Version History
| Version | Date | Notes |
|---|---|---|
| 1.0 | 2026-03-31 | Initial release — 15 Active Directory, File System, and SharePoint Online risks |
| 1.1 | 2026-04-01 | Added PDF remediation guides to each risk action job folder; fixed duplicate group bug in Admin Accounts not in Protected Users report; improved SP_OpenResourceAccess query performance for Directly Applied Open Access risk |
Solution Download
Risk Dashboard_1.1.zip (2.0 MB)
Installation
Step 1 — Download and Transfer the ZIP
Download the Risk Dashboard.zip attachment from this post and transfer the file to your NAA application server.
Step 2 — Unblock the ZIP Before Extracting
Windows may block files downloaded from the internet. Before extracting, right-click on Risk Dashboard.zip and select Properties.
At the bottom of the General tab, check the Unblock checkbox if it is present, then click OK.
If the Unblock checkbox is not present, the file is already unblocked and you can proceed.
Step 3 — Extract the ZIP
Right-click the ZIP and select Extract All, then extract to a convenient location on the server.
Inside the extracted folder you will find a single folder named GROUP_Risk Dashboard.
Step 4 — Copy to the NAA Jobs Directory
Copy the GROUP_Risk Dashboard folder into the Jobs folder inside your NAA installation directory. The install path depends on where NAA was installed on your server — the default is typically under C:\STEALTHbits\StealthAUDIT\Jobs, but this will vary if NAA was installed to a different drive or path.
You can open the Jobs folder directly by running the following in a Run dialog (Win+R) or the address bar in Windows Explorer:
%sainstalldir%Jobs
%sainstalldir% is an environment variable set by the NAA installer that points to the installation directory. On a server where NAA was installed to F:\STEALTHbits\StealthAUDIT, for example, this resolves to F:\STEALTHbits\StealthAUDIT\Jobs.
Paste the GROUP_Risk Dashboard folder into this Jobs folder alongside the other existing job groups.
Step 5 — Refresh the Job Tree in NAA
Once the folder is in place, NAA needs to pick it up. Either right-click in the job tree and select Refresh if that option is available, or close and reopen the NAA console. The GROUP_Risk Dashboard job group will appear in the job tree once the console has refreshed.
Summary
The Risk Dashboard is a custom NAA job group that identifies, scores, trends, and surfaces the most important security risks across Active Directory, File Systems, and SharePoint — all in one place. It renders as a native Solution Dashboard in the NAA web console, giving administrators a severity-sorted view of active risks, a chart summarizing risk distribution, and a remediation status table with due dates and trend direction.
The solution ships with 15 pre-built risk checks organized into two parallel groups: GROUP_Reports (detection, scoring, and trending jobs) and GROUP_Actions (Remediate) (one remediation action job per risk). Every risk has a corresponding action job so an admin can move from identifying a finding to addressing it without leaving NAA.
Further risks are already being worked on for the next version release, so stay tuned!
Issue
NAA is an extremely powerful platform, but out of the box it does not have a unified view that tells an administrator which security risks are most urgent right now, how they have been trending over time, or where to start remediation. Security-relevant data lives across dozens of separate solution reports — AD inventory, permissions analysis, file system access, SharePoint — and an admin needs deep product knowledge just to know which jobs to look at, let alone to prioritize what they find.
Without a consolidated view, critical risks like Tier-0 accounts exposed to Kerberoasting or open access to sensitive data may sit unnoticed for weeks. There is no built-in mechanism to alert when a risk is trending in the wrong direction, no single table showing every active risk with a due date, and no way to track whether remediation efforts are actually moving the needle.
The Risk Dashboard was built to solve that. It runs on top of NAA’s existing scan data and produces a prioritized, actionable picture of your security posture — without requiring any changes to how your existing scans are configured.
Instructions
Job Group Overview
After importing the solution, the GROUP_Risk Dashboard job group contains two top-level subgroups.
GROUP_Reports contains all detection, scoring, and trending jobs:
GROUP_Actions (Remediate) contains one remediation action job per risk, organized by system:
First Run Sequence
Before scheduling, review the optional configuration on JOB_ServiceAccounts (under GROUP_0.Prep). This job identifies service accounts that are excluded or contextualized in AD risk scoring. Out of the box it auto-discovers service accounts from existing NAA data, but if your environment uses dedicated OUs, specific account names, or naming conventions for service accounts, you can add those to the job’s configuration grids before the first run.
Once you have reviewed the service accounts configuration, set up a daily schedule on GROUP_Reports. Scheduling at the group level runs all jobs inside it — the prep job, all risk detection jobs, the dashboard settings job, the trend builder, and the all available risks job — in the correct order automatically.
After creating the schedule, kick off the first run immediately by triggering the scheduled task manually rather than waiting until the next scheduled time. This populates the dashboard right away without having to run each job individually.
After the group finishes running, the Risk Dashboard will be populated and visible in the NAA web console.
Important: Run JOB_DashboardSettings after any configuration change — it is the job that applies dashboard settings to what is displayed. The dashboard will not reflect changes until this job runs.
The Risk Dashboard (Web Console)
Navigate to the Risk Dashboard in the NAA web console by selecting the Risk Dashboard solution underneath the Custom Report Sets panel on the bottom.
The dashboard has three sections: risk KPI tiles at the top, a Risk Summary chart at the bottom left, and a Remediation Status table at the bottom right.
Risk KPI Tiles
The tiles at the top of the dashboard represent the highest-priority active risks in your environment. Each tile shows the risk name and the current count of findings.
Tiles are sorted by severity (Critical first, then High, Medium, Low). By default, the dashboard shows the top risks by severity. The number of tiles shown and which systems are included can be configured in the DashboardSettings job (see below). Critical risks will always be shown.
Click any tile to navigate directly to that risk’s report.
Risk Summary Chart
The Risk Summary (by Severity) chart at the bottom left of the dashboard shows how many active risks are in each severity band across the currently displayed systems. This provides a quick read on overall exposure without requiring you to open individual reports.
Remediation Status Table
The Remediation Status table at the bottom right of the dashboard lists every active risk with the following columns: Risk, Current Total, Severity, Remediate By, Trending, Remediated, and Last Updated.
The table is ordered so the most actionable risks appear first:
- Risks with a Remediate By date (meaning remediable findings exist) sort to the top, ordered by severity then date
- Risks where all findings have been accepted sort next, showing “Only Accepted Risks Found”
- Risks where no findings were detected sort last, showing “No Risks Found”
The Trending column shows whether a risk is increasing, decreasing, or stable compared to its previous run. An upward trend on a Critical or High severity risk can be configured to generate an alert (see DashboardSettings below).
DashboardSettings Job — Configuration
JOB_DashboardSettings is the central control panel for the entire dashboard. Select it in the job tree to access its configuration grids.
Risk Trend Alert Options
The first configuration grid controls which severity levels trigger an upward-trend alert. Setting a value to 1 enables alerting for risks at that severity when they are trending upward.
The alert report (Upward Trend Alerts) will surface any risk matching the configured severity thresholds where the finding count increased since the previous run. Recommended to configure this report for email delivery so administrators receive a notification without needing to check manually.
Dashboard Display Options
The second section of configuration controls what appears on the dashboard.
- Show all risks on dashboard — set to 1 to display a tile for every identified risk regardless of count. Useful for full visibility at the expense of a busier dashboard.
- Show specified number of risks on dashboard — enter a number (e.g., 10) to limit the tiles shown to the top N risks by severity. Risks outside the top N are still visible in the Remediation Status table.
- Show AD risks on dashboard — set to 1 to include Active Directory risks in the tiles, chart, and table.
- Show FS risks on dashboard — set to 1 to include File System risks.
- Show SP risks on dashboard — set to 1 to include SharePoint risks.
Force Include / Exclude Lists
Two additional configuration grids let you pin or suppress specific risk tiles regardless of the Top N setting.
Add a row to the force include list to always display that risk’s tile even if it falls outside the Top N ranking. This is useful for risks your team is actively remediating — you want them visible on the dashboard every day.
Add a row to the force exclude list to permanently suppress a risk tile from the dashboard. The risk still appears in the Remediation Status table, but it does not occupy a tile slot.
After making any configuration change in DashboardSettings, run the JOB_DashboardSettings job to apply the changes. The dashboard will not update until the job runs.
Individual Risk Report Jobs
Clicking a KPI tile on the dashboard navigates to that risk’s report job. Each report job is also accessible directly from the job tree under GROUP_Reports → GROUP_Active Directory (or GROUP_FileSystem, GROUP_SharePoint).
Each report displays a description of the risk, why it matters, and how to use the report data. Read the description before working through the findings — it explains the priority tier model and what each column means.
The main report grid shows all findings for that risk. Key columns vary by risk type but typically include the affected account or resource, its current state, a priority label (P0–P3), and whether the risk has been accepted.
Priority labels run from P0 (highest urgency, never auto-remediate) to P3 (lowest urgency, safe for automated handling). Use these to sequence your remediation wave — start with P1 findings, work through P2, and handle P3 last.
Accepting a Finding as a Known Exception
Findings can be accepted to acknowledge them as a known exception — for example, a service account that legitimately requires a setting flagged by a risk, or a file share that is intentionally open for a documented business reason. Accepted findings are excluded from the active risk count on the dashboard tile and from automatic remediation waves, but remain visible in the report for audit purposes.
To accept a finding, select the risk report job in the job tree, then open its AcceptedRisks storage grid.
Add a new row to the grid. The columns you need to fill in depend on the type of risk:
Active Directory risks — identify the finding by the account:
| Column | What to enter |
|---|---|
| Domain | The domain the account belongs to (e.g., CONTOSO) |
| SID | The account’s SID — leave blank if entering NTAccount |
| NTAccount | The account’s NT account name (e.g., CONTOSO\svc-backup) |
| AcceptedDate | The date the exception was approved (e.g., 2026-03-31) |
| AcceptedBy | The name or username of who approved the exception |
| Justification | A brief explanation of why the finding is accepted |
| ExpiresOn | The date the exception expires — leave blank for no expiration |
File System risks — identify the finding by the path and trustee:
| Column | What to enter |
|---|---|
| UNC | The UNC path of the share or folder (e.g., \\server\share\folder) |
| Trustee | The account or group with access (e.g., CONTOSO\Everyone) |
| EffectivePermissions | The permission level being excepted (e.g., Read) |
| AcceptedDate | The date the exception was approved |
| AcceptedBy | The name or username of who approved the exception |
| Justification | A brief explanation of why the finding is accepted |
| ExpiresOn | The date the exception expires — leave blank for no expiration |
SharePoint risks — identify the finding by the resource URL and trustee:
| Column | What to enter |
|---|---|
| URL | The URL of the SharePoint resource |
| Trustee | The account or group with access |
| EffectivePermissions | The permission level being excepted |
| AcceptedDate | The date the exception was approved |
| AcceptedBy | The name or username of who approved the exception |
| Justification | A brief explanation of why the finding is accepted |
| ExpiresOn | The date the exception expires — leave blank for no expiration |
After saving the grid, run the risk report job again. The accepted finding will now show IsRiskAccepted as true in the report.
Expiring exceptions: If an ExpiresOn date is set, the finding will automatically re-enter the active risk count after that date when the job next runs. This is useful for temporary exceptions tied to a remediation window or a change freeze.
Risk Coverage Matrix (JOB_AvailableRiskReports)
JOB_AvailableRiskReports provides a complete inventory of all monitored risks and how they map to governance domains. Run it to generate a coverage report you can share with security leadership or use for compliance attestation.
The report shows each risk alongside its required NAA modules, primary and secondary governance domain, and executive relevance statement. This makes it easy to communicate to stakeholders what the Risk Dashboard is monitoring and why it matters from a business risk perspective.
Trend History (JOB_RemediationTrend)
JOB_RemediationTrend captures a point-in-time count of findings for every risk each time it runs. Over time this builds a historical trend line you can use to demonstrate that remediation efforts are working.
The job produces one trend line report per risk. Select a risk from the report list to see a line graph of finding counts over time.
Use these reports in executive briefings to show measurable reduction in risk exposure since the dashboard was deployed.
Action Jobs (GROUP_Actions Remediate)
Every risk has a corresponding action job in GROUP_Actions (Remediate). Action jobs allow you to remediate findings directly from NAA using either a forward action (makes the fix) and some also support a rollback action (reverts a previous fix if needed).
Select an action job to open it. The job homepage displays full remediation guidance — what the risk is, how to read the findings, what the action does, and the minimum permissions required to execute it.
The Technical Remediation Guidance documentation can be exported as pdf by right clicking on the homepage, selecting Print, and then selecting Print once more with Microsoft Print to PDF selected.
Running the Forward Action
The action job pulls findings from the corresponding report job. Use the grid filters to scope down to the rows you want to remediate before running — start with P0 findings, confirm results, then move to P1.
Select the rows you want to remediate, then configure and run the forward action.
Recommended: If a risk action supports different modes, always run in Audit mode first. Audit mode logs what the action would do without making changes. Review the audit output before switching to Execute mode.
Rollback
Some action jobs include a rollback action that reverts the most recent forward action. The rollback is a recovery tool — use it only if a forward action produced an unintended result and needs to be reversed promptly.
Rollback is a temporary recovery step, not a permanent solution. If a rollback is needed, investigate the root cause before re-running the forward action.
Least Privilege Note
The action job description documents the minimum permissions required to execute each action. Ensure the account configured to run the job holds only those permissions — action jobs should never run under a domain admin account unless the remediation specifically requires it.
Scheduling
Schedule the GROUP_Risk Dashboard job group to run on a recurring basis. Daily is recommended.
The account running the jobs needs:
- Local administrator rights on the NAA application server (to execute PowerShell scripts)
- db_owner rights to the NAA database (to read and write all risk and trend tables)
Set the schedule to run during business hours (e.g., start of the workday) so that the Upward Trend Alerts report arrives when administrators are available to act on it — rather than after hours when no one will see it until the next morning.
After configuring the schedule, the Risk Dashboard will maintain itself: risk jobs run, trend data accumulates, the dashboard updates, and alerts fire when something moves in the wrong direction. The result is continuous visibility into your security posture without any manual intervention.
