On-premise Active Directory

To monitor your on-premise Active Directory (AD) cluster, you will need to install the SlashID Collector in your network.

How the SlashID Collector works

The SlashID Collector monitors your network and sends data to the SlashID detection engine. To ensure full coverage, you will need to connect each domain controller to the SlashID Collector.

STEP 1: Create the connection on the SlashID Console

  1. In the SlashID Console, go to Configuration > Data sources > Add data source and select Active Directory from the list.

  2. Complete the following fields:

  • Name of the connection: an arbitrary name for your new connection
  • Authoritative status: whether this connection should be the primary source of truth to reconcile identities across providers
  3. Once the connection is created, it appears under Configuration > Data sources. From this page, copy the Event streaming token and store it temporarily; you will need it in the next step.

STEP 2: Deploy the SlashID Collector

  1. Request access to the SlashID Docker registry through Slack or email support@slashid.com.
  2. Download the SlashID AD Collector image from the registry.
  3. Edit the config.env file used for deployment, filling in one AD_SNAPSHOT_<n> block per domain and one WMI_<n> block per domain controller:
  • DOMAIN: your domain
  • USERNAME and PASSWORD: username and password of a member of the group Domain Admins (RID 512)
  • TARGET_DC: domain controller location
  • SLASHID_AUTH_TOKEN: the token you copied in STEP 1.
    # Active Directory Snapshot Uploaders (One per AD domain)
    AD_SNAPSHOT_1_DOMAIN=your.domain.local
    AD_SNAPSHOT_1_USERNAME=admin.user
    AD_SNAPSHOT_1_PASSWORD=admin-password
    AD_SNAPSHOT_1_TARGET_DC=first.controller.your.domain.local
    AD_SNAPSHOT_1_SLASHID_AUTH_TOKEN=123456789

    # WMI Event Streamers (One per Domain Controller)
    WMI_1_DOMAIN=your.domain.local
    WMI_1_USERNAME=admin.user
    WMI_1_PASSWORD=admin-password
    WMI_1_TARGET_DC=first.controller.your.domain.local
    WMI_1_SLASHID_AUTH_TOKEN=123456789

    WMI_2_DOMAIN=your.domain.local
    WMI_2_USERNAME=admin.user
    WMI_2_PASSWORD=admin-password
    WMI_2_TARGET_DC=second.controller.your.domain.local
    WMI_2_SLASHID_AUTH_TOKEN=123456789
  4. Deploy the SlashID AD Collector on a machine that has network access to the domain controllers with this command:

    docker run --pull always --env-file config.env --name slashid_agent --restart unless-stopped --detach --network host slashid/agent

Example

This is an example config.env for a single SlashID Collector collecting data from two domains, each with its own snapshot uploader and WMI event streamer.

    # Active Directory Snapshot Uploaders (One per AD domain)
    # Required
    AD_SNAPSHOT_1_DOMAIN=north.sevenkingdoms.local
    AD_SNAPSHOT_1_USERNAME=brandon.stark
    AD_SNAPSHOT_1_PASSWORD=***
    AD_SNAPSHOT_1_TARGET_DC=winterfell.north.sevenkingdoms.local
    AD_SNAPSHOT_1_SLASHID_AUTH_TOKEN=***
    # Optional (all keys in this block carry the _1_ index of the uploader above)
    AD_SNAPSHOT_1_COLLECTION_METHOD=All
    AD_SNAPSHOT_1_LDAPS=false
    AD_SNAPSHOT_1_LDAPS_PORT=636
    AD_SNAPSHOT_1_FQDN_RESOLVER=192.168.56.11

    # Required
    AD_SNAPSHOT_2_DOMAIN=south.sevenkingdoms.local
    AD_SNAPSHOT_2_USERNAME=arya.stark
    AD_SNAPSHOT_2_PASSWORD=***
    AD_SNAPSHOT_2_TARGET_DC=braavos.south.sevenkingdoms.local
    AD_SNAPSHOT_2_SLASHID_AUTH_TOKEN=***
    # Optional
    AD_SNAPSHOT_2_COLLECTION_METHOD=Computers
    AD_SNAPSHOT_2_LDAPS=true
    AD_SNAPSHOT_2_LDAPS_PORT=689
    AD_SNAPSHOT_2_FQDN_RESOLVER=192.168.56.12

    # WMI Event Streamers (One per Domain Controller)
    # Required
    WMI_1_DOMAIN=north.sevenkingdoms.local
    WMI_1_USERNAME=bran.stark
    WMI_1_PASSWORD=***
    WMI_1_TARGET_DC=winterfell.north.sevenkingdoms.local
    WMI_1_SLASHID_AUTH_TOKEN=***
    # Optional
    WMI_1_KERBEROS_AUTH=false

    # Required
    WMI_2_DOMAIN=south.sevenkingdoms.local
    WMI_2_USERNAME=jaqen.hghar
    WMI_2_PASSWORD=***
    WMI_2_TARGET_DC=braavos.south.sevenkingdoms.local
    WMI_2_SLASHID_AUTH_TOKEN=***
    # Optional
    WMI_2_KERBEROS_AUTH=true
    WMI_2_AES_KEY=***
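A pre-flight check for config.env, added here as an example and not part of SlashID's tooling: it parses the AD_SNAPSHOT_<n>_* and WMI_<n>_* blocks described in STEP 2, reports required keys that are missing, keys assigned twice (where the last value silently wins), and any snapshot target DC that has no WMI event streamer of its own. The sample file, the hostnames and the per-DC coverage rule are assumptions made for illustration.

```python
import re
from collections import defaultdict
# Every AD_SNAPSHOT_<n> and WMI_<n> block needs these keys, per STEP 2 above.
REQUIRED = ("DOMAIN", "USERNAME", "PASSWORD", "TARGET_DC", "SLASHID_AUTH_TOKEN")
KEY_RE = re.compile(r"^(AD_SNAPSHOT|WMI)_(\d+)_([A-Z_]+)$")
# Constructed sample config.env (not a real deployment) with three planted defects.
SAMPLE = """\
AD_SNAPSHOT_1_DOMAIN=example.local
AD_SNAPSHOT_1_USERNAME=svc.collector
AD_SNAPSHOT_1_PASSWORD=placeholder
AD_SNAPSHOT_1_TARGET_DC=dc1.example.local
AD_SNAPSHOT_1_SLASHID_AUTH_TOKEN=placeholder
AD_SNAPSHOT_1_LDAPS=true
AD_SNAPSHOT_1_LDAPS=false
WMI_1_DOMAIN=example.local
WMI_1_USERNAME=svc.collector
WMI_1_PASSWORD=placeholder
WMI_1_TARGET_DC=dc2.example.local
"""

def parse_env(text):
    """Group KEY=value lines into {(kind, n): {key: value}} and collect warnings."""
    blocks, warnings = defaultdict(dict), []
    for lineno, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line or line.startswith("#"):
            continue  # blank lines and comments, as in the config.env above
        name, sep, value = line.partition("=")
        if not sep or not (m := KEY_RE.match(name.strip())):
            warnings.append(f"line {lineno}: unrecognised entry {line!r}")
            continue
        kind, n, key = m.group(1), int(m.group(2)), m.group(3)
        if key in blocks[(kind, n)]:
            warnings.append(f"line {lineno}: {name.strip()} assigned twice; last value wins")
        blocks[(kind, n)][key] = value.strip()
    return blocks, warnings

def check_config(text):
    """Return a list of problems; an empty list means the file looks deployable."""
    blocks, problems = parse_env(text)
    for (kind, n), values in sorted(blocks.items()):
        problems += [f"{kind}_{n}_{key} is missing or empty" for key in REQUIRED if not values.get(key)]
    # Coverage heuristic (our assumption, not a SlashID rule): a DC that a snapshot
    # uploader targets should also have its own WMI event streamer, since streaming is per DC.
    dcs = defaultdict(set)
    for (kind, _), values in blocks.items():
        if values.get("TARGET_DC"):
            dcs[kind].add(values["TARGET_DC"].lower())
    for dc in sorted(dcs["AD_SNAPSHOT"] - dcs["WMI"]):
        problems.append(f"no WMI event streamer configured for {dc}")
    return problems
```

Run it against the real file with `check_config(open("config.env").read())` before the `docker run` step; anything it returns is worth fixing before the container is started.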