Security Guardian Current - User Guide

Using Security Guardian Intelligence with Findings

Security Guardian Intelligence can quickly answer your questions and provide a high-level overview of your environment, including identified Findings and recommended actions to resolve issues.

NOTE:

  • Before you can access the Security Guardian Intelligence assistance, you need to read and accept the AI Terms of Use.

  • You can also click the Security Guardian Intelligence icon next to a user account to view a review of the account and ask questions.

To access Security Guardian Intelligence from findings:

  1. From the left navigation menu, choose Security | Findings.

  2. Select a Finding and click the Security Guardian Intelligence tab.

  3. You can enter your question directly or select from the following to get started.

    1. Summary offers a concise overview of a specific Finding, including an explanation, the affected objects, real-world examples of similar issues, and suggested follow-up questions to guide further investigation.

    2. Related Findings highlights other active Findings that are connected by object-type or potential attack paths, helping you understand broader security implications and offering additional follow-up questions.

    3. Additional Information provides a detailed risk overview, including severity levels, affected objects, potential security threats, real-world exploit incidents, and a security risk review, along with relevant follow-up questions.

    4. Remediation outlines recommended remediation steps, including detailed instructions, and follow-up questions to support implementation.

Muting Findings for Hygiene and Detected Indicators

You can mute Findings for Hygiene, Detected TTP, and Detected Anomaly Indicators, or individual objects within those Findings, to prevent future Findings from being raised.

NOTE: If you want to mute an indicator entirely, you can do so from the All Indicators page.

To mute Findings:

  1. From the Findings Investigation page or Findings list (if you are dismissing multiple Findings), dismiss the Finding.

  2. When prompted to confirm the dismissal, check the Mute this Finding box.

NOTES:

  • Tier Zero [object] Detected Findings cannot be muted. If your selection includes any of these, the mute option will be unavailable.

  • Because Findings are muted at the time they are dismissed and therefore no longer display in the Findings list, they can only be unmuted from the All Indicators page.

To mute Findings for individual objects:

  1. From the Findings Investigation What Happened?/What Is Wrong? section, select the object(s) you want to mute.

  2. Click Mute Object.

NOTE: You can unmute muted objects from the Findings Investigation What Happened?/What Is Wrong? page or from the Indicator Details view.

Dismissing Findings

When you dismiss a Finding, the Finding will no longer display in the active Findings list.

  • For a Hygiene, Detected TTP, or Detected Anomaly Indicator, the Finding will continue to be monitored and any new Finding for the indicator will be raised unless it is muted.

  • For a Tier Zero indicator, the Finding will not be raised again unless the object is re-added as a Tier Zero or Privileged object.

    NOTES:

    • Only certified Tier Zero and Privileged objects can be dismissed. If a Tier Zero/Privileged object is not certified, the Dismiss option will be disabled. However, you can dismiss a Tier Zero/Privileged Finding as part of the certification process.

    • When you dismiss a Finding, the Finding Status is changed from Active to Inactive and can be viewed when the Findings list is filtered by Status = Inactive.

To dismiss a Finding after investigation:

  1. From the Investigate Finding page, click Dismiss Finding.

  2. You will be prompted to confirm the dismissal. For a Hygiene, Detected TTP, or Detected Anomaly Indicator, the confirmation dialog also includes a check box that allows you to mute the Finding at the same time.

To dismiss one or more Findings from the Findings list:

  1. Select the Finding(s) you want to dismiss.

  2. Click the Dismiss button.

NOTE: If your selection contains only Hygiene, Detected TTP, and/or Detected Anomaly Indicators, you will also have the option to mute the Finding(s). If the selection includes Tier Zero Findings, the option to mute will be unavailable. Any uncertified Tier Zero objects in the selection will not be dismissed.

Viewing Finding History

You can view the history of all actions associated with a Finding from the Findings list or the Findings Investigation page.

NOTE: Once a Finding is dismissed, no further history is recorded for it, although the existing history can still be viewed. If a new Finding is raised for the same indicator, a new history is created for that Finding.

To view a Finding's history from the Findings list:

  1. Select the Finding whose history you want to view.

  2. Click the View History button.

    NOTE: If more than one Finding in the list is selected, the button will be disabled.

To view a Finding's history from the Findings Investigation page:

Click the View History button.

For each action associated with the Finding (listed from newest to oldest), the following information displays:

  • Date

    NOTE: This field displays the signed-in user's local date and time.

  • Action

  • Source

  • Actor

For a Tier Zero [object] indicator, the history will include:

  • when the object was detected and whether the source was the provider (Security Guardian or BloodHound Enterprise) or Manually added.

  • when the Finding was created by Security Guardian.

For a Hygiene, Detected TTP, or Detected Anomaly Indicator the history will include:

  • when a Hygiene, Detected TTP, or Detected Anomaly object was detected and whether the source was Assessments or Audit.
  • when the Finding was created by Security Guardian.
  • when any objects within the Finding were muted/unmuted.
  • for an unprotected Active Directory Tier Zero object Finding, when the object was protected (if applicable).
