Account Association
Compromising an account is a high-value goal for an attacker, whether on premises or in the cloud: account credentials offer an access point from which to progress deeper. Vectra CDR for M365, IDR for Azure AD (Entra ID), CDR for AWS, and CDR for Azure allow you to track attack progression across the cloud and the network in one simple, unified view of an account.
Automatic Account Linking links accounts seen on your network with the accounts seen in your M365, AAD (Entra ID), Azure, and AWS environments. This enables you to quickly see activity across your entire organization and to track account activity from an initial cloud breach to any hosts on which that account has been seen.
Availability of AWS Account Association
While this feature exists for both QUX and RUX deployments, the rollout of AWS support for the feature is scheduled for the v9.2 release. RUX deployments will have support for federated AWS SAML accounts as of mid-April.
Set Up
To enable Automatic Account Linking, you will need to enable Active Directory (AD) integration with Vectra NDR.
For full details, see the linked article above.
Go to Settings > External Connectors.
Click "Edit" beside "Active Directory and Lockdown".
Ensure you have entered the correct Active Directory details.
Enable the toggle beside "Automatically map cloud domains to network realms so that Vectra can associate cloud and network accounts." near the bottom of the edit dialog.
Click Save.

Your accounts will now be linked automatically; it can take a few hours for all accounts to be associated initially. Once up and running, when a network account exists before there is a detection on what would be its associated cloud account, the accounts can be linked as soon as the cloud account detection comes into the system. When a cloud account exists before a network detection on what would be its associated account comes in, it can take a few hours for the underlying process to complete the association.
If you would like to manually control the mappings between cloud domains and network domains instead of having the system do this automatically, this can be configured as follows:
Navigate to Settings > General.
Alternatively, click the "Manually map accounts" link, which takes you to the same area.
Click "Edit" beside "Account Association".
Ensure the "Account Association" feature is enabled at the top if it is not already.
You can toggle between automatically mapping and manually mapping with the radio buttons.
IT IS STRONGLY RECOMMENDED TO USE THE AUTOMATIC MAPPING OPTION
If you are interested in manual mapping, please contact your Vectra account team to discuss the requirement.
To configure manual mapping after selecting the manually map option:
Enter the expected domains for Azure AD (Entra ID), M365, and federated AWS SAML domains under "Azure AD & M365 Domain".
The wording of this field will be updated in the future to include AWS.
The feature is live for RUX customers as of mid-April.
It is planned to support AWS account linking for QUX deployments in the 9.2 release.
Enter the network realm (domain) corresponding to the cloud domain on the right side.
Do this for as many domain/realm pairs as you require.
Click "Save".

How Linked Accounts Work
Linked accounts appear in a single pane of glass, with any linked cloud and network accounts showing up on entity pages and entity detail pages in your Vectra UI. The RUX UI is shown in the examples below. QUX deployments are similar, but some details such as scoring differ.
When you view an account entity, the top left corner shows the information for each account:

Above, network, AAD/M365, and federated accounts are all attributed to the same "[email protected]" Vectra entity container. Detections from NDR, CDR for M365, IDR for AAD, and CDR for AWS are also listed in the detections list on the right. This example does not include CDR for Azure detections, but they are also supported.
In the Details tab, there is more information on when the sub-accounts were last seen and what their source is: