Configuring Auditing Policies

Cygna Auditor enables you to fine-tune Active Directory agent-based auditing and pre-filter events at the data collection stage with the help of auditing policies. You can pick the events you want to track and write only the most important ones to the audit database. On top of that, you can allow or forbid certain AD actions within your domain based on these auditing policies.

Example 1: configure an auditing policy to skip all service account activity.

Example 2: configure a protective auditing policy that will restrict modifications of domain-critical OUs and groups (e.g., Domain Admins) for all users except one or two system administrators.

Configuring auditing policies is optional. To collect all AD events without pre-processing, skip the steps below.

Note: Applies to agent-based data collection only.

  1. Navigate to Configuration / Active Directory / Auditing Policies and add a new policy.

  2. On the General step, select a domain and provide a policy name and description. You can create the policy without enforcing it (for example, to build up a pool of policies for later use) or enable it right away.

  3. On the Who step, assign the policy to all users or pick specific users from the list and include or exclude them. Tips:

    • Including a user means the policy you configure will only apply to this user; all other users will be excluded.

    • Excluding a user means the policy you configure will apply to all users except those who are excluded.

    • Don't include and exclude users in the same policy to avoid collisions.

  4. On the What step, pick actions such as Create, Modify, etc. You can restrict actions to specific objects and attributes.

    If you create a protection policy, you'll typically want to restrict:

    • All deletes

    • All modify events for GPO

    • All modify or other events for group, contact, printQueue, volume, organizationalUnit, and container object types.

  5. On the Where step, decide if the policy applies to the entire domain or specific AD objects or containers. Include or exclude them if necessary.

  6. On the Actions step, enable options for the auditing policy. These options affect auditing and event collection and can also protect your AD domain from unauthorized actions.

Option: Enable auditing

Description:

  • Enable auditing to start collecting events matching the criteria you specified.

  • Disabling auditing means any event matching the policy will be skipped by Cygna Auditor and won't be written to the audit database. For example, you can create a policy and disable auditing to exclude changes made by service accounts, or changes to specific attributes.

Option: Enable protection

Description: Enabling protection prevents events matching the policy from occurring. Users will typically get an "Object not found" error when they try to perform a restricted action.

  • Select Write a Protection Policy Event to the Microsoft Event Log to capture such failed attempts and add them to the event log on the Domain Controller that prevented the change.

  • Select Write a Protection Policy Event to Cygna Auditor for AD audit log to capture such failed attempts and add them to the Cygna Auditor database.
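The following is an added example, not Cygna Auditor code: a small model of how the Who, What, Where and Actions choices of a policy combine for a single AD event, using the two example policies from the top of the page. The field names, the evaluation rules (a matching protection policy blocks the event; an event no policy matches is collected unfiltered) and the user and object names are assumptions constructed for illustration.

```python
# Added example (not Cygna Auditor code): a small model of how a policy's Who / What /
# Where / Actions choices combine for one AD event. Field names, the evaluation
# rules and the two sample policies are assumptions constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    include_users: set = field(default_factory=set)  # Who: only these users
    exclude_users: set = field(default_factory=set)  # Who: everyone except these
    actions: set = field(default_factory=set)        # What: Create, Modify, Delete, ...; empty = any
    object_types: set = field(default_factory=set)   # What: group, organizationalUnit, ...; empty = any
    scope: str = ""                                  # Where: DN suffix; "" = entire domain
    auditing: bool = True                            # Actions: write matching events to the audit DB
    protection: bool = False                         # Actions: block matching events

    def __post_init__(self):
        # Tip from the page: including and excluding users in one policy collides.
        if self.include_users and self.exclude_users:
            raise ValueError(f"{self.name}: include and exclude users in the same policy")

    def matches(self, user, action, object_type, dn):
        if self.include_users and user not in self.include_users:
            return False
        if user in self.exclude_users:
            return False
        if self.actions and action not in self.actions:
            return False
        if self.object_types and object_type not in self.object_types:
            return False
        return dn.lower().endswith(self.scope.lower())

def evaluate(policies, user, action, object_type, dn):
    """Return (blocked, audited) for one event. Assumed rules: any matching
    protection policy blocks it; an event no policy matches is collected as-is;
    otherwise it is written only if a matching policy has auditing enabled."""
    hits = [p for p in policies if p.matches(user, action, object_type, dn)]
    if not hits:
        return False, True
    return any(p.protection for p in hits), any(p.auditing for p in hits)

# Example 1 from the page: skip all service account activity (constructed names).
SKIP_SVC = Policy("Skip service accounts", include_users={"svc-backup", "svc-sync"},
                  auditing=False)
# Example 2: only alice and bob may change the Domain Admins group (constructed names).
PROTECT_DA = Policy("Protect Domain Admins", exclude_users={"alice", "bob"},
                    actions={"Modify", "Delete"}, object_types={"group"},
                    scope="CN=Domain Admins,CN=Users,DC=example,DC=com", protection=True)
POLICIES = [SKIP_SVC, PROTECT_DA]
```

Calling evaluate(POLICIES, "svc-backup", "Modify", "user", "CN=j,CN=Users,DC=example,DC=com") returns (False, False): the change goes through but is not written, while the same Modify on the Domain Admins group by a user other than alice or bob returns (True, True).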
