Audits and Notifications

22 minutes to read

As PAM360 deals with sensitive, privileged access information, it is essential to have a complete record of every single action performed by the users within the application. To ensure comprehensive tracking, all user actions are recorded as audits, with the timestamp and the IP address from where they accessed the application.

Audit trails in PAM360 are comprehensive, capturing almost all actions. If you wish to audit only specific operations, PAM360 provides flexible options for focused auditing. Additionally, you can configure notifications to alert designated recipients when specific events occur, providing enhanced monitoring and control over privileged access activities.

This document covers the following topics:

  1. Resource Audit
  2. User Audit
  3. Task Audit
  4. User Sessions Audit
  5. Recorded Connections
  6. Active Privileged Sessions
  7. Keys and Certificates Audit
  8. SDK Application Audit
  9. FAQs

1. Resource Audit

Resource audits in PAM360 provide comprehensive tracking and logging of all activities related to privileged accounts and passwords, resources, resource groups, sharing, and password policies. These audits ensure accountability by maintaining detailed records of access, modifications, and actions performed on critical resources. Navigate to Audit >> Resource Audit to view the resource audits.

1.1 Resource Audit Summary
(Applicable from build 7200 onwards)

PAM360 allows you to view a quick summary of any particular resource audit. A resource audit summary provides a detailed overview of all the details associated with that specific audit. To view a resource audit summary, click the Audit Summary icon under the Actions column beside the desired audit.

On the Resource Audit Summary page, you have options for exporting the resource audit summary. Click the Email Audit Summary icon to receive the audit summary in your mail, and the Export as PDF icon to download the audit summary as a PDF file to your machine.

1.2 Related Resource Audits
(Applicable from build 7200 onwards)

PAM360 allows you to view audits related to a particular resource audit. The Related Resource Audits feature provides insights about all the audits associated with a specific resource, helping you track audit trails effectively. This feature ensures that you have a complete picture of all the related audit activities. Follow these steps to view the related resource audits:

  1. Click the Related Audits icon under the Actions column beside the desired resource audit.
  2. On the Related Resource Audits page that opens, you can view all the audits related to the selected resource audit.
  3. Click Audit Actions and choose:
    1. Export as CSV to download the related resource audit details as an Excel file.
    2. Export as PDF to download the related resource audit details as a PDF file.
    3. Email Related Audits  to receive the related resource audit details in your email.

1.3 Manage Resource Audits and Notifications

PAM360 offers the flexibility to record audit trails only for specific events based on your requirements. Follow these steps to configure resource audit trails for specific events:

  1. Navigate to Audit >> Resource Audit >> Audit Actions >> Configure Resource Audit.
  2. In the Resource Audit Configuration window, select the operations for which you wish to generate audit records. Leave the checkboxes unchecked for operations you do not wish to audit.
  3. Click Save to apply the selected resource audit configuration.

Additionally, PAM360 can be configured to send email notifications, generate Syslog messages, or raise SNMP traps when specific events occur.

  1. In the Resource Audit Configuration window, select the checkboxes beside the desired operations for which you wish to send notifications.
  2. To avoid flooding your inbox with notification emails, you can customize settings to receive a single daily digest summarizing all the audit trails generated that day for the selected events. Tick the Notify the chosen events as a daily digest checkbox to enable this option.
  3. Specify the list of recipients who should receive these notifications and click Save.

1.4 Purge Resource Audit Trails

Most operations related to resources performed in PAM360 are audited, and the audit data is stored in the database. Consequently, the resource audit records grow at a faster rate. To manage disk space effectively, an option to purge audit records is available under the Purge Resource Audit Records pane in the Resource Audit Configuration window. If you do not require audit records older than a specified number of days, you can opt to purge them. To configure resource audit purging:

  1. Go to Resource Audit >> Audit Actions >> Configure Resource Audit >> Purge Resource Audit Records.
  2. Specify the number of days for which audit records should be retained in the provided text box. For example, entering 90 will automatically purge audit records that are older than 90 days.
  3. Click Save.

Note:
(Applicable from build 5400 onwards)
You can choose to retain or delete audit records related to specific operations by selecting the check box under the Purge Audit column. Select the checkbox beside the desired operations for which you wish to purge the audit trails. The audit records corresponding to the operations whose check boxes are left unselected will be retained permanently as a part of your audit trail.

1.5 Export Resource Audit Trails

Resource audit trails can be exported as PDF or CSV files for easy reference. To export these audit trails, go to Resource Audit >> Audit Actions and click Export as PDF or CSV button, depending on your requirement.

1.6 Resource Audit Filters

You can create customized views of resource audit trails by adding filters to display only the audit records of interest. Follow these steps to create an audit filter:

  1. Click the Create button on the Resource Audit page.
  2. Select the desired operation from the drop-down menu and enter your criteria to filter the audit trails. To configure the filter based on operation types, click the Operation Types button in the top-right corner of the screen to view the available options.
  3. Click Save to configure the audit filter successfully.

2. User Audit

User audits in PAM360 capture all user operations, providing detailed tracking of user activities. To view user audit records, navigate to Audit >> User Audit.

2.1 User Audit Summary
(Applicable from build 7200 onwards)

PAM360 allows you to view a quick summary of any particular user audit. A user audit summary provides an overview of all the details associated with that specific user audit. To view the user audit summary, click the Audit Summary icon under the Actions column beside the desired user audit.

Additionally, you can export the user audit summary from the User Audit Summary page. Click the Email Audit Summary icon to receive the audit summary in your mail, and the Export as PDF icon to download the audit summary as a PDF file to your machine.

2.2 Manage User Audits and Notifications

Follow these steps to configure user audit trails for specific events:

  1. Navigate to Audit >> User Audit >> Audit Actions >> Configure User Audit.
  2. In the User Audit Configuration window, select the user operations for which you wish to generate audit records. Leave the checkboxes unchecked for operations you do not want to audit.
  3. Click Save to apply the selected user audit configuration.

Additionally, you can configure PAM360 to send email notifications, generate Syslog messages, or raise SNMP traps when specific events occur.

  1. In the User Audit Configuration window, select the checkboxes beside the desired user operations.
  2. To avoid flooding your inbox with notifications, customize settings to receive a single daily digest summarizing all audit trails generated that day for selected events. Tick the Notify the chosen events as a daily digest checkbox to enable this option.
  3. Specify the list of recipients who should receive these notifications and click Save.

2.3 Purge User Audit Trails

User operations performed in PAM360 are comprehensively audited, resulting in a substantial accumulation of audit data. To manage disk space efficiently, you can purge user audit records older than a specified number of days using the Purge User Audit Records option in the User Audit Configuration window. To configure user audit purging:

  1. Go to User Audit >> Audit Actions >> Configure User Audit.
  2. Under the Purge User Audit Records pane, specify the number of days for which the audit records should be retained in the provided textbox.
  3. Click Save.

Note:
(Applicable from build 5400 onwards)
You can choose to retain or delete audit records related to specific operations by selecting the check box under the Purge Audit column. Select the checkbox beside the desired operations for which you wish to purge the audit trails. The audit records corresponding to the operations whose check boxes are left unselected will be retained permanently as a part of your audit trail.

2.4 Export User Audit Trails

User audit trails can be exported as PDF or CSV files for easy reference. To export these audit trails, go to User Audit >> Audit Actions and click the Export as PDF or CSV button, based on your requirement.

2.5 User Audit Filters

You can create customized views of user audit trails by adding filters to display only the audit records of interest. Follow these steps to create a user audit filter:

  1. Click the Create button on the User Audit page.
  2. Select the desired operation from the drop-down menu and enter your criteria to filter the audit trails. To filter by operation types, click the Operation Types button in the top-right corner to view available options.
  3. Click Save to configure the audit filter successfully.

3. Task Audit

Task audits in PAM360 capture records of all scheduled tasks created and executed, providing detailed tracking of task executions. To view task audit records, navigate to Audit >> Task Audit.

3.1 Task Audit Summary
(Applicable from build 7200 onwards)

The task audit summary provides a quick overview of any specific task audit, detailing all related information. To view the summary of a task audit trail, click the Audit Summary icon under the Actions column beside the desired task audit trail. Additionally, you can export the task audit summary from the Task Audit Summary page. Click the Email Audit Summary icon to receive the audit summary in your mail, and the Export as PDF icon to download the audit summary as a PDF file to your machine.

3.2 Related Task Audits
(Applicable from build 7200 onwards)

PAM360 allows you to view audits related to a particular task audit. The Related Task Audit feature provides insights about all the audits associated with a specific task audit, helping you track audit trails effectively. This feature provides a complete view of all related audit activities. Follow these steps to view the related task audits:

  1. Click the Related Audits icon in the Actions column beside the desired task audit.
  2. On the Related Task Audits page, you can view all the audits related to the selected task audit.
  3. Click Audit Actions and choose:
    1. Export as CSV to download the related task audit details as an Excel file.
    2. Export as PDF to download the related task audit details as a PDF file.
    3. Email Related Audits to receive the related task audit details in your mail.

3.3 Manage Task Audits and Notifications

Follow these steps to configure task audit trails for specific events:

  1. Navigate to Audit >> Task Audit >> Audit Actions >> Configure Task Audit.
  2. In the Task Audit Configuration window, select the operations for which you wish to generate audit records. Leave the checkboxes unchecked for operations you do not wish to audit.
  3. Click Save to apply the selected task audit configuration.

Additionally, you can configure PAM360 to send email notifications when specific events occur.

  1. In the Task Audit Configuration window, select the checkboxes beside the desired task audit operations for which you wish to trigger notifications.
  2. To avoid flooding your inbox with notification emails, customize settings to receive a single daily digest summarizing all audit trails generated that day for the selected events. Tick the Notify the chosen events as a daily digest checkbox to enable this option.
  3. Specify the list of recipients who should receive these notifications and click Save.

3.4 Purge Task Audit Trails

Tasks executed in PAM360 are comprehensively audited, resulting in a substantial accumulation of audit data. To manage disk space efficiently, you can purge task audit records older than a specified number of days using the Purge Task Audit Records option in the Task Audit Configuration window. To configure task audit purging:

  1. Go to Task Audit >> Audit Actions >> Configure Task Audit.
  2. Under the Purge Task Audit Records pane, specify the number of days for which audit records should be retained in the provided text box. For example, entering 90 will automatically purge task audit records that are older than 90 days.
  3. Click Save.

3.5 Export Task Audit Trails

Just like resource and user audit trails, task audit trails can be exported as PDF or CSV files for easy reference. To export these audit trails, go to Task Audit >> Audit Actions and click the Export as PDF or CSV button based on your requirement.

3.6 Task Audit Filters

You can create customized views of task audit trails by adding filters to display only the audit records of interest. Follow these steps to create a task audit filter:

  1. Click the Create button on the Task Audit page.
  2. Select the desired operation from the drop-down menu and enter your criteria to filter the audit trails. To filter by operation types, click the Operation Types button in the top-right corner to view available options.
  3. Click Save to configure the task audit filter successfully.

4. User Sessions Audit

User session audits in PAM360 capture records of all operations performed by users during their active sessions, providing detailed tracking of user activities. These audits can be viewed by selecting a particular user session during a specific date or within a specific date range. Administrators also have the option to terminate any active user session. To view, search, or terminate user session audit records, navigate to Audit >> User Sessions.

4.1 View User Sessions

Follow these steps to view user session audits:

  1. To view user sessions for a specific date, click the calendar icon beside the search field in the user sessions window and double-click the desired date.
  2. You can also view user sessions for a range of dates by selecting a start date and an end date using the Date Range Picker.
    1. By default, the current date will be chosen as both the start and end dates, and the selected date range cannot exceed three months.
    2. After selecting the date range, all the active user sessions for the selected date range will be listed.
  3. Click on the desired user session to view all the operations the user performed during that session.

4.2 Search User Sessions

Follow these steps to search for a specific User Session or Audit:

  1. Enter the username (first name, last name, or full name) in the search field to find a particular user session.
  2. You can also search for a specific audit by entering relevant keywords in the search field.

4.3 Terminate User Sessions

Follow these steps to terminate active user sessions:

  1. Click the Terminate button beside the active user session you wish to end.
  2. Provide a reason for terminating the session.
  3. Click OK to terminate the session.

Notes:

  1. Only users with Administrators, Password Administrators, Privileged Administrators, or custom user roles with administrator privileges can terminate any user session.
  2. The Org Manager's session can be terminated only by the administrators of their MSP organization.

5. Recorded Connections

All the recorded remote sessions can be accessed from Audit >> Recorded Connections. You can search for the desired recorded sessions using details such as resource name, account name, or time stamp. To view a recorded session, click the Play icon beside the desired recording and use the Seek bar to skip parts of the session as needed. Refer to this help document to know more in detail about recorded connection configurations and other settings.

6. Active Privileged Sessions

PAM360 allows administrators to monitor and join active privileged sessions on sensitive resources in real time, offering the ability to observe and terminate sessions if needed. Additionally, administrators can leverage this feature to assist users during troubleshooting sessions by shadowing their activities. To monitor an active privileged session, navigate to Audit >> Active Privileged Session, find the desired session, and click Join. Explore this link for more details about real-time monitoring of active privileged sessions.

7. Keys and Certificates Audit

The Keys and Certificates audit in PAM360 allows you to view detailed records of all operations related to SSH keys and SSL certificates. Navigate to Audit >> Keys/Certificate Audit to view the audit records. Additionally, you can apply filters and selectively access specific records as required. Certificate audits are accessible to all administrators, while the keys audits are user-specific, i.e., only the respective user can view their SSH key records. For more details about the SSH and SSL audits and reports, refer to this link.

8. SDK Application Audit

PAM360 enables administrators to monitor all operations performed within PAM360 SDK deployed applications or services. By navigating to Audit >> SDK Application Audit, you can view a comprehensive audit trail of activities executed directly from these SDK-deployed applications. Additionally, you can switch between different deployed SDK applications to review the specific actions performed from each application.

9. FAQs

1. Does PAM360 record attempts by users to view and retrieve passwords?

Yes, PAM360 helps in establishing strong accountability for all operations carried out within the application. All user operations, including password viewing, retrieval, and copying actions, are audited by PAM360. The list of operations that are audited, along with their timestamps and IP addresses, includes:

  1. User accounts created, deleted, and modified.
  2. Users logging in and off the application.
  3. Resources and passwords created, accessed, modified, and deleted.

2. How are the audit logs protected against modification?

All audit records are stored in the SQL database. To ensure security, the SQL server is configured not to accept connections from remote hosts. Additionally, the password to access the SQL server is randomly generated for every PAM360 installation. Therefore, unless unauthorized individuals gain direct access to the database, the audit records cannot be modified.
Top
Back to Top