Active Directory Context In Security Analytics

Discussion created by Mark Karlstrand Employee on Jul 11, 2016
Latest reply on Aug 19, 2016 by Mark Karlstrand

Security Analytics would like to help customers harness the user and resource details stored in their Active Directory (LDAP) for behavior analytics, incident response and investigations. Behavior analytics will need very frequent access to the profile data for every user so SA will need a copy of the AD fields the solution uses. To this end we would like your feedback on the most acceptable approach to making AD data available to SA. Here are three options we are considering. It would be a great help if you would please comment on which may be most palatable to your organization and why.


  1. When a customer enables SA behavior analytics they will bootstrap the system with a bulk load of AD data. To accomplish this a customer exports an LDIF of the fields needed for all users then loads it into SA. To make regular updates easy and secure the customer would issue SA a service account and configure connectivity to AD. The customer could easily configure how often SA is allowed to query AD and times of the day it should not make any queries. The default would be to query AD for updates once every 24 hrs at 2:00 am local time.
  2. When a customer enables SA behavior analytics they will issue SA a service account and configure connectivity to AD. The customer could easily configure how often SA is allowed to query AD and times of the day it should not make any queries. The default would be to query AD for updates once every 24 hrs at 2:00 am local time.
  3. When a customer enables SA behavior analytics they will bootstrap the system with a bulk load of AD data. To accomplish this a customer exports an LDIF of the fields needed for all users then loads it into SA. To make regular updates the customer would implement custom scripts to export and import a new LDIF file.
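As an added illustration of the LDIF bulk load in options 1 and 3 and the configurable query window in options 1 and 2 (example code, not RSA's or this thread's): a Python sketch that ingests a constructed LDIF export keeping only a hypothetical minimal attribute set, and decides whether a scheduled AD refresh may run given the interval and a customer blackout window. The attribute list, the ISO timestamp inputs and the sample entries are all assumptions.

```python
# Added example, not RSA's code. Hypothetical minimal profile attribute set;
# every other attribute in the export is dropped at ingest (data minimisation).
from datetime import datetime, time, timedelta
NEEDED_ATTRS = {"sAMAccountName", "department", "title", "manager", "memberOf"}

def parse_ldif(text):
    """Parse LDIF into {dn: {attr: [values]}}, keeping only NEEDED_ATTRS."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():                # blank line ends an entry
            current = None
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):           # base64 (::) value, not needed here
            continue
        value = value.strip()
        if key == "dn":
            current = entries.setdefault(value, {})
        elif current is not None and key in NEEDED_ATTRS:
            current.setdefault(key, []).append(value)
    return entries
def refresh_allowed(now_iso, last_run_iso=None, interval_hours=24,
                    blackout=("08:00", "18:00")):
    """True if interval_hours have elapsed since the last refresh and now lies
    outside the customer's blackout window (which may span midnight)."""
    now = datetime.fromisoformat(now_iso)
    if last_run_iso and now - datetime.fromisoformat(last_run_iso) < timedelta(hours=interval_hours):
        return False
    start, end = (time.fromisoformat(s) for s in blackout)
    t = now.time()
    in_blackout = start <= t < end if start <= end else (t >= start or t < end)
    return not in_blackout
# Constructed sample export: two users, one attribute folded across two lines.
SAMPLE_LDIF = """dn: CN=Ada Lovelace,OU=Users,DC=example,DC=com
sAMAccountName: alovelace
department: Finance
memberOf: CN=Finance-Staff,OU=Groups,DC=example,DC=com
memberOf: CN=VPN-Users,OU=Groups,DC=ex
 ample,DC=com
userPassword:: c2VjcmV0

dn: CN=Svc Backup,OU=Service,DC=example,DC=com
sAMAccountName: svc-backup
"""
```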
