Skip to main content

The Active Directory sensor

The Active Directory (AD) sensor collects and processes user login information from the on-premises Active Directory your company uses.

Active Directory sensor prerequisites

Before setting up the Active Directory sensor, make sure the following requirements are met:

  • BEST with EDR is installed and active on each domain controller of the domains you want to monitor.

  • With the exception of Global Object Access Auditing policies, all group policies in Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies must be set to audit all login events.

Active Directory Sensor policy configuration

  1. Open the Group policy management console.

  2. Navigate the tree structure to your domain > Domain Controllers, and select Default Domain Controllers Policy.

    Active Directory Default Domain Controllers Policy
  3. Right click on Default Domain Controllers Policy and select Edit. The Computer Configuration window will be displayed.

  4. Navigate to Audit Policies: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

    Active Directory Audit Policies
  5. Configure all policies withing Audit Policies, except Global Object Access Auditing, as shown below:

    Active Directory policy configuration
  6. Apply the changes.

  7. Open Command Prompt and run the following command: gpupdate /force

    The policy changes you have made will take effect immediately.

Setting up Active Directory sensors

To configure the Active Directory sensor, follow these steps:

  1. In the Configuration > Sensors Management page, select Add new to integrate a new sensor.

  2. Select the Active Directory sensor and click Integrate.

  3. On the Check Requirements page, confirm that the prerequisite steps have been completed.

  4. Click on the domain you want to monitor. A list of its domain controllers will be displayed.

    Active Directory sensor setup

    Note

    Status will inform you of any missing prerequisite steps. When all requirements are met, the Status will display Ready to use.

  5. Select Apply.

    The new integration will be available in the Sensors Management grid.

Deleting a domain controller sensor

To delete a domain controller sensor, you must first make sure it is offline or unmanaged.

If you only have one remaining domain controller sensor, you cannot delete it using this option. Instead, you can delete the entire sensor integration. For more information regarding this, refer to Managing sensors.Managing sensors

To delete a domain controller sensor from your Active Directory integration, follow these steps:

  1. Go to Configuration > Sensors Management.

  2. Click on the Active Directory sensor integration you want to change.

    The details panel displays all the domain controller sensors pertaining to that integration.

  3. In the details panel, click the Delete button directly below the domain controller sensor.

    Active Directory sensor - details panel
  4. Click Delete again to confirm your choice.

    The domain controller sensor is now gone from the details panel.

    Note

    If the domain controller sensor comes back online, it will be automatically added to the details panel and it will continue to process data.