Initiator discovery process in Cayosoft Guardian
This article describes how Cayosoft Guardian performs the discovery of the initiator of the change (Who) and how to troubleshoot some common issues.
How Cayosoft Guardian detects the initiator of Active Directory changes
Cayosoft Guardian relies on the LDAP DirSync control to poll Active Directory for changes. The Change Collection job processes the incoming stream of changes and creates change records. However, DirSync returns only the changed object and its attributes, not the account that made the change, so the initiator cannot be detected from this data alone.
Cayosoft Guardian therefore uses events from the Windows Security event log on the domain controllers to detect the initiator. The Event collection job reads the log and correlates the events it finds with previously created change records. See Events collected by Cayosoft Guardian from the Windows Event Log for the list of Active Directory-related events that are used.
Cayosoft Guardian uses the discovery status to indicate how far this event processing has progressed. The discovery status is shown as an icon in the Who column in the Change History.
Threat definitions in Cayosoft Guardian have two detection methods: real-time and scheduled. The scheduled method reads the current state of the live system, which records what changed but not who changed it, so for threats detected this way the initiator usually cannot be identified.
Discovery Status
The Discovery status property in the Change History shows how far the discovery of additional information (initiator and event time) has progressed. The status also determines what the When column shows: the collection time until discovery completes, and the event time afterwards.
- Search for initiator and event time in progress: This status means that the change is collected from the target system and is pending information discovery.
- Initiator and event time discovery complete: This status means that additional information was found and added to a change record. The initiator and event timestamp were added from the target system event log, and the collection time is replaced with the event time in the When column.
- Search for corresponding event and initiator canceled by timeout: This status means that additional information was not found within the given period. It might happen if an event matching the Change Record details is not found in the target system event log.
How to fix some common issues with a missing initiator
1. Domain is not properly configured
When a domain is added to Cayosoft Guardian using the wizard, the Audit switch must be set to Enabled. With the switch enabled, Cayosoft Guardian adds the necessary audit entries (system access control list entries) for this domain. Once these entries are in place, the domain controllers generate a security event every time an audited operation is performed on an Active Directory object. If the domain was added with the switch disabled, those events are never written and the initiator of directory changes cannot be found in the event log.
2. Group policies generating events are not configured
To detect the initiator of specific changes or events, such as an account lockout or a password change, the corresponding audit policy must be enabled in Group Policy beforehand; without it, the domain controller never writes the event that Cayosoft Guardian correlates with the change record. See Events collected by Cayosoft Guardian for the list of events and the Group Policy settings each one requires.
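The following PowerShell check, added here as an example and not part of Cayosoft Guardian, verifies both prerequisites from items 1 and 2 on a domain controller: that the domain head carries audit entries in its SACL, and that the audit subcategories that produce the events are enabled in Advanced Audit Policy. The three subcategory names are standard Windows ones chosen for illustration; the exact list Cayosoft Guardian requires is in the linked article.

```powershell
# Added example, not part of Cayosoft Guardian: check the prerequisites from items 1 and 2.
# Run in an elevated PowerShell on a domain controller (or a host with the ActiveDirectory
# RSAT module) as a member of Domain Admins; reading a SACL needs the
# "Manage auditing and security log" privilege.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# Item 1: the domain head must carry audit entries (SACL). Objects below it inherit them,
# so an empty SACL here usually means the domain was added with the Audit switch disabled.
$auditRules = (Get-Acl -Path "AD:\$domainDn" -Audit).Audit
if ($auditRules.Count -eq 0) {
    Write-Warning "No audit entries on $domainDn; re-add the domain with the Audit switch set to Enabled."
} else {
    Write-Host "Audit entries on ${domainDn}:"
    $auditRules |
        Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType, IsInherited |
        Format-Table -AutoSize
}

# Item 2: a SACL produces events only if the matching audit subcategories are enabled on every
# domain controller. The names below are an assumption for illustration: in Windows they cover
# object changes (5136-5141), lockouts and password changes (4723/4724/4740) and group
# membership changes (4728-4758). Use the list from the linked article for the real check.
$requiredSubcategories = @(
    'Directory Service Changes',
    'User Account Management',
    'Security Group Management'
)

# auditpol /r emits CSV, so the output can be parsed instead of scraped. This reads the local
# DC; wrap it in Invoke-Command to check the other domain controllers over WinRM.
$policy = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
foreach ($name in $requiredSubcategories) {
    $row = $policy | Where-Object { $_.Subcategory -eq $name }
    if ($null -eq $row) {
        Write-Warning "Subcategory '$name' not found in auditpol output."
    } elseif ($row.'Inclusion Setting' -notmatch 'Success') {
        Write-Warning "$name is set to '$($row.'Inclusion Setting')'; enable Success auditing in the GPO applied to the domain controllers."
    } else {
        Write-Host "$name : $($row.'Inclusion Setting')"
    }
}
```

Both halves must pass: audit entries without the audit policy, or the policy without the entries, produce no events, and the Who column stays empty either way.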
3. Event collection job is not running properly
Event collection jobs process and correlate events from the domain controllers. If the job is stopped, or it fails with errors, the Who column is not populated.
To collect events, Cayosoft Guardian connects to every domain controller using Windows Remote Management (WinRM). If an Event collection job reports a WinRM-related error, check that the WinRM service is running on the domain controller and that the WinRM ports (TCP 5985 for HTTP and TCP 5986 for HTTPS by default) are not blocked by a firewall between the Cayosoft Guardian server and the domain controllers.
Check that there are no errors in the execution history of the Event Collection job:
- Open Cayosoft Guardian Web Portal.
- Select Jobs under Configuration.
- Select the Event Collection job and click Properties.
- Switch to the Execution History tab and check that there are no errors in the Execution Result column.
4. Security Event Log is not properly configured
If the Security event log is too small, events are overwritten before Cayosoft Guardian collects them, and the initiator of those changes is lost for good. Ensure that the Security event log on every domain controller retains at least the last 24 hours of events; the size this requires depends on the event rate of that domain controller, so check the age of the oldest record rather than relying on a fixed size. Security event log size and retention settings can be configured on each domain controller locally or propagated via a GPO to all target domain controllers.
To modify Security event log on the domain controller locally:
- Press Win + R.
- Type eventvwr.msc and press Enter.
- Open Event Viewer > Windows Logs > Security.
- Right-click on the Security log and select Properties.
- Set Maximum log size (KB) large enough to hold at least 24 hours of events, and set the retention method to Overwrite events as needed (do not select Do not overwrite events, which stops logging once the log is full).
To modify Security event log on the domain controller via GPO:
- Open GPMC.
- Open the corresponding GPO applied to the domain controllers.
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Event Log.
- Configure Maximum security log size.
- Configure retention method for the security log to Overwrite Events As Needed.
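A PowerShell check for items 3 and 4 across all domain controllers, added here as an example and not part of Cayosoft Guardian: it tests WinRM reachability of each domain controller, then reads the Security log's maximum size, retention mode and the age of its oldest record over that same WinRM connection and warns where less than 24 hours of events are retained. The 24-hour threshold is the one this article asks for; the module and cmdlets are standard Windows ones.

```powershell
# Added example, not part of Cayosoft Guardian: verify items 3 and 4 on every domain controller.
# Needs the ActiveDirectory RSAT module and WinRM access to the DCs (same access the Event
# collection job uses).
Import-Module ActiveDirectory

$minimumHours = 24   # retention window this article asks for
$dcs = (Get-ADDomainController -Filter *).HostName

foreach ($dc in $dcs) {
    # Item 3: the Event collection job connects over WinRM (TCP 5985 HTTP / 5986 HTTPS by
    # default). Test-WSMan fails if the service is down or a firewall blocks the port.
    try {
        Test-WSMan -ComputerName $dc -ErrorAction Stop | Out-Null
    } catch {
        Write-Warning "${dc}: WinRM not reachable ($($_.Exception.Message)); check the WinRM service and firewall rules."
        continue
    }

    # Item 4: read the Security log configuration and its oldest record on the remote DC.
    $info = Invoke-Command -ComputerName $dc -ScriptBlock {
        $log    = Get-WinEvent -ListLog Security
        $oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
        [pscustomobject]@{
            MaxSizeMB   = [math]::Round($log.MaximumSizeInBytes / 1MB)
            LogMode     = [string]$log.LogMode   # Circular = "Overwrite events as needed"
            RecordCount = $log.RecordCount
            OldestEvent = $oldest.TimeCreated     # $null if the log is empty
        }
    }

    if ($null -eq $info.OldestEvent) {
        Write-Warning "${dc}: Security log is empty; check auditing on this DC (items 1 and 2)."
        continue
    }

    $coverageHours = ((Get-Date) - $info.OldestEvent).TotalHours
    Write-Host ("{0}: {1} MB, {2}, {3} records, oldest event {4:N1} h old" -f
        $dc, $info.MaxSizeMB, $info.LogMode, $info.RecordCount, $coverageHours)

    if ($info.LogMode -ne 'Circular') {
        Write-Warning "${dc}: retention is '$($info.LogMode)'; set it to Overwrite events as needed."
    }

    # A circular log whose oldest record is younger than the window has already wrapped inside
    # that window, i.e. it is too small for this DC's event rate. A log that was recently
    # cleared, or a DC promoted less than 24 h ago, also shows short coverage; re-check later.
    if ($info.LogMode -eq 'Circular' -and $coverageHours -lt $minimumHours) {
        $rounded = [math]::Round($coverageHours, 1)
        Write-Warning "${dc}: Security log holds only $rounded hours of events; increase the maximum log size (wevtutil sl Security /ms:<bytes> /rt:false locally, or the GPO setting above)."
    }
}
```

Run it again a day after changing the log size: the oldest-record age only becomes meaningful once the enlarged log has filled and wrapped at least once.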