# Active Directory Account Lockdown

## Applicability

This article covers Account Lockdown for Active Directory which is supported for both Respond UX (RUX) and Quadrant UX (QUX) deployments.

Entra ID (Azure Active Directory) Account Lockdown is a different feature that is available only for deployments using Vectra's Respond UX. Please see [Entra ID (Azure AD) Account Lockdown (RUX)](https://docs.vectra.ai/configuration/response/lockdown/entra-id-azure-ad-account-lockdown-rux) for details on how to lock down Entra ID accounts in RUX.

If you are unsure of which UX you have, please see [Vectra Analyst User Experiences (Respond vs Quadrant)](https://docs.vectra.ai/deployment/getting-started/analyst-ux-options-rux-vs-qux) for additional guidance.

## Introduction

Account Lockdown enables analysts to temporarily disable network accounts during a security investigation. It provides an enforcement action by disabling the corresponding Active Directory accounts.

Disabling a network account prevents an attack from progressing further along the kill chain. It prevents the malicious user from logging into any additional systems, potentially limiting the blast radius of an ongoing attack.

Account Lockdown can run in either automated or manual mode. In the automated mode, action is taken once all applicable thresholds have been exceeded.

* For RUX deployments, the relevant thresholds are the urgency score and the importance of the account entity.
* For QUX deployments, the relevant thresholds are the threat and certainty score of the account entity along with its observed privilege.

Account Lockdown requires integration with your Active Directory (AD) server(s). When an Account Lockdown is performed, Vectra NDR will notify AD to disable the account.

{% hint style="info" %}
Please note that this is different from an Active Directory account lockout, which can only be invoked by a domain controller.
{% endhint %}

### Custom Configuration Options

Custom configuration options can be made available via a request to Vectra Support. These options are not enabled by default; Vectra Support must enable a feature flag before they become visible in your deployment.

Please see [Account Lockdown Custom Configuration Options](https://docs.vectra.ai/configuration/response/lockdown/active-directory-account-lockdown-custom-configuration) for details and the changes required to support either or both of these options:

* Using `AccountExpires` instead of `userAccountControl` means that instead of disabling the account, Vectra sets the account's expiration to 24 hours before the Account Lockdown was initiated, which blocks any future login attempts.
* The option to require the AD Info field to be populated allows you to add freeform information to AD, such as a ticket number or other notes, when performing an Account Lockdown.

{% hint style="warning" %}
**Please Note:**

* It is important to follow the additional instructions in the article linked above, because different permissions are required in AD when using either or both of these options.
{% endhint %}

## Required Permissions

Please see the chart below for the permissions associated with AD integration and Account Lockdown. The permissions shown are assigned by default to the **Default Roles** in the table, but admins with sufficient permissions can edit the default assignments and add the required permissions to other roles if desired.

<table><thead><tr><th width="326.62890625">Permission</th><th width="154.75">Default Roles</th><th>Capabilities</th></tr></thead><tbody><tr><td><strong>View</strong> → Account Lockdown</td><td>Super Admin<br>Admin<br>Restricted Admin</td><td><ul><li>View Account Lockdown status of an account</li></ul></td></tr><tr><td><strong>Edit</strong> → Account Lockdown</td><td>Super Admin<br>Admin<br>Restricted Admin</td><td><ul><li>View Account Lockdown status of an account</li><li>Lock and unlock accounts</li></ul></td></tr><tr><td><strong>View</strong> → Configuration - Active Directory</td><td>Super Admin<br>Admin<br>Restricted Admin</td><td><ul><li>View AD integration settings</li><li>View Account Lockdown settings</li></ul></td></tr><tr><td><strong>Edit</strong> → Configuration - Active Directory</td><td>Super Admin<br>Admin<br>Restricted Admin</td><td><ul><li>View/Edit AD integration settings</li><li>View/Edit Account Lockdown settings</li></ul></td></tr></tbody></table>

## Enabling Account Lockdown

{% stepper %}
{% step %}

#### Enable Active Directory Integration

If you have not already enabled [Active Directory](https://docs.vectra.ai/configuration/setup/external-connectors/active-directory) integration in your deployment, you must enable it for Account Lockdown to be able to function.

Follow all configuration advice in the linked article above and then return here to continue with the Account Lockdown configuration.
{% endstep %}

{% step %}

#### Configure Account Lockdown

* Navigate to *Configuration → RESPONSE → Lockdown → Active Directory Account Lockdown*.
* **Edit** the settings to turn Active Directory Account Lockdown on or off, and choose whether you also want to enable Automatic Account Lockdown.
* If you choose to enable Automatic Account Lockdown, you will have the option to configure the automatic Lockdown period.

{% hint style="info" %}
**Please Note:**

* Automated Lockdown can range from 1 hour up to 24 hours, in pre-configured intervals.
* After automatic Lockdown has been enabled, anytime an account's thresholds are ALL exceeded, the account will be disabled in Active Directory for the configured time range.
{% endhint %}

**Example RUX Thresholds:**

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-1feca0d2ace32c509e10d09be925370a9005bdcc%2F316cf5e45e4481d0849c413b504168121c031b0ec48340cbcacbe6b8623a0c41.jpg?alt=media" alt="" width="375"><figcaption></figcaption></figure>

In this example, the account entity must have an Urgency Score of at least 70 and an Importance of at least Medium.

**Example QUX Thresholds:**

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-debd1f6d3d7f938325195a0df98aac1ecf17c0e6%2F1c352679022b4390761cc8d793563dbcfefdc4d4f100f9f92b50a5a3f560fe98.jpg?alt=media" alt="" width="563"><figcaption></figcaption></figure>

In this example, the account entity must have a Threat score of at least 75, a Certainty score of at least 75, and an Observed privilege of at least 5.
{% endstep %}
{% endstepper %}

## Usage FAQs

{% hint style="info" %}
**Please Note:**

* If an AD account does not have a UPN (User Principal Name) configured, the account cannot be locked down.
* Please ensure all accounts that you may need to lock down have a UPN configured.
{% endhint %}

#### Where can I check the Lockdown status of an account?

After Account Lockdown is enabled, accounts will have the **Account Status** shown in the sidebar of individual account pages.

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2FxF5EXIZssMAzaDU4XztA%2Fimage.png?alt=media&#x26;token=0dad891f-2a65-410e-941c-f2c3301c2dee" alt="" width="563"><figcaption></figcaption></figure>

From here you can see the account's current Lockdown status. If an account is locked down, the status will show time until the account is re-enabled and the username of the Vectra NDR user that enabled Lockdown for that account. There is also an API endpoint (see examples later in this document) where you can pull a list of all current accounts that have been disabled via Lockdown.

{% hint style="info" %}
**Please Note:**

Viewing Lockdown status will require the user to have the **View → Account Lockdown** RBAC permission enabled.
{% endhint %}

#### How does an Account get locked down?

There are two main ways to utilize Account Lockdown:

1. Manually, where an account is locked by a Vectra user.
2. Automatically, where Vectra NDR (formerly known as Vectra Detect for Network) can be configured to automatically lock accounts when all configured thresholds are exceeded.

#### How do I manually lock down an account?

Accounts will have a new Account Status in the sidebar of individual account pages. See the [screenshot above](#where-can-i-check-the-lockdown-status-of-an-account). From here you can **Lock** or **Unlock** accounts. After clicking **Lock**:

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2FlgLapJFElW5IxD0NgYxz%2Fimage.png?alt=media&#x26;token=c5398ad3-443b-4d07-ae74-d1518e925b09" alt="" width="563"><figcaption></figcaption></figure>

Accounts can be manually locked from 1 hour up to 24 hours, in pre-configured time ranges. The account will automatically be re-enabled once the selected time range has expired.

{% hint style="info" %}
Please Note:

Locking or unlocking an account will require the Vectra user to have the **Edit → Account Lockdown** RBAC permission enabled.
{% endhint %}

#### If an account gets locked down, will existing/open sessions be terminated?

No. Once an account gets disabled via Lockdown, existing user sessions will still be valid. Disabling an account via Lockdown only impacts subsequent login attempts.

#### What AD permissions does the service account require in AD?

The Active Directory service account requires read and write permissions on the `userAccountControl` attribute. Please see [Configuring Active Directory (AD) integration with Vectra NDR](https://docs.vectra.ai/configuration/setup/external-connectors/active-directory) for details on setting up the required AD integration to support Account Lockdown.

{% hint style="warning" %}
**Please Note:**

It is critical that the user used for AD integration can modify its own `userAccountControl` attribute. The Vectra Brain performs this modification to validate that the Account Lockdown integration is configured correctly.
{% endhint %}

Some third-party sources with more details on setting the required permissions are:

* <https://thebackroomtech.com/2009/07/01/howto-delegate-the-enabledisable-accounts-permission-in-active-directory/>
* <https://docs.microsoft.com/en-US/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties>

#### Once an account has been locked down, how can it be re-enabled?

Accounts are only re-enabled via one of the following methods:

* Admin manually re-enables account via Vectra's UI.
* Lockdown timer expires.
* Account is re-enabled outside of Vectra's UI (via AD for example).

#### If I update my automatic lockdown thresholds, will all accounts be re-evaluated?

No. Adjusting the Lockdown thresholds does not retroactively apply to existing account scores; the new thresholds are only evaluated when new account scores are calculated.

#### Is there API support for Account Lockdown?

Yes, see examples below.

For more information about using APIs with Respond UX (RUX) or Quadrant UX (QUX) deployments please see:

* Respond UX
  * [RUX API Postman quick start guide](https://docs.vectra.ai/configuration/access/api-rux/rux-api-postman-quick-start-guide)
  * [v3.4 API Guide (RUX)](https://docs.vectra.ai/configuration/access/api-rux/v34-api-guide-rux)
  * [Vectra RUX API Public Postman Collection](https://www.postman.com/planetary-trinity-669963/workspace/vectra-ai/collection/1058623-cc38478b-7261-4e59-8768-1cf61a68ec5d)
* Quadrant UX
  * [v2.5 Postman quick start guide using token auth](https://docs.vectra.ai/configuration/access/api-qux/v25-postman-quick-start-guide-using-token-auth)
  * [v2.5 API guide (QUX)](https://docs.vectra.ai/configuration/access/api-qux/v25-api-guide-qux)
  * [Vectra QUX API Public Postman Collection](https://www.postman.com/planetary-trinity-669963/workspace/vectra-ai/collection/7429442-509c593b-8de4-4aa3-ac05-e07934eb9f17)

**For RUX deployments use:** `GET /api/v3.4/events/audits`

{% code expandable="true" %}

```json
{
    "events": [
        {
            "id": 2196,
            "user_id": 25,
            "username": "test@vectra.ai",
            "user_type": "JWT",
            "api_client_id": null,
            "user_role": "Super Admin",
            "version": "2022.0.0",
            "source_ip": "127.0.0.6",
            "event_timestamp": "2024-02-29T23:49:49Z",
            "message": "AD Account Lockdown - manual lock test_1@qe-ad.test",
            "result_status": "success",
            "event_data": {
                "account_id": 52,
                "account_uid": "test_1@qe-ad.test",
                "duration": 60
            },
            "event_object": "account",
            "event_action": "lock"
        },
        {
            "id": 2197,
            "user_id": 25,
            "username": "test@vectra.ai",
            "user_type": "JWT",
            "api_client_id": null,
            "user_role": "Super Admin",
            "version": "2022.0.0",
            "source_ip": "127.0.0.6",
            "event_timestamp": "2024-02-29T23:49:59Z",
            "message": "AD Account Lockdown - manual unlock test_1@qe-ad.test",
            "result_status": "success",
            "event_data": {
                "account_id": 52,
                "account_uid": "test_1@qe-ad.test"
            },
            "event_object": "account",
            "event_action": "unlock"
        },
        {
            "id": 2198,
            "user_id": 24,
            "username": "cognito",
            "user_type": null,
            "api_client_id": null,
            "user_role": null,
            "version": "2022.0.0",
            "source_ip": null,
            "event_timestamp": "2024-02-29T23:51:30Z",
            "message": "AD Account Lockdown - auto lock test_12@qe-ad.test",
            "result_status": "success",
            "event_data": {
                "account_id": 62,
                "account_uid": "test_12@qe-ad.test",
                "duration": 120
            },
            "event_object": "account",
            "event_action": "lock"
        },
        {
            "id": 2199,
            "user_id": 24,
            "username": "cognito",
            "user_type": null,
            "api_client_id": null,
            "user_role": null,
            "version": "2022.0.0",
            "source_ip": null,
            "event_timestamp": "2024-02-29T23:53:38Z",
            "message": "AD Account Lockdown - auto unlock test_12@qe-ad.test",
            "result_status": "success",
            "event_data": {
                "account_id": 62,
                "account_uid": "test_12@qe-ad.test"
            },
            "event_object": "account",
            "event_action": "unlock"
        }
    ],
    "next_checkpoint": 2200,
    "remaining_count": 0
}
```

{% endcode %}

**For QUX deployments use:** `GET /api/v2.5/lockdown/account`

{% code expandable="true" %}

```json
[
    {
        "lock_date": "2020-02-20T13:42:49Z",
        "locked_by": "admin",
        "unlock_date": "2020-02-20T14:42:49Z",
        "account_id": 15,
        "account_name": "lockdown_user_1@redwoods.test"
    },
    {
        "lock_date": "2020-02-20T13:42:55Z",
        "locked_by": "admin",
        "unlock_date": "2020-02-20T14:42:55Z",
        "account_id": 1,
        "account_name": "Lockdown_User_7@redwoods.test"
    }
]
```

{% endcode %}
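The two responses above answer "which accounts are disabled by Lockdown right now?" differently: the QUX endpoint states it directly, while the RUX audit endpoint only records lock and unlock events that have to be replayed. The following added example (not Vectra's code) does both; it assumes the RUX `duration` field is in minutes, which the page does not state, and adds one hypothetical lock event with no matching unlock to the constructed RUX sample.

```python
"""Added example, not Vectra's code: list the accounts currently disabled by
Lockdown from the two API responses shown above.  RUX only returns an audit
trail, so the state is rebuilt by replaying lock/unlock events up to the
chosen point in time; QUX returns lock/unlock dates directly.  The RUX
'duration' values (60, 120) are assumed to be minutes; the page gives no unit."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: trimmed from the page's RUX response, plus one extra
# lock (id 2200, hypothetical account) that has no matching unlock event.
RUX_AUDITS = json.loads("""{"events": [
 {"id": 2196, "event_timestamp": "2024-02-29T23:49:49Z", "result_status": "success",
  "event_object": "account", "event_action": "lock",
  "event_data": {"account_uid": "test_1@qe-ad.test", "duration": 60}},
 {"id": 2197, "event_timestamp": "2024-02-29T23:49:59Z", "result_status": "success",
  "event_object": "account", "event_action": "unlock",
  "event_data": {"account_uid": "test_1@qe-ad.test"}},
 {"id": 2200, "event_timestamp": "2024-02-29T23:55:00Z", "result_status": "success",
  "event_object": "account", "event_action": "lock",
  "event_data": {"account_uid": "test_5@qe-ad.test", "duration": 120}}
]}""")

# Constructed sample: the page's QUX response, unchanged.
QUX_LOCKDOWNS = json.loads("""[
 {"lock_date": "2020-02-20T13:42:49Z", "locked_by": "admin",
  "unlock_date": "2020-02-20T14:42:49Z", "account_id": 15,
  "account_name": "lockdown_user_1@redwoods.test"},
 {"lock_date": "2020-02-20T13:42:55Z", "locked_by": "admin",
  "unlock_date": "2020-02-20T14:42:55Z", "account_id": 1,
  "account_name": "Lockdown_User_7@redwoods.test"}
]""")

def _ts(iso):
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def rux_locked_accounts(audits, now_iso):
    """Replay audit events up to now_iso; return {account_uid: expected unlock
    time} for accounts still locked.  Failed actions are skipped, and a lock
    whose duration has elapsed counts as unlocked even if its 'auto unlock'
    event has not been fetched yet."""
    now, locked = _ts(now_iso), {}
    for ev in sorted(audits["events"], key=lambda e: e["id"]):
        when = _ts(ev["event_timestamp"])
        if when > now or ev["event_object"] != "account" or ev["result_status"] != "success":
            continue
        uid = ev["event_data"]["account_uid"]
        if ev["event_action"] == "lock":
            locked[uid] = when + timedelta(minutes=ev["event_data"]["duration"])
        elif ev["event_action"] == "unlock":
            locked.pop(uid, None)
    return {uid: exp.isoformat() for uid, exp in locked.items() if exp > now}

def qux_locked_accounts(lockdowns, now_iso):
    """QUX already reports unlock_date; keep entries whose unlock is still ahead."""
    now = _ts(now_iso)
    return {e["account_name"]: e["unlock_date"] for e in lockdowns
            if _ts(e["unlock_date"]) > now}
```

In production, page through `/api/v3.4/events/audits` using `next_checkpoint` until `remaining_count` is 0 before replaying, otherwise a later unlock event may be missed.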

#### Can I configure a Lockdown whitelist so strategic accounts are never disabled?

No. Account-based triage rules could conceivably be used to suppress detections on strategic accounts so that the automated Lockdown thresholds are never exceeded, but this is NOT recommended.

#### Does the system know the real state of the account in AD?

Yes. Vectra pulls the current state of the account from AD and displays the state as it exists in AD. If an account is modified outside of Vectra (for example, directly in AD), Vectra will still show the correct state.

## Privileged Account Lockdown Behavior

#### Summary

* Some customers may want to lock protected accounts, which cannot be locked by default because of AD protections.
* Protected AD accounts cannot be managed using standard delegated permissions.
  * This is enforced by AdminSDHolder and SDProp.
* Vectra's integration cannot bypass these protections.
* Enabling this functionality requires modifying AdminSDHolder permissions.
* Changes should be carefully evaluated by your team before implementation.

#### Overview

In Active Directory environments, certain privileged accounts are protected by a built-in security mechanism involving the **AdminSDHolder** object and the **SDProp** process. This protection can prevent Account Lockdown from locking these accounts.

Accounts that are members of the following groups are considered protected accounts:

* Domain Admins
* Enterprise Admins
* Administrators
* Account Operators
* Schema Admins

#### Why This Happens

Protected accounts inherit their permissions from the **AdminSDHolder** object.

A background process called **SDProp** runs approximately every 60 minutes and:

* Reapplies the AdminSDHolder security descriptor.
* Overwrites any delegated permissions set directly on protected accounts.

As a result:

* Delegated service accounts (such as the Vectra AD integration service account) **cannot modify or lock these accounts by default.**
* Attempts will fail with errors such as `INSUFF_ACCESS_RIGHTS`.

This behavior is by design in Active Directory and cannot be overridden by Vectra.

#### Optional Steps to Enable Lockdown of Protected Accounts

If your organization requires the ability to lock protected accounts, permissions must be granted via the **AdminSDHolder** object.

{% hint style="warning" %}
**Please Note:**\
This change affects all protected accounts and should be reviewed and approved by your security team before proceeding.
{% endhint %}

1. Open **ADSI Edit**
2. Navigate to:

   ```
   CN=AdminSDHolder,CN=System,DC=<your-domain>,DC=<tld>
   ```

   Replace `<your-domain>` and `<tld>` with the components of your Active Directory domain (for example.com you would put `DC=example,DC=com`).
3. Update security permissions:
   * Grant the Vectra AD service account the required permission of `Write userAccountControl`.
4. Wait for the **SDProp cycle (\~60 minutes)** for changes to propagate.

## Notifications

#### Will the end user be notified when an account is locked down?

No, the end user is not notified whenever their account is disabled.

#### Will administrators be notified when an account is locked down?

Yes, NDR admins will see email and syslog (syslog is only supported for QUX deployments) notifications when an account is locked or unlocked.

{% hint style="info" %}
**Please Note:**

In order to receive Account Lockdown email notifications, **Entity Alerts** (for RUX) or **Account Alerts** (for QUX) must be enabled under *Configuration → RESPONSE → Notifications → Email Alerts*.
{% endhint %}

#### RUX Sample Email:

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-064b68fe892f23512cdeeee6989873c82fae0fdf%2F3e9694eae065a921ddd01877bc0dc1d32d92c343187f64dc8ba17eb3fc3333e1.jpg?alt=media)

#### Where can I see a sample syslog notification for Lockdown?

Account Lockdown Sample Syslog (QUX only, RUX does not support Syslog):

```
Standard:

LOCKDOWN [lockdown@41261 category="LOCKDOWN" accountName="lockdown_user_1@redwoods.test" action="unlock" success="True" dvc="192.168.51.18" user="admin" URL="https://192.168.51.18/accounts/1" UTCTime="1581549510.72"]
 
CEF:

CEF:0|Vectra Networks|X Series|5.4|lockdown|Account Lockdown|3|externalId=1 cat=LOCKDOWN dvc=192.168.51.18 suser=admin account=lockdown_user_1@redwoods.test cs1Label=action cs1=unlock cs2Label=success cs2=True cs4Label=Vectra Event URL cs4=https://192.168.51.18/accounts/1 start=1581549510723 end=1581549510723
 
JSON:

{"category": "LOCKDOWN", "account_id": 1, "success": true, "href": "https://192.168.51.18/accounts/1", "vectra_timestamp": "1581549510", "headend_addr": "192.168.51.18", "user": "admin", "version": "5.4", "action": "unlock", "account_uid": "lockdown_user_1@redwoods.test"}
```
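A SIEM receiving these notifications may see any one of the three formats above depending on how the sensor's syslog output is configured. The following added example (not Vectra's code) normalises all three into a single record keyed on account, action, success and time, so one detection rule can be written against it; it assumes exactly the field names visible in the page's samples.

```python
"""Added example, not Vectra's code: normalise the three QUX syslog lockdown
formats shown above into one record, so a SIEM rule can key on account, action
and success regardless of which format the sensor is configured to send.
Assumes exactly the field names visible in the page's samples."""
import json
import re
from datetime import datetime, timezone

# Constructed sample lines: the page's three samples, one per format.
SYSLOG_STANDARD = ('LOCKDOWN [lockdown@41261 category="LOCKDOWN" '
                   'accountName="lockdown_user_1@redwoods.test" action="unlock" success="True" '
                   'dvc="192.168.51.18" user="admin" URL="https://192.168.51.18/accounts/1" '
                   'UTCTime="1581549510.72"]')
SYSLOG_CEF = ('CEF:0|Vectra Networks|X Series|5.4|lockdown|Account Lockdown|3|externalId=1 '
              'cat=LOCKDOWN dvc=192.168.51.18 suser=admin account=lockdown_user_1@redwoods.test '
              'cs1Label=action cs1=unlock cs2Label=success cs2=True cs4Label=Vectra Event URL '
              'cs4=https://192.168.51.18/accounts/1 start=1581549510723 end=1581549510723')
SYSLOG_JSON = ('{"category": "LOCKDOWN", "account_id": 1, "success": true, '
               '"href": "https://192.168.51.18/accounts/1", "vectra_timestamp": "1581549510", '
               '"headend_addr": "192.168.51.18", "user": "admin", "version": "5.4", '
               '"action": "unlock", "account_uid": "lockdown_user_1@redwoods.test"}')

_SD_PARAM = re.compile(r'(\w+)="([^"]*)"')            # key="value" inside [lockdown@41261 ...]
_CEF_EXT = re.compile(r'(\w+)=(.*?)(?=\s\w+=|$)')      # key=value pairs; values may contain spaces

def _record(account, action, success, user, epoch_seconds):
    return {"account": account, "action": action,
            "success": str(success).lower() == "true", "user": user,
            "when": datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)
                            .isoformat(timespec="seconds")}

def parse_lockdown(line):
    """Return a normalised lockdown record, or None if the line is not a LOCKDOWN event."""
    line = line.strip()
    if line.startswith("LOCKDOWN [lockdown@"):
        f = dict(_SD_PARAM.findall(line))
        if f.get("category") != "LOCKDOWN":
            return None
        return _record(f["accountName"], f["action"], f["success"], f["user"], float(f["UTCTime"]))
    if line.startswith("CEF:"):
        parts = line.split("|", 7)            # 7 header fields, then the extension
        if len(parts) < 8 or parts[4] != "lockdown":
            return None
        f = dict(_CEF_EXT.findall(parts[7]))
        # CEF custom strings are self-describing: cs1Label=action cs1=unlock -> action=unlock
        custom = {f[k]: f[k[:-5]] for k in f if k.endswith("Label") and k[:-5] in f}
        return _record(f["account"], custom["action"], custom["success"], f["suser"],
                       int(f["start"]) / 1000)
    if line.startswith("{"):
        f = json.loads(line)
        if f.get("category") != "LOCKDOWN":
            return None
        return _record(f["account_uid"], f["action"], f["success"], f["user"],
                       float(f["vectra_timestamp"]))
    return None
```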
