Alerting

Are you enjoying reports but want to be notified about some actions immediately? Take advantage of alert notifications to ensure your response team never misses a security incident and keeps tabs on the most critical pieces of your business infrastructure such as changes to Azure AD admin rights or activity in folders containing personal or card payment data.

Depending on your company's change control policies and review routines, it can take days to discover an issue through regular reviews with Auditing or Reports. Alerts look at the same data as reports but notify you as soon as the action occurs. Sent directly by email, alerts warn your authorized personnel about a possible threat once the triggering action has occurred and been processed by the product. Alerts can also feed data to SIEM systems such as Splunk and to syslog-compatible solutions (see Remote Logging) and, if Cygna Auditor for Microsoft 365 is configured, to mail-enabled Teams channels.

Cygna Auditor's flexible configuration lets you tailor alerts to your organization's needs: be notified about the changes that matter most to you, and review less important changes in due course. You can enable alerting for any built-in report, or create a custom report and set notifications for it.

QUICK TIP: Don't have access to alerts? You are missing required permissions. Discuss your permission set with Cygna Auditor's global administrator.

Note: To be able to send alert notifications, configure SMTP settings. On the product home page, navigate to Configuration / System and complete the fields. For more information, see Notifications.

To enable alerting:

QUICK TIP: Not sure what alerts you need? Try asking yourself, "What is the most important piece of my business environment? What changes have the highest impact from both the security and the operability point of view?"
For example, creating a new user in Active Directory is a relatively routine task that does not require supervision or an immediate response. By contrast, adding a user to the Domain Admins group can have a great impact on your domain's operability and security. Such changes should be carefully reviewed and approved by authorized personnel as soon as they occur.
  1. Navigate to Reports.
  2. Expand the options next to a report and select Alerts.

  3. On the Smart Alerts tab, turn on smart alerting if you want to receive alerts only when a certain condition is met. By default, an alert is sent every time the event occurs. With smart alerts, you configure rules that decide when a notification is triggered. For example, when monitoring failed logon attempts, configure Cygna Auditor to send an alert when the event happens five times within two minutes, and then suppress further notifications for 3 minutes so that a burst of failures does not flood your inbox.

    Optionally, add criteria that restrict which events count towards the threshold, for example, push alerts only when the repeated events are performed by the same user or on the same object.

  4. On the Notifications tab, specify email recipients who should be warned if the action occurs.

  5. On the Remote Logging tab, enable pushing events to a remote logging SIEM system (e.g., Splunk).

  6. On the Event Log tab, enable writing alert events to Windows Event Log.

  7. On the Teams Notification tab, enable Teams alerts and specify a channel. Make sure you have an active Microsoft 365 subscription.
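The threshold-and-cooldown logic described in step 3 (N events within a window, then a quiet period), grouped by user or object as the optional criteria allow, is easy to get subtly wrong, so here is an added example that makes it concrete. This is illustrative code written for this page, not Cygna Auditor's own implementation; the event dictionary shape, the `SmartAlertRule` class and the choice to discard events that arrive during the suppression period (so counting restarts from zero after the cooldown) are all assumptions. The sample events are constructed, not real audit data.

```python
"""Threshold-plus-cooldown evaluator in the style of the smart-alert rule
described in step 3 (added example; not Cygna Auditor's own code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class SmartAlertRule:
    """Alert when `threshold` matching events fall within `window_s` seconds,
    then stay silent for `cooldown_s` seconds. Events are grouped by the
    values of `key_fields` (e.g. same user, same object) so that one noisy
    account neither masks nor triggers alerts for another."""

    def __init__(self, threshold, window_s, cooldown_s, key_fields=("user",)):
        self.threshold = threshold
        self.window = timedelta(seconds=window_s)
        self.cooldown = timedelta(seconds=cooldown_s)
        self.key_fields = tuple(key_fields)
        self._recent = defaultdict(deque)   # key -> timestamps inside the window
        self._silent_until = {}             # key -> end of the suppression period

    def _key(self, event):
        return tuple(event.get(f) for f in self.key_fields)

    def process(self, event):
        """Feed one event; return an alert dict when the rule fires, else None.
        Events arriving during a suppression period are dropped (assumption
        made here), so the count starts from zero once the cooldown expires."""
        key = self._key(event)
        ts = datetime.fromisoformat(event["time"])
        silent_until = self._silent_until.get(key)
        if silent_until is not None and ts < silent_until:
            return None
        recent = self._recent[key]
        recent.append(ts)
        # Drop timestamps that have slid out of the window.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) < self.threshold:
            return None
        first_seen = recent[0]
        recent.clear()
        self._silent_until[key] = ts + self.cooldown
        return {
            "key": key,
            "count": self.threshold,
            "first": first_seen.isoformat(),
            "last": ts.isoformat(),
            "action": event.get("action"),
        }


# Constructed sample events (not real audit data): alice fails five logons in
# 40 seconds and keeps failing inside the cooldown; bob fails once; carol's
# five failures are spread over 4.5 minutes and never fit inside the window.
def _ev(offset_s, user, action="Failed logon"):
    base = datetime(2024, 1, 1, 9, 0, 0)
    stamp = (base + timedelta(seconds=offset_s)).isoformat()
    return {"time": stamp, "user": user, "action": action}


SAMPLE_EVENTS = (
    [_ev(t, "alice") for t in (0, 10, 20, 30, 40, 50, 60)]
    + [_ev(70, "bob")]
    + [_ev(t, "carol") for t in (0, 60, 130, 200, 270)]
    + [_ev(300, "alice")]   # after alice's cooldown: counted, but only 1 of 5
)


def run_sample():
    """Five failures within two minutes, then suppress for three minutes,
    correlated per user. Returns the list of alerts that fired."""
    rule = SmartAlertRule(threshold=5, window_s=120, cooldown_s=180,
                          key_fields=("user",))
    alerts = []
    for event in sorted(SAMPLE_EVENTS, key=lambda e: e["time"]):
        alert = rule.process(event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a['action']} x{a['count']} for {a['key']} "
              f"between {a['first']} and {a['last']}")
```

Running the sample produces exactly one alert, for alice at the fifth failure; her sixth and seventh failures fall inside the cooldown and are silently dropped, bob never reaches the threshold, and carol's failures are too spread out. Whatever product you use, check these three cases (burst, post-alert noise, slow trickle) against its actual behaviour before relying on the rule, and decide deliberately whether events during the cooldown should still count towards the next alert.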