Trail Flow

Tenable Identity Exposure's Trail Flow provides real-time monitoring and analysis of events affecting your AD infrastructure. It allows you to identify critical vulnerabilities and their recommended courses of remediation.

Using the Trail Flow page, you can go back in time and load previous events or search for specific events. You can also use its search box at the top of the page to search for threats and detect malicious patterns.

The Trail Flow tracks the following events:

  • User and group changes: Includes the creation, deletion, and modification of accounts and groups.

  • Permission alterations: Encompasses modifications to access controls on objects such as files, folders, and printers.

  • System configuration adjustments: Involves changes to Group Policy Objects (GPOs) and other critical settings.

  • Suspicious activities: Encompasses unauthorized attempts, privilege escalations, and other events that raise red flags.

Tenable Identity Exposure offers these capabilities to leverage the Trail Flow data:

  • Searchable and filterable: Easy navigation through the event stream by using keywords or specific criteria, enabling focused attention on pertinent activities while minimizing extraneous noise.

  • Detailed event information: Each event entry furnishes exhaustive details, encompassing the affected object, the user responsible for the change, the protocol utilized, and associated Indicators of Exposure (IoEs).

  • Visualized relationships: The ability to illustrate the relationships between events, illuminating how seemingly unrelated activities may contribute to a broader attack campaign.

How does the data appear in the Trail Flow?

  1. When you perform an action within your Active Directory (AD) interface, such as:

    • Creating a new user account

    • Modifying a user's group membership

    • Resetting a password

    • Disabling an account

    • Enabling an account

    • Deleting an account

    • Moving an object

    • Modifying permissions

  2. The Active Directory (AD) automatically generates an event log entry, capturing details of the operation, including:

    • Timestamp

    • Administrator performing the action

    • Object(s) affected

    • Specific changes made

  3. Tenable Identity Exposure continuously collects and analyzes these event logs, correlates events, identifies patterns, and detects anomalies.

  4. The Trail Flow page visualizes the operation's flow and impact:

    • Timeline: Displays a chronological sequence of events, highlighting the recent operation.

    • Object Details: Provides specific information about the affected objects, including their attributes and relationships.

    • Change History: Shows a history of modifications made to the object(s), including the current operation.

    • Risk Insights: Identifies potential risks associated with the operation, such as excessive permissions or membership in sensitive groups.

    • Compliance Information: Indicates any compliance violations related to the operation.
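The four steps above, modelled as a small worked example. This is added illustration, not Tenable Identity Exposure's own code: the event records carry only the four fields the page lists (timestamp, administrator, affected object, specific change), the sample log is constructed, and the set of "sensitive groups" plus the 15-minute correlation window are assumptions made here to show how a Timeline, Change History and Risk Insights view can be derived from raw AD change events.

```python
"""Added example (not Tenable's code): a minimal model of the Trail Flow pipeline.
Constructed AD event entries -> chronological timeline -> per-object change
history -> risk insights and a correlated pattern across several events."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: which groups count as "sensitive" is a policy choice; these
# three are common built-in AD privileged groups.
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}


@dataclass(frozen=True)
class AdEvent:
    timestamp: datetime
    administrator: str   # administrator performing the action
    target: str          # object affected (sAMAccountName or DN)
    change: str          # e.g. "create", "enable", "password_reset", "add_member"
    detail: str = ""     # e.g. the group name for membership changes


# Constructed sample log, deliberately out of order to exercise sorting.
SAMPLE_EVENTS = [
    AdEvent(datetime(2024, 5, 1, 9, 5), "admin.jane", "svc-backup", "add_member", "Domain Admins"),
    AdEvent(datetime(2024, 5, 1, 9, 0), "admin.jane", "svc-backup", "enable"),
    AdEvent(datetime(2024, 5, 1, 8, 30), "admin.bob", "alice", "create"),
    AdEvent(datetime(2024, 5, 1, 9, 2), "admin.jane", "svc-backup", "password_reset"),
    AdEvent(datetime(2024, 5, 1, 10, 0), "admin.bob", "alice", "add_member", "Helpdesk"),
]


def timeline(events):
    """Timeline view: every event in chronological order."""
    return sorted(events, key=lambda e: e.timestamp)


def change_history(events, target):
    """Change History view: ordered modifications made to one object."""
    return [e for e in timeline(events) if e.target == target]


def risk_insights(events):
    """Risk Insights view: flag membership added to a sensitive group."""
    findings = []
    for e in timeline(events):
        if e.change == "add_member" and e.detail in SENSITIVE_GROUPS:
            findings.append(
                f"{e.target} added to sensitive group {e.detail} by {e.administrator}"
            )
    return findings


def suspicious_sequences(events, window=timedelta(minutes=15)):
    """Correlation across events: an account enabled, then password reset, then
    added to a sensitive group by the same administrator within `window` is
    reported as one pattern rather than three unrelated changes.
    Returns (target, administrator, time of the enabling event) tuples."""
    findings = []
    by_target = {}
    for e in timeline(events):
        by_target.setdefault(e.target, []).append(e)
    for target, hist in by_target.items():
        for i, first in enumerate(hist):
            if first.change != "enable":
                continue
            later = [
                x for x in hist[i + 1:]
                if x.timestamp - first.timestamp <= window
                and x.administrator == first.administrator
            ]
            changes = {x.change for x in later}
            groups = {x.detail for x in later if x.change == "add_member"}
            if "password_reset" in changes and groups & SENSITIVE_GROUPS:
                findings.append((target, first.administrator, first.timestamp))
    return findings


if __name__ == "__main__":
    for e in timeline(SAMPLE_EVENTS):
        print(e.timestamp.isoformat(), e.administrator, e.target, e.change, e.detail)
    print("Risk insights:", risk_insights(SAMPLE_EVENTS))
    print("Correlated patterns:", suspicious_sequences(SAMPLE_EVENTS))
```

On the constructed sample, the three changes to `svc-backup` are individually routine but together form one correlated finding; the `alice` changes touch no sensitive group and produce nothing.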
