Start Using Tenable Identity Exposure

After you deploy Tenable Identity Exposure, this section walks you through the key steps to begin using Tenable Identity Exposure effectively.

Each section contains links to more detailed descriptions and instructions for the related task.

  2. A Secure Relay securely transfers Active Directory data from your network to the Tenable Identity Exposure SaaS platform using TLS encryption instead of a VPN connection. Multiple Secure Relays are possible based on your requirements.

    Prerequisites:

    • Administrative access to a Windows server for the Secure Relay virtual machine (VM)

    • Latest Secure Relay installer downloaded from the Tenable Identity Exposure downloads portal

    • A single-use linking key from the Tenable Identity Exposure portal containing network address and authentication token

    For detailed prerequisites, see Secure Relay.

    1. Connect to theTenable Identity Exposure web portal with an administrator account.

    2. Click System > Configuration > Relay tab.

    3. Click the "Copy to clipboard" icon next to the linking key.

    1. On your Windows server VM, right-click the installer file and select "Run as administrator".

    2. In the installation wizard, click "Next" on the welcome screen.

    3. On the "Custom Setup" window, click "Browse" to change the disk partition if needed, then "Next".

    4. On the "Linking Key" window:

      • Paste the linking key copied from the portal.

      • Enter a name for your Secure Relay.

      • Click "Test Connectivity".

    1. If the test is successful (green icon), click "Next". If not, click "Back" to correct errors.

    2. On the "Ready to Install" window, click "Install".

    3. Once installed, click "Finish".

      For the detailed procedure, see Secure Relay for Tenable Identity Exposure .

    1. Return to the Tenable Identity Exposure portal.

    2. Click System > Relay Management tab.

      The newly installed Relay appears in the list of Relays.

    When you add domains to monitor, a new option appears to let you select the Secure Relay in charge of that domain. See Configure the Relay for the complete procedure.

    Automated updates:

    Tenable Identity Exposure automatically checks for and installs Secure Relay updates regularly (requires HTTPS access). A network tray icon indicates when updates occur. After updating, Tenable Identity Exposure services restart and data collection resumes.

  3. Before you configure Indicators of Exposure, you must have or create an Active Directory service account with the appropriate permissions. While Tenable Identity Exposure does not require administrative privileges for security monitoring, some containers require manual configuration to allow read access for the service account user.

    For complete information, see Access to AD Objects or Containers

    1. Log in to the Tenable Identity Exposure web portal with administrative credentials such as the default "[email protected]" account.

    2. Click the menu icon on the top left to expand the navigation panel, then click "System" in the left panel.

    1. In the Forest Management tab, click "Add a Forest".

    2. Provide a display name for the forest (e.g. Tenable).

    3. Enter the login and password for the service account to connect to all domains in this forest.

    4. Click "Add".

      For complete details, see Forests.

    1. Click "Add a Domain".

    2. Provide a display name for the domain to monitor (e.g. HQ).

    3. Enter the fully qualified domain name (e.g. sky.net).

    4. Select the corresponding forest from the drop-down list.

    5. If using SaaS with Secure Relay, select the relay to handle this domain.

    6. Enable "Privileged Analysis" toggle if the account has required privileges.

    7. If you enable "Privileged Analysis", optionally enable "Privileged Analysis Transfer" for Tenable Cloud.

    8. Provide details for the Domain Controller with Primary Domain Controller Emulator FSMO role:

      • IP address or hostname

      • Leave LDAP, Global Catalog, and SMB ports with pre-filled default values

    1. Click "Test Connectivity" at the bottom.

    2. If successful, click "Add".

      In the Domain Management view, you'll see columns for LDAP Initialization, SISFul Initialization, and Honey Account Configuration statuses showing a circular loading icon until initial crawling completes.

      For complete details, see Domains.

    1. Switch to the Trail Flow view. After a few minutes, data begins to flow in once analysis starts.

    2. Return to System > Domain Management.

    3. Wait for green icons indicating LDAP and SYSVOL initialization completed.

      You have now enabled Indicators of Exposure monitoring for this domain. Notifications on the web portal appear within minutes/hours depending on environment size.

    1. Click "Indicators of Exposure" in the left menu to see all indicators triggered for the added domain.

    2. Click on an indicator to view deviant object details causing non-compliance.

    3. Close the details and go to "Dashboards" to see the environment metrics.

  4. To deploy IoAs, you must first perform three configurations as described below:

    1. The IoA script is mandatory for all attack scenarios.

    2. The Honey Account configured to detect specific attacks such as Kerberoasting.

    3. Sysmon installation on all Domain Controllers of the monitored domain to detect attacks like OS Credential Dumping.

    Tenable Identity Exposure provides the IoA script, its command line, and the Honey Account configuration command line. However, you must perform these prerequisites directly on the Domain Controllers or an administrative machine with appropriate rights.

    For complete information, see Indicators of Attack Deployment.

    1. Log in to the Tenable Identity Exposure web portal using administrative credentials (e.g., [email protected]).

    2. Navigate to System > Configuration > Indicators of Attack.

    3. Select the attack scenarios you want to enable for your environment.

    4. Select the checkbox below the domain name to enable all available attack scenarios.

    5. Click "Save" at the bottom right.

    6. Click "See Procedure" at the top.

      A window appears, showing the procedure to deploy the IoA engine.

    1. Use the toggle to enable or disable the automatic updates feature.

    2. Click the first "Download" button to download the PS1 file.

    3. Click the second "Download" button to download the JSON file.

    4. Note where the location where you downloaded the installation files.

    5. Locate the field labeled "Run the following PowerShell commands."

    6. Copy the contents of the text field and paste them into a Notepad file.

    7. Copy the PS1 and JSON files to a Domain Controller or an administrative server with appropriate rights.

    8. Start the Active Directory module for Windows PowerShell as an administrator and navigate to the folder hosting the files.

    9. Paste the command copied from the Tenable Identity Exposure web portal and press Enter.

    10. Open the Group Policy Management console and find the GPO named "Tenable.ad" linked to the Domain Controller's OU.

    For the detailed procedure, see Install Indicators of Attack.

    1. Return to the Tenable Identity Exposure web portal.

    2. Navigate to System > Domain Management tab.

    3. Click the "+" icon under "Honey Account Configuration Status" to the right of your domain (available once the other two statuses are green).

    4. In the "Name Search" box, type the name of the account to use as a honey pot.

    5. Select the distinguished name of the object from the drop-down list.

    6. Copy the contents of the command line text field and paste them into a Notepad file.

    7. Go back to the server where you ran the IoA script.

    8. Open or start a PowerShell command line as an administrator.

    9. Paste the command copied from the Tenable Identity Exposure web portal and press Enter.

    10. Confirm that the command line ran properly.

    11. Return to the Tenable Identity Exposure web portal and click the "Add" button at the bottom.

      After a few seconds, the Honey Account Configuration status should show a green dot.

    For the detailed procedure, see Honey Accounts.

    The Tenable Identity Exposure web portal does not provide automatic deployment for Sysmon. See Install Microsoft Sysmon for the required Sysmon configuration file. You can install Sysmon manually as shown in the documentation or by GPO.

    For the detailed procedure, see Install Microsoft Sysmon.

  5. Tenable Identity Exposure also supports Microsoft Entra ID alongside Active Directory with specific IoEs for Entra ID identities.

    For complete information, see Microsoft Entra ID Support.

    1. Log in to the Azure Admin Portal at portal.azure.com with appropriate credentials.

    2. Click on the "Azure Active Directory" tile, then "App Registrations" from the left menu.

    3. Click "New Registration" and provide an application name (e.g., "Identity Exposure App").

    4. Click "Register" at the bottom.

    5. On the app's Overview page, note down the "Application (client) ID" and "Directory (tenant) ID".

    6. Click "Certificates & secrets" in the left menu.

    7. Click "New client secret", provide a description, and set expiration per policy.

    8. Click "Add", then save the displayed secret value securely.

    9. Click "API permissions" and "Add a permission".

    10. Select "Microsoft Graph", then "Application Permissions".

    11. Add the following permissions: Audit Log.Read.All, Directory.Read.All, IdentityProvider.Read.All, Policy.Read.All, lReports.Read.All, RoleManagement.Read.All, UserAuthenticationMethod.Read.All.

    12. Click "Add permissions" and "Grant admin consent".

    1. Connect to the Tenable Vulnerability Management web portal with the proper account.

    2. Click menu > Settings > Credentials.

    3. Click "Create Credential" and select the "Microsoft Azure" type.

    4. Provide a name, description, paste in the Tenant ID, Application ID, and Client Secret.

    5. Click "Create".

    6. Click menu > Settings > My Account > API Keys.

    7. Click "Generate", review the warning, and click "Continue".

    8. Copy the Access Key and Secret Key values.

    1. Connect with a Global Administrator account.

    2. Click menu > System > Configuration > Tenable Cloud.

    3. Toggle "Activate Microsoft Entra ID Support" to enable it.

    4. Enter the Access Key and Secret Key generated earlier.

    5. Click the checkmark to submit the API keys successfully.

    6. Click the Tenant Management tab and "Add a Tenant".

    7. Provide a name for the Azure AD tenant.

    8. Select the Azure credential created earlier.

    9. Click "Add".

    1. Tenable Identity Exposure scans the tenant. To see the next scan time, hover over "Scan Status".

    2. When the first scan ends, a green icon appears in the "Scan Status" column.

    3. Click "Indicators of Exposure" in the left menu.

    4. Use tabs to filter between AD and Azure AD indicators.

    5. Toggle "Show All Indicators" to see all available indicators.

    6. Three tabs provide Indicator details, Tenant Findings, and Recommendations.

    7. Review potential exposure risks and remediation guidance.

  6. Tenable Identity Exposure uses Indicators of Exposure to measure the security maturity of your Active Directory and assign severity levels to the flow of events that it monitors and analyzes.

    For complete information about IoEs, see Indicators of Exposure.

    Access IoEs:

    1. Sign in to Tenable Identity Exposure.

    2. Click the icon on the top left to expand the panel.

    3. Click "Indicators of Exposure" on the left side to see the IoEs.

      The default view shows configuration items in your environment that are potentially vulnerable, rated by severity: Critical, High, Medium, and Low.

    • Click the toggle to the right of "Show All Indicators".

      • You can see all the IoEs available in your Tenable Identity Exposure instance. Any item that shows no domain is an item where you do not have that exposure.

      • To the right of "Show All Indicators", you can see "Domain". If you have multiple domains in your environment, click on it and select the domains to view.

    • Click "Search an Indicator" and type a keyword, such as "password".

      All IoEs related to passwords appear.

    • To see additional information about an indicator, click on it.

      • The detailed view starts with an executive summary of the particular exposure.

      • It then lists documents related to it and known attacker tools that can expose this particular item.

    • To the right, you see "Impacted Domains".

      • Click the "Vulnerability Details" tab to read additional information about the checks done for this IoE.

      • Click the "Deviant Objects" tab to see the list of objects and reasons that triggered the exposure.

      • If you expand an object in the list, you can see more details about what caused the deviance.

    1. To create a query, click "Type an Expression" and enter a Boolean query for an item. You can also click the filter icon to the left to build a query.

    2. Set the start and end dates, choose domains, and search for ignored items by clicking the "Ignore" toggle.

      For complete procedures, see Search Deviant Objects.

    • You can hide objects in the list by ignoring them.

      • Select one or more objects, then click "Select an Action" at the bottom of the page.

      • Select "Ignore Selected Objects" and click "OK".

      • Choose the date until which you want to ignore the selected objects.

      • You can stop ignoring objects the same way, using the "Stop Ignoring Selected Objects" option.

    • To export the list of all deviant objects for this indicator as a CSV file, click the "Export All" button.

      For complete procedures, see Deviant Objects.

  7. The Trail Flow displays the real-time monitoring and analysis of events affecting your ad infrastructures. It allows you to identify critical vulnerabilities and their recommended courses of remediation.

    For complete information, see Trail Flow and Trail Flow Use Cases.

    Access the Trail Flow:

    1. Sign into Tenable Identity Exposure.

    2. Click the icon on the top left to expand the navigation bar.

    3. Click "Trail Flow".

    The Trail Flow page opens with a list of events, including the source type, object path, domain, and date.

    1. Click the date box in the upper right to indicate the dates that you are searching for.

    2. Click "Domain" to change which Active Directory servers or forests.

    3. Click the pause button in the upper right corner to pause or restart Trail Flow capture.

    There are two ways of creating queries for your search: manually or by using the wizard.

    • To filter events manually, type an expression in the search box to refine results using the Boolean operators.

      For complete information, see Search the Trail Flow Manually.

    Once you've identified an important event:

    1. Click on the event. This will bring up the attributes of the change on that object.

    2. Hover over the blue dot icon on the left to compare the values before and at the event.

    3. Hover over items to see additional information.

    4. Click "See Whole Value" and click the button to copy that information to the clipboard.

    One of the challenges of Active Directory server cybersecurity is the large number of configuration changes that do not impact cyber exposure. To identify configuration changes:

    1. Click the magic wand icon.

    2. Enable "Deviant Only".

    3. Click "Validate".

    Notice that the events have a red diamond symbol next to them. Click on an event to see information regarding the configuration change. An additional tab is available labeled "Deviances". Click on it to see the specific cyber exposure items that were created or resolved.

  8. Access IoAs:

    1. Sign into Tenable Identity Exposure.

    2. Click the icon at the top left to expand the navigation bar.

    3. Click "Indicators of Attack".

    By default, you see the timeline of attack detection for today. To change the filter:

    • Click "Day", "Month", or "Year".

    • To change the time frame, click the calendar icon and select the appropriate time frame.

    You can filter the view on specific domains or IoAs using the selector on the right side of the portal.

    1. Click "Domains" to view the choices and make selections.

    2. Click the X to close.

    3. Click "Indicators" to view the choices and make selections.

    4. Click the X to close.

    As an example, let's focus on what happened in 2022:

    1. Click the "Year" button and select "2022".

    2. Click the red and yellow bar in the timeline.

    3. You can now see a new view with the top three critical and top three medium attacks detected that month.

    4. Close the view by clicking outside the black box.

    Below the timeline, you see a card for the monitored domain on which the attack was detected.

    • Click the "Sort By" drop-down (currently set to "Domain").

    • You can sort the card by domain, indicator criticality, or forest.

    • To search for a specific domain or attack, use the search box.

    • By default, you only see a card for the domain under attack. Toggle the view to see each domain by switching "Show Only Domains Under Attack" from "Yes" to "No".

    A card contains two types of information: a chart and the top three attacks.

    1. To change the chart type, click the pencil icon at the top right of the card.

    2. Select either "Attack Distribution" or "Number of Events".

    3. Click "Save".

    To see more details about the attack that was detected:

    • Click the card to see incidents related to the domain.

    • To filter, use the search box, select a start or end date, specific indicators, or toggle the "No/Yes" box to show or hide closed incidents.

    • To close incidents, select an alert, click the "Select an Action" menu at the bottom, select "Close Selected Incidents", and click "OK".

    • To reopen an incident, select an alert, click the "Select an Action" menu, select "Reopen Selected Incidents", and click "OK".

    • Click on an attack to open the detail view. In the description panel, there is the incident description of the attack, MITRE ATT&CK framework information, and additional resources with links to external websites.

    • Click the Yara detection rules panel to see an example of a rule that can perform malware research in detection tools.

    • Export the list of incidents by clicking "Export All". CSV is the only format available.

    The Bell icon on the top right shows a notification when Tenable Identity Exposure detects an attack. These attacks appear in the attack alerts tab.

  9. The Tenable Identity Exposure alerting system helps you identify security regressions or attacks on your monitored Active Directory. It pushes analytics data about vulnerabilities and attacks in real-time through email or Syslog notifications.

    For complete procedures, see Alerts.

    1. Connect to Tenable Identity Exposure.

    2. Click "System" and then "Configuration".

    3. Configure the SMTP server from this menu.

    1. Under "Alerting Engine", click "Email".

    2. Click the "Add an Email Alert" button.

    3. In the "Email Address" box, type the recipient's email address.

    4. In the "Description" box, type a description for the address.

    5. From the "Trigger the Alert" drop-down list, select "On Changes", "On Each Deviance", or "On Each Attack".

    6. From the "Profiles" drop-down, select the profiles to use for this email alert.

    7. Check the "Send Alerts When Deviances" box to send email notifications when a system reboot triggers alerts.

    8. From the "Severity Threshold" drop-down, select the threshold at which Tenable Identity Exposure will send alerts.

    9. Select the indicators for which to send alerts.

    10. Select domains for alerts:

      1. Click "Domains" to select the domains for which Tenable Identity Exposure sends out alerts.

      2. Select the forest or domain and click the "Filter on Selection" button.

    11. Click the "Test the Configuration" button.

      A message confirms that Tenable Identity Exposure sent an email alert to the server.

    1. Click the "Add" button.

      A message confirms that Tenable Identity Exposure created the email alert.

    1. Click on "Syslog" and then click the "Add Syslog Alert" button.

    2. In the "Collector IP Address or Hostname" box, type the server IP or hostname of the server receiving the notifications.

    3. In the "Port" box, type the port number for the collector.

    4. From the "Protocol" drop-down, select either UDP or TCP.

    5. If you choose TCP, select the "TLS" option checkbox to enable TLS security protocol.

    6. In the "Description" box, type a brief description for the collector.

    7. Choose one of the three options for triggering alerts: "On Changes", "On Each Deviance", or "On Each Attack".

    8. From the "Profiles" drop-down, select the profiles to use for this Syslog alert.

    9. If you want to send alerts after a system reboot or upgrade, check "Send alerts when deviances are detected during the initial analysis phase."

    10. If you set alerts to trigger on changes, type an expression to trigger the event notification.

    11. Click the "Test the Configuration" button.

      A message confirms that Tenable Identity Exposure sent a Syslog alert to the server.

    12. Click "Add".

      A message confirms that Tenable Identity Exposure created the Syslog alert.

  10. Dashboards allow you to visualize data and trends affecting the security of your Active Directory. You can customize dashboards with widgets to display charts and counters according to your requirements.

    For complete information, see Dashboards.

    Access dashboards:

    1. Sign into Tenable Identity Exposure.

    2. Click the icon on the top left to expand the navigation bar.

    1. Go to "Dashboards" and click "Add".

    2. Click "Add a Dashboard".

    3. Give it a name and click "OK".

    1. Click "Add" in the upper right corner.

    2. Select "Add a Widget on this Dashboard" or click the button in the middle of the screen.

    3. Choose the type of widget (bar charts, line charts, or counters).

    1. Click "Line Charts".

    2. Name the widget, e.g., "Deviances in the Last 30 Days".

    3. Choose the type of data (users count, deviances count, or compliance score).

    4. Select "Deviances" and set it for one month.

    5. Click "No Indicator" and select which indicators to use.

    6. Name the data set, e.g., "Critical".

    7. Add other data sets as needed (e.g., for medium and low).

    1. Click "Add".

    1. Click "Bar Chart".

    2. Name it "Compliance" and choose the compliance score data type.

    3. Select all indicators.

    4. Name the data set, e.g., "IoE".

    5. Click "Add".

    1. Click "Counter".

    2. Name the widget, e.g., "Users", and set the type of data to "User's Count".

    3. Choose the status "All" and select the domain.

    4. Name the data set and click "Add".

  11. Tenable Identity Exposure offers several ways to visualize the potential vulnerability of a business asset through graphical representations.

    For complete information, see Attack Path.

    Access the Attack Path feature:

    1. Sign into Tenable Identity Exposure.

    2. Click the menu icon on the top left to expand the navigation bar.

    3. In the Security Analytics section, click "Attack Path". The Attack Path feature has three modes:

      • Attack Path

      • Blast Radius

      • Asset Exposure

    1. In the search box, type the name of the account (e.g., "John Doe").

    2. Select the account from the list and click the magnifying glass icon.

    3. Explore the blast radius from the selected compromised account.

    4. Filter and view nodes as needed.

    5. Hover over endpoints to view the attack path.

    6. Toggle the option to show all node tooltips.

    7. Use the zoom bar to adjust the view.

    8. To change the search object, click the X next to the account name and perform a new search.

    1. In the search box, type the name of the sensitive server (e.g., "srv-fin").

    2. Select the object from the list and click the magnifying glass icon.

    3. Explore the asset exposure to the selected sensitive server.

    4. Use similar options as in Blast Radius mode.

    5. Hover over paths to view details.

    6. Toggle the option to show all node tooltips.

    7. Adjust the view using the bottom bar.

    1. In the starting point search box, type the name of the compromised account (e.g., "John Doe").

    2. Click the account name.

    3. In the arrival point search box, type the name of the sensitive asset (e.g., "s or v-fin").

    4. Click the asset name.

    5. Click the magnifying glass icon.

    6. Explore the available attack paths between the compromised account and the sensitive asset.

    7. Use similar options as in Blast Radius and Asset Exposure modes.

    • "Who has control over my privileged assets": Shows all user and computer accounts that have an attack path leading to a privileged asset.

    • "What are my privileged assets": Lists tier zero assets and accounts with potential attack paths leading to those assets.

    • Switch between tabs to view the lists.

    • Click the magnifying glass icon next to an item to switch the view.

    • Click the blue arrow and dot icon to open the asset exposure view filtered to show only this asset.

    1. Use the Attack Path feature to confirm hypotheses and visualize dangerous attack paths between entities.

    2. Take remediation actions to close identified attack paths.

Tip: For additional information on Tenable Identity Exposure, review the following customer education materials: