How to identify and troubleshoot false positive changes in Guardian
Summary
When monitoring Privileged Identity Management (PIM) entities, Cayosoft Guardian may occasionally display false positive changes. These can occur when the Microsoft API returns incomplete or inconsistent results during PIM data collection. As a result, Guardian may log changes that appear to have occurred but actually did not.
This article describes how to recognize these false positives, explains why they occur, and provides a workaround to minimize false alert notifications.
Symptoms
You may notice changes related to PIM entities that appear to have happened without any user or system action. These changes usually:
- Have no initiator.
- Occur as pairs of opposite changes: one removing and another re-adding the same object, member, or assignment.
- Occur within a few minutes.
Scenarios
- A user appears to lose and regain a PIM-eligible role within minutes.
- A recently added assignment seems to be deleted and recreated without a corresponding event.
- A role’s membership list temporarily shows removals followed by additions.
In most cases, these are false positives rather than legitimate configuration changes.
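The recognition criteria above (no initiator, opposite changes to the same object within minutes) can be applied to an exported Change History to separate candidate false positives from changes that still need a real review. The following Python script is an added example and is not Cayosoft's code; the JSON list shape and the field names `timestamp`, `action`, `object`, `member` and `initiator` are assumptions about the export and must be adapted to the real schema. It pairs a change that has no initiator with the nearest later opposite change on the same object and member inside a configurable window, in either order (remove then add, or add then remove), which is slightly more general than the remove/re-add pattern described above.

```python
"""
Added example (not Cayosoft code): triage a Change History export for
candidate false-positive PIM change pairs.

Assumed export schema (adapt to the real one): a JSON list of records with
  "timestamp"  ISO 8601 UTC, e.g. "2024-05-01T10:15:00Z"
  "action"     "add" or "remove"
  "object"     the role or assignment the change applies to
  "member"     the affected principal
  "initiator"  empty or missing when Guardian recorded no initiator
"""
import json
from datetime import datetime, timedelta

OPPOSITE = {"add": "remove", "remove": "add"}

# Constructed sample export: one admin-initiated removal (real change), a
# remove/add pair with no initiator four minutes apart (likely false positive),
# and a lone no-initiator add with no opposite partner (needs review).
SAMPLE_EXPORT = json.dumps([
    {"timestamp": "2024-05-01T10:00:00Z", "action": "remove", "object": "Global Reader",
     "member": "alice@contoso.example", "initiator": "admin@contoso.example"},
    {"timestamp": "2024-05-01T10:15:00Z", "action": "remove", "object": "Security Reader",
     "member": "bob@contoso.example", "initiator": ""},
    {"timestamp": "2024-05-01T10:19:00Z", "action": "add", "object": "Security Reader",
     "member": "bob@contoso.example", "initiator": ""},
    {"timestamp": "2024-05-01T12:00:00Z", "action": "add", "object": "Security Reader",
     "member": "carol@contoso.example", "initiator": ""},
])


def parse_ts(value):
    """Parse the assumed ISO 8601 UTC timestamp format."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspect_pairs(records, window=timedelta(minutes=10)):
    """Return (first, second) record pairs matching the false-positive pattern:
    both lack an initiator, same object and member, opposite actions, and the
    second occurs within `window` of the first. Each record is used at most once."""
    order = sorted(range(len(records)), key=lambda i: parse_ts(records[i]["timestamp"]))
    used = set()
    pairs = []
    for pos, i in enumerate(order):
        a = records[i]
        if i in used or a.get("initiator"):
            continue
        for j in order[pos + 1:]:
            b = records[j]
            if j in used or b.get("initiator"):
                continue
            if parse_ts(b["timestamp"]) - parse_ts(a["timestamp"]) > window:
                break  # sorted ascending, so no later record can be in the window
            if (b["object"] == a["object"] and b["member"] == a["member"]
                    and b["action"] == OPPOSITE.get(a["action"])):
                pairs.append((a, b))
                used.update({i, j})
                break
    return pairs


def triage(export_json, window_minutes=10):
    """Split an export into likely false-positive pairs and records still needing review."""
    records = json.loads(export_json)
    pairs = find_suspect_pairs(records, timedelta(minutes=window_minutes))
    flagged = {id(r) for pair in pairs for r in pair}
    review = [r for r in records if id(r) not in flagged]
    return pairs, review


if __name__ == "__main__":
    suspect, remaining = triage(SAMPLE_EXPORT)
    for a, b in suspect:
        print(f"likely false positive: {a['member']} {a['action']}/{b['action']} "
              f"{a['object']} at {a['timestamp']} and {b['timestamp']}")
    for r in remaining:
        print(f"needs review: {r['action']} {r['object']} for {r['member']} "
              f"(initiator: {r.get('initiator') or 'none'})")
```

The 10-minute window is a constructed default standing in for "within a few minutes"; tune it to the collection interval. A no-initiator change that has no opposite partner is left in the review list on purpose, because the article only calls the paired pattern a likely false positive.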
Cause
During PIM entity collection, Cayosoft Guardian queries the Microsoft Graph API to retrieve the current state of PIM-related objects such as roles, assignments, or eligible administrators.
When the API intermittently returns an empty or incomplete response, Cayosoft Guardian interprets this as a change; for example, it may appear that an assignment was removed. On the next collection, when the API response is complete, the item is displayed again and an opposite “add” change is logged.
These false positives are caused by temporary inconsistencies or replication delays within Microsoft’s backend services and not by real user activity.
Workaround
To prevent receiving notifications for temporary, inconsistent PIM changes, you can configure Guardian to alert only when a change has a valid initiator.
- Open the Cayosoft Guardian web portal and go to Alerting Rules.
- Locate the rule that monitors PIM-related entities (for example, Entra role assignments or eligible role members).
- Edit the rule and add a condition by Who to ensure that alerts are sent only when a valid initiator is detected.
- Save your changes and monitor the next scheduled collection.
This configuration helps Cayosoft Guardian suppress alerts for PIM-related changes that lack an initiator and are likely to be caused by temporary API inconsistencies.
Additional troubleshooting
If false positives continue to appear after applying the workaround:
- Check the Execution History of the related change collection job for intermittent connection or API errors.
- If such errors are present, verify network stability and API access configuration.
- Contact Cayosoft Technical Support for assistance and provide the following information:
- A diagnostics zip generated via Collect Diagnostics in the Cayosoft Guardian console.
- A zip of the C:\ProgramData\Cayo Software\Guardian\logs folder.
- A JSON export of the affected Change History (filtered to include both real and false positive changes).