Security Guardian Current - User Guide

Findings

Findings allow you to view and investigate notable events in your organization's Active Directory and Entra ID, including:

  • Active Directory Tier Zero and Entra ID Privileged object activity, including the identification of unprotected Tier Zero objects.
  • Hygiene indicators detected by Assessments.
  • Detected TTP and Detected Anomaly Indicators collected by Audit.

NOTE:

  • Hygiene indicators identified by Assessments show that certain objects may be vulnerable to adversary attacks.
  • Detected indicators suggest that an action occurred which could potentially be an adversary attack. Detected TTPs (tactics, techniques, and procedures) are indicators found through search-based detection, while Detected Anomalies are indicators identified through statistical analysis.
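To make the distinction in the NOTE above concrete, here is an added illustration of the two detection styles. It is not Security Guardian's detection logic: the event records, group names, field names, seven-day baseline and z-score threshold are all constructed assumptions for this example. The search-based rule judges each event on its own content (a membership change on a Tier Zero group), while the statistical rule judges an actor's volume against that actor's own history.

```python
"""Search-based (TTP) detection versus statistical (anomaly) detection.

Added illustration, not Security Guardian's detection logic. The event records,
group names, field names and the z-score threshold are constructed for this
example.
"""
from collections import Counter
from statistics import mean, pstdev

# Constructed set of Active Directory group names treated as Tier Zero here.
TIER_ZERO_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample of one day's audit events (field names are assumptions).
TODAY_EVENTS = [
    {"actor": "alice", "action": "MemberAdded", "target": "Domain Admins", "member": "svc-backup"},
    {"actor": "bob", "action": "PasswordReset", "target": "jdoe"},
    {"actor": "mallory", "action": "MemberAdded", "target": "Helpdesk", "member": "tmp-user"},
] + [
    # mallory resets 40 different users' passwords in a single day
    {"actor": "mallory", "action": "PasswordReset", "target": f"user{i:02d}"} for i in range(40)
]

# Constructed per-actor baseline: event count on each of the previous 7 days.
HISTORY = {
    "alice": [2, 3, 2, 3, 2, 3, 2],
    "bob": [1, 1, 1, 1, 1, 1, 1],
    "mallory": [4, 5, 4, 5, 4, 5, 4],
}


def detect_ttp(events):
    """Search-based rule: any membership change on a Tier Zero group is a hit.

    Each event is judged on its own content; no baseline is needed, so a single
    matching event raises the indicator regardless of how busy the actor is."""
    return [
        e for e in events
        if e["action"] == "MemberAdded" and e["target"] in TIER_ZERO_GROUPS
    ]


def daily_counts(events):
    """Count events per actor for one day's records."""
    return Counter(e["actor"] for e in events)


def anomaly_scores(history, today, z_threshold=3.0):
    """Statistical rule: flag actors whose volume today sits z_threshold or more
    standard deviations above their own baseline. No single event is "bad"; the
    signal is the deviation. A flat baseline (zero spread) is flagged only when
    today's count exceeds it at all."""
    flagged = {}
    for actor, counts in history.items():
        mu, sigma = mean(counts), pstdev(counts)
        observed = today.get(actor, 0)
        if sigma == 0:
            if observed > mu:
                flagged[actor] = float("inf")
            continue
        z = (observed - mu) / sigma
        if z >= z_threshold:
            flagged[actor] = round(z, 2)
    return flagged


if __name__ == "__main__":
    for hit in detect_ttp(TODAY_EVENTS):
        print(f"TTP: {hit['actor']} added {hit['member']} to {hit['target']}")
    for actor, z in anomaly_scores(HISTORY, daily_counts(TODAY_EVENTS)).items():
        print(f"Anomaly: {actor} z-score {z}")
```

Run against the constructed data, the search rule reports only alice's change to Domain Admins (a single event, well within her normal volume), and the statistical rule reports only mallory (whose 41 events are far above her baseline even though none of them touches a Tier Zero group). mallory's change to Helpdesk matches neither rule, which is why the two indicator types are tracked separately in the Findings list.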

To view Findings:

  • From the left navigation menu, choose Security | Findings.

The Findings list displays the following information for each finding:

  • Finding name
  • Severity level

    NOTE: Security Guardian assigns each severity level a numeric range (the lower the value, the higher the severity). Sorting by this column therefore orders the Findings from most to least severe.

    Critical

    Generally reserved for Hygiene and Detected Indicators that are changes to Tier Zero and Privileged object security, have significant potential impact on the Active Directory or Entra ID environment, and are not part of the default Active Directory or Entra ID configuration.

    High

    Generally reserved for:

    • Hygiene and Detected Indicators that are of high concern but impact single objects.
    • the discovery of new Tier Zero domain objects and Privileged tenant objects.
    • changes to Tier Zero and Privileged objects that occur more often through normal business operations or are part of the default Active Directory or Entra ID configuration.

    Medium

    Generally reserved for the discovery of:

    • Tier Zero user, computer, group, and Group Policy objects.
    • Privileged user, role, group, and service principal objects.

  • Type (Tier Zero, Hygiene, Detected TTP, or Detected Anomaly)
  • Workload (Active Directory or Entra ID)
  • Last Detected date and time. (This field displays the signed-in user's local date and time.)
  • Status (Active or Inactive)

NOTE: If you click the Filter button, you can filter the displayed results by one or more of the following criteria:

  • Finding
  • Severity
  • Type
  • Status (Active Findings display by default. You can choose to display either Active or Inactive Findings in the list, but not both.)

From the Findings list you can dismiss one or more Findings and view Finding history.

Investigating Findings

From the Findings list, select a Finding to investigate in more detail:

  • Tier Zero and Privileged objects that have been identified by the provider (Security Guardian or BloodHound Enterprise) or added manually by a user.
  • Hygiene and Detected Indicators that have been found through Security Guardian Assessments and Audit Critical Activity.

From the Investigate Finding page, you can:

  • View a summary of the Finding key elements

  • Access Security Guardian Intelligence to answer your questions and provide a high-level overview of your environment, including identified Findings and recommended actions to resolve issues.

NOTE:

  • Before you can access the Security Guardian Intelligence assistance, you need to read and accept the AI Terms of Use.

  • To refresh the Security Guardian Intelligence content in the flyout, click the AI icon next to a different user object.

  • Access guiding questions:

    • What Happened?, or for Hygiene, What Is Wrong?

    • How Do I Fix This?

NOTE: Navigate between questions either by clicking the question name or by using the Next and Back buttons.


Investigating Tier Zero and Privileged Object Findings

The top of a Tier Zero or Privileged object Investigation page identifies the object being investigated, along with the following information:

  • the Severity of the Finding

  • the Finding Type (Tier Zero)

  • the Certification Status (Certified or Not Certified)

  • the Finding Status (Active or Inactive)

  • Last Updated (that is, the last time the Finding was detected)

    NOTE: Last Updated displays a relative time. However, if you hover over the clock icon you can see an exact date and time. This field displays the signed-in user's local date and time.

  • options to certify the object, dismiss the Finding, and view history of the Finding.

What Happened?

This section indicates why a Finding was raised for the object, why the object is considered Tier Zero or Privileged, and the number of other Tier Zero or Privileged objects that it impacts and is impacted by.

NOTE: If BloodHound Enterprise is the provider, it can return a maximum of 1000 related objects for each category.

The What Happened? section also includes a series of links to help you complete your investigation, as described in the following table.

View Details

    The properties of the object, including whether it was added by the system (Security Guardian or BloodHound Enterprise) or by a user, the identifiers used for the object within Active Directory or Entra ID, the date the object was added, and the date its information was last updated.

    NOTE: The Date Added field displays the signed-in user's local date and time.

View Relationships

    If BloodHound Enterprise is configured, this link lets you log into BloodHound (if you have at least Read permissions) and view attack paths between the object being investigated and other objects.

    NOTE: If Security Guardian is the provider, this option is hidden.

View Recent Activity

    Opens the Quick Search page, which lists event data for the selected object.

Escalate this Finding:

    Copy

        Copies the text of the Finding to the clipboard so that you can share it with others.

    Send email

        Lets you prepare and send an escalation email to the recipients with whom you want to share the Finding.

How Do I Fix This?

This section provides recommendations for investigation and remediation.

NOTE: If BloodHound Enterprise is the provider, the View Relationships link to BloodHound Enterprise is also provided in this section.

Investigating Hygiene and Detected Indicators

    Findings for Hygiene and Detected Indicators are raised when:

    • vulnerabilities are detected when a Security Guardian Assessment is run, and/or
    • critical activity anomalies are detected by Audit.

    NOTE: Hygiene indicates that objects are susceptible to an adversary attack. Detected indicates that an action took place that could possibly be an adversary attack.

    • Detected TTP (tactics, techniques and procedures) Indicators are search-based.
    • Detected Anomaly Indicators are based on statistical analysis.

    The top of an Investigation page identifies the Finding being investigated, along with the following information:

    • Finding Severity

    • Finding Type (Hygiene, Detected TTP, Detected Anomaly)

    • Finding Status (Active or Inactive)

    • MITRE ATT&CK TTP (if applicable)

      NOTE: Up to three TTPs may be returned for the finding. If "+ [number]" is shown to the right of the displayed TTP, hover over the icon to view the additional values.

    • Number of Affected Objects

    • Last Updated (the last time the Finding was detected)

      NOTE: Last Updated displays a relative time. However, you can hover over the clock icon to see an exact date and time (which displays the local date and time of the signed-in user).

    Security Guardian Intelligence

    From here you can enter your question directly or select from the following to get started.

    • Summary offers a concise overview of a specific Finding, including an explanation, the affected objects, real-world examples of similar issues, and suggested follow-up questions to guide further investigation.

    • Related Findings highlights other active Findings that are connected by object type or potential attack paths, helping you understand broader security implications and offering additional follow-up questions.

    • Additional Information provides a detailed risk overview, including severity levels, affected objects, potential security threats, real-world exploit incidents, and a security risk review, along with relevant follow-up questions.

    • Remediation outlines recommended remediation steps, including detailed instructions, and follow-up questions to support implementation.

    What Happened?/What Is Wrong?

    The What Happened? (for Detected Indicators) or What Is Wrong? (for Hygiene) page provides a description of the Finding and lists the objects that are affected. The following information is included for each object:

    • Object Name (with a link that allows you to display object details)

      User objects also include access to Security Guardian Intelligence.

      EXCEPTION: If the Object Type is trustedDomain, Container or dnsZone, object details cannot be displayed from the Investigation page and the Object Name link is disabled.

    • Principal Name (which is searchable)

    • Object Type

    • First Discovered date and time

      NOTE: This field displays the signed-in user's local date and time.

    • Certification Status (Certified, Not Certified, or Status Not Available)

      NOTE: A status of "Status Not Available" may occur if the object has been deleted from Active Directory/Entra ID or the Object ID cannot otherwise be identified.

    This section also includes a series of links to help you complete your investigation, as described in the following table.

    For selected objects in the list:

    Object Name (for a single object)

        The properties of the object, including whether or not it is Tier Zero/Privileged, the identifiers used for the object within Active Directory or Entra ID, the date the object was added, and the date its information was last updated.

        NOTE: The date fields display the signed-in user's local date and time.

        For user objects, select the Security Guardian Intelligence icon to view a detailed security overview of the user, including summary information, recent activity, user object changes, location details, related findings, activity analysis, conclusions, and follow-up questions.

    Mute Object button

        See Muting Findings for Hygiene and Detected Indicators.

    View Activity button (for a single object)

        Opens the Quick Search page, which lists event data for the object being investigated.

    View Assessment button (for a single object)

        If the indicator was raised by a Security Guardian Assessment, opens the Assessment Results Vulnerability Detail page that includes the selected object.

        NOTE: This button is enabled only when a single object is selected.

    View critical activity link

        If the indicator was raised by an Audit critical activity event, opens the Critical Activity event details.

    Escalate this Finding:

    Copy

        Copies the text of the Finding to the clipboard so that you can share it with others.

    Send email

        Lets you prepare and send an escalation email to the recipients with whom you want to share the Finding.

    How Do I Fix This?

    This section provides the recommended remediation.
