Discover Package icon

Discover Package

The Discover Package is the entry level package into ACDP. It assists customers in getting their SOC to interact with their environment in a risk-based way, leveraging the power of machines to optimize the work of the human.

Asset Enumeration icon

Enterprise Asset Enumeration


The Enterprise Asset Enumeration Module contains services designed to enumerate a customer’s environment. It can provide real-time endpoint interrogation, identify hosts and network-connected devices, discover and validate vulnerabilities, quantify Network Resilience, and provide Blast Radius calculations for attack path planning. The module supports basic security use cases such as identifying both new and existing infrastructure vulnerabilities. For example:

  • Identification of all active nodes and their activity within your network
  • Discovery of rogue or unknown hosts
  • Enumeration of vulnerabilities
  • Identification of exploitable software without vulnerabilities
  • Active endpoint interrogation (via Osquery)

Identity Assurance icon

Identity Assurance


The Identity Assurance Module leverages highly specific algorithms designed to identify anomalous activity within the customer’s environment. The module is designed to verify that an entity within a given environment is actually what it claims to be. In other words, identification data from any system, process, person, or location is now easily verifiable.

The Identity Assurance Module aids in security and awareness across all instrumented forests and domains and is part of ACDP's Advanced Monitoring and Protection suite. The included services are designed to provide maximum confidence in all authentication requests across the enterprise, using both deterministic and heuristic detection methods to monitor and detect attempted misuse or anomalous interaction between users, domain controllers, and services on the network. Special attention is paid to Kerberos and Active Directory to monitor ongoing credential use and configurations which can indicate attempts to escalate privileges to valuable resources/services, unadvisable or unintentional misconfigurations within the domain, or unexpected ongoing changes or actions due to change control failures within the monitored network(s).

The Identity Assurance Module is managed via the cloud-based ACDP Web Application and includes API access for querying a RESTful Application Programming Interface (API) to retrieve detected events and the ability to forward events to another downstream service or application.

The following analytics are included:

  • Stateful Validation of Kerberos Authentication Events
  • Forged Golden Ticket Detection
  • Forged Silver Ticket Detection
  • Pass the Hash Detection
  • Pass the Ticket Detection
  • Skeleton Key Detection
  • DC Shadow Detection
  • DC Sync Detection
  • Active Directory Monitoring and Analytics
  • User and Entity Behavioral Analytics

The advanced analytics used to provide external validation of the Kerberos protocol and the other analytic routines described herein requires the deployment of lightweight agents across select machines in the monitored domain. ACDP’s unique ability to alert in near real-time on Golden and Silver tickets requires the Agent-based sensor to be present at the domain controllers and all Kerberized servers. Additionally, some additional data sources are collected using a Active Directory Monitoring and Windows Event Log Collector deployed within each domain.

To ensure security and reliability of all data sets required to ensure trust on the monitored domains, Fractal assists customers in deploying a high-availability message queue and the ADMonitoring and Windows Event Log collector services within each domain. These can be deployed on physical servers or on virtual machines within the customer environment. The user is responsible for administering servers and services within their network, but Fractal support and deployment staff are readily available to assist.

Active Directory Monitoring

The Active Directory (AD) monitoring capabilities in ACDP are used to proactively identify weaknesses across the domain, identifying misconfigured accounts and Domains Controllers, accounts and administrators that have over-allocated privileges, and the quantity of users, trusts, domains, administrators, and groups. Using the graph database capabilities in Fractal OS, ACDP makes it easy to explore hidden relationships within Active Directory to expose true relationships and authorities. This helps to uncover complex attack paths that would be readily exploited by attackers but are only visible when viewing AD graphs and not lists of privileges. Ongoing AD monitoring and health reporting effectively highlights users who are not using allocated privileges, trusts that are not utilized, and groups that are not properly configured. Integrated summaries of AD environment health provide ongoing metrics and reporting for:

  • AD permissions graph analysis
  • stale accounts
  • enumeration of domain and forest trusts
  • domain KPIs and metrics
  • krbtgt password reset times
  • null session enabled in DCs
  • accounts in domain admin groups without password expiry
  • non-admin user abilities to add computers within a domain
  • account and group creation and membership to include frequency of change

User and Entity Behavioral Analysis (UEBA)

ACDP can use Osquery information, Windows Event Logs, Kerberos and authentication data, proxy logs, among other data, to provide rich behavioral analysis capabilities in large complex networks. This capability analyzes user data to discover inconsistencies or outliers for quantification against network actions, access, and business processes. When coupled with the Asset Mapping module and endpoint interrogation, discreet actions at the endpoints themselves can be characterized and presented with context and criticality based on potential impact.

Network Security icon

Network Security


The Network Security Module includes the Advanced Monitoring and Protection Module (AMP) and the basic Incident Response Workflow. This is the user interface that analysts interact with to identify and remediate security incidents, and is designed to integrate ACDP from a user’s point of view. This includes incident ticketing, telemetry, log aggregation, data lake queries, alert prioritization, access to Osquery Agents, and access to the Fractal Cyber-Physical Graph (CPG). Analysts can work on incidents throughout their life cycle, pull in telemetry logs, and coordinate remediation tasks out of a single “pane of glass.”

The network security module includes the following capabilities:

  • Ingest data from most log sources
  • Generate enriched events based on the log source
  • Track issue tickets for event remediation and closure
  • Direct query access to ingested data
  • Cloud infrastructure security monitoring
  • Cloud-based application security monitoring

Distributed Data Classification and Loss Prevention

Distributed Data Classification and Loss Prevention


The Distributed Data Classification and Loss Prevention module contains tools to enhance organizational understanding of data, its locality, and reduce the likelihood of data loss and exfiltration. This module heavily leverages the advanced NLP and data extraction infrastructure within Fractal OS. Customers can review a set of common data types (e.g. SSNs, names, telephones, addresses, account numbers, etc.) which have special handling, reporting, or duty-of-care requirements. Customers may also add a combination of patterns and/or keywords/subjects which are unique to their organization's business or operational requirements that should be monitored. These definitions of patterns and examples of sensitive content are used to train models and search processes that can identify sensitive data from a plurality of sources and feed it into the SOC via the ACDP incident and event feed. ACDP supports definition of custom rules as well as triage, escalation, and notification procedures for identified items of interest that can be tailored for the customer use case. Data to feed this process can be obtained from several sources including network security monitoring tools that can assemble transmitted files (or portions of them), use of file carving to return data from endpoints (e.g. via Osquery), or via other telemetry sources on the network (e.g. perimeter security devices, emails, or printer jobs). This module also supports data classification against these defined criteria for risk management and privacy related organizational functions including GDPR.