Quick Start Tutorial
The quick start procedure demonstrates how this solution is applied; once your first use is complete, continue reading in the using guide. If you have not already done so, follow the install and data-activedirectory portions of the documentation first.
Identifying important assets and identities
- Working with a knowledgeable administrator, identify a specific Windows server (or servers) that can be identified by name or name pattern as high or critical, for example the file server used by the CEO.
- Working with a knowledgeable Active Directory administrator, identify one group with current members that grants privileged access to Active Directory or member servers OTHER than the default groups created by Active Directory such as Enterprise Admins, Domain Admins or Administrators.
Configure categorization for a single server
- Login to Enterprise Security
- Navigate to Enterprise Security
- Select Configure menu
- Select Content management
- Select “SecKit SA IDM Common for ES” in the app drop down
- Find “SecKit IDM Common static hosts”
- Under actions for this row select export
- Using a CSV editor of your choice, add the following information and save. Wildcard values for static_name are allowed, as are specific host names. Wildcards should be limited to the end of the host name to avoid accidentally matching unintended hosts.

| static_name | static_category | static_pci_domain | static_priority | static_expected |
|-------------|-----------------|-------------------|-----------------|-----------------|
| srvexevfs*  | estaff          | trust             | high            | true            |

- Return to Enterprise Security
- Under Actions for this row click Update File
- Select the modified file
Run the following searches:
- Windows Assets: run the search `| savedsearch seckit_idm_windows_identities_lookup_gen`
- Force Enterprise Identity Merge: run the search `| from savedsearch:"Identity - Asset Identity Matches - Lookup Gen"`
Verify categorization for a single server
- Return to Enterprise Security
- Select the Security Domains menu
- Select Identity
- Select Asset Center
- Enter a specific host matching static name above
- Verify the category, pci_domain and priority fields match above
Configure categorization for privileged group
- Login to Enterprise Security
- Navigate to Enterprise Security
- Select Configure menu
- Select Content management
- Select “SecKit SA IDM Windows for ES” in the app drop down
- Find “SecKit IDM Windows AD Identity Classification By memberOf Group”
- Under actions for this row select export
- Using a CSV editor of your choice, add the following information and save. Wildcard values for memberOf are allowed, as are full group distinguished names. Wildcards should be limited to the end of the value to avoid accidentally matching unintended groups.

| memberOf | member_category | member_priority | member_watchlist |
|----------|-----------------|-----------------|------------------|
| CN=System Managed Accounts Group,CN=Builtin,* | nha | critical | high |

- Return to Enterprise Security
- Under Actions for this row click Update File
- Select the modified file
Run the following searches:
- Windows Identities build: run the search `| savedsearch seckit_idm_windows_assets_lookup_gen`
- Force Enterprise Asset and Identity Merge: run the search `| from savedsearch:"Identity - Asset String Matches - Lookup Gen"`, then run the search `| from savedsearch:"Identity - Asset CIDR Matches - Lookup Gen"`
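As an added example that is not part of this tutorial or of the SecKit project, the following Python script loads the two lookup tables from this page as CSV (the rows are constructed to mirror them), checks the trailing-wildcard rule the tutorial gives before a file is uploaded, and shows what a host name or a user's memberOf list would be classified as. The shell-style glob matching and the priority ordering are assumptions made for this example, not Enterprise Security's own lookup matching.

```python
import csv
import fnmatch
import io

# Constructed sample lookup files mirroring the two tables in this tutorial
# (example rows, not the project's shipped lookups).
STATIC_HOSTS_CSV = """\
static_name,static_category,static_pci_domain,static_priority,static_expected
srvexevfs*,estaff,trust,high,true
"""

MEMBEROF_CSV = """\
memberOf,member_category,member_priority,member_watchlist
"CN=System Managed Accounts Group,CN=Builtin,*",nha,critical,high
"""


def load_lookup(text):
    """Parse a lookup CSV into a list of row dicts keyed by the header."""
    return list(csv.DictReader(io.StringIO(text)))


def wildcard_only_at_end(pattern):
    """True when the pattern has no '*' or exactly one '*' as its last character."""
    count = pattern.count("*")
    return count == 0 or (count == 1 and pattern.endswith("*"))


def validate_lookup(rows, key):
    """Return a list of problems: empty keys or wildcards anywhere but the end.

    A leading or embedded '*' would pull unrelated hosts or groups into the
    classification, which is why the tutorial restricts wildcards to the end.
    """
    problems = []
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        value = (row.get(key) or "").strip()
        if not value:
            problems.append(f"line {line_no}: empty {key}")
        elif not wildcard_only_at_end(value):
            problems.append(f"line {line_no}: wildcard not at end of {key}: {value!r}")
    return problems


def match_rows(rows, key, candidate):
    """Rows whose pattern in `key` matches `candidate`, case-insensitively.

    Shell-style globbing stands in for Splunk's wildcard lookup matching here;
    that equivalence is an assumption for this example.
    """
    return [row for row in rows
            if fnmatch.fnmatchcase(candidate.lower(), row[key].lower())]


def classify_host(hosts, hostname):
    """Category and priority a host gets from the static hosts lookup, or None."""
    hits = match_rows(hosts, "static_name", hostname)
    if not hits:
        return None
    return {"category": hits[0]["static_category"], "priority": hits[0]["static_priority"]}


def classify_identity(groups, member_of):
    """Category and priority for a user from its memberOf DNs, or None.

    The highest priority among matching groups wins; the ranking below is an
    assumption for this example.
    """
    rank = {"critical": 4, "high": 3, "medium": 2, "low": 1}
    best = None
    for dn in member_of:
        for row in match_rows(groups, "memberOf", dn):
            if best is None or rank.get(row["member_priority"], 0) > rank.get(best["priority"], 0):
                best = {"category": row["member_category"], "priority": row["member_priority"]}
    return best


if __name__ == "__main__":
    hosts = load_lookup(STATIC_HOSTS_CSV)
    groups = load_lookup(MEMBEROF_CSV)
    print("static hosts problems:", validate_lookup(hosts, "static_name"))
    print("memberOf problems:", validate_lookup(groups, "memberOf"))
    print(classify_host(hosts, "SRVEXEVFS01"))
    print(classify_identity(groups, ["CN=System Managed Accounts Group,CN=Builtin,DC=corp,DC=example"]))
```

Running the validator against an edited CSV before the Update File step catches a pattern such as `*exevfs`, which would match every host ending in that suffix rather than the intended file server; the classify functions show the same trailing-wildcard row matching `SRVEXEVFS01` but not a host like `xsrvexevfs01`.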
Verify categorization for privileged group
- Return to Enterprise Security
- Select the Security Domains menu
- Select Identity
- Select Identity Center
- Enter a specific user included in the group
- Verify the category and priority fields match above