Indicators of Exposure

Tenable Identity Exposure measures the security maturity of your AD infrastructures through Indicators of Exposure (IoEs) and assigns severity levels to the flow of events that it monitors and analyzes. Tenable Identity Exposure triggers alerts when it detects security regressions.

To display IoEs:

  1. In Tenable Identity Exposure, click Indicators of Exposure in the navigation pane.

    The Indicators of Exposure pane opens. By default, Tenable Identity Exposure shows only the IoEs that contain deviances.

  2. (Optional) To show all IoEs, click the Show all indicators toggle to Yes.

Tenable Identity Exposure IoEs come with a range of features designed to boost your investigative capabilities:

  • Searchable and filterable: Effortlessly explore IoEs by applying filters based on forest and domain.

  • Export capability: From the deviant objects, you can export IoEs in CSV format.

  • Action on IoE incidents: Remove an exposure from the whitelist or re-enable it.

The data from the IoE include:

  • Information section: This section provides executive summary about each Indicator of Exposure (IoE), including known attack tools, affected domains, and relevant documentation.

  • Vulnerability details: This section provides more in-depth information about the misconfiguration in Active Directory.

  • Deviant Objects: This section highlights misconfigurations in Active Directory that may contribute to broader attack surfaces.

  • Recommendation: This section guides you through effective configuration strategies to minimize your attack surface.

To search for an IoE:

  1. At the top of the Indicators of Exposure page, type a string in the Search box. This can be any term related to an IoE, such as password, user, logon, etc.

  2. Press Enter.

    The IoE page updates with the indicators associated with your search term.

To filter IoEs for a specific forest or domain:

  1. Click n/n domain.

    A Forest and domains pane opens.

  2. Select the forest or domain.

  3. Click Filter on selection.

Level of Severity

Severity levels allow you to assess the severity of the detected vulnerabilities and to prioritize remediation actions.

The Indicators of Exposure pane shows IoEs as follows:

  • By severity level using color codes.

  • Vertically — from most severe to least severe (red for top priority and blue for least priority).

  • Horizontally — from most complex to least complex. Tenable Identity Exposure computes the complexity indicator dynamically to indicate the level of difficulty to remediate the deviant IoE.

Severity and description:

  • Critical — Red: Shows how to prevent attacks and compromise of the Active Directory by certain unprivileged users.

  • High — Orange: Deals with either post-exploitation techniques leading to credential theft or security bypass, or with exploitation techniques that require chaining to be dangerous.

  • Medium — Yellow: Indicates a limited risk for the Active Directory infrastructure.

  • Low — Blue: Shows good security practices. Certain business contexts may allow low-impact deviances that do not necessarily affect AD security. These deviances have an impact on the AD only if an administrator makes an error, such as by activating an inactive account.

Deviance Resolution and Detection Date

Tenable Identity Exposure shows the Latest detection as the most recent update recorded for the deviant object, not the moment the deviance was triggered.

Because AD objects can influence each other, a change on one object may create or resolve a deviance on another. In such cases, Tenable Identity Exposure uses the affected object’s last recorded event date, even if the triggering change occurred on a different object.

Example

If object A changes and this results in a deviance on object B, Tenable Identity Exposure displays B’s last update time as the detection date.

This follows the standard caching logic of Tenable Identity Exposure: each AD object stores its own latest event date, and Tenable Identity Exposure uses this timestamp whenever it detects or resolves a deviance for that object.
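The following is an added illustration of the caching rule described above; it is not Tenable's code and makes no claim about the product's internals. It assumes only what the text states: each AD object caches its own latest event date, and a deviance detected or resolved on that object is stamped with that cached date even when the triggering change happened on another object. The IoE identifier and the cross-object check (a privileged group member whose password never expires) are constructed for the example.

```python
"""Model of detection/resolution date attribution for cross-object deviances.

Added example, not Tenable Identity Exposure code. Assumption taken from the
documentation: every AD object caches its own latest event date, and a
deviance detected or resolved on that object uses that cached date, even if
the change that triggered it occurred on a different object.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

UTC = timezone.utc
IOE_ID = "EXAMPLE-PRIV-PWD-NEVER-EXPIRES"  # hypothetical IoE identifier


@dataclass
class ADObject:
    dn: str
    attrs: dict = field(default_factory=dict)
    # Cached "latest event date" for this object only.
    last_event: datetime = datetime(1970, 1, 1, tzinfo=UTC)


def privileged_pwd_never_expires(obj, directory):
    """Constructed cross-object check: a user whose password never expires
    is deviant only while some group flagged as privileged lists it as a
    member. The deviance belongs to the user (object B), but it is created
    or resolved by editing the group (object A)."""
    if obj.attrs.get("objectClass") != "user" or not obj.attrs.get("pwdNeverExpires"):
        return False
    return any(
        g.attrs.get("objectClass") == "group"
        and g.attrs.get("privileged")
        and obj.dn in g.attrs.get("member", ())
        for g in directory.values()
    )


CHECKS = {IOE_ID: privileged_pwd_never_expires}


class DevianceTracker:
    def __init__(self, objects):
        self.directory = {o.dn: o for o in objects}
        self.active = {}    # (ioe, dn) -> detection date
        self.resolved = {}  # (ioe, dn) -> resolution date
        self._evaluate()

    def apply_change(self, dn, when, **attrs):
        """Record an event on one object: only that object's cache is refreshed."""
        obj = self.directory[dn]
        obj.attrs.update(attrs)
        obj.last_event = when
        self._evaluate()

    def _evaluate(self):
        # Re-run every check on every object; stamp any transition with the
        # affected object's own cached last_event, never the trigger's time.
        for dn, obj in self.directory.items():
            for ioe, check in CHECKS.items():
                key = (ioe, dn)
                deviant = check(obj, self.directory)
                if deviant and key not in self.active:
                    self.active[key] = obj.last_event
                    self.resolved.pop(key, None)
                elif not deviant and key in self.active:
                    del self.active[key]
                    self.resolved[key] = obj.last_event


def demo():
    """Object A (a privileged group) changes; the deviance lands on object B."""
    t_user_b = datetime(2024, 1, 10, 9, 0, tzinfo=UTC)     # B's last own change
    t_add = datetime(2024, 3, 5, 14, 30, tzinfo=UTC)       # A adds B as member
    t_remove = datetime(2024, 3, 6, 8, 0, tzinfo=UTC)      # A removes B again

    user_b = ADObject("CN=bob,OU=Users,DC=example,DC=com",
                      {"objectClass": "user", "pwdNeverExpires": True}, t_user_b)
    group_a = ADObject("CN=Domain Admins,CN=Users,DC=example,DC=com",
                       {"objectClass": "group", "privileged": True, "member": []},
                       datetime(2024, 1, 1, tzinfo=UTC))
    tracker = DevianceTracker([user_b, group_a])

    tracker.apply_change(group_a.dn, t_add, member=[user_b.dn])
    detected = tracker.active[(IOE_ID, user_b.dn)]

    tracker.apply_change(group_a.dn, t_remove, member=[])
    resolved = tracker.resolved[(IOE_ID, user_b.dn)]

    return {
        "detected": detected.isoformat(),   # B's cached date, not t_add
        "resolved": resolved.isoformat(),   # still B's cached date, not t_remove
        "trigger_add": t_add.isoformat(),
        "trigger_remove": t_remove.isoformat(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both the detection and the resolution carry B's cached timestamp (2024-01-10), which predates the group edits that actually caused them. When reconciling a Latest detection value against change logs, look up the event history of the deviant object itself and of the objects that can influence it, rather than expecting the timestamp to match the triggering change.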

Trailflow Indicator

Tenable Identity Exposure attaches the Trailflow “diamond” indicator to the deviant object. If that object has not been updated recently, Tenable Identity Exposure may not display it in the current Trailflow view.

See also