Cygna Labs Auditor is a comprehensive reporting and compliance solution for Microsoft hybrid environments. Cygna Labs Auditor provides auditing and reporting capabilities across Office 365 (O365), the Azure Active Directory, Windows File Services, and the on-premises Active Directory. The following article reviews the installation of the Cygna Labs Auditor Azure Active Directory (AD) and O365 modules. It also discusses the reporting and alerting functionalities of these modules.

Travis Roberts

Travis Roberts is the Manager of Data Center Services at a Minnesota-based Credit Union. Travis has 20 years of IT experience in the legal, pharmaceutical and marketing industries, and has worked with IT hardware manufacturers and managed service providers. Travis has held numerous technical certifications over the span of his career from Microsoft, VMware, Citrix and Cisco.

Hybrid services have become mainstream due to products such as O365. Organizations are quickly adopting the hybrid approach with SharePoint and Exchange due to the price and reliability. Without proper management, however, hybrid services create management headaches. Regulatory compliance requirements, for example, are more difficult to satisfy with multiple points of management, and configuration mistakes can open an organization to vulnerabilities given that hybrid services rely on internet connectivity.

Microsoft offers solutions for reporting, but these can be spread across multiple portals. Cloud native reporting lacks monitoring for on-premises services. Reporting data is available for creating advanced reports for most cloud services, but most small and medium-sized businesses have limited in-house resources to develop and maintain custom reports. This is where Cygna Labs Auditor comes into play.

Installation

The Cygna Labs Auditor installation is well-documented and straightforward. In my example, two servers were deployed. The first was a Microsoft SQL 2016 server for the database. The second server was used to support the collector service and web interface. While these roles can be combined for testing, splitting them provides better performance. The Cygna Labs Auditor server required the IIS role with Windows Authentication and ASP.NET 4.6 installed, along with the ASP.NET 4.6 feature (see Figures 1 and 2).

Required Role for Cygna Labs Auditor

Figure 2. Required Feature for Cygna Labs Auditor

The Cygna Labs Auditor setup process is similar to other Windows application setups. Once you install Cygna Labs Auditor, log in with the Windows account used to install the application to finish the setup. Once you are logged in, you will see three tiles labeled Configuration, Delegation, and System Status (Figure 3).

Cygna Labs Auditor setup options

To begin setup, click the Configuration tile and then select Office 365. The Cygna service has to be assigned rights to connect to the O365 tenant and pull log information. Click the Authenticate button on the Office 365 screen to start this process. An O365 authentication window will appear. Log in there with an account that has sufficient rights to the tenant. Once the authentication is completed, Cygna Labs Auditor will have rights to read log data from O365.

Cygna Labs Auditor O365 screen

Notice in the screenshot above that you can also set the polling interval for new events on this screen. In this example, it’s set to 3 minutes. The Cygna Labs Auditor service can be reauthorized from this location if required, and there is an option to verify O365 connectivity if needed for troubleshooting.

Next, configure the email server settings for reports and alerts under the Email settings tab (Figure 5). I used Papercut installed on the local server to test email delivery, hence the loopback address for the SMTP server shown in the example. Update this screen with your SMTP information. In this location, you can also update the service account under the Service tab and add a proxy address under the Proxy tab.

Cygna Labs Auditor email server settings

Clicking the License tile mentioned above displays the Active License tab (Figure 6), where you can verify your license information, the Cygna Customer Portal tab, where you can change the Cygna portal password, and the Manual License Entry tab, where you can manually add a license if needed.

Cygna Labs Auditor license settings

Cygna Labs Auditor relies on O365 Security and Compliance logging. Some O365 tenants are deployed in a “dehydrated” state, that is, at a high level, less frequently used items in a Microsoft tenant are consolidated to save space. Before logging can be enabled, the tenant has to be “hydrated.” This is done with the Enable-OrganizationCustomization command. I ran into the “hydration” issue with my test tenant. It took about 24 hours after running the command for any logging activity to show up for Exchange and SharePoint online. Also, be aware that if you plan to use Azure AD auditing, you will need an Azure P1 or P2 license.
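The hydration check described above, as an added example that is not from the original article or from Cygna Labs. It assumes the ExchangeOnlineManagement PowerShell module is installed, uses a placeholder admin account, and assumes audit logging is then enabled with Set-AdminAuditLogConfig, a step the article does not spell out.

```powershell
# Added example: check tenant hydration, enable unified audit logging,
# and confirm that audit events are arriving for each workload.
# 'admin@contoso.example' is a placeholder, not a value from the article.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

$org = Get-OrganizationConfig
if ($org.IsDehydrated) {
    # Hydrate the tenant. The change is not instant (the author saw roughly
    # 24 hours before events appeared), so rerun this script later.
    Write-Host 'Tenant is dehydrated; running Enable-OrganizationCustomization.'
    Enable-OrganizationCustomization
}
else {
    Write-Host 'Tenant is already hydrated.'

    # Turn on unified audit log ingestion only if it is currently off.
    $audit = Get-AdminAuditLogConfig
    if (-not $audit.UnifiedAuditLogIngestionEnabled) {
        Write-Host 'Enabling unified audit log ingestion.'
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    }

    # Look for at least one event per workload in the last 24 hours.
    $start = (Get-Date).AddDays(-1)
    $end   = Get-Date
    foreach ($type in 'ExchangeAdmin', 'SharePointFileOperation', 'AzureActiveDirectory') {
        $hits = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                    -RecordType $type -ResultSize 1)
        $state = if ($hits.Count -gt 0) { 'events found' } else { 'no events yet' }
        Write-Host ("{0,-26} {1}" -f $type, $state)
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

A workload that still reports no events after the waiting period is worth investigating before relying on Cygna Labs Auditor reports or alerts for it.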

Azure Active Directory

I started by reviewing the capabilities of Cygna Labs Auditor and Azure AD. Once you log into the web portal, you can populate all available services using an easy-to-navigate interface.

Cygna Labs Auditor home page

Clicking on the Azure AD (Active Directory) tile shown above opens the Azure AD section. There you will see an option to display data “widgets” in each section. This is useful as a quick reference to visualize the data from your environment (see Figure 8). Each section has several pre-defined widget options.

Azure AD data widgets

Each section offers the functions shown in Figure 9.

Azure AD function menu

Search

The Search function helps you find specific items within a given context. For example, if you wanted to know who added a user to a new Azure AD Role and when, you would choose the “Add member to role” search option shown in Figure 10.

Azure AD “Add member to Role” search example

This search will return a list of users who have been assigned new roles (see Figure 11). In this instance, the report shows that user “Test2” was added to the Report Reader role.

Azure AD “Add Role” search results

While searching is useful for finding specific information, Cygna Labs Auditor also features an Azure AD reporting option to keep track of predetermined events. For example, if you wanted to track all failed login attempts in an environment, you could do so with the “All Failed Azure AD Logins” report. The reports can be found under the Reports tile (see Figure 9) for each service. Figure 12 shows an example output from the “Failed Logins” report. Notice that an option to export the results is available.

Azure AD failed login report results

Cygna Labs Auditor provides many other preset reporting options along with an option to create custom reports. This is a great option if you need to specify information for different regulatory or compliance requirements. Such custom reports are created by selecting Custom Reports under the Reports tile. Figure 13 shows a custom report that lists all logins by the admin account.

Azure AD admin sign in report

Alerts

Cygna Labs Auditor provides an alerts function to notify designated recipients of audit events that need immediate attention. This feature is found under the Alerts tile. The available alert options vary depending on the service. Alerts have two parts: a condition and an action. Entering alert conditions is done in a manner similar to creating reports. In the example in Figure 14, the alert conditions were set to send an alert any time a user is added.

Alert condition – User added

The next step in creating an alert is to add an action. For this action, you can choose SMS (text message) or email. The alert set in Figure 15 sends an email to the designated recipients when the event condition is met. Once you enter the desired email addresses, be sure to click the “+” sign next to the “enter email address” box before you click the Save button.

Azure AD alert action – User added

When you click Save, you will see the dialog box shown in Figure 16. Name the alert and, if desired, add a description and tag and then click Save again.

Save alert action – User added

With this example alert, when a new user is added, the email alert shown in Figure 17 is triggered and sent.

Azure AD alert email – User added

Office 365

Cygna Labs Auditor is not limited to monitoring and reporting activity on Azure AD. By adding modules such as the O365 module, you can extend monitoring, reporting, and alerting to Microsoft Exchange and SharePoint. The SharePoint portal is shown in Figure 18.

The O365 module is set up in a fashion similar to the Azure AD module. As with Azure AD, a selection of widget, search, report, and alert options is available.

SharePoint Online

Cygna Labs Auditor provides many options for monitoring and reporting on SharePoint and OneDrive services. One of these that may be helpful is auditing shared OneDrive or SharePoint links. The report shown in Figure 18 presents the audit results for shared links to external users from OneDrive.

O365 module shared link audit

Exchange

Two great advantages of Cygna Labs Auditor are the consistent interface and capabilities for each of the modules. These advantages extend to the Exchange module. For this example, I created a report that lists the mailboxes that were added or removed in the past week. I created the report using the same steps I used for the Azure AD “failed login” report. The information produced by reports like this is useful for ongoing monitoring and management tasks. Figure 19 shows the Exchange module report’s listing of mailboxes created and removed in the past seven days.

Exchange module add remove mailbox report

Summary

Hybrid services have become commonplace in most environments, and managing security and regulatory compliance requirements can be difficult when these hybrid systems span numerous environments. This management is made easier, however, with Cygna Labs’ suite of auditor products. In particular, in addition to the modules outlined above, Cygna Labs Auditor contains modules for monitoring and managing local file services and Active Directory. Overall, Cygna Labs Auditor is a full-featured tool for managing a Microsoft hybrid cloud environment.


© 4sysops 2006 - 2019
