Setup IS-IDP: Identity Security - Identity Detection & Protection (RangerAD)
1. Prerequisites
1.1 Agent Version
Minimum Windows Agent Version: 25.1+
1.2 Network and Firewall Requirements
Required Network Flows:
Traffic Type: Outbound only.
Sources: Domain Controllers (DCs) and the AD Connector server.
Protocol: HTTPS
Port: TCP 443
URLs to Authorize – Europe Region
The following must be accessible from both the DCs and the AD Connector:
https://euce1-identity.sentinelone.net
https://euce1-api-identity.sentinelone.net
https://eucel-api-identity.sentinelone.net
1.3 Supported Operating Systems (DCs / Application Servers)
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server 2022
1.4 Hardware and System Requirements (AD Connector)
Operating System: Windows 10 (64-bit) minimum or Windows Server 2012 R2 (or higher).
Processor (CPU): 4 cores
Memory (RAM): 16 GB
Hard Disk: 1 GB free space
2. AD Connector Installation
Steps
Install the unified SentinelOne agent (version 25.1 or higher) on a Windows endpoint or a virtual machine joined to the Active Directory domain.
Log in to the SentinelOne console using an account with administrative privileges.
In the main menu, navigate to Policies & Settings.
Go to the Identity Security section, then click on Active Directory.
Click on Connect AD, as shown in the image below.

Click 'Next' to enable the configuration for both ISPM (Exposures) and ISIDP (Protect).

Select the name of the endpoint on which the unified SentinelOne agent was previously installed.

It should look like this:

Fill in the Active Directory details, including:
Domain Name
Domain Controller (FQDN)
AD Service Account
Communication Settings
⚠️ Settings must be configured according to your IT infrastructure, specifically:
LDAP or LDAPS
WinRM over HTTPS (recommended) or WinRM over HTTP

Field definitions from the screenshot above:
Sites: Defines the scope (Account or Site) where the AD configuration is applied. (ISPM & ISIDP: mandatory scope, ensure the correct site is selected)
Domain Name: FQDN of the Active Directory domain or subdomain to be analyzed. (ISPM only)
Monitor subdomains: Analyzes all domains within the same AD forest. (ISPM only – recommended for a full forest analysis)
LDAP Encryption method: Encrypts LDAP communications between ISPM and domain controllers (LDAPS recommended). (ISPM only)
WinRM Encryption Method: Defines the WinRM encryption mode between the AD Connector and the DCs (HTTPS recommended). (ISPM only)
Domain Controller FQDN: FQDN of a domain controller used for AD queries. (ISPM only)
Username: Active Directory account used to query the AD (read-only recommended). (ISPM only)
Access over trust: Allows the analysis of a domain from another forest via an AD trust relationship. (ISPM only – for multi-forest environments)
AD Sync: Synchronizes AD users and groups to SentinelOne. (Mandatory for ISPM. ISIDP: used for identity context enrichment)
Threat Detection: Enables detections based on Active Directory posture and configuration. (ISPM only – requires AD Sync)
Finalization: Once configured, you simply need to wait for the scan results to populate. The first alerts may take up to 24 hours to be reported after activation, depending on Active Directory activity.
3. Installation of Protection Policies (Protect)
Follow these steps to deploy Singularity Identity (ISIDP) protection policies on your Domain Controllers (DCs):
3.1. Policy Configuration in the Console
Log in to the SentinelOne console.
Navigate to Policies and settings > Protection Policies.
Select the policy applied to your servers, then click Actions > Edit.
Ensure that the ADSecure-DC option is enabled.

3.2. Agent Download and Installation
Navigate back to Policies and settings > Protection Policies.
Select the relevant policy, then click Actions > Download.
Extract the downloaded archive (the folder is typically named after your policy and the download date, for example: Endpoint-Default_Protection_Policy-22-Jan-2026). Transfer the entire folder to your Domain Controllers (DCs).
Open a PowerShell terminal as an Administrator, navigate to the folder containing the executable, and run the following command:
.\windowssetup.exe /ia /service /v2
3.3. Additional Tips (Advanced Commands)
Uninstall
Force Installation
Force Uninstallation
3.4. Installation Verification
After installation, it may take 1 to 2 minutes for the information to be reported back to the console.
To confirm a successful deployment:
Go to Policies and settings > Identity Endpoints.
Verify that your Domain Controllers appear in the list with the correct status and the associated policy.
4. Network and System Prerequisites
Here are the technical prerequisites required for the installation of the AD Connector and ADSecure-DC agents. Validation of these points by your system and network teams is essential before we proceed with the installation.
4.1. System Requirements
Windows Agent Version: The SentinelOne agent installed on the endpoints must be version 25.1 or higher.
Supported Operating Systems (DCs & Servers): Windows Server 2012 R2, 2016, 2019, and 2022.
4.2. AD Connector Server Specifications
The server dedicated to the connector role (member server or Windows 10 64-bit machine minimum) must meet the following resource requirements:
CPU: 4 cores.
Memory (RAM): 16 GB.
Disk Space: 1 GB free space.
4.3. Network and Firewall Requirements
To allow communication with the management console (Europe Region), the following outbound-only flows must be authorized from your Domain Controllers (DCs) and the AD Connector server:
Protocol: HTTPS (TCP 443)
Destinations (URLs):
https://euce1-identity.sentinelone.net
https://euce1-api-identity.sentinelone.net
https://eucel-api-identity.sentinelone.net
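The following PowerShell pre-flight check is an added example, not part of the Stoïk or SentinelOne procedure: run it on each DC and on the AD Connector server to confirm that the three destinations above resolve, accept a TCP connection on 443, and present a certificate that passes chain validation (a TLS-inspecting proxy shows up as an unexpected issuer or a handshake failure). The hostnames are the ones listed in this section; the function name is an assumption.

```powershell
# Added pre-flight check; hostnames are taken verbatim from section 4.3 of this page.
$Destinations = @(
    'euce1-identity.sentinelone.net',
    'euce1-api-identity.sentinelone.net',
    'eucel-api-identity.sentinelone.net'
)

function Test-IdentityEndpoint {
    # Hypothetical helper name. Performs a plain TCP connect, then a TLS handshake with the
    # default .NET chain validation, and reports the issuer of the certificate presented.
    param([Parameter(Mandatory)][string]$Hostname, [int]$Port = 443)

    $r = [ordered]@{ Destination = $Hostname; TcpReachable = $false; TlsOk = $false; CertIssuer = $null; Error = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Hostname, $Port)
        $r.TcpReachable = $true
        # leaveInnerStreamOpen = $false: disposing the SslStream also closes the socket stream.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Hostname)      # throws on chain or name validation failure
        $r.TlsOk      = $ssl.IsAuthenticated
        $r.CertIssuer = $ssl.RemoteCertificate.Issuer
        $ssl.Dispose()
    } catch {
        $r.Error = $_.Exception.GetBaseException().Message
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$r
}

$Results = foreach ($h in $Destinations) { Test-IdentityEndpoint -Hostname $h }
$Results | Format-Table -AutoSize

# Non-zero exit so the check can be wired into a pre-install script or attached to a change ticket.
$Failed = $Results | Where-Object { -not ($_.TcpReachable -and $_.TlsOk) }
if ($Failed) {
    Write-Warning ("Prerequisite not met for: " + ($Failed.Destination -join ', '))
    exit 1
}
```

Compare the reported issuer with what you see from a host outside the corporate proxy; a mismatch means the flow is being intercepted and the agent's own certificate validation may fail.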
5. Email for AD Connector configuration
Please send an email to [email protected] with the following information completed so that our SOC team can proceed with the installation.
Subject: [Company Name] Technical Information – AD Connection Configuration
Dear Stoïk team,
In order to configure the SentinelOne Singularity Identity solution, here are the details of my Active Directory infrastructure.
1. Domain Connectivity
Domain Name: The FQDN of your Active Directory domain.
Domain Controller FQDN: The full name of the primary DC to be used for queries.
Forest Scope: Would you like to enable the "Monitor subdomains" option to analyze all domains within the same forest?
2. AD Service Account
To allow the AD Connector to query your directory, a dedicated service account is required:
Username: (example: svc_ranger_ad).
Password
3. Communication Protocols
Confirm the authorized methods within your network:
LDAP Method: LDAPS (Port 636 - Recommended) or LDAP (Port 389).
WinRM Method: Over HTTPS (Port 5986 - Recommended) or Over HTTP (Port 5985).
4. Synchronization Preferences
AD Sync: Confirm that you want to synchronize users and groups for identity context enrichment.
Best regards,
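To answer points 1 and 3 of the email accurately, the following added PowerShell check (an example written for this page, not part of the Stoïk or SentinelOne procedure) can be run from the host intended for the AD Connector: it attempts an authenticated LDAP bind against the DC on port 636 with TLS and on 389 without, and probes the WinRM listeners on 5986 and 5985, so that you report only the methods the DC actually offers. $DcFqdn is a placeholder you replace with your own domain controller; the two function names are assumptions.

```powershell
# Added example. Run as a domain user from the prospective AD Connector host.
$DcFqdn = 'dc01.corp.example'   # placeholder: the domain controller FQDN you will report

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    # Hypothetical helper. Binds as the current user; with -UseSsl the TLS handshake fails
    # if the DC has no valid LDAPS certificate, which is what you need to know before choosing LDAPS.
    param([string]$Server, [int]$Port, [bool]$UseSsl)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection("${Server}:${Port}")
    try {
        $conn.SessionOptions.SecureSocketLayer = $UseSsl
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.Bind()
        return 'bind OK'
    } catch {
        return "failed: $($_.Exception.GetBaseException().Message)"
    } finally {
        $conn.Dispose()
    }
}

function Test-WinRmListener {
    # Hypothetical helper. Test-WSMan sends a WS-Management identify request;
    # -UseSSL targets the HTTPS listener on 5986, otherwise the HTTP listener on 5985.
    param([string]$Server, [bool]$UseSsl)
    try {
        $null = Test-WSMan -ComputerName $Server -UseSSL:$UseSsl -ErrorAction Stop
        return 'listener OK'
    } catch {
        return "failed: $($_.Exception.Message)"
    }
}

# One row per option listed under "3. Communication Protocols" in the email template.
[pscustomobject]@{
    'LDAPS (636, recommended)'        = Test-LdapBind -Server $DcFqdn -Port 636 -UseSsl $true
    'LDAP (389)'                      = Test-LdapBind -Server $DcFqdn -Port 389 -UseSsl $false
    'WinRM HTTPS (5986, recommended)' = Test-WinRmListener -Server $DcFqdn -UseSsl $true
    'WinRM HTTP (5985)'               = Test-WinRmListener -Server $DcFqdn -UseSsl $false
} | Format-List
```

A failure on 636 or 5986 alone usually means the DC lacks a server certificate or an HTTPS listener rather than a firewall block; fix that first so the recommended encrypted options can be selected in the connector configuration.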