Trail Flow Table

Tenable Identity Exposure lists the events in your Active Directory in the Trail Flow table continuously as they occur. It includes the following information:

Information Description

Indicates the origin of any security-related change in your AD infrastructures.

There are two possible sources:

  • Lightweight Directory Access Protocol (LDAP) used to communicate with your AD infrastructure.

  • Server Message Block (SMB) protocol used to share files, printers, etc.

Tenable Identity Exposure thoroughly analyzes LDAP and SMB traffic over your network to detect anomalies and potential threats.

Note: Active Directory (AD) allows administrators to create group policies that control settings deployed on user and machine accounts. The Group Policy Object (GPO) stores these control settings. The Sysvol folder stores GPO files on the domain controller. It is important to monitor the contents of GPOs for the security of your AD because each domain member can apply or execute them with a high level of privileges.

Shows the characteristic elements of an event such as:

  • ACL changed

  • SPN changed

  • Member removed

  • New member

  • New trust

  • Unknown file type added

  • New object

  • Object removed

  • Password changed

  • UAC changed

  • New GPO linked

  • GPO link removed

  • Owner change

  • File renamed

  • SPN created

  • Failed authentication reset

  • Failed authentication

Object: Indicates the class or file extension associated with an AD object. You can search for a directory object (user, computer, etc.) or a file with a specific file name extension (ini, XML, csv).

Indicates the full path to an AD object to identify the unique location of this object in the AD.


Indicates the directory from which the change in your AD infrastructure came.


Indicates the time of the event.