
Security Guardian Current - User Guide


Working with Hybrid Audit Brokers

Hybrid Audit uses the hybrid agent to communicate with on-premises Active Directory domains. A Hybrid Audit Broker is a Hybrid Audit agent that has been assigned the Manage Security Guardian Hybrid Audit permission.

The Hybrid Audit Broker: 

  • Scans your Active Directory forest topology to identify where Hybrid Audit agents can be deployed.

  • Acts as a communication hub, sending commands to the agent and forwarding collected audit events to be displayed in Security Guardian.

 

IMPORTANT: Each Active Directory forest where Hybrid Audit agents are deployed must have at least one Hybrid Audit Broker installed.

For more information, see:

Audited Events Page Overview

The Audited Events page shows all events that are currently being monitored, as well as those that can be monitored by the Hybrid Audit agent.

  • Enabling an event begins tracking the specified changes within the Active Directory forest.

  • Disabling an event stops tracking those changes.

NOTE:

  • Events that are disabled by default are typically noisy events that should only be enabled for specific investigations.

  • Active Directory, Group Policy, and Logon Activity events recorded by the deployed Hybrid Audit agents are available to search in Audit | Search. Specific events can be searched by using the Hybrid Audit Event Name in the Change Auditor Event Class Name search filter.

To view event details:

  • Click an event link to open a window with additional information, including the event’s Name, Description, Subsystem, and current Status.

To enable and disable the events:

  • Check the box to select the event and click the Enable or Disable button as required.

To filter the display:

  • Click Filter to apply filters by column and value or click a column header to sort or filter directly.

 

Working with Protection Templates

The Protection page in Security Guardian displays a list of templates used to protect Active Directory and Group Policy objects. Each domain within a forest has its own unique set of protection templates. For example, if a forest contains two domains, two separate sets of Tier Zero protection templates (one for each domain) are displayed.

For information on enabling protection, see Protecting Tier Zero Objects.

NOTE: Protection templates are only created and applied to domains that meet both of the following conditions:

  • The domain is listed under Tenants | Active Directory Domain.

  • The domain has an assigned Tenants | Hybrid Agent with Manage Security Guardian Hybrid Audit enabled.

Administrators can edit existing templates to remove Active Directory objects and group policies from protection and manage override accounts.

NOTE:

  • You cannot add new protected objects during edit.

  • Template name and type remain fixed.

  • Predefined override accounts are permanent and cannot be removed.

To view the enabled protection templates:

  • Navigate to Hybrid Audit from the left-hand menu and select Protection. From here you can view and filter protection templates.

Table 2: Available Protection Information

| Column | Description |
|---|---|
| Template Name | The name assigned to the protection template. |
| Domain | The domain associated with the template. |
| Type | Indicates whether the template applies to Active Directory or Group Policy. |
| Protected Object | The specific object being protected by the template. |

To filter the display:

  • Click Filter to apply filters by column and value or click a column header to sort or filter directly.

To view template details:

  1. In the Protection table, locate the template you want to view.

  2. Click the template name link.

A flyout opens and displays the name of the selected protection template, the name of the account that overrides protection, and whether the override applies to Active Directory or Group Policy.

To edit protection:

  1. In the Protection table, locate the template you want to view.

  2. Select a single Active Directory or Group Policy template.

  3. Click Edit.

  4. Select the required objects, click Remove, and click Save and Continue to optionally edit the override accounts.

  5. Add or remove override accounts as required.

  6. Click Save and Finish to apply the updates.

 

 

Security Settings

From the Security Guardian Settings page you can:
