Active Directory is likely the most critical piece of your IT infrastructure: it holds your organization together by providing authentication and authorization services and by restricting or allowing access to domain resources. Cygna Auditor helps reduce the potential attack surface by keeping Active Directory activity on your radar.
Cygna Auditor tracks activity across your domains and presents it in a user-friendly format. With Cygna Auditor, you will never miss a new group being created in your domain or a user being promoted to administrator.
Start Collecting Data
- On the Cygna Auditor home page, click the Configuration tile and then drill down to Active Directory.
- Click to add a new domain.
Complete the domain auditing configuration. Cygna Auditor provides two auditing methods: one employs a non-intrusive monitoring service on your domain controllers, and the other relies on event logs.
Domain Selection tab
Enter the user credentials. Specify a user name in the following format: domain\username.
Cygna Auditor will use this account to collect audit data from the domains this account has access to. If you specified event log-based auditing, make sure the account has access to domain controllers' event logs.
By default, the domain where Cygna Auditor is deployed is specified for auditing. To search for other domains in the forest, enter the domain name in the search field and click the loop icon.
Data Collection tab
Data collection settings
Select one of the following:
- Collect data using the Cygna Auditor agent (preferred)
- Collect data from the event log
Then set the data event collection interval: specify how often you want Cygna Auditor to collect audit events. The default is every 90 minutes, which means it can take up to 90 minutes for change records to become available for search and reporting.
Check Enable scheduled backups if you want to collect AD snapshots. The backups contain information on changes as well as previous states, and they are used to roll back AD changes and recover properties.
Specify how often you want Cygna Auditor to collect backups. The default is every 90 minutes, which means it can take up to 90 minutes for state records to become available in reports.
The Agent Configuration tab helps you customize data collection.
The Domain Controllers tab appears if you selected the agent-based data collection approach. Cygna Auditor discovers the domain controllers for you; check those where you want to install the agent.
The Complete tab summarizes the data collection settings you specified.
The domains you configured for auditing will appear in the list, with the status and data collection frequency for each domain. Click a domain name to see the agent's status on each domain controller in that domain.
Note: This step is only required if you use Windows authentication on your SQL Server.
To ensure the agent feeds audit data to your Cygna Auditor database, make sure it has sufficient permissions on your SQL Server instance.
For each domain controller where the agent runs, do the following: On SQL Server, create a login for each computer account (domain\computeraccount$) and assign it the db_owner and public roles for your Cygna Auditor database.
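One way to script the step above in T-SQL, as an added example that is not taken from the Cygna Auditor documentation. The database name `CygnaAuditorDb` and the accounts `EXAMPLE\DC01$` and `EXAMPLE\DC02$` are placeholders; the final query lists the resulting explicit role memberships so you can confirm the grant.

```sql
-- Placeholders (assumptions): substitute your database and DC computer accounts.
DECLARE @Database sysname = N'CygnaAuditorDb';
CREATE TABLE #Accounts (LoginName sysname NOT NULL PRIMARY KEY);
INSERT INTO #Accounts VALUES (N'EXAMPLE\DC01$'), (N'EXAMPLE\DC02$');

DECLARE @Login sysname, @Sql nvarchar(max);
DECLARE acct CURSOR LOCAL FAST_FORWARD FOR SELECT LoginName FROM #Accounts;
OPEN acct;
FETCH NEXT FROM acct INTO @Login;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Server-level Windows login for the computer account.
    IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @Login)
    BEGIN
        SET @Sql = N'CREATE LOGIN ' + QUOTENAME(@Login) + N' FROM WINDOWS;';
        EXEC sys.sp_executesql @Sql;
    END;

    -- Database user mapped to that login, then db_owner membership.
    -- Every database user already belongs to the public role.
    SET @Sql = N'USE ' + QUOTENAME(@Database) + N';
        IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @L)
            CREATE USER ' + QUOTENAME(@Login) + N' FOR LOGIN ' + QUOTENAME(@Login) + N';
        ALTER ROLE db_owner ADD MEMBER ' + QUOTENAME(@Login) + N';';
    EXEC sys.sp_executesql @Sql, N'@L sysname', @L = @Login;

    FETCH NEXT FROM acct INTO @Login;
END;
CLOSE acct;
DEALLOCATE acct;

-- Check: list the explicit role memberships each account now holds.
SET @Sql = N'USE ' + QUOTENAME(@Database) + N';
    SELECT m.name AS member_name, r.name AS role_name
    FROM sys.database_role_members AS drm
    JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
    JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
    JOIN #Accounts AS a
      ON a.LoginName COLLATE DATABASE_DEFAULT = m.name COLLATE DATABASE_DEFAULT;';
EXEC sys.sp_executesql @Sql;
DROP TABLE #Accounts;
```

The verification query returns one `db_owner` row per account; `public` does not appear there because its membership is implicit.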