From the Security Guardian Settings page you can:
Introducing Quest Security Guardian
About On Demand
About Security Guardian
Access Control
Functional Overview
Configuring Additional Components
Using the Dashboard
Tier Zero Objects
How Tier Zero Objects are Identified
Tier Zero Objects List
Viewing Tier Zero Object Details
Adding Tier Zero Objects Manually
Certifying Tier Zero Objects
Protecting Tier Zero Objects
Exporting the Tier Zero Objects List
Assessments
First Assessment Notification Email
Built-in Assessments
All Assessments List
Discoveries and Vulnerabilities
Findings
Discoveries List
Pre-Defined Discoveries and Vulnerabilities
Creating an Assessment
Viewing, Editing, and Deleting an Assessment
Assessment Results
Discovery for Credential Access Vulnerabilities
Discovery for Defense Evasion Vulnerabilities
Discovery for Discovery Vulnerabilities
Discovery for Initial Access Vulnerabilities
Discovery for Lateral Movement Vulnerabilities
Discovery for Persistence Vulnerabilities
Discovery for Privilege Escalation Vulnerabilities
Discovery for Reconnaissance Vulnerabilities
Creating a Discovery
Viewing, Editing, and Deleting a Discovery
Investigating Findings
Muting Findings for Hygiene and Detected Indicators
Dismissing Findings
Viewing Finding History
Security Settings
Appendix - Security Guardian Indicator Details
Security Settings
Configuring a Forwarding Destination
If your organization uses Microsoft Sentinel and/or Splunk (Cloud Platform or Enterprise) as a SIEM solution, you can configure Security Guardian to forward Findings to the applicable tool for further analysis.
You can also configure email alerts for Findings, as well as for the first completed assessment.
Once configured, the tile for the forwarding destination shows details of the configuration, as well as when the last Finding was sent. A forwarding destination can also be edited or removed.
To access the Forwarding configuration page:
-
From the On Demand left navigation menu, choose Security | Settings.
-
Make sure the Forwarding tab is selected.
To configure Microsoft Sentinel as a forwarding destination:
-
Click Add Forwarding Destination, select Microsoft Sentinel.
-
Enter the Sentinel Workspace ID and Shared (Primary) Key.
Refer to the Microsoft documentation for instructions on Finding the Workspace ID and key.
-
Click Send Test Event to ensure that a connection can be made to Sentinel.
A message will be returned indicating whether or not the test event was successfully sent. If the test event was not successful, ensure the Workspace ID and Shared Key were entered correctly.
-
Click Save.
To configure Splunk (Cloud Platform or Enterprise) as a forwarding destination:
-
Click Add Forwarding Destination, select Splunk.
-
Enter the Splunk HTTP Event Collector URL (e.g. <http or https>://<cloud or server address>:<port>) and Token.
Refer to the Splunk documentation for instructions on Finding the HTTP Event Collector URL and Token.
-
Click Send Test Event to ensure that a connection can be made to Splunk.
A message will be returned indicating whether or not the test event was successfully sent. If the test event was not successful, ensure the URL and Token were entered correctly.
-
Click Save.
To configure Email as a forwarding destination:
-
Click Add Forwarding Destination, select Email.
-
Add the Forward To email recipients that you want alerts sent to. If you are entering multiple email addresses, separate each with a semicolon.
-
Click Save.
Managing Indicators
An indicator consists of a set of criteria that is used to evaluate collected data and generate Findings for:
- Tier Zero object activity
- The following Hygiene, Detected TTP, and Detected Anomaly indicators:
- Security Assessment vulnerabilities detected by Security Guardian
- Critical Activity and unprotected Tier Zero objects collected by On Demand Audit.
|
|
NOTE: Indicator-specific detail, with listings by severity and by the data source, can be found in the Appendix. |
If you no longer want a Finding to be generated for an indicator, you can mute it.
|
|
EXCEPTION: New Tier Zero object indicators cannot be muted. |
To access the All Indicators page:
-
From the left navigation menu, choose Security | Settings.
-
Select the All Indicators tab.
A list of all indicators displays, with the following information for each:
-
Finding (Indicator name)
-
one of the following Severity levels:
Critical Generally reserved for Hygiene and Detected Indicators that are changes to Tier Zero object security, have significant potential impact to the Active Directory environment, and are not part of the default Active Directory configuration. High Generally reserved for Hygiene and Detected Indicators that are of high concern but impact single objects, the discovery of new Tier Zero domain objects, and changes to Tier Zero objects that occur more often through normal business operations or are part of the default Active Directory configuration. Medium Generally reserved for the addition of Tier Zero user, computer, group, and Group Policy objects. -
Type (Tier Zero, Hygiene, Detected TTP, Detected Anomaly)
-
Active Findings
-
Inactive Findings
-
number of Muted Objects
-
Mute Status
|
|
NOTE: If you click the Filter button, you can filter displayed results by one or more of the following criteria:
|
Click the link for the indicator.
Muting and Unmuting Indicators
When Managing indicators you can mute (or unmute) selected indicators to prevent (or allow) Findings. You can also unmute objects that were muted during Findings investigation.
|
|
NOTES:
|
To mute (or unmute) indicators:
Either:
- Select one or more indicators from the All Indicators list and click Mute (or Unmute).
OR
- From Indicator Details, click Mute Indicator (or Unmute Indicator).
To unmute objects within an indicator:
-
From the Indicator Details Muted Objects for this Indicator section, select the object(s) you want to unmute.
-
Click Unmute Object.