Attribute Changes

When the value of an attribute changes, the Trail Flow shows a blue dot before the Attribute column.

To display the attribute change:

1. In Tenable Identity Exposure, click Trail Flow in the navigation bar on the left.

   The Trail Flow page opens with a list of events

2. Hover the blue dot in front of the event line to display the changes.

   The color of the Value at event label depends on the changes applied to the attribute:

   • Green — Addition

   • Red — Deletion

   • Gray — Unchanged

     

Attribute "ntsecuritydescriptor"

A security descriptor is a data structure that contains security information about an AD object such as its ownership and permissions. For more details, see Microsoft's online documentation.

To display details of an object security descriptor:

1. In Tenable Identity Exposure, click Trail Flow to open the Trail Flow page.

2. Click to select an entry in the Trail Flow table.

   The Event details pane opens.

3. Hover over the ntsecuritydescriptor attribute entry (Value at event or Current value column) **.

   

4. Click on See SDDL Description.

   The nSDDL Description pane opens.

5. Click on the arrows on the left of the SDDL (1), DACL (2), and Descriptor (3) to expand the description:

   

6. Browse to an Access Control Entry (ACE) (4) highlighted in color to display the object's access rights. The color codes indicate:

   • Red — Users have dangerous rights assigned to them and they must not have access rights to the object.

   • Orange — Privileged users have dangerous rights assigned to them but they generally have this type of right (for example: Domain Admins).

   • Green — There are no dangerous rights.

     

7. To copy the SDDL description, click Copy to clipboard.