Capture Client 3.0 - AD Integration - can't find it
BWC Cybersecurity Overlord ✭✭✭
I'm not running AD, but I was eager to test the new AD Integration in CC 3.0. I deployed CC on my test AD controller (W2K12 R2), but where do I define the AD groups to assign policies to them?
The release notes mention this:
The AD enhancements include:
- Creating dynamic user groups based on Active Directory User Group names.
- Creating dynamic user groups based on Active Directory OU names.
- By default, being able to browse devices by groups and being able to easily see the devices in a specific group.
But the management console does not allow dynamic user groups.
What am I doing wrong here?
You can select Next on that page and add a custom rule. You can see the options related to AD as below.
I hope that helps!
Technical Support Advisor, Premier Services
Found it ... so "Creating dynamic user groups based on Active Directory User Group names." actually means "Creating dynamic device groups based on Active Directory User Group names."
The AD "integration" is a bit rudimentary. Is there some form of synchronisation planned for the future to make groups selectable? It's not very comfortable the way it works right now. But better than nothing :)
Yes, Michael@BWC. I totally agree that this is very rudimentary at this moment. But this is just the beginning, more coming up soon.
Technical Support Advisor, Premier Services
One thing to note about AD synchronization: there is actually no need to set up an LDAP/AD server, no need to plug in credentials or anything of the sort. The AD information is obtained directly from the endpoint, which is why there is no LDAP explorer per se. We believe this to be a more robust and cloud-friendly method because you cannot really set up an LDAP connection with Azure AD. So it's agnostic to where your AD is, either on-prem or in the cloud. But do keep the feedback coming in and we'll continue to evaluate enhancements!
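As an added illustration of the endpoint-side approach described above (this is not Capture Client's code, and the `Test-DynamicGroupRule` function and the rule values are hypothetical), the following PowerShell derives the logged-on user's domain groups from the logon token and the computer's OU from the Group Policy state cached in the registry, with no LDAP bind and no stored credentials, then evaluates a sample "group or OU" rule against them:

```powershell
# Added example, not Capture Client code: gather AD group and OU membership
# from data already present on the endpoint, then test a hypothetical rule.

# 1. Groups of the logged-on user: the logon token already carries the SIDs of
#    every domain group the user belongs to, so no directory query is needed.
$identity   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$userGroups = @(foreach ($sid in $identity.Groups) {
    # Translate SID -> DOMAIN\Name where possible; keep the raw SID otherwise.
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
})

# 2. Computer OU: Group Policy processing caches the machine account's
#    distinguished name in the registry on each policy refresh.
$gpState   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine'
$machineDN = (Get-ItemProperty -Path $gpState -ErrorAction SilentlyContinue).'Distinguished-Name'
# Placeholder shape: CN=PC01,OU=Laptops,OU=Workstations,DC=corp,DC=example
$ouNames = @()
if ($machineDN) {
    $ouNames = @(($machineDN -split ',(?=OU=|DC=)') |
        Where-Object { $_ -like 'OU=*' } |
        ForEach-Object { $_ -replace '^OU=' })
}

# 3. Hypothetical rule: member of a named group OR located in a named OU.
function Test-DynamicGroupRule {
    param([string[]]$Groups, [string[]]$Ous, [string]$GroupName, [string]$OuName)
    # Culture-invariant, case-insensitive comparison so names containing
    # non-ASCII characters (e.g. umlauts) still match the console's spelling.
    $cmp = [System.StringComparer]::InvariantCultureIgnoreCase
    $inGroup = $Groups | Where-Object { $cmp.Equals(($_ -split '\\')[-1], $GroupName) }
    $inOu    = $Ous    | Where-Object { $cmp.Equals($_, $OuName) }
    return (([bool]$inGroup) -or ([bool]$inOu))
}

# Evaluate against constructed rule values (replace with your own names).
$match = Test-DynamicGroupRule -Groups $userGroups -Ous $ouNames -GroupName 'Sales' -OuName 'Workstations'
[pscustomobject]@{
    User       = $identity.Name
    GroupCount = $userGroups.Count
    ComputerDN = $machineDN
    OUs        = ($ouNames -join '/')
    RuleMatch  = $match
}
```

Run it on a domain-joined endpoint as the interactive user; on a non-domain machine `$machineDN` is empty and only the token groups are reported.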
I'm also testing "native" SentinelOne at the moment; it's their approach to doing it. SOPHOS, for example, provides an AD Directory Sync service which is installed locally and transfers the AD information to the cloud backend. I don't know if this works with Azure AD, which you mentioned.
One customer told me he prefers that there is NO sync at all, because he doesn't want to have the AD exposed externally. So one size does not fit all, but that's ok.
Did you guys check this against special characters (German umlauts etc.) in group names etc.? Because this is a very common drawback in global products.
Hi @SuroopMC,
Does the CC client use a Group Policy query like gpresult to understand what AD groups a user or computer are members of? I'd be keen to get some more detail on how Capture Client retrieves AD info.