Findings allow you to view and investigate notable events in your organization's Active Directory and/or Entra ID, including:

  • Active Directory Tier Zero and Entra ID Privileged object activity, including the identification of unprotected Tier Zero objects.

  • Hygiene indicators detected by Security Guardian Assessments.

  • Detected TTP and Detected Anomaly Indicators collected by Security Guardian from On Demand Audit.

NOTE: Hygiene (from Security Guardian Assessments) indicates that objects are susceptible to an adversary attack. Detected (from On Demand Audit) indicates that an action took place that could possibly be an adversary attack. Detected TTP (tactics, techniques and procedures) are search-based detected indicators whereas Detected Anomalies are indicators based on statistical analysis.

To view Findings:

From the left navigation menu, choose Security | Findings.

The Findings list displays the following information for each finding:

  • Finding

  • One of the following Severity levels:

    NOTE: Security Guardian calculates severity levels by a range of values (i.e., the lower the value, the higher the severity). If you sort by this column, you can see the Findings in order of most to least severe.

    Critical

    Generally reserved for Hygiene and Detected Indicators that are changes to Tier Zero and Privileged object security, have significant potential impact to the Active Directory or Entra ID environment, and are not part of the default Active Directory or Entra ID configuration.

    High

    Generally reserved for:

    • Hygiene and Detected Indicators that are of high concern but impact single objects.

    • the discovery of new Tier Zero domain objects and Privileged tenant objects.

    • changes to Tier Zero and Privileged objects that occur more often through normal business operations or are part of the default Active Directory or Entra ID configuration.

    Medium

    Generally reserved for the discovery of:

    • Tier Zero user, computer, group, and Group Policy objects.

    • Privileged user, role, group, and service principal objects.

  • Type (Tier Zero, Hygiene, Detected TTP, or Detected Anomaly)

  • Workload (Active Directory or Entra ID)

  • The date and time Last Detected

    NOTE: This field displays the signed-in user's local date and time.

  • Status (Active or Inactive)

NOTE: If you click the Filter button, you can filter displayed results by one or more of the following criteria:

  • Finding

  • Severity

  • Type

  • Status

    (Active Findings display by default. You can choose to display either Active or Inactive Findings in the list, but not both.)

From the Findings list you can dismiss one or more Findings and view Finding history.