Change Monitoring: Alerting
With Cayosoft Guardian, you can configure custom change alerting rules to be notified about critical changes as they are detected. An alerting rule is a workflow made up of configurable, predefined actions. The workflow executes every enabled step: it runs the query defined by the saved filter conditions, then processes the returned data by raising an alert for each record that matches the query conditions. If the corresponding steps are enabled and configured, notifications are then sent through Microsoft Teams and/or by email. An automatic rollback step can also be configured so that changes to security-critical objects are reverted immediately. Alerting rules apply across all connected Microsoft Entra tenants and Active Directory forests.
NOTE: For optimal query performance, it is recommended to specify as many filter parameters as possible in the query filter.
This article contains examples of the alerting rules that can be configured.
Example 1: Active Directory user password has been reset
- In the Cayosoft Guardian web portal, expand the Change Monitoring node.
- Click the Change History node.
- In the Quick Filter bar, select the condition, Action > Password reset.
- Add another condition Object type > AD User (microsoft.ad.user).
- In the Quick Filter bar, click Save to add these conditions to a new query.
- Provide a name for your query (e.g., Active Directory user password has been reset) and click Add.
- Click Add Alert to create a new alerting rule.
- Reset a user password and observe an alert in the web portal.
Example 2: Group policy link has been added to an Active Directory Organizational Unit
- In the Cayosoft Guardian web portal, expand the Change Monitoring node.
- Click the Change History node.
- In the Quick Filter bar, select the condition, Action > Add group policy link.
- Add another condition Object type > AD Organizational Unit.
- In the Quick Filter bar, click Save to add these conditions to a new query.
- Provide a name for your query (e.g., Group policy link has been added to an Active Directory Organizational Unit) and click Yes.
- Click the Add Alert action to create a new alerting rule.
- Add a group policy link to an Active Directory Organizational Unit and observe the alert.
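The final step of each example is to make the change that the rule should catch. The script below is an added example, not part of the Cayosoft article or product, that performs both test changes from a domain-joined admin workstation with the RSAT ActiveDirectory and GroupPolicy modules installed. Guardian detects the change regardless of which tool made it; PowerShell is used here only because it makes the lab change repeatable and timestamped. The user, OU and GPO names are hypothetical placeholders for your own lab objects.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example (not Cayosoft code): trigger the two changes from Examples 1 and 2
# in a lab domain so the alerting rules can be verified end to end.
# All object names below are hypothetical; replace them with lab objects you own.
param(
    [string]$TestUser = 'guardian-test-user',              # hypothetical lab account
    [string]$TestOU   = 'OU=GuardianTest,DC=lab,DC=local', # hypothetical lab OU
    [string]$TestGpo  = 'Guardian-Test-GPO'                # hypothetical lab GPO
)

# Record the start time so the timestamp on the generated alert can be correlated.
$start = Get-Date
Write-Host "Starting test changes at $start"

# Example 1: administrative password reset (Action "Password reset" on an AD user).
# -Reset performs a reset rather than a user-initiated change, which is what the
# query in Example 1 filters on. Prompting keeps the password out of the script.
$newPassword = Read-Host -Prompt "New password for $TestUser" -AsSecureString
Set-ADAccountPassword -Identity $TestUser -Reset -NewPassword $newPassword -ErrorAction Stop
$user = Get-ADUser -Identity $TestUser -Properties PasswordLastSet
Write-Host "Password reset for $($user.SamAccountName); PasswordLastSet is now $($user.PasswordLastSet)"

# Example 2: link the GPO to the OU (Action "Add group policy link" on an OU).
New-GPLink -Name $TestGpo -Target $TestOU -LinkEnabled Yes -ErrorAction Stop | Out-Null

# Confirm from the OU side that the link now exists before checking the portal.
$links = (Get-GPInheritance -Target $TestOU).GpoLinks
if ($links.DisplayName -notcontains $TestGpo) {
    throw "GPO link to '$TestGpo' was not found on $TestOU"
}
Write-Host "GPO '$TestGpo' linked to $TestOU"

Write-Host "Both changes completed. Open Change Monitoring > Change Alerting Rules and check Generated Alerts for events after $start."

# Clean-up for the GPO test (uncomment when finished). The password reset is
# intentionally left in place so the test account keeps the known password.
# Remove-GPLink -Name $TestGpo -Target $TestOU
```

Run the script once per rule under test and compare the time printed at the start with the event time shown on the generated alert; if the alert is missing, review the saved query's filter conditions and the rule's enabled workflow steps before suspecting the connector.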
Alerting Rules
The new alerting rule appears under Change Alerting Rules. There you can configure the actions that run in addition to raising the alert, such as sending the alert via Teams or email. The rule's properties also let you browse:
- Alert Parameters
- Suppression
- Generated Alerts
- Workflow Steps
- Execution History
Customizing recipients in Change Alerts
To customize the recipients for your Change History alerts, follow these steps:
- Navigate to Change Monitoring > Change Alerting Rules.
- Select an alerting rule and open its Properties.
- On the Configure notifications tab, select Mail notifications and/or Teams notifications.
- Under Recipients, click Add Value and enter the name or email address of each recipient that should appear in the To field.
- Under CC Recipients, click Add Value and enter the name or email address of each recipient that should appear in the CC field.
- Under BCC Recipients, click Add Value and enter the name or email address of each recipient that should receive a copy without their address being visible to the other recipients.
- To send the alert to multiple recipients, add each address as a separate value with Add Value.
- Click Yes to apply the changes.
Custom Queries
Each alerting rule is based on the saved query it was created from. That query is listed under Filter > Custom Queries. For more details about custom queries, see the article Change Monitoring: Built-in and custom queries.