Active Directory (LDAP)

Active Directory LDAP

Active Directory LDAP is a Directory Data Source integration. Data Source integrations are used during investigations to improve analysis and in interactive chat to help answer questions. They are optional, but enabling more tooling integrations enhances Dropzone analysis.

The Dropzone platform supports Active Directory (LDAP) to look up organizational information such as users, job titles, and devices.

Active Directory does require that you've enabled the Dropzone Connector.

Integration Overview

To enable these integrations you will perform the following actions:

Create a read-only service account
Grant the service account read access to users and computers
Determine your LDAP Base DN (Distinguished Name)
Install the credentials into your Dropzone tenant

Create a Read Only Service Account

Dropzone will use an AD service account for authenticating to your AD LDAP. To create a Read Only Service Account, do the following:

Open "Active Directory Users and Computers"

Right click on the container of your choice, such as "Users", and click New > User

Give it a first/last/full name
Give it a User Logon Name, such as svc-dropzone@

Record this User Logon Name for use later in the Dropzone UI where it is called "User"
Click Next
Provide a strong password and record it for use later in the Dropzone UI where it is called "Password"
Uncheck "User must change password at next login"

If you have a corporate-wide password rotation policy you should either disable it for this user, or you will want to change the password periodically in AD and update the Dropzone integration with the new password to stay within your organizational policy

Click "Next"
Click "Finish"

Apply Active Directory Permissions to the Service Account

Next, we will grant permissions to the service account. Most customers will apply this at the top of the forest so Dropzone has the most visibility into users/devices/etc, but you may pick a lower level if you wish to limit the scope.

Open "Active Directory Users and Computers"
Click "View" from the menu bar, and make sure "Advanced Features" is selected
Right click the top of your forest and select "Properties"
Select the "Security" tab and click "Add"
Type the name of the service account you created (e.g. svc-dropzone@) and click OK to search

Highlight the service account and click "Advanced"

In the "Permissions" tab, select the service account again and click "edit"

Set read for users
- Set the "Applies to" dropdown to "Descendant User Objects" so the service account can see all objects in the hierarchy
- In the Permissions section, make sure "Read All Properties" is checked
- In the Properties section, make sure "Read All Properties" is checked (this is further down the page)

Set read for devices
- Set the "Applies to" dropdown to "Descendant Computer Objects" so the service account can see all objects in the hierarchy
- In the Permissions section, make sure "Read All Properties" is checked
- In the Properties section, make sure "Read All Properties" is checked (this is further down the page)
Click the "OK" button to save

Note that device querying via LDAP is not yet supported in Dropzone AI

Determine The Service Account User Name

In Active Directory Users and Computers, find the service account just created
Right click on it and select Properties

Click "Attribute Editor" in the tabs at the top
Scroll down to the "distinguishedName" field

Double click it to pop it out
Record the full value of the distinguishedName field for use later in the Dropzone UI where it is called "Distinguished Name"

Determine your LDAP Base DN (Distinguished Name)

Your Base DN typically is based on your domain name, with DC= between each of the domain component. For example if your domain is example.com then the Base DN is likely DC=example,DC=com.

If you do not already know your Base DN, you can find it as follows: