The diagram below illustrates how Security Guardian functions, including how additional components are integrated.
Introducing Quest Security Guardian
About On Demand
About Security Guardian
Access Control
Functional Overview
Configuring Additional Components
Using the Dashboard
Tier Zero Objects
How Tier Zero Objects are Identified
Tier Zero Objects List
Viewing Tier Zero Object Details
Adding Tier Zero Objects Manually
Certifying Tier Zero Objects
Protecting Tier Zero Objects
Assessments
First Assessment Notification Email
Built-in Assessments
All Assessments List
Discoveries and Vulnerabilities
Findings
Discoveries List
Pre-Defined Discoveries and Vulnerabilities
Creating an Assessment
Viewing, Editing, and Deleting an Assessment
Assessment Results
Discovery for Credential Access Vulnerabilities
Discovery for Defense Evasion Vulnerabilities
Discovery for Discovery Vulnerabilities
Discovery for Initial Access Vulnerabilities
Discovery for Lateral Movement Vulnerabilities
Discovery for Persistence Vulnerabilities
Discovery for Privilege Escalation Vulnerabilities
Discovery for Reconnaissance Vulnerabilities
Creating a Discovery
Viewing, Editing, and Deleting a Discovery
Investigating Findings
Muting Findings for Indicators of Exposure and Compromise
Dismissing Findings
Viewing Finding History
Security Settings
Appendix - Security Guardian Indicator Details
Functional Overview
Configuring Additional Components
Additional components need to be configured to make Security Guardian fully functional.
To configure additional components:
-
From the On Demand left navigation menu, choose Security | Dashboard.
-
From the Configuration Status tile, configure the necessary components.
NOTE: Once an additional component is configured in On Demand, it's available to any other module that uses it.
| Component | Purpose | Instructions | ||
|---|---|---|---|---|
| Hybrid Agent | Gives Security Guardian access to the Active Directory domain(s) that you want to keep secure. |
On Demand Global Settings User Guide - Adding an on-premises agent When configuring the agent, ensure that:
| ||
|
Quest Change Auditor (via On Demand Audit) |
Sends Active Directory events to On Demand Audit for reporting in Security Guardian Findings and allows you to protect Tier Zero objects.
|
Instructions are provided via a tool tip in the Security Guardian UI. You can also find instructions at On Demand Audit User Guide - Change Auditor Integration
| ||
|
SpecterOps BloodHound Enterprise (Optional) |
Identifies Tier Zero assets in your organization's Active Directory domain(s), which you can monitor and assess for security vulnerabilities in Security Guardian.
|
On Demand Audit User Guide - Specter BloodHound Integration | ||
|
SIEM solution:
(Optional) |
Allows Security Guardian Findings to be forwarded to a configured SIEM tool for further analysis
|
Using the Dashboard
The Security Guardian dashboard displays a visual summary of the current security status of your organization's Active Directory.
To access the Security Guardian dashboard:
From the On Demand left navigation menu, choose Security | Dashboard. The dashboard contains tiles for each of the following components:
- Uncertified Tier Zero Objects
- Highest Severity Findings
- Tier Zero Objects Summary
- Active Exposures and Active Compromises
- Configuration Status
The Uncertified Tier Zero Objects tile:
-
displays the last time the Tier Zero list was synchronized
-
lists the last ten uncertified Tier Zero objects of each type that were added to Security Guardian (you can click View All for an object type to view the complete list)
NOTE: Tier Zero objects that have been certified are excluded from the list.
-
provides links that allow you to
- view object details (by clicking an object name)
-
NOTE: From within the Details view you can also certify the object. Once a Tier Zero object is certified, it will no longer display in this tile.
- Investigate the Finding for the object
- add a new Tier Zero object
- if BloodHound Enterprise is configured, log into BloodHound (if you have at least Read permissions) to open the Attack Paths page
-
NOTE: If Security Guardian is your Tier Zero provider, this link is hidden.
- view the Tier Zero Objects list.
The Highest Severity Findings tile displays the top five active Findings of the highest severity. Information includes:
- the Finding name
- when the Finding was Detected
- the Finding Type (Tier Zero, Exposure, or Compromise)
- the Severity indicator (Critical, High, or Medium)
- a link that allows you to Investigate the Finding
The View All link at the bottom of the tile allows you to view the list of all active Findings for the organization.
The Tier Zero Objects Summary tile displays a graphical representation of the number of certified vs. uncertified Tier Zero objects.
The Active Exposures and Active Compromises tile shows the total number of Indicator of Exposure and Indicator of Compromise Findings in the organization by severity level (Critical, High, and Medium).
From the Configuration Status tile you can configure additional components and view existing configurations.
Tier Zero Objects
Tier Zero objects are the most critical assets within an organization. Within the Microsoft enterprise access model, Tier Zero objects in Active Directory include accounts, groups, and other assets that have direct or indirect administrative control of AD and the assets within it.
Currently, Security Guardian supports the following Tier Zero object types:
- Domains
- Computers
- Groups
- Group Policies
- Users
The Tier Zero provider (Security Guardian or BloodHound Enterprise) identifies Tier Zero objects within the organization's Active Directory domain(s). These objects are then collected by and displayed in Security Guardian.
You can also add Tier Zero objects to Security Guardian manually.