Removing Manually-Added Tier Zero Objects
You can remove Tier Zero objects that have been manually added by a user from the Tier Zero Objects list.
|
NOTE: Tier Zero objects added by the Tier Zero provider (Security Guardian or BloodHound Enterprise) cannot be removed via On Demand. |
Note that, if you remove a manually-added object from the Tier Zero list, it will no longer be monitored and if re-added, it will revert to being Not Certified, regardless of its status when it was removed.
To remove a manually-added Tier Zero object:
-
From the Tier Zero Objects list, the object(s) you want to remove.
-
Click Remove Tier Zero.
|
NOTE: If any Tier Zero objects added by the Tier Zero provider are in the selection, the Remove Tier Zero option will be disabled. |
You will be prompted to confirm the action.
Certifying Tier Zero Objects
Certification is a means by which you can verify that any object identified by the Tier Zero provider or added manually by a user as Tier Zero qualifies as Tier Zero. Once certified, it will be used to establish a baseline for generating Findings for Detected and Hygiene Indicators.
By default, when an object is added as Tier Zero (which includes objects in the initial list collected by the Tier Zero provider), its status is Not Certified. This encourages you, as a Security Guardian administrator, to review each object for Tier Zero account security risks.
|
EXCEPTION: Because they pose the highest security risk to your Active Directory environment, Tier Zero Domain objects identified by the Tier Zero provider (Security Guardian or BloodHound Enterprise) are certified automatically and cannot be uncertified. |
You can certify one or multiple objects from the Tier Zero Objects list, or individually from the Investigate Finding page or within an Uncertified Tier Zero Object's Details view on the Dashboard.
To certify Tier Zero objects from the Tier Zero list:
-
rom the Tier Zero list, select the object(s) you want to certify.
-
Click Certify Tier Zero.
To certify a Tier Zero object from the Findings Investigation page:
Click Certify Tier Zero.
You will be prompted to confirm the certification. The confirmation dialog also includes a check box that allows you to dismiss the Finding at the same time.
|
NOTE: Once a Tier Zero object has been certified, it will no longer display in the Uncertified Tier Zero Objects tile on the Dashboard. |
Protecting Tier Zero Objects
If Change Auditor version 7.4 is integrated with On Demand, you can protect Tier Zero objects from unauthorized or accidental modifications or deletions from the Security Guardian interface.
You can protect Tier Zero objects from the Findings Investigation page if one or more unprotected Tier Zero objects have been detected as a Detected TTP or Hygiene Indicator, or from the Tier Zero list.
|
NOTES:
-
Currently, you cannot unprotect objects in On Demand. However, Change Auditor can be used to unprotect objects. Once an object is unprotected, a new Finding will be raised in Security Guardian.
-
When an object within a Finding is protected, it no longer displays in the Findings investigation page. However, object protection status details can be viewed in Change Auditor. |
Tier Zero Protection Status
The Tier Zero protection status is displayed in the Protection Status column of the Tier Zero Objects List. The status may be:
-
Not Protected
-
Protected
-
Pending Evaluation
|
NOTE: A Pending Evaluation status indicates that either Change Auditor has not completed processing the protection request or that Change Auditor 7.4 or later is not integrated with On Demand. |
To protect Tier Zero objects from the Tier Zero list:
-
Select the unprotected object(s) you want to protect.
-
Click the Enable Protection button.
To protect Tier Zero objects from the Findings Investigation page (if applicable):
-
On the Findings Investigation page What Happened? section, select the Tier Zero object(s) that you want to protect.
-
Click the Enable Protection button.
Exporting the Tier Zero Objects List
You can export the complete, unfiltered Tier Zero objects list to a .csv file, which can be shared with stakeholders and used for security assessment engagements.
To export the Tier Zero objects list:
From the Tier Zero Objects page, click Export to CSV.
The file is exported to your Downloads folder with the file name export_{timestamp}_{a GUID}.csv and includes the following information:
-
Display Name
-
Principal Name
-
Distinguished Name
-
Object Type
-
Date Added
-
Added By
-
Certification Status
-
Protection Status