Technical Changes and Potential Impact

The installation script for the Indicators of Attack (IoA) module creates a GPO that applies the following changes transparently on the monitored DCs:

  • A new GPO, named “Tenable.ad” by default, linked by default to the domain controllers' organizational unit (OU).

  • Modification of a registry key to activate the Microsoft Advanced logging policy.

  • Activation of a new Event Log policy to force Domain Controllers to generate the ETW information that IoAs require.

    Note: The Event Log policy is mandatory so that the ETW engine can generate the insertion strings that Tenable Identity Exposure requires. This policy does not disable any existing logging policy but adds to them. If there is a conflict, the deployment script stops with an error message.

  • Addition of a write permission for the Tenable Identity Exposure service account that allows "Automatic updates" of the IoA configuration stored in the GPO folder.

Limitations and Potential Impacts

The Indicator of Attack (IoA) module has the following limitations:

  • The IoA module relies on the ETW data and operates within the limitations that Microsoft defines.

  • The installed GPO must replicate over the entire domain, and the GPO refresh interval must elapse for the installation process to complete. During this replication period, false positives and false negatives can happen, even though Tenable Identity Exposure minimizes this effect by not starting the checks in the Indicator of Attack engine immediately.

  • Tenable uses the SYSVOL file share to retrieve ETW information from domain controllers. Because SYSVOL replicates to every domain controller in the domain, replication activity increases significantly during peaks of Active Directory activity.

  • Replicating files between domain controllers and Tenable Identity Exposure also consumes some network bandwidth. Tenable Identity Exposure controls these impacts by automatically removing the files it collects and by limiting the size of these files (500 MB maximum by default).

  • Slow or broken Distributed File System (DFS) replication can cause issues. For more information, see DFS Replication Issues Mitigation.
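
A read-only check of the replication condition described above, added here as an example and not part of Tenable's own tooling. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that the GPO kept its default name, “Tenable.ad”.

```powershell
# Added example: confirms the IoA GPO is linked to the DC OU and that every
# domain controller reports the same copy of it (AD object and SYSVOL files).
Import-Module ActiveDirectory, GroupPolicy

$GpoName = 'Tenable.ad'   # default name from the page; change if renamed at install
$domain  = Get-ADDomain

# 1. Is the GPO linked, with the link enabled, on the Domain Controllers OU?
$link = (Get-GPInheritance -Target $domain.DomainControllersContainer).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $link) {
    Write-Warning "$GpoName is not linked to $($domain.DomainControllersContainer)"
} elseif (-not $link.Enabled) {
    Write-Warning "$GpoName is linked but the link is disabled"
}

# 2. Ask each DC for the GPO and record the version counters it reports.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $gpo = Get-GPO -Name $GpoName -Server $dc.HostName -ErrorAction Stop
        [pscustomobject]@{
            DC            = $dc.HostName
            Present       = $true
            DSVersion     = $gpo.Computer.DSVersion      # version of the AD object
            SysvolVersion = $gpo.Computer.SysvolVersion  # version of the SYSVOL files
        }
    } catch {
        # GPO not found on this DC, or the DC could not be reached
        [pscustomobject]@{ DC = $dc.HostName; Present = $false
                           DSVersion = $null; SysvolVersion = $null }
    }
}
$report | Format-Table -AutoSize

# 3. Replication is complete only when every DC has the GPO, each DC's SYSVOL
#    version matches its AD version, and all DCs agree on one version.
$missing  = @($report | Where-Object { -not $_.Present })
$mismatch = @($report | Where-Object { $_.Present -and $_.DSVersion -ne $_.SysvolVersion })
$versions = @($report | Where-Object { $_.Present } |
    Select-Object -ExpandProperty DSVersion -Unique)

if ($missing.Count -or $mismatch.Count -or $versions.Count -gt 1) {
    Write-Warning 'GPO is not yet consistent on all DCs; IoA results may be unreliable.'
} else {
    Write-Output 'GPO is present and consistent on every DC.'
}
```

Even after this check passes, each domain controller still has to apply the GPO at its next Group Policy refresh before the installation is complete.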
