Install Indicators of Attack

Tenable.ad's Indicators of Attack (IoA) module requires you to run a Powershell installation script with an administrative account having the ability to create and link a new Group Policy Object (GPO) to an organizational unit (OU).

You can run this script from any machine joined to your Active Directory domain that Tenable.ad monitors and that can reach domain controllers via the network.

You only have to run this installation script once in each AD domain: through the GPO, it will automatically apply to all existing and new domain controllers (DC).

To activate this module, the installation script carries out the following tasks:

  • Creation of a GPO that configures the PowerShell Event Tracing for Windows (ETW) script, which runs on each domain controller (DC) to extract ETW information.

  • Installation of a Windows Management Instrumentation (WMI) filter to restart the PowerShell script at boot.

Before you begin

  • Review the limitations and potential impacts of installing IoAs, as described in Technical Changes and Potential Impact.

  • Check that the DC has the PowerShell modules for ActiveDirectory and GroupPolicy installed and available.

  • Check that the DC has the Distributed File System Tools feature RSAT-DFS-Mgmt-Con enabled so that the deployment script can check for replication status because it cannot create a GPO while the DC is replicating.

  • Tenable.ad recommends that you install/upgrade IoAs during off-peak hours to limit disruptions to your platform.

For more information, see: