You do not need Domain Admin rights and should never monitor anything
within an enterprise using such a level of access. Windows permission
architecture should have specific service accounts with appropriate
permissions where auth is necessary, such as LDAP read (which any
auth'ed user in a Windows domain can actually do) or any sort of
active retrieval requiring authentication.
DA is not needed to interact with QRadar using LDAP auth for QRadar
either; access should be handled by an AD group.
Original Message:
Sent: 11/24/2022 4:28:00 AM
From: Dusan VIDOVIC
Subject: RE: DO I NEED DOMAIN ADMIN?
I think you should define the question a bit better... QRadar by default uses local authentication (locally defined users and roles). If you are referring to using Active Directory as LDAP for authentication, when you are using authenticated bind you need a user that can read the LDAP directory. Instructions on how to configure LDAP authentication can be found in IBM's documentation. You can e.g. opt to use group-based authentication and allow/deny the groups of users per defined roles and security profiles (I recall there were some examples for that on YouTube etc.).
------------------------------
Dusan VIDOVIC
------------------------------
Original Message:
Sent: Wed November 23, 2022 05:00 AM
From: Fatih R
Subject: DO I NEED DOMAIN ADMIN?
Hello,
I want to ask you something. Is it necessary to have a domain admin user for IBM QRadar? So, is there such a need?
Thank you,
Kind Regards.
------------------------------
Fatih R
------------------------------
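
Added example, not part of the thread or of IBM's documentation: one way to check the advice in the replies above, that the LDAP bind account holds no admin rights, by walking nested memberOf links in a directory export. The account names, group names and LDIF-style export are constructed sample data, and the parser assumes DNs without escaped commas.

```python
# Privileged built-in AD groups a read-only bind account should never reach.
PRIVILEGED = {"domain admins", "enterprise admins", "schema admins",
              "administrators", "account operators", "backup operators"}

# Constructed sample export (dn + memberOf only); not real directory data.
SAMPLE_EXPORT = """\
dn: CN=svc-qradar-ldap,OU=Service Accounts,DC=example,DC=com
memberOf: CN=QRadar-LDAP-Readers,OU=Groups,DC=example,DC=com

dn: CN=svc-legacy-monitor,OU=Service Accounts,DC=example,DC=com
memberOf: CN=Monitoring-Tools,OU=Groups,DC=example,DC=com

dn: CN=Monitoring-Tools,OU=Groups,DC=example,DC=com
memberOf: CN=Ops-Tier0,OU=Groups,DC=example,DC=com

dn: CN=Ops-Tier0,OU=Groups,DC=example,DC=com
memberOf: CN=Domain Admins,CN=Users,DC=example,DC=com
memberOf: CN=Monitoring-Tools,OU=Groups,DC=example,DC=com
"""

def parse_member_of(export):
    """Map each entry's lower-cased DN to the DNs listed in its memberOf values."""
    graph, current = {}, None
    for line in export.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip().lower()
        if key == "dn":
            current = value
            graph.setdefault(current, [])
        elif key == "memberof" and current:
            graph[current].append(value)
    return graph

def common_name(dn):
    """Return the value of the first RDN (the CN) of a DN."""
    return dn.split(",", 1)[0].partition("=")[2].strip()

def privileged_paths(graph, account_dn):
    """Return {privileged group: membership chain} reachable from account_dn."""
    start = account_dn.lower()
    found, seen, stack = {}, {start}, [(start, [start])]
    while stack:
        node, path = stack.pop()
        for parent in graph.get(node, []):
            if parent in seen:  # nested groups can form loops
                continue
            seen.add(parent)
            chain = path + [parent]
            if common_name(parent) in PRIVILEGED:
                found[common_name(parent)] = [common_name(d) for d in chain]
            stack.append((parent, chain))
    return found
```

memberOf does not list an account's primary group, so primaryGroupID has to be checked separately.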