Active Directory v4

Description

Active Directory is a powerful and complex tool for your network, but complex tools need monitoring and repair, too. This bundle provides four triggers that build real-time metrics for the following Active Directory services: user accounts, computer accounts, DNS, LDAP, global catalog, and group policy loads. The bundle also includes dashboards, alerts, and record queries to help you track Active Directory activity.

Note: The 4.0 bundle version includes the following changes:

• Added a concise overview dashboard to surface important metrics
• Standardized the dashboard layouts to make information easier to find
• Added regular expression checking for privileged account names
• Converted custom Application-level metrics to Device-level metrics and added drill-downs to improve workflow
• Added high level overviews of Kerberos Authentication and Ticket-Granting Services

Bundle Contents

• (5) Alerts
  • AD DNS Service Lookup Processing Time
  • AD High Global Catalog Processing Time
  • AD High Kerberos Processing Time
  • AD New Privileged Access
  • AD Privileged Access Errors
• (4) Triggers
  • AD: Kerberos
  • AD: Group Policy
  • AD: LDAP & Global Catalog
  • AD: DNS Service Records
• (1) Dynamic Group
  • Kerberos Servers
• (2) Dashboards
  • Active Directory Overview
  • Active Directory Details
• (2) Record Formats
  • Kerberos Request AD
  • Kerberos Response AD
• (12) Queries
  • AD: Invalid Passwords
  • AD: User Lockouts
  • AD: Disabled Accounts
  • AD: Time Skew Errors
  • AD: Policy Rejected
  • AD: Unknown SPNs
  • AD: Privileged Access Errors
  • AD: Privileged Access
  • AD: DNS Service Record Traffic
  • AD: Global Catalog Traffic
  • AD:LDAP Plain Text Binds
  • AD: Group Policy

Requirements

Installation Instructions

1. Download the bundle on this page
2. Log into the ExtraHop Web UI and complete the following procedures
   • Upload and Apply a Bundle - From the Existing objects menu, select overwrite. If you are installing the Active Directory bundle for the first time, rename any objects on the appliance that have the same name as the objects in the bundle. Objects with duplicate names are overwritten when the bundle is applied.
   • Enable each of the Active Directory triggers.
   • Configure the AD: Kerberos trigger script by modifying the following settings.
   • Set the failedLoginDisableInterval variable to match your Reset account lockout counter after policy setting in Active Directory.
   • Set the accountLockoutDuration variable to match your Account lockout duration policy setting in Active Directory.
   • Add the complete names of any privileged accounts in your environment to the priv_names list and any partial matches to the priv_regex list.
3. Enable and configure notification settings for any Active Directory alerts that you want to be notified about. Modify alerting thresholds to fit your environment.
4. If you are upgrading the Active Directory bundle, disable the previous Active Directory trigger and alerts.