Chat now with support
Chat with Support

Security Guardian Current - User Guide

Introducing Quest Security Guardian Using the Dashboard Tier Zero Objects Assessments Findings Security Settings Appendix - Security Guardian Indicator Details

Security Settings

From the Security Guardian Settings page you can:

Configuring a Forwarding Destination

 

If your organization uses Microsoft Sentinel and/or Splunk (Cloud Platform or Enterprise) as a SIEM solution, you can configure Security Guardian to forward Findings to the applicable tool for further analysis.

You can also configure email alerts for Findings, as well as for the first completed assessment.

 

Once configured, the tile for the forwarding destination shows details of the configuration, as well as when the last Finding was sent. A forwarding destination can also be edited or removed.

 

To access the Forwarding configuration page:

  1. From the On Demand left navigation menu, choose Security | Settings.

  2. Make sure the Forwarding tab is selected.

To configure Microsoft Sentinel as a forwarding destination:

  1. Click Add Forwarding Destination, select Microsoft Sentinel.

  2. Enter the Sentinel Workspace ID and Shared (Primary) Key.

    Refer to the Microsoft documentation for instructions on Finding the Workspace ID and key.

  3. Click Send Test Event to ensure that a connection can be made to Sentinel.

    A message will be returned indicating whether or not the test event was successfully sent. If the test event was not successful, ensure the Workspace ID and Shared Key were entered correctly.

  4. Click Save.

To configure Splunk (Cloud Platform or Enterprise) as a forwarding destination:

  1. Click Add Forwarding Destination, select Splunk.

  2. Enter the Splunk HTTP Event Collector URL (e.g. <http or https>://<cloud or server address>:<port>) and Token.

    Refer to the Splunk documentation for instructions on Finding the HTTP Event Collector URL and Token.

  3. Click Send Test Event to ensure that a connection can be made to Splunk.

    A message will be returned indicating whether or not the test event was successfully sent. If the test event was not successful, ensure the URL and Token were entered correctly.

  4. Click Save.

To configure Email as a forwarding destination:

  1. Click Add Forwarding Destination, select Email.

  2. Add the Forward To email recipients that you want alerts sent to. If you are entering multiple email addresses, separate each with a semicolon.

  3. Click Save.

Managing Indicators

An indicator consists of a set of criteria that is used to evaluate collected data and generate Findings for:

  • Tier Zero object activity
  • The following Hygiene, Detected TTP, and Detected Anomaly indicators:
    • Security Assessment vulnerabilities detected by Security Guardian
    • Critical Activity and unprotected Tier Zero objects collected by On Demand Audit.

NOTE: Indicator-specific detail, with listings by severity and by the data source, can be found in the Appendix.

If you no longer want a Finding to be generated for an indicator, you can mute it.

EXCEPTION: New Tier Zero object indicators cannot be muted.

To access the All Indicators page:

  1. From the left navigation menu, choose Security | Settings.

  2. Select the All Indicators tab.

A list of all indicators displays, with the following information for each:

  • Finding (Indicator name)

  • one of the following Severity levels:

    Critical Generally reserved for Hygiene and Detected Indicators that are changes to Tier Zero object security, have significant potential impact to the Active Directory environment, and are not part of the default Active Directory configuration.
    High Generally reserved for Hygiene and Detected Indicators that are of high concern but impact single objects, the discovery of new Tier Zero domain objects, and changes to Tier Zero objects that occur more often through normal business operations or are part of the default Active Directory configuration.
    Medium Generally reserved for the addition of Tier Zero user, computer, group, and Group Policy objects.
  • Type (Tier Zero, Hygiene, Detected TTP, Detected Anomaly)

  • Active Findings

  • Inactive Findings

  • number of Muted Objects

  • Mute Status

NOTE: If you click the Filter button, you can filter displayed results by one or more of the following criteria:

  • Indicator

  • Severity

  • Type

  • Mute Status

To view Indicator Details:

Click the link for the indicator.

Muting and Unmuting Indicators

When Managing indicators you can mute (or unmute) selected indicators to prevent (or allow) Findings. You can also unmute objects that were muted during Findings investigation.

 

NOTES:

  • New Tier Zero [Object] Detected indicators cannot be muted and the Mute Indicator option will be disabled.

  • If an indicator for a Security Assessment vulnerability is muted, that vulnerability will not be evaluated in future Assessments.

  • If an indicator for On Demand Audit Critical Activity is muted, associated events will be hidden.

To mute (or unmute) indicators:

Either:

To unmute objects within an indicator:

  1. From the Indicator Details Muted Objects for this Indicator section, select the object(s) you want to unmute.

  2. Click Unmute Object.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating