search

Active Directory (AD) groups

hashtag
Applicability

Active Directory (AD) Groups is currently available for all RUX deployments. Private preview is planned to be available for QUX deployments in the v9.6 release with full GA for QUX scheduled for the v9.7 release. Please contact your Vectra account team if you have questions about availability.

hashtag
About Groups

Consistent use of groups helps ease triage filter creation and maintenance. For example, rather than building a set of conditions for authorized domains in several triage filters, it is much easier to simply create a group that can be used as often as required. Also, when group membership changes, you only need to update the group and not every filter that would have used the same members as individual conditions.

Host and Account groups in RUX deployments also have an importance rating associated with them of High, Medium, or Low. The importance of the group will influence the urgency score (prioritization) of host and account entities in RUX deployments. There is no importance for groups in QUX deployments. While QUX deployments do have an ability to label hosts as Key Assets, this does not influence the threat/certainty scoring. If you are unsure of your deployment type, please see Vectra Analyst User Experiences (Respond vs Quadrant).

Groups can consist of hosts, accounts, IPs, or domains. Each of these types will be kept in their own group. Groups cannot mix members of different types in the same group.

IP and domain groups are statically defined. Host and account groups can be defined statically or be defined based on regex patterns. Using regex to define a host or account group is called a "Dynamic Group".

Host and account groups can also be automatically constructed based on groups that exist in Active Directory (AD).

Here are some reasons that managing group membership is important:

  • Having well defined groups can help improve signal quality by allowing triage rules to be defined using groups.

    • Triage rules can filter out traffic that would otherwise cause a detection to fire for authorized behaviors.

  • Importance of groups influences prioritization (scoring) of entities in RUX deployments.

  • Groups are displayed for entities which can give key context to analysts when interpreting signal in the Vectra UI.

  • Groups can be statically defined, based on regex patters, or be created based on AD groups

For more details on groups, please see:

hashtag
AD Groups Important Facts

  • Import of Active Directory groups, so that Vectra groups can be created based on those imported groups, is enabled by first Configuring Active Directory(AD) integration with Vectra NDR.

    • Vectra normally syncs with your Active Directory in chunks at varying intervals over the course of 24 hours.

      • It can take up to 24 hours for group membership to be fully updated in any Vectra groups that are based on AD groups.

    • Queries are paginated to reduce the load on your AD server.

    • Larger environments may need to sync more frequently to successfully gather all directory information.

    • If the load on your AD server you have chosen to use for AD Integration with Vectra becomes too much, you can change to a Dirsync method that only syncs changes hourly after an initial full sync.

      • Please see the AD integration KB for details if Dirsync is desired.

      • Unless there are issues with AD server load, Vectra recommends using normal AD sync.

  • While an AD group object (in Active Directory) may contain both hosts and accounts, in Vectra, AD groups are stored separately for hosts and accounts and must be imported separately.

    • If your AD group contains both hosts and accounts, make sure to import the same group twice.

    • In one import you will create a Vectra AD host group while in the other import you will create a Vectra AD account group.

  • If AD integration is disabled (turned off), all imported groups based on AD groups will be converted to static groups.

    • These static groups will retain the members they had at the time of conversion but they will not receive any updates even if AD integration is turned on again.

  • If you have several Active Directories that you have enabled for AD integration and delete any of those configurations, any groups that were imported from those ADs will be converted into static groups.

    • These static groups will retain the members they had at the time of conversion but they will not receive any updates even if AD integration is turned on again.

  • If you convert an AD group to a static group manually, or through the disabling of AD integration or deletion of an AD integration profile, you will need to go through the AD group configuration process again to recreate the AD group once AD integration is re-enabled, or the AD integration profile is recreated.

    • Group names can be retained, and the auto-suggested names will include a trailing (2), (3), etc if the original auto-suggested name is still in the system.

  • AD groups only supports Active Directory

    • Entra ID (formerly Azure Active Directory) is NOT supported for the AD groups feature.

hashtag
Configuration and Management

hashtag
Enabling AD Groups

  • To enable the creation of AD groups, AD integration must be configured. For details please see:

  • Once you have AD integration enabled, you are ready to begin configuring your AD groups that you want imported into Vectra.

    • Keep in mind that not all groups may be available for import immediately, as per the AD Groups Important Facts above, it can take up to 24 hours for full synchronization.

hashtag
Configuring AD Groups

  • Navigate in your Vectra UI to Manage > Groups and click "Create Groups".

    • Choose Host or Account for the "Type".

    • Choose "AD (Multi-Entry Import)" for Build Using...

      • Once you pick this Name, Importance, and Description are no longer options at this point.

      • These can be configured later.

  • On the Group Import screen, choose the groups that you want to import, cancel, or go back.

    • Once you have selected all the groups that you wish to import, you can click on the "Groups Preview" button to validate your selections.

      • You can choose to import all groups using the "Select All" button, or choose individual groups to import.

    • Details:

      • AD Profile

        • All configured AD profiles will be listed here.

        • You can either display all groups in all configured ADs or show groups from only one of your configured ADs.

      • Search of filter AD group

        • You can search on Base DN, OU, O, or C. Display names are not supported.

      • AD Group

        • The Distinguished Name (DN) will be shown for the AD groups that were found in the chosen AD Proflie.

      • Name

        • An auto generated name will be shown

        • This can be edited as desired.

      • Importance

        • Available for RUX deployments only.

        • The default of Medium importance for the resulting Vectra group can be changed to Low or High if desired.

        • Importance will impact the urgency score of a host or account entity.

  • On the "Groups Preview" screen, you can see how many assets of this group type Vectra has matched to the AD group.

    • The count may be lower than the total AD members if some have never been seen by Vectra.

      • Host objects are created when any traffic is observed from a host.

      • Account objects are created when any detection is created for an account.

    • Counts may take up to 24 hours to populate after AD is first connected.

  • When you are satisfied with the validation, click "Create Groups" to create the groups you selected.

  • Important Tip - As per the AD Groups Important Facts section above:

    • While an AD group object (in Active Directory) may contain both hosts and accounts, in Vectra, AD groups are stored separately for hosts and accounts and must be imported separately.

      • If your AD group contains both hosts and accounts, make sure to import the same group twice.

      • In one import you will create a Vectra AD host group while in the other import you will create a Vectra AD account group.

hashtag
Managing AD Groups

  • On the Manage > Groups page, you can click into a group to manage it.

  • Rebuild As Static

    • Click here to convert this group into a static group.

      • This will happen automatically if you disable AD integration or delete the AD the group was imported from.

      • Static groups cannot be converted back to an AD group.

  • Edit Details

    • Click here if you want to change the Name, Importance, or Description of your group.

  • Delete Group

    • Click here to delete the group.

  • Search Members

    • You can search for specific members in this area.

    • Only Vectra hosts or accounts will show for these AD groups.

      • The count of members may be lower than the total AD members if some have never been seen by Vectra.

        • Host objects are created when any traffic is observed from a host.

          • This is not immediate and follows Understanding Vectra Detect Host Naming conventions for how the hosts are named.

          • Until a stable Host object is created by HostID, the host could be represented as IP.X.X.X.X which is a generic host container and not a fully host object.

          • Generic Host Containers will not match imported AD Host references.

        • Account objects are created when any detection is created for an account.

  • Download CSV

    • Click here to download a .csv file of the Vectra AD group members.

PreviousTriage best practicesNextDynamic groups

Last updated

Was this helpful?