
Security Guardian Current - User Guide


Removing a Change Auditor Installation

When you remove a Change Auditor installation that is registered with On Demand (or delete the associated organization), Change Auditor will stop sending events.

To remove a Change Auditor installation

  1. Navigate to Security | Audit
  2. From the Configuration tab, select the ellipsis (...) on the Change Auditor tile and choose Remove Installation.
  3. Click OK to confirm.

Reviewing the status of your Change Auditor installation

From the Configuration tab, you can quickly see the status of your Change Auditor installation.

The information includes:

  • Installation status - whether it is connected, disconnected, or paused.
  • The time of the last update.
  • The number of connected coordinators.
  • The installed version of Change Auditor.

NOTE: If the Change Auditor installation is disconnected, there may be an issue with the Change Auditor coordinators. The following steps may help reconnect the installation:

  • Restart the coordinator to attempt to reconnect to On Demand, and check the coordinator logs for error messages. See the Manage Change Auditor coordinators section in the Change Auditor User Guide for information on restarting the coordinator and accessing the logs.

If the installation is still disconnected, contact Customer Support.

SpecterOps BloodHound Enterprise Integration

Attack path management is a critical component of defending Active Directory and Microsoft 365 environments from attacks. SpecterOps BloodHound Enterprise simplifies this process by prioritizing and quantifying attack path choke points, giving you the information you need to identify and eliminate the paths with the most exposure and risk.

Integrating with SpecterOps BloodHound Enterprise helps you reduce the risk of attacks by enabling you to easily identify, prioritize and eliminate the most vital avenues that attackers can exploit.

Specifically, administrators can monitor Tier Zero assets in their Active Directory and Microsoft Entra environments. Tier Zero is the highest level of the Active Directory tiered administrative model and includes the administrative accounts, groups, domain controllers, and domains that have direct or indirect administrative control of the Active Directory forest.

Audit provides built-in searches that let administrators create alert-enabled searches for historical changes to Tier Zero objects, so that changes to these critical assets are monitored in real time.


Configure a SpecterOps BloodHound Integration

Integrating with SpecterOps BloodHound Enterprise delivers a complete solution for risk assessment and threat monitoring. To enable this integration, add a SpecterOps BloodHound configuration.

NOTE:

  • To manage a SpecterOps BloodHound Enterprise configuration, you must have the Can Manage SpecterOps BloodHound Configuration permission.

  • Once the configuration has been added, you can select the three vertical dots in the upper-right corner to refresh the configuration immediately, to edit the notification template, or to read more about the benefits of integrating with SpecterOps BloodHound Enterprise.

  • The configuration connection message shows whether the connection to SpecterOps BloodHound Enterprise succeeded, together with the status of the configuration.

To add a configuration:

  1. From the Configuration tab, select Add BloodHound Enterprise or click the + icon.
  2. Enter the SpecterOps BloodHound URL, the Permanent Authorization Token (PAT) Token ID, and the Key pair.
  3. Click Validate to validate the URL format (https://yourdomain.bloodhoundenterprise.io), the Permanent Authorization Token (PAT) Token ID, and the Key pair.
  4. Click Save.

Once the configuration has been added, you can edit the Tier Zero notification template to configure who is notified when an alert is triggered.
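The Validate button checks the three values from inside Security Guardian; the script below lets you check them beforehand from a workstation that can reach the tenant. It is an added example, not Quest or SpecterOps code. It validates the URL against the https://yourdomain.bloodhoundenterprise.io format the dialog expects and builds a signed BloodHound Enterprise API request from the Token ID and Key, following the chained HMAC-SHA256 signing scheme in SpecterOps' published Python API client example (assumed current here; confirm it against the BloodHound Enterprise API documentation). The GET /api/version probe and the environment variable names are the example's own choices.

```python
"""Pre-flight check for the values the BloodHound Enterprise card asks for.

Added example, not Quest or SpecterOps code. It validates the tenant URL
format and builds a signed BloodHound Enterprise API request from a
Token ID / Key pair. The signing scheme follows SpecterOps' published
Python API client example (three chained HMAC-SHA256 stages sent as
'Authorization: bhesignature <token id>'); confirm it against the current
BloodHound Enterprise API documentation before relying on it.
"""
import base64
import datetime
import hashlib
import hmac
import json
import os
import urllib.request
from typing import Dict, Optional
from urllib.parse import urlsplit

# Tenant hostnames look like yourdomain.bloodhoundenterprise.io
BHE_HOST_SUFFIX = ".bloodhoundenterprise.io"


def validate_bhe_url(url: str) -> str:
    """Return the normalised tenant origin or raise ValueError.

    Same shape the configuration dialog expects: HTTPS, a tenant host under
    bloodhoundenterprise.io, and no path, query, fragment or embedded
    credentials. Look-alike hosts such as
    yourdomain.bloodhoundenterprise.io.evil.example are rejected.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        raise ValueError("BloodHound Enterprise URL must use https")
    if parts.username or parts.password:
        raise ValueError("URL must not embed credentials")
    if not host.endswith(BHE_HOST_SUFFIX):
        raise ValueError("host must be a tenant under bloodhoundenterprise.io")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("enter only the tenant origin, without a path")
    return f"https://{host}"


def is_valid_bhe_url(url: str) -> bool:
    """Boolean convenience wrapper around validate_bhe_url."""
    try:
        validate_bhe_url(url)
        return True
    except ValueError:
        return False


def sign_request(token_id: str, token_key: str, method: str, uri: str,
                 body: Optional[bytes] = None,
                 request_date: Optional[datetime.datetime] = None) -> Dict[str, str]:
    """Build the authentication headers for one BHE API request.

    request_date is injectable so the output is reproducible under test.
    In real use leave it unset: the server rejects signatures whose
    RequestDate is too far from its own clock.
    """
    when = request_date or datetime.datetime.now().astimezone()
    date_str = when.isoformat("T")
    # Stage 1: key = Token Key, message = METHOD + request URI
    digest = hmac.new(token_key.encode(), f"{method}{uri}".encode(), hashlib.sha256).digest()
    # Stage 2: key = stage-1 digest, message = RequestDate truncated to the hour
    digest = hmac.new(digest, date_str[:13].encode(), hashlib.sha256).digest()
    # Stage 3: key = stage-2 digest, message = request body (empty for GET)
    digest = hmac.new(digest, body or b"", hashlib.sha256).digest()
    return {
        "Authorization": f"bhesignature {token_id}",
        "RequestDate": date_str,
        "Signature": base64.b64encode(digest).decode("ascii"),
        "Content-Type": "application/json",
    }


def check_credentials(url: str, token_id: str, token_key: str, timeout: int = 10) -> dict:
    """Probe GET /api/version with a signed request and return the JSON body.

    HTTP 401 means the Token ID / Key pair is wrong or revoked; a DNS or TLS
    failure points at the URL. Run it only against your own tenant.
    """
    origin = validate_bhe_url(url)
    uri = "/api/version"
    req = urllib.request.Request(origin + uri, method="GET",
                                 headers=sign_request(token_id, token_key, "GET", uri))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Environment variable names are this example's own choice.
    result = check_credentials(os.environ["BHE_URL"],
                               os.environ["BHE_TOKEN_ID"],
                               os.environ["BHE_TOKEN_KEY"])
    print(json.dumps(result, indent=2))
```

The Key half of the pair is a bearer secret: whoever holds it can call the BloodHound Enterprise API with the permissions of the user who created the token. Create the pair under a dedicated, least-privileged BloodHound Enterprise user rather than an administrator's profile, and treat the copy stored in Security Guardian as you would a service-account password, revoking it in BloodHound Enterprise if the configuration is removed.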

To edit a configuration:

  1. From the Configuration tab, select the BloodHound Enterprise card, and choose Edit Configuration.
  2. Edit the SpecterOps BloodHound URL, Permanent Authorization Token (PAT) Token ID, and Key pair as required.
  3. Click Validate to validate the URL format (https://yourdomain.bloodhoundenterprise.io), the Permanent Authorization Token (PAT) Token ID, and the Key pair.
  4. Click Save.

To remove a configuration:

IMPORTANT: When you remove a configuration, SpecterOps BloodHound Enterprise information will no longer be added to events in Audit.

  1. From the Configuration tab, select the BloodHound Enterprise card, and choose REMOVE.
  2. Click YES to remove the configuration.

