Configure the Microsoft Active Directory (AD) (Latest) Service
Configure Microsoft on-premises Active Directory (AD) as a service to manage groups, accounts, and credentials, and run other Microsoft Active Directory (AD) (Latest) actions.
Prerequisites
Last updated: June 15, 2022
Ensure you have a Windows user account with the necessary permissions. Either use a user account that is a member of the Domain Admins security group, or delegate to a user account, at the organizational unit (OU) level, the permissions (called administrative tasks) that each action requires:

| Incident Responder action | Required administrative task |
|---|---|
| Get User Information | Read all user information |
| List User's Groups | Read all user information |
| Add User to Group | Modify the membership of a group |
| Remove User From Group | Modify the membership of a group |
| Expire Password | Reset user passwords and force password change at next logon |
| Reset password | Reset user passwords and force password change at next logon |
| Set New Password | Create, delete and manage user accounts |
| Disable user account | Create, delete and manage user accounts |
| Enable user account | Create, delete and manage user accounts |
| Unlock User Account | Create, delete and manage user accounts |
| Set Host Attribute | Write All Properties |
| Change Host's Organizational Unit | Write All Properties |
Create a Custom Administrative Task for the Set Host Attribute or Change Host's Organizational Units Action
For the Set Host Attribute and Change Host's Organizational Units actions, you must also create a custom administrative task that allows your account to rename a computer in a domain.
Right-click the OU containing the user account, then select Delegate Control....
In the Delegation of Control Wizard, click Next >.
Select the user account, then click Next >.
Select Create a custom task to delegate, then click Next >.
Select Only the following objects in the folder, select Computer objects, then click Next >.
Under Show these permissions:, select Property-specific; under Permissions:, select Write All Properties, Validated write to DNS host name, and Validated write to service principal name; then click Next >.
Review the changes you made, then click Finish.
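To confirm that the delegation from the table above and from the custom task took effect before you enter the account in the service settings, the following PowerShell script (an added example, not Exabeam's code) lists the access-control entries the service account holds on the delegated OU and resolves the extended-right and schema GUIDs to readable names such as "Validated write to DNS host name" or "member". It assumes the RSAT ActiveDirectory module is installed and that $Account and $OuDN are placeholders for your own service account and OU.

```powershell
# Added verification script (not part of the Exabeam documentation).
# Lists the ACEs a delegated service account holds on an OU so the delegation
# can be checked against the required administrative tasks.
Import-Module ActiveDirectory

$Account = 'CORP\svc-exabeam-ir'                    # placeholder: your service account
$OuDN    = 'OU=Workstations,DC=corp,DC=example'     # placeholder: the OU you delegated

# Build a GUID -> name map from the extended rights (e.g. validated writes)
# and from the schema (attributes such as 'member', classes such as 'computer').
$rootDse  = Get-ADRootDSE
$guidName = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid, displayName |
    ForEach-Object { $guidName[[guid]$_.rightsGuid] = $_.displayName }
Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(|(objectClass=attributeSchema)(objectClass=classSchema))' `
    -Properties schemaIDGUID, lDAPDisplayName |
    ForEach-Object { $guidName[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

# Read the OU's security descriptor and keep only ACEs for the service account.
$acl = Get-Acl -Path "AD:\$OuDN"
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    ForEach-Object {
        [pscustomobject]@{
            Type        = $_.AccessControlType
            Rights      = $_.ActiveDirectoryRights
            # Empty ObjectType means the ACE covers all properties/rights.
            On          = if ($_.ObjectType -eq [guid]::Empty) { 'All' } else { $guidName[$_.ObjectType] }
            # Empty InheritedObjectType means the ACE applies to every object class.
            AppliesTo   = if ($_.InheritedObjectType -eq [guid]::Empty) { 'All object classes' } else { $guidName[$_.InheritedObjectType] }
            Inheritance = $_.InheritanceType
        }
    } | Format-Table -AutoSize
```

Run it from a domain-joined machine as a user allowed to read the OU's security descriptor; an account intended to hold only the tasks in the table but showing GenericAll, or membership in Domain Admins, is over-privileged for this integration.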
Configure the Service in Exabeam Incident Responder
In the sidebar, click SETTINGS, then select Core.
Under SERVICE INTEGRATIONS, select Services.
Select a service:
To configure a specific service, hover over a service, then click CONFIGURE. Use the search by vendor or filter by action to find a service.
To manually provide the relevant information for a service, click Configure a new service.
To view all actions for a service, hover over a service, then click the information icon.
Enter information about the service:
Service Name – Enter a unique name for the service. By default, the service name is Active Directory Latest.
(Optional) Description – Describe the service.
(Optional) Owner – Enter the email address of the person or group responsible for the service.
Host – Enter the IP address or hostname of your Microsoft Azure AD endpoint.
Username – Enter the username of your Microsoft account.
Password – Enter the password to your Microsoft account.
Domain (One per line) – Enter the domains of the domain controllers running Microsoft Azure AD. Enter one domain per line.
TCP port – Enter the TCP port number you use to connect to your Microsoft Azure AD endpoint.
To validate the source, select TEST CONNECTIVITY.
Select CREATE SERVICE.