
Security Guardian Current - User Guide


Creating a Discovery

You can create custom Discoveries based on pre-defined vulnerability templates.

NOTE: All of the available vulnerability templates are used in pre-defined Discoveries. You can refer to the Pre-defined Discoveries and Vulnerabilities for Active Directory and Entra ID sections for guidance when creating a new Discovery.

To create a Discovery:

  1. From the Discoveries list, click Create.

  2. Select a Workload (Active Directory or Entra ID).

  3. Enter a Discovery Type.

  4. Click Select Vulnerabilities to display a list of available vulnerability templates for the workload.

  5. Select each vulnerability template you want to add to the Discovery, then click Select.

  6. For each vulnerability added to the Discovery:

    1. Enter a Vulnerability Name.

    2. For Risk, enter the reason why the vulnerability is considered a risk. For Remediation, enter the recommendation for resolving the vulnerability.

      TIP: You can refer to Pre-defined Discoveries and Vulnerabilities for Active Directory and Entra ID for examples of Risk and Remediation text.

  7. If the vulnerability includes a Scope, specify the objects that you want the Assessment to evaluate. Use the information in the following table for guidance.

    NOTES:

    • If the Tier Zero or Privileged objects checkbox is selected, all applicable Tier Zero or Privileged objects, both those collected from the provider (Security Guardian or BloodHound Enterprise) and any that were manually created, are included in or excluded from the scope, depending on which option you select.

    • If a vulnerability pertains to a specific object or set of objects, the Scope section will be hidden. For example, if the vulnerability pertains to users, only Tier Zero users will be included. If the vulnerability pertains to a specific AD group, such as Built-In administrators, only that group will be included.

    Scope selection Description
    All {objects} All objects in the workload that are the applicable object type, including both Tier Zero/Privileged and non-Tier Zero/Non-Privileged objects.
    Select {objects} Only the objects you specify based on your selection criteria are included. When finished, click Add Object to add the object(s) to the Selected {Object}s list. If you want to exclude individual objects within your selection (for example, you selected an AD group but want to exclude individual members from the scope), click Add Exceptions and enter the object(s) as you would when adding objects.
    All Except Selected {objects} Only the objects you specify based on your selection criteria are excluded from the scope. You can add multiple objects, separated by semicolons. When finished, click Add Object to add the object(s) to the Selected {Object}s list.
  8. Click Save.

Viewing, Editing, and Deleting a Discovery

From the Discoveries list, you can view the details of a Discovery. You can also edit or delete a user-created Discovery. You can also change the scope of a pre-defined Discovery (if applicable) and, in a few cases, the What to find value. (Refer to the Pre-defined Discoveries and Vulnerabilities for Active Directory and Entra ID sections for specific Vulnerability templates.)


NOTE: You cannot delete pre-defined Discoveries and the option will be disabled.

To view a Discovery:

Click the Discovery Type link.

To edit a Discovery:

  1. Either:

    • In the Discoveries list, select the Discovery that you want to edit.

      OR

    • Open the Discovery that you want to edit.

  2. Click Edit.

  3. Update the Discovery as needed.

  4. Click Save.

To delete a user-created Discovery:

NOTE: Currently, you can only delete one Discovery at a time.

  1. Either:

    • In the Discoveries list, select the Discovery that you want to delete.

      OR

    • Open the Discovery that you want to delete.

  2. Click Delete.

You will be prompted to confirm the deletion.

Managing Workload Identities

The Workload Identities page in Quest On Demand provides visibility into service principals and their associated security posture within your Entra ID environment. This feature helps administrators identify risky permissions, assess sign-in status, and monitor compliance with security standards.

Best Practices

  • Regularly review identities with Critical or High risk.

  • Ensure all identities have at least one owner.

  • Rotate secrets and remove expired credentials promptly.

  • Limit privileged access to essential identities only.

To access Workload Identities: 

  • From the On Demand left navigation menu, choose Security | Workload Identities. The list displays all service principals with the following key security attributes:

Column Description
Service Principal Name The name of the service principal registered in Entra ID.
Application Tenant The tenant ID or tenant name of the application for the workload identity and whether the application is local or external.
Category Compliance category (such as FISMA, GDPR, HIPAA).
Certification Status Shows whether the identity is privileged and, if so, whether it has been certified.
Total Owners Number of assigned owners for the identity.
Total Risky Permissions Count of permissions flagged as risky.
Sign-In Status Displays whether the identity has successfully signed in within the last 30 days.
Secret Status Indicates the state of credentials (for example, None, Current, Expired).
Assessed Risk Risk level based on configuration and permissions (Critical, High, Medium, Low).
Last Reloaded The last time the information was retrieved from Entra ID and assessed.
Tenant Tenant where the Service Principal resides.
Account Status Indicates whether the workload identity is enabled or disabled.
Service Principal Type Indicates the type of workload identity (Application, Managed Identity, AI Agent).

From this page you can:

Viewing Workload Identity Details

The Workload Identity Details panel provides in-depth information about a selected service principal, including its properties, risk classification, ownership, and permissions. This helps administrators assess potential security risks and take corrective actions. It also provides an AI generated risk analysis assessment.

Best Practices

  • Review Critical or High risk identities immediately.

  • Determine if inactive identities should be disabled or removed.

  • Investigate permissions that are high risk or flagged for review.

  • Ensure ownership is assigned to avoid orphaned identities.

  • Rotate secrets regularly and remove expired credentials.

To review workload identity details:

  1. Navigate to Security | Workload Identities.

  2. Click a service principal in the list to view the following information:

    • Key identifiers and metadata, including Object ID, Category, Application Name, Application ID, Application Tenant ID, AI Agent Source, Azure Resource ID, and Malicious Indicator.

    • Risk Analysis: Evaluates configuration and behavior to determine whether the identity poses a security risk.

    • Sign-ins: Shows sign-in activity.

    • Owners: Lists assigned owners.

    • Certificates and Secrets: Displays credential status.

    • Permissions: Lists granted permissions.
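The Total Owners, Secret Status and Sign-In Status attributes above can be reproduced independently from Microsoft Graph data, which is useful for cross-checking the page or for scripting the best practices (orphaned identities, expired credentials, inactive identities that still hold credentials). The following is an added example written for this guide, not code from Quest or from Security Guardian. The service principal records are constructed to mirror the shape of a Graph `GET /servicePrincipals?$expand=owners` response (trimmed to the fields needed), the last-sign-in map is a constructed stand-in for an export of the Entra sign-in activity report, and the fixed clock makes the results reproducible. Skipping the owner check for managed identities is an assumption made here, on the basis that their ownership is tracked on the Azure resource rather than as Entra owners.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data shaped like a Microsoft Graph
# GET /servicePrincipals?$expand=owners response; all values are invented.
SAMPLE_SERVICE_PRINCIPALS = [
    {
        "id": "11111111-1111-1111-1111-111111111111",
        "displayName": "payroll-sync",
        "accountEnabled": True,
        "servicePrincipalType": "Application",
        "owners": [{"id": "aaaaaaaa-0000-0000-0000-000000000001"}],
        "passwordCredentials": [
            {"keyId": "k1", "endDateTime": "2024-01-01T00:00:00Z"},  # expired, still attached
            {"keyId": "k2", "endDateTime": "2030-01-01T00:00:00Z"},  # current
        ],
        "keyCredentials": [],
    },
    {
        "id": "22222222-2222-2222-2222-222222222222",
        "displayName": "legacy-reporting",
        "accountEnabled": True,
        "servicePrincipalType": "Application",
        "owners": [],  # orphaned
        "passwordCredentials": [{"keyId": "k3", "endDateTime": "2023-06-30T00:00:00Z"}],
        "keyCredentials": [],
    },
    {
        "id": "33333333-3333-3333-3333-333333333333",
        "displayName": "vm-backup-identity",
        "accountEnabled": True,
        "servicePrincipalType": "ManagedIdentity",
        "owners": [],
        "passwordCredentials": [],
        "keyCredentials": [],
    },
]

# Constructed: last successful sign-in per service principal id, as exported
# from the Entra sign-in activity report (hypothetical values).
SAMPLE_LAST_SIGN_IN = {
    "11111111-1111-1111-1111-111111111111": "2025-05-20T08:15:00Z",
    "22222222-2222-2222-2222-222222222222": "2024-11-02T03:00:00Z",
}

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock for reproducible output


def parse_graph_time(value):
    # Graph emits ISO 8601 with a trailing Z; normalise so older interpreters parse it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def all_credentials(sp):
    # Secret Status covers both client secrets and certificates.
    return sp.get("passwordCredentials", []) + sp.get("keyCredentials", [])


def secret_status(sp, now=NOW):
    """Return "None", "Current" or "Expired" for the identity's credential set."""
    creds = all_credentials(sp)
    if not creds:
        return "None"
    if any(parse_graph_time(c["endDateTime"]) > now for c in creds):
        return "Current"  # at least one usable credential remains
    return "Expired"


def expired_credentials(sp, now=NOW):
    """KeyIds of credentials past their endDateTime; these should be removed."""
    return [c["keyId"] for c in all_credentials(sp) if parse_graph_time(c["endDateTime"]) <= now]


def sign_in_status(sp, last_sign_in, now=NOW, window_days=30):
    ts = last_sign_in.get(sp["id"])
    if ts is None:
        return "No sign-in recorded"
    return "Active" if parse_graph_time(ts) >= now - timedelta(days=window_days) else "Inactive"


def assess(sp, last_sign_in, now=NOW):
    """Apply the best-practice checks to one service principal and collect findings."""
    findings = []
    owners = len(sp.get("owners", []))
    # Assumption: managed identities are owned via their Azure resource, so only
    # Application-type principals are checked for Entra owners.
    if owners == 0 and sp.get("servicePrincipalType") == "Application":
        findings.append("no owner assigned (orphaned identity)")
    expired = expired_credentials(sp, now)
    if expired:
        findings.append(f"{len(expired)} expired credential(s) to remove: {', '.join(expired)}")
    if secret_status(sp, now) != "None" and sign_in_status(sp, last_sign_in, now) != "Active":
        findings.append("holds credentials but has not signed in within the last 30 days")
    return {
        "name": sp["displayName"],
        "type": sp.get("servicePrincipalType"),
        "enabled": sp.get("accountEnabled"),
        "total_owners": owners,
        "secret_status": secret_status(sp, now),
        "sign_in_status": sign_in_status(sp, last_sign_in, now),
        "findings": findings,
    }


def assess_all(service_principals=SAMPLE_SERVICE_PRINCIPALS, last_sign_in=SAMPLE_LAST_SIGN_IN, now=NOW):
    return [assess(sp, last_sign_in, now) for sp in service_principals]


if __name__ == "__main__":
    for row in assess_all():
        print(f"{row['name']:<20} owners={row['total_owners']} secret={row['secret_status']:<8} "
              f"sign-in={row['sign_in_status']:<19} findings={row['findings']}")
```

Against the sample, payroll-sync is Current but still carries an expired secret to clean up, legacy-reporting is orphaned, Expired and Inactive, and the managed identity produces no findings. Note that a credential-free managed identity is never flagged as inactive, since there is nothing for an attacker to present; the inactivity check is deliberately tied to credentials being present.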
