Deactivated Indicators of Attack

Occasionally, Tenable Identity Exposure may temporarily deactivate some Indicators of Attack (IoAs) to maintain optimal performance.

When deactivated, it shows the icon next to the IoA.

First Row Icon Status

  • Gray icon — Indicates that at least one IoA is temporarily deactivated.

  • Green checkmark icon — Indicates that all configured IoAs are activated.

Other Row Icon Status

  • Gray icon — Appears next to specific domains where IoAs are deactivated.

When hovering over the status icons, you'll see the following tooltips:

  • Gray icon — "One or several IoAs are deactivated temporarily"

  • Green checkmark icon — "All configured IoAs are activated"

  • Gray icon in other rows: "IoA temporarily deactivated (since yyyy-mm-dd hh:mm) to maintain performance."

When Tenable Identity Exposure deactivates IoAs, an alert message appears above the IoA table:

"To maintain performance, Tenable Identity Exposure deactivated some IoAs. They will be reactivated automatically once the situation stabilizes. Refer to the icon in your IoA configuration for more information."

The deactivated status is visible at both domain and forest levels.

  • If you uncheck a domain with a deactivation icon and no other domains have this icon, it disappears for the linked domain.

  • If all domains linked to a forest have no more deactivation icons, the icon disappears for the linked forest.

Tenable Identity Exposure automatically reactivates deactivated IoAs once the system performance stabilizes. No manual intervention is required.

The temporary deactivation of IoAs is a built-in feature designed to maintain system performance. Tenable Identity Exposure dynamically adjusts active IoAs to ensure optimal operation without compromising security monitoring capabilities.

When you see the gray "deactivated" icon:

  1. Wait for the situation to resolve: In most cases, all you need to do is wait. Tenable Identity Exposure automatically reactivates the IoAs once system performance stabilizes.

  2. For on-premises deployments:

    • If you notice this happening frequently, despite following the resource matrix recommendations, you may need to add more resources to the machine hosting the Cygni service.

    • Consider upgrading CPU, RAM, or disk space as needed to improve overall system performance.

  1. Monitor frequency: Keep track of how often you see this icon. If it appears regularly, it may indicate that your current resources are consistently under strain.

  2. Review your IoA configuration: While waiting for reactivation, you may want to review your current IoA setup to ensure it aligns with your security needs and available resources.