The Active Directory sensor
The Active Directory (AD) sensor collects and processes user login information from the on-premises Active Directory your company uses.
Active Directory sensor prerequisites
Before setting up the Active Directory sensor, make sure the following requirements are met:
BEST with EDR is installed and active on each domain controller of the domains you want to monitor.
With the exception of Global Object Access Auditing policies, all group policies in Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies must be set to audit all login events.
Active Directory Sensor policy configuration
Open the Group policy management console.
Navigate the tree structure to your domain > Domain Controllers, and select Default Domain Controllers Policy.
Right click on Default Domain Controllers Policy and select Edit. The Computer Configuration window will be displayed.
Navigate to Audit Policies: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
Configure all policies withing Audit Policies, except Global Object Access Auditing, as shown below:
Apply the changes.
Open Command Prompt and run the following command:
gpupdate /force
The policy changes you have made will take effect immediately.
Setting up Active Directory sensors
To configure the Active Directory sensor, follow these steps:
In the Configuration > Sensors Management page, select Add new to integrate a new sensor.
Select the Active Directory sensor and click Integrate.
On the Check Requirements page, confirm that the prerequisite steps have been completed.
Click on the domain you want to monitor. A list of its domain controllers will be displayed.
Note
Status will inform you of any missing prerequisite steps. When all requirements are met, the Status will display Ready to use.
Select Apply.
The new integration will be available in the Sensors Management grid.
Deleting a domain controller sensor
To delete a domain controller sensor, you must first make sure it is offline or unmanaged.
If you only have one remaining domain controller sensor, you cannot delete it using this option. Instead, you can delete the entire sensor integration. For more information regarding this, refer to Managing sensors.
To delete a domain controller sensor from your Active Directory integration, follow these steps:
Go to Configuration > Sensors Management.
Click on the Active Directory sensor integration you want to change.
The details panel displays all the domain controller sensors pertaining to that integration.
In the details panel, click the Delete button directly below the domain controller sensor.
Click Delete again to confirm your choice.
The domain controller sensor is now gone from the details panel.
Note
If the domain controller sensor comes back online, it will be automatically added to the details panel and it will continue to process data.