Overview

In this page find an explanation on integrating your Active Directory Users data source to Hunters. This table holds information about domain users and their properties, including person-related information.

Note: This data source is used in the Hunters Pipeline mainly to correlate various entities (username, email, AWS User ARN, etc.) to a related person entity, which gives context for security-related events and allows correlating signals from different attack surfaces.

Hence, this data source is crucial for effective correlation of some data types, especially if data from other IAM technologies (e.g., Okta or OneLogin) is not ingested.

Getting the data

In order to retrieve the data in the expected format, execute the following PowerShell commands on one of the Domain Controllers in your network:

# Load the Active Directory cmdlets (available natively on a Domain Controller)
Import-Module ActiveDirectory
# Export every user object with all of its attributes; replace <FILE_PATH> with the output CSV path
Get-ADUser -Filter * -Properties * | Export-Csv <FILE_PATH>

If your organization has multiple Active Directory Domains, you will need to perform this process for each Domain. Also note that, for a better integration, it is recommended to create a periodic scheduled task (e.g. once a day) that executes the command above and ships the resulting files to Hunters.

Expected Format

  1. The output file should be passed as is, without modifications, to a Storage Service (e.g. an S3 bucket or Azure Blob Storage) shared with Hunters.

  2. The file should be placed under a dedicated prefix inside the shared bucket (e.g. s3://<BUCKET_NAME>/active_directory_users/).

  3. The time fields within the file (Created, Modified, etc.) should all be in the following format: %Y-%m-%dT%H:%M:%S in UTC time. This can be achieved by using the ToUniversalTime function with this format (e.g. @{Name='Created';Expression={$_.Created.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss")}}).

  4. The file name should start with the execution time (snapshot time), in the following format: %Y%m%dT%H%M%S (e.g. 20210502T120000_ad_users.csv).
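The following script ties the steps above together: it exports all user objects with every attribute, rewrites the time-valued fields to the required UTC format, and names the file after the snapshot time so it can be dropped under the shared prefix. This is an added example, not a script published by Hunters; the staging folder $OutputDir, the helper Format-UtcTimestamp and the list of time fields are assumptions, and the commented-out upload line assumes the AWS Tools for PowerShell module is installed.

```powershell
# Added example (not part of the Hunters documentation). Run on a Domain Controller
# as an account allowed to read user objects.
Import-Module ActiveDirectory

$OutputDir = 'C:\HuntersExport'   # hypothetical local staging folder
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

# Snapshot time in UTC, formatted as %Y%m%dT%H%M%S, becomes the file name prefix
$Snapshot = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmss')
$FilePath = Join-Path $OutputDir ("{0}_ad_users.csv" -f $Snapshot)

# Hypothetical helper: converts a DateTime value to %Y-%m-%dT%H:%M:%S in UTC
function Format-UtcTimestamp {
    param([AllowNull()]$Value)
    if ($null -eq $Value) { return $null }
    return ([DateTime]$Value).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss')
}

# Assumed set of time-valued attributes to normalise; extend as needed
$TimeFields = @('Created', 'Modified', 'whenCreated', 'whenChanged',
                'LastLogonDate', 'PasswordLastSet', 'AccountExpirationDate')

Get-ADUser -Filter * -Properties * |
    ForEach-Object {
        # Select-Object * yields a plain object whose properties can be rewritten,
        # so all other attributes are passed through untouched
        $row = $_ | Select-Object -Property *
        foreach ($field in $TimeFields) {
            if ($null -ne $row.$field -and $row.$field -ne '') {
                $row.$field = Format-UtcTimestamp $row.$field
            }
        }
        $row
    } |
    Export-Csv -Path $FilePath -NoTypeInformation -Encoding UTF8

Write-Host "Wrote snapshot to $FilePath"

# Shipping step (assumption: AWS Tools for PowerShell installed and credentials configured):
# Write-S3Object -BucketName '<BUCKET_NAME>' -Key "active_directory_users/$(Split-Path $FilePath -Leaf)" -File $FilePath
```

Because the file name carries the snapshot time and the time fields are already normalised to UTC, the same script can be registered as a daily scheduled task in each Domain and the resulting files uploaded without any further transformation. Users that lack an attribute (for example a never-used LastLogonDate) are left with an empty cell rather than causing the export to fail.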