Viewing Detail for an Assessed Vulnerability
When you select a Vulnerability from an Assessment's Results page, detail about the assessed vulnerability is displayed.
The left side of the page includes detailed information about the vulnerability as defined in the Discovery.
7 Day Assessment Trend
A graph depicts color-coded results over the past 7 days that the Assessment was run, as described below.
TIPS:
- You can click individual states in State Filtering so that only the states you want to focus on are displayed in the graph. (The Compliant Objects state is always hidden by default.)
- Hover over the graph to display the number of vulnerable objects (if any) detected per day.
- Click on an area of the graph to display details about that Assessment run in the list below.
- Compliant objects
- Vulnerable objects
- Error
  NOTE: An Error state indicates that an error occurred during data collection (for example, the server containing the objects to be evaluated could not be reached). If an error occurred, the appropriate message displays.
- Inconclusive
  NOTE: An Inconclusive state indicates that data could not be collected for a non-error-related reason (for example, the scope of an Assessment includes Tier Zero objects but no Tier Zero objects were found, the number of Tier Zero objects exceeded the maximum number (10,000) that could be evaluated, or permissions were insufficient to collect the data). If results were inconclusive for individual objects, hover over the icon for a description of the reason.
Below the graph is a list of the Vulnerable Objects (up to 100,000) found out of the total number of Assessed Objects for the selected area of the graph.
NOTES:
- If more than 100,000 vulnerable objects are returned, it is advisable to investigate why so many objects are found to be vulnerable. For example, all domain users may have been added to a group they don't belong in.
- For User and Computer vulnerabilities, the column Is Account Enabled? is included, allowing you to prioritize enabled accounts when implementing a remediation.
To download the Vulnerable Objects list to a CSV file:
From the details page for the vulnerable objects, click Export to CSV.
The file will include all of the objects displayed in the Vulnerable Objects list.
Findings
Findings allow you to view and investigate notable events in your organization's Active Directory, including:
- Tier Zero object activity, including the identification of unprotected Tier Zero objects
- Hygiene indicators detected by Security Guardian Assessments
- Detected TTP and Detected Anomaly indicators collected by Security Guardian from On Demand Audit
NOTE: Hygiene indicates that objects are susceptible to an adversary attack. Detected indicates that an action took place that could possibly be an adversary attack. Detected TTP (tactics, techniques and procedures) are search-based detected indicators whereas Detected Anomalies are indicators based on statistical analysis.
To view Findings:
From the left navigation menu, choose Security | Findings.
The Findings list displays Active Directory objects, along with the following information for each:
- Finding
- One of the following Severity levels:
  NOTE: Security Guardian calculates severity levels by a range of values (i.e., the lower the value, the higher the severity). If you sort by this column, you can see the Findings in order of most to least severe.
  Critical: Generally reserved for Hygiene and Detected Indicators that are changes to Tier Zero object security, have significant potential impact to the Active Directory environment, and are not part of the default Active Directory configuration.
  High: Generally reserved for Hygiene and Detected Indicators that are of high concern but impact single objects, the discovery of new Tier Zero domain objects, and changes to Tier Zero objects that occur more often through normal business operations or are part of the default Active Directory configuration.
  Medium: Generally reserved for the addition of Tier Zero user, computer, group, and Group Policy objects.
- Type (Tier Zero, Hygiene, Detected TTP, or Detected Anomaly)
- The date and time Last Detected
  NOTE: This field displays the signed-in user's local date and time.
- Status (Active or Inactive)
NOTE: If you click the Filter button, you can filter displayed results by one or more of the following criteria:
From the Findings list you can dismiss one or more Findings and view Finding history.
Investigating Findings
From the Findings list, you can investigate Findings in more detail for indicators of:
- Tier Zero objects that have been identified by the Tier Zero provider (Security Guardian or BloodHound Enterprise) or manually by a user
- Hygiene and Detections that have been found through Security Guardian Assessments and On Demand Audit critical activity.
Click on the Finding you want to investigate.
The Investigate Finding page consists of three sections.
You can navigate between sections either by clicking a section name or using the Next and Back buttons.
Investigating Tier Zero Activity
The top of a Tier Zero Object Investigation page identifies the object being investigated, along with the following information:
- the Severity of the Finding
- the Finding Type (Tier Zero)
- the Certification Status (Certified or Not Certified)
- the Finding Status (Active or Inactive)
- Last Updated (that is, the last time the Finding was detected)
  NOTE: Last Updated displays a relative time. However, if you hover over the clock icon you can see an exact date and time. This field displays the signed-in user's local date and time.
- options to certify the Tier Zero object, dismiss the Finding, and view history of the Finding.
What Happened?
This section indicates why a Finding was raised for the Tier Zero object, as well as why the object is considered Tier Zero and the number of other Tier Zero objects that it impacts and is impacted by.
NOTE: If BloodHound Enterprise is the Tier Zero provider, it can return a maximum of 10,00 related objects for each Tier Zero category.
The What Happened? section for Tier Zero also includes a series of links to help you complete your investigation, as described in the following table.
| Link | Description |
| --- | --- |
| View Details | The properties of the Tier Zero object, including whether it was added by the system (Security Guardian or BloodHound Enterprise) or by a user, identifiers used for the object within Active Directory, the date the object was added and the date its information was last updated. NOTE: The Date Added field displays the signed-in user's local date and time. |
| View Relationships | If BloodHound Enterprise is configured, this link enables you to log into BloodHound (if you have at least Read permissions) and view attack paths between the object being investigated and other AD objects. NOTE: If Security Guardian is the Tier Zero provider, this option will be hidden. |
| View Recent Activity | This link opens the Quick Search page in On Demand Audit, which lists event data for the selected object. |
| Escalate this Finding: Copy | This link allows you to copy the text of the Finding to the clipboard so that you can share it with others. |
| Escalate this Finding: Send email | This link allows you to prepare and send an escalation email to recipients with whom you want to share the Finding. |
How Do I fix this?
This section provides recommendations for investigation and remediation.
NOTE: If BloodHound Enterprise is the Tier Zero provider, the View Relationships link to BloodHound Enterprise is also provided in this section.