Synchronize external security groups task causing Rapid 7 alerts

(DealerSocket Deployment)

We did just roll out Rapid7 and are reacting to the thousands of new alerts it is generating. Our Security team needs to understand why:

  1. The “Synchronize external security groups” Octopus task is logging in as Administrator as every AD user.

Attached Rapid7 log:
User svcbuild authenticated as administrator jproctor.pdf (225.0 KB)

Attached Octopus Task log:
ServerTasks-762014.log.txt (266.9 KB)

(Michael Noonan)

Hi @DealerSocketDeployment,

Thanks for getting in touch! Those are nice looking reports, but I can imagine there is a whole lot of them!

The short story: We are very unlikely to change the approach we use to synchronise AD security groups into Octopus. Is there a way for you to exclude this kind of activity from Octopus?

Another option - frequency: We synchronise with AD every hour so the behaviour is predictable and timely. What would an acceptable frequency and timing be in your situation? I’m still concerned this will add noise you need to ignore in order to see unexpected AD access.

Explanation: In the past, we used a different approach for synchronising AD security groups into Octopus. This approach started enumerating through your AD looking for groups, spidering out through all references, even across forests, mapping Octopus Users into those groups. This caused a lot of pain for customers with really big and complicated AD configurations where only a small percentage of people in AD actually used Octopus. We also had problems where the spidering would fail due to permissions boundaries which were really hard to diagnose. Since swapping around and querying AD for each User, this process has been more reliable and generally better performing.

In the end, and if possible, I think the best course of action will be to find a way to tell Rapid7 about expected behaviour from Octopus and exclude that from its reporting.

Hope that helps!
Kike
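Added example (not part of the thread, and not Octopus or Rapid7 code): one way to do what the reply suggests, teaching the monitoring side what the hourly sync looks like so only authentications outside that pattern surface. It assumes constructed event lines in the form `timestamp host actor authenticated as administrator target`, a sync service account named `svcbuild` (taken from the attachment title), and a hypothetical Octopus server host name `octopus01`; the event format and host are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; these are not the thread's attached Rapid7 log.
SAMPLE_EVENTS = [
    "2019-03-04T09:00:02 octopus01 svcbuild authenticated as administrator jproctor",
    "2019-03-04T09:00:03 octopus01 svcbuild authenticated as administrator asmith",
    "2019-03-04T09:00:05 octopus01 svcbuild authenticated as administrator bjones",
    "2019-03-04T09:37:41 octopus01 svcbuild authenticated as administrator jproctor",  # not at a sync time
    "2019-03-04T10:00:01 ws-finance svcbuild authenticated as administrator asmith",   # not from the Octopus host
    "2019-03-04T10:00:04 octopus01 svcbuild authenticated as administrator asmith",
]

SYNC_ACCOUNT = "svcbuild"          # service account Octopus uses to query AD (from the attachment title)
SYNC_HOSTS = {"octopus01"}         # hypothetical Octopus server; adjust to the real host
SYNC_WINDOW = timedelta(minutes=2)  # the sync runs hourly, so expect a short burst after the top of the hour


def parse_event(line):
    """Split one constructed event line into its fields."""
    ts, host, actor, _auth, _as, _admin, target = line.split()
    return {"time": datetime.fromisoformat(ts), "host": host, "actor": actor, "target": target}


def is_expected_sync(event):
    """True only when account, source host and timing all match the hourly sync pattern."""
    top_of_hour = event["time"].replace(minute=0, second=0, microsecond=0)
    return (event["actor"] == SYNC_ACCOUNT
            and event["host"] in SYNC_HOSTS
            and event["time"] - top_of_hour <= SYNC_WINDOW)


def triage(lines):
    """Separate expected sync noise from events that still deserve an analyst's attention."""
    suppressed, alerts = [], []
    for line in lines:
        event = parse_event(line)
        (suppressed if is_expected_sync(event) else alerts).append(event)
    return suppressed, alerts


def sync_summary(suppressed):
    """Distinct AD users touched per hourly run, a sanity check that the burst really is the sync."""
    users_per_hour = defaultdict(set)
    for event in suppressed:
        users_per_hour[event["time"].strftime("%Y-%m-%d %H:00")].add(event["target"])
    return {hour: len(users) for hour, users in users_per_hour.items()}
```

The same service account authenticating as users at other times, or from a machine that is not the Octopus server, is exactly what the exclusion must not hide, so those two constructed events stay in the alert list.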