Viewing Details for an Assessed Vulnerability
When you select a Vulnerability from an Assessment's Results page, details about the assessed vulnerability are displayed.
The left side of the page includes detailed information about the vulnerability as defined in the Discovery.
7 Day Assessment Trend
A graph depicts color-coded results over the past 7 days that the Assessment was run, as described below.
TIPS:
- Select the Security Guardian Intelligence icon to review a summary of the vulnerability, including vulnerability trends, a summary of key points, recommended remediation steps, and follow-up questions to support implementation.
- You can click individual states in State Filtering so that only the states you want to focus on are displayed in the graph. (The Compliant Objects state is always hidden by default.)
- Hover over the graph to display the number of vulnerable objects (if any) detected per day.
- Click on an area of the graph to display details about that Assessment run in the list below.
The color-coded states shown in the graph are Compliant objects, Vulnerable objects, Error, and Inconclusive.
NOTE: An Error state indicates that an error occurred during data collection (for example, the server containing the objects to be evaluated could not be reached). If an error occurred, the appropriate message displays.
NOTE: An Inconclusive state indicates that data could not be collected for a non-error-related reason. The reason may be:
- The scope of an Assessment includes Tier Zero or Privileged objects, but no Tier Zero or Privileged objects were found.
- An Assessment involves both Active Directory and Entra ID workloads, but both are not configured.
- The number of Tier Zero or Privileged objects exceeded the maximum number (10,000) that could be evaluated.
- Permissions were insufficient to collect the data.
- The Assessment requires a Premium license, but the Organization has a free license.
If results were inconclusive for individual objects, hover over the icon for a description of the reason.
Below the graph is a list of the Vulnerable Objects (up to 100,000) found out of the total number of Assessed Objects for the selected area of the graph.
NOTES:
- If a group is identified as vulnerable, all of the members of that group (including via nested groups) are included in the Vulnerable Objects total. Click the link to view the list of the affected objects.
- If more than 100,000 vulnerable objects are returned, it is advisable to investigate why so many objects are found to be vulnerable. For example, all users may have been added to a group they don't belong in.
- For User and Computer vulnerabilities, the column Is Account Enabled? is included, allowing you to prioritize enabled accounts when implementing a remediation.
- For certain vulnerabilities, you can click the Principal Name or Display Name link to view detailed information about the object. This may include object properties, any affected Tier Zero objects, and group members (for group objects only).
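The notes above describe how a vulnerable group's nested membership feeds the Vulnerable Objects total, how enabled accounts can be prioritized, and why a very large total deserves investigation. The following added example (not Security Guardian's own code) models that counting on a constructed directory with hypothetical group and user names, following nested groups while guarding against membership cycles:

```python
from collections import deque

# Constructed sample directory: group -> direct members (users or nested groups).
# Names are hypothetical; this is not data exported from Security Guardian.
SAMPLE_MEMBERS = {
    "grp-helpdesk": ["alice", "bob", "grp-contractors"],
    "grp-contractors": ["carol", "grp-helpdesk"],   # nesting cycle on purpose
    "grp-all-staff": ["grp-helpdesk", "dave", "erin"],
}

# user -> enabled flag, mirroring the "Is Account Enabled?" column
SAMPLE_ACCOUNTS = {
    "alice": True, "bob": False, "carol": True, "dave": True, "erin": False,
}


def expand_group(group, members):
    """Return the set of users reachable from `group`, following nested groups.
    The `seen` set stops the grp-helpdesk <-> grp-contractors cycle from looping."""
    users, seen, queue = set(), {group}, deque([group])
    while queue:
        for m in members.get(queue.popleft(), []):
            if m in members:            # nested group: walk into it once
                if m not in seen:
                    seen.add(m)
                    queue.append(m)
            else:                       # leaf object: a user
                users.add(m)
    return users


def vulnerable_object_total(vulnerable_groups, members, accounts, threshold=100_000):
    """Count affected users the way the Vulnerable Objects total does (each user
    counted once even if reached via several groups), list the enabled ones for
    remediation priority, and flag totals above the investigation threshold."""
    affected = set()
    for g in vulnerable_groups:
        affected |= expand_group(g, members)
    enabled = sorted(u for u in affected if accounts.get(u, False))
    return {
        "total": len(affected),
        "enabled": enabled,
        "investigate": len(affected) > threshold,
    }


if __name__ == "__main__":
    print(vulnerable_object_total(["grp-helpdesk"], SAMPLE_MEMBERS, SAMPLE_ACCOUNTS))
```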
To download the Vulnerable Objects list to a CSV file:
The file will include all of the objects displayed in the Vulnerable Objects list.
Findings
Findings allow you to view and investigate notable events in your organization's Active Directory and Entra ID, including:
- Active Directory Tier Zero and Entra ID Privileged object activity, including the identification of unprotected Tier Zero objects.
- Hygiene indicators detected by Security Guardian Assessments.
- Detected TTP and Detected Anomaly Indicators collected by Security Guardian from On Demand Audit.
NOTE: Hygiene (from Security Guardian Assessments) indicates that objects are susceptible to an adversary attack. Detected (from On Demand Audit) indicates that an action took place that could possibly be an adversary attack. Detected TTP (tactics, techniques and procedures) are search-based detected indicators, whereas Detected Anomalies are indicators based on statistical analysis.
To view Findings:
The Findings list displays the following information for each finding:
- Finding name
- Severity level
NOTE: Security Guardian calculates severity levels by a range of values (for example, the lower the value, the higher the severity). If you sort by this column, you can see the Findings in order of most to least severe.
Critical: Generally reserved for Hygiene and Detected Indicators that are changes to Tier Zero and Privileged object security, have significant potential impact to the Active Directory or Entra ID environment, and are not part of the default Active Directory or Entra ID configuration.
High: Generally reserved for:
  - Hygiene and Detected Indicators that are of high concern but impact single objects.
  - the discovery of new Tier Zero domain objects and Privileged tenant objects.
  - changes to Tier Zero and Privileged objects that occur more often through normal business operations or are part of the default Active Directory or Entra ID configuration.
Medium: Generally reserved for the discovery of:
  - Tier Zero user, computer, group, and Group Policy objects.
  - Privileged user, role, group, and service principal objects.
- Type (Tier Zero, Hygiene, Detected TTP, or Detected Anomaly)
- Workload (Active Directory or Entra ID)
- Last Detected date and time. (This field displays the signed-in user's local date and time.)
- Status (Active or Inactive)
NOTE: If you click the Filter button, you can filter displayed results by one or more of the following criteria:
From the Findings list you can dismiss one or more Findings and view Finding history.
Investigating Findings
From the Findings list, select a Finding to investigate in more detail:
From the Investigate Finding page, you can:
- View a summary of the Finding's key elements.
- Access Security Guardian Intelligence to answer your questions and provide a high-level overview of your environment, including identified Findings and recommended actions to resolve issues.
NOTE:
- Before you can access the Security Guardian Intelligence assistance, you need to read and accept the AI Terms of Use.
- To refresh the Security Guardian Intelligence content in the flyout, click the AI icon next to a different user object.
NOTE: Navigate between questions either by clicking the name or by using the Next and Back buttons.
Investigating Tier Zero and Privileged Object Findings
The top of a Tier Zero or Privileged object Investigation page identifies the object being investigated, along with the following information:
- the Severity of the Finding
- the Finding Type (Tier Zero)
- the Certification Status (Certified or Not Certified)
- the Finding Status (Active or Inactive)
- Last Updated (that is, the last time the Finding was detected)
  NOTE: Last Updated displays a relative time. However, if you hover over the clock icon you can see an exact date and time. This field displays the signed-in user's local date and time.
- options to certify the object, dismiss the Finding, and view the history of the Finding.
What Happened?
This section indicates why a Finding was raised for the object, as well as why the object is considered Tier Zero or Privileged and the number of other Tier Zero or Privileged objects that it impacts and is impacted by.
NOTE: If BloodHound Enterprise is the provider, it can return a maximum of 1000 related objects for each category.
The What Happened? section also includes a series of links to help you complete your investigation, as described in the following table.
View Details: The properties of the object, including whether it was added by the system (Security Guardian or BloodHound Enterprise) or by a user, identifiers used for the object within Active Directory or Entra ID, the date the object was added, and the date its information was last updated.
  NOTE: The Date Added field displays the signed-in user's local date and time.
View Relationships: If BloodHound Enterprise is configured, this link enables you to log into BloodHound (if you have at least Read permissions) and view attack paths between the object being investigated and other objects.
  NOTE: If Security Guardian is the provider, this option will be hidden.
View Recent Activity: This link opens the Quick Search page in On Demand Audit, which lists event data for the selected object.
Escalate this Finding:
  - Copy: This link allows you to copy the text of the Finding to the clipboard so that you can share it with others.
  - Send email: This link allows you to prepare and send an escalation email to recipients with whom you want to share the Finding.
How Do I fix this?
This section provides recommendations for investigation and remediation.
NOTE: If BloodHound Enterprise is the provider, the View Relationships link to BloodHound Enterprise is also provided in this section.