Active Directory Sync Page
The Active Directory Sync page within the Integrations interface lists the domains that are synced to the Threat Manager database. The sync operation gets all information about an Active Directory environment (users, groups, hosts, etc.). See the Permissions for Active Directory Sync topic for additional information about the permissions required for Active Directory syncing.
Use the gear icon in the upper right corner of the console to open the Configuration menu. Then select Integrations to open the Integrations interface.
Click Active Directory Sync in the navigation pane to view a list of the already added Active Directory domains, if any. Each added domain represents a sync policy.
A service named Active Directory Service continuously runs to collect data for the specified domain(s). It evaluates the USN (update sequence number) value of each object and syncs the object when that value shows it has changed. The table provides the following information:
- Name – Name of the domain. This may be either the domain DNS name or domain controller hostname.
- Enabled – Icon indicates the enabled state:
  - Checkmark icon – Enabled
  - X icon – Disabled
- Profile – Name of the Credential Profile assigned to the policy. As mentioned earlier, each added domain represents a sync policy.
- Last Sync Start – Date timestamp when the task started for the most recent sync
- Last Sync Status – Event status for the most recent sync task
To view policy details or make modifications, select a domain from the table or under Active Directory Sync in the navigation pane.
Add an Active Directory Sync Policy
NOTE: Prior to adding an Active Directory Sync policy, you must first configure a Credential Profile with credentials properly provisioned for running the sync operation for the domain. See the Application Server Requirements topic for the permissions. See the Credential Profile Page topic for additional information on creating a profile.
Follow the steps to add a domain/Active Directory sync policy.
Step 1 – Use the gear icon in the upper right corner of the console to open the Configuration menu. Then select Integrations to open the Integrations interface.
Step 2 – On the Integrations interface, click Add New Integration in the navigation pane. The Add New Integration window opens.
Step 3 – In the Type drop-down menu, select Active Directory Sync.
Step 4 – Enter the following information:
- Domain – Enter the domain DNS name or domain controller hostname in the required format of [DOMAIN.COM], e.g. NT-DC03.NWXTech.com
- Credential Profile – Select the Credential Profile by name from the drop-down menu. This was pre-created in the Credential Profiles page.
- Enabled / Disabled – Toggle indicates if the policy is enabled to run the sync service. By default it is set to Enabled.
- Max Renew Ticket Age (days) – The value indicates the maximum number of days of the Renew Ticket Age for the domain. This value must match the domain configuration. See the Microsoft Max-Renew-Age attribute article for additional information. The default value is 7 days; modify the value by typing in the textbox.
- Max Ticket Age (hours) – The value indicates the maximum number of hours of the Ticket Age for the domain. This value must match the domain configuration. See the Microsoft Max-Ticket-Age attribute article for additional information. The default value is 10 hours; modify the value by typing in the textbox.
- Use SSL – Check the box to enable SSL for secure communication with the domain. See the Microsoft 5.1.1.2 Using SSL/TLS article for additional information.
Step 5 – Click Test Connection to ensure connection to the domain. This will take a moment. Then a message will appear in the upper right corner of the console indicating a successful or failed connection. If successful, move on to the next step. If failed, recheck your entries for errors and repeat this step until a successful connection is established.
Step 6 – Click Add. The Add New Integration window closes.
The domain or domain controller (the Domain value supplied in Step 4) is listed in the Integrations navigation pane. Repeat the process to add additional domains.
Active Directory Sync Policy Details
Follow the steps to view the details of an Active Directory sync policy.
Step 1 – Use the gear icon in the upper right corner of the console to open the Configuration menu. Then select Integrations to open the Integrations interface.
Step 2 – On the Integrations interface, click Active Directory Sync in the navigation pane to view a list of the already created Active Directory Sync policies, if any. A policy is represented by the domain for which it is created.
Step 3 – Select a domain from the table or the navigation pane to view the details of the Active Directory Sync policy created for that domain.
Select the domain from the list to see modification options:
- Name – The box at the top displays the name of the domain
  - Delete – The delete button in the upper right corner of the box opens the Delete Domain window to confirm the action
- Domain Configuration – Displays the sync policy settings entered for the selected domain. These settings can be modified on this tab. See the Domain Configuration Tab topic for additional information.
- Sync History – Displays the information on each synchronization event. See the Sync History Tab topic for additional information.
Domain Configuration Tab
The Domain Configuration tab displays the sync policy settings entered for the selected domain. With the exception of the domain itself, these settings can be updated as needed.
The Domain Configuration tab displays the following settings:
- Domain – Displays the domain DNS name or domain controller hostname in the required format of [DOMAIN.COM], e.g. NT-DC03.NWXTech.com
- Credential Profile – Displays the Credential Profile by name
- Enabled / Disabled – Toggle indicates if the policy is enabled to run the sync service
- Max Renew Ticket Age (days) – Displays the value that indicates the maximum number of days of the Renew Ticket Age for the domain. This value must match the domain configuration. See the Microsoft Max-Renew-Age attribute article for additional information.
  NOTE: This value is required to accurately evaluate the Golden Ticket threat.
- Max Ticket Age (hours) – Displays the value that indicates the maximum number of hours of the Ticket Age for the domain. This value must match the domain configuration. See the Microsoft Max-Ticket-Age attribute article for additional information.
  NOTE: This value is required to accurately evaluate the Golden Ticket threat.
- Use SSL – Indicates whether you have enabled SSL for secure communication with the domain. See the Microsoft 5.1.1.2 Using SSL/TLS article for additional information.
- Perform a full scan on next run – Indicates whether the next sync will only look for domain changes or run a full scan of the domain. By default, this option is enabled for the first sync executed when a new domain is added; however, it is disabled automatically after the first sync. This can be used to fully refresh domain information, but is typically not needed for normal operation.
- Test Connection – Click Test Connection to ensure connection to the domain. This will take a moment. Then a message will appear in the upper right corner of the console indicating a successful or failed connection.
The Save button is enabled when any settings are modified. Click it to commit the changes before leaving the page.
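Because the Golden Ticket evaluation depends on the two ticket-age values matching the domain's real Kerberos policy, it is worth checking them against the domain before saving the sync policy. The following PowerShell check is an added example and not part of the product or its documentation: it reads the effective Kerberos policy from the Default Domain Policy GPO in SYSVOL and compares it with the values entered in the sync policy. It assumes the Kerberos policy is still defined in the Default Domain Policy (its well-known GUID is used), that SYSVOL is readable by the account running the script, and the parameter names and defaults are the script's own.

```powershell
# Added example (not from the product documentation). Compares the domain's
# effective Kerberos policy with the values entered in the AD Sync policy.
param(
    [string]$Domain = $env:USERDNSDOMAIN,     # e.g. NWXTech.com (assumed input)
    [int]$ConfiguredMaxTicketAgeHours = 10,   # "Max Ticket Age (hours)" as entered
    [int]$ConfiguredMaxRenewAgeDays   = 7     # "Max Renew Ticket Age (days)" as entered
)

# Well-known GUID of the Default Domain Policy; Kerberos policy lives in its
# security template (GptTmpl.inf) under the [Kerberos Policy] section.
$gptTmpl = "\\$Domain\SYSVOL\$Domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}" +
           "\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
if (-not (Test-Path -LiteralPath $gptTmpl)) {
    throw "Cannot read $gptTmpl; check SYSVOL access or the GPO location."
}

# GptTmpl.inf is INI-style; collect only the [Kerberos Policy] key/value pairs.
$kerb = @{}
$inSection = $false
foreach ($line in Get-Content -LiteralPath $gptTmpl) {
    if ($line -match '^\s*\[(.+)\]\s*$') {
        $inSection = ($Matches[1] -eq 'Kerberos Policy')
        continue
    }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(\d+)') {
        $kerb[$Matches[1]] = [int]$Matches[2]
    }
}

$domainTicketAge = $kerb['MaxTicketAge']   # hours, as stored in the template
$domainRenewAge  = $kerb['MaxRenewAge']    # days, as stored in the template
if ($null -eq $domainTicketAge -or $null -eq $domainRenewAge) {
    throw "No [Kerberos Policy] values in $gptTmpl; the policy may be set in another GPO."
}

# One row per setting; Match = $false means the sync policy must be corrected.
[pscustomobject]@{
    Setting         = 'Max Ticket Age (hours)'
    DomainValue     = $domainTicketAge
    ConfiguredValue = $ConfiguredMaxTicketAgeHours
    Match           = ($domainTicketAge -eq $ConfiguredMaxTicketAgeHours)
}
[pscustomobject]@{
    Setting         = 'Max Renew Ticket Age (days)'
    DomainValue     = $domainRenewAge
    ConfiguredValue = $ConfiguredMaxRenewAgeDays
    Match           = ($domainRenewAge -eq $ConfiguredMaxRenewAgeDays)
}
```

If the Kerberos policy has been moved to a different GPO, point $gptTmpl at that GPO's GptTmpl.inf instead; the section and key names are the same.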
Sync History Tab
The Sync History tab displays the information on each synchronization event. This includes general information about user, group, and computer objects within the selected domain.
The table provides the following information:
- Start Time – Date timestamp when the task started
- End Time – Date timestamp when the task completed
- Users – Number of user objects in the domain
- Users Changed – Number of user objects with changes detected since the last sync
- Groups – Number of group objects in the domain
- Groups Changed – Number of group objects with changes detected since the last sync
- Computers – Number of computer objects in the domain
- Computers Changed – Number of computer objects with changes detected since the last sync
- Status – Event status for the sync task
The table is designed to display 10 records at a time, by default. However, you can set this to 50, 100, or 1,000 rows with the drop-down menu above the right corner of the table. There is a search box above the left corner of the table. Page navigation buttons are below the table. You can also export the data from the current page using the Export CSV button.
Modify Active Directory Sync Policy
Follow the steps to modify the Active Directory Sync policy for the selected Active Directory domain.
Step 1 – On the Integrations interface, click Active Directory Sync in the navigation pane to view a list of the already created Active Directory Sync policies, if any. A policy is represented by the domain for which it is created.
Step 2 – Select the domain from the table or the navigation pane. The Domain Configuration tab opens, where you can make the desired modifications.
Remember, the domain cannot be modified.
Step 3 – To modify the Credential Profile, select the Credential Profile by name from the drop-down menu. This was pre-created in the Credential Profiles page.
NOTE: If you modify the Credential Profile for a domain, click Test Connection to ensure connection to the domain. This will take a moment. Then a message will appear in the upper right corner of the console indicating a successful or failed connection.
Step 4 – Click the toggle to change the Enabled/Disabled state of the policy.
Step 5 – For the Max Renew Ticket Age (days) value, modify the value by typing in the textbox.
Step 6 – For the Max Ticket Age (hours) value, modify the value by typing in the textbox.
Step 7 – Select or deselect the Use SSL box for the desired security state for communication with the domain.
Step 8 – Select the Perform a full scan on next run checkbox to force the next sync to run a full scan of the domain.
Step 9 – The Save button is enabled when any settings are modified. Click it to commit the changes before leaving the page.
The changes to the Domain Configuration have been saved.
Folder Settings Page
The Folder Settings page within the Integrations interface allows users to designate the Investigation exports folder location. Additionally, a shared folder can be provided for subscription purposes.
By default, Investigation exports are placed in the Downloads folder of the logged-in user, on the machine from which that user is accessing the application. When a Local Folder path is designated, all Investigation exports are also stored in the specified folder on the application server.
When shared folders are added, they are displayed in a table at bottom of the page.
The Shared Folders table has the following columns:
- Display Name – The name of the shared folder as displayed in the application
- Path to the Shared folder – The path to the shared folder where subscription reports are stored
- Credential Profile – Name of the Credential Profile
- Access – The users that can save their subscription exports to the shared folder
- Last Time tested – Date timestamp when the shared folder was tested to ensure it is configured correctly
Additional Options
When you hover over a row within the Shared Folders table, three additional options are displayed:
- Refresh Arrow – Tests the shared folder configuration
- Edit – Opens the Add New Shared Folder window to edit the configured settings
- Trash – Deletes the shared folder, which prevents the application from using it
Designate a Local Folder
Follow the steps to designate a local folder for Investigation exports.
Step 1 – Use the gear icon in the upper right corner of the console to open the Configuration menu. Then select Integrations to open the Integrations interface.
Step 2 – On the Integrations interface, click Folder Settings in the navigation pane.
Step 3 – In the Path field, enter a valid folder path on the server where the application is installed. For example, C:\Reports.
Step 4 – The Save button is enabled when any settings are modified. Click it to commit the changes before leaving the page.
Investigation exports will now be saved to the designated local folder on the application server.
Add a Shared Folder
NOTE: Prior to adding a shared folder, you must first configure a Credential Profile with Write access to the shared folder. See the Credential Profile Page topic for additional information on creating a profile.
You can specify a shared folder for exporting investigations data from subscriptions through the Integrations menu. Follow the steps to add a shared folder.
Step 1 – Use the gear icon in the upper right corner of the console to open the Configuration menu. Then select Integrations to open the Integrations interface.
Step 2 – On the Integrations interface, click Folder Settings in the navigation pane.
Step 3 – Click Add Shared Folder. The Add New Shared Folder window opens.
Step 4 – Enter the following information:
- Display Name – Enter a name of the shared folder as displayed in the application
- Credential Profile – Select the Credential Profile by name from the drop-down menu. This was pre-created in the Credential Profiles page.
- Path – Enter a valid share path in the \\[SERVER NAME]\[PATH TO SHARED FOLDER] format. For example, \\NT-FS02\Subscriptions.
- Access – Allow specific users to access the folder when configuring subscriptions in the application. By default, this is set to All users. To limit access, select users from the drop-down menu. Only users granted application access through the System Settings > User Access page will be available in the drop-down.
Step 5 – Click Add. The Add New Shared Folder window closes.
The specified shared folder has been configured for subscription exports.