Background
This article covers how CyberQP's Privileged Account Auditing feature works and how to configure email alert recipients for key Active Directory privileged account events.
Prerequisites
- The CyberQP agent must be installed on an Active Directory server for each customer you manage in CyberQP.
Privileged Security Groups
CyberQP monitors Active Directory accounts that are members of the following privileged security groups. New account detections, account disables, and account deletions for accounts in these groups trigger email alerts.
| No. | Group Name |
|---|---|
| 1 | Allowed RODC Password Replication Group |
| 2 | Cert Publishers |
| 3 | Cloneable Domain Controllers |
| 4 | DNSAdmins |
| 5 | DNSUpdateProxy |
| 6 | Domain Admins |
| 7 | Enterprise Admins |
| 8 | Enterprise Key Admins |
| 9 | Group Policy Creator Owners |
| 10 | Protected Users |
| 11 | Schema Admins |
| 12 | Access Control Assistance Operators |
| 13 | Account Operators |
| 14 | Administrators |
| 15 | Backup Operators |
| 16 | Certificate Service DCOM Access |
| 17 | Cryptographic Operators |
| 18 | Distributed COM Users |
| 19 | Event Log Readers |
| 20 | Hyper-V Administrators |
| 21 | Incoming Forest Trust Builders |
| 22 | Network Configuration Operators |
| 23 | Print Operators |
| 24 | RDS Endpoint Servers |
| 25 | RDS Management Servers |
| 26 | RDS Remote Access Servers |
| 27 | Remote Management Users |
| 28 | Replicator |
| 29 | Server Operators |
| 30 | Storage Replica Administrators |
| 31 | Terminal Server License Servers |
| 32 | Windows Authorization Access Group |
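A defender who wants an independent check of the same event set (new, disabled and deleted members of the groups in the table above) can snapshot group membership on a schedule and diff it against the previous run. The PowerShell below is an added example, not CyberQP's agent code; it assumes the ActiveDirectory RSAT module, a domain-joined host with read access to AD, and a snapshot location (`$SnapshotPath`) chosen here for illustration.

```powershell
# Added example (not CyberQP's code): snapshot the members of the privileged groups
# listed above and report accounts that are new, newly disabled, removed, or deleted
# since the previous snapshot. Assumes the ActiveDirectory RSAT module and a
# domain-joined host; $SnapshotPath is an assumed location, not a CyberQP path.
Import-Module ActiveDirectory

$SnapshotPath = 'C:\ProgramData\PrivAudit\baseline.xml'   # assumed location

$PrivilegedGroups = @(
    'Allowed RODC Password Replication Group', 'Cert Publishers', 'Cloneable Domain Controllers',
    'DNSAdmins', 'DNSUpdateProxy', 'Domain Admins', 'Enterprise Admins', 'Enterprise Key Admins',
    'Group Policy Creator Owners', 'Protected Users', 'Schema Admins',
    'Access Control Assistance Operators', 'Account Operators', 'Administrators', 'Backup Operators',
    'Certificate Service DCOM Access', 'Cryptographic Operators', 'Distributed COM Users',
    'Event Log Readers', 'Hyper-V Administrators', 'Incoming Forest Trust Builders',
    'Network Configuration Operators', 'Print Operators', 'RDS Endpoint Servers',
    'RDS Management Servers', 'RDS Remote Access Servers', 'Remote Management Users', 'Replicator',
    'Server Operators', 'Storage Replica Administrators', 'Terminal Server License Servers',
    'Windows Authorization Access Group'
)

function Get-PrivilegedAccountSnapshot {
    # Returns a hashtable keyed by SID: @{ Sam; Enabled; Groups }
    $snap = @{}
    foreach ($g in $PrivilegedGroups) {
        # Some groups exist only in certain forests or roles; skip any that do not resolve.
        # -Recursive expands nested groups so indirect members are counted too.
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            $u   = Get-ADUser -Identity $m.SID -Properties Enabled
            $sid = $u.SID.Value
            if (-not $snap.ContainsKey($sid)) {
                $snap[$sid] = @{ Sam = $u.SamAccountName; Enabled = [bool]$u.Enabled; Groups = @() }
            }
            $snap[$sid].Groups += $g
        }
    }
    return $snap
}

function Compare-PrivilegedAccountSnapshot {
    param([hashtable]$Previous, [hashtable]$Current)
    $events = @()
    foreach ($sid in $Current.Keys) {
        $cur = $Current[$sid]
        if (-not $Previous.ContainsKey($sid)) {
            $events += "NEW: $($cur.Sam) is now a member of $($cur.Groups -join ', ')"
        } elseif ($Previous[$sid].Enabled -and -not $cur.Enabled) {
            $events += "DISABLED: $($cur.Sam)"
        }
    }
    foreach ($sid in $Previous.Keys) {
        if ($Current.ContainsKey($sid)) { continue }
        # Gone from every listed group: tell a deleted object apart from a plain membership removal.
        $still = Get-ADUser -Filter "SID -eq '$sid'" -ErrorAction SilentlyContinue
        if ($still) { $events += "REMOVED: $($Previous[$sid].Sam) left $($Previous[$sid].Groups -join ', ')" }
        else        { $events += "DELETED: $($Previous[$sid].Sam)" }
    }
    return ,$events
}

$current = Get-PrivilegedAccountSnapshot
New-Item -ItemType Directory -Force -Path (Split-Path $SnapshotPath) | Out-Null

if (-not (Test-Path $SnapshotPath)) {
    # First run: record the baseline and report nothing, so existing members are not flagged as new.
    Export-Clixml -Path $SnapshotPath -InputObject $current
    "Baseline written with $($current.Count) privileged accounts."
} else {
    $previous = Import-Clixml $SnapshotPath      # Clixml round-trips the nested hashtables intact
    $events   = Compare-PrivilegedAccountSnapshot -Previous $previous -Current $current
    Export-Clixml -Path $SnapshotPath -InputObject $current
    if ($events.Count -eq 0) { 'No privileged account changes since the last snapshot.' }
    else { $events }                              # feed into your mail or ticketing integration
}
```

Run it from a scheduled task on a domain member with the same cadence you expect alerts at (the article's summary email is hourly). Because the diff is keyed on SID rather than account name, a rename does not produce a false "new account" event, while an account deleted and recreated with the same name does.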
Alerted Actions
Alerts are batched and sent hourly. A single summary email is delivered at the top of each hour covering all alert types recorded in the previous hour. The table below shows which events are tracked per source and import status.
| Source | Currently Imported to CyberQP | Not Yet Imported to CyberQP |
|---|---|---|
| AD | New Account Detected: N/A; Account Disabled: Yes; Account Deleted: Yes | New Account Detected: Yes; Account Disabled: No; Account Deleted: No |
| Local | New Account Detected: N/A; Account Disabled: Yes; Account Deleted: No | New Account Detected: No; Account Disabled: No; Account Deleted: No |
| M365 | New Account Detected: No; Account Disabled: No; Account Deleted: No | New Account Detected: No; Account Disabled: No; Account Deleted: No |
The following are examples of each alert type in the summary email.
[Image: summary email heading]
[Image: new privileged account email alert]
[Image: privileged account deleted email alert]
[Image: privileged account disabled email alert]
Configure Alerts
1. Log in to the CyberQP dashboard at https://admin.getquickpass.com.
2. Click Alerts in the left-side navigation.
   [Image: alerts menu in left navigation]
3. Click Add Email to Notify in the top right of the screen.
   [Image: add email to notify button in top right]
4. Enter a valid email address and click Save.
   [Image: email address field with save button]
   NOTE: You can add up to 10 email addresses.
   The email address appears at the bottom of the Alerts menu.
   [Image: added email listed at bottom of alerts menu]
5. Enable the toggle next to Privileged Account Auditing.
   [Image: privileged account auditing toggle enabled]
   NOTE: This setting applies to all customers with Active Directory agents installed.