Articles in this section

See more
Print

Change Monitoring: Alerting

Avatar
Tatiana Golubovich
  • Updated
Follow

Content: 

Overview

In Cayosoft Guardian, custom change alerts can be raised by alerting rules to notify admins when critical changes are detected. Creating an alerting rule begins on the Change History page where the admin can easily add an Alerting rule from a saved query. An alerting rule is a workflow with predefined configurable actions. The selected actions are performed after an alerting rule executed the query based on the predefined filter and the returned data was matching the query conditions.
Note: For optimal query performance, it is recommended to specify as many filter parameters as possible in the query filter.
The actions in the alerting rule workflow can raise real-time alerts for each change detected, send notifications through Microsoft Teams and/or by email. Alerting rules can be added to any query across any connected Azure AD tenants or Active directory forests.

This article contains instructions on how to configure alerting rules for the following scenarios:

  1. When an Active Directory user password has been reset.
  2. When group policy link has been added for Active Directory Organizational Unit.
  3. When the Active Directory group whose name starts with Admins has been deleted.

 

Scenario 1: Active Directory user password has been reset

  1. In Cayosoft Guardian web portal, expand Change Monitoring node
  2. Click on the Change History node
  3. In Filter set:
    1. Action > Password reset
    2. Object type > AD User
  4. Click Apply.
  5. Click New Alert.
    New_Alert1.png
  6. Specify alert's name.
  7. Click Yes

When the user password has been reset you will see the alert:

New_alert_5.png

 

Scenario 2: Group policy link has been added for Active Directory Organizational Unit

  1. In Cayosoft Guardian web portal, expand Change Monitoring node
  2. Click on the Change History node
  3. In Filter set:
    1. Action > Add group policy link
    2. Object type > AD Organizational Unit
  4. Click Apply
  5. Click New Alert
    New_Alert7.png
  6. Specify alert's name
  7. Click Yes

When the group policy link has been added for Active Directory Organizational Unit you will see the alert:

New_Alert8.png

 

Scenario 3: Active Directory group whose name starts with Admins has been deleted

  1. In Cayosoft Guardian web portal, expand Change Monitoring node
  2. Click on the Change History node
  3. In Filter set:
    1. Action > Delete object.
    2. Object type > AD Group.
    3. Advanced > startswith(objectName, 'Admins')
      For more details about the Advanced filter please see this article: How to use advanced filter in Cayosoft Guardian – Cayosoft Help Center.
  4. Click New Alert.
    New_Alert9.png
  5. Specify alert's name.
  6. Click Yes

When the Active Directory group whose name starts with Admins has been deleted you will see the alert:

New_alert10.png

 

Alerting Rules

The created alerting rule will be displayed in Alerting Rules. You can configure the actions that should be executed in addition to raising the alert. For example, send alerts via Teams or via email. It is also possible to browse for its' Execution History or Generated Alerts:

New_Alert2.png

New_Alert3.png

 

Custom Queries

The created alerting rule is based on the query. This query will be displayed in Filter > Custom Queries. For more details about custom queries please see this article: Change Audit: Standard and Custom Queries – Cayosoft Help Center.

New_Alert6.png

 

 

 

 

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.