Operational Indicators of Attack

Ensuring that the Indicators of Attack (IoA) processes are functioning properly is essential for accurate detection and response. This section provides step-by-step instructions to verify that the IoA components are operational, to troubleshoot common issues, and to resolve problems efficiently. Follow the steps below to confirm that everything is working as expected.

  • Ensure that the Indicators of Attack (IoA) monitoring is operational across your Domain Controllers.

    • Check connectivity to the domain — Confirm that the domain connectivity is functional by verifying the domain configuration. For more information, see Domains.

  • Verify IoA GPO folder in SYSVOL:

    • Check the IoA GPO folder in the SYSVOL directory to confirm that each Domain Controller is producing an up-to-date .gz file.

    • If any Domain Controller is not generating this .gz file, proceed to the next steps.

  • Confirm that the IoA Event Listener process is running:

    • Verify that the process Register-TenableADEventsListener.exe is running.

    • In the latest versions, this process is listed as "Tenable - IOA Events Listener" in Task Manager in addition to Register-TenableADEventsListener.exe.

      For more information, see Event Logs Listener Validation.

  • If the process is not running:

    • Ensure any EDR/Antivirus software on the Domain Controllers is not blocking the Register-TenableADEventsListener.exe process.

      For more information, see Antivirus Detection.

  • Start the process manually:

    • Edit the associated task (TenableADTask_*) in the Task Scheduler and click OK to restart the process.

  • Escalate if issues persist — If the above steps do not resolve the issue, raise a Support Case with Tenable. There may be an underlying issue preventing the Register-TenableADEventsListener.exe process from running.
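The checks above can be run from one place on a Domain Controller. The following PowerShell script is an added example, not a Tenable tool or part of this documentation: it reports whether the listener process is running, whether the TenableADTask_* scheduled task exists and its state, and whether the IoA GPO folder in SYSVOL contains recently written .gz files. The folder path ($IoaGpoFolder) and the freshness window ($MaxAgeMinutes) are placeholders you must set for your environment.

```powershell
# Added example (not Tenable's own tooling): IoA health check run elevated on a Domain Controller.
# ASSUMPTIONS: $IoaGpoFolder is a placeholder for the IoA GPO folder under SYSVOL (the page does
# not give the path); $MaxAgeMinutes is an arbitrary freshness threshold chosen for this example.
param(
    [string]$IoaGpoFolder = '<path-to-IoA-GPO-folder-in-SYSVOL>',   # placeholder, replace before use
    [int]$MaxAgeMinutes = 30
)

$results = [ordered]@{}

# 1. Is the IoA Event Listener process running?
#    (Newer versions also show it as "Tenable - IOA Events Listener" in Task Manager.)
$listener = Get-Process -Name 'Register-TenableADEventsListener' -ErrorAction SilentlyContinue
$results['ListenerRunning'] = [bool]$listener

# 2. Does the scheduled task that launches the listener exist, and what state is it in?
$tasks = @(Get-ScheduledTask -TaskName 'TenableADTask_*' -ErrorAction SilentlyContinue)
$results['TaskPresent'] = $tasks.Count -gt 0
$results['TaskState']   = ($tasks | ForEach-Object { "$($_.TaskName)=$($_.State)" }) -join '; '

# 3. Is this DC (and every other DC writing to the same folder) producing an up-to-date .gz file?
$cutoff = (Get-Date).AddMinutes(-$MaxAgeMinutes)
$gz     = @(Get-ChildItem -Path $IoaGpoFolder -Filter '*.gz' -Recurse -File -ErrorAction SilentlyContinue)
$stale  = @($gz | Where-Object { $_.LastWriteTime -le $cutoff })
$results['GzFilesTotal'] = $gz.Count
$results['GzFilesStale'] = $stale.Count

[pscustomobject]$results | Format-List

# Show which files are stale so the operator can tell which Domain Controller stopped producing output.
if ($stale.Count -gt 0) {
    Write-Warning "Stale .gz files (older than $MaxAgeMinutes minutes):"
    $stale | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
}

# Mirror the documented remediation order: AV/EDR exclusions first, then restart via the task.
if (-not $results['ListenerRunning']) {
    if ($tasks.Count -eq 0) {
        Write-Warning 'No TenableADTask_* task found; the IoA GPO may not have applied to this DC.'
    } else {
        Write-Warning 'Listener not running: check EDR/AV is not blocking Register-TenableADEventsListener.exe, then edit the TenableADTask_* task in Task Scheduler and click OK to restart it.'
    }
}
```

Run it on each Domain Controller, or wrap the process and task checks in Invoke-Command to query several DCs from one host.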