Configuring Auditing Policies
Cygna Auditor enables you to fine-tune Active Directory agent-based auditing and pre-filter events at the data collection stage with the help of auditing policies. You can pick the events you want to track and write only the most important ones to the audit database. On top of that, you can allow or forbid certain AD actions within your domain based on these auditing policies.
Example 1: configure an auditing policy to skip all service account activity.
Example 2: configure a protective auditing policy that will restrict modifications of domain-critical OUs and groups (e.g., Domain Admins) for all users except one or two system administrators.
Configuring auditing policies is optional. To collect all AD events without pre-processing, skip the steps below.
Note: Applies to agent-based data collection only.
- Navigate to Configuration / Active Directory / Auditing Policies and select to add a new policy.
- On the General step, select a domain and provide a policy name and description. You can create the policy without enforcing it (for example, to build up a pool of policies for later use) or enable it right away.
- On the Who step, assign the policy to all users or pick specific users from the list, and include or exclude them. Tips:
  - Including a user means the policy you configure applies only to that user; all other users are excluded.
  - Excluding a user means the policy you configure applies to all users except those you exclude.
  - Don't include and exclude users in the same policy, to avoid collisions.
- On the What step, pick actions such as Create, Modify, etc. You can restrict actions to specific objects and attributes. If you create a protection policy, you'll typically want to restrict:
  - All deletes
  - All modify events for GPOs
  - All modify or other events for the group, contact, printQueue, volume, organizationalUnit, and container object types
- On the Where step, decide whether the policy applies to the entire domain or to specific AD objects or containers. Include or exclude them as necessary.
- On the Actions step, enable options for the auditing policy. These options affect auditing and event collection, and can also protect your AD domain from unauthorized actions.
| Option | Description |
|---|---|
| Enable auditing | |
| Enable protection | Enabling protection prevents events matching the policy from occurring. Users will typically get an "Object not found" error when they try to perform restricted actions. |
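To make the Who / What / Where / Actions semantics above concrete, here is an added model of how a policy set like the two examples at the top of this page could be evaluated against an AD change event. This is illustrative code written for this page, not Cygna Auditor's implementation; the `Event` and `Policy` structures, the DN-suffix container test, the "no matching policy means collect everything" default and the constructed account and OU names are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    user: str          # actor's account name
    action: str        # "Create", "Modify", "Delete", ...
    object_class: str  # AD object class, e.g. "group", "organizationalUnit"
    dn: str            # distinguished name of the target object

@dataclass
class Policy:
    name: str
    enabled: bool = True                                # General step: enforce the policy or not
    include_users: set = field(default_factory=set)    # Who: policy applies only to these users
    exclude_users: set = field(default_factory=set)    # Who: policy applies to all users except these
    actions: set = field(default_factory=set)          # What: empty set = any action
    object_classes: set = field(default_factory=set)   # What: empty set = any object class
    scope: set = field(default_factory=set)            # Where: container DNs; empty = whole domain
    audit: bool = True                                 # Actions step: Enable auditing
    protect: bool = False                              # Actions step: Enable protection

    def matches(self, ev: Event) -> bool:
        if self.include_users and self.exclude_users:   # the collision the page warns about
            raise ValueError(f"{self.name}: include and exclude lists collide")
        if not self.enabled:
            return False
        if self.include_users and ev.user not in self.include_users:
            return False
        if ev.user in self.exclude_users:
            return False
        if self.actions and ev.action not in self.actions:
            return False
        if self.object_classes and ev.object_class not in self.object_classes:
            return False
        # Assumed scope test: the target lies in a container when its DN ends with that container's DN.
        if self.scope and not any(ev.dn.lower().endswith(c.lower()) for c in self.scope):
            return False
        return True

def evaluate(policies, ev):
    """Return (collect, block): no matching policy -> collected (assumed default); a match with auditing off drops it; any matching protection policy blocks it."""
    hits = [p for p in policies if p.matches(ev)]
    return all(p.audit for p in hits), any(p.protect for p in hits)

# Constructed policies mirroring Example 1 and Example 2 above (names and DNs are made up).
SKIP_SERVICE = Policy("Skip service accounts", include_users={"svc-backup", "svc-sql"}, audit=False)
PROTECT_ADMINS = Policy("Protect privileged groups", exclude_users={"alice", "bob"},
                        actions={"Modify", "Delete"}, object_classes={"group", "organizationalUnit"},
                        scope={"OU=Tier0,DC=example,DC=com"}, protect=True)
POLICIES = [SKIP_SERVICE, PROTECT_ADMINS]
```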