
Security Guardian Current - User Guide


Viewing Finding History

You can view the history of all actions associated with a Finding from the Findings list or the Findings Investigation page.

NOTE: Once a Finding is dismissed, history is no longer recorded for it, although the existing history can still be viewed. If a new Finding is raised for the same indicator, a new history is created for that Finding.

To view a Finding's history from the Findings list:

  1. Select the Finding whose history you want to view.

  2. Click the View History button.

    NOTE: If more than one Finding in the list is selected, the button will be disabled.

To view a Finding's history from the Findings Investigation page:

Click the View History button.

For each action associated with the Finding (listed from newest to oldest), the following information displays:

  • Date

    NOTE: This field displays the signed-in user's local date and time.

  • Action

  • Source

  • Actor

For a Tier Zero [object] indicator, the history will include:

  • when the object was detected and whether the source was the provider (Security Guardian or BloodHound Enterprise) or the object was manually added.

  • when the Finding was created by Security Guardian.

For a Hygiene, Detected TTP, or Detected Anomaly indicator, the history will include:

  • when a Hygiene, Detected TTP, or Detected Anomaly object was detected and whether the source was Assessments or On Demand Audit.
  • when the Finding was created by Security Guardian.
  • when any objects within the Finding were muted/unmuted.
  • for an unprotected Active Directory Tier Zero object Finding, when the object was protected (if applicable).

Security Settings

From the Security Guardian Settings page you can:

Configuring a Forwarding Destination


If your organization uses Microsoft Sentinel and/or Splunk (Cloud Platform or Enterprise) as a SIEM solution, you can configure Security Guardian to forward Findings to the applicable tool for further analysis.

You can also configure email alerts for Findings, as well as for the first completed assessment.


Once configured, the tile for the forwarding destination shows details of the configuration, as well as when the last Finding was sent. A forwarding destination can also be edited or removed.


To access the Forwarding configuration page:

  1. From the On Demand left navigation menu, choose Security | Settings.

  2. Make sure the Forwarding tab is selected.

To configure Microsoft Sentinel as a forwarding destination:

  1. Click Add Forwarding Destination, select Microsoft Sentinel.

  2. Enter the Sentinel Workspace ID and Shared (Primary) Key.

    Refer to the Microsoft documentation for instructions on finding the Workspace ID and key.

  3. Click Send Test Event to ensure that a connection can be made to Sentinel.

    A message will be returned indicating whether or not the test event was successfully sent. If the test event was not successful, ensure the Workspace ID and Shared Key were entered correctly.

  4. Click Save.

To configure Splunk (Cloud Platform or Enterprise) as a forwarding destination:

  1. Click Add Forwarding Destination, select Splunk.

  2. Enter the Splunk HTTP Event Collector URL (e.g. <http or https>://<cloud or server address>:<port>) and Token.

    Refer to the Splunk documentation for instructions on finding the HTTP Event Collector URL and Token.

  3. Click Send Test Event to ensure that a connection can be made to Splunk.

    A message will be returned indicating whether or not the test event was successfully sent. If the test event was not successful, ensure the URL and Token were entered correctly.

  4. Click Save.

To configure Email as a forwarding destination:

  1. Click Add Forwarding Destination, select Email.

  2. Add the Forward To email recipients that you want alerts sent to. If you are entering multiple email addresses, separate each with a semicolon.

  3. Click Save.
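As an added example (not Quest's code), the following Python checks the values from the Splunk and Email procedures above before they are entered: the HEC URL must match the `<http or https>://<cloud or server address>:<port>` shape, and the Forward To list is split on semicolons. The `/services/collector/event` path and `Authorization: Splunk <token>` header are Splunk's documented HEC conventions; the test payload is constructed here and is not the one the product sends.

```python
"""Offline pre-flight checks for Security Guardian forwarding-destination
values (added example; assumptions are marked in comments)."""
import json
from urllib.parse import urlsplit


def validate_hec_url(url: str) -> list[str]:
    """Return problems with a Splunk HEC URL; an empty list means it is usable.
    Expected shape: <http or https>://<cloud or server address>:<port>"""
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    if not parts.hostname:
        problems.append("host is missing")
    try:
        if parts.port is None:
            problems.append("port must be given explicitly (e.g. :8088)")
    except ValueError:
        problems.append("port is not a number")
    return problems


def build_test_event(url: str, token: str) -> dict:
    """Build the request a 'Send Test Event' would issue to the collector.
    The payload below is constructed for this example."""
    errors = validate_hec_url(url)
    if errors:
        raise ValueError("; ".join(errors))
    endpoint = url.rstrip("/") + "/services/collector/event"  # Splunk HEC path
    body = {"sourcetype": "security_guardian:test", "event": {"message": "test"}}
    return {"method": "POST", "url": endpoint,
            "headers": {"Authorization": f"Splunk {token}",  # token is a secret
                        "Content-Type": "application/json"},
            "body": json.dumps(body)}


def parse_recipients(forward_to: str) -> list[str]:
    """Split the Forward To field on semicolons, dropping blanks and
    rejecting entries that are not of the form local@domain.tld."""
    out = []
    for raw in forward_to.split(";"):
        addr = raw.strip()
        if not addr:
            continue
        local, sep, domain = addr.partition("@")
        if not (local and sep and "." in domain):
            raise ValueError(f"invalid recipient: {addr!r}")
        out.append(addr)
    return out
```

Run the checks with a plain `http://` URL in mind: it passes validation, but the token then travels in clear text, so prefer `https://` for the collector.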

Managing Indicators

An indicator consists of a set of criteria that is used to evaluate collected data and generate Findings for:

  • Tier Zero (including Privileged) object activity
  • The following Hygiene, Detected TTP, and Detected Anomaly indicators:
    • Security Assessment vulnerabilities detected by Security Guardian
    • Critical Activity and unprotected Active Directory Tier Zero objects collected by On Demand Audit.

NOTE: Indicator-specific detail, with listings by severity and by the data source, can be found in the Appendix.

If you no longer want a Finding to be generated for an indicator, you can mute it.

EXCEPTION: New Tier Zero object indicators cannot be muted.

To access the All Indicators page:

  1. From the left navigation menu, choose Security | Settings.

  2. Select the All Indicators tab.

A list of all indicators displays, with the following information for each:

  • Finding (Indicator name)

  • one of the following Severity levels:

    Critical: Generally reserved for Hygiene and Detected Indicators that are changes to Tier Zero and Privileged object security, have significant potential impact to the Active Directory or Entra ID environment, and are not part of the default Active Directory or Entra ID configuration.

    High: Generally reserved for:

    • Hygiene and Detected Indicators that are of high concern but impact single objects.

    • the discovery of new Tier Zero domain objects and Privileged tenant objects.

    • changes to Tier Zero and Privileged objects that occur more often through normal business operations or are part of the default Active Directory or Entra ID configuration.

    Medium: Generally reserved for the discovery of:

    • Tier Zero user, computer, group, and Group Policy objects.

    • Privileged user, role, group, and service principal objects.

  • Type (Tier Zero (which includes Privileged), Hygiene, Detected TTP, Detected Anomaly)

  • Active Findings

  • Inactive Findings

  • number of Muted Objects

  • Mute Status

NOTE: If you click the Filter button, you can filter displayed results by one or more of the following criteria:

  • Indicator

  • Severity

  • Type

  • Mute Status

To view Indicator Details:

Click the link for the indicator.
