
Security Guardian Current - User Guide


Adding Tier Zero Objects Manually

You can add Tier Zero objects manually for AD objects that were not identified as Tier Zero by the Tier Zero provider but are considered critical assets in your organization.


In addition to the Tier Zero objects identified by the Tier Zero provider, it is recommended that the following objects be added manually:

  • Microsoft Entra Connect servers, including:

    • servers with PTA agents if Pass-Through Authentication (PTA) is enabled

    • the "AZUREADSSO" computer account

  • Active Directory Federation servers

  • Distributed COM Users

  • Privileged access management (PAM) systems

  • Certificate Authorities and Subordinates

  • Computers that host Quest Recovery Manager and other Active Directory management software and their backups

  • Computers that host GPOAdmin, Active Administrator, and other group policy management software

  • Microsoft Exchange Servers (if split permissions are not configured)

  • Microsoft System Center Configuration Manager (SCCM) servers or equivalent

  • Microsoft Exchange Groups (if default permissions are still configured)

  • Microsoft SQL server or equivalent if hosting a database from a Tier Zero system

  • Active Directory Management and auditing software, such as Change Auditor or Active Roles Server
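The assets in this list live in different places in Active Directory (domain partition, built-in groups, the configuration partition), so locating them by hand is error-prone. As an added example that is not part of the Quest guide or the Security Guardian product, the following PowerShell script uses the ActiveDirectory module to enumerate several of these candidates so they can be reviewed before being added manually. The "AZUREADSSO" computer account and the Distributed COM Users group are taken from the list above; the MSOL_* connector-account description pattern used to find Microsoft Entra Connect servers, and the configuration-partition containers used for Enterprise CAs and Exchange servers, are assumptions about default deployments and should be checked against your environment.

```powershell
# Added example (not Quest Security Guardian code): enumerate candidate Tier Zero
# assets from the recommended list so an administrator can review them before
# adding them manually in the Security Guardian console.
# Assumptions: run on a domain-joined host with RSAT (ActiveDirectory module)
# and read access to the configuration naming context.
Import-Module ActiveDirectory

function Get-TierZeroCandidate {
    $config     = (Get-ADRootDSE).configurationNamingContext
    $candidates = [System.Collections.Generic.List[object]]::new()

    function Add-Candidate {
        param([string]$Category, [string]$Name, [string]$DistinguishedName)
        $candidates.Add([pscustomobject]@{
            Category          = $Category
            Name              = $Name
            DistinguishedName = $DistinguishedName
        })
    }

    # Seamless SSO computer account created by Microsoft Entra Connect (name from the guide)
    Get-ADComputer -Filter 'Name -eq "AZUREADSSO"' |
        ForEach-Object { Add-Candidate 'Entra Connect (Seamless SSO)' $_.Name $_.DistinguishedName }

    # Entra Connect servers: assumption that the default MSOL_* connector account
    # is still in use and its description names the server it was installed on
    Get-ADUser -Filter 'Name -like "MSOL_*"' -Properties Description |
        ForEach-Object {
            if ($_.Description -match 'running on computer (\S+)') {
                $server = Get-ADComputer -Filter "Name -eq '$($Matches[1])'" -ErrorAction SilentlyContinue
                if ($server) { Add-Candidate 'Entra Connect server' $server.Name $server.DistinguishedName }
            }
        }

    # Built-in Distributed COM Users group (from the guide's list)
    Get-ADGroup -Filter 'Name -eq "Distributed COM Users"' |
        ForEach-Object { Add-Candidate 'Distributed COM Users' $_.Name $_.DistinguishedName }

    # Enterprise CAs: assumption that they are registered under Public Key Services
    # in the configuration partition (standard for AD CS enrollment services)
    $pkiBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$config"
    Get-ADObject -SearchBase $pkiBase -Filter 'objectClass -eq "pKIEnrollmentService"' `
                 -Properties dNSHostName -ErrorAction SilentlyContinue |
        ForEach-Object {
            $caHost = Get-ADComputer -Filter "DNSHostName -eq '$($_.dNSHostName)'" -ErrorAction SilentlyContinue
            if ($caHost) { Add-Candidate 'Certificate Authority' $caHost.Name $caHost.DistinguishedName }
        }

    # Exchange servers: assumption that they are registered as msExchExchangeServer
    # objects under CN=Microsoft Exchange in the configuration partition. Listed
    # regardless of whether split permissions are configured; the reviewer decides.
    $exBase = "CN=Microsoft Exchange,CN=Services,$config"
    Get-ADObject -SearchBase $exBase -Filter 'objectClass -eq "msExchExchangeServer"' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $exHost = Get-ADComputer -Filter "Name -eq '$($_.Name)'" -ErrorAction SilentlyContinue
            if ($exHost) { Add-Candidate 'Exchange server' $exHost.Name $exHost.DistinguishedName }
        }

    return $candidates
}

# Usage: review the output, then add the confirmed objects manually by Principal Name.
Get-TierZeroCandidate | Sort-Object Category, Name | Format-Table -AutoSize
```

The script only reports candidates; it does not change anything in AD or in Security Guardian. Items it cannot locate by a stable attribute (AD FS servers, PAM systems, backup and GPO management hosts, SQL servers holding Tier Zero databases) still have to be identified from your own inventory and added by hand.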

To add a Tier Zero object manually:

  1. Use one of the following options:

  2. For each Tier Zero object you want to add:

    1. Enter the object's Principal Name, or type at least two characters then select the object from the drop-down. (Note that a message will display if the object is already Tier Zero.)

      The object will be added to the Principal Name list.

    2. In the Principal Name list, select object(s) you want to add.

  3. Click Save.

Removing Manually-Added Tier Zero Objects

You can remove Tier Zero objects that have been manually added by a user from the Tier Zero Objects list.

NOTE: Tier Zero objects added by the Tier Zero provider (Security Guardian or BloodHound Enterprise) cannot be removed via On Demand.


Note that, if you remove a manually-added object from the Tier Zero list, it will no longer be monitored and if re-added, it will revert to being Not Certified, regardless of its status when it was removed.


To remove a manually-added Tier Zero object:

  1. From the Tier Zero Objects list, select the object(s) you want to remove.

  2. Click Remove Tier Zero.

    NOTE: If any Tier Zero objects added by the Tier Zero provider are in the selection, the Remove Tier Zero option will be disabled.

    You will be prompted to confirm the action.

Certifying Tier Zero Objects

Certification is a means by which you can verify that any object identified by the Tier Zero provider or added manually by a user as Tier Zero qualifies as Tier Zero. Once certified, it will be used to establish a baseline for generating Findings for Detected and Hygiene Indicators.

By default, when an object is added as Tier Zero (which includes objects in the initial list collected by the Tier Zero provider), its status is Not Certified. This encourages you, as a Security Guardian administrator, to review each object for Tier Zero account security risks.

EXCEPTION: Because they pose the highest security risk to your Active Directory environment, Tier Zero Domain objects identified by the Tier Zero provider (Security Guardian or BloodHound Enterprise) are certified automatically and cannot be uncertified.

You can certify one or multiple objects from the Tier Zero Objects list, or individually from the Investigate Finding page or within an Uncertified Tier Zero Object's Details view on the Dashboard.

It is strongly recommended that any manually-added Tier Zero objects that, after review, have not been certified as Tier Zero be removed.

You can also uncertify any Tier Zero object, except a Domain object, that has been previously certified from the Tier Zero Objects list.

To certify Tier Zero objects from the Tier Zero Objects list:

  1. Select the object(s) you want to certify.

  2. Click Certify Tier Zero.

To certify a Tier Zero object from the Findings Investigation page:

Click Certify Tier Zero Object.

You will be prompted to confirm the certification. The confirmation dialog also includes a check box that allows you to dismiss the Finding at the same time.

NOTE: Once a Tier Zero object has been certified, it will no longer display in the Uncertified Tier Zero Objects tile on the Dashboard.

To uncertify a Tier Zero Object from the Tier Zero Objects list:

  1. Select the object you want to uncertify.

    NOTE: Only one certified object can be uncertified at a time. If more than one object is selected, or if a Domain object is selected, the option to uncertify will not be available.

  2. Click Uncertify Tier Zero.

Protecting Tier Zero Objects

If Change Auditor version 7.4 or Hybrid Audit is integrated with On Demand, you can protect Tier Zero objects from unauthorized or accidental modifications or deletions from the Security Guardian interface.

You can protect Tier Zero objects from the Findings Investigation page if one or more unprotected Tier Zero objects have been detected as a Detected TTP or Hygiene Indicator, or from the Tier Zero list.

NOTES:

  • Currently, you cannot unprotect objects in Security Guardian when integrated with Change Auditor. However, Change Auditor can be used to unprotect objects. Once an object is unprotected, a new Finding will be raised in Security Guardian.

  • When Security Guardian is integrated with Hybrid Audit, Tier Zero protection templates can be managed in Hybrid Audit | Protection.

  • When an object within a Finding is protected, it no longer displays in the Findings investigation page. However, object protection status details can be viewed in Change Auditor.

Tier Zero Protection Status

The Tier Zero protection status is displayed in the Protection Status column of the Tier Zero Objects List. The status may be:

  • Not Protected

  • Protected

  • Pending Evaluation

    NOTE: A Pending Evaluation status indicates that either Change Auditor has not completed processing the protection request or that Change Auditor 7.4 or later is not integrated with On Demand.

To protect Tier Zero objects from the Tier Zero list:

  1. Select the unprotected object(s) you want to protect.

  2. Click the Enable Protection button.

To protect Tier Zero objects from the Findings Investigation page (if applicable):

  1. On the Findings Investigation page What Happened? section, select the Tier Zero object(s) that you want to protect.

  2. Click the Enable Protection button.
