Chatta subito con l'assistenza
Chat con il supporto

Security Guardian Current - User Guide

Introducing Quest Security Guardian Using the Dashboard Tier Zero Objects Privileged Objects Assessments Findings Security Settings Appendix - Security Guardian Indicator Details

Investigating Tier Zero and Privileged Object Findings

The top of a Tier Zero or Privileged object Investigation page identifies the object being investigated, along with the following information:

  • the Severity of the Finding

  • the Finding Type (Tier Zero)

  • the Certification Status (Certified or Not Certified)

  • the Finding Status (Active or Inactive)

  • Last Updated (that is, the last time the Finding was detected)

    NOTE: Last Updated displays a relative time. However, if you hover over the clock icon you can see an exact date and time. This field displays the signed-in user's local date and time.

  • options to certify the object, dismiss the Finding, and view history of the Finding.

What Happened?

This section indicates why a Finding was raised for the object, as well why the object is considered Tier Zero or Privileged and the number of other Tier Zero or Privileged objects that it impacts and is impacted by.

NOTE: If BloodHound Enterprise is the provider, it can return a maximum of 1000 related objects for each category.

The What Happened? section also includes a series of links to help you complete your investigation, as described in the following table.

Link Description
View Details

The properties of the object, including whether it was added by the system (Security Guardian or BloodHound Enterprise) or by a user, identifiers used for the object within Active Directory or Entra ID, the date the object was added and the date its information was last updated.

NOTE: The Date Added field displays the signed-in user's local date and time.

View Relationships

 

If BloodHound Enterprise is configured, this link enables you to log into BloodHound (if you have at least Read permissions) and view attack paths between the object being investigated and other objects.

NOTE: If Security Guardian is the provider, this option will be hidden.

View Recent Activity This link opens the Quick Search page in On Demand Audit, which lists event data for the selected object.
Escalate this Finding
Copy This link allows you to copy the text of the Finding to the clipboard so that you can share it with others.
Send email This link allows you to prepare and send an escalation email to recipients with whom you want to share the Finding.

How Do I fix this?

This section provides recommendations for investigation and remediation.

 

NOTE: If BloodHound Enterprise is the provider, the View Relationships link to BloodHound Enterprise is also provided in this section.

Investigating Hygiene and Detected Indicators

  • Findings for Hygiene and Detected Indicators are raised when:
    • vulnerabilities are detected when a Security Guardian Assessment is run

    AND/OR

    • critical activity anomalies are detected by On Demand Audit.

    NOTE:Hygiene indicates that objects are susceptible to an adversary attack. Detected indicates that an action took place that could possibly be an adversary attack.

    • Detected TTP (tactics, techniques and procedures) Indicators are search-based.

    • Detected Anomaly Indicators are based on statistical analysis.

    The top of an Investigation page identifies the object being investigated, along with the following information:

    • the Severity of the Finding

    • the Finding Type (Hygiene, Detected TTP, Detected Anomaly)

    • the Finding Status (Active or Inactive)

    • MITRE ATT&CK TTP (if applicable)

      NOTE: Up to three TTPs may be returned for the finding. If "+ [number]" is shown to the right of the displayed TTP, hover over the icon to view the additional values.

    • the number of Affected Objects

    • Last Updated (that is, the last time the Finding was detected)

      NOTE: Last Updated displays a relative time. However, you can hover over the clock icon to see an exact date and time (which displays the local date and time of the signed-in user).

    What Happened?/What Is Wrong?

    The What Happened? (for Detected Indicators) or What Is Wrong? (for Hygiene) page provides a description of the Finding and lists the objects that are affected. The following information is included for each object:

    • Object Name (with a link that allows you to display object details)

      exception: If an Object Type is trustedDomain, Container or dnsZone, object details cannot be displayed from the Investigation page and the Object Name link will be disabled.

    • Principal Name (which is searchable)

    • Object Type

    • First Discovered date and time

      NOTE: This field displays the signed-in user's local date and time.

    • Certification Status, which may be

      NOTE: A status of "Status Not Available" may occur if the object has been deleted from Active Directory/Entra ID or the Object ID cannot otherwise be identified.

    This section also includes a series of links to help you complete your investigation, as described in the following table.

    Link Description
    For Selected Objects in the list

    Object Name

    (for a single object)

    The properties of the object, including whether or not it is Tier Zero/Privileged, identifiers used for the object within Active Directory or Entra ID, the date the object was added and the date its information was last updated.

    NOTE: This field displays the signed-in user's local date and time.

    Mute Object button See Muting Findings for Hygiene and Detected Indicators.

    View Activity button

    (for a single object)

    This link opens the Quick Search page in On Demand Audit, which lists event data for the object being investigated.

    View Assessment button

    (for a single object)

    If the indicator was raised by a Security Guardian Assessment, this link opens the Assessment Results Vulnerability Detail page that includes the selected object.

    NOTE: This button is enabled only when a single object is selected.

    View critical activity link If the indicator was raised by an On Demand Audit critical activity event, this link opens Critical Activity event details in On Demand Audit.
    Escalate this Finding
    Copy This link allows you to copy the text of the Finding to the clipboard so that you can share it with others.
    Send email This link allows you to prepare and send an escalation email to recipients with whom you want to share the Finding.

    How Do I fix this?

    This section provides the recommended remediation.

  • Muting Findings for Hygiene and Detected Indicators

    You can mute Findings for Hygiene, Detected TTP, and Detected Anomaly Indicators, or individual objects within those Findings, to prevent future Findings from being raised.

    NOTE: If you want to mute an indicator entirely, you can do so from the All Indicators page.

     

    To mute Findings:

    From the Findings Investigation page or Findings list (if you are dismissing multiple Findings), dismiss the Finding.

    When prompted to confirm the dismissal, check the Mute this Finding box.

     

    NOTES:

    • Tier Zero [object] Detected Findings cannot be muted. If your selection includes these the mute option will be unavailable.

    • Because Findings are muted at the time they are dismissed and therefore no longer display in the Findings list, they can only be unmuted from the All Indicators page.

     

    To mute Findings for individual objects:

    1. From the Findings Investigation What Happened?/What Is Wrong? section, select the object(s) you want to mute.

    2. Click Mute Object.

    NOTE: You can unmute muted objects from the Findings Investigation What Happened?/What Is Wrong? page or from the Indicator Details view.

    Dismissing Findings

    When you dismiss a Finding, the Finding will no longer display in the active Findings list.

    • For a Hygiene, Detected TTP, or Detected Anomaly Indicator, the Finding will continue to be monitored and any new Finding for the indicator will be raised unless it is muted.

    • For a Tier Zero indicator, the Finding will not be raised again unless the object is re-added as a Tier Zero or Privileged object.

      NOTES:

      • Only certified Tier Zero and Privileged objects can be dismissed. If a Tier Zero/Privileged object is not certified, the Dismiss option will be disabled. However, you can dismiss a Tier Zero/Privileged Finding as part of the certification process.

      • When you dismiss a Finding, the Finding Status is changed from Active to Inactive and can be viewed when the Findings list is filtered by Status = Inactive.

    To dismiss a Finding after investigation:

    From the Investigate Finding page, click Dismiss Finding.

    You will be prompted to confirm the dismissal. For a Hygiene, Detected TTP, or Detected Anomaly Indicator, the confirmation dialog also includes a check box that allows you to mute the Finding at the same time.

    To dismiss one or more Findings from the Findings list:

    1. Select the Finding(s) you want to dismiss.

    2. Click the Dismiss button.

    NOTE: If your selection contains only Hygiene, Detected TTP, and/or Detected Anomaly Indicators, you will also have the option to mute the Finding(s). If the selection includes Tier Zero Findings, the option to mute will be unavailable. Any uncertified Tier Zero objects in the selection will not be dismissed.

    Related Documents

    The document was helpful.

    Seleziona valutazione

    I easily found the information I needed.

    Seleziona valutazione