Admin Users
When you connect Active Directory to InsightIDR, InsightIDR can identify and appropriately tag any administrator users.
Any users that are members of these LDAP groups are considered to be admin users:
domain admins
enterprise admins
schema admins
administrators
backup operators
When you click the Admin Accounts number on the Users & Accounts page, you will see a table of admin information, such as Admin Accounts and Admin Activity.
Rapid7 recommends reviewing the list of administrators to ensure proper administrative access to the right users.
Admin Accounts
The Admin Account tab displays a list of the following:
- Groups that the account belongs to
- Department
- Title
- Date of the latest asset logon with one of the AD accounts that belong to the user
This data is collected from the LDAP event source, which pulls the information directly from your domain controller. InsightIDR also applies admin group tags based on the admin activities users are observed performing.
| Admin activity group tag | Description |
|---|---|
| AWS Admins | This group contains all accounts that perform IAM activities in AWS. |
| Box Admins | This group contains all accounts that perform Box.com admin activity. |
| Google Admins | This group contains all accounts that perform admin activities in Google Apps. |
| Okta Admins | This group contains all accounts that perform admin activities in Okta. |
| O365 Admins | This group contains all accounts that perform admin activities in Microsoft Office 365. |
| Azure AD Admins | This group contains all accounts that perform admin activities in Azure Active Directory. |
| LDAP Admins | This group contains all accounts that perform LDAP admin activity. |
| Zscaler Admins | This group contains all accounts that perform admin activity in Zscaler. |
| SentinelOne Admins | This group contains all accounts that perform admin activity in SentinelOne. |
For users who belong to multiple admin groups, hovering over the admin group tag displays the groups that user is a member of. Note that the standalone Administrators tag indicates a Local Administrator.
To see definitions of the other account tags that InsightIDR can apply to admin users, view the Account Tags page.
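The two tagging rules described above (membership in one of the five LDAP admin groups, and observed admin activity per source) can be reproduced in a small review script, which is useful when you want to check the administrator list InsightIDR shows against your own directory export. The following is an added example, not InsightIDR's or Rapid7's code; the group map and activity events are constructed sample data, nested-group resolution is an assumption about how a reviewer would treat AD group nesting, and the `source` keys mapping to the tag names are placeholders rather than InsightIDR identifiers.

```python
# Added example (not InsightIDR code): applies the page's two admin-tagging rules to
# constructed in-memory data. In a real review the group map comes from your domain
# controller and the events from the connected cloud/identity sources.
from collections import defaultdict

# The five LDAP groups the page lists as conferring admin status (matched case-insensitively).
ADMIN_LDAP_GROUPS = {
    "domain admins", "enterprise admins", "schema admins",
    "administrators", "backup operators",
}

# Activity source -> admin-activity group tag from the page's table.
# The source keys are placeholders, not InsightIDR event-source names.
ACTIVITY_TAGS = {
    "aws_iam": "AWS Admins", "box": "Box Admins", "google": "Google Admins",
    "okta": "Okta Admins", "o365": "O365 Admins", "azure_ad": "Azure AD Admins",
    "ldap": "LDAP Admins", "zscaler": "Zscaler Admins", "sentinelone": "SentinelOne Admins",
}

# Constructed directory: group -> direct members (users or nested groups).
# carol is only an admin through nesting: Helpdesk Tier 2 is itself in Administrators.
SAMPLE_GROUPS = {
    "Domain Admins": ["alice"],
    "Administrators": ["Helpdesk Tier 2", "bob"],
    "Helpdesk Tier 2": ["carol"],
    "Backup Operators": ["dave"],
    "Sales": ["erin"],
}

# Constructed admin-activity events with the four fields the Admin Activity view shows,
# plus the source each event came from.
SAMPLE_ACTIVITY = [
    {"source": "aws_iam", "source_user": "alice", "target_user": "svc-deploy",
     "action": "CreateAccessKey", "timestamp": "2024-01-10T09:12:00Z"},
    {"source": "okta", "source_user": "frank", "target_user": "erin",
     "action": "user.lifecycle.activate", "timestamp": "2024-01-10T11:30:00Z"},
    {"source": "ldap", "source_user": "alice", "target_user": "carol",
     "action": "Member added to group", "timestamp": "2024-01-11T14:05:00Z"},
    {"source": "sentinelone", "source_user": "grace", "target_user": "ws-0042",
     "action": "Policy changed", "timestamp": "2024-01-12T08:00:00Z"},
]


def effective_groups(user, groups):
    """Every group `user` belongs to, directly or through nested groups (assumed resolution)."""
    parents = defaultdict(set)  # member -> groups that list it directly
    for group, members in groups.items():
        for member in members:
            parents[member].add(group)
    seen, stack = set(), [user]
    while stack:
        node = stack.pop()
        for parent in parents.get(node, ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)  # a parent group may itself be nested further up
    return seen


def ldap_admin_users(groups):
    """Users that are (transitively) members of any of the five admin LDAP groups."""
    users = {m for members in groups.values() for m in members if m not in groups}
    return {u for u in users
            if any(g.lower() in ADMIN_LDAP_GROUPS for g in effective_groups(u, groups))}


def activity_admin_tags(events):
    """Admin-activity group tags per source user, derived from observed activity."""
    tags = defaultdict(set)
    for e in events:
        tag = ACTIVITY_TAGS.get(e["source"])
        if tag:
            tags[e["source_user"]].add(tag)
    return dict(tags)


def admin_tags(groups, events):
    """Merge membership-derived group names and activity-derived tags, per user."""
    tags = defaultdict(set)
    for u in ldap_admin_users(groups):
        tags[u].update(g for g in effective_groups(u, groups) if g.lower() in ADMIN_LDAP_GROUPS)
    for u, activity in activity_admin_tags(events).items():
        tags[u] |= activity
    return {u: sorted(t) for u, t in tags.items()}


def activity_for(events, admin):
    """The Admin Activity view narrowed to one admin, newest event first."""
    return sorted((e for e in events if e["source_user"] == admin),
                  key=lambda e: e["timestamp"], reverse=True)


if __name__ == "__main__":
    for user, tags in sorted(admin_tags(SAMPLE_GROUPS, SAMPLE_ACTIVITY).items()):
        print(f"{user}: {', '.join(tags)}")
    for e in activity_for(SAMPLE_ACTIVITY, "alice"):
        print(e["timestamp"], e["source_user"], "->", e["target_user"], e["action"])
```

Running this prints one line per tagged account (frank and grace appear only through activity, never through group membership, which is exactly the kind of account worth a second look during the review the page recommends), followed by alice's activity in reverse chronological order.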
Admin Activity
You can also select the Admin Activity view at the top of the user list to see historical administrative activity, including:
- Source user
- Target user
- Action
- Timestamp
This data mirrors the log data included in the Active Directory Administrative Activity log set(s). You can also select the Activity dropdown on the left to switch to different data sources, such as LDAP, Okta, and others.
You can also search for a particular admin to see only their activity.