Configuring a Forwarding Destination
If your organization uses Microsoft Sentinel and/or Splunk (Cloud Platform or Enterprise) as a SIEM solution, you can configure Security Guardian to forward Findings to the applicable tool for further analysis.
You can also configure email alerts for Findings, as well as for the first completed assessment.
Once configured, the tile for the forwarding destination shows details of the configuration, as well as when the last Finding was sent. A forwarding destination can also be edited or removed.
To access the Forwarding configuration page:
-
From the On Demand left navigation menu, choose Security | Settings.
-
Make sure the Forwarding tab is selected.
To configure Microsoft Sentinel as a forwarding destination:
-
Click Add Forwarding Destination, select Microsoft Sentinel.
-
Enter the Sentinel Workspace ID and Shared (Primary) Key.
Refer to the Microsoft documentation for instructions on Finding the Workspace ID and key.
-
Click Send Test Event to ensure that a connection can be made to Sentinel.
A message will be returned indicating whether or not the test event was successfully sent. If the test event was not successful, ensure the Workspace ID and Shared Key were entered correctly.
-
Click Save.
To configure Splunk (Cloud Platform or Enterprise) as a forwarding destination:
-
Click Add Forwarding Destination, select Splunk.
-
Enter the Splunk HTTP Event Collector URL (e.g. <http or https>://<cloud or server address>:<port>) and Token.
Refer to the Splunk documentation for instructions on Finding the HTTP Event Collector URL and Token.
-
Click Send Test Event to ensure that a connection can be made to Splunk.
A message will be returned indicating whether or not the test event was successfully sent. If the test event was not successful, ensure the URL and Token were entered correctly.
-
Click Save.
To configure Email as a forwarding destination:
-
Click Add Forwarding Destination, select Email.
-
Add the Forward To email recipients that you want alerts sent to. If you are entering multiple email addresses, separate each with a semicolon.
-
Click Save.
Managing Indicators
An indicator consists of a set of criteria that is used to evaluate collected data and generate Findings for:
- Tier Zero object activity
- The following exposures and compromises:
- Security Assessment vulnerabilities detected by Security Guardian
- Critical Activity and unprotected Tier Zero objects collected by On Demand Audit.
|
|
NOTE: Indicator-specific detail, with listings by severity and by the data source, can be found in the Appendix. |
If you no longer want a Finding to be generated for an indicator, you can mute it.
|
|
EXCEPTION: New Tier Zero object indicators cannot be muted. |
To access the All Indicators page:
-
From the left navigation menu, choose Security | Settings.
-
Select the All Indicators tab.
A list of all indicators displays, with the following information for each:
-
Finding (Indicator name)
-
one of the following Severity levels:
 |
Critical |
Generally reserved for Indicators of Compromise and Indicators of Exposure that are changes to Tier Zero object security, have significant potential impact to the Active Directory environment, and are not part of the default Active Directory configuration. |
 |
High |
Generally reserved for Indicators of Exposure that are of high concern but impact single objects, the discovery of new Tier Zero domain objects, and changes to Tier Zero objects that occur more often through normal business operations or are part of the default Active Directory configuration. |
 |
Medium |
Generally reserved for the addition of Tier Zero user, computer, group, and Group Policy objects. |
-
Type (Tier Zero, Exposure, or Compromise)
-
Active Findings
-
Inactive Findings
-
number of Muted Objects
-
Mute Status
|
|
NOTE: If you click the Filter button, you can filter displayed results by one or more of the following criteria:
-
Indicator
-
Severity
-
Type
-
Mute Status |
To view Indicator Details:
Either:
Muting and Unmuting Indicators
When Managing indicators you can mute (or unmute) selected indicators to prevent (or allow) Findings. You can also unmute objects that were muted during Findings investigation.
|
|
NOTES:
-
New Tier Zero [Object] Detected indicators cannot be muted and the Mute Indicator option will be disabled.
-
If an indicator for a Security Assessment vulnerability is muted, that vulnerability will not be evaluated in future Assessments.
-
If an indicator for On Demand Audit Critical Activity is muted, associated events will be hidden. |
To mute (or unmute) indicators:
Either:
To unmute objects within an indicator:
-
From the Indicator Details Muted Objects for this Indicator section, select the object(s) you want to unmute.
-
Click Unmute Object.
Appendix - Security Guardian Indicator Details
This appendix provides details of all indicators in Security Guardian, listed both by severity and by source.
|
|
NOTE: For the general criteria Security Guardian uses to determine severity levels, refer to the topic Managing Indicators. |
