
Security Guardian Current - User Guide


Removing Manually-Added Tier Zero Objects

You can remove Tier Zero objects that have been manually added by a user from the Tier Zero Objects list.

NOTE: Tier Zero objects added by the Tier Zero provider (Security Guardian or BloodHound Enterprise) cannot be removed via On Demand.

 

Note that if you remove a manually-added object from the Tier Zero list, it will no longer be monitored. If it is re-added, it will revert to being Not Certified, regardless of its status when it was removed.

 

To remove a manually-added Tier Zero object:

  1. From the Tier Zero Objects list, select the object(s) you want to remove.

  2. Click Remove Tier Zero.

    NOTE: If any Tier Zero objects added by the Tier Zero provider are in the selection, the Remove Tier Zero option will be disabled.

    You will be prompted to confirm the action.

Certifying Tier Zero Objects

Certification is a means by which you can verify that any object identified by the Tier Zero provider, or added manually by a user as Tier Zero, qualifies as Tier Zero. Once certified, the object will be used to establish a baseline for generating Findings for Indicators of Compromise and Indicators of Exposure.

By default, the status of any object added as Tier Zero (which includes objects in the initial list collected by the Tier Zero provider) is Not Certified. This encourages you, as a Security Guardian administrator, to review each object for privileged account security risks.

EXCEPTION: Because they pose the highest security risk to your Active Directory environment, Tier Zero Domain objects identified by the Tier Zero provider (Security Guardian or BloodHound Enterprise) are certified automatically.

You can certify one or multiple objects from the Tier Zero Objects list, or individually from the Investigate Finding page or within a New Tier Zero Object's Details view on the Dashboard.

It is strongly recommended that you remove any manually-added Tier Zero objects that, after review, have not been certified as Tier Zero.

Caution: Once a Tier Zero object has been certified, it cannot be uncertified.

To certify Tier Zero objects from the Tier Zero list:

  1. From the Tier Zero list, select the object(s) you want to certify.

  2. Click Certify Tier Zero.

To certify a Tier Zero object from the Findings Investigation page:

Click Certify Tier Zero Object.

You will be prompted to confirm the certification. The confirmation dialog also includes a check box that allows you to dismiss the Finding at the same time.

NOTE: Once a Tier Zero object has been certified, it will no longer display in the New Tier Zero Objects tile on the Dashboard.

 

Protecting Tier Zero Objects

If Change Auditor version 7.4 is integrated with On Demand, you can protect Tier Zero objects from unauthorized or accidental modifications or deletions from the Security Guardian interface.

You can protect Tier Zero objects from the Findings Investigation page if one or more unprotected Tier Zero objects have been detected as an Indicator of Exposure or Compromise, or from the Tier Zero list.

NOTES:

  • Currently, you cannot unprotect objects in On Demand. However, Change Auditor can be used to unprotect objects. Once an object is unprotected, a new Finding will be raised in Security Guardian.

  • When an object within a Finding is protected, it no longer displays in the Findings investigation page. However, object protection status details can be viewed in Change Auditor.

Tier Zero Protection Status

The Tier Zero protection status is displayed in the Protection Status column of the Tier Zero Objects List. The status may be:

  • Not Protected

  • Protected

  • Pending Evaluation

    NOTE: A Pending Evaluation status indicates that either Change Auditor has not completed processing the protection request or that Change Auditor 7.4 or later is not integrated with On Demand.

 

To protect Tier Zero objects from the Tier Zero list:

  1. Select the unprotected object(s) you want to protect.

  2. Click the Enable Protection button.

To protect Tier Zero objects from the Findings Investigation page (if applicable):

  1. On the Findings Investigation page What Happened? section, select the Tier Zero object(s) that you want to protect.

  2. Click the Enable Protection button.

Assessments

Assessments are a set of Discoveries that are evaluated against collected data to identify vulnerabilities in your organization's Active Directory domain(s). They run automatically once added, and then run periodically, depending on how often Active Directory data is collected. This allows you to identify which Active Directory objects within scope contain vulnerabilities that require further investigation and remediation.

To access Assessments functionality:

From the left navigation menu, choose Security | Assessments.
