MS Sentinel and Cygna Auditor

Morgan Holm

Aug 09, 2022

This post reviews Microsoft Sentinel and the Cygna Auditor platform to highlight some of the main differences and complementary aspects between the two solutions.

Sentinel is a SaaS-based security information and event manager (SIEM) platform used for threat detection and analysis. Raw log data is collected and stored in the cloud for analysis by security operations center (SOC) personnel.

Cygna Auditor is a comprehensive, integrated auditing, alerting, reporting, and recovery platform that provides insight for your organization’s key hybrid and multi-cloud infrastructure for analysis by security operations center (SOC) and operations (OPS) personnel.

Cygna Auditor gathers audit events and, wherever possible, transcribes values such as GUIDs and UPNs to make them human readable. These plain language events are also normalized to show the who, what, where and when information, which simplifies both understanding and filtering of events. This is especially important when information is needed quickly for a potential security breach or an operational interruption.

Cygna Auditor Plain Language Event Details

Raw Azure AD Event

The following raw Azure AD audit event, in JSON, presents the data as name-value pairs, several of them cryptic:

[{"id":"Directory_24215103-7885-4e29-93e7-fb4f84d0db1b_Q60SD_75566166",
  "category":"GroupManagement",
  "correlationId":"24215103-7885-4e29-93e7-fb4f84d0db1b",
  "result":"success",
  "resultReason":"",
  "activityDisplayName":"Update group",
  "activityDateTime":"2022-04-12T19:40:42.9289636+00:00",
  "loggedByService":"Core Directory",
  "initiatedBy":{"user":{
    "id":"aae7a22a-2f5e-4ee1-8959-a7d49c4fb763",
    "displayName":null,
    "userPrincipalName":"Sync_MEM-01_************@cygnacore.onmicrosoft.com",
    "ipAddress":"",
    "homeTenantId":null,
    "homeTenantName":null}},
  "userAgent":null,
  "targetResources":[{
    "id":"e050775a-9c29-4266-a8e9-ba3239177d17",
    "displayName":"Accountants",
    "type":"Group",
    "userPrincipalName":null,
    "groupType":"unknownFutureValue",
    "modifiedProperties":[
      {"displayName":"LastDirSyncTime",
       "oldValue":"[\"2022-04-10T23:27:31Z\"]",
       "newValue":"[\"2022-04-12T19:40:42Z\"]"},
      {"displayName":"Included Updated Properties",
       "oldValue":null,
       "newValue":"\"LastDirSyncTime\""},
      {"displayName":"Action Client Name",
       "oldValue":null,
       "newValue":"\"DirectorySync\""},
      {"displayName":"TargetId.GroupType",
       "oldValue":null,
       "newValue":"\"\""}]}],
  "additionalDetails":[{"key":"GroupType",
    "value":""}]}]

In the Microsoft Sentinel console, an event appears similar to the following screenshot (note: not the same event), with most of the data in name-value pairs and several cryptic entries:

Sentinel Event
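
The raw event above keeps its most useful values in `oldValue` and `newValue`, which are JSON text wrapped in a JSON string and must be decoded a second time. As an added example (not Cygna Auditor's code or output format), this Python flattens a trimmed, constructed copy of that event into who/what/when/where rows; the row layout and the use of `loggedByService` as the "where" when no IP address is logged are assumptions.

```python
import json

# Constructed sample: a trimmed copy of the raw event above (same field names and values).
RAW = r'''[{"result":"success","activityDisplayName":"Update group",
  "activityDateTime":"2022-04-12T19:40:42.9289636+00:00",
  "loggedByService":"Core Directory",
  "initiatedBy":{"user":{"id":"aae7a22a-2f5e-4ee1-8959-a7d49c4fb763",
    "displayName":null,"ipAddress":"",
    "userPrincipalName":"Sync_MEM-01_************@cygnacore.onmicrosoft.com"}},
  "targetResources":[{"id":"e050775a-9c29-4266-a8e9-ba3239177d17",
    "displayName":"Accountants","type":"Group",
    "modifiedProperties":[
      {"displayName":"LastDirSyncTime",
       "oldValue":"[\"2022-04-10T23:27:31Z\"]",
       "newValue":"[\"2022-04-12T19:40:42Z\"]"},
      {"displayName":"Action Client Name","oldValue":null,
       "newValue":"\"DirectorySync\""}]}]}]'''


def unwrap(value):
    """oldValue/newValue hold JSON text inside a JSON string; decode it once more."""
    try:
        decoded = json.loads(value)
    except (TypeError, ValueError):
        return value  # null or not double-encoded (for example ""): keep as logged
    if isinstance(decoded, list):
        return ", ".join(str(item) for item in decoded)
    return decoded if isinstance(decoded, str) else value


def normalize(raw_json):
    """Return one who/what/when/where row per target resource (assumed layout)."""
    rows = []
    for event in json.loads(raw_json):
        initiator = event.get("initiatedBy") or {}
        actor = initiator.get("user") or initiator.get("app") or {}
        who = actor.get("userPrincipalName") or actor.get("displayName") or actor.get("id")
        for target in event.get("targetResources") or []:
            name = target.get("displayName") or target.get("id")
            rows.append({
                "who": who,
                "what": f'{event.get("activityDisplayName")}: {target.get("type")} "{name}"',
                "when": event.get("activityDateTime"),
                "where": actor.get("ipAddress") or event.get("loggedByService"),
                "changes": {p["displayName"]: (unwrap(p.get("oldValue")), unwrap(p.get("newValue")))
                            for p in target.get("modifiedProperties") or []},
            })
    return rows
```
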

Creating queries against audit data in Sentinel requires specialized technical resources. The queries are written in Kusto Query Language (KQL) (see the screencap below for an example) and require in-depth technical knowledge of both the query language and the specific raw events to get at the desired information.

KQL Query

Example of a KQL query:

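AzureActivity
// Time window as ISO 8601 dates (yyyy-MM-dd): 1 January 2021 to 19 May 2022
| where TimeGenerated > datetime(2021-01-01) and TimeGenerated < datetime(2022-05-19)
| where Level == 'Critical'
| project TimeGenerated, Level, OperationNameValue, ResourceGroup, _ResourceId
// Sort last so only the filtered rows are ordered, newest first
| sort by TimeGenerated desc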

Cygna Auditor Queries and Filtering

Creating queries against audit data in Cygna Auditor is straightforward; there is no need to know a special data query language. It can all be done in the UI with drop-down lists and auto-complete on many fields.

Sorts can be set by simply clicking on the desired column in the audit grid. The sort can then be toggled between ascending and descending, or moved to another column, without rerunning the query.

Cygna Auditor Sort by Columns

Setting the “when” filter is also accomplished with drop-down quantifiers and a calendar / time selection control (if applicable).

Cygna Auditor When Filter

Working With Data in Cygna Auditor

Along with the normalized standard event data, there are data source specific event details available. These can be selected from drop-down lists for filter creation, alleviating the need to know the correct syntax, case sensitivity and kinds of information available for different types of events.

Azure Data Source Specific Filters

Depending on the selection, there could be additional aids such as type-ahead searching or other event-specific criteria, such as selecting the desired levels, with no need to know the correct syntax or worry about case sensitivity.

Selection of Azure Event Levels

It is also straightforward to select the columns of event data for both normalized and data source specific event details.

Azure Event Column Selection

Returned audit events can be further refined by hovering over to either exclude or include that specific criterion. This allows for quick refinement of the query results to drill down to the dataset you need for the task at hand.

Hover to create an Include / Exclude Filter

When creating queries for a report or for review later, the speed at which you can create them has a productivity impact. When creating queries for an ongoing potential security incident or a service interruption, time is critical and being slow to respond can be costly. Cygna Auditor is designed to simplify the whole process and get to the desired data quickly and easily.

KQL Query Results

Example of KQL query results:

Example KQL Query Results

Cygna Auditor Query Results

The query results can be exported to CSV or PDF formats and saved as reports that can be run ad hoc or on a schedule. These reports can be delegated and are subject to Cygna RBAC and scoping settings. Cygna Auditor also ships with built-in reports for each data source. Important events can also be set as alerts that can be sent to any combination of email, event log, Teams or SIEM systems.

Cygna Auditor events are stored in one or more databases of the customer's choosing. This provides scalability and long event retention and can be used to comply with data residency requirements. The database connection can also be delegated to control access to the audit data the databases store.

Many Cygna customers, especially the larger ones, utilize both a SIEM system and Cygna Auditor. They use Cygna Auditor as a data translation layer service that converts non-human-readable raw log data into plain language values and streams the desired events to their SIEM as they occur. Another common reason these customers leverage both systems is that their SIEM system is set up for threat hunting and may not even collect events that only have operational impacts. In some organizations SIEM system access is limited to security personnel only, and if the operations team needs information, it must submit a request to the SOC. Operations teams use Cygna Auditor to track and alert on changes from an availability and desired configuration standpoint, which is not solely focused on security as SIEM implementations tend to be.

Cygna has several customers that wish to limit the number of events they send to their SIEM for a variety of reasons:

  • Cost – most SIEMs price their solutions based on the volume or size of data sent to the system
  • Cloud hosted SIEM – Potential regulatory violation
  • Cloud hosted SIEM – Data residency mandates
  • Cloud hosted SIEM – Data retention and archival costs
  • Cloud hosted SIEM – Searching queries and job costs

Another major difference between Cygna Auditor and Sentinel is that there is a rollback button in applicable event details. Cygna Auditor integrates with Cygna Recovery solutions for both AD and Azure AD. This allows changes to be undone and go back to the prior values or point in time snapshots with a simple wizard to correct accidental or unwanted changes. This greatly reduces the time and effort required to correct changes that could have costly operational or security impacts.

Azure AD Rollback

From the rollback screen the change can be rolled back directly without the need to change any other settings.

Rollback

There is an option to use the most recent data (default) or choose prior point in time snapshots.

There is also the ability to select one or more specific attributes to be rolled back in cases where changes impact more than one value. This allows only the incorrect values to be changed, which is especially useful when there are errors with scripted updates where one type of attribute is incorrect but the others are fine.

Attribute Selection for Rollback

The summary screen shows the selected options that can be reviewed before the rollback.

Another powerful Cygna Auditor capability is the ease with which you can combine multiple data sources in a single view with the interactive filtering feature. Hybrid data sources such as Active Directory and Azure Active Directory can be examined together for analysis. Exchange Online from M365 can also be examined along with Exchange On-Premises events, for example.

Hybrid and Multi Cloud Views

The hybrid and multi cloud views of audit data are further enhanced by another feature, Cygna Identity. This feature allows you to map disparate accounts back to an individual or to group accounts that reside in separate, non-connected identity stores. It provides a quick way to perform activity searches of an identity and the related accounts. This is especially useful where organizations have users that can make modifications to multiple systems or data sources, in this example AD on-prem, file system and Azure AD.

Cygna Identity Feature

Cygna Auditor provides events in plain language normalized to the who, what, when and where information making them simple to understand. The user interface simplifies interaction with the audit data to filter and get at the information you need quickly. This is especially important for time sensitive scenarios that may impact service or pose a security risk. Combining audit data across hybrid and multi cloud sources with the ability to instantly undo unwanted or accidental changes further reduces the impact of costly mistakes by reducing the time to recover. Therefore, many Cygna Auditor customers leverage our solutions along with SIEM systems like Microsoft Sentinel.