Description
We are introducing an update to the fields that privmon (Privileged User Monitoring) uses to match privileged user groups for the Active Directory integration sync.
Previously these were matched on the field "user.group.name" against the string values "Domain Admins" and "Enterprise Admins".
Now they are matched on the integration-derived field "entityanalytics_ad.user.privileged.group_member", which is set when the user belongs to any well-known privileged Active Directory group. Membership is identified by the relative identifier (RID) at the end of the group SID rather than by the group name: domain groups carry the RID under the domain SID (S-1-5-21-<domain>-<RID>) and the BUILTIN groups (544, 548, 549, 551) under S-1-5-32-<RID>. The RIDs covered are:
512: Domain Admins
516: Domain Controllers
518: Schema Admins
519: Enterprise Admins
520: Group Policy Creator Owners
525: Protected Users
526: Key Admins
527: Enterprise Key Admins
544: BUILTIN\Administrators
548: Account Operators
549: Server Operators
551: Backup Operators
This update applies automatically to new customers using Privileged User Monitoring; existing customers only receive it after a migration (see Feature differences below).
When: This should update for 9.3 and 9.2 @jaredburgettelastic
Why:
To support localized (non-English) group names in the Active Directory integration sync, since a name-based matcher misses groups such as "Domänen-Admins", and to extend privileged-user coverage to all appropriate groups within Active Directory.
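The following is an added illustration of the difference between the two matching strategies described above; it is not the integration's privileged_group_member script or any other Elastic code. It assumes group SIDs in the standard S-1-5-21-<domain>-<RID> and S-1-5-32-<RID> forms and uses constructed user records, including a German-localized domain admin, to show what the old name-based matcher misses and the RID-based one catches.

```python
import re

# Well-known RIDs from the issue, split by SID authority. Domain groups hang
# off S-1-5-21-<domain>-<RID>; the BUILTIN groups off S-1-5-32-<RID>.
DOMAIN_RIDS = {
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
    525: "Protected Users",
    526: "Key Admins",
    527: "Enterprise Key Admins",
}
BUILTIN_RIDS = {
    544: "Administrators",
    548: "Account Operators",
    549: "Server Operators",
    551: "Backup Operators",
}

# The previous, name-based matcher described in the issue.
LEGACY_NAMES = {"Domain Admins", "Enterprise Admins"}

# Group 1: authority (domain SID or "32" for BUILTIN); group 2: the RID.
_SID_RE = re.compile(r"^S-1-5-(21-\d+-\d+-\d+|32)-(\d+)$")


def well_known_group(sid: str):
    """Return the privileged group name for a group SID, or None.

    A BUILTIN RID under a domain authority (or vice versa) is deliberately
    not matched, so a crafted S-1-5-21-...-544 does not count as Administrators.
    """
    m = _SID_RE.match(sid)
    if not m:
        return None
    rid = int(m.group(2))
    table = BUILTIN_RIDS if m.group(1) == "32" else DOMAIN_RIDS
    return table.get(rid)


def privileged_groups(group_sids):
    """Sorted list of well-known privileged groups among the given group SIDs."""
    return sorted({g for g in map(well_known_group, group_sids) if g})


def is_privileged_by_sid(group_sids) -> bool:
    """New behaviour: any well-known privileged RID marks the user privileged."""
    return bool(privileged_groups(group_sids))


def is_privileged_by_name(group_names) -> bool:
    """Old behaviour: exact English name match on user.group.name."""
    return any(name in LEGACY_NAMES for name in group_names)


# Constructed sample records (hypothetical domain SID S-1-5-21-1-2-3).
DOM = "S-1-5-21-1-2-3"
SAMPLE_USERS = [
    {"user": "alice (en-US)",
     "group_names": ["Domain Admins", "Domain Users"],
     "group_sids": [f"{DOM}-512", f"{DOM}-513"]},
    {"user": "bernd (de-DE)",
     "group_names": ["Domänen-Admins", "Domänen-Benutzer"],
     "group_sids": [f"{DOM}-512", f"{DOM}-513"]},
    {"user": "carol",
     "group_names": ["Backup Operators", "Domain Users"],
     "group_sids": ["S-1-5-32-551", f"{DOM}-513"]},
    {"user": "dave",
     "group_names": ["Domain Users", "Helpdesk"],
     "group_sids": [f"{DOM}-513", f"{DOM}-1105"]},
]


def compare(users):
    """Map each user to the verdict of both matchers and the groups the new one found."""
    return {
        u["user"]: {
            "legacy": is_privileged_by_name(u["group_names"]),
            "by_sid": is_privileged_by_sid(u["group_sids"]),
            "groups": privileged_groups(u["group_sids"]),
        }
        for u in users
    }


if __name__ == "__main__":
    for user, verdict in compare(SAMPLE_USERS).items():
        print(f"{user:16} legacy={verdict['legacy']!s:5} by_sid={verdict['by_sid']!s:5} {verdict['groups']}")
```

Only alice is caught by both matchers; bernd (localized name) and carol (Backup Operators, a BUILTIN group) are caught solely by the RID-based check, and dave, whose custom group has an ordinary RID above 1000, is privileged under neither.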
Resources
PR
Issue
Entity Analytics AD Integrations privileged_group_member script
Active Directory well-known SIDs resource
Which documentation set does this change impact?
Unknown
Feature differences
- Works for all new customers.
- Existing customers will not get the update unless they perform a migration.
- Here a migration means adding or removing one of the integration data sources. This overwrites all attributes of that saved object, including custom matchers, so any custom matchers need to be re-created after the migration.
What release is this request related to?
N/A
Serverless release
undefined
Collaboration model
The documentation team
Point of contact.
Main contact: @CAWilson94
Stakeholders: @jaredburgettelastic [email protected]