Morgan Holm

Active Directory is dead, long live Active Directory

If you were to look at the topics covered at Microsoft’s conferences, announcements, or social media, one could easily assume that Active Directory (AD) is dead. It is correct that many organizations are embracing SaaS solutions and are going through digital transformations. While all of this is true, we are still at the beginning of a process that will take a long time to get the majority of workloads and organizations to become cloud only. You only need to look at mainframe usage, and at the fact that Windows XP still comprises ~1.6% of PC operating systems, to understand that organizations resist change, computing paradigm shifts can take decades, and some things won’t change.

There is no question that the move to cloud is well underway and is accelerating. This means that hybrid and multi-cloud systems are the reality for most organizations and will be for some time, with AD as the primary identity store. Many organizations use AD Connect to sync their on-prem users to Azure Active Directory (AAD) for Office / Microsoft 365 (M365). All of this means that you still need to keep track of what is happening in AD to make sure it stays secure. Recent cyber attacks, namely the SolarWinds breach, got bad actors into on-prem systems, where they moved laterally and elevated permissions to eventually gain access to M365 resources.


Cygna Auditor has the flexibility to gather events with or without an agent from both trusted and untrusted forests while also allowing you to control where and how long the audit data is kept.  Monitoring AD changes alone will not be sufficient to maintain security and availability in a hybrid system.  You will also need to closely keep track of activities of your cloud connected systems.  Even though AD has been around for a long time, your auditing solution doesn’t need to be dated as well.  We are running a limited time campaign for you to Switch to Cygna Auditor.  Ask us to see what a modern hybrid auditing solution can do for your organization.

Morgan Holm

Cygna Auditor SIEM Event Forwarding

Cygna Auditor can now forward events to SIEM systems in a standard syslog format or in a structured view to Splunk. Cygna Auditor events are presented in plain language, which greatly simplifies the understanding and consumption of the audit information. This enables operational and security teams to work efficiently, make decisions, and react quickly.

Structured View

The structured view for Splunk normalizes the audit data in the SIEM views by Detail (expandable list of the modification), Item (object/attribute that was changed), Source (system or platform of modification), Success (whether the action succeeded or failed), What (the object/attribute that was changed), When (timestamp), Where (the system where the change was applied), and Who (account that made the change).

[Image: structured event as shown in Splunk]

In the following example, the expandable Detail node provides the GPO setting that was modified with both the old and new values.

Native Windows Event in SIEM

The following is a native GPO change event imported into a SIEM from the Windows Event Logs.  There is a substantial amount of text to sift through to try to understand what has occurred.  Since the friendly name of the GPO is not shown you would either have to know the GUID or do a search to find out which GPO was modified.  This also does not show you what has changed.  You would need to have a previously exported GPO report prior to the change and manually compare the settings with the current version.  Needless to say, this would be a very time-consuming task.

Cygna Auditor provides SIEM systems with a data translation layer that converts raw, non-human-readable log data into plain-language values as the events occur.

Configure Splunk for Structured Cygna Events

To send Cygna structured events to Splunk you will need to configure an HTTP Event Collector. For more information on this topic, see Splunk’s documentation or the following example configuration.

First, ensure the HTTP Event Collector is enabled in the Splunk UI through:

  1. Settings -> Data Inputs
  2. HTTP Event Collector
  3. Global Settings

Make sure it is enabled and make note of the port number.

The second step is to create an Event Collector token:

  1. Settings -> Add Data
  2. Monitor
  3. HTTP Event Collector

For the Source Type under the Input Settings step, make sure you pick Select, and then in the Select Source Type dropdown pick Structured -> _json.

Once the configuration is saved you will see a token value that will be required to configure the connection to Splunk from the Cygna server.
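Before pointing the Cygna server at the new token, it is worth confirming that the collector accepts an event in the structured JSON layout. The following Python script is an added example, not Cygna’s or Splunk’s code: it posts one constructed GPO-change event with the eight structured-view fields to the HEC endpoint. The host, the token, and the exact field key names are assumptions.

```python
import json
import ssl
import urllib.request

# Placeholders: use the HEC port noted in Global Settings and the token shown after saving.
HEC_URL = "https://splunk.example.com:8088"
HEC_TOKEN = "<HEC-token-placeholder>"

# The eight structured-view fields from the post; the key spelling is assumed here.
REQUIRED_FIELDS = ("Detail", "Item", "Source", "Success", "What", "When", "Where", "Who")

# Constructed sample: a GPO setting change with old and new values under Detail.
SAMPLE_EVENT = {
    "Detail": [{"Setting": "MinimumPasswordLength", "Old": "8", "New": "14"}],
    "Item": "Default Domain Policy",
    "Source": "Active Directory",
    "Success": True,
    "What": "Group Policy Object",
    "When": "2024-01-15T10:22:31Z",
    "Where": "DC01.corp.example",
    "Who": "CORP\\jdoe",
}

def build_hec_payload(event, sourcetype="_json", source="cygna-auditor"):
    """Wrap one event in the HEC envelope; reject events missing any structured field."""
    missing = [f for f in REQUIRED_FIELDS if f not in event]
    if missing:
        raise ValueError(f"structured event is missing fields: {missing}")
    return {"sourcetype": sourcetype, "source": source, "event": event}

def build_request(base_url, token, payload):
    """Build the POST to /services/collector/event authenticated with the HEC token."""
    return urllib.request.Request(
        base_url.rstrip("/") + "/services/collector/event",
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"Authorization": "Splunk " + token, "Content-Type": "application/json"},
    )

def send_event(base_url, token, event, cafile=None):
    """Send the event; pass cafile for Splunk's self-signed HEC cert rather than disabling TLS checks."""
    req = build_request(base_url, token, build_hec_payload(event))
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read())  # HEC answers {"text": "Success", "code": 0} when accepted

if __name__ == "__main__":
    print(send_event(HEC_URL, HEC_TOKEN, SAMPLE_EVENT))
```

A 403 response means the token is wrong or disabled; a 400 with "Invalid data format" means the body did not match the _json source type.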

Configure Cygna Server to Send Structured Events to Splunk

Enable Remote Logging

From the Cygna Server UI:

  1. Configuration -> System
  2. Select Remote Logging tab in the System Configuration window
  3. Change the type drop down to Splunk
  4. Enter the URL for the Splunk HTTP Event Collector, including the port number
  5. Enter the Splunk HTTP Event Collector Token Value
  6. Ensure the message format is set to JSON
  7. Save the configuration

Configure Which Events to Forward

Once both Cygna and Splunk have been configured to be able to send and receive events you can decide what events you want to send.  This is done through alert remote logging on the Cygna server.

Enable Event Forwarding

Cygna events can be forwarded to SIEM systems through the alerting feature in Cygna reports. Alert events can be sent via email notification, through remote logging to SIEM systems, or both.

From the Cygna Server UI:

  1. Reports
  2. Alert settings

(a) For an existing report, select its menu icon (hamburger), then Alerts, and enable the toggle.

(b) When creating a new report, under the Manage alert settings tab choose Remote Logging and enable the toggle.

Once the alert is saved any event matching the filtering criteria will be sent to the SIEM system defined in the Cygna Remote Logging configuration.