
Purpose

This guide explains how to set up the Microsoft Active Directory (AD) integration in AirMDR so that it can query directory information such as users, groups, and organizational units over the LDAP protocol. This integration is typically used for:
  • User enrichment during investigations
  • Identity validation during incident response
  • Mapping AD users to security events
  • Group membership lookups
AirMDR connects to Active Directory using LDAP queries executed through a service account.

Pre-requisites

Before setting up the Microsoft Active Directory integration in AirMDR, ensure the following requirements are met:

Active Directory Environment

  • Microsoft Active Directory Domain Services (AD DS) environment must be available.
  • At least one Domain Controller (DC) must be reachable from the AirMDR environment.
  • LDAP services must be enabled on the Domain Controller.
  • If LDAPS (port 636) is used:
    • The Domain Controller must have a valid TLS certificate
    • The certificate must be issued by a trusted certificate authority
    • TLS must be enabled on the LDAP service
      LDAPS is recommended to ensure encrypted communication between AirMDR and Active Directory.

Authentication Method

AirMDR authenticates to Active Directory with a dedicated service account, performing an LDAP simple bind with that account's username and password.

Required Parameters

Parameter   | Description
LDAP Server | Domain Controller hostname or IP
Port        | LDAP or LDAPS port
Username    | Service account used for LDAP bind
Password    | Password of the service account
Base DN     | Directory search base
The service account should have read-only directory access. Typical privileges include:
  • Read user objects
  • Read group objects
  • Read organizational units
  • Read attributes (email, samAccountName, etc.)

Supported Versions

The AirMDR Active Directory integration supports:
  • Microsoft Active Directory Domain Services (AD DS)
  • Windows Server 2012 / 2016 / 2019 / 2022
  • LDAP / LDAPS directory services
  • On-premises Active Directory deployments
    Azure AD (Entra ID) is not supported through LDAP. Use the Microsoft Graph integration instead.

Generate Microsoft Active Directory (AD) LDAP server details, Service account credentials and Base Distinguished Name (DN)

Step 1: Identify the LDAP Server (Domain Controller)

  1. Log in to the Domain Controller.
  2. Open Server Manager.
  3. Navigate to Tools → Active Directory Users and Computers.
  4. In the left navigation panel, identify your Domain Controller hostname.
    Example: dc01.company.local
    This will be used as the LDAP Server.
Step 2: Determine the LDAP Port

Active Directory supports two LDAP ports:
Protocol            | Port
LDAP                | 389
LDAPS (Secure LDAP) | 636
To verify:
  1. Open Command Prompt on the domain controller.
  2. Run:
    nltest /dsgetdc:<your-domain>
    
    Example:
    nltest /dsgetdc:company.local
    
    This returns the active domain controller and confirms LDAP services.
    AirMDR recommends LDAPS (port 636) for encrypted connections.
Step 3: Create a Service Account

A dedicated service account should be created for the integration.
  1. Open Server Manager → Tools → Active Directory Users and Computers.
  2. Click “Create a new user in the current container”.
  3. Enter the required field values:
    Field           | Value (Example)
    First Name      | AirMDR
    Last Name       | Service
    User Logon Name | airmdr-service
    or
  4. Navigate to the desired Organizational Unit (OU).
  5. Right-click the OU.
  6. Click Next.
  7. Configure password settings:
    • Set a secure password
    • Uncheck User must change password at next logon
    • Enable Password never expires (recommended for service accounts)
  8. Click Finish.
    The service account will be used as the LDAP bind user.
Step 4: Retrieve the Service Account Username

The LDAP bind username can be expressed in either format:
  • User Principal Name (UPN): airmdr-service@company.local
  • Domain format: COMPANY\airmdr-service
Either format is accepted by most LDAP clients.
Step 5: Determine the Base Distinguished Name (Base DN)

The Base DN defines where LDAP searches begin in the directory tree. To obtain it:
  1. Open Server Manager → Tools → Active Directory Users and Computers.
  2. Right-click the domain root.
  3. Select Properties.
  4. Go to the Attribute Editor tab.
  5. Locate the attribute: distinguishedName
    Example value: DC=company,DC=local
    This becomes the Base DN used by AirMDR for LDAP searches.
Example credentials retrieved to configure the Microsoft AD integration in AirMDR:
Field       | Value (Example)
LDAP Server | dc01.company.local
Port        | 636
Username    | airmdr-service@company.local
Password    | ********
Base DN     | DC=company,DC=local
Example Configuration:
{
  "ldap_server": "dc01.company.local",
  "port": 636,
  "username": "airmdr-service@company.local",
  "password": "********",
  "base_dn": "DC=company,DC=local"
}
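The configuration above has a few internal consistency rules that are easy to get wrong when copying values by hand: the port decides whether the bind travels in cleartext, the Base DN must be a well-formed DN whose DC components match the domain in the UPN, and the username must be in one of the two accepted forms. The following Python is an added example written for this guide, not AirMDR's own validation code; it assumes the JSON field names shown above and uses only the standard library, so it runs offline without a domain controller.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample mirroring the guide's "Example Configuration";
# the values are placeholders, not a real environment.
SAMPLE_CONFIG: Dict[str, object] = {
    "ldap_server": "dc01.company.local",
    "port": 636,
    "username": "airmdr-service@company.local",
    "password": "********",
    "base_dn": "DC=company,DC=local",
}

LDAP_PORT = 389    # cleartext LDAP
LDAPS_PORT = 636   # LDAP over TLS, the port the guide recommends

_RDN = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(.+)$")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, keeping backslash-escaped
    commas inside values (e.g. 'OU=Sales\\, EMEA'). Sufficient for checking a
    Base DN; it is not a complete RFC 4514 parser."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            buf += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    parts.append(buf)
    rdns = []
    for part in parts:
        m = _RDN.match(part.strip())
        if not m:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((m.group(1).upper(), m.group(2)))
    return rdns


def base_dn_from_domain(domain: str) -> str:
    """company.local -> DC=company,DC=local (the domain's default naming context)."""
    labels = [lbl for lbl in domain.strip().lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={lbl}" for lbl in labels)


def bind_user_form(username: str) -> str:
    """'upn' for user@domain, 'downlevel' for DOMAIN\\user, 'unknown' otherwise."""
    user, at, domain = username.partition("@")
    if at and user and domain and "\\" not in username:
        return "upn"
    netbios, bs, user = username.partition("\\")
    if bs and netbios and user and "@" not in username:
        return "downlevel"
    return "unknown"


def validate_config(cfg: Dict[str, object]) -> List[str]:
    """Return a list of findings; an empty list means the values are consistent."""
    findings: List[str] = []
    if not str(cfg.get("ldap_server", "")).strip():
        findings.append("ldap_server is empty")
    port = cfg.get("port")
    if port == LDAP_PORT:
        findings.append("port 389 is cleartext LDAP; the guide recommends LDAPS on 636")
    elif port != LDAPS_PORT:
        findings.append(f"unexpected port {port!r}; expected 389 (LDAP) or 636 (LDAPS)")
    if not str(cfg.get("password", "")):
        findings.append("password is empty")
    try:
        rdns = parse_dn(str(cfg.get("base_dn", "")))
    except ValueError as exc:
        findings.append(f"base_dn: {exc}")
        rdns = []
    dc_part = [(k, v.lower()) for k, v in rdns if k == "DC"]
    if rdns and not dc_part:
        findings.append("base_dn has no DC components")
    username = str(cfg.get("username", ""))
    form = bind_user_form(username)
    if form == "unknown":
        findings.append("username must be UPN (user@domain) or DOMAIN\\user")
    elif form == "upn" and dc_part:
        # With a UPN the domain is known, so the DC part of the Base DN must match it.
        domain = username.split("@", 1)[1]
        expected = base_dn_from_domain(domain)
        if dc_part != parse_dn(expected):
            findings.append(f"base_dn/username mismatch: UPN domain {domain} implies {expected}")
    return findings


if __name__ == "__main__":
    print(validate_config(SAMPLE_CONFIG))                       # []
    print(validate_config({**SAMPLE_CONFIG, "port": 389}))      # cleartext warning
```

A down-level username (COMPANY\airmdr-service) carries only the NetBIOS name, so the domain check is skipped for that form; the UPN form is the one that lets the Base DN be cross-checked, which is one reason to prefer it in the configuration.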

Data Flow & Security

Data Retrieved

The integration typically queries:
  • User objects
  • Group memberships
  • Email addresses
  • Security identifiers (SID)
  • Organizational unit membership
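The lookups listed above all reduce to LDAP search filters built from values taken out of security events (a logon name, an email address, a user DN). Because those values come from telemetry rather than from an administrator, the integration's query builder has to escape them so that filter metacharacters cannot change the query's structure. The following Python is an added example, not AirMDR's code; it shows RFC 4515 escaping and the filters for the data classes above. The event field names (`user`, `email`, `upn`) are an assumption about the event schema, and the sample events are constructed.

```python
from typing import Dict, List

# Standard AD attribute names covering the data the integration retrieves.
ENRICHMENT_ATTRIBUTES: List[str] = [
    "sAMAccountName", "userPrincipalName", "mail", "objectSid",
    "distinguishedName", "memberOf", "userAccountControl",
]


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    Metacharacters and every non-ASCII byte become \\XX hex escapes, so the
    value is always matched literally and cannot alter the filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00" or ord(ch) > 0x7F:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def user_lookup_filter(sam_account_name: str) -> str:
    """One user object by logon name; objectCategory=person excludes computers."""
    return ("(&(objectClass=user)(objectCategory=person)"
            f"(sAMAccountName={escape_filter_value(sam_account_name)}))")


def email_lookup_filter(mail: str) -> str:
    return f"(&(objectCategory=person)(mail={escape_filter_value(mail)}))"


def group_membership_filter(user_dn: str) -> str:
    """Groups whose member attribute lists the user's DN (direct membership)."""
    return f"(&(objectClass=group)(member={escape_filter_value(user_dn)}))"


def event_to_filter(event: Dict[str, str]) -> str:
    """Map the identity field present in a security event to a lookup filter.
    The field names are an assumed event schema; 'user' may arrive as
    DOMAIN\\name and is reduced to the bare name before lookup."""
    if event.get("upn"):
        return f"(&(objectCategory=person)(userPrincipalName={escape_filter_value(event['upn'])}))"
    if event.get("email"):
        return email_lookup_filter(event["email"])
    if event.get("user"):
        name = event["user"].rsplit("\\", 1)[-1]
        return user_lookup_filter(name)
    raise ValueError("event carries no identity field")


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"user": "COMPANY\\jdoe"},
    {"email": "jane.doe@company.local"},
    {"user": "j*"},   # metacharacter in telemetry stays a literal after escaping
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(event_to_filter(ev))
```

Requesting only `ENRICHMENT_ATTRIBUTES` in the search (rather than all attributes) keeps the result set aligned with the read-only access the service account is granted and limits what an investigation pulls back into the platform.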

Encryption

Layer      | Method
In Transit | TLS (LDAPS)
At Rest    | Encrypted credential storage in AirMDR

Network Ports

Port | Protocol
389  | LDAP
636  | LDAPS (recommended)

Skills Provided by this Integration

Skill ID                                  | Purpose
Disable Active Directory (Onprem) User    | Disables the specified user account in Active Directory (Onprem) by setting the ACCOUNTDISABLE flag on userAccountControl
To view the details of Input Parameters and Output for the respective skills
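The disable skill works on the userAccountControl attribute, a bit field in which ACCOUNTDISABLE is 0x2 and in which the other bits (NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD from step 3, and so on) must be preserved. The Python below is an added example illustrating that bit handling; it is not AirMDR's skill implementation. The flag values are Microsoft's documented userAccountControl constants, and the sample directory entry is constructed. The same decoder also serves as a quick review of the bind account created in step 3, reporting flags a read-only service account should not carry.

```python
from typing import Dict, List, Optional

# Documented userAccountControl bit flags (subset).
UAC_FLAGS: Dict[str, int] = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
}
ACCOUNTDISABLE = UAC_FLAGS["ACCOUNTDISABLE"]


def parse_uac(raw: str) -> int:
    """userAccountControl is returned by LDAP as a decimal string."""
    return int(str(raw).strip())


def decode_uac(value: int) -> List[str]:
    """Names of the flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def is_disabled(value: int) -> bool:
    return bool(value & ACCOUNTDISABLE)


def plan_disable(current: int) -> Optional[int]:
    """Value to write back with an LDAP replace of userAccountControl, or None
    when the account is already disabled. Only the ACCOUNTDISABLE bit changes;
    every other flag is preserved, so the operation is idempotent."""
    if is_disabled(current):
        return None
    return current | ACCOUNTDISABLE


def review_service_account(value: int) -> List[str]:
    """Flags a read-only LDAP bind account should not carry. DONT_EXPIRE_PASSWORD
    is expected (the guide recommends it for service accounts) and is not reported."""
    risky = ["PASSWD_NOTREQD", "DONT_REQ_PREAUTH", "TRUSTED_FOR_DELEGATION",
             "USE_DES_KEY_ONLY", "ENCRYPTED_TEXT_PWD_ALLOWED"]
    flags = decode_uac(value)
    return [f"{name} is set" for name in risky if name in flags]


# Constructed sample entry: the service account from step 3 as LDAP returns it
# (NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD = 66048).
SAMPLE_ENTRY = {"sAMAccountName": "airmdr-service", "userAccountControl": "66048"}

if __name__ == "__main__":
    uac = parse_uac(SAMPLE_ENTRY["userAccountControl"])
    print(decode_uac(uac))                # ['NORMAL_ACCOUNT', 'DONT_EXPIRE_PASSWORD']
    print(plan_disable(uac))              # 66050
    print(review_service_account(uac))    # []
```

Reading the current value first and computing the new one with a bitwise OR is what makes the skill safe to re-run: a second invocation returns None instead of rewriting the attribute, and a value written as a bare 514 would silently strip DONT_EXPIRE_PASSWORD or any other flag the account had.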

Configure Active Directory in AirMDR Integrations Dashboard

  1. Navigate to AirMDR, enter your credentials, and click Login.
  2. In the left navigation pane, select Integrations to open the AirMDR Integrations Dashboard.
  3. In the search box, enter the keyword “Active Directory”, select the Connections tab, and click + Add New Connection.
  4. Enter a unique name for the instance (e.g., your org name-Active Directory) and a brief Description so the connection is easy to identify in AirMDR.
  5. Enter the LDAP Server details, Service Account Credentials, and Base Distinguished Name (DN) gathered above in the Authentication Details fields, and click Save.

Error Handling

Error                    | Cause                    | Resolution
LDAP bind failed         | Incorrect credentials    | Verify username/password
Cannot connect to server | Network/firewall issue   | Confirm LDAP port access
Invalid Base DN          | Incorrect directory path | Verify distinguishedName
TLS handshake error      | LDAPS certificate issue  | Validate DC certificates

Support & Maintenance

  • 📧 Contact AirMDR Support through your designated support channel.
  • 🔁 Rotate credentials regularly in Microsoft Active Directory (AD).
  • 🔄 If a domain controller changes:
    • Update the LDAP Server hostname in the integration configuration.