Install Indicators of Attack

Required User Role: Organizational user with permission to modify the Indicators of Attack configuration in Tenable Identity Exposure. For more information, see Set Permissions for a Role.

Tenable Identity Exposure's Indicators of Attack (IoA) module requires you to run a PowerShell installation script with an administrative account that can create and link a new Group Policy Object (GPO) to an organizational unit (OU). You can run this script from any machine joined to your Active Directory domain that Tenable Identity Exposure monitors and that can reach domain controllers via the network.

Note: The recommended version of PowerShell is 5.1.

You only have to execute this installation script once for each AD domain, since the GPO created automatically deploys the event listener to all existing and new domain controllers (DCs).

Moreover, "Automatic Updates" is a feature that allows you to automatically enable or disable an existing IoAs without having to manually re-deploy it. Note that this feature does not automatically update the IoA content itself. To get the latest version of an IoA, you must still re-deploy it.

  1. In Tenable Identity Exposure, click System on the left menu bar and the Configuration tab.

    The Configuration pane appears.

  2. Click Indicators of Attack.

    The IoA configuration pane appears.

  3. In (1) Domains Configuration, click See Procedure.

    A procedure window opens.

  4. Under Future automatic updates?:

    • The default option Enable allows Tenable Identity Exposure to update automatically your IoA configuration whenever you modify it in Tenable Identity Exposure in the future. This also ensures continuous security analysis.

    • If you turn off this option, a message asks you to turn it on to get automatic future updates. Click See procedure and toggle to Enable.

  1. Click Download to download the script to run for each domain (Register-TenableIOA.ps1).

  2. Click Download to download the configuration file for the domains (TadIoaConfig-AllDomains.json).

  1. Click to copy the Powershell command to configure your domains.

  1. Click outside the procedure window to close it.

  1. Open a PowerShell terminal with administrative rights and run the commands to configure your domain controllers for IoAs.

    Note: The service account you use to install IoAs and to query the domains must have write permissions in Tenable Identity Exposure (formerly known as Tenable.ad) GPO folder. The installation script adds this permission automatically. If you remove this permission, Tenable Identity Exposure shows an error message and automatic updates no longer work. For more information, see Indicators of Attack Installation Script.

  1. In (2) Event Collection Configuration, click Open Configuration.

    A configuration window appears.

  1. Under Search delay, move the slider to select the duration of event collection before triggering a security analysis.

  2. Under Sharing technology, click the drop-down arrow to select one of the following:

    • Dedicated SMB shareTenable Identity Exposure creates the SMB share on your Principal Domain Controller Emulator (PDCe), and all Domain Controllers write directly to this SMB share. For prerequisites to use this mode, see Indicators of Attack Deployment.

    • Built-in SYSVOL share — Event logs files stored on the SYSVOL share will be available across all Domain Controllers as part of the DFSR mechanism.

      Note: After installation of the IoA module, you can switch between SMB and SYSVOL modes at any time, provided you observe the prerequisites for SMB mode as indicated in Indicators of Attack Deployment.

      Note: Two domain health checks help you assess the status of the IoA modules. For more information, see Health Checks.

  1. Click Save configuration.

  1. In the IoA configuration pane, under IoA Setup, select the IoAs you want in your configuration.

    Tip: The Zerologon Exploitation Indicator of Attack (IoA) dates from 2020. If all of your domain controllers (DCs) received updates within the past three years, they are protected from this vulnerability. To determine the required patches for securing your DCs against this vulnerability, consult the information in Netlogon Elevation of Privilege Vulnerability from Microsoft. Once you've confirmed your DCs' security, you can safely deactivate this IoA to avoid unnecessary alerts.

  2. Click Save.

    • If you enabled Future automatic updates, Tenable Identity Exposure saves and automatically updates your new configuration. Allow a few minutes for this update to take effect.

    • If you did not enable Future automatic updates, a procedure window appears to guide you To configure domains for IoAs:

  1. In Group Policy Management, check that the new Tenable Identity Exposure GPO exists and it links to the Domain Controllers OU:

  2. Go to the path C:\Windows\SYSVOL\sysvol\alsid.corp\Policies\{GUID}\Machine\IOA and check that the .gz file exists for all domain controllers before you test the IoAs:

  1. In the file manager, go to \\<DNS-NAME>\sysvol\<DNS-NAME>\Policies\{<GPO-ID>}\Machine\.

  1. Right-click on the TenableADEventsListenerConfiguration.json file and select Properties.

  2. Select the Security tab and click Advanced.

  3. Click the Effective Access tab.

  4. Click Select a user.

  5. Type <TENABLE-SERVICE-ACCOUNT-NAME> and click OK.

  6. Click on View effective access.

  7. Check that the "Write" permission is active for the Tenable service account.

Alternately, you can use PowerShell:

  • Run the following commands:

Copy 
Install-Module -Name NTFSSecurity -RequiredVersion 4.2.3
Copy 
Get-NTFSEffectiveAccess -Path \\<DNS-NAME>\sysvol\<DNS-NAME>\Policies\{<GPO-ID>}\IOA\ -Account <TENABLE-SERVICE-ACCOUNT-NAME>

To avoid false positive attacks or lack of detection of legitimate attacks, you must calibrate your IoAs according to your environment by adapting them to the size of your Active Directory, whitelisting known tools, etc.

  1. See the Tenable Identity Exposure Indicators of Attack Reference Guide for information about the options and recommended values to select.

  2. In the security profile, apply the options and values to each IoA as described in Customize an Indicator.

The following error messages can appear during the deployment:

Message Remediation
"Tenable Identity Exposure cannot write to the configuration file because the target folder <targetFolder> does not exist. This indicates that the IoA module deployment may have failed." Uninstall the script and click "See procedure" for instructions to re-install the script.
"Tenable Identity Exposure could not write to the configuration file located on <targetFile> to update it. This can be due to another process locking the file or permission changes."

  • Ensure that no other process besides the IoA module is using the configuration file.

  • Check that the service account has permission to modify the file contents.

  • If you do not want to grant permission to the service account, disable the "Automatic Updates" toggle and click "See Procedure" for instructions on how to do a manual update whenever you modify your IoA configuration.
"The target folder <targetFolder> contains a version of Tenable Identity Exposure that cannot run automatic updates." The currently installed script is an old version using WMI. Uninstall the current version, download a new installation script, and run this script.
"The configuration file deployment ran into an unexpected error." Uninstall the script and click "See procedure" for instructions to re-install the script. If this does not work, contact your customer support representative.

For more information, see: