How we automated our PingCastle security audit reports for our Active Directory

Romain TIENNOT
Published in ManoMano Tech team
3 min read · Sep 28, 2021

As the SysAdmins in charge of Active Directory at ManoMano, it is important for us to guarantee a very high level of security. To achieve this we use, among other things, a great program: PingCastle.

PingCastle is a tool that quickly evaluates the security level of an Active Directory and summarises it in a report. The report gives a score for each of four themes, and every anomaly found is explained with a proposed solution.

It was developed by Vincent LE TOUX, and we thank you for this fabulous work! 🙏

Great adventures always start with a great story

At ManoMano, we like to work as a team. Together with the security team 👮 (you may have seen some articles by Laurent Delosieres or Jules Duvivier) we set up a process that notifies us directly in Slack when the PingCastle report score changes (for better, but also for worse).

This way, we can react quickly to remediate if the score goes up (in PingCastle, a higher score means more risk) or celebrate if the score goes down!

In this article, we will detail the infrastructure scheme we used to create these reports and share with you a PowerShell script to create your own notifications, because yes, we are like that! 😄

Scheme and explanation

Here is the scheme, explained point by point.

1. The PowerShell script will run the PingCastle program to generate a report in XML and HTML format.

2. The XML report is parsed to retrieve the scores, which are compared with those of the previous run. If the scores differ, or if this is the first execution, we go to step 3.

3. The PowerShell script calls an N8N endpoint, sending it the content of the HTML report and the scores.

4. N8N calls TheHive to create an IT security alert. It then uploads the report to a secure Google Drive folder and retrieves a link to it, and finally posts a Slack message with the score and the Google Drive link in a private channel.

5. Security receives an alert from TheHive and can close it when it is remediated.

6. SysAdmin and security will receive a Slack notification. We use this process to estimate the urgency and plan our actions.

And here’s the result 🎉

Let’s share our experience and knowledge!

Below is an example script that you can use to generate the report. It doesn’t matter if you don’t have this infrastructure: you just have to adapt the script at line 145 to send the report by email or to call an API instead.

To make it work, save it in a directory, for example as PingCastleReport.ps1.

In the same directory, download the PingCastle release, unzip it and rename the folder ‘PingCastle’.
You should end up with this tree, minus the Reports folder, which is created on the first run.
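The article’s own script is not reproduced on this page, so here is an added example (not ManoMano’s script) that implements steps 1 to 3 above: run PingCastle, read the five scores from the healthcheck XML, compare them with the previous run and post the scores plus the HTML report to an endpoint only when something changed. It assumes PingCastle.exe sits in .\PingCastle next to the script, that the XML root is HealthcheckData with the score element names used below (check them against your own ad_hc_*.xml, as names can change between PingCastle versions), and a placeholder N8N webhook URL you replace with yours.

```powershell
# Added example, not the article's script. Assumptions: PingCastle.exe in .\PingCastle,
# healthcheck XML root <HealthcheckData> with the score elements below, placeholder endpoint.
$Root     = $PSScriptRoot
$Reports  = Join-Path $Root 'Reports'
$LastRun  = Join-Path $Reports 'last_scores.json'
$Endpoint = 'https://n8n.example.invalid/webhook/pingcastle'   # placeholder, replace with yours
$Domain   = $env:USERDNSDOMAIN

New-Item -ItemType Directory -Path $Reports -Force | Out-Null

# Step 1: run the healthcheck. PingCastle writes ad_hc_<domain>.xml/.html in the working directory.
Push-Location $Reports
& (Join-Path $Root 'PingCastle\PingCastle.exe') --healthcheck --server $Domain | Out-Null
Pop-Location
$xmlPath  = Join-Path $Reports "ad_hc_$($Domain.ToLower()).xml"
$htmlPath = Join-Path $Reports "ad_hc_$($Domain.ToLower()).html"

# Step 2: read the global score and the four theme scores from the XML.
[xml]$hc = Get-Content -Path $xmlPath
$scores = [ordered]@{
    Global          = [int]$hc.HealthcheckData.GlobalScore
    StaleObjects    = [int]$hc.HealthcheckData.StaleObjectsScore
    PrivilegedGroup = [int]$hc.HealthcheckData.PrivilegiedGroupScore   # spelling as in PingCastle's XML
    Trust           = [int]$hc.HealthcheckData.TrustScore
    Anomaly         = [int]$hc.HealthcheckData.AnomalyScore
}

# Compare with the previous run; notify on the first run or when any score moved.
$previous = $null
$changed  = $true
if (Test-Path $LastRun) {
    $previous = Get-Content -Path $LastRun -Raw | ConvertFrom-Json
    $changed  = @($scores.Keys | Where-Object { $scores[$_] -ne [int]$previous.$_ }).Count -gt 0
}

if ($changed) {
    # Step 3: send scores, previous scores and the HTML report (base64) to the endpoint.
    # Swap this block for Send-MailMessage or another API call if you have no N8N.
    $body = @{
        domain   = $Domain
        scores   = $scores
        previous = $previous
        html     = [Convert]::ToBase64String([IO.File]::ReadAllBytes($htmlPath))
    } | ConvertTo-Json -Depth 4
    Invoke-RestMethod -Uri $Endpoint -Method Post -ContentType 'application/json' -Body $body
    # Persist the current scores only after a successful notification.
    $scores | ConvertTo-Json | Set-Content -Path $LastRun
}
```

Only the scores are kept between runs, so the HTML and XML reports in Reports are overwritten each time; archive them separately if you want a history.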

All that’s left to do is run the script to generate your report. 🎉 You can schedule it to be alerted when there is a score change!
