When you connect Active Directory to InsightIDR, InsightIDR can identify and appropriately tag any administrator users.
When you click the Admin Accounts number on the Users & Accounts page, you will see a table of admin information, such as Admin Accounts, and Admin Activity.
Rapid7 recommends reviewing the list of administrators to ensure proper administrative access to the right users.
The Admin Account tab displays a list of the following:
- Groups that the account belongs to
- Date that the account last accessed the system
This data is collected from the LDAP event source, which pulls the information directly from your domain controller.
For users who belong to multiple admin groups, hovering over the admin group tag displays the groups that user is a member of. Note that the standalone Administrators tag indicates a Local Administrator.
To see definitions of the other account tags that InsightIDR can apply to admin accounts, see the Account Tags page.
You can also select the Admin Activity view at the top of the user list to see historical administrative activity, including:
- Source user
- Target user
This data mirrors the log data included in the Active Directory Administrative Activity log set(s). You can also select the Activity dropdown on the left to switch to different data sources, such as LDAP, Okta, and others.
You can also search for a particular admin to see only their activity.
Domain Admin Accounts
InsightIDR is designed to automate many of the day-to-day security monitoring tasks that are often taken for granted. In order to collect the data about authentication and administrative activity from your network, the solution needs your permission to gather these events.
Having a domain admin account is the best option because it saves you from completing a complex re-configuration of production domain controllers to allow remote Distributed Component Object Model (DCOM) and Windows Management Instrumentation (WMI) permissions.
Why Do I Need a Domain Admin Account?
Watching the Watchers: InsightIDR audits access to administrator accounts, flags anomalous administrator events, and alerts you to new (or re-enabled) accounts.
Endpoint Monitoring: InsightIDR collects endpoint logs from systems throughout the network, providing visibility into local administrators along with alerting you to indicators of compromise at the endpoint. See the Endpoint Monitor for more information.
Service Account Auditing: InsightIDR also tracks service accounts (including its own), tracing activity to ensure it is consistent. If a service account is used irregularly (such as from a new source server), InsightIDR will alert you to the anomalous and potentially malicious activity.
Credential Security: All credentials you create in the InsightIDR interface are sent straight to your own Collector(s), where the credentials are salted, hashed, and stored. Your credentials are never saved in the Insight cloud. InsightIDR is designed to catch compromised credentials.
Using a Domain Admin account will drastically increase your visibility into network activity.