From the Security Guardian Settings page you can:
From the Security Guardian Settings page you can:
If your organization uses Microsoft Sentinel and/or Splunk (Cloud Platform or Enterprise) as a SIEM solution, you can configure Security Guardian to forward Findings to the applicable tool for further analysis.
You can also configure email alerts for Findings, as well as for the first completed assessment.
Once configured, the tile for the forwarding destination shows details of the configuration, as well as when the last Finding was sent. A forwarding destination can also be edited or removed.
To access the Forwarding configuration page:
From the On Demand left navigation menu, choose Security | Settings.
Make sure the Forwarding tab is selected.
To configure Microsoft Sentinel as a forwarding destination:
Click Add Forwarding Destination, select Microsoft Sentinel.
Enter the Sentinel Workspace ID and Shared (Primary) Key.
Refer to the Microsoft documentation for instructions on Finding the Workspace ID and key.
Click Send Test Event to ensure that a connection can be made to Sentinel.
A message will be returned indicating whether or not the test event was successfully sent. If the test event was not successful, ensure the Workspace ID and Shared Key were entered correctly.
Click Save.
To configure Splunk (Cloud Platform or Enterprise) as a forwarding destination:
Click Add Forwarding Destination, select Splunk.
Enter the Splunk HTTP Event Collector URL (e.g. <http or https>://<cloud or server address>:<port>) and Token.
Refer to the Splunk documentation for instructions on Finding the HTTP Event Collector URL and Token.
Click Send Test Event to ensure that a connection can be made to Splunk.
A message will be returned indicating whether or not the test event was successfully sent. If the test event was not successful, ensure the URL and Token were entered correctly.
Click Save.
To configure Email as a forwarding destination:
Click Add Forwarding Destination, select Email.
Add the Forward To email recipients that you want alerts sent to. If you are entering multiple email addresses, separate each with a semicolon.
Click Save.
An indicator consists of a set of criteria that is used to evaluate collected data and generate Findings for:
|
NOTE: Indicator-specific detail, with listings by severity and by the data source, can be found in the Appendix. |
If you no longer want a Finding to be generated for an indicator, you can mute it.
|
EXCEPTION: New Tier Zero object indicators cannot be muted. |
To access the All Indicators page:
From the left navigation menu, choose Security | Settings.
Select the All Indicators tab.
A list of all indicators displays, with the following information for each:
Finding (Indicator name)
one of the following Severity levels:
Critical | Generally reserved for Hygiene and Detected Indicators that are changes to Tier Zero object security, have significant potential impact to the Active Directory environment, and are not part of the default Active Directory configuration. | |
High | Generally reserved for Hygiene and Detected Indicators that are of high concern but impact single objects, the discovery of new Tier Zero domain objects, and changes to Tier Zero objects that occur more often through normal business operations or are part of the default Active Directory configuration. | |
Medium | Generally reserved for the addition of Tier Zero user, computer, group, and Group Policy objects. |
Type (Tier Zero, Hygiene, Detected TTP, Detected Anomaly)
Active Findings
Inactive Findings
number of Muted Objects
Mute Status
|
NOTE: If you click the Filter button, you can filter displayed results by one or more of the following criteria:
|
Click the link for the indicator.
When Managing indicators you can mute (or unmute) selected indicators to prevent (or allow) Findings. You can also unmute objects that were muted during Findings investigation.
|
NOTES:
|
To mute (or unmute) indicators:
Either:
OR
To unmute objects within an indicator:
From the Indicator Details Muted Objects for this Indicator section, select the object(s) you want to unmute.
Click Unmute Object.
© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center