Health Checks

The health check feature in Tenable Identity Exposure provides you with real-time visibility into the configuration of your domains and service accounts in one consolidated view, from which you can drill down to investigate any configuration anomalies leading to connectivity or other issues in your infrastructure. It verifies that everything is properly set up to ensure the smooth operation of Tenable Identity Exposure and gives you the ability to take quick and precise actions to remedy issues, as well as the confidence that your configuration settings are optimal to enable Tenable Identity Exposure to function efficiently.

Health checks are visible by default for administrative roles and by permission for certain user roles. You can also create Syslog or email alerts on each change in health check status.

Health Checks and DC Sync Attack Detection

Health checks provide valuable information about the status and usability of Tenable Identity Exposure services. They also verify the service account's capability to collect sensitive information such as password hashes and DPAPI backup keys used for Privileged Analysis. In the health check report, Tenable attempts to collect sensitive data to determine if the service account has the Privileged Analysis feature properly configured, without actually collecting anything if this feature is not in use. To keep this process from being detected as a DCSync attack, Tenable automatically whitelists the provided service account for the DCSync Indicator of Attack.
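The effect of such an allowlist on a detection you run yourself, shown as an added example (not Tenable's detection logic or code from this page): it triages simplified Windows Security 4662 events for directory replication rights and keeps allowlisted hits in a separate, reviewable bucket instead of discarding them. The event records and the account names DC01$, svc-tenable and jdoe are constructed assumptions.

```python
# Control-access right GUIDs for directory replication (AD schema constants).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed, simplified event records; all account names are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc-tenable", "Properties": "{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "SubjectUserName": "jdoe", "Properties": ""},
]

def classify(event, dc_accounts, allowlist):
    """Return (verdict, rights); verdict is None when the event is irrelevant."""
    if event.get("EventID") != 4662:
        return None, []
    props = event.get("Properties", "").lower()  # GUID case varies by source
    rights = sorted(name for guid, name in REPLICATION_RIGHTS.items() if guid in props)
    if not rights:
        return None, []
    user = event.get("SubjectUserName", "").lower()
    if user in dc_accounts:       # replication between domain controllers
        return "expected", rights
    if user in allowlist:         # e.g. the health-check service account
        return "suppressed", rights
    return "alert", rights

def triage(events, dc_accounts, allowlist):
    """Bucket events so allowlisted activity stays auditable, not invisible."""
    out = {"expected": [], "suppressed": [], "alert": []}
    for ev in events:
        verdict, rights = classify(ev, dc_accounts, allowlist)
        if verdict:
            out[verdict].append((ev["SubjectUserName"], rights))
    return out

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS, {"dc01$"}, {"svc-tenable"})
    for verdict, hits in result.items():
        print(verdict, hits)
```

Reviewing the suppressed bucket periodically shows whether the allowlisted account replicates only when health checks or Privileged Analysis are expected to run.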

Domain Status

Tenable Identity Exposure performs the following checks for each domain:

  • Authentication to the AD domain — LDAP settings and status, credentials, and SMB access.

  • Domain reachability — Working connection to the dynamic RPC port, a reachable SMB server, a reachable domain controller IP address or FQDN, a working connection to the RPC port, a reachable LDAP server, and a reachable global catalog LDAP server.

  • Permissions — Ability to access AD domain data and collect privileged data.

  • Domain Linked to Relay — The domain is correctly associated to a relay service.

  • Indicators of Attack: Domain Controller activity — Tenable Identity Exposure receives Windows event logs from all Domain Controllers.

  • Indicators of Attack: Domain installation — Ensure Tenable IoA GPO configuration is correct.

Platform Status

Tenable Identity Exposure performs the following checks on your platform configuration:

  • Running Relay service — Whether or not the Relay configuration is correct, with troubleshooting tips.

  • Relay version consistency — Whether or not the Relay version is consistent with the Tenable Identity Exposure version.

  • Running AD data collector service — Whether or not the data collector service, broker, and collector bridge are operational to relay data to other services.

List of Health Checks

Domain Reachability (HC-DOMAIN-REACHABILITY)
Type: Domain
Description of Check: Ability to establish a connection with the AD domain
Details:
  • Reachable Domain Controller IP Address or FQDN
  • Reachable Global Catalog LDAP Server
  • Reachable LDAP Server
  • Reachable SMB Server
  • Working Connection to the Dynamic RPC Port
  • Working Connection to RPC Port

Authentication to the AD Domain (HC-DOMAIN-AUTHENTICATION)
Type: Domain
Description of Check: Ability to authenticate to the AD domain
Details:
  • Valid Credentials
  • Idle LDAP Server
  • Available LDAP Server
  • LDAP Access Granted
  • SMB Access Granted

Permissions to Collect the AD Domain Data (HC-DOMAIN-DATA-COLLECTION)
Type: Domain
Description of Check: Ability to collect the AD domain data
Details:
  • Granted Permissions to Collect Privileged Data

Permissions to Access the AD Containers (HC-DOMAIN-CONTAINER-ACCESS)
Type: Domain
Description of Check: Ability to access the AD containers
Details:
  • Granted Permissions to Access Deleted Objects Container
  • Granted Permissions to Access Password Settings Container

Domain Linked to Relay (HC-DOMAIN-LINKED-TO-RELAY)
Type: Domain
Description of Check: The domain is linked to a Relay
Details:
  • Domain Linked to a Relay

IoAs - Domain Controller Activity
Type: Domain
Description of Check: Tenable Identity Exposure receives Windows event logs from all Domain Controllers
Details:
  • Inactive Domain Controllers

IoAs - Domain Installation
Type: Domain
Description of Check: Ensure Tenable IoA GPO configuration is correct
Details:
  • Tenable IoA GPO exists in the LDAP
  • Tenable IoA GPO folder exists in the SYSVOL
  • Tenable IoA GPO IoA folder exists in the SYSVOL
  • Tenable IoA GPO EVT Subscribe listener file exists in the SYSVOL
  • Tenable IoA GPO configuration file exists in the SYSVOL
  • Tenable IoA GPO audit.csv file exists in the SYSVOL

Relay Service Up (HC-PLATFORM-RELAY-UP)
Type: Platform
Description of Check: The Relay is working as expected
Details:
  • Running Relay Service

Relay Service Version (HC-PLATFORM-RELAY-VERSION)
Type: Platform
Description of Check: The Relay version is aligned with the product
Details:
  • Relay Version Consistency

AD Data Collector Up (HC-PLATFORM-AD-DATA-COLLECTOR-UP)
Type: Platform
Description of Check: The AD data collector is working as expected
Details:
  • Running AD Data Collector Bridge
  • Running AD Data Collector Service
  • Running Broker

Synchronization between Tenable Cloud & Tenable Identity Exposure services
Type: Platform
Description of Check: Created Tenable Cloud group, permissions, and users are synchronized with Tenable Identity Exposure database.
Details:
  • Tenable Cloud availability