
Security Guardian Current - User Guide


Findings

Findings allow you to view and investigate notable events in your organization's Active Directory, including:

  • Tier Zero object activity, including the identification of unprotected Tier Zero objects

  • Indicators of Exposure and Indicators of Compromise detected by Security Guardian and collected by On Demand Audit.

NOTE: An exposure indicates that objects are susceptible to an adversary attack. A compromise indicates that it's possible an adversary attack has already occurred.

To view Findings:

From the left navigation menu, choose Security | Findings.

The Findings list displays Active Directory objects, along with the following information for each:

  • Finding

  • one of the following Severity levels:

    NOTE: Security Guardian calculates severity levels by a range of values (the lower the value, the higher the severity). If you sort by this column, you can see the Findings in order of most to least severe.

    Critical: Generally reserved for Indicators of Compromise and Indicators of Exposure that are changes to Tier Zero object security, have significant potential impact on the Active Directory environment, and are not part of the default Active Directory configuration.

    High: Generally reserved for Indicators of Exposure that are of high concern but impact single objects, the discovery of new Tier Zero domain objects, and changes to Tier Zero objects that occur more often through normal business operations or are part of the default Active Directory configuration.

    Medium: Generally reserved for the addition of Tier Zero user, computer, group, and Group Policy objects.

  • Type (Tier Zero, Exposure, or Compromise)

  • The date and time Last Detected

    NOTE: This field displays the signed-in user's local date and time.

  • Status (Active or Inactive)

NOTE: If you click the Filter button, you can filter displayed results by one or more of the following criteria:

  • Finding

  • Severity

  • Type

  • Status

    (Active Findings display by default. You can choose to display either Active or Inactive Findings in the list, but not both.)

From the Findings list you can dismiss one or more Findings and view Finding history.

Investigating Findings

From the Findings list, you can investigate Findings in more detail for:

  • Tier Zero objects that have been identified by the Tier Zero provider (Security Guardian or BloodHound Enterprise) or manually by a user

  • Exposures and Compromises that have been detected through Security Guardian Assessments and On Demand Audit critical activity.

Click on the Finding you want to investigate.

The Investigate Finding page consists of three sections.

  • What Happened?

  • Am I Exposed?

  • How Do I Fix This?

You can navigate between sections either by clicking a section name or using the Next and Back buttons.

Investigating Tier Zero Activity

The top of a Tier Zero Object Investigation page identifies the object being investigated, along with the following information:

  • the Severity of the Finding

  • the Finding Type (Tier Zero)

  • the Certification Status (Certified or Not Certified)

  • the Finding Status (Active or Inactive)

  • Last Updated (that is, the last time the Finding was detected)

    NOTE: Last Updated displays a relative time. However, if you hover over the clock icon you can see an exact date and time. This field displays the signed-in user's local date and time.

  • options to certify the Tier Zero object, dismiss the Finding, and view history of the Finding.

What Happened?

This section indicates why a Finding was raised for the Tier Zero object, as well as the number of other Tier Zero objects that it impacts and is impacted by.

NOTE: If BloodHound Enterprise is the Tier Zero provider, it can return a maximum of 1000 related objects for each Tier Zero category.

The What Happened? section for Tier Zero also includes a series of links to help you complete your investigation, as described in the following table.

View Details

The properties of the Tier Zero object, including whether it was added by the system (Security Guardian or BloodHound Enterprise) or by a user, identifiers used for the object within Active Directory, the date the object was added and the date its information was last updated.

NOTE: The Date Added field displays the signed-in user's local date and time.

View Relationships

If BloodHound Enterprise is configured, this link enables you to log into BloodHound (if you have at least Read permissions) and view attack paths between the object being investigated and other AD objects.

NOTE: If Security Guardian is the Tier Zero provider, this option will be hidden.

View Recent Activity

This link opens the Quick Search page in On Demand Audit, which lists event data for the object being investigated.

Escalate this Finding

Copy: This link allows you to copy the text of the Finding to the clipboard so that you can share it with others.

Send email: This link allows you to prepare and send an escalation email to recipients with whom you want to share the Finding.

Am I Exposed?

Because Tier Zero objects are critical assets, this section recommends that you explore all recent activity, inbound and outbound control, and relationships to determine the level of exposure produced by the Tier Zero object. Included are links to additional active Findings that can be considered related based on the object type of the Tier Zero object currently being investigated. When investigating a given Finding, related active Findings will be displayed in one of the following sections based on their source:

  • Assessment Findings

  • Audit Findings

  • Protection Findings

How Do I Fix This?

This section provides recommendations for investigation and remediation.

NOTE: If BloodHound Enterprise is the Tier Zero provider, the View Relationships link to BloodHound Enterprise is also provided in this section.


Investigating Indicators of Exposure and Compromise

Findings for Indicators of Exposure and Indicators of Compromise are raised when:

  • vulnerabilities are detected when a Security Guardian Assessment is run

  AND/OR

  • critical activity anomalies are detected by On Demand Audit.

NOTE: An exposure indicates that objects are susceptible to an adversary attack. A compromise indicates that it's possible an adversary attack has already occurred.

The top of an Investigation page identifies the object being investigated, along with the following information:

  • the Severity of the Finding

  • the Finding Type (Exposure or Compromise)

  • the Finding Status (Active or Inactive)

  • the number of Affected Objects

  • Last Updated (that is, the last time the Finding was detected)

    NOTE: Last Updated displays a relative time. However, you can hover over the clock icon to see an exact date and time (which displays the local date and time of the signed-in user).

What Happened?

The What Happened? section for Indicators of Exposure and Indicators of Compromise provides a description of the Finding and lists the objects that are affected. The following information is included for each object:

  • Object Name

  • Principal Name (which is searchable)

  • Object Type

  • First Discovered date and time

    NOTE: This field displays the signed-in user's local date and time.

  • Certification Status, which may be

    • Certified or Not Certified (for Tier Zero objects)

      OR

    • Not Tier Zero

    NOTE: A status of "Status Not Available" may occur if the object has been deleted from Active Directory or the Object ID cannot otherwise be identified.

This section also includes a series of links to help you complete your investigation, as described in the following table.

For Selected Objects in the list

Object Name (for a single object)

The properties of the object, including whether or not it is Tier Zero, identifiers used for the object within Active Directory, the date the object was added and the date its information was last updated.

NOTE: The date fields display the signed-in user's local date and time.

Mute Object button

See Muting Findings for Indicators of Exposure and Compromise.

View Activity button (for a single object)

This link opens the Quick Search page in On Demand Audit, which lists event data for the object being investigated.

View Assessment button (for a single object)

If the indicator was raised by a Security Guardian Assessment, this link opens the Assessment Results Vulnerability Detail page that includes the selected object.

NOTE: This button is enabled only when a single object is selected.

View critical activity link

If the indicator was raised by an On Demand Audit critical activity event, this link opens Critical Activity event details in On Demand Audit.

Escalate this Finding

Copy: This link allows you to copy the text of the Finding to the clipboard so that you can share it with others.

Send email: This link allows you to prepare and send an escalation email to recipients with whom you want to share the Finding.

Am I Exposed?

This section displays additional active Findings that can be considered related to the Finding currently being investigated. The Findings are considered related based on object type, similar attributes impacted, and possible exposed attack type. When investigating a given Finding, related active Findings will be displayed in one of the following sections based on their source:

  • Assessment Findings

  • Audit Findings

  • Protection Findings

How Do I Fix This?

This section provides the recommended remediation.
