立即与支持人员聊天
与支持团队交流

Security Guardian Current - User Guide

Introducing Quest Security Guardian Using the Dashboard Tier Zero Objects Privileged Objects Assessments Findings Security Settings Appendix - Security Guardian Indicator Details

Muting and Unmuting Indicators

When Managing indicators you can mute (or unmute) selected indicators to prevent (or allow) Findings. You can also unmute objects that were muted during Findings investigation.

 

NOTES:

  • New Tier Zero/Privileged [Object] Detected indicators cannot be muted and the Mute Indicator option will be disabled.

  • If an indicator for a Security Assessment vulnerability is muted, that vulnerability will not be evaluated in future Assessments.

  • If an indicator for On Demand Audit Critical Activity is muted, associated events will be hidden.

To mute (or unmute) indicators:

Either:

To unmute objects within an indicator:

  1. From the Indicator Details Muted Objects for this Indicator section, select the object(s) you want to unmute.

  2. Click Unmute Object.

Managing Data Collections

From the Data Collections page, you can monitor data collections for workloads within your organization. You can also:

To access the Data Collections page:

  1. From the On Demand left navigation menu, choose Security | Settings.

  2. Select the Data Collections tab.

The list of all scheduled data collections in the organization displays, with the following information:

  • the Workload (Active Directory or Entra ID)

  • the Tenant Name

    NOTE: For Active Directory workloads, this will be the location of the domain controller.

  • Last Collection, which may be:

    • the date and time of the last data collection

    • Never Collected (i.e., a data collection has not yet run for the workload or the first data collection attempt failed)

  • Duration of the data collection

  • Last Result, which may be:

    • Successful

    • Failed

    • - - (indicating that data was never collected)

  • Next Collection, which may be:

    • the date and time the next data collection is scheduled to run

    • - - (indicating that data was never collected)

  • Collection Status, which may be:

    • Ready (i.e., the next data collection has not started)

    • Running

    • Disabled

  • Remaining Collections (i.e., the remaining number of data collections that are permitted to be manually run for the workload within a 24 hour period)

    NOTE: The number of collections remaining is determined by the last successful collection duration and the number of successful manually run collections completed in the last 24 hour period. The maximum number of Remaining Collections possible is 24.

     

Appendix - Security Guardian Indicator Details

This appendix provides details of all indicators in Security Guardian, listed both by severity and by source.

 

NOTE: For the general criteria Security Guardian uses to determine severity levels, refer to the topic Managing Indicators.

Indicators by Severity

The following table lists all Security Guardian indicators, from most to least severe.

Indicator Type Severity Source
Possible Golden Ticket Kerberos exploit Detected Anomaly Critical On Demand Audit
Unsafe encryption used in Kerberos ticket (vulnerable to Kerberoasting) Detected TTP Critical On Demand Audit
Groups with SID from local domain in their SID History Hygiene Critical Assessments
User accounts with SID from local domain in their SID History Hygiene Critical Assessments
Groups with well-known SIDs in their SID History Hygiene Critical Assessments
User accounts with well-known SIDs in their SID History Hygiene Critical Assessments
Potential sIDHistory injection detected Detected Anomaly Critical On Demand Audit
File changes with suspicious file extensions Detected Anomaly Critical On Demand Audit
Irregular domain controller registration detected (DCShadow) Detected Anomaly Critical On Demand Audit
Irregular Active Directory replication activity detected (DCSync) Detected Anomaly Critical On Demand Audit
AD Database (NTDS.dit) file modification attempt detected Detected Anomaly Critical On Demand Audit
Inheritance is enabled on the AdminSDHolder container Hygiene Critical Assessments
Non-Tier Zero accounts that can promote a computer to a domain controller Hygiene Critical Assessments
Non-Tier Zero accounts can steal password hashes (DCSync) Hygiene Critical Assessments
Tier Zero users owned by non-Tier Zero accounts Hygiene Critical Assessments
Tier Zero computer is owned by a non-Tier Zero account Hygiene Critical Assessments
User accounts with non-default Primary Group IDs Hygiene Critical Assessments
Computer accounts with non-default Primary Group IDs Hygiene Critical Assessments
User accounts without readable Primary Group ID Hygiene Critical Assessments
Computer accounts without readable Primary Group ID Hygiene Critical Assessments
Managed and Group Managed Service accounts that have not cycled their password recently Hygiene Critical Assessments
Non-Tier Zero users with access to gMSA password Hygiene Critical Assessments
Non-Tier Zero accounts can access the gMSA root key Hygiene Critical Assessments
Non-Tier Zero accounts have access to write properties on certificate templates Hygiene Critical Assessments
Non-Tier Zero user accounts with write permissions over Resource-Based Constrained Delegation on the KRBTGT account Hygiene Critical Assessments
Active Directory Operator groups that are not protected by AdminSDHolder Hygiene Critical Assessments
Ordinary user accounts with hidden privileges (SDProp) Hygiene Critical Assessments
User accounts in protected groups that are not protected by AdminSDHolder (SDProp) Hygiene Critical Assessments
KRBTGT accounts with Resource-Based Constrained Delegation Hygiene Critical Assessments
Built-in Administrator account that has been used Hygiene Critical Assessments
Anonymous Logon and Everyone groups are members of the Pre-Windows 2000 Compatible Access group Hygiene Critical Assessments
Built-in Guest account is enabled Hygiene Critical Assessments
Schema Admins group contains members Hygiene Critical Assessments
Default Active Directory groups which should not be in use contain members Hygiene Critical Assessments
DnsAdmins group contains members Hygiene Critical Assessments
Non Tier-Zero accounts with Reanimate tombstones permission delegation Hygiene Critical Assessments
Non-Tier Zero accounts with Migrate SID history permission delegation Hygiene Critical Assessments
Non Tier-Zero accounts with Unexpire password permission delegation Hygiene Critical Assessments
Tier Zero Group Policy allows Recovery Mode to be not password-protected Hygiene Critical Assessments
Tier Zero groups with SID History populated Hygiene Critical Assessments
Tier Zero group policy object changes Detected TTP Critical On Demand Audit
Domain level group policy linked changes detected Detected TTP Critical On Demand Audit
Non-Tier Zero accounts can link GPOs to the domain Hygiene Critical Assessments
Non-Tier Zero accounts can link Group Policy Objects to Domain Controller OU Hygiene Critical Assessnebts
Non-Tier Zero accounts can link Group Policy Objects to an Active Directory site Hygiene Critical Assessments
Security changes to Tier Zero group policy objects Detected TTP Critical On Demand Audit
Tier Zero user accounts with Service Principal Names Hygiene Critical Assessments
User ServicePrincipalName attribute changed (vulnerable to Kerberoasting) Detected TTP Critical On Demand Aud
Non-Tier Zero user accounts with Service Principal Names Hygiene Critical Assessments
Tier Zero group changes Detected TTP Critical On Demand Audit
Unusual increase in failed AD changes Detected Anomaly Critical On Demand Audit
Unusual increase in permission changes to AD objects Detected Anomaly Critical On Demand Audit
Security changes to Tier Zero group objects Detected TTP Critical On Demand Audit
Security changes to Tier Zero user objects Detected TTP Critical On Demand Audit
Administrative privilege elevation detected (adminCount attribute) Detected TTP Critical On Demand Audit
Non-Tier Zero accounts are able to log onto Tier Zero computers Hygiene Critical Assessments
Tier Zero user logons to computers that are not Tier Zero Detected TTP Critical On Demand Audit
Domain Admins can log into computers with non-Tier Zero group policy Hygiene Critical Assessments
Unusual increase in failed AD Federation Services sign-ins Detected Anomaly Critical On Demand Audit
Unusual increase in failed on-premises sign-ins Detected Anomaly Critical On Demand Audit
Unusual increase in tenant sign-in failures Detected Anomaly Critical On Demand Audit
Unusual increase in AD account lockouts Detected Anomaly Critical On Demand Audit
Unusual increase in file renames Detected Anomaly Critical On Demand Audit
Unusual increase in share access permission changes Detected Anomaly Critical On Demand Audit
Unusual increase in file deletes Detected Anomaly Critical On Demand Audit
Unusual increase in successful AD Federation Services sign-in Detected Anomaly Critical On Demand Audit
Unusual increase in successful on-premises sign-ins Detected Anomaly Critical On Demand Audit
Unusual increase in successful tenant sign-ins Detected Anomaly Critical On Demand Audit
Unusual increase in successful tenant sign-ins Detected Anomaly Critical On Demand Audit
Tier Zero domain and forest configuration changes Detected TTP Critical On Demand Audit
Security changes to Tier Zero domain objects Detected TTP Critical On Demand Audit
AD schema configuration changes Detected TTP Critical On Demand Audit
Entra ID Conditional Access policy configured to disable Continuous Access Evaluation for users Hygiene Critical Assessments
Entra ID Privileged risk events Detected TTP High On Demand Audit
New Tier Zero Domain detected Tier Zero High Security Guardian
Non-Tier Zero account can use a misconfigured certificate template to impersonate any user Hygiene High Assessments
Non-Tier Zero account can request an overly permissive certificate with privileged EKU (ESC2) Hygiene High Assessments
Domain trust configured insecurely Hygiene High Assessments
Domain trust without Kerberos AES encryption enabled Hygiene High Assessments
Tier Zero computer accounts that have not cycled their password recently Hygiene High Assessments
Tier Zero computers that have not recently authenticated to the domain Hygiene High Assessments
Protected group credentials exposed on read-only domain controllers Hygiene High Assessments
Tier Zero account token can be stolen from a read-only domain controller Hygiene High Assessments
User accounts do not require a password Hygiene High Assessments
Group Policy allows reversible passwords Hygiene High Assessments
User accounts have a reversible password Hygiene High Assessments
Computer accounts with reversible password Hygiene High Assessments
Tier Zero account can be delegated Hygiene High Assessments
User accounts with Kerberos pre-authentication disabled Hygiene High Assessments
User accounts with unconstrained delegation Hygiene High Assessments
Computer accounts with unconstrained delegation Hygiene High Assessments
User accounts using DES encryption to log in Hygiene High Assessments
Entra ID privileged role members whose passwords have not changed recently Hygiene Medium Assessments
Tier Zero user accounts whose passwords have not changed recently Hygiene High Assessments
Tier Zero user accounts configured for Password Never Expires Hygiene High Assessments
Non-Tier Zero user accounts configured for Password Never Expires Hygiene High Assessments
Non-default configuration of the Microsoft Local Administrator Password Hygiene High Assessments
Non-Tier Zero accounts with Microsoft Local Administrator Password (LAPS) access Detected TTP High Assessments
Group Policy scheduled task section modified Detected TTP High On Demand Audit
Suspicious ESX Admins group detected in domain Hygiene High Assessments
Suspicious group ESX Admins created or member added Detected TTP High On Demand Audit
Tier Zero computer can be compromised through Resource-Based Constrained Delegation Hygiene High Assessments
Tier Zero computer that has write permissions on Resource-Based Constrained Delegation granted to a non-Tier Zero account Hygiene High Assessments
Non-Tier Zero computer can be compromised through Resource-Based Constrained Delegation Hygiene High Assessments
Accounts that allow Kerberos protocol transition delegation Hygiene High Assessments
DNS zone configuration allows anonymous record updates Hygiene High Assessments
Security changes to Tier Zero computer objects Detected TTP High On Demand Audit
Tier Zero user changes Detected TTP High On Demand Audit
Foreign Security Principals are members of a Tier Zero group Hygiene High Assessments
Guest accounts assigned to the Global Administrator role Hygiene High Assessments
Domain Controller is running SMBv1 protocol Hygiene High Assessments
All domain users can create computer accounts Hygiene High Assessments
Protected Users group is not being used Hygiene High Assessments
Abnormally large number of Tier Zero user accounts in the domain Hygiene High Assessments
Enabled Tier Zero user accounts that are inactive Hygiene High Assessments
Tier Zero groups that have computer accounts as members Hygiene High Assessments
Anonymous access to Active Directory is enabled Hygiene High Assessments
Entra ID Conditional Access policies do not protect all users from high user risk Hygiene High Assessments
Entra ID Conditional Access policies do not protect all users from risky sign-ins Hygiene High Assessments
Entra ID Privileged accounts that are not secured by multi-factor authentication (MFA) Hygiene High Assessments
Entra ID Conditional Access policies do not protect all privileged users with multi-factor authentication (MFA) Hygiene High Assessments
Entra ID Conditional Access policies do not protect all non-privileged users with multi-factor authentication (MFA) Hygiene High Assessments
Entra ID Conditional Access policies do not block legacy authentication for all users Hygiene High Assessments
Entra ID Privileged principal logons Detected TTP Medium On Demand Audit
Synchronized Active Directory user is assigned an Entra ID privileged role Hygiene Medium Assessments
Active Directory Tier Zero object synchronized to Entra ID Hygiene Medium Assessments
Attempt to access protected Active Directory database detected Detected TTP Medium On Demand Audit
Attempt to access protected Windows file or folder detected Detected TTP Medium On Demand Audit
Attempt to edit protected group policy object detected Detected TTP Medium On Demand Audit
Attempt to modify protected Active Directory object detected Detected TTP Medium On Demand Audit
Entra ID Privileged service principal changes Detected TTP Medium On Demand Audit
More than recommended number of Global Administrators in the organization Hygiene Medium Assessments
More than recommended number of privileged role assignments Hygiene Medium Assessments
Kerberos KRBTGT account password has not changed recently Hygiene Medium Assessments
Entra ID users are allowed to consent for all applications Hygiene Medium Assessments
Entra ID Privileged tenant level and directory activity Detected TTP Medium On Demand Audit
Password hash synchronization with on-premises Active Directory is not enabled Hygiene Medium Assessments
Administrators are not enabled for self service password recovery Hygiene Medium Assessments
Entra ID Privileged role changes Detected TTP Medium On Demand Audit
New Privileged Entra ID Role Detected Tier Zero Medium Security Guardian
Security defaults are enabled Hygiene Medium Assessments
Group Policy does not enforce built-in Administrator account lockout on all computers Hygiene Medium Assessments
New Tier Zero GPO detected Tier Zero Medium Security Guardian
Tier Zero Group Policy allows Authenticated Users to add computers to the domain Hygiene Medium Assessments
New Privileged Entra ID Service Principal Detected Tier Zero Medium Security Guardian
Entra ID Privileged group changes Detected TTP Medium On Demand Audit
New Tier Zero Group detected Tier Zero Medium Security Guardian
New Privileged Entra ID Group detected Tier Zero Medium Security Guardian
New Tier Zero Computer detected Tier Zero Medium Security Guardian
Entra ID Privileged user changes Detected TTP Medium On Demand Audit
New Tier Zero User detected Tier Zero Medium Security Guardian
New Privileged Entra ID User Detected Tier Zero Medium Security Guardian
Entra ID guest user accounts that are inactive Hygiene Medium Assessments
Entra ID Microsoft Authenticator policy does not require geographic location and application name contexts for all users Hygiene Medium Assessments
Password hash synchronization with on-premises Active Directory is delayed Hygiene Medium Assessments
Synchronization with on-premises Active Directory is delayed Hygiene Medium Assessments
Unprotected Tier Zero Domain Tier Zero Medium Protection
Entra ID cloud applications that are not included in a conditional access policy Hygiene Medium Assessments
Entra ID Conditional Access policies do not protect all users with strictly enforce location for Continuous Access Evaluation Hygiene Medium Assessments
Entra ID Conditional Access policies do not require token protection for sign-in sessions for users Hygiene Medium Assessments
Unprotected Tier Zero Group Policy Tier Zero Medium Protection
Unprotected Tier Zero Group Tier Zero Medium Protection
Unprotected Tier Zero Computer Tier Zero Medium Protection
Unprotected Tier Zero User Tier Zero Medium Protection
Printer Spooler service is enabled on a domain controller Hygiene Medium Assessments
Tier Zero user account is disabled Hygiene Medium Assessments
Domain with obsolete domain functional level Hygiene Medium Assessments
NTLM version 1 authentications Detected TTP Medium On Demand Audit
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级