Start Using Tenable Identity Exposure
After you deploy Tenable Identity Exposure, this section walks you through the key steps to begin using Tenable Identity Exposure effectively.
Each section contains links to more detailed descriptions and instructions for the related task.
-
Log in and navigate the user interface
-
Log in to Tenable Identity Exposure portal. The home page opens, as shown in this example.
-
Your initial login is [email protected] and the password is verySecure1.
-
Expand or collapse the side navigation bar:
-
To expand: click the menu at the top left of the window.
-
To collapse: click the at the top left of the window.
-
-
Navigate the Tenable Identity Exposure User Portal.
-
-
Enable Indicators of Exposure (IoE) for an Active Directory Domain
Before you configure Indicators of Exposure, you must have or create an Active Directory service account with the appropriate permissions. While Tenable Identity Exposure does not require administrative privileges for security monitoring, some containers require manual configuration to allow read access for the service account user.
For complete information, see Access to AD Objects or Containers
-
Log in to the Tenable Identity Exposure web portal with administrative credentials such as the default "[email protected]" account.
-
Click the menu icon on the top left to expand the navigation panel, then click "System" in the left panel.
Add a Forest:-
In the Forest Management tab, click "Add a Forest".
-
Provide a display name for the forest (e.g. Tenable).
-
Enter the login and password for the service account to connect to all domains in this forest.
-
Click "Add".
For complete details, see Forests.
Add a Domain:-
Click "Add a Domain".
-
Provide a display name for the domain to monitor (e.g. HQ).
-
Enter the fully qualified domain name (e.g. sky.net).
-
Select the corresponding forest from the drop-down list.
-
If using SaaS with Secure Relay, select the relay to handle this domain.
-
Enable "Privileged Analysis" toggle if the account has required privileges.
-
If you enable "Privileged Analysis", optionally enable "Privileged Analysis Transfer" for Tenable Cloud.
-
Provide details for the Domain Controller with Primary Domain Controller Emulator FSMO role:
-
IP address or hostname
-
Leave LDAP, Global Catalog, and SMB ports with pre-filled default values
-
-
Click "Test Connectivity" at the bottom.
-
If successful, click "Add".
In the Domain Management view, you'll see columns for LDAP Initialization, SISFul Initialization, and Honey Account Configuration statuses showing a circular loading icon until initial crawling completes.
For complete details, see Domains.
Monitor initialization:-
Switch to the Trail Flow view. After a few minutes, data begins to flow in once analysis starts.
-
Return to System > Domain Management.
-
Wait for green icons indicating LDAP and SYSVOL initialization completed.
You have now enabled Indicators of Exposure monitoring for this domain. Notifications on the web portal appear within minutes/hours depending on environment size.
Review exposure data:-
Click "Indicators of Exposure" in the left menu to see all indicators triggered for the added domain.
-
Click on an indicator to view deviant object details causing non-compliance.
-
Close the details and go to "Dashboards" to see the environment metrics.
-
-
Deploy Indicators of Attack (IoA) for a domain
To deploy IoAs, you must first perform three configurations as described below:
-
The IoA script is mandatory for all attack scenarios.
-
The Honey Account configured to detect specific attacks such as Kerberoasting.
-
Sysmon installation on all Domain Controllers of the monitored domain to detect attacks like OS Credential Dumping.
Tenable Identity Exposure provides the IoA script, its command line, and the Honey Account configuration command line. However, you must perform these prerequisites directly on the Domain Controllers or an administrative machine with appropriate rights.
For complete information, see Indicators of Attack Deployment.Configure Attack Scenarios:-
Log in to the Tenable Identity Exposure web portal using administrative credentials (e.g., [email protected]).
-
Navigate to System > Configuration > Indicators of Attack.
-
Select the attack scenarios you want to enable for your environment.
-
Select the checkbox below the domain name to enable all available attack scenarios.
-
Click "Save" at the bottom right.
-
Click "See Procedure" at the top.
A window appears, showing the procedure to deploy the IoA engine.
-
Use the toggle to enable or disable the automatic updates feature.
-
Click the first "Download" button to download the PS1 file.
-
Click the second "Download" button to download the JSON file.
-
Note where the location where you downloaded the installation files.
-
Locate the field labeled "Run the following PowerShell commands."
-
Copy the contents of the text field and paste them into a Notepad file.
-
Copy the PS1 and JSON files to a Domain Controller or an administrative server with appropriate rights.
-
Start the Active Directory module for Windows PowerShell as an administrator and navigate to the folder hosting the files.
-
Paste the command copied from the Tenable Identity Exposure web portal and press Enter.
-
Open the Group Policy Management console and find the GPO named "Tenable.ad" linked to the Domain Controller's OU.
For the detailed procedure, see Install Indicators of Attack.
Configure the Honey Account:-
Return to the Tenable Identity Exposure web portal.
-
Navigate to System > Domain Management tab.
-
Click the "+" icon under "Honey Account Configuration Status" to the right of your domain (available once the other two statuses are green).
-
In the "Name Search" box, type the name of the account to use as a honey pot.
-
Select the distinguished name of the object from the drop-down list.
-
Copy the contents of the command line text field and paste them into a Notepad file.
-
Go back to the server where you ran the IoA script.
-
Open or start a PowerShell command line as an administrator.
-
Paste the command copied from the Tenable Identity Exposure web portal and press Enter.
-
Confirm that the command line ran properly.
-
Return to the Tenable Identity Exposure web portal and click the "Add" button at the bottom.
After a few seconds, the Honey Account Configuration status should show a green dot.
For the detailed procedure, see Honey Accounts.
Install Sysmon:The Tenable Identity Exposure web portal does not provide automatic deployment for Sysmon. See Install Microsoft Sysmon for the required Sysmon configuration file. You can install Sysmon manually as shown in the documentation or by GPO.
For the detailed procedure, see Install Microsoft Sysmon.
-
-
Set up and use IoEs in your environment
Tenable Identity Exposure uses Indicators of Exposure to measure the security maturity of your Active Directory and assign severity levels to the flow of events that it monitors and analyzes.
For complete information about IoEs, see Indicators of Exposure.Access IoEs:
-
Sign in to Tenable Identity Exposure.
-
Click the icon on the top left to expand the panel.
-
Click "Indicators of Exposure" on the left side to see the IoEs.
The default view shows configuration items in your environment that are potentially vulnerable, rated by severity: Critical, High, Medium, and Low.
View all IoEs:-
Click the toggle to the right of "Show All Indicators".
-
You can see all the IoEs available in your Tenable Identity Exposure instance. Any item that shows no domain is an item where you do not have that exposure.
-
To the right of "Show All Indicators", you can see "Domain". If you have multiple domains in your environment, click on it and select the domains to view.
-
Search IoEs:-
Click "Search an Indicator" and type a keyword, such as "password".
All IoEs related to passwords appear.
Review IoE details:-
To see additional information about an indicator, click on it.
-
The detailed view starts with an executive summary of the particular exposure.
-
It then lists documents related to it and known attacker tools that can expose this particular item.
-
-
To the right, you see "Impacted Domains".
-
Click the "Vulnerability Details" tab to read additional information about the checks done for this IoE.
-
Click the "Deviant Objects" tab to see the list of objects and reasons that triggered the exposure.
-
If you expand an object in the list, you can see more details about what caused the deviance.
-
Create queries:-
To create a query, click "Type an Expression" and enter a Boolean query for an item. You can also click the filter icon to the left to build a query.
-
Set the start and end dates, choose domains, and search for ignored items by clicking the "Ignore" toggle.
For complete procedures, see Search Deviant Objects.
Ignore/Export deviant objects:-
You can hide objects in the list by ignoring them.
-
Select one or more objects, then click "Select an Action" at the bottom of the page.
-
Select "Ignore Selected Objects" and click "OK".
-
Choose the date until which you want to ignore the selected objects.
-
You can stop ignoring objects the same way, using the "Stop Ignoring Selected Objects" option.
-
-
To export the list of all deviant objects for this indicator as a CSV file, click the "Export All" button.
For complete procedures, see Deviant Objects.
Remediation recommendations:-
Click the "Recommendations" tab to see recommendations on how to remediate this indicator.
See also Remediate Deviances from Indicators of Exposure for remediation use cases.
-
-
Track configuration changes in AD using the Trail Flow
The Trail Flow displays the real-time monitoring and analysis of events affecting your ad infrastructures. It allows you to identify critical vulnerabilities and their recommended courses of remediation.
For complete information, see Trail Flow and Trail Flow Use Cases.
Access the Trail Flow:
-
Sign into Tenable Identity Exposure.
-
Click the icon on the top left to expand the navigation bar.
-
Click "Trail Flow".
Navigate the Trail Flow page:The Trail Flow page opens with a list of events, including the source type, object path, domain, and date.
-
Click the date box in the upper right to indicate the dates that you are searching for.
-
Click "Domain" to change which Active Directory servers or forests.
-
Click the pause button in the upper right corner to pause or restart Trail Flow capture.
Create queries:There are two ways of creating queries for your search: manually or by using the wizard.
-
To filter events manually, type an expression in the search box to refine results using the Boolean operators.
For complete information, see Search the Trail Flow Manually.
-
To use the search wizard:
-
Click the magic wand icon on the left.
-
Follow the prompts to create and combine query expressions.
For complete information, see Search the Trail Flow Using the Wizard and Customize Trail Flow Queries
-
View event details:Once you've identified an important event:
-
Click on the event. This will bring up the attributes of the change on that object.
-
Hover over the blue dot icon on the left to compare the values before and at the event.
-
Hover over items to see additional information.
-
Click "See Whole Value" and click the button to copy that information to the clipboard.
Identify configuration changes:One of the challenges of Active Directory server cybersecurity is the large number of configuration changes that do not impact cyber exposure. To identify configuration changes:
-
Click the magic wand icon.
-
Enable "Deviant Only".
-
Click "Validate".
View cyber exposure items:Notice that the events have a red diamond symbol next to them. Click on an event to see information regarding the configuration change. An additional tab is available labeled "Deviances". Click on it to see the specific cyber exposure items that were created or resolved.
-
-
Identify potential attacks on AD using IoAs
Access IoAs:
-
Sign into Tenable Identity Exposure.
-
Click the icon at the top left to expand the navigation bar.
-
Click "Indicators of Attack".
Filter the timeline:By default, you see the timeline of attack detection for today. To change the filter:
-
Click "Day", "Month", or "Year".
-
To change the time frame, click the calendar icon and select the appropriate time frame.
Filter the view:You can filter the view on specific domains or IoAs using the selector on the right side of the portal.
-
Click "Domains" to view the choices and make selections.
-
Click the X to close.
-
Click "Indicators" to view the choices and make selections.
-
Click the X to close.
As an example, let's focus on what happened in 2022:
-
Click the "Year" button and select "2022".
-
Click the red and yellow bar in the timeline.
-
You can now see a new view with the top three critical and top three medium attacks detected that month.
-
Close the view by clicking outside the black box.
View details of detected attacks:Below the timeline, you see a card for the monitored domain on which the attack was detected.
-
Click the "Sort By" drop-down (currently set to "Domain").
-
You can sort the card by domain, indicator criticality, or forest.
-
To search for a specific domain or attack, use the search box.
-
By default, you only see a card for the domain under attack. Toggle the view to see each domain by switching "Show Only Domains Under Attack" from "Yes" to "No".
Customize the chart:A card contains two types of information: a chart and the top three attacks.
-
To change the chart type, click the pencil icon at the top right of the card.
-
Select either "Attack Distribution" or "Number of Events".
-
Click "Save".
Viewing incident details:To see more details about the attack that was detected:
-
Click the card to see incidents related to the domain.
-
To filter, use the search box, select a start or end date, specific indicators, or toggle the "No/Yes" box to show or hide closed incidents.
-
To close incidents, select an alert, click the "Select an Action" menu at the bottom, select "Close Selected Incidents", and click "OK".
-
To reopen an incident, select an alert, click the "Select an Action" menu, select "Reopen Selected Incidents", and click "OK".
View attack details and Yara detection rules:-
Click on an attack to open the detail view. In the description panel, there is the incident description of the attack, MITRE ATT&CK framework information, and additional resources with links to external websites.
-
Click the Yara detection rules panel to see an example of a rule that can perform malware research in detection tools.
-
Export the list of incidents by clicking "Export All". CSV is the only format available.
Notification and alerts:The Bell icon on the top right shows a notification when Tenable Identity Exposure detects an attack. These attacks appear in the attack alerts tab.
-
-
Set up and use alerts
The Tenable Identity Exposure alerting system helps you identify security regressions or attacks on your monitored Active Directory. It pushes analytics data about vulnerabilities and attacks in real-time through email or Syslog notifications.
For complete procedures, see Alerts.Configure the SMTP Server:-
Connect to Tenable Identity Exposure.
-
Click "System" and then "Configuration".
-
Configure the SMTP server from this menu.
Create email alerts:-
Under "Alerting Engine", click "Email".
-
Click the "Add an Email Alert" button.
-
In the "Email Address" box, type the recipient's email address.
-
In the "Description" box, type a description for the address.
-
From the "Trigger the Alert" drop-down list, select "On Changes", "On Each Deviance", or "On Each Attack".
-
From the "Profiles" drop-down, select the profiles to use for this email alert.
-
Check the "Send Alerts When Deviances" box to send email notifications when a system reboot triggers alerts.
-
From the "Severity Threshold" drop-down, select the threshold at which Tenable Identity Exposure will send alerts.
-
Select the indicators for which to send alerts.
-
Select domains for alerts:
-
Click "Domains" to select the domains for which Tenable Identity Exposure sends out alerts.
-
Select the forest or domain and click the "Filter on Selection" button.
-
-
Click the "Test the Configuration" button.
A message confirms that Tenable Identity Exposure sent an email alert to the server.
-
Click the "Add" button.
A message confirms that Tenable Identity Exposure created the email alert.
Create Syslog alerts:-
Click on "Syslog" and then click the "Add Syslog Alert" button.
-
In the "Collector IP Address or Hostname" box, type the server IP or hostname of the server receiving the notifications.
-
In the "Port" box, type the port number for the collector.
-
From the "Protocol" drop-down, select either UDP or TCP.
-
If you choose TCP, select the "TLS" option checkbox to enable TLS security protocol.
-
In the "Description" box, type a brief description for the collector.
-
Choose one of the three options for triggering alerts: "On Changes", "On Each Deviance", or "On Each Attack".
-
From the "Profiles" drop-down, select the profiles to use for this Syslog alert.
-
If you want to send alerts after a system reboot or upgrade, check "Send alerts when deviances are detected during the initial analysis phase."
-
If you set alerts to trigger on changes, type an expression to trigger the event notification.
-
Click the "Test the Configuration" button.
A message confirms that Tenable Identity Exposure sent a Syslog alert to the server.
-
Click "Add".
A message confirms that Tenable Identity Exposure created the Syslog alert.
-
-
Set up dashboards in the Tenable Identity Exposure portal
Dashboards allow you to visualize data and trends affecting the security of your Active Directory. You can customize dashboards with widgets to display charts and counters according to your requirements.
For complete information, see Dashboards.Access dashboards:
-
Sign into Tenable Identity Exposure.
-
Click the icon on the top left to expand the navigation bar.
Create a custom dashboard:-
Go to "Dashboards" and click "Add".
-
Click "Add a Dashboard".
-
Give it a name and click "OK".
Add widgets to the dashboard:-
Click "Add" in the upper right corner.
-
Select "Add a Widget on this Dashboard" or click the button in the middle of the screen.
-
Choose the type of widget (bar charts, line charts, or counters).
Configure a line chart widget:-
Click "Line Charts".
-
Name the widget, e.g., "Deviances in the Last 30 Days".
-
Choose the type of data (users count, deviances count, or compliance score).
-
Select "Deviances" and set it for one month.
-
Click "No Indicator" and select which indicators to use.
-
Name the data set, e.g., "Critical".
-
Add other data sets as needed (e.g., for medium and low).
-
Click "Add".
Add a bar chart widget:-
Click "Bar Chart".
-
Name it "Compliance" and choose the compliance score data type.
-
Select all indicators.
-
Name the data set, e.g., "IoE".
-
Click "Add".
Add a counter widget:-
Click "Counter".
-
Name the widget, e.g., "Users", and set the type of data to "User's Count".
-
Choose the status "All" and select the domain.
-
Name the data set and click "Add".
-
-
View Attack Paths
Tenable Identity Exposure offers several ways to visualize the potential vulnerability of a business asset through graphical representations.
For complete information, see Attack Path.Access the Attack Path feature:
-
Sign into Tenable Identity Exposure.
-
Click the menu icon on the top left to expand the navigation bar.
-
In the Security Analytics section, click "Attack Path". The Attack Path feature has three modes:
-
Attack Path
-
Blast Radius
-
Asset Exposure
-
Use the Blast Radius mode:-
In the search box, type the name of the account (e.g., "John Doe").
-
Select the account from the list and click the magnifying glass icon.
-
Explore the blast radius from the selected compromised account.
-
Filter and view nodes as needed.
-
Hover over endpoints to view the attack path.
-
Toggle the option to show all node tooltips.
-
Use the zoom bar to adjust the view.
-
To change the search object, click the X next to the account name and perform a new search.
Use the Asset Exposure mode:-
In the search box, type the name of the sensitive server (e.g., "srv-fin").
-
Select the object from the list and click the magnifying glass icon.
-
Explore the asset exposure to the selected sensitive server.
-
Use similar options as in Blast Radius mode.
-
Hover over paths to view details.
-
Toggle the option to show all node tooltips.
-
Adjust the view using the bottom bar.
Use the Attack Path mode:-
In the starting point search box, type the name of the compromised account (e.g., "John Doe").
-
Click the account name.
-
In the arrival point search box, type the name of the sensitive asset (e.g., "s or v-fin").
-
Click the asset name.
-
Click the magnifying glass icon.
-
Explore the available attack paths between the compromised account and the sensitive asset.
-
Use similar options as in Blast Radius and Asset Exposure modes.
Additional capabilities:-
"Who has control over my privileged assets": Shows all user and computer accounts that have an attack path leading to a privileged asset.
-
"What are my privileged assets": Lists tier zero assets and accounts with potential attack paths leading to those assets.
-
Switch between tabs to view the lists.
-
Click the magnifying glass icon next to an item to switch the view.
-
Click the blue arrow and dot icon to open the asset exposure view filtered to show only this asset.
Interpret results:-
Use the Attack Path feature to confirm hypotheses and visualize dangerous attack paths between entities.
-
Take remediation actions to close identified attack paths.
-