Email Download Link

Achieve GAMP 5 compliance with ManageEngine

Good Automated Manufacturing Practice, fifth edition (GAMP 5), published by the International Society for Pharmaceutical Engineering (ISPE), is the globally recognized framework for validating computerized systems used in good practice-(GxP)-regulated industries.

Get started free  Request a demo 
Compliance

How can ManageEngine support organizations in meeting GAMP 5 standards?

With ManageEngine Log360 (SIEM), organizations can start aligning with the principles of GAMP 5. See the key clauses and how our solutions help in the table below.

Appendix 1: Handover Ensure a controlled transfer of the computerized system from project to operational use, with all required procedures, training records, and operational readiness checks in place before go-live.

Compliance actions How Log360 helps Reports and evidences Threat rules
  1. Verify all SOPs, user roles, and access controls are operational before go-live.
  2. Capture a baseline of system configuration and user privileges.
  3. Ensure logging and monitoring are enabled from day one.
  4. Retain handover evidence for audit.
  1. Centralized log collection from more than 750 sources begins at go-live, providing a verifiable audit baseline.
  2. ADAudit Plus captures the initial AD configuration, GPO, and user/role baseline.
  3. Configuration change auditing flags any deviation from the approved handover state.
  4. Real-time alerts confirm logging pipelines are healthy from the initial stage.
  1. Local Account Management (User Account Created / Modified / Enabled)
  2. Group Management → Members added to Security group
  3. GPO Changes → GPO Created / Modified / Deleted
  4. Program Inventory → Software Installed / Software Updated
  5. Policy Changes → System Audit Policy Changes
  1. Local User Creation
  2. Net.exe User Account Creation
  3. Suspicious Windows ANONYMOUS LOGON Local Account Created
  4. Active Directory User Backdoors
  5. Audit Policy Changed

Appendix 2: Establishing and Managing Support Services Establish and manage support services (help desk, vendor support, SLAs) for the operational system, including monitoring of service performance.

Compliance actions How Log360 helps Reports and evidences Threat rules
  1. Define support roles and SLAs.
  2. Track support tickets and resolution times.
  3. Monitor support-account activity.
  4. Audit third-party / vendor remote access.
  1. Integration with ServiceDesk Plus, ServiceNow, Jira, Zendesk for ticket correlation with security events.
  2. Privileged-user session monitoring for support and vendor accounts.
  3. VPN, RDP, and remote-access auditing.
  4. Workflow automation triggers tickets on incidents.
  1. SDP → Debug Reports: Successful Logins / Failed Logins
  2. Terminal Server Gateway Logons → Successful user connections to the resource / Failed connection authorizations
  3. Windows Logon Reports → Remote Interactive Logon / Remote Desktop Services Activity
  4. Windows Sessions → Remote Interactive Sessions / PMP Sessions
  5. Cisco/Fortinet/PaloAlto VPN Logon Reports → VPN Logons / Failed VPN Logons
  1. Admin User Remote Logon(Valid Accounts)
  2. Interactive Logon to Server Systems (Valid Accounts)
  3. Suspicious PsExec Execution(Remote Services)
  4. RDP Login from Localhost(Remote Services)
  5. Failed Logon From Public IP(External Remote Services)

Appendix 3: Performance Monitoring Continuously monitor system performance, availability, and capacity to ensure the system remains fit for intended use.

Compliance actions How Log360 helps Reports and evidences Threat rules
  1. Monitor server, application, and network performance KPIs.
  2. Detect availability issues proactively.
  3. Trend capacity over time.
  4. Alert on performance anomalies.
  1. EventLog Analyzer monitors Windows/Linux/Unix server performance and service health.
  2. Application log analytics for IIS, Apache, SQL, Oracle, etc.
  3. Real-time alerts on service stops, high CPU/memory, disk thresholds.
  4. Custom dashboards for availability KPIs.
  1. Windows System Events → Low Disk Space / Hard disk failures
  2. Windows Startup Events → System Uptime / UnExpected Shutdown
  3. Service Audit → Service Stopped / Service Failed
  4. MSSQL Advanced Auditing Reports → Waits Information Report / Blocked Processes Report
  5. Device Severity Reports → Critical Events / Error Events
  1. DoS Attacks / DoS Attack Entered Defensive Mode(Threat Detection)
  2. Stop Windows Service(Service Stop)
  3. Microsoft Malware Protection Engine Crash(Exploitation for Defense Evasion)
  4. Hyper-V Disk Out of Space(Hyper-V VM Management)
  5. Blue Screen Error (BSOD)(Application Crashes)

Appendix 4: Incident Management All incidents impacting the system shall be recorded, classified, investigated, resolved, and reviewed for root cause.

Compliance actions How Log360 helps Reports and evidences Threat rules
  1. Detect and log every security/operational incident.
  2. Classify by severity and impact.
  3. Track investigation and closure.
  4. Preserve forensic evidence.
  1. Vigil IQ correlation engine detects incidents across data sources in real time.
  2. Built-in incident-management console with assignment, status, and audit trail.
  3. Forensic search with timestamped, tamper-evident archives.
  4. MITRE ATT&CK® -aligned alert context for triage.
  1. Windows Eventlog Reports → Security Logs Cleared / Event Logs Cleared
  2. Windows Important Events → Audit Logs Cleared / Audit Policy Changed
  3. Failed Logon Reports → Top reasons for windows logon failure / Failed Logons Trend
  4. Threat Detection From Antivirus → Defender Malware Detection / Threat Detections by McAfee
  5. Sophos HeartBeat Status → Endpoint Risk Report / Endpoint Warning Report
  1. Eventlog Cleared / Security Eventlog Cleared (Indicator Removal on Host)
  2. Suspicious Eventlog Clear or Configuration Using Wevtutil (Indicator Removal on Host)
  3. Account Tampering – Suspicious Failed Logon Reasons (Valid Accounts)
  4. Maze Ransomware (User Execution)
  5. NotPetya Ransomware Activity (Indicator Removal on Host)

Appendix 5: Corrective and Preventive Action (CAPA) Implement CAPA processes triggered by incidents, deviations, or audit findings; verify effectiveness of actions taken.

Compliance actions How Log360 helps Reports and evidences Threat rules
  1. Link CAPAs to source incidents.
  2. Track action owners and due dates.
  3. Verify recurrence does not happen.
  4. Document evidence of effectiveness.
  1. Automated workflows execute predefined response actions (disable user, isolate host, kill process).
  2. Repeat-incident detection reopens linked alerts to verify CAPA effectiveness.
  3. Audit trail of every workflow execution stored immutably.
  1. Nessus Vulnerability Reports → Patch Report / Top Exploitable Vulnerabilities
  2. Qualys Reports → Confirmed vulnerabilities / Severe Vulnerabilities
  3. Program Inventory → Windows Updates - Installed / Windows update process failed
  4. Policy Changes → System Audit Policy Changes / Domain Policy Changes
  5. Trend Reports → Weekly Report / Hourly Report
  1. NotPetya Ransomware Activity(Indicator Removal on Host)
  2. Maze Ransomware(User Execution)
  3. Possible Ransomware or Unauthorized MBR Modifications(Pre‑OS Boot)
  4. Suspicious Reconnaissance Activity(Account Discovery)
  5. Disabling Windows Event Auditing (Impair Defenses)

Appendix 6: Operational Change & Configuration Management All changes to the validated system shall be assessed, approved, documented, implemented, and reviewed under formal change control; configuration baselines shall be maintained.

Compliance actions How Log360 helps Reports and evidences Threat rules
  1. Detect every configuration change in real time.
  2. Match changes to approved CRs.
  3. Maintain a configuration baseline.
  4. Roll back unauthorized changes.
  1. ADAudit Plus tracks every AD object, GPO, schema, and OU change with before/after values.
  2. Server configuration auditing (registry, file, service, scheduled task).
  3. Network device configuration change tracking (firewall, router, switch).
  4. Alerts on changes outside approved windows.
  1. Registry Changes → Registry Value Modified / Registry Permission Changes
  2. GPO Changes → GPO Modified
  3. Windows Firewall Auditing → Windows Firewall Rule Added / Modified / Deleted
  4. Service Audit → New Service Installed / Service Stopped
  5. MSSQL DDL Auditing → Schemas Altered / Tables Altered
  1. Direct Autorun Keys Modification
  2. Suspicious Service Path Modification
  3. New Service Creation
  4. Disabling Windows Event Auditing
  5. COMPlus_ETWEnabled Registry Modification.

Appendix 7: Repair Activity Repairs shall be performed by qualified personnel under controlled conditions and documented; system shall be reverified before return to use.

Compliance actions How Log360 helps Reports and evidences Threat rules
  1. Restrict repair to authorized engineers.
  2. Capture all actions taken during repair.
  3. Reverify configuration post-repair.
  4. Retain evidence of work.
  1. Privileged session recording context (who/when/where for repair logons).
  2. File-integrity monitoring rebaselines after repair.
  3. Configuration drift reports compare pre/post-repair state.
  1. Service Audit → New Service Installed / Service Failed
  2. System Events → Failed loadings of Kernel driver / Code Integrity Check
  3. Windows Backup and Restore → Successful Windows restores / Failed Windows restores
  4. Registry Changes → Registry Value Modified / Registry Permission Changes
  5. Program Inventory → Software Installed / Failed software installations
  1. New Service Creation(Create or Modify System Process)
  2. Suspicious Service Path Modification(Create or Modify System Process)
  3. Malicious Service Installations(Create or Modify System Process)
  4. Failed Code Integrity Checks(Obfuscated Files or Information)
  5. Suspicious Driver Loaded By User (Impair Defenses)

Appendix 8: Periodic Review The system shall be periodically reviewed to confirm it remains in a validated, compliant state and continues to meet its intended use.

Compliance actions How Log360 helps Reports and evidences Threat rules
  1. Schedule periodic reviews (annually or risk-based).
  2. Review access rights, incidents, changes, deviations.
  3. Document review outcome and actions.
  1. Scheduled compliance and access reports auto-delivered to reviewers.
  2. User access review dashboards (inactive users, stale privileges).
  3. Trend dashboards for incidents, changes, and policy violations across the period.
  1. Logon Reports → Top Logons by User / Logons Trend
  2. Local Account Management → User Accounts Created With no password expiry
  3. Domain Controller Logon Reports → DC Credentials Validation Success
  4. Policy Changes → User Rights Assigned / User Rights Removed
  5. Trend Reports → Weekly Report
  1. AD Privileged Users or Groups Reconnaissance
  2. Admin User Remote Logon
  3. Enabled User Right in AD to Control User Objects
  4. Interactive Logon to Server Systems
  5. User Added to Local Administrators

Appendix 9: Backup and Restore Adequate, tested backup and restore procedures shall be in place to ensure data and system recovery; backup activity and integrity shall be monitored.

Compliance actions How Log360 helps Reports and evidences Threat rules
  1. Verify backup jobs run successfully.
  2. Detect failed/missed backups.
  3. Audit restore operations.
  4. Protect backup integrity.
  1. Audits backup software events (Veeam, NetBackup, Veritas, Windows Backup, etc.).
  2. Alerts on failed/missed backup jobs.
  3. Logs all restore operations and who performed them.
  4. Detects deletion or tampering of backup files.
  1. Windows Backup and Restore → Successful Windows backup / Failed Windows backup
  2. Windows Backup and Restore → Successful Windows restores / System Restored
  3. MSSQL Backup and Restore → Databases Backed Up / Database Backup Failed
  4. MSSQL Backup and Restore → Database Restore
  5. System Events → AD Backup Error
  1. Backup Catalog Deleted
  2. Shadow Copies Deletion Using Operating Systems Utilities
  3. NotPetya Ransomware Activity
  4. Possible Ransomware or Unauthorized MBR Modifications
  5. Modification of Boot Configuration

Appendix 10: Business Continuity Management Business continuity and disaster recovery plans shall ensure system availability for critical regulated processes; plans shall be tested.

Compliance actions How Log360 helps Reports and evidences Threat rules
  1. Maintain DR plan and test it.
  2. Monitor BCP-critical systems continuously.
  3. Detect events that could impact continuity.
  1. High-availability deployment of Log360 itself ensures monitoring continuity.
  2. DR drill-event correlation across primary and secondary sites.
  3. Real-time alerts on outages of business-critical services and links.
  1. Windows Startup Events → UnExpected Shutdown / Windows Restarts
  2. Service Audit → Service Failed / Service Stopped
  3. System Events → Hard disk failures / Low Disk Space
  4. Application Crashes → Blue Screen Error(BSOD)
  5. Threat Detection From Antivirus → Defender Malware Detection
  1. Maze Ransomware
  2. Stop Windows Service
  3. Shadow Copies Deletion Using Operating Systems Utilities Inhibit System Recovery – Modification of Boot Configuration
  4. Secure Deletion with SDelete

Appendix 11: Security Management Logical and physical security controls shall protect the system, data, and electronic records from unauthorized access, use, modification, or destruction. Security events shall be monitored.

Compliance actions How Log360 helps Reports and evidences Threat rules
  1. Enforce least privilege.
  2. Detect intrusions and policy violations in real time.
  3. Monitor privileged access.
  4. Respond to threats automatically.
  1. Full SIEM with real-time correlation (Vigil IQ) and more than 2,000 detection rules.
  2. UEBA detects insider threats and compromised accounts via behavior baselining.
  3. Integrated threat-intel feeds (STIX/TAXII, Webroot) flag malicious IPs/URLs/domains.
  4. MITRE ATT&CK-aligned detection coverage.
  5. Automated response workflows (disable account, block IP, isolate host).
  1. Eventlog Reports → Security Logs Cleared / Event Logs Cleared
  2. Failed Logon Reports → Failed Logons Trend / Top reasons for windows logon failure
  3. Threat Detection → DoS Attacks / Replay Attack
  4. Windows Important Events → Audit Logs Cleared
  5. File Integrity Monitor → File Monitoring Overview
  1. Eventlog Cleared / Security Eventlog Cleared
  2. Suspicious Eventlog Clear or Configuration Using Wevtutil
  3. Metasploit SMB Authentication (Brute Force)
  4. Mimikatz Use / Mimikatz Command Line
  5. Possible Impacket SecretDump Remote Activity

Appendix 12: System Administration System administration activities (account management, patching, scheduled tasks, etc.) shall be controlled, segregated from end-user activity, and auditable.

Compliance actions How Log360 helps Reports and evidences Threat rules
  1. Track all admin actions.
  2. Enforce SoD between admin and user roles.
  3. Audit account life cycle (create/modify/disable/delete).
  4. Monitor patch and scheduled-task changes.
  1. Comprehensive admin-action auditing across AD, Azure AD/Entra ID, Microsoft 365, Linux/Unix, databases, and network devices.
  2. Account life cycle reporting (creation, enable/disable, deletion, password reset).
  3. Scheduled-task and service-account change tracking.
  4. Patch and update event correlation.
  1. Local Account Management → User Account Created / User Account Modified
  2. Group Management → Members added to Security group / Security Group Changed
  3. GPO Changes → GPO Created / GPO Modified
  4. Policy Changes → User Rights Assigned / Authentication Policy Change (Grant)
  5. Process Tracking → Scheduled Task Created / Scheduled Task Updated
  1. User Added to Local Administrators(Valid Accounts)
  2. Suspicious Windows ANONYMOUS LOGON Local Account Created (Create Account)
  3. Active Directory User Backdoors(Account Manipulation)
  4. Addition of SID History to Active Directory Object (Access Token Manipulation)
  5. Password Change on Directory Service Restore Mode (DSRM) Account(Account Manipulation)

Appendix 13: Archiving and Retrieval Records (including electronic records and audit trails) shall be retained for the required period in a secure, retrievable, and tamper-evident form.

Compliance actions How Log360 helps Reports and evidences Threat rules
  1. Define retention period per record class.
  2. Protect archives from tampering.
  3. Ensure records remain retrievable and readable.
  4. Securely destroy when retention expires.
  1. Encrypted, hash-stamped, tamper-evident log archives.
  2. Configurable retention per log source / regulation.
  3. Fast forensic search across archived data.
  4. Role-based access to archived records.
  1. Windows Backup and Restore → Successful windows backup / Failed Windows backup
  2. MSSQL Backup and Restore Events → Databases Backed Up / Database Backup Failed
  3. Eventlog Reports → Event log automatic backup / Security Log Full
  4. File Integrity Monitor → File (or) Folder Modified / Folder Permission Changes
  5. Eventlog Reports → Security Logs Cleared / Event Logs Cleared
  1. Backup Catalog Deleted(Indicator Removal on Host)
  2. Shadow Copies Deletion Using Operating Systems Utilities (Inhibit System Recovery)
  3. Secure Deletion with SDelete(Indicator Removal on Host)
  4. Eventlog Cleared / Security Eventlog Cleared(Indicator Removal on Host)
  5. Modification of Boot Configuration(Inhibit System Recovery)
Home »

Awards & recognition

ManageEngine named in 2025 Gartner MQ for SIEM Gartner Peer Insights Customers' choice for SIEM

  Editor's choice  
  8th time in the MQ in 2025  
  Major player in 2024  
  Integrated cloud security Innovator  
  Technical excellence in SIEM  
  Market leader most innovative  

Gartner® Magic Quadrant™ for SIEM 2024

Features

Support

Secure your IT infrastructure with a cloud SIEM solution

Solutions by industry

Related solutions

One-stop solution to all Log Management and Active Directory Auditing

Free Trial Get Quote
Email Download Link