Creating a Discovery
You can create custom Discoveries based on pre-defined vulnerability templates.
NOTE: All of the available vulnerability templates are used in pre-defined Discoveries. You can refer to the Pre-defined Discoveries and Vulnerabilities for Active Directory and Entra ID sections for guidance when creating a new Discovery.
To create a Discovery:
- From the Discoveries list, click Create.
- Select a Workload (Active Directory or Entra ID).
- Enter a Discovery Type.
- Click Select Vulnerabilities to display the list of vulnerability templates available for that workload.
- Select each vulnerability template you want to add to the Discovery, then click Select.
- For each vulnerability added to the Discovery:
  - Enter a Vulnerability Name.
  - For Risk, enter the reason the vulnerability is considered a risk. For Remediation, enter the recommendation for resolving the vulnerability.
  TIP: You can refer to Pre-defined Discoveries and Vulnerabilities for Active Directory and Entra ID for examples of Risk and Remediation text.
  - If the vulnerability includes a Scope, specify the objects that you want the Assessment to evaluate. Use the scope options below for guidance.
  NOTES:
  - If the Tier Zero or Privileged objects checkbox is selected, all applicable Tier Zero or Privileged objects, both those collected from the provider (Security Guardian or BloodHound Enterprise) and any that were manually created, are included in or excluded from the scope, depending on which scope option you select.
  - If a vulnerability pertains to a specific object or set of objects, the Scope section is hidden. For example, if the vulnerability pertains to users, only Tier Zero users are included. If the vulnerability pertains to a specific AD group, such as Built-In Administrators, only that group is included.
  Scope options:
  - All {objects}: All objects in the workload of the applicable object type, including both Tier Zero/Privileged and non-Tier Zero/non-Privileged objects.
  - Select {objects}: Only the objects you specify based on your selection criteria are included. When finished, click Add Object to add the object(s) to the Selected {Object}s list. If you want to exclude individual objects within your selection (for example, you selected an AD group but want to exclude individual members from the scope), click Add Exceptions and enter the object(s) as you would when adding objects.
  - All Except Selected {objects}: Only the objects you specify based on your selection criteria are excluded from the scope. You can add multiple objects, separated by semicolons. When finished, click Add Object to add the object(s) to the Selected {Object}s list.
- Click Save.
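The interaction between the Tier Zero/Privileged checkbox and the three scope options is easy to misread: with Select, the checkbox adds every Tier Zero object to the included set, while with All Except Selected it removes them. The following is an added example that models that behaviour as set logic; it is not Security Guardian's own code, the sample user names are constructed, and the exact semantics (the checkbox behaving as if every Tier Zero object had been entered via Add Object, and exceptions applying only to Select) are this example's reading of the options above.

```python
"""Model of the Discovery Scope options (All / Select / All Except Selected)
and the Tier Zero or Privileged objects checkbox.

This is an illustrative model written for this page, not product code.
"""

# Constructed sample: AD users in a workload, with a Tier Zero subset.
# Provider-collected and manually created Tier Zero objects are treated
# identically, as the note above states.
ALL_USERS = {"alice", "bob", "carol", "dave", "svc-backup", "krbtgt"}
TIER_ZERO_USERS = {"alice", "krbtgt", "svc-backup"}


def resolve_scope(mode, all_objects, tier_zero, selected=(), exceptions=(),
                  include_tier_zero=False):
    """Return the set of objects an Assessment would evaluate.

    mode:              "all", "select" or "all_except" (the three scope options)
    selected:          objects entered via Add Object
    exceptions:        objects entered via Add Exceptions (Select only)
    include_tier_zero: state of the Tier Zero / Privileged objects checkbox;
                       assumed to behave as if every Tier Zero object had been
                       added to `selected`, so Select includes them and
                       All Except Selected excludes them.
    """
    all_objects = set(all_objects)
    selected = set(selected)
    exceptions = set(exceptions)
    if include_tier_zero:
        selected |= set(tier_zero)

    if mode == "all":
        return all_objects
    if mode == "select":
        # Only objects that exist in the workload, minus explicit exceptions.
        return (selected & all_objects) - exceptions
    if mode == "all_except":
        return all_objects - selected
    raise ValueError(f"unknown scope mode: {mode!r}")


def demo():
    """Show how the checkbox flips meaning between Select and All Except."""
    return {
        "all": resolve_scope("all", ALL_USERS, TIER_ZERO_USERS),
        "select+tier0": resolve_scope(
            "select", ALL_USERS, TIER_ZERO_USERS,
            selected={"bob"}, include_tier_zero=True),
        "select+tier0-krbtgt": resolve_scope(
            "select", ALL_USERS, TIER_ZERO_USERS,
            selected={"bob"}, exceptions={"krbtgt"}, include_tier_zero=True),
        "all_except+tier0": resolve_scope(
            "all_except", ALL_USERS, TIER_ZERO_USERS,
            selected={"bob"}, include_tier_zero=True),
    }


if __name__ == "__main__":
    for name, scope in demo().items():
        print(f"{name:22s} -> {sorted(scope)}")
```

Run it to see that the same selection ("bob" plus the Tier Zero checkbox) evaluates four objects under Select but only the two non-privileged, unselected users under All Except Selected; the Add Exceptions entry removes a single Tier Zero object from a Select scope without affecting the rest.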
Viewing, Editing, and Deleting a Discovery
From the Discoveries list, you can view the details of a Discovery. You can also edit or delete a user-created Discovery. For a pre-defined Discovery, you can change the scope (if applicable) and, in a few cases, the What to find value. (Refer to the Pre-defined Discoveries and Vulnerabilities for Active Directory and Entra ID sections for specific vulnerability templates.)
NOTE: You cannot delete pre-defined Discoveries; the Delete option is disabled for them.
To view a Discovery:
Click the Discovery Type link.
To edit a Discovery:
- Either:
  - In the Discoveries list, select the Discovery that you want to edit.
  OR
  - Open the Discovery that you want to edit.
- Click Edit.
- Update the Discovery as needed.
- Click Save.
To delete a user-created Discovery:
NOTE: Currently, you can only delete one Discovery at a time.
- Either:
  - In the Discoveries list, select the Discovery that you want to delete.
  OR
  - Open the Discovery that you want to delete.
- Click Delete.
You will be prompted to confirm the deletion.
Findings
Findings allow you to view and investigate notable events in your organization's Active Directory and Entra ID, including:
- Active Directory Tier Zero and Entra ID Privileged object activity, including the identification of unprotected Tier Zero objects.
- Hygiene indicators detected by Security Guardian Assessments.
- Detected TTP and Detected Anomaly indicators collected by Security Guardian from On Demand Audit.
NOTE: Hygiene (from Security Guardian Assessments) indicates that objects are susceptible to an adversary attack. Detected (from On Demand Audit) indicates that an action took place that could possibly be an adversary attack. Detected TTP (tactics, techniques and procedures) indicators are search-based, whereas Detected Anomaly indicators are based on statistical analysis.
To view Findings:
The Findings list displays the following information for each Finding:
- Finding name
- Severity level
  NOTE: Security Guardian stores severity as a numeric value; the lower the value, the higher the severity. Sorting by this column therefore lists Findings from most to least severe.
  - Critical: Generally reserved for Hygiene and Detected indicators that are changes to Tier Zero and Privileged object security, have significant potential impact on the Active Directory or Entra ID environment, and are not part of the default Active Directory or Entra ID configuration.
  - High: Generally reserved for Hygiene and Detected indicators that are of high concern but affect single objects; the discovery of new Tier Zero domain objects and Privileged tenant objects; and changes to Tier Zero and Privileged objects that occur more often through normal business operations or are part of the default Active Directory or Entra ID configuration.
  - Medium: Generally reserved for the discovery of Tier Zero user, computer, group, and Group Policy objects, and of Privileged user, role, group, and service principal objects.
- Type (Tier Zero, Hygiene, Detected TTP, or Detected Anomaly)
- Workload (Active Directory or Entra ID)
- Last Detected date and time. (This field displays the signed-in user's local date and time.)
- Status (Active or Inactive)
NOTE: If you click the Filter button, you can filter the displayed results by one or more of the following criteria:
From the Findings list you can dismiss one or more Findings and view Finding history.
Investigating Findings
From the Findings list, select a Finding to investigate in more detail:
From the Investigate Finding page, you can:
- View a summary of the Finding's key elements.
- Access Security Guardian Intelligence to answer your questions and provide a high-level overview of your environment, including identified Findings and recommended actions to resolve issues.
NOTES:
- Before you can access Security Guardian Intelligence assistance, you need to read and accept the AI Terms of Use.
- To refresh the Security Guardian Intelligence content in the flyout, click the AI icon next to a different user object.
- Navigate between questions either by clicking the question name or by using the Next and Back buttons.