Security Domains Guide
Last updated: 2026-04-29
Status: Stable
Purpose
Security Domain pages aggregate findings, assets, and connector health for a specific technology category. Each domain provides a focused view — an Endpoint Security Engineer can work entirely in the Endpoint domain without being distracted by network or cloud findings.
Domain Pages
Endpoint (/domain-endpoint.html)

Relevant connectors: CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender for Endpoint, ManageEngine Endpoint Central, Jamf Pro, Microsoft Intune, ManageEngine MDM
What this domain covers:
- EDR detections and threat alerts
- Endpoint vulnerability assessments (unpatched software, CVEs on hosts)
- Managed vs unmanaged device counts
- Patch compliance percentage
- Privilege escalation and lateral movement detections
Key panels:
- Device Health Summary — count of managed, unmanaged, and non-compliant devices
- Top Endpoint Risks — highest-score findings on endpoints
- Patch Gap Chart — CVEs with available patches that remain unpatched (by severity)
- Connector Status Strip — health of all endpoint connectors
Common action: Filter by "Unmanaged" assets to identify shadow IT devices (devices not in CMDB but visible to NAC or EDR).
See also: CONNECTOR_CATALOGUE.md — EDR
Identity (/domain-identity.html)
Relevant connectors: Microsoft Entra ID, Okta Workforce Identity
What this domain covers:
- Risky sign-ins (impossible travel, unfamiliar locations)
- Leaked credential detections
- Privileged role changes
- MFA bypass attempts
- User lifecycle anomalies (active accounts for departed employees)
Key panels:
- Identity Risk Score — aggregate risk score for the identity domain
- Risky Users — list of users flagged by the Entra ID / Okta risk engine
- Privileged Access Changes — recent additions to admin roles
- Offboarding Loop — users terminated in Workday HRIS but still active in identity providers
Common action: Review the Offboarding Loop list daily. Each active account for a terminated employee is a direct access control failure.
See also: CONNECTOR_CATALOGUE.md — IDENTITY
Network (/domain-network.html)
Relevant connectors: Zscaler, Netskope, Cloudflare, Cisco Meraki, Check Point Quantum, Palo Alto NGFW, Fortiguard
What this domain covers:
- Web access threats blocked by proxy/SWG
- Shadow SaaS application usage (unsanctioned apps)
- WAF blocks and DDoS events
- Network intrusion attempts
- Zero Trust access anomalies (ZPA / ZTNA policy violations)
Key panels:
- Blocked Threats (24h) — count of threats blocked by network security tools
- Shadow SaaS — unsanctioned cloud services in use (from CASB data)
- Top Blocked IPs — most frequently blocked source IPs (IOC cross-reference)
- WAF Block Chart — WAF rule fire distribution over 7 days
Common action: Review Shadow SaaS list monthly. Unsanctioned apps represent both data exfiltration risk and contractual liability.
Cloud (/domain-cloud.html)

Relevant connectors: AWS CSPM, Azure CSPM, GCP CSPM, Wiz CNAPP, Prisma Cloud, Orca Security
What this domain covers:
- Cloud misconfiguration findings (open S3 buckets, public storage blobs, permissive IAM)
- CNAPP vulnerability findings (container image CVEs, serverless function risks)
- Cloud asset inventory (EC2, VMs, GKE clusters, Lambda functions)
- Compliance posture against CIS Cloud Benchmarks
Key panels:
- Posture Score by Provider — AWS / Azure / GCP compliance percentage
- Critical Misconfigs — publicly exposed storage, admin APIs without MFA
- Cloud Asset Map — all cloud assets by region and risk level
Common action: Filter by "Public access" assets — any storage bucket or VM with 0.0.0.0/0 ingress and a High+ finding should be escalated immediately.
See also: USER_GUIDE.md — CSPM
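The "Public access" escalation rule above, as an added example (not the platform's own code or filter logic): a finding is escalated when the asset is a storage bucket/blob or VM, its ingress allows the whole internet (0.0.0.0/0, and by extension ::/0), and its severity is High or above. Field names, asset type values, the severity scale and the sample findings are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Severity scale assumed for the "High+" threshold; the guide names only "High+".
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Asset types the rule applies to (storage buckets/blobs and VMs); values are assumed.
EXPOSABLE_TYPES = {"s3_bucket", "storage_blob", "vm"}


@dataclass(frozen=True)
class Finding:
    asset_id: str
    asset_type: str
    severity: str
    ingress_cidrs: tuple  # source CIDRs the asset's network rules admit


def is_unrestricted(cidr: str) -> bool:
    """True when a rule admits the whole internet: any /0 network, v4 or v6."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:  # malformed CIDR: not proven open, surface it separately
        return False


def needs_escalation(f: Finding, min_severity: str = "High") -> bool:
    """Storage bucket or VM, open to 0.0.0.0/0 (or ::/0), with a High+ finding."""
    if f.asset_type not in EXPOSABLE_TYPES:
        return False
    if SEVERITY_RANK.get(f.severity, 0) < SEVERITY_RANK[min_severity]:
        return False
    return any(is_unrestricted(c) for c in f.ingress_cidrs)


def escalation_list(findings) -> list:
    """Asset ids to escalate, sorted so the output is stable for ticketing."""
    return sorted(f.asset_id for f in findings if needs_escalation(f))


# Constructed sample findings (not real assets).
SAMPLE_FINDINGS = [
    Finding("bucket-public-logs", "s3_bucket", "High", ("0.0.0.0/0",)),
    Finding("vm-bastion", "vm", "Critical", ("10.0.0.0/8", "::/0")),
    Finding("vm-internal-db", "vm", "Critical", ("10.0.0.0/8",)),  # not exposed
    Finding("bucket-static-site", "storage_blob", "Medium", ("0.0.0.0/0",)),  # below High
    Finding("lambda-ingest", "lambda", "High", ("0.0.0.0/0",)),  # type out of scope
]

if __name__ == "__main__":
    for asset in escalation_list(SAMPLE_FINDINGS):
        print("ESCALATE:", asset)
```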
Email & Collaboration (/domain-email-collab.html)
Relevant connectors: Email Security (Google Workspace + M365 Defender for Office 365), Microsoft 365 Collaboration
What this domain covers:
- Phishing and BEC (Business Email Compromise) detections
- Malware-bearing attachments quarantined
- Suspicious email forwarding rules (common exfiltration vector)
- SharePoint external sharing events
- OneDrive anomalous access
- Teams guest access and external collaboration risks
Key panels:
- Phishing Rate (30d) — phishing emails received vs blocked
- BEC Alerts — account takeover and business email compromise detections
- External Sharing Events — files shared outside the organisation
- Top Targeted Users — users receiving the most phishing attempts
Common action: Review external sharing events weekly. A sudden spike in SharePoint external shares often precedes a data exfiltration incident.
Mobile (/domain-mobile.html)
Relevant connectors: Jamf Pro (Mac), Microsoft Intune, ManageEngine MDM
What this domain covers:
- Mobile device compliance status (OS version, encryption, screen lock)
- Unmanaged personal devices accessing corporate resources
- MDM policy violations (jailbroken/rooted devices)
- Application inventory on managed devices
Key panels:
- Compliance Rate — percentage of enrolled devices meeting MDM policy
- Non-Compliant Devices — list with the specific policy failure reason
- Unmanaged BYOD — personal devices accessing corporate Wi-Fi or email that are not enrolled in MDM
Common action: Any jailbroken or rooted device should be quarantined immediately — MDM agent integrity cannot be guaranteed.
OT / ICS (/domain-ot.html)
Relevant connectors: Armis OT, Forescout NAC
What this domain covers:
- Industrial control system (ICS) and SCADA device inventory
- OT vulnerability findings (CVEs on PLCs, HMIs, SCADA servers)
- Unmanaged OT devices on the network
- Lateral movement risk between IT and OT segments
- Protocol anomalies (Modbus, DNP3, EtherNet/IP)
Key panels:
- OT Asset Inventory — all OT devices with vendor, firmware version, criticality
- Unpatched OT CVEs — vulnerabilities with no vendor patch (common in OT)
- IT/OT Boundary — devices detected on both IT and OT network segments
Important note for OT: Patching OT devices often requires production downtime. Use the Risk Acceptance workflow for findings where patching is not feasible. Document the compensating control (e.g., air-gap enforcement, network segmentation).
External Threat (/domain-external-threat.html)
Relevant connectors: EASM (Censys/Shodan/Detectify), CloudSEK, BitSight, SafeBreach
What this domain covers:
- External attack surface (exposed services, subdomains, open ports visible to the internet)
- Dark web brand mentions, leaked credentials, targeted threat intelligence
- Security ratings (BitSight) — board-level external posture score
- Control validation results (SafeBreach BAS) — empirical test of whether your controls work
Key panels:
- External Exposure Map — all internet-facing assets with open ports
- Dark Web Alerts — leaked credentials or brand mentions from CloudSEK
- BitSight Rating — current letter grade and trend (A/B/C/D/F)
- SafeBreach Results — percentage of attacks successfully blocked by your controls
Common action: Any new subdomain discovered by EASM that is not in your known asset list should be investigated immediately — it may be shadow IT or a subdomain takeover vulnerability.
Domain Compliance Summary (/domain-compliance-summary.html)
Cross-domain view showing which compliance frameworks have controls mapped to each security domain. Useful for understanding where a domain's security posture directly impacts compliance scores.
See Also
- USER_GUIDE.md — Security Domains
- CONNECTOR_CATALOGUE.md
- guides/strategic-modules.md — CSPM, DSPM, AI Security, ZTNA, Attack Path, Risk Quant