
Security Guardian Current - User Guide

Using the Dashboard

The Security Guardian dashboard displays a visual summary of the current security status of your organization's Active Directory and Entra ID.

To access the Security Guardian dashboard:

From the On Demand left navigation menu, choose Security | Dashboard. The dashboard contains tiles for each of the following components:

  • Uncertified Tier Zero Objects (from Active Directory)
  • Uncertified Privileged Objects (from Entra ID)
  • Active Directory Tier Zero certification summary
  • Entra ID Privileged Objects certification summary
  • Highest Severity Findings
  • Active Hygiene and Active Detected
  • Configuration Status

The Uncertified Tier Zero Objects and Uncertified Privileged Objects tiles:

  • display the last time the objects list was synchronized

  • list the last ten uncertified objects of each type that were added to Security Guardian (you can click View All for an object type to view the complete list for each workload)

    NOTE: Objects that have been certified are excluded from the lists.

  • provide links that allow you to

The Highest Severity Findings tile displays the top five active findings of the highest severity. Information includes:

  • the Finding name
  • when the Finding was Detected
  • the Finding Type (Tier Zero, Privileged Object, Hygiene, Detected TTP, or Detected Anomaly)
  • the Severity indicator (Critical, High, or Medium)
  • a link that allows you to Investigate the Finding

The View All link at the bottom of the tile allows you to view the list of all active Findings for the organization.

The Active Directory Tier Zero Objects and Entra ID Privileged Objects tiles display graphical representations of the number of certified vs. uncertified objects.

The Active Hygiene and Active Detected tile shows the total number of Hygiene and Detected (TTP and Anomaly) Findings in the organization by severity level (Critical, High, and Medium).

From the Configuration Status tile you can configure additional components and view existing configurations.

Audit

Audit provides extensive, customizable auditing of critical activities and detailed alerts about vital changes taking place in Microsoft 365 Exchange Online, SharePoint Online, Teams, OneDrive for Business, and Microsoft Entra. Continually being in-the-know helps you to prove compliance, drive security, and improve uptime while proactively auditing changes to configurations and permissions. Specifically, you can audit:

  • Exchange Online, OneDrive for Business, Teams, and SharePoint Online activity that corresponds to the events in the Microsoft 365 Security & Compliance Center unified audit log. See Auditing Microsoft 365 for details.
  • Microsoft Entra user, group, application, and directory activity that corresponds to the events in the audit logs, sign-in activity report, and risky sign-ins report. See Auditing Microsoft Entra for details.

Integrating with Change Auditor provides a single view of activity across hybrid Microsoft environments and turns on-premises events into rich visualizations so you can investigate incidents faster. Events sent to Audit include historical events gathered up to 30 days prior to the upgrade to Change Auditor 7.0.0 (or higher). See Change Auditor Integration. You can audit:

  • When Exchange Online mailboxes are created, deleted, and accessed.
  • Permission changes to see which users are granted access to a mailbox.
  • Mailbox activity by non-owner such as messages sent, read, deleted, and folders deleted
  • Mailbox activity by owner for sensitive and high value mailboxes.
  • When files and folders are accessed, created, deleted, uploaded, moved, renamed, and checked in and out of SharePoint Online and OneDrive for Business sites.
  • When user and group attributes are changed.
  • When users and groups are added to and removed from the directory.
  • Successful and failed logins.
  • Suspicious sign-in activity.
  • Teams user and administrator activity.
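The categories above map directly onto fields that Microsoft 365 audit records already carry, so a short classifier shows what "non-owner mailbox activity" or "failed login" means at the record level. The following is an added example, not Quest or Microsoft code: it runs over constructed sample records whose field names (Workload, Operation, ResultStatus, UserId, LogonType, MailboxOwnerUPN) follow the Office 365 Management Activity API common schema as the author understands it; treat those names, the LogonType meanings and the directory operation strings as assumptions to verify against your own tenant's export.

```python
"""Classify unified-audit-log style records into the activity categories
the Audit feature lists. Added example; not part of the product.
Field names and values are assumptions modelled on the Office 365
Management Activity API schema and must be checked against real exports."""

from collections import Counter

# Constructed sample records (not real tenant data).
SAMPLE_RECORDS = [
    {"Workload": "Exchange", "Operation": "MailItemsAccessed",
     "UserId": "assistant@example.test", "MailboxOwnerUPN": "ceo@example.test",
     "LogonType": 2, "ResultStatus": "Succeeded"},
    {"Workload": "Exchange", "Operation": "Send",
     "UserId": "ceo@example.test", "MailboxOwnerUPN": "ceo@example.test",
     "LogonType": 0, "ResultStatus": "Succeeded"},
    {"Workload": "Exchange", "Operation": "HardDelete",
     "UserId": "admin@example.test", "MailboxOwnerUPN": "finance@example.test",
     "LogonType": 1, "ResultStatus": "Succeeded"},
    {"Workload": "AzureActiveDirectory", "Operation": "UserLoginFailed",
     "UserId": "jdoe@example.test", "ResultStatus": "Failed", "ClientIP": "203.0.113.10"},
    {"Workload": "AzureActiveDirectory", "Operation": "UserLoggedIn",
     "UserId": "jdoe@example.test", "ResultStatus": "Success", "ClientIP": "198.51.100.7"},
    {"Workload": "AzureActiveDirectory", "Operation": "Add member to group.",
     "UserId": "admin@example.test", "ResultStatus": "Success", "ObjectId": "Global Administrators"},
    {"Workload": "SharePoint", "Operation": "FileDownloaded",
     "UserId": "jdoe@example.test", "ResultStatus": "Success",
     "ObjectId": "https://example.test/sites/hr/salaries.xlsx"},
]

# Exchange mailbox audit LogonType values as assumed here: 0 = owner, 1 = admin, 2 = delegate.
LOGON_TYPE_NAMES = {0: "Owner", 1: "Admin", 2: "Delegate"}

# Directory operations that change membership or user existence (assumed operation strings).
DIRECTORY_MEMBERSHIP_OPS = {
    "Add member to group.", "Remove member from group.", "Add user.", "Delete user.",
}


def classify(record):
    """Return a category label for one record, or None when it matches nothing."""
    workload = record.get("Workload")
    op = record.get("Operation", "")
    if workload == "Exchange":
        # Any logon type other than the owner's is non-owner mailbox activity.
        if record.get("LogonType", 0) != 0:
            return "mailbox-non-owner"
        return "mailbox-owner"
    if workload == "AzureActiveDirectory":
        if op == "UserLoginFailed" or record.get("ResultStatus") == "Failed":
            return "signin-failed"
        if op == "UserLoggedIn":
            return "signin-success"
        if op in DIRECTORY_MEMBERSHIP_OPS:
            return "directory-membership"
    if workload in ("SharePoint", "OneDrive"):
        return "file-activity"
    return None


def summarize(records):
    """Count records per category; the shape a dashboard tile would consume."""
    return Counter(c for c in map(classify, records) if c)


def non_owner_access(records):
    """List (actor, mailbox, logon type, operation) for every non-owner mailbox event."""
    return [
        (r["UserId"], r["MailboxOwnerUPN"],
         LOGON_TYPE_NAMES.get(r.get("LogonType"), "Unknown"), r["Operation"])
        for r in records if classify(r) == "mailbox-non-owner"
    ]


if __name__ == "__main__":
    for category, count in sorted(summarize(SAMPLE_RECORDS).items()):
        print(f"{category:22s} {count}")
    for actor, mailbox, logon, op in non_owner_access(SAMPLE_RECORDS):
        print(f"non-owner: {actor} ({logon}) -> {mailbox}: {op}")
```

The non-owner check is the one worth keeping even if nothing else is: a delegate or admin touching a mailbox they do not own is exactly the event class that owner-only auditing misses.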

Configuring Audit

Working with tenants

You must have a tenant in the organization to audit the Microsoft 365 and Microsoft Entra activity.

NOTE:

  • For details on adding your first tenant, refer to the On Demand Global Settings User Guide.
  • GCC tenants are only supported by Audit in On Demand organizations located in the US region.
  • When you remove a tenant, event collection stops. If you add the tenant back, you will need to select the services to audit again.

To add a tenant:

  1. Log in to On Demand.
  2. To add another tenant, navigate to Security | Audit. From the Configuration tab, click Add Microsoft Entra tenant.
  3. Sign in with a Global administrator account for the tenant on the Azure sign-in page.
  4. Read through the required permissions and select Accept.

Before you can audit the tenant, you need to grant On Demand consent to audit its Microsoft 365 and Microsoft Entra activity. See Granting required consent.