What is Account Lockdown?
Account Lockdown is a new feature that will give Detect users the ability to temporarily disable network accounts during a security investigation. Account Lockdown enables enforcement action by disabling Active Directory accounts. It can run in an automated or manual mode. In the automated mode, action is taken once the privilege, threat and certainty score thresholds have been passed.
Why is disabling a network account necessary during a security investigation?
Disabling a network account prevents an attack from progressing further along the kill chain. It prevents the malicious user from logging into any additional systems, potentially limiting the blast radius of an ongoing attack.
How does Account Lockdown work?
Account Lockdown requires Cognito Detect to be integrated with your Active Directory (AD) server. When an Account Lockdown is instantiated, Detect will notify the AD to disable the account.
Please note that this is different from an Active Directory account lockout, which can only be invoked by a domain controller.
How does an Account get locked down?
There are two main ways to utilize Account Lockdown:
- Manually, where an account is locked by a Detect user.
- Automatically, where Detect can be configured to automatically lock accounts based on configured Observed Privilege, Threat and Certainty score thresholds.
How do I manually lock down an account?
All accounts will have a new Account Lockdown widget in the sidebar of individual account pages. From here you can enable or disable Lockdown. Accounts can be manually locked from 1 hour up to 24 hours, in pre-configured time ranges. To lock down an account, simply click the Disable Account button and select a pre-configured time range from the dropdown. The account will automatically be re-enabled once the selected time range has expired. Please note that enabling or disabling manual lockdown on an account will require the Detect user to have the Edit Account Lockdown RBAC permission enabled.
How do I automatically lock down accounts?
In Detect, navigate to Settings → External Connectors → Active Directory & Lockdown. From here you can enable the Account Lockdown feature itself, along with Automatic Lockdown and its required thresholds. Once you have enabled Automatic Lockdown, you will have the option to configure the automatic lockdown period, which can range from 1 hour up to 24 hours, in pre-configured time ranges, and set the Observed Privilege, Threat and Certainty score thresholds. After automatic Lockdown has been enabled, anytime an account's scores exceed the Observed Privilege, Threat and Certainty thresholds, the account will be disabled in Active Directory for the configured time range. Please note that viewing and configuring the automatic Lockdown settings will require the Detect user to have the Edit Settings-Active Directory RBAC permission enabled.
Where can I check the lockdown status of an account?
All accounts will have a new Account Lockdown widget in the sidebar of individual account pages. From here you can see the account's current Lockdown status. If an account is locked down, the status will show the time until the account is re-enabled and the username of the Detect user that enabled lockdown for that account. There is also an API endpoint (/api/v2.1/lockdown/account) where you can pull a list of all current accounts that have been disabled via Lockdown. Please note that viewing Lockdown status will require the Detect user to have the View Account Lockdown RBAC permission enabled.
Can Account Lockdown access be managed by RBAC permissions?
There are two sets of permissions associated with Account Lockdown:
Configuration of Account Lockdown:
- View Settings - Active Directory: controls who can view the Active Directory External Connector settings, which includes all of the new Lockdown settings.
- Edit Settings - Active Directory: controls who can edit the Active Directory External Connector settings, which includes all of the new Lockdown settings.
Use of Account Lockdown:
- Edit Account Lockdown: allows users to manually lock or unlock individual accounts.
By default (assuming roles have not been modified), all of the above are automatically granted to the roles of Super Admin and Admin.
If an account gets locked down, will existing/open sessions be terminated?
No. Once an account gets disabled via Lockdown, existing user sessions will still be valid. Disabling an account via lockdown only impacts subsequent login attempts.
What type of permissions are required on the AD query account to utilize Account Lockdown?
The Active Directory query account requires read and write permissions on the userAccountControl attribute. Please note: it is critical that the account used for AD integration can modify its own userAccountControl attribute, because the Cognito brain performs this modification to validate that the Account Lockdown integration is configured correctly.
Once an account has been locked down, how can it be re-enabled?
Accounts are only re-enabled via the following methods:
- Admin manually re-enables account via Detect
- Disable timer expires
- Account is re-enabled outside of Detect (via AD)
If I update my automatic lockdown thresholds, will all accounts be re-evaluated?
No. Adjusting the lockdown thresholds does not retroactively apply to existing account scores; the new thresholds are applied only when new account scores are calculated.
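To make the behaviour described in the automatic lockdown, re-enable and threshold questions above concrete (all three score thresholds must be exceeded, the lockdown lasts a pre-configured period, the three re-enable paths, and no retroactive re-evaluation when thresholds change), here is an added Python model of the lockdown lifecycle. It is illustrative code written for this FAQ, not Vectra's implementation; the 1/2/4/8/12/24 hour set, the epoch-seconds clock and the function names are assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass

ACCOUNTDISABLE = 0x0002  # userAccountControl bit that a lockdown sets in AD
ALLOWED_HOURS = (1, 2, 4, 8, 12, 24)  # assumed pre-configured ranges (page only says 1h to 24h)
Scores = namedtuple("Scores", "privilege threat certainty")  # Observed Privilege, Threat, Certainty

@dataclass
class Account:
    name: str
    uac: int = 0x0200        # NORMAL_ACCOUNT: ordinary, enabled user
    locked_by: str = ""      # Detect user who locked it, or "automatic"; "" when not locked
    expires_at: float = 0.0  # epoch seconds when the disable timer ends

def lock_account(acct: Account, hours: int, by: str, now: float) -> None:
    """Manual or automatic lockdown: set the disable bit for a pre-configured period."""
    if hours not in ALLOWED_HOURS:
        raise ValueError(f"lockdown period must be one of {ALLOWED_HOURS}")
    acct.uac |= ACCOUNTDISABLE
    acct.locked_by, acct.expires_at = by, now + hours * 3600

def unlock_account(acct: Account) -> None:
    """Re-enable (admin action in Detect or timer expiry): clear the bit."""
    acct.uac &= ~ACCOUNTDISABLE
    acct.locked_by, acct.expires_at = "", 0.0

def on_new_scores(acct: Account, s: Scores, t: Scores, hours: int, now: float) -> bool:
    """Automatic mode: runs only when fresh scores arrive, never re-evaluates old scores."""
    over = s.privilege > t.privilege and s.threat > t.threat and s.certainty > t.certainty
    if over and not acct.locked_by:
        lock_account(acct, hours, "automatic", now)
        return True
    return False

def expire_lockdowns(accounts, now: float) -> list:
    """Disable timer expired: re-enable those accounts and return their names."""
    released = [a for a in accounts if a.locked_by and now >= a.expires_at]
    for a in released:
        unlock_account(a)
    return [a.name for a in released]

def sync_from_ad(acct: Account, ad_uac: int) -> None:
    """AD cache refresh: an account re-enabled outside Detect stops showing as locked."""
    acct.uac = ad_uac
    if not ad_uac & ACCOUNTDISABLE:
        acct.locked_by, acct.expires_at = "", 0.0

def locked_accounts(accounts) -> list:
    """What the lockdown report endpoint lists: accounts currently disabled via Lockdown."""
    return [a.name for a in accounts if a.locked_by and a.uac & ACCOUNTDISABLE]
```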
Is there API support for Account Lockdown?
Yes, for reporting of disabled accounts only. We may add support for enabling or disabling of accounts in a future release.
Can I configure a lockdown whitelist so strategic accounts never get disabled?
No. An account-based triage rule can be used to address this use case if needed.
If an account is locked down through Detect (automated or manual) but enabled outside of Detect (through AD), how does that appear in Detect?
For 5.5, it will still show as Disabled/Locked until the AD cache job refreshes its status (max 24 hour delay). For 5.6 we are planning to always try to pull the current AD state for any page view in VUI to alleviate that staleness.
Will the end user be notified when an account is locked down?
No, the end user is not notified whenever their account is disabled.
Will administrators be notified when an account is locked down?
Yes, Detect admins will see email and syslog notifications when lockdown is enabled or disabled. Please note that in order to receive Account Lockdown email notifications, Account alert email notifications must be enabled under Settings / Notifications.
Where can I see a sample syslog notification for lockdown?
Account Lockdown Sample Syslog
Where can I see a sample email notification for lockdown?
Account Disable sample email
Account Enable sample email
Can I use advanced search to pull information on locked down accounts?
As of release version 5.5, Advanced search for Account Lockdown is not supported. We will introduce Advanced search support in a future release.