Ping Castle is a tool designed to assess quickly the Active Directory security level with a methodology based on risk assessment and a maturity framework. It does not aim at a perfect evaluation but rather as an efficiency compromise.
This is a template for collecting high level overview of the status reported by PingCastle. It is intended as basis for C-level reporting dashboard. It includes the most important metrics (scores in PingCastle terminology).
Here you can find the template itself and a sample bash script process.sh
for parsing reports and sending to Zabbix.
The template is designed with Zabbix Trapper items. This choice is dictated by the fact that AD scanning by pingcastle is performed on a machine separate from the Zabbix server/agent/proxy and then possibly processed on another machine.
It is possible to operate with regular items but this is not easily coordinated on a general basis and needs tuning.
Currently only key indicators are monitored
Item | Key | Description |
---|---|---|
Engine Version | pingcastle.EngineVersion | Version of the PingCastle tool used to generate the report |
GlobalScore | pingcastle.GlobalScore | Max of all other scores |
PrivilegiedGroupScore | pingcastle.PrivilegiedGroupScore | Score about privileges |
StaleObjectsScore | pingcastle.StaleObjectsScore | Score about stale objects |
TrustScore | pingcastle.TrustScore | Score about trusted domains and issues therein |
AnomalyScore | pingcastle.AnomalyScore | Anomalies not fitting in any of the rest |
DomainAdministrators | pingcastle.DomainAdministrators | Number of Domain Administrators |
TotalRiskPoints | pingcastle.TotalRiskPoints | Sum of all matched RiskRule's ponts |
For every score (Global, Privileged, Stale, Trust, Anomaly) there are 4 triggers according to PingCastle documentation
- 0 - no risk identified but some improvements detected
- between 1 and 10 - a few actions have been identified
- between 10 and 30 - rules should be looked with attention
- score higher than 30 - major risks identified
Macros have been provided to tune the thresholds per host
For Domain Administrators there is a single non recovering trigger that fires on change. The event must be manually acknoleged and closed.
There is also a trigger for stale data.
Macros | Default | Description |
---|---|---|
{$PINGCASTLE_NODATA_DAYS} |
21d | Threshold to alert if no data received for XX days (default 21d) |
{$PINGCASTLE_THRESHOLD_WARNING} |
10 | Threshold for firing warning trigger (default 10) |
{$PINGCASTLE_THRESHOLD_AVERAGE} |
30 | Threshold for firing average trigger (default 30) |
{$PINGCASTLE_THRESHOLD_HIGH} |
50 | Threshold for firing high trigger (default 50) |
- Import Template into Zabbix (will go in
Templates/PingCastle
group) - Create a host with
DomainSID
as hostname. Use any custom nice looking name in the display name field - Make sure you have
zabbix_send
and xmllint installed on the machine doing the processing - Run
process.sh
A sample process.sh
bash script is included for parsing the Pingcastle reports and submitting them to Zabbix.
process.sh
- requires as a minimum xmllint
from libxml2-utils
and zabbix_send
Feel free to use the issues system for requests and others