Tenable Identity Exposure works as a non-intrusive solution that monitors an Active Directory infrastructure without deploying agents and with minimal configuration changes to your environment.
Tenable Identity Exposure uses a regular user account with no administrative permissions to connect to standard APIs for its security monitoring feature.
Tenable Identity Exposure uses the Active Directory replication mechanisms to retrieve the relevant information, which incurs only limited bandwidth costs between each domain’s PDC and Tenable Identity Exposure’s Directory Listener.
To detect security incidents efficiently using Indicators of Attack, Tenable Identity Exposure uses Event Tracing for Windows (ETW) information together with the replication mechanisms available on each Domain Controller. To collect this information, you deploy a dedicated Group Policy Object (GPO) using a script from Tenable Identity Exposure, as described in Install Indicators of Attack.
This GPO activates an event log listener, based on the Windows EvtSubscribe APIs, on all domain controllers. The listener writes to the system volume (SYSVOL) so that it benefits from the AD replication engine and from Tenable Identity Exposure's ability to listen for SYSVOL events. The GPO creates one file in SYSVOL per domain controller and flushes its contents periodically.
To initiate security monitoring, Tenable Identity Exposure must contact standard directory APIs from Microsoft.
Domain Controller
Tenable Identity Exposure only requires communication with the Primary Domain Controller emulator (PDCe) using the network protocols described in the Network Flow Matrix.
In the case of multiple monitored domains or forests, Tenable Identity Exposure must reach each domain's PDCe.
For best performance, Tenable recommends that you host Tenable Identity Exposure on a physical network close to the PDCe it monitors.
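Because the product only needs to reach each domain's PDCe, the first pre-flight check on the host that will run Tenable Identity Exposure is to find that role holder in every domain and confirm the network path to it. The following PowerShell is an added example written for this page, not a script shipped by Tenable. It assumes a domain-joined Windows host with the ActiveDirectory RSAT module installed, and it tests only LDAP (TCP 389) and LDAPS (TCP 636) as illustrative ports; the authoritative port list is the Network Flow Matrix.

```powershell
# Added example (not Tenable's code): locate the PDC emulator of every domain in the
# current forest and test TCP reachability from this host.
# Assumptions: ActiveDirectory RSAT module available; the ports below are illustrative
# only (the Network Flow Matrix is the reference for the real list).
Import-Module ActiveDirectory

$portsToTest = 389, 636   # assumption: LDAP and LDAPS; replace with the Network Flow Matrix ports

foreach ($domainName in (Get-ADForest).Domains) {
    # The PDCEmulator property holds the FQDN of the domain's current PDCe role holder.
    $pdce = (Get-ADDomain -Identity $domainName).PDCEmulator
    Write-Host "Domain $domainName -> PDCe $pdce"

    foreach ($port in $portsToTest) {
        $probe = Test-NetConnection -ComputerName $pdce -Port $port -WarningAction SilentlyContinue
        $state = if ($probe.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        Write-Host ("  TCP {0,-4} {1}" -f $port, $state)
    }
}
```

Run this from the machine (or network segment) where the Directory Listener will live, so that the result reflects the firewall rules that will actually apply. For a second forest, call `Get-ADForest -Identity <forest FQDN> -Credential <cred>` and loop over its `Domains` in the same way; the PDCe can move when the FSMO role is transferred, so re-run the check after any role transfer.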
User Account
Tenable Identity Exposure authenticates to the monitored infrastructure using a non-administrator user account to access the replication flow.
A standard, non-privileged Tenable Identity Exposure user account is sufficient to access all collected data. Tenable Identity Exposure does not access secret attributes such as credentials, password hashes, or Kerberos keys.
Tenable recommends that you create a service account that is a member of the group “Domain Users” as follows:
- The service account is on the main monitored domain.
- The service account is in any Organizational Unit (OU), preferably where you create other security service accounts.
- The service account has standard user group membership (such as member of the Domain Users AD default group).
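The three requirements above translate into a short provisioning script plus a membership check. The PowerShell below is an added example for this page, not Tenable's own script; the OU path, account name and description are placeholders you replace with your own. It creates the account in the current (main monitored) domain, relies on Domain Users being the default primary group of a new user, and then verifies that no privileged group contains the account, directly or through nesting, so that the least-privilege assumption of the monitoring design actually holds.

```powershell
# Added example (not Tenable's code): create the non-administrative service account
# described above and verify that it holds only standard user group membership.
# Assumptions: run as a user allowed to create accounts in the target OU; the OU,
# account name and description below are placeholders.
Import-Module ActiveDirectory

$domain      = Get-ADDomain                                                  # main monitored domain
$ouPath      = "OU=Security Service Accounts,$($domain.DistinguishedName)"   # assumed OU
$accountName = 'svc-tie-monitor'                                             # assumed name
$password    = Read-Host -AsSecureString -Prompt "Password for $accountName"

# A new user gets Domain Users as its primary group; no extra Add-ADGroupMember is needed.
New-ADUser -Name $accountName -SamAccountName $accountName `
    -UserPrincipalName "$accountName@$($domain.DNSRoot)" `
    -Path $ouPath -AccountPassword $password -Enabled $true `
    -Description 'Tenable Identity Exposure read-only monitoring (assumed description)'

# Verification: resolve the primary group and every transitive group membership.
$user = Get-ADUser -Identity $accountName -Properties primaryGroupID, adminCount

# Primary group membership is not stored in 'member', so rebuild its SID from the RID.
$primaryGroup = Get-ADGroup -Identity "$($domain.DomainSID)-$($user.primaryGroupID)"

# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) expands nested membership server-side.
$nestedGroups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
                Select-Object -ExpandProperty Name

$allGroups = @($primaryGroup.Name) + @($nestedGroups)

# Groups that would make the account far more powerful than the monitoring design requires.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'

$unexpected = $allGroups | Where-Object { $privileged -contains $_ }

if ($unexpected -or $user.adminCount -eq 1) {
    Write-Warning "$accountName is over-privileged: $($unexpected -join ', ') (adminCount=$($user.adminCount))"
} else {
    Write-Host "OK: $accountName is a member of: $($allGroups -join ', ')"
}
```

Re-run the verification part periodically (or feed it to your change-control process): the account is safe only as long as nobody later adds it to an operator or admin group, and `adminCount=1` on a plain service account is an early sign that this has happened.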