Deviant Objects

Tenable Identity Exposure's Indicators of Exposure (IoE) can flag deviant objects that reveal weaknesses or potentially dangerous behaviors in an Active Directory (AD). Focusing on these deviant objects can help you pinpoint critical issues and remediate them. You can do any of the following:

  • Search for a deviant object.

  • Ignore a deviant object for a period of time.

  • Select the forests and domains to search for deviant objects.

  • Get explanations on the incriminating attributes affecting the IoE.

  • Download a report showing all deviant objects.

To display deviant objects:

  1. In Tenable Identity Exposure, click Indicators of Exposure in the navigation pane.

    The page for Indicators of Exposure opens. By default, Tenable Identity Exposure shows only the IoEs that contain deviances.

  2. Click on any Indicators of Exposure tile on the page.

    The Indicator details pane opens.

  3. Click on the Deviant objects tab.

    The list of deviant objects associated with the IoE appears.

    The deviant objects table includes the following information:

  • Type — Indicates the origin of any security-related change in the AD (LDAP or SMB protocols).

  • Object — Indicates the class or file extension associated with an AD object.

  • Path — Indicates the full path to an AD object to allow you to identify its unique location in the AD.

  • Domain — Indicates the domain where the change in your AD comes from.

  • Reasons — Lists the incriminating attributes affecting deviant objects.

To export the deviant objects report:

  1. At the bottom of the Deviant objects page, click Export all.

    The Export deviant objects pane appears.

  2. In the Export format box, click the drop-down arrow to select your format.

  3. Click Export all.

    Tenable Identity Exposure downloads the deviant objects report to your machine.

See also