The diagrams below illustrate how Security Guardian functions for Active Directory, including how additional components are integrated.
|
NOTE: You can click on individual images within the diagram to link to the applicable topic in this guide. |
Functional Overview for Active Directory
.
Additional components need to be configured to make Security Guardian fully functional.
To configure additional components:
-
From the On Demand left navigation menu, choose Security | Dashboard.
-
From the Configuration Status tile, configure the necessary components.
|
NOTE: Once an additional component is configured in On Demand, it's available to any other module that uses it. |
Hybrid Agent |
Gives Security Guardian access to the Active Directory domain(s) that you want to keep secure. |
On Demand Global Settings User Guide - Managing your on-premises domains
When configuring the agent, ensure that:
- the action Collect Active Directory object data is selected
- any domain for which you want object data to be collected is added.
|
SpecterOps BloodHound Enterprise
(Optional) |
Identifies Tier Zero assets in your organization's Active Directory domain(s), which you can monitor and assess for security vulnerabilities in Security Guardian.
|
NOTE: If BloodHound Enterprise is not configured, Security Guardian will be used as your organization's Tier Zero provider once the Hybrid Agent is configured. | |
On Demand Audit User Guide - SpecterOps BloodHound Integration |
SIEM solution:
(Optional) |
Allows Security Guardian Findings to be forwarded to a configured SIEM tool for further analysis
|
NOTE: Regardless of whether your organization uses a SIEM solution, you can also have Finding alerts sent via email. | |
Configuring a Forwarding Destination |
The Security Guardian dashboard displays a visual summary of the current security status of your organization's Active Directory.
To access the Security Guardian dashboard:
From the On Demand left navigation menu, choose Security | Dashboard. The dashboard contains tiles for each of the following components:
- Uncertified Tier Zero Objects
- Highest Severity Findings
- Active Directory Tier Zero certification summary
- Active Hygiene and Active Detected
- Configuration Status
The Uncertified Tier Zero Objectstile:
-
displays the last time the objects list was synchronized
-
lists the last ten uncertified objects that were added to Security Guardian (you can click View All for an object type to view the complete list)
|
NOTE: Objects that have been certified are excluded from the list. |
-
provides links that allow you to
- view object details (by clicking an object name)
-
|
NOTE: From within the Details view you can also certify the object. Once an object is certified, it will no longer display in this tile. |
- Investigate the Finding for the object
- add a new Tier Zero or Privieged object
- if BloodHound Enterprise is configured, log into BloodHound (if you have at least Read permissions) to open the Attack Paths page
-
|
NOTE: If Security Guardian is your provider, this link is hidden. |
- view the Tier Zero Objects list.
The Highest Severity Findings tile displays the top five active findings of the highest severity. Information includes:
- the Finding name
- when the Finding was Detected
- the Finding Type (Tier Zero, Hygiene, Detected TTP, or Detected Anomaly)
- the Severity indicator (Critical, High, or Medium)
- a link that allows you to Investigatethe Finding
The View All link at the bottom of the tile allows you to view the list of all active Findings for the organization.
The Active Directory Tier Zero Objectstile display graphical representations of the number of certified vs. uncertified objects.
The Active Hygiene and Active Detected tile shows the total number of Hygiene and Detected (TTP and Anomaly) Findings in the organization by severity level (Critical, High, and Medium).
From the Configuration Status tile you can configure additional components and view existing configurations.
Tier Zero objects are the most critical assets within an organization's Active Directory. Within the Microsoft enterprise access model, Tier Zero objects in Active Directory include accounts, groups, and other assets that have direct or indirect administrative control of AD and the assets within it.
Currently, Security Guardian supports the following Tier Zero object types:
- Domains
- Computers
- Groups
- Group Policies
- Users
The Tier Zero provider (Security Guardian or BloodHound Enterprise) identifies Tier Zero objects within the organization's Active Directory domain(s). These objects are then collected by and displayed in Security Guardian.
You can also add Tier Zero objects to Security Guardian manually.