On-premise Active Directory

To monitor your on-premise Active Directory (AD) cluster, you will need to install the SlashID Collector in your network.

How the SlashID Collector works

The SlashID Collector monitors your network and sends data to the SlashID detection engine. To ensure full coverage, you will need to connect each domain controller to the SlashID Collector.

STEP 1: Create the connection on the SlashID Console

  1. In Configuration > Connectors > + Add connector, select Active Directory from the list.
  2. Complete the following fields:
  • Name of the connection: an arbitrary name for your new connection
  • Authoritative status: whether this connection should be the primary source of truth to reconcile identities across providers
  3. Once the initial connector is created, it appears in Configuration > Connectors. From this page, copy the Event streaming token and store it temporarily, as you will need it in the following step. The token authenticates the Collector to SlashID, so treat it as a secret.

STEP 2: Deploy the SlashID Collector

  1. Request access to the SlashID Docker registry through Slack or email support@slashid.com.
  2. Download the SlashID AD Collector image from the registry.
  3. Edit the config.env file that you will need for deployment:
  • MODE: the first Collector you deploy must collect both a view of all identities (snapshot) and events (event), so set it to snapshot,event. Any Collector deployed after the first should be set to event only
  • DOMAIN: your domain
  • USERNAME and PASSWORD: username and password of a member of the group Domain Admins (RID 512)
  • TARGET_DC: hostname of the domain controller this Collector connects to
  • SLASHID_AUTH_TOKEN: the token you copied in STEP 1
MODE=snapshot,event
DOMAIN=your.domain.local
USERNAME=admin.user
PASSWORD=admin-password
TARGET_DC=controller.your.domain.local
SLASHID_AUTH_TOKEN=123456789
  Because config.env holds a Domain Admin password and the streaming token in clear text, restrict read access to it on the host (for example chmod 600, owned by the user that runs Docker).
  4. Deploy the SlashID AD Collector on a machine that has access to a domain controller with this command:
docker run --pull always --env-file config.env --name slashid_agent --restart unless-stopped --detach --network host slashid/agent
  5. [Optional] Deploy additional Collectors if you have more than one domain controller in your network. For each additional domain controller, edit config.env like this:
  • MODE: set it to event
  • TARGET_DC: the hostname of that domain controller
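The steps above can be scripted so that exactly one Collector takes the snapshot, every other one streams events only, and each config.env is written with owner-only permissions. The following POSIX sh script is an added example, not SlashID's own tooling: it assumes the variable names shown on this page (MODE, DOMAIN, USERNAME, PASSWORD, TARGET_DC, SLASHID_AUTH_TOKEN) and the docker run line from step 4; the per-DC file names, the per-DC container names and the helper function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not SlashID's own tooling: render one config.env per domain controller
# and print the matching docker run command. Variable names follow this page; the
# per-DC file name, container naming and helper names are this example's assumptions.

require_var() {
  # require_var <NAME>: fail if the environment variable NAME is unset or empty
  eval "val=\${$1:-}"
  [ -n "$val" ] || { echo "missing required variable: $1" >&2; return 1; }
}

collector_mode() {
  # collector_mode <index>: the first Collector (index 0) uploads the snapshot and streams
  # events; every later one streams events only, so the directory is uploaded once
  if [ "$1" -eq 0 ]; then echo "snapshot,event"; else echo "event"; fi
}

render_config() {
  # render_config <mode> <target_dc> <outfile>: write a config.env for one Collector
  mode=$1; dc=$2; out=$3
  require_var DOMAIN && require_var USERNAME && require_var PASSWORD \
    && require_var SLASHID_AUTH_TOKEN || return 1
  case "$mode" in
    snapshot,event|event) ;;
    *) echo "invalid MODE: $mode" >&2; return 1 ;;
  esac
  old_umask=$(umask)
  umask 077   # the file carries a Domain Admin password and the streaming token: owner-only
  printf 'MODE=%s\nDOMAIN=%s\nUSERNAME=%s\nPASSWORD=%s\nTARGET_DC=%s\nSLASHID_AUTH_TOKEN=%s\n' \
    "$mode" "$DOMAIN" "$USERNAME" "$PASSWORD" "$dc" "$SLASHID_AUTH_TOKEN" > "$out"
  umask "$old_umask"
}

container_name() {
  # container_name <target_dc>: a per-DC container name, so two Collectors on one host
  # do not both claim the page's default name slashid_agent
  echo "slashid_agent_$(echo "$1" | sed 's/[^A-Za-z0-9_.-]/_/g')"
}

deploy_cmd() {
  # deploy_cmd <envfile> <container_name>: the docker run line from STEP 2
  echo "docker run --pull always --env-file $1 --name $2 --restart unless-stopped --detach --network host slashid/agent"
}

plan_collectors() {
  # plan_collectors <outdir> <target_dc>...: one config.env and one docker command per DC;
  # the first DC listed is the one that also uploads the snapshot
  outdir=$1; shift
  [ $# -ge 1 ] || { echo "at least one domain controller is required" >&2; return 1; }
  mkdir -p "$outdir"
  i=0
  for dc in "$@"; do
    file="$outdir/config.$dc.env"
    render_config "$(collector_mode "$i")" "$dc" "$file" || return 1
    deploy_cmd "$file" "$(container_name "$dc")"
    i=$((i + 1))
  done
}

# Usage (on the machine that can reach the domain controllers):
#   export DOMAIN=your.domain.local USERNAME=admin.user PASSWORD=... SLASHID_AUTH_TOKEN=...
#   plan_collectors ./collectors controller.your.domain.local dc2.your.domain.local
```

The script only prints the docker commands rather than running them, so you can review which file goes to which container before anything starts; the snapshot Collector is always the first controller you list.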

Example

This is an example deployment with multiple SlashID Collectors: one snapshot uploader per AD domain and one WMI event streamer per domain controller, each with its own credentials and streaming token.

# Active Directory Snapshot Uploaders (One per AD domain)
# Required
AD_SNAPSHOT_1_DOMAIN=north.sevenkingdoms.local
AD_SNAPSHOT_1_USERNAME=brandon.stark
AD_SNAPSHOT_1_PASSWORD=***
AD_SNAPSHOT_1_TARGET_DC=winterfell.north.sevenkingdoms.local
AD_SNAPSHOT_1_SLASHID_AUTH_TOKEN=***
# Optional
AD_SNAPSHOT_1_COLLECTION_METHOD=All
AD_SNAPSHOT_1_LDAPS=false
AD_SNAPSHOT_1_LDAPS_PORT=636
AD_SNAPSHOT_1_FQDN_RESOLVER=192.168.56.11

# Required
AD_SNAPSHOT_2_DOMAIN=south.sevenkingdoms.local
AD_SNAPSHOT_2_USERNAME=arya.stark
AD_SNAPSHOT_2_PASSWORD=***
AD_SNAPSHOT_2_TARGET_DC=braavos.south.sevenkingdoms.local
AD_SNAPSHOT_2_SLASHID_AUTH_TOKEN=***
# Optional
AD_SNAPSHOT_2_COLLECTION_METHOD=Computers
AD_SNAPSHOT_2_LDAPS=true
AD_SNAPSHOT_2_LDAPS_PORT=689
AD_SNAPSHOT_2_FQDN_RESOLVER=192.168.56.12

# WMI Event Streamers (One per Domain Controller)
# Required
WMI_1_DOMAIN=north.sevenkingdoms.local
WMI_1_USERNAME=bran.stark
WMI_1_PASSWORD=***
WMI_1_TARGET_DC=winterfell.north.sevenkingdoms.local
WMI_1_SLASHID_AUTH_TOKEN=***
# Optional
WMI_1_KERBEROS_AUTH=false

# Required
WMI_2_DOMAIN=south.sevenkingdoms.local
WMI_2_USERNAME=jaqen.hghar
WMI_2_PASSWORD=***
WMI_2_TARGET_DC=braavos.south.sevenkingdoms.local
WMI_2_SLASHID_AUTH_TOKEN=***
# Optional
WMI_2_KERBEROS_AUTH=true
WMI_2_AES_KEY=***
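A file in this indexed format is easy to get subtly wrong (a key typed under the wrong index, a required key dropped, a weaker transport left in place). The following POSIX sh function is an added example, not SlashID's tooling: it reads an env file using the AD_SNAPSHOT_<n>_* and WMI_<n>_* naming shown above, reports any required key missing for a collector index, and warns where AD_SNAPSHOT_<n>_LDAPS or WMI_<n>_KERBEROS_AUTH is not true. Treating those two flags as the ones worth a warning is this example's own reading of the optional settings; the sample file is constructed from the values on this page.

```shell
#!/bin/sh
# Added example, not SlashID's tooling: lint a multi-collector env file. The indexed
# variable names follow this page; the required-key list and the warnings are the
# example's own assumptions.

# Constructed sample, modelled on the example above (secrets replaced with REDACTED)
SAMPLE_ENV='# Active Directory Snapshot Uploaders (One per AD domain)
AD_SNAPSHOT_1_DOMAIN=north.sevenkingdoms.local
AD_SNAPSHOT_1_USERNAME=brandon.stark
AD_SNAPSHOT_1_PASSWORD=REDACTED
AD_SNAPSHOT_1_TARGET_DC=winterfell.north.sevenkingdoms.local
AD_SNAPSHOT_1_SLASHID_AUTH_TOKEN=REDACTED
AD_SNAPSHOT_1_LDAPS=false
AD_SNAPSHOT_2_DOMAIN=south.sevenkingdoms.local
AD_SNAPSHOT_2_USERNAME=arya.stark
AD_SNAPSHOT_2_PASSWORD=REDACTED
AD_SNAPSHOT_2_TARGET_DC=braavos.south.sevenkingdoms.local
AD_SNAPSHOT_2_SLASHID_AUTH_TOKEN=REDACTED
AD_SNAPSHOT_2_LDAPS=true
# WMI Event Streamers (One per Domain Controller)
WMI_1_DOMAIN=north.sevenkingdoms.local
WMI_1_USERNAME=bran.stark
WMI_1_PASSWORD=REDACTED
WMI_1_TARGET_DC=winterfell.north.sevenkingdoms.local
WMI_1_SLASHID_AUTH_TOKEN=REDACTED
WMI_1_KERBEROS_AUTH=false
WMI_2_DOMAIN=south.sevenkingdoms.local
WMI_2_USERNAME=jaqen.hghar
WMI_2_PASSWORD=REDACTED
WMI_2_TARGET_DC=braavos.south.sevenkingdoms.local
WMI_2_SLASHID_AUTH_TOKEN=REDACTED
WMI_2_KERBEROS_AUTH=true
WMI_2_AES_KEY=REDACTED'

lint_collectors_env() {
  # lint_collectors_env <file>: print one finding per line; return 1 if a required key
  # is missing for any collector index (warnings alone keep the return value 0)
  awk -F= '
    /^[[:space:]]*(#|$)/ { next }                       # skip comments and blank lines
    {
      key = $1
      val = substr($0, index($0, "=") + 1)              # value may itself contain "="
      kv[key] = val
      if (match(key, /^(AD_SNAPSHOT|WMI)_[0-9]+_/))
        seen[substr(key, 1, RLENGTH)] = 1               # collector prefix, e.g. WMI_2_
    }
    END {
      n = split("DOMAIN USERNAME PASSWORD TARGET_DC SLASHID_AUTH_TOKEN", req, " ")
      rc = 0
      for (p in seen) {
        for (i = 1; i <= n; i++)
          if (!((p req[i]) in kv)) { print "ERROR " p req[i] " is missing"; rc = 1 }
        if (p ~ /^AD_SNAPSHOT_/ && kv[p "LDAPS"] != "true")
          print "WARN " p "LDAPS is not true: directory reads from " kv[p "TARGET_DC"] " use plain LDAP"
        if (p ~ /^WMI_/ && kv[p "KERBEROS_AUTH"] != "true")
          print "WARN " p "KERBEROS_AUTH is not true: event streaming from " kv[p "TARGET_DC"] " does not use Kerberos"
      }
      exit rc
    }' "$1"
}

# Usage:
#   printf '%s\n' "$SAMPLE_ENV" > collectors.env && lint_collectors_env collectors.env
```

Run against the sample, the lint passes (every index has its five required keys) but warns about AD_SNAPSHOT_1 and WMI_1, which mirror the weaker settings in the page's example, while the LDAPS and Kerberos entries for index 2 produce no finding.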