Discoveries are evaluated by Assessments to identify vulnerabilities in your organization's Active Directory. Security Guardian comes with several pre-defined Discoveries and you can also create your own Discoveries.
Additional permission required for specific vulnerabilities
In addition to the permissions required for the hybrid agent, the service account (which the Collect Active Directory object data action uses) must be a member of the Domain Admins group for the following pre-defined vulnerabilities and any vulnerabilities created using the same template.
For the vulnerability gMSA root key access, the account must be a member of the Domain Admins or Enterprise Admins group.
If the required permission is not granted, Assessment results for these vulnerabilities will return as Inconclusive.