Ignore a Deviant Object or a Reason (Deviance)

In Tenable Identity Exposure, a deviant object refers to any object in the Active Directory (AD) that exhibits abnormal or risky behaviors, such as improper configurations or permissions, which could potentially expose security vulnerabilities. These objects are identified through Tenable's Indicators of Exposure (IoE), which identify deviations from best practices and security norms.

A reason, also known as a "deviance," is the specific attribute or factor that makes an object deviant. Multiple reasons may contribute to why the IoE flagged an object as deviant. For example, an object could be marked deviant due to incorrect file permissions, misconfigurations, or risky delegation, each of which represents a distinct "reason."

In summary:

  • Deviant Object: An AD object flagged for risky or abnormal behavior.

  • Reason/Deviance: The specific attribute or factor that causes the IoE to flag the object.

These reasons are critical to understanding the underlying security weaknesses associated with each deviant object.

When you choose to ignore a deviant object, you also ignore all associated reasons or deviances.

This can be useful for reducing clutter in the interface when certain flagged objects are not of immediate concern.

However, ignoring these objects does not resolve the underlying issues; it simply prevents them from appearing in reports or investigation screens for the specified timeframe.

To ignore deviant objects:

  1. In Tenable Identity Exposure, display the list of Deviant Objects

  1. Select the check boxes in front of the deviant object to ignore.

  2. Optionally, you can also filter for deviant objects to ignore:

    • Click the Calendar box to select a start date and an end date.

    • Click on n/n Domains to select forests and domains.

Tip: For faster selection, you can check the Select all pages or Select current page box at the bottom of the page.

  1. From the drop-down list at the bottom of the page, select Ignore selected objects.

  2. Click OK.

    The Ignore selected objects pane appears.

  3. Click the Ignore until box to display the calendar and select a date until which Tenable Identity Exposure must ignore the deviant object.

  4. Click OK.

    Tenable Identity Exposure displays a confirmation message and updates the list of remaining deviant objects.

To show ignored deviant objects:

  1. Click the Ignored toggle to Yes.

  2. At the bottom of the page, click Select all pages.

  3. Select Stop ignoring selected objects from the drop-down list.

  4. Click OK.

    A confirmation pane appears.

  5. Click OK to validate your changes.

    Tenable Identity Exposure displays the ignored deviant objects.

When you choose to ignore a specific reason (or "deviance") in Tenable Identity Exposure, the IoE stops alerting you about that particular issue, but it doesn't resolve the problem itself.

The ignored deviance no longer appears in the active monitoring dashboard, effectively silencing the alert for that specific reason.

However, other deviances related to the same object continue to trigger alerts unless you also ignored them individually.

To ignore a reason ("deviance"):

  1. In Tenable Identity Exposure, display the list of Deviant Objects

    A list of deviant objects appears.

  2. Identify a deviant object and click on the arrow (>) at the end of the line.

    The view expands to show the details of the reason.

  3. Click the checkbox at the end of the line. If there are several reasons, select the ones to ignore or click Select all to ignore all associated reasons.

  4. Click OK.

    The Ignore selected deviances pane appears.

  5. Click the Ignore until box to display the calendar and select a date until which Tenable Identity Exposure must ignore the deviance.

  6. Click OK.

    Tenable Identity Exposure displays a confirmation message and updates the list of remaining deviances.

To show ignored deviances:

  1. Click the Ignored toggle to Yes.

    The list of deviant objects updates with an expanded view for all reasons. The ignored reasons show the icon.

  2. Select the ignored reason and click Stop ignoring selected deviance from the drop-down list.

  3. Click OK.

    The pane "Stop ignoring selected deviances " appears.

  4. Click OK.

    Tenable Identity Exposure displays a confirmation message and updates the list of remaining deviances.

See also