How Cayosoft Guardian collects changes
This article describes how Cayosoft Guardian collects changes, how it discovers the initiator of a change (the Who column), and how to troubleshoot some common issues.
Active Directory change collection
Cayosoft Guardian collects changes in Active Directory (AD) using the DirSync control, which allows for efficient retrieval of delta changes. This method ensures that only modified objects and attributes are collected, reducing system overhead. For more details on how DirSync functions, see Polling for Changes Using the DirSync Control.
Additionally, Cayosoft Guardian can retrieve initiator details by analyzing security event logs on domain controllers. This enables organizations to determine who made specific modifications within AD.
Nested (transitive) group membership collection
When nested group membership collection is enabled, Cayosoft Guardian reports changes to effective (transitive) membership in addition to native member changes. For example, if a user is added to Group A and Group A is a nested member of Group B, Guardian creates a record for Group B reflecting that the user effectively became a member of Group B.
Key behaviors:
- Transitive records are generated as a reaction to native membership change records; the full transitive membership is not stored in the database. Guardian maintains in-memory group hierarchy caches that are updated as new native membership change records arrive.
- A separate record is generated for each affected parent group. When the added or removed member is itself a group, records may also be generated for the underlying hierarchy.
- Each transitive record includes a Membership propagation path showing how the object became a member (for example, Group B 🡸 Group A). A path may contain several values when an object is a member through more than one nesting chain.
- Circular nesting is detected automatically; Guardian stops processing a hierarchy once a cycle is found.
- Cross-domain nesting within a forest is supported.
- For large nested groups, child member records are split into packs of 1,000 members or fewer.
- Deleting or undeleting a nested group is treated like removing all of its members and removing it from all parent groups.
NOTE: Transitive change records currently cannot be rolled back.
To enable this collection, see Define collection scope for an AD Change Collection job.
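The propagation behaviour described above (one record per affected parent, multi-chain paths, cycle detection, 1,000-member packs) can be illustrated with a small walk over a group hierarchy. This is an added example, not Guardian's code; the group names and the parent map are constructed sample data.

```python
from collections import deque

# Constructed sample hierarchy (not real directory data): each key is a group,
# each value is the set of groups it is a direct (native) member of.
# Group C -> Group A closes a cycle (A -> B -> C -> A); Group D is reachable
# from Group A through two different nesting chains.
PARENT_GROUPS = {
    "Group A": {"Group B", "Group D"},
    "Group B": {"Group C", "Group D"},
    "Group C": {"Group A"},
}

def transitive_records(member, group, action, parents=PARENT_GROUPS):
    """React to one native membership change (member added to / removed from
    group) and return one transitive record per affected parent group.
    Each record carries every propagation path through which the member
    reached that parent, written parent <- ... <- native group (the page's
    'Group B <- Group A' arrow rendered in ASCII)."""
    paths_by_parent = {}
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        for parent in sorted(parents.get(current, ())):
            if parent in path:
                # Circular nesting: this chain already contains the parent,
                # so stop walking it instead of looping forever.
                continue
            new_path = [parent] + path
            paths_by_parent.setdefault(parent, []).append(" <- ".join(new_path))
            queue.append((parent, new_path))
    return [
        {"group": g, "member": member, "action": action, "propagation_paths": p}
        for g, p in paths_by_parent.items()
    ]

def split_packs(members, size=1000):
    """Split a large child member list into packs of `size` members or fewer."""
    return [members[i:i + size] for i in range(0, len(members), size)]

if __name__ == "__main__":
    for rec in transitive_records("jdoe", "Group A", "added"):
        print(rec["group"], rec["propagation_paths"])
```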
Cloud change collection
For cloud environments, Cayosoft Guardian collects changes in Microsoft Entra ID (formerly Azure AD) using API-based monitoring. This method allows Cayosoft Guardian to track modifications made to cloud-based directory objects efficiently. Here's how it works:
Integration with Microsoft Entra ID Audit Logs
Guardian connects to Microsoft Entra ID through Microsoft Graph API, which provides access to the Audit Logs and Sign-in Logs. These logs contain details about user, group, and directory changes. For more information about the audit logs, see Microsoft Entra audit logs.
Retrieving delta changes
Guardian queries Microsoft Entra ID’s Audit Log API at regular intervals to detect changes such as:
- User modifications (e.g., password changes, role assignments)
- Group membership updates
- Application permission changes
- Policy modifications (e.g., conditional access policies)
Microsoft provides delta query capabilities in Graph API, allowing Guardian to collect only the new and modified records instead of retrieving the entire audit log each time.
Storing and analyzing changes
Once retrieved, changes are processed and stored in Guardian’s database. This enables:
- Tracking and reporting on who made what changes and when
- Triggering alerts on critical modifications
- Providing rollback capabilities if needed
Permissions
Guardian requires read access to Entra ID's audit logs, which is granted through a registered Entra ID application with the appropriate permissions. For more information, see Planning and preparation: Cayosoft Guardian system requirements.
Detecting initiator for Active Directory changes
Cayosoft Guardian uses events from the Windows Event Log to detect the initiator. The event collection job reads the log and correlates the events it finds with previously created change records. Learn more in: Events collected by Cayosoft Guardian from the Windows Event Log related to Active Directory operations.
Cayosoft Guardian uses the discovery status to indicate event processing progress. The discovery status is shown as an icon in the Who column of the Change History.
For more information regarding common causes and solutions for missing initiator information, see Troubleshooting missing initiator issues in Cayosoft Guardian.
Discovery status
The Discovery status property in the Change History displays the current state of the additional information discovery, such as initiator and event time. Discovery status also affects values in the When column.
The Search for initiator and event time in progress status means that a change has been collected from the target system and is pending information discovery.
The Initiator and event time discovery complete status means that additional information was found and added to the change record: the initiator and event timestamp were taken from the target system event log, and the collection time in the When column is replaced with the event time.
The Search for corresponding event and initiator canceled by timeout status means that additional information was not found within the given period of time. This happens when no event matching the change record's details is found in the target system event log.
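The three discovery states and their effect on the Who and When columns can be modelled as a small correlation step over change records and event log entries. This is an added example rather than Guardian's own logic: the matching rule (same object and attribute, event logged shortly before collection), the timeout and window values, and the sample records and events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

IN_PROGRESS = "Search for initiator and event time in progress"
COMPLETE = "Initiator and event time discovery complete"
TIMED_OUT = "Search for corresponding event and initiator canceled by timeout"

@dataclass
class ChangeRecord:
    object_dn: str
    attribute: str
    collected_at: datetime            # when the change was collected from AD
    when: Optional[datetime] = None   # shown in the When column
    initiator: Optional[str] = None   # shown in the Who column
    status: str = IN_PROGRESS
    def __post_init__(self):
        if self.when is None:         # until an event is matched, When shows the collection time
            self.when = self.collected_at

@dataclass
class LogEvent:
    logged_at: datetime
    object_dn: str
    attribute: str
    initiator: str

def correlate(records, events, now, timeout=timedelta(minutes=30), window=timedelta(minutes=5)):
    """Assumed matching rule (illustrative, not Guardian's internal logic): an event matches
    a record when it names the same object and attribute and was logged at most `window`
    before the change was collected."""
    for rec in records:
        if rec.status != IN_PROGRESS:
            continue
        match = next((e for e in events if e.object_dn == rec.object_dn and e.attribute == rec.attribute
                      and timedelta(0) <= rec.collected_at - e.logged_at <= window), None)
        if match is not None:         # Who is filled in, When switches to the event time
            rec.initiator, rec.when, rec.status = match.initiator, match.logged_at, COMPLETE
        elif now - rec.collected_at > timeout:  # nothing found in time: Who stays empty, When keeps collection time
            rec.status = TIMED_OUT
    return records

def demo():
    """Constructed sample data: one change with a matching event, one still pending, one past the timeout."""
    t0 = datetime(2024, 1, 1, 12, 0)
    records = [ChangeRecord("CN=Group A,DC=corp,DC=example", "member", t0 + timedelta(minutes=2)),
               ChangeRecord("CN=jsmith,DC=corp,DC=example", "description", t0 + timedelta(minutes=2)),
               ChangeRecord("CN=SRV01,DC=corp,DC=example", "userAccountControl", t0 - timedelta(hours=1))]
    events = [LogEvent(t0, "CN=Group A,DC=corp,DC=example", "member", "CORP\\admin1")]
    return correlate(records, events, now=t0 + timedelta(minutes=10))
```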