Active Directory Account Lockdown custom configuration
This article details new Account Lockdown custom configuration options that are available in v8.2+ of Vectra software.
Applicability / Option Descriptions
Active Directory (AD) integration for Vectra NDR enables your Brain appliance to pull added context for host and account entities. It is also required in order to enable Account Lockdown. Please see the below articles for details and configuration information for both of these features:
In version 8.2 of Vectra software, two new options for Account Lockdown were made available via a request to Vectra Support (they are not enabled nor visible by default):

Using "AccountExpires" instead of "userAccountControl" means that instead of disabling an account, Vectra will set the expiration of the account to 24 hours before the Account Lockdown was initiated.
By default, AD does not allow an account to log in on the day after the account's expiration, so this effectively disallows any future login after the Account Lockdown was initiated.
The option to require the AD Info field to be populated allows you to add freeform information, such as a ticket number or other notes, to AD when performing an Account Lockdown.
The "Info" field populates the "Notes" area of an AD account in the "Telephones" tab when looking at an account.
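The following is an added example, not Vectra's code, showing how a responder could confirm from an account's AD attributes which mechanism is blocking it and which note was recorded. It assumes the attributes were already read over LDAP into a dict, that the lockdown writes exactly the initiation time minus 24 hours, and all function names are hypothetical. AD stores accountExpires as 100-nanosecond intervals since 1601-01-01 UTC.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)  # both values mean "never expires" in AD
UAC_ACCOUNTDISABLE = 0x0002              # userAccountControl "disabled" bit

def to_filetime(dt):
    """Convert an aware datetime to the integer format used by accountExpires."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def from_filetime(value):
    """Convert an accountExpires integer back to an aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=value // 10)

def expected_account_expires(lockdown_started):
    """Value expected under the assumption: lockdown time minus 24 hours."""
    return to_filetime(lockdown_started - timedelta(hours=24))

def lockdown_state(entry, now):
    """Classify one account from its LDAP attributes (values arrive as strings)."""
    uac = int(entry.get("userAccountControl", 0))
    expires = int(entry.get("accountExpires", 0))
    disabled = bool(uac & UAC_ACCOUNTDISABLE)
    # Check the sentinel first: the "never" value is outside datetime's range.
    expired = expires not in NEVER_EXPIRES and from_filetime(expires) <= now
    if disabled:
        mechanism = "userAccountControl"
    elif expired:
        mechanism = "accountExpires"
    else:
        mechanism = "none"
    note = entry.get("info", "").strip() or None  # "Notes" on the Telephones tab
    return {"blocked": disabled or expired, "mechanism": mechanism, "note": note}

# Constructed sample data: a lockdown initiated 2024-05-02 12:00 UTC.
LOCKDOWN = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE = {
    "userAccountControl": "512",  # normal account, not disabled
    "accountExpires": str(expected_account_expires(LOCKDOWN)),
    "info": "TICKET-0001 (constructed)",
}

if __name__ == "__main__":
    print(lockdown_state(SAMPLE, LOCKDOWN + timedelta(minutes=5)))
```

An account reported with mechanism "accountExpires" still shows as enabled in userAccountControl, so audits that only look for disabled accounts will miss it.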
If your deployment requires either of these custom configuration options, please contact Vectra Support and ask for either or both of them to be enabled. These options are available for both Respond UX and Quadrant UX deployments.
Required Additional Configuration Details (AD)
As per the Configuring Active Directory(AD) integration with Vectra NDR article, a service account that allows your Vectra Brain to interact with your AD server(s) is required. If you choose to have either of the options detailed in this article enabled, there are some changes to the permissions required in the linked article.
The permissions are changed in the same way as detailed in that article; you just pick different permissions.
If using "AccountExpires" instead of the standard "userAccountControl" attribute to perform Account Lockdown, use the "Write accountExpires" permission instead of the "Write userAccountControl" permission.
If you add both permissions, then you can change back and forth which attribute is used by simply changing the Vectra configuration as described in the next section of this article.
If enabling the Info/Notes field option, you must also add the "Write Personal information" permission.
All other steps in Configuring Active Directory(AD) integration with Vectra NDR should be followed as described in that article.
Required Additional Configuration Details (Vectra)
Once Vectra Support has enabled the feature flag(s) for your desired custom configuration options, you still must click the checkbox(es) in the Vectra UI to begin using the features. They will not be turned on by default after the feature flag(s) are enabled.
Navigate to Settings > External Connectors > Active Directory and Lockdown and edit the feature settings.
After you enable Active Directory Integration per Configuring Active Directory(AD) integration with Vectra NDR and enable Account Lockdown per the Account Lockdown FAQ, the checkboxes to enable each custom configuration option that Vectra Support enabled will appear.
Simply check the boxes to enable the option(s) and then "Save" your configuration at the bottom.