, plus a flag to identify privileged accesses and attempts.

Kerberos User Access Errors:

Privileged Logins:

Group Policy:

Bundle Contents

• (5) Alerts
  • Active Directory DNS Service Lookup Processing Time
  • Active Directory High Global Catalog Processing Time
  • Active Directory High Kerberos Response Time
  • Active Directory New Privileged Access
  • Active Directory Privileged Attempts
• (1) Trigger
  • Active Directory
• (1) Application
  • Active Directory
• (1) Dynamic Group
  • Kerberos Servers
• (1) Dashboard
  • Active Directory
• (2) Record Formats
  • Kerberos Request AD
  • Kerberos Response AD
• (10) Queries
  • AD: Kerberos Error Records
  • AD: Time Skew Errors
  • AD: User Lockouts
  • AD: Policy Rejected
  • AD: Privileged Attempts
  • AD: Privileged Access
  • AD: Unknown SPNs
  • AD: DNS Service Record Errors
  • AD: Global Catalog Traffic
  • AD: LDAP Plain Text Binds

Installation Instructions

1. Download the bundle on this page

2. Log into the ExtraHop Web UI and complete the following procedures, which are available in the ExtraHop Web UI Guide

   • Upload a Bundle
   • Apply a Bundle - From the Existing objects menu, select overwrite. If you are installing the Active Directory bundle for the first time, rename any objects on the appliance that have the same name as the objects in the bundle. Objects with duplicate names are overwritten when the bundle is applied.
   • Assign a Trigger - Assign the Active Directory trigger to the Kerberos Servers dynamic device group.
   • Configure the Active Directory trigger script by modifying the following settings.
     • Set the failedLoginDisableInterval variable to match your Reset account lockout counter after policy setting in Active Directory.
     • Set the accountLockoutDuration variable to match your Account lockout duration policy setting in Active Directory.
     • Add the names of any privileged accounts in your environment to the priv_names list.

   Note: If you are unfamiliar with modifying triggers, see the Triggers section in the Web UI Guide.

   • Enable a Trigger - Enable the Active Directory trigger. If you are upgrading the Active Directory bundle, disable the previous Active Directory trigger before enabling the new trigger to avoid duplicate metrics.
   • Assign a Page - Assign the Active Directory Authentication and Services page to the Active Directory application.
   • Enable and Assign Alerts - Enable and configure notification settings for any Active Directory alerts that you want to be notified about. Assign any alerts you enable to the Active Directory application, and modify alerting thresholds to fit your environment.