Proofpoint | ObserveIT On-Premises Insider Threat Management

Auditing Configuration Changes

Configuration Change Auditing

For enhanced security auditing, ObserveIT enables you to track configuration changes that were made while working in the Web Console. For example, when anonymization is enabled or disabled, an endpoint server is unregistered, an Agent's recording is turned off, or a recording policy configuration is changed, you can see exactly who made the change and when it happened. These records are valuable for security auditing and change management.

An audit entry is created whenever a Console User makes a configuration change in one of the following Areas of the Web Console:

  • Alerts changes. For example, changing the status of an Alert.

  • Alert & Prevent Rules changes. For example, activating or deactivating Alert Rules.

  • Alert & Prevent Settings. For example: The setting "Disable notifications and messages to all users" was selected (by default, it is deselected so that notifications and messages are sent to users).

  • Application Server modifications. For example:

    • A specific server is configured to require a security password when installing an Agent. In this case, "Require password to install an Agent" is changed from Disabled to Enabled.

    • An Agent security installation password was changed.

  • Anonymization Settings configuration changes. For example: The Anonymization mode was changed from Disabled to Enabled, or the Anonymization password was changed.

  • Archive changes. For example, changing the archiving configuration, such as the archive mode (archive or delete) and the scheduled time.

  • Console Users changes. For example, creating a new Console User or AD Group.

  • Endpoint Unregistration. For example:

    • An endpoint server is manually unregistered from the Endpoints list.

    • An endpoint server is scheduled for automatic unregistration.

  • Identification modifications. For example: A new LDAP Target Domain Identification was added.

  • In-App Elements configuration changes. For example: In-App elements detection was disabled.

  • Licensing changes. For example: The total number of Registered Agents was changed.

  • Lists changes. For example, editing the list items included within lists.

  • Recording Policies creation, modification, or removal. For example:

    • The Agent recording status was temporarily disabled.

    • A User Recording policy was modified in order to record only specific users.

    • Continuous recording was enabled in a Windows system policy.

  • Report changes. For example, creating or deleting a report.

  • Search triggering, such as running a new search.

  • Session Data Integrity definition changes. For example: Image Security was enabled on the Application Server in order to protect images in the database.

  • Session Privacy modifications. For example: Session Replay Privacy Protection was changed to Enabled.

  • System Event changes. For example, deleting System Events.

  • System Settings configuration changes. For example: The first day of the week used for generating reports, alerts, and so on was changed from the default day (Monday).

  • Upgrade Set changes. Includes Stop/Resume Upgrade Set, Delete Upgrade Set, and Create Upgrade Set.

To view configuration changes in the Web Console

  1. Navigate to the Configuration > Security & Privacy > Audit > Configuration Changes tab.

    The Configuration Changes list displays the newest changes at the top (organized by date/time).

    For each audit entry, the Configuration Changes list displays the following details:

    • Time: The time at which the change was made.

    • Console User: The Console User who was logged in to the Web Console and made the change.

    • Client IP: The Client IP address of the user that performed the action.

    • Area: The area in the Web Console that was changed.

    • Item: The item in the area on which the configuration was changed. For example: LDAP Target Domain, Default Windows-based Policy, and so on.

    • Action: The action that was performed on the configured item. For example: Changed, Removed, Added, Created, Activated, Deactivated, Renamed, Triggered.

  2. You can click to expand an entry to view more details about the configuration changes, such as:

    • The specific property of a configuration Item that was changed. For example, "System Policy > Enable keylogging" refers to the keylogging property of a specified recording policy.

    • The action that was performed on the configuration property item (for example, Changed to).

    • New value that was given to a changed configuration property item (for example, Disabled).

  3. You can filter the display of the Configuration Changes list according to the following search criteria:

    • Area: To search for configuration changes by area, select an option from the list or select All to view all changed areas.

    • Item: To search for configuration changes by item, select an option from the list or select All to display all changed items.

    • Period/Date range: To search for configuration changes by time period, specify the time period or date range for your search.

    When you have finished defining your search criteria, click Show to update the Configuration Changes list according to the specified details.

  4. To clear the filter fields, click Reset.
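The Areas listed above and the Time / Console User / Client IP / Area / Item / Action columns are also what you would reason over outside the console, for instance to raise a ticket whenever someone reduces monitoring coverage. The script below is an added example, not ObserveIT code: it assumes the Configuration Changes list has been exported as tab-separated text with the six displayed columns followed by the three expanded-entry details (Property, Property action, New value), which is an assumed layout rather than a documented export format. It reproduces the console's Area / Item / date-range filters, applies a set of high-risk rules (the rule set is this example's own choice, drawn from the kinds of changes the audit tracks) and counts flagged changes per Console User and Client IP, so that a burst of changes from one session stands out. The audit entries are constructed sample data.

```python
"""Triage ObserveIT Configuration Changes entries outside the Web Console.

Added example, not ObserveIT code. Assumes a tab-separated export whose
columns are the ones the console shows (Time, Console User, Client IP,
Area, Item, Action) followed by the expanded-entry details (Property,
Property action, New value). That layout is an assumption of this example.
"""
import csv
import io
from collections import Counter
from datetime import datetime

COLUMNS = ["time", "console_user", "client_ip", "area", "item", "action",
           "property", "property_action", "new_value"]
TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample export (not real audit data). Entries without expanded
# details, such as an unregistration, carry empty trailing fields.
SAMPLE_EXPORT = """\
2024-05-02 08:15:10\tadmin\t10.0.0.5\tLists\tPrivileged users\tChanged\tList items\tChanged to\tAdded 2 items
2024-05-02 09:02:44\tjdoe\t10.0.0.17\tRecording Policies\tDefault Windows-based Policy\tChanged\tSystem Policy > Enable keylogging\tChanged to\tDisabled
2024-05-02 09:03:01\tjdoe\t10.0.0.17\tRecording Policies\tDefault Windows-based Policy\tChanged\tRecording status\tChanged to\tDisabled
2024-05-02 11:40:22\tadmin\t10.0.0.5\tAnonymization Settings\tAnonymization\tChanged\tAnonymization mode\tChanged to\tDisabled
2024-05-02 11:41:05\tadmin\t10.0.0.5\tSession Data Integrity\tImage Security\tChanged\tImage Security\tChanged to\tDisabled
2024-05-03 07:30:00\tsvc-ops\t10.0.0.9\tEndpoint Unregistration\tSRV-DB-01\tRemoved\t\t\t
2024-05-03 10:12:37\tadmin\t10.0.0.5\tReport\tWeekly summary\tCreated\t\t\t
"""


def parse_export(text):
    """Parse the tab-separated export into a list of dicts, one per audit entry."""
    entries = []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=COLUMNS, delimiter="\t"):
        rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
        entries.append(rec)
    return entries


def filter_entries(entries, area=None, item=None, start=None, end=None):
    """Mirror the console's Area, Item and Period/Date range filters.

    start/end are inclusive bounds written in TIME_FMT; None means "All".
    Results come back newest first, as the console lists them.
    """
    lo = datetime.strptime(start, TIME_FMT) if start else None
    hi = datetime.strptime(end, TIME_FMT) if end else None
    kept = [
        e for e in entries
        if (area is None or e["area"] == area)
        and (item is None or e["item"] == item)
        and (lo is None or e["time"] >= lo)
        and (hi is None or e["time"] <= hi)
    ]
    return sorted(kept, key=lambda e: e["time"], reverse=True)


def _disabled(e):
    return e["new_value"].strip().lower() == "disabled"


# Which changes this script treats as high risk: (Area, predicate, reason).
# The selection is an assumption of this example, based on the kinds of
# changes the audit tracks; tune it for your environment.
RISK_RULES = [
    ("Recording Policies", _disabled, "recording coverage reduced"),
    ("Session Data Integrity", _disabled, "image integrity protection turned off"),
    ("Anonymization Settings", lambda e: True, "anonymization mode or password changed"),
    ("Application Server", lambda e: _disabled(e) or "password" in e["property"].lower(),
     "agent installation password control changed"),
    ("Endpoint Unregistration", lambda e: True, "endpoint removed from monitoring"),
    ("Console Users", lambda e: e["action"] in ("Added", "Created"), "new console user or AD group"),
    ("Alert & Prevent Rules", lambda e: e["action"] == "Deactivated", "alert rule deactivated"),
    ("Alert & Prevent Settings", lambda e: "notifications" in e["property"].lower(),
     "user notifications switched off"),
]


def flag_high_risk(entries):
    """Return one finding per entry that matches a risk rule (first match wins)."""
    findings = []
    for e in entries:
        for area, matches, reason in RISK_RULES:
            if e["area"] == area and matches(e):
                finding = {k: e[k] for k in ("time", "console_user", "client_ip", "area", "item")}
                finding["reason"] = reason
                findings.append(finding)
                break
    return findings


def summarize_by_actor(findings):
    """Count high-risk changes per (Console User, Client IP) so bursts stand out."""
    return Counter((f["console_user"], f["client_ip"]) for f in findings)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for f in flag_high_risk(rows):
        print(f["time"], f["console_user"], f["client_ip"], f["area"], f["item"], "-", f["reason"])
    print(summarize_by_actor(flag_high_risk(rows)))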

 

version 7.12.2