Configure Simple Response for Microsoft Active Directory: Disable User

Configure a Microsoft Active Directory: Disable User simple response to disable the Microsoft Active Directory account of a user that is the victim of an incident automatically.

If you want to disable users in Microsoft Office 365, use the Microsoft Azure Active Directory: Disable User simple response instead. For more information, see Configure Simple Response for Microsoft Azure Active Directory: Disable User.

Typical use cases for this response include:

  • Stopping the use of leaked credentials
  • Minimizing damage from a compromised user
  • Implementing an incident response plan involving "disable and then investigate." For example, after Alert Logic detects use of known malware such as ransomware, you can disable the user automatically, investigate, and then re-enable the user after remediation.

Complete the following steps to successfully configure this simple response:

  1. (Optional) Create an exclusion list
  2. Choose the response
  3. Connect to Microsoft Active Directory
  4. (Optional) Apply exclusions
  5. Choose when to respond

(Optional) Create an exclusion list

If you want your automation to exclude specific users, the users must be defined in one or more exclusion lists. For example, you can create a list of users in your security team to prevent them from being locked out. During the simple response creation process, a step is available to apply exclusion lists to your automation. If a list you want to apply does not exist already, use the instructions in Exclusions to create it now.

Choose the response

  1. In the Alert Logic console, click the navigation menu icon, click Respond, and then click Automated Response.
  2. On the Simple Responses page, click the add icon, and then, under Microsoft Active Directory: Disable User, click START.

Connect to Microsoft Active Directory

This response requires a Microsoft Active Directory connection that grants Alert Logic access to manage users in your Microsoft Active Directory. In the Connect step, name your response and connect to Microsoft Active Directory as follows.

To connect to Microsoft Active Directory:

  1. In Response Name, enter a descriptive name for your simple response (example: Disable Microsoft AD User).
  2. If you already have a connection to Microsoft Active Directory that grants Alert Logic permission to perform this response, leave Use an existing connection selected, and then select the connection in Connection. You can use the search bar to help you find the connection.
  3. If you do not have a Microsoft Active Directory connection that grants Alert Logic permission to perform this response, click Create a connection, and then complete the instructions in Create a Microsoft Active Directory connection to set it up.
  4. In Expiration in Seconds, enter the number of seconds before you want Alert Logic to re-enable the user, or keep the default value of 0 if you do not want the response to expire automatically.
  5. Click TEST to run a test that checks the configuration without performing the response. The test might take one to two minutes to complete. Results appear in a message.
    • If the result is Succeeded, continue to the next step in this procedure.
    • If the result is Failed, use the listed errors to assist with troubleshooting. If necessary, you can click EDIT CONNECTION above Connection, and then use the information in Create a Microsoft Active Directory connection to check and fix the connection. For further assistance with troubleshooting, see Troubleshooting tips.
  6. If you want the simple response to be active, leave Response is active turned on. Turn it off if you want to save the configuration but not activate the response yet.
  7. Click NEXT to continue to the Apply Exclusions step.

Create a Microsoft Active Directory connection

A Microsoft Active Directory connection securely stores reusable authentication credential information for integrations with Microsoft Active Directory.

To create the Microsoft Active Directory connection, Alert Logic requires the following information about your Microsoft Active Directory:

  • Host—Hostname or IP address of the Active Directory that you want Alert Logic to access.
  • Base DN—Distinguished name of the Active Directory domain. The format of the distinguished name looks like DC=alertlogic,DC=com, rather than a domain name like alertlogic.com.
  • User and password—Credentials of the user account that Alert Logic uses to log into Active Directory. Alert Logic recommends that you set up a dedicated user, rather than use one that is shared by human users or other software integrations.

This connection also requires an Alert Logic IDS appliance. You specify a network where the appliance is located, and Alert Logic chooses the appropriate appliance to connect to the specified hostname or IP address. Choosing the network instead of a specific appliance prevents you from needing to update the connection as appliances are added to or removed from the network. The IDS appliances in the selected network must be able to connect to your Microsoft Active Directory using the TCP port selected, 389 by default. Any routing, network segmentation, cloud security groups, and other network access controls must allow outbound communication from all IDS appliances in the selected network to your Active Directory.

Alert Logic provides the following steps to help you create the connection. For further questions about the steps performed in Microsoft Active Directory, contact Microsoft support, or refer to the vendor documentation listed in the technical reference section.

To create the Microsoft Active Directory connection in the Alert Logic console:

  1. In Connection Name, type a descriptive name for the connection (example: Microsoft Active Directory Connection).
  2. In Host, type the hostname or IP address of the Microsoft Active Directory that you want to connect to.
  3. In Port, leave the default port number 389 for incoming connection requests, or change it if you have a custom configuration.
    If you select the Use TLS check box, Alert Logic ignores the port number specified and uses the TLS port number 636 automatically.
  4. If you want to require SSL with TLS for establishing a connection to Microsoft Active Directory, select the Use TLS check box. If the check box is cleared, Alert Logic verifies SSL certificates for requests it makes to Active Directory but does not use TLS to encrypt the requests.
  5. In Base DN, enter the distinguished name of your Active Directory domain (example: DC=my-ad,DC=mycompany,DC=net).
  6. In User, enter the distinguishedName of the administrative account that Alert Logic uses to log into your Active Directory (example: Alert_Logic_Intelligent_Response).
  7. In User password, enter the password for the specified user.
  8. In Network ID, select the network that contains an Alert Logic IDS appliance that can connect to your Microsoft Active Directory.
  9. Click SAVE.

(Optional) Apply exclusions

If you want to exclude users from the response, in Exclusion List(s), select one or more lists that define the exclusions. You can create exclusion lists from the Exclusions page if necessary, and then come back. For more information, see Exclusions.

After you choose one or more lists, or if you want to skip this step, click NEXT.

Choose when to respond

In the last step, choose whether to request approval before Alert Logic runs the response each time. Alert Logic sends the request by email and the Alert Logic Mobile App. You can request approval from multiple users, such as members of your security team. The first user to answer determines whether the response is approved or rejected. Subsequent users who respond receive a message stating that the inquiry was responded to already.

In this step you also choose the incident analytics that you want to trigger the response. You can respond to incidents generated from all analytics that Alert Logic recommends as triggers, or you can choose specific analytics.

To choose when to respond:

  1. If you do not want to require approval, click Do not require approval.
  2. If you want to require approval, click Send approval request, and then select one or more approval recipients in User(s). You can use the search bar to help you find names and email addresses.
    To improve traceability of approvals, Alert Logic recommends that you choose individuals rather than a distribution list.
  3. If you want to disable users detected in incidents generated from all analytics that Alert Logic recommends as triggers for this response, leave Respond to all recommended analytics selected. An example of a recommended analytic for this response is "Office 365 Security & Compliance Alert: Ransomware Activity for {victim_username}."
  4. If you prefer to choose from a list of all analytics available for this response type, click Choose analytics, and then select one or more analytics to use as triggers for the response.
    To learn more about a specific analytic, you can find it in the Threat Intelligence Center. For more information, see Threat Intelligence Center.

Troubleshooting tips

Here are common errors that can occur when you test the configuration and suggested troubleshooting steps.

Socket Connection Error While Opening: Timed Out

The Alert Logic appliance was unable to connect to your Microsoft Active Directory. Common causes include:

  • The IP address or hostname provided in the connection is incorrect.
  • The port provided in the connection is incorrect.
  • Active Directory services are not running on the host or IP address provided in the connection.
  • Windows Firewall is blocking connections from the Alert Logic appliance.
  • Intermediate firewalls are blocking connections from the Alert Logic appliance.
  • No route exists from the appliance to your Active Directory.

To troubleshoot this error:

  1. In the Create a Simple Response page, click EDIT CONNECTION, ensure the settings are correct, and then click TEST again. For more information, see Create a Microsoft Active Directory connection.
  2. If the connection settings are correct, review the configuration of your firewalls and routing, and then click TEST again.
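The network prerequisites described under Create a Microsoft Active Directory connection (TCP port 389 by default, 636 overriding the typed port when Use TLS is selected, outbound reachability from the IDS appliances) and the causes listed for the "Socket Connection Error While Opening: Timed Out" result are the same checks an administrator can run from a host in the appliance's network before clicking TEST. The following is an added example, not Alert Logic code or part of this page; it uses only the Python standard library, and the host, port and result names are constructed for illustration:

```python
import socket
import ssl

# Ports used by the connection form: plain LDAP on 389, LDAP over TLS on 636.
LDAP_PORT = 389
LDAPS_PORT = 636


def effective_port(port, use_tls):
    """Return the port the connection really uses.

    When "Use TLS" is selected the form ignores the typed port and uses 636.
    """
    return LDAPS_PORT if use_tls else port


def check_reachability(host, port=LDAP_PORT, use_tls=False, timeout=5.0):
    """Pre-flight check for the network part of the TEST step.

    Result strings (constructed for this example) map to the documented
    causes of a timed-out socket connection:
      "dns-failure"  -> hostname in the connection is wrong or unresolvable
      "timed-out"    -> firewall (Windows or intermediate) drops, or no route
      "refused"      -> host reachable but AD/LDAP not listening on that port
      "unreachable"  -> no route from this network to the host
      "tls-failure"  -> port open, but the TLS handshake or certificate failed
      "ok"           -> a TCP (and, if requested, TLS) session was established
    """
    port = effective_port(port, use_tls)
    try:
        addrinfo = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"

    family, socktype, proto, _, sockaddr = addrinfo[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        try:
            sock.connect(sockaddr)
        except socket.timeout:
            return "timed-out"
        except ConnectionRefusedError:
            return "refused"
        except OSError:
            return "unreachable"

        if not use_tls:
            return "ok"

        # Default context verifies the server certificate against the system
        # trust store, so an untrusted domain-controller certificate shows up
        # here rather than at response time.
        ctx = ssl.create_default_context()
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
        except ssl.SSLError:
            return "tls-failure"
    finally:
        sock.close()


if __name__ == "__main__":
    # Constructed host name; replace with the Host value from your connection.
    for tls in (False, True):
        print("use_tls=%s ->" % tls, check_reachability("dc01.example.invalid", 389, use_tls=tls))
```

Run it from a host on the same network segment as the IDS appliances, since that is the path the appliance will use; a result of "ok" without TLS but "tls-failure" with it usually means the domain controller's certificate is not issued by a CA the client trusts, which is worth resolving before relying on the Use TLS option.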

Technical reference

Simple Response Name

Microsoft Active Directory: Disable User

Permissions

This simple response requires a limited-privilege user with the Create, delete, and manage user accounts permission. The specific object access required to enable and disable users is:

  • Write userAccountControl
  • Read userAccountControl
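Both Read and Write on userAccountControl are needed because disabling an account means reading the attribute's current flags and writing it back with the ACCOUNTDISABLE bit (0x0002) set, and re-enabling it after Expiration in Seconds means clearing only that bit so other flags (for example DONT_EXPIRE_PASSWORD) are preserved. The following added example, which is not Alert Logic code and not part of this page, works out what the response would change for one incident, including the exclusion-list check from the Apply Exclusions step; the victim names, list names and flag values are constructed, and the plan dictionary is a hypothetical representation of the LDAP replace operation rather than the product's own format:

```python
# userAccountControl flag bits (Microsoft-documented values).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000


def is_disabled(uac):
    """True when the ACCOUNTDISABLE bit is set in userAccountControl."""
    return bool(uac & ACCOUNTDISABLE)


def disabled_value(uac):
    """userAccountControl with the account disabled; all other flags kept."""
    return uac | ACCOUNTDISABLE


def enabled_value(uac):
    """userAccountControl with only the ACCOUNTDISABLE bit cleared."""
    return uac & ~ACCOUNTDISABLE


def is_excluded(victim, exclusion_lists):
    """Return the name of the first exclusion list containing the victim, else None.

    sAMAccountName comparisons are case-insensitive, so the lists are too.
    """
    key = victim.lower()
    for list_name, members in exclusion_lists.items():
        if key in (m.lower() for m in members):
            return list_name
    return None


def plan_response(victim, current_uac, exclusion_lists, expiration_seconds=0, now=0):
    """Describe the change the disable response would make for one victim.

    current_uac is the value read from the user's userAccountControl (this is
    why Read access is required).  The returned dict is a hypothetical
    description of the replace that would be written (the Write access).
    """
    excluded_by = is_excluded(victim, exclusion_lists)
    if excluded_by is not None:
        return {"action": "skip", "reason": "excluded by list '%s'" % excluded_by}
    if is_disabled(current_uac):
        return {"action": "skip", "reason": "already disabled"}

    plan = {
        "action": "modify",
        "attribute": "userAccountControl",
        "old": current_uac,
        "new": disabled_value(current_uac),
    }
    if expiration_seconds > 0:
        # Expiration > 0 schedules an automatic re-enable; clearing only the
        # disable bit restores exactly the flags the account had before.
        plan["reenable_at"] = now + expiration_seconds
        plan["reenable_value"] = enabled_value(plan["new"])
    return plan


if __name__ == "__main__":
    # Constructed exclusion list and incident victims.
    lists = {"security-team": ["alice", "bob"]}
    print(plan_response("jdoe", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, lists, 3600, now=1000))
    print(plan_response("Alice", NORMAL_ACCOUNT, lists))
```

When auditing the dedicated service account, the two permissions above are exactly what this logic exercises and nothing more; a connection test that fails with an access error on the write is a sign the account was granted read-only rights.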

Vendor documentation

For extensive documentation about configuring and using Microsoft Active Directory, see Identity and Access documentation.

For more information about security of Active Directory itself, see Best Practices for Securing Active Directory.