Event Details

The Trail Flow in Tenable Identity Exposure provides detailed information on each event affecting your Active Directory (AD). The details of a specific event allow you to review technical information and take the remedial actions that the severity level of the Indicator of Exposure (IoE) requires.

IoE, Event, and Deviant Object

  • An Indicator of Exposure (IoE) describes a threat that affects the AD. Tenable Identity Exposure's IoEs assess security levels after receiving an event in real time. IoEs can include several technical vulnerabilities. IoEs provide information on detected vulnerabilities, associated deviant objects, and recommendations for remedial actions.

  • An event indicates a security-related change that can appear in an AD, such as a password change, a user creation, a new or modified GPO, or a new delegated right. An event can change the compliance status of an IoE from compliant to non-compliant.

  • A deviant object is a technical element — either on its own or associated with another deviant object — that allows the IoE's attack vector to work. For more information, see Indicators of Exposure.

Attributes Table

The Attributes table includes the following columns:

| Column | Description |
|---|---|
| Attributes | Indicates the attributes of the AD object associated with the event that you selected in the Trail Flow table. Attributes describe the object characteristics. Multiple attributes can describe a single AD object. |
| Value at event | Indicates the attribute value at the time that the event occurred. |
| Current value | Indicates the value of the attribute in the AD at the moment when you are viewing it. |
Tip: To display the value of the attribute before the event occurred, hover over the blue dot on the left (if any).

Deviances

If an event in the Trail Flow contains deviances, the Event Details pane also displays them to allow you to drill down to the source of the problem.

Tenable Identity Exposure ties a deviance to a root object and can link it to multiple incriminating attributes. When you resolve one of these attributes, Tenable Identity Exposure resolves the deviance on the root object. It then creates a new deviance for the root object, keeping the same reason but including only the unresolved attributes.

For example, Tenable Identity Exposure ties a deviance to object A for a single reason that connects to multiple related objects (B, C, and D). When you resolve the incriminating attribute on object C, Tenable Identity Exposure resolves the deviance on object A. Then, it creates a new deviance for object A, linking it to the same reason but including only objects B and D.

During this process, Tenable Identity Exposure can generate a Trail Flow event that shows multiple deviances as resolved and reopened at the same timestamp.
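
The resolve-and-reopen behavior described above can inflate counts of "new" deviances in downstream reporting. The following is an added example, not Tenable's code: it collapses same-timestamp resolve/reopen pairs and reports which incriminating attribute was actually fixed. The record layout and field names (`ts`, `root`, `reason`, `state`, `attrs`) are assumptions made for this example and are not Tenable Identity Exposure's export schema.

```python
from collections import defaultdict

# Constructed sample records mirroring the A / B, C, D example above.
# Field names are assumptions, not a Tenable Identity Exposure schema.
SAMPLE = [
    {"ts": "2024-05-01T10:00:00Z", "root": "A", "reason": "R1",
     "state": "opened", "attrs": ["B", "C", "D"]},
    {"ts": "2024-05-02T09:30:00Z", "root": "A", "reason": "R1",
     "state": "resolved", "attrs": ["B", "C", "D"]},
    {"ts": "2024-05-02T09:30:00Z", "root": "A", "reason": "R1",
     "state": "opened", "attrs": ["B", "D"]},
    {"ts": "2024-05-03T08:00:00Z", "root": "E", "reason": "R2",
     "state": "opened", "attrs": ["F"]},
]


def collapse(records):
    """Merge resolve/reopen pairs sharing timestamp, root object and reason."""
    groups = defaultdict(lambda: {"resolved": set(), "opened": set()})
    for r in records:
        groups[(r["ts"], r["root"], r["reason"])][r["state"]].update(r["attrs"])

    out = []
    for (ts, root, reason), g in sorted(groups.items()):
        closed, opened = g["resolved"], g["opened"]
        if closed and opened:
            # Resolved and reopened at the same timestamp: the deviance was
            # re-issued. It is a real change only if attributes were added.
            kind = "changed" if opened - closed else "partial_remediation"
        elif opened:
            kind = "new"
        else:
            kind = "fully_resolved"
        out.append({
            "ts": ts, "root": root, "reason": reason, "kind": kind,
            "fixed": sorted(closed - opened),   # attributes no longer incriminating
            "remaining": sorted(opened),        # attributes still to remediate
        })
    return out


if __name__ == "__main__":
    for row in collapse(SAMPLE):
        print(row)
```
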