Adding collector agents to Starling Identity Analytics & Risk Intelligence
The following explains how to add a collector agent to Starling Identity Analytics & Risk Intelligence in order to begin collecting entitlement data.
|
|
NOTE: You cannot install multiple collector agents on the same machine. |
|
|
NOTE: The data collected by the data source module(s) associated with the collector agent will remain within Starling Identity Analytics & Risk Intelligence until it has been purged. For more information, see Purging data. |
|
|
IMPORTANT: Read the Additional hardware and software requirements before installing a collector agent. |
To add a collector agent
- From the Collector Agent page, click Add a collector agent to open the Add Collector Agent dialog.
- Copy and save the registration code. This code is requested during the collector agent installation and will only be valid for 15 minutes.
- Use Download Collector Agent Installer to download the collector agent installer. Clicking About Collector Agent in the dialog provides additional copyright and third party component information.
- Once downloaded, run the IAI.Collector.Installer.msi installer package and follow the instructions in the Starling IARI Collector Setup dialog to complete the installation. The installer will automatically close once installation is complete.
-
Once installation has been successfully completed, close the Add Collector Agent dialog to return to the Collector Agents page.
The page will automatically refresh once the collector agent has been installed. The new collector agent appears listed on the Collector Agents page with a green check mark to indicate the collector agent has been installed correctly and is able to communicate with Starling Identity Analytics & Risk Intelligence. You are now able to add modules to the collector agent (see Adding data source modules to Starling Identity Analytics & Risk Intelligence).
Collector Agent page
The Collector Agent page is displayed when the Collector Agents link is selected from the Configuration drop-down menu located in the navigation bar. The Collector Agent page is used for adding and managing the collector agents and data source modules that are configured for your account.
The following information appears once at least one collector agent has been installed.
Search for collector agents
Use this field to filter the list of collector agents appearing at the bottom of this page.
Add Collector Agent
This button is used for adding a new collector agent. For more information, see Adding collector agents to Starling Identity Analytics & Risk Intelligence.
The following information appears in the table at the bottom of the page once at least one collector agent has been configured.
Host
This is the host name for the collector agent.
Number of Modules
This is the number of data source modules currently configured for the collector agent.
Last Communication
This displays the time of the last communication between the collector agent and the Starling Identity Analytics & Risk Intelligence cloud service. This communication is done through an HTTPS call on port 443 and cannot be configured. This check is in order to ensure communication between the two components is active and secure.
Status
This indicates the current status of the connection. Mousing over the displayed icon provides a brief explanation of the current status.
More Details
Clicking this button displays information regarding the currently installed versions of both the collector agent and the installer.
Actions
This drop-down menu displays the following configuration options:
- Edit: This option provides access to the Data Source Modules page where you can add and manage data source modules for use by the collector agent.
- Uninstall: This option uninstalls the collector agent as well as any configured data source modules. For more information, see Uninstalling a collector agent.
- About Collector Agent: This option provides additional copyright and third party component information regarding the installed collector agent.
Adding data source modules to Starling Identity Analytics & Risk Intelligence
Once you have finished Adding collector agents to Starling Identity Analytics & Risk Intelligence you need to configure modules for that source.
|
|
IMPORTANT: Read the Additional hardware and software requirements before adding a data source module. |
|
|
NOTE: Only one module of each type can be added to each collector agent. |
|
|
NOTE: The amount of time needed to collect data will increase if the network is slow between the machine where the collector agent is installed and the machine it is collecting data from. |
To add an Active Directory data source module- From the Collector Agents page, expand the Action drop-down menu associated with the collector agent to which you want to add an Active Directory data source module.
- Select Edit. This will open the Data Source Modules page.
- Click the Add Module button to open the Configure New Module dialog.
- Expand the Module Type drop-down menu and select Active Directory.
-
(Optional) Enter a Host Name or IP Address. If you have more than one Active Directory data source available in the environment then you need to specify which one to connect with, otherwise Starling Identity Analytics & Risk Intelligence will randomly select one.
IMPORTANT: A global catalog must be resolvable via its DNS name regardless of whether you are connecting directly to it or to a domain controller connected with a global catalog.
-
In the Data Collection Frequency (hours) field, enter how often Starling Identity Analytics & Risk Intelligence should initiate a collection. By default, collections will occur every 24 hours. This process will be indicated by an alert bar in Starling Identity Analytics & Risk Intelligence followed by the impacted pages automatically updating once the evaluation has completed.
NOTE: The Data Collection Frequency (hours) value must be between 1-576. - In the Username field, enter the name of a user with appropriate permissions to the data source.
- In the Password field, enter the password associated with the user.
-
Click Save to save the module and close the dialog.
Once you have completed adding the data source, the following information may appear indicating the state of the connection:
- Upon initial completion, a
icon appears to indicate the module is validating.
-
The next step in this process is the actual collection of the data, which is indicated by a
icon. During this step, the data source will begin the process of connecting with and sending data to Starling Identity Analytics & Risk Intelligence. This process may take a while depending on a number of factors (for example, the amount of data that needs to be collected).
The data being collected includes information regarding disabled accounts since, although inactive, they still exist, and therefore can provide important information about both the account and the data source overall. However, this account information will not include data related to actions an account cannot perform. For example, expired entitlements within Safeguard are not considered when calculating the risk level of an account since an expired entitlement is the same as the entitlement not existing.
- Once the module has successfully connected and a
appears, the module data will be available within Starling Identity Analytics & Risk Intelligence.
- Should the data collection or module validation fail, a
appears indicating a problem has occurred (for example, incorrect configuration settings, the data source being inaccessible at this time, and so on).
- Upon initial completion, a
- From the Collector Agents page, expand the Action drop-down menu associated with the collector agent to which you want to add an Active Roles data source module.
- Select Edit. This will open the Data Source Modules page.
- Click the Add Module button to open the Configure New Module dialog.
- Expand the Module Type drop-down menu and select ActiveRoles.
-
(Optional) Enter a Host Name or IP Address. If you have more than one Active Roles data source available in the environment then you need to specify which one to connect with, otherwise Starling Identity Analytics & Risk Intelligence will randomly select one.
IMPORTANT: The collector agent must also be able to resolve the DNS names of all computers hosting Active Roles Administration Services in the Active Roles installation.
-
In the Data Collection Frequency (hours) field, enter how often Starling Identity Analytics & Risk Intelligence should initiate a collection. By default, collections will occur every 24 hours. This process will be indicated by an alert bar in Starling Identity Analytics & Risk Intelligence followed by the impacted pages automatically updating once the evaluation has completed.
NOTE: The Data Collection Frequency (hours) value must be between 1-576. - In the Username field, enter the name of a user with appropriate permissions to the data source.
- In the Password field, enter the password associated with the user.
-
Click Save to save the module and close the dialog.
Once you have completed adding the data source, the following information may appear indicating the state of the connection:
- Upon initial completion, a
-
The next step in this process is the actual collection of the data, which is indicated by a
The data being collected includes information regarding disabled accounts since, although inactive, they still exist, and therefore can provide important information about both the account and the data source overall. However, this account information will not include data related to actions an account cannot perform. For example, expired entitlements within Safeguard are not considered when calculating the risk level of an account since an expired entitlement is the same as the entitlement not existing.
- Once the module has successfully connected and a
- Should the data collection or module validation fail, a
- Upon initial completion, a
- From the Collector Agents page, expand the Action drop-down menu associated with the collector agent to which you want to add a Safeguard data source module.
- Select Edit. This will open the Data Source Modules page.
- Click the Add Module button to open the Configure New Module dialog.
- Expand the Module Type drop-down menu and select Safeguard.
- (Optional) Enter a Host Name or IP Address. If you have more than one Safeguard data source available in the environment then you need to specify which one to connect with, otherwise Starling Identity Analytics & Risk Intelligence will randomly select one.
- For the Safeguard Appliance DNS Name or IP Address field, it is strongly recommended that you enter the DNS Name of the Safeguard appliance to which you are connecting. In order to use an IP address for connecting with Starling Identity Analytics & Risk Intelligence the SSL certificate must have that IP address listed as a Subject Alternative Name.
-
In the Data Collection Frequency (hours) field, enter how often Starling Identity Analytics & Risk Intelligence should initiate a collection. By default, collections will occur every 24 hours. This process will be indicated by an alert bar in Starling Identity Analytics & Risk Intelligence followed by the impacted pages automatically updating once the evaluation has completed.
NOTE: The Data Collection Frequency (hours) value must be between 1-576. - Authentication Type: From the drop-down menu, select whether to use the Local or Certificate authentication provider.
-
Based on your Authentication Type, enter the following information:
- Local: Enter the name of a user with appropriate permissions to the data source and the associated password.
- Certificate: Enter the client Certificate Thumbprint (SHA-1) that will be used for authentication. This certificate must exist in the Personal (Local Computer) certificate store of the collector agent machine.
-
Click Save to save the module and close the dialog.
Once you have completed adding the data source, the following information may appear indicating the state of the connection:
- Upon initial completion, a
-
The next step in this process is the actual collection of the data, which is indicated by a
The data being collected includes information regarding disabled accounts since, although inactive, they still exist, and therefore can provide important information about both the account and the data source overall. However, this account information will not include data related to actions an account cannot perform. For example, expired entitlements within Safeguard are not considered when calculating the risk level of an account since an expired entitlement is the same as the entitlement not existing.
- Once the module has successfully connected and a
- Should the data collection or module validation fail, a
- Upon initial completion, a
|
|
IMPORTANT: In order to use Azure Active Directory as a data source, additional configuration must be done BEFORE it will be able to connect with Starling Identity Analytics & Risk Intelligence. For instructions on configuring Azure Active Directory, see Configuring Azure Active Directory. |
- From the Collector Agents page, expand the Action drop-down menu associated with the collector agent to which you want to add an Azure Active Directory data source module.
- Select Edit. This will open the Data Source Modules page.
- Click the Add Module button to open the Configure New Module dialog.
- Expand the Module Type drop-down menu and select Azure Active Directory.
-
In the Data Collection Frequency (hours) field, enter how often Starling Identity Analytics & Risk Intelligence should initiate a collection. By default, collections will occur every 24 hours. This process will be indicated by an alert bar in Starling Identity Analytics & Risk Intelligence followed by the impacted pages automatically updating once the evaluation has completed.
NOTE: The Data Collection Frequency (hours) value must be between 1-576. - In the Directory ID field, enter the value saved during the Configuring Azure Active Directory process.
- In the Application ID field, enter the value saved during the Configuring Azure Active Directory process.
- In the App Secret field, enter the key value generated and saved during the Configuring Azure Active Directory process.
-
Click Save to save the module and close the dialog.
Once you have completed adding the data source, the following information may appear indicating the state of the connection:
- Upon initial completion, a
-
The next step in this process is the actual collection of the data, which is indicated by a
The data being collected includes information regarding disabled accounts since, although inactive, they still exist, and therefore can provide important information about both the account and the data source overall. However, this account information will not include data related to actions an account cannot perform. For example, expired entitlements within Safeguard are not considered when calculating the risk level of an account since an expired entitlement is the same as the entitlement not existing.
- Once the module has successfully connected and a
- Should the data collection or module validation fail, a
- Upon initial completion, a
Data Source Modules page
The Data Source Modules page is displayed by editing a configured collector agent (see Adding data source modules to Starling Identity Analytics & Risk Intelligence). The Data Source Modules page is used for adding and managing the data source modules for a collector agent.
Once a collector agent has been installed, the following information appears on this page:
Search for modules
Use this field to filter the list of data source modules appearing at the bottom of this page.
Add Module
This button is used for adding a new data source module. For more information, see Adding data source modules to Starling Identity Analytics & Risk Intelligence.
The following information appears in the table at the bottom of the page once at least one data source module has been configured for the collector agent.
Module
This is the type of data source module.
Host
This is the host name for the collector agent.
Last Updated
This is the last update from the data source module to Starling Identity Analytics & Risk Intelligence. These updates can occur manually and are also configurable for each data source module (for information on configuring those settings, see Editing a data source module).
Status
This indicates the current status of the connection. Mousing over the displayed icon provides a brief explanation of the current status.
More Details
Clicking this button displays information regarding the currently installed versions of both the collector agent and the installer.
Actions
This drop-down menu displays the following configuration options:
- Edit: This option provides access to the Edit Module Configuration dialog where you can edit the current data source module configuration.
- Initiate Collection: This option is for manually initiating data collection outside of the scheduled collection times. For more information, see Initiating data source module collection.
- Uninstall: This option uninstalls the data source module. For more information, see Uninstalling a data source module.