Chatta subito con l'assistenza
Chat con il supporto

Security Guardian Current - User Guide

Introducing Quest Security Guardian Using the Dashboard Tier Zero Objects Privileged Objects Assessments Findings Security Settings Appendix - Security Guardian Indicator Details

Assessment Results

You can access the link to results for an Assessment from the All Assessments list.

To access results for a selected Assessment:

Click the corresponding Active Directory domain name or Entra ID tenant name in the Link to Results column

NOTE: You can only view Assessment results for one Active Directory domain or Entra ID tenant at a time. If the Assessment was run on more than one, you can switch to a different domain or tenant from the drop-down in the upper right corner of the Results page for the Assessment.

The Results page for the Assessment is divided into sections:

 

The first section, Summary of Assessment Vulnerabilities, provides a summary of the last run of the selected Assessment, including:

  • the date and time the vulnerabilities within the Assessment were Assessed on

  • the date and time the data used to assess the vulnerabilities was Collected on.

     

    NOTE: These fields display the signed-in user's local date and time.

Of the total number of Evaluated Vulnerabilities, a graph depicts color-coded results, as described below.

With Vulnerable Objects (n)
Without Vulnerable Objects (n)

With Inconclusive Results (n)

The second section, Summary of Last 7 Days, shows the following information for the past seven days that the Assessment was run:

n Assessments in compliance
n Assessments with vulnerable objects
n Vulnerabilities found

 

The third section contains the list of evaluated vulnerabilities, which provides the following information:

  • the Discovery Type in which the vulnerability is defined

  • the Vulnerability name, which links to vulnerability-specific detail, including any objects the vulnerability was detected in

  • the date and time when the vulnerability was Last Detected

    NOTE: This field displays the signed-in user's local date and time.

  • the number of Vulnerable Objects found

    NOTE: icon indicates that an error occurred while the vulnerability was being evaluated.

  • the number of Inconclusive results

  • Created by either:
    • System (for pre-defined Discoveries and Vulnerabilities)

    • User (for user-created Discoveries and Vulnerabilities)

  • a graphical representation of the 7 Day Trend for the Vulnerability

    TIP: Hover over the line graph to see the number of vulnerabilities (if any) detected per day.

 

Viewing Detail for an Assessed Vulnerability

When you select a Vulnerability from an Assessment's Results page, detail about the assessed vulnerability is displayed.

The left side of the page includes detailed information about the vulnerability as defined in the Discovery.

7 Day Assessment Trend

A graph depicts color-coded results over the past 7 days that the Assessment was run, as described below.

TIPS:

  • You can click individual states in State Filtering so that only the states you want to focus on are displayed in the graph. (The Compliant Objects state is always hidden by default.)

  • Hover over the graph to display the number of vulnerable objects (if any) detected per day.

  • Click on an area of the graph to display details about that Assessment run in the list below.

Compliant objects
Vulnerable objects

Error

NOTE: An Error state indicates that an error occurred during data collection (for example, the server containing the objects to be evaluated could not be reached).

If an error occurred, the appropriate message displays.

Inconclusive

NOTE: An Inconclusive state indicates that data could not be collected for a non-error-related reason. The reason may be:

  • The scope of an Assessment includes Tier Zero or Privileged objects but no Tier Zero or Privileged objects were found.

  • An Assessment involves both Active Directory and Entra Id workloads, but both are not configured.

  • The number of Tier Zero or Privileged objects exceeded the maximum number (10,000) that could be evaluated,

  • Permissions were insufficient to collect the data).

  • The Assessment requires a Premium license, but the Organization has a free license

If results were inconclusive for individual objects, hover over the icon for a description of the reason.

 

Below the graph a list of the Vulnerable Objects (up to 100,000) found out of the total number of Assessed Objects for the selected area of the graph.

NOTEs:

  • If a group is identified as vulnerable, all of the members of that group (including via nested groups) are included in the Vulnerable Objects total. Click the link to view the list of the affected objects.

  • If more than 100,000 vulnerable objects are returned, it is advisable to investigate why so many objects are found to be vulnerable. For example, all users may have been added to a group they don't belong in.

  • For User and Computer vulnerabilities, the column Is Account Enabled? is included, allowing you to prioritize enabled accounts when implementing a remediation.

 

To download the Vulnerable Objects list to a CSV file:

From the details page for the vulnerable objects, click Export to CSV.

The file will include all of the objects displayed in the Vulnerable Objects list.

Findings

Findings allow you to view and investigate notable events in your organization's Active Directory and/or Entra ID, including:

  • Active Directory Tier Zero and Entra ID Privileged object activity, including the identification of unprotected Tier Zero objects.

  • Hygiene indicators detected by Security Guardian Assessments.

  • Detected TTP and Detected Anomaly Indicators collected by Security Guardian from On Demand Audit.

NOTE: Hygiene (from Security Guardian Assessments) indicates that objects are susceptible to an adversary attack. Detected (from On Demand Audit) indicates that an action took place that could possibly be an adversary attack. Detected TTP (tactics, techniques and procedures) are search-based detected indicators whereas Detected Anomalies are indicators based on statistical analysis.

To view Findings:

From the left navigation menu, choose Security | Findings.

The Findings list displays the following information for each finding:

  • Finding

  • one of the following Severity levels:

    NOTE: Security Guardian calculates severity levels by a range of values (i.e., the lower the value, the higher severity). If you sort by this column, you can see the Findings in order of most to least severe.

    Critical Generally reserved for Hygiene and Detected Indicators that are changes to Tier Zero and Privileged object security, have significant potential impact to the Active Directory or Entra ID environment, and are not part of the default Active Directory or Entra ID configuration.
    High

    Generally reserved for:

    • Hygiene and Detected Indicators that are of high concern but impact single objects.

    • the discovery of new Tier Zero domain objects and Privileged tenant objects.

    • changes to Tier Zero and Privileged objects that occur more often through normal business operations or are part of the default Active Directory or Entra ID configuration.

    Medium

    Generally reserved for the discovery of:

    • Tier Zero user, computer, group, and Group Policy objects.

    • Privileged user, role, group, and service principal objects.

  • Type (Tier Zero, Hygiene, Detected TTP, or Detected Anomaly)
  • Workload (Active Directory or Entra ID)
  • The date and time Last Detected
  • NOTE: This field displays the signed-in user's local date and time.

  • Status (Active or Inactive)

NOTE: If you click the Filter button, you can filter displayed results by one or more of the following criteria:

  • Finding

  • Severity
  • Type

  • Status

    (Active Findings display by default. You can choose to display either Active or Inactive Findings in the list, but not both.)

From the Findings list you can dismiss one or more Findings and view Finding history.

Investigating Findings

From the Findings list, you can investigate Findings in more detail for indicators of:

  • Tier Zero and Privileged objects that have been identified by the provider (Security Guardian or BloodHound Enterprise) or added manually by a user.

  • Hygiene and Detections that have been found through Security Guardian Assessments and On Demand Audit critical activity.

Click on the Finding you want to investigate.

The Investigate Finding page consists of two sections.

  • What Happened?, or for Hygiene, What Is Wrong?

  • How Do I Fix This?

You can navigate between sections either by clicking a section name or using the Next and Back buttons.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione