Audits and Notifications

As PAM360 deals with sensitive, privileged access information, it is essential to have a complete record of every single action performed by the users within the application. To ensure comprehensive tracking, all user actions are recorded as audits, with the timestamp and the IP address from where they accessed the application.

Audit trails in PAM360 are comprehensive, capturing almost all actions. If you wish to audit only specific operations, PAM360 provides flexible options for focused auditing. Additionally, you can configure notifications to alert designated recipients when specific events occur, providing enhanced monitoring and control over privileged access activities.

This document covers the following topics:

  1. Resource Audit
  2. User Audit
  3. Task Audit
  4. User Sessions Audit
  5. Recorded Connections
  6. Active Privileged Sessions
  7. Keys and Certificates Audit
  8. SDK Application Audit
  9. FAQs

1. Resource Audit

Resource audits in PAM360 provide comprehensive tracking and logging of all activities related to privileged accounts and passwords, resources, resource groups, sharing, and password policies. These audits ensure accountability by maintaining detailed records of access, modifications, and actions performed on critical resources. Navigate to Audit >> Resource Audit to view the resource audits.

1.1 Resource Audit Summary
(Applicable from build 7200 onwards)

PAM360 allows you to view a quick summary of any particular resource audit. A resource audit summary provides a detailed overview of all the details associated with that specific audit. To view a resource audit summary, click the Audit Summary icon under the Actions column beside the desired audit.

On the Resource Audit Summary page, you have options for exporting the resource audit summary. Click the Email Audit Summary icon to receive the audit summary in your mail, and the Export as PDF icon to download the audit summary as a PDF file to your machine.

1.2 Related Resource Audits
(Applicable from build 7200 onwards)

PAM360 allows you to view audits related to a particular resource audit. The Related Resource Audits feature provides insights about all the audits associated with a specific resource, helping you track audit trails effectively. This feature ensures that you have a complete picture of all the related audit activities. Follow these steps to view the related resource audits:

  1. Click the Related Audits icon under the Actions column beside the desired resource audit.
  2. On the Related Resource Audits page that opens, you can view all the audits related to the selected resource audit.
  3. Click Audit Actions and choose:
    1. Export as CSV to download the related resource audit details as an Excel file.
    2. Export as PDF to download the related resource audit details as a PDF file.
    3. Email Related Audits  to receive the related resource audit details in your email.

1.3 Manage Resource Audits and Notifications

PAM360 offers the flexibility to record audit trails only for specific events based on your requirements. Follow these steps to configure resource audit trails for specific events:

  1. Navigate to Audit >> Resource Audit >> Audit Actions >> Configure Resource Audit.
  2. In the Resource Audit Configuration window, select the operations for which you wish to generate audit records. Leave the checkboxes unchecked for operations you do not wish to audit.
  3. Click Save to apply the selected resource audit configuration.

Additionally, PAM360 can be configured to send email notifications, generate Syslog messages, or raise SNMP traps when specific events occur.

  1. In the Resource Audit Configuration window, select the checkboxes beside the desired operations for which you wish to send notifications.
  2. To avoid flooding your inbox with notification emails, you can customize settings to receive a single daily digest summarizing all the audit trails generated that day for the selected events. Tick the Notify the chosen events as a daily digest checkbox to enable this option.
  3. Specify the list of recipients who should receive these notifications and click Save.

1.4 Purge Resource Audit Trails

Most operations related to resources performed in PAM360 are audited, and the audit data is stored in the database. Consequently, the resource audit records grow at a faster rate. To manage disk space effectively, an option to purge audit records is available under the Purge Resource Audit Records pane in the Resource Audit Configuration window. If you do not require audit records older than a specified number of days, you can opt to purge them. To configure resource audit purging:

  1. Go to Resource Audit >> Audit Actions >> Configure Resource Audit >> Purge Resource Audit Records.
  2. Specify the number of days for which audit records should be retained in the provided text box. For example, entering 90 will automatically purge audit records that are older than 90 days.
  3. Click Save.

Note:
(Applicable from build 5400 onwards)
You can choose to retain or delete audit records related to specific operations by selecting the check box under the Purge Audit column. Select the checkbox beside the desired operations for which you wish to purge the audit trails. The audit records corresponding to the operations whose check boxes are left unselected will be retained permanently as a part of your audit trail.

1.5 Export Resource Audit Trails

Resource audit trails can be exported as PDF or CSV files for easy reference. To export these audit trails, go to Resource Audit >> Audit Actions and click Export as PDF or CSV button, depending on your requirement.

1.6 Resource Audit Filters

You can create customized views of resource audit trails by adding filters to display only the audit records of interest. Follow these steps to create an audit filter:

  1. Click the Create button on the Resource Audit page.
  2. Select the desired operation from the drop-down menu and enter your criteria to filter the audit trails. To configure the filter based on operation types, click the Operation Types button in the top-right corner of the screen to view the available options.
  3. Click Save to configure the audit filter successfully.

2. User Audit

User audits in PAM360 capture all user operations, providing detailed tracking of user activities. To view user audit records, navigate to Audit >> User Audit.

2.1 User Audit Summary
(Applicable from build 7200 onwards)

PAM360 allows you to view a quick summary of any particular user audit. A user audit summary provides an overview of all the details associated with that specific user audit. To view the user audit summary, click the Audit Summary icon under the Actions column beside the desired user audit.

Additionally, you can export the user audit summary from the User Audit Summary page. Click the Email Audit Summary icon to receive the audit summary in your mail, and the Export as PDF icon to download the audit summary as a PDF file to your machine.

2.2 Manage User Audits and Notifications

Follow these steps to configure user audit trails for specific events:

  1. Navigate to Audit >> User Audit >> Audit Actions >> Configure User Audit.
  2. In the User Audit Configuration window, select the user operations for which you wish to generate audit records. Leave the checkboxes unchecked for operations you do not want to audit.
  3. Click Save to apply the selected user audit configuration.

Additionally, you can configure PAM360 to send email notifications, generate Syslog messages, or raise SNMP traps when specific events occur.

  1. In the User Audit Configuration window, select the checkboxes beside the desired user operations.
  2. To avoid flooding your inbox with notifications, customize settings to receive a single daily digest summarizing all audit trails generated that day for selected events. Tick the Notify the chosen events as a daily digest checkbox to enable this option.
  3. Specify the list of recipients who should receive these notifications and click Save.

2.3 Purge User Audit Trails

User operations performed in PAM360 are comprehensively audited, resulting in a substantial accumulation of audit data. To manage disk space efficiently, you can purge user audit records older than a specified number of days using the Purge User Audit Records option in the User Audit Configuration window. To configure user audit purging:

  1. Go to User Audit >> Audit Actions >> Configure User Audit.
  2. Under the Purge User Audit Records pane, specify the number of days for which the audit records should be retained in the provided textbox.
  3. Click Save.

Note:
(Applicable from build 5400 onwards)
You can choose to retain or delete audit records related to specific operations by selecting the check box under the Purge Audit column. Select the checkbox beside the desired operations for which you wish to purge the audit trails. The audit records corresponding to the operations whose check boxes are left unselected will be retained permanently as a part of your audit trail.

2.4 Export User Audit Trails

User audit trails can be exported as PDF or CSV files for easy reference. To export these audit trails, go to User Audit >> Audit Actions and click the Export as PDF or CSV button, based on your requirement.

2.5 User Audit Filters

You can create customized views of user audit trails by adding filters to display only the audit records of interest. Follow these steps to create a user audit filter:

  1. Click the Create button on the User Audit page.
  2. Select the desired operation from the drop-down menu and enter your criteria to filter the audit trails. To filter by operation types, click the Operation Types button in the top-right corner to view available options.
  3. Click Save to configure the audit filter successfully.

3. Task Audit

Task audits in PAM360 capture records of all scheduled tasks created and executed, providing detailed tracking of task executions. To view task audit records, navigate to Audit >> Task Audit.

3.1 Task Audit Summary
(Applicable from build 7200 onwards)

The task audit summary provides a quick overview of any specific task audit, detailing all related information. To view the summary of a task audit trail, click the Audit Summary icon under the Actions column beside the desired task audit trail. Additionally, you can export the task audit summary from the Task Audit Summary page. Click the Email Audit Summary icon to receive the audit summary in your mail, and the Export as PDF icon to download the audit summary as a PDF file to your machine.

3.2 Related Task Audits
(Applicable from build 7200 onwards)

PAM360 allows you to view audits related to a particular task audit. The Related Task Audit feature provides insights about all the audits associated with a specific task audit, helping you track audit trails effectively. This feature provides a complete view of all related audit activities. Follow these steps to view the related task audits:

  1. Click the Related Audits icon in the Actions column beside the desired task audit.
  2. On the Related Task Audits page, you can view all the audits related to the selected task audit.
  3. Click Audit Actions and choose:
    1. Export as CSV to download the related task audit details as an Excel file.
    2. Export as PDF to download the related task audit details as a PDF file.
    3. Email Related Audits to receive the related task audit details in your mail.

3.3 Manage Task Audits and Notifications

Follow these steps to configure task audit trails for specific events:

  1. Navigate to Audit >> Task Audit >> Audit Actions >> Configure Task Audit.
  2. In the Task Audit Configuration window, select the operations for which you wish to generate audit records. Leave the checkboxes unchecked for operations you do not wish to audit.
  3. Click Save to apply the selected task audit configuration.

Additionally, you can configure PAM360 to send email notifications when specific events occur.

  1. In the Task Audit Configuration window, select the checkboxes beside the desired task audit operations for which you wish to trigger notifications.
  2. To avoid flooding your inbox with notification emails, customize settings to receive a single daily digest summarizing all audit trails generated that day for the selected events. Tick the Notify the chosen events as a daily digest checkbox to enable this option.
  3. Specify the list of recipients who should receive these notifications and click Save.

3.4 Purge Task Audit Trails

Tasks executed in PAM360 are comprehensively audited, resulting in a substantial accumulation of audit data. To manage disk space efficiently, you can purge task audit records older than a specified number of days using the Purge Task Audit Records option in the Task Audit Configuration window. To configure task audit purging:

  1. Go to Task Audit >> Audit Actions >> Configure Task Audit.
  2. Under the Purge Task Audit Records pane, specify the number of days for which audit records should be retained in the provided text box. For example, entering 90 will automatically purge task audit records that are older than 90 days.
  3. Click Save.

3.5 Export Task Audit Trails

Just like resource and user audit trails, task audit trails can be exported as PDF or CSV files for easy reference. To export these audit trails, go to Task Audit >> Audit Actions and click the Export as PDF or CSV button based on your requirement.

3.6 Task Audit Filters

You can create customized views of task audit trails by adding filters to display only the audit records of interest. Follow these steps to create a task audit filter:

  1. Click the Create button on the Task Audit page.
  2. Select the desired operation from the drop-down menu and enter your criteria to filter the audit trails. To filter by operation types, click the Operation Types button in the top-right corner to view available options.
  3. Click Save to configure the task audit filter successfully.

4. User Sessions Audit

The User Sessions audit in PAM360 provides a comprehensive view of all user sessions, including the currently active sessions in your environment. The User Sessions audit page is divided into two sections: the left pane and the Session Details section. The left pane displays the currently active sessions along with essential user information such as username, role, and login time. By default, the current date is selected, and all sessions for that date are listed in the left pane.

When a session is selected, the Session Details section displays information about the selected session including the user's email ID, the IP address and hostname of the machine used for login, the login time, and a detailed record of all operations performed by the user during that session.

4.1 View User Sessions

Follow these steps to view the list of all user sessions in your environment and the operations performed during each user session:

  1. Navigate to Audit >> User Sessions.
  2. To view the list of user sessions on a specific date, click the Calendar icon beside the search field in the left pane, navigate to the desired month on the calendar, and double-click the desired date.
  3. To view the list of user sessions over a range of dates, use the Custom Range picker to select the start and end dates.
  4. Now, from the displayed user session entries, select the desired user session on the left pane to view all the operations performed during that session.
  5. Additionally, you can use the Search option in the left pane to view all user sessions of a specific user on the selected date or within a specific date range. Enter the user's first name, last name, or full name in the search bar to filter user sessions.
  6. After selecting a session, you can use the Search option within the Session Details window to locate specific operations performed during that session using relevant keywords.

4.2 Terminate User Sessions

PAM360 allows administrators to terminate any active user session in case of suspicious activity, unauthorized access attempts, or policy violations. Follow these steps to terminate an active user session:

  1. Click the Terminate button under the desired user session to terminate that session.
  2. In the Terminate Session window that appears, enter the reason for termination in the Reason field and click Ok.

Notes:

  1. Only users with the Terminate User Sessions privilege in their user role can terminate a user session.
  2. The client organization owner's (i.e., Account Manager's) session can only be terminated by the administrators of the MSP organization.
  3. When a user session is terminated, only the selected session will be terminated. Any other active sessions initiated by the same user will remain unaffected.

4.3 Terminate User Sessions and Lock User Accounts

(Applicable from PAM360 Builds 8100 and Above)

Administrators can terminate active user sessions and lock the associated user accounts in case of suspicious activity or security concerns. Follow these steps to terminate an active user session and lock the user accounts:

  1. To terminate an active session and temporarily lock the user from accessing their PAM360 account, click the Terminate and Lock button in the top-right corner of the Session Details window.
  2. In the Terminate Session and Lock User window that appears, enter the reason for termination in the Reason field, and click Ok. This action will terminate all active user sessions for the selected user and lock the user from accessing their PAM360 account until it is unlocked by an administrator.

Note: To unlock a user account, navigate to the Users tab and click the User Actions icon beside the desired user you wish to unlock and select Unlock User from the displayed options.

5. Recorded Connections

All the recorded remote sessions can be accessed from Audit >> Recorded Connections. You can search for the desired recorded sessions using details such as resource name, account name, or time stamp. To view a recorded session, click the Play icon beside the desired recording and use the Seek bar to skip parts of the session as needed. Refer to this help document to know more in detail about recorded connection configurations and other settings.

Note: All the recorded RDP, SSH, Telnet, VNC, and SQL sessions can be accessed from Audit >> Recorded Server Connections, and the recorded website sessions can be viewed from Audit >> Recorded Website Connections.

6. Active Privileged Sessions

PAM360 allows administrators to monitor and join active privileged sessions on sensitive resources in real time, offering the ability to observe and terminate sessions if needed. Additionally, administrators can leverage this feature to assist users during troubleshooting sessions by shadowing their activities. To monitor an active privileged session, navigate to Audit >> Active Privileged Session, find the desired session, and click Join. Explore this link for more details about real-time monitoring of active privileged sessions.

7. Keys and Certificates Audit

The Keys and Certificates audit in PAM360 allows you to view detailed records of all operations related to SSH keys and SSL certificates. Navigate to Audit >> Keys/Certificate Audit to view the audit records. Additionally, you can apply filters and selectively access specific records as required. Certificate audits are accessible to all administrators, while the keys audits are user-specific, i.e., only the respective user can view their SSH key records. For more details about the SSH and SSL audits and reports, refer to this link.

8. SDK Application Audit

PAM360 enables administrators to monitor all operations performed within PAM360 SDK deployed applications or services. By navigating to Audit >> SDK Application Audit, you can view a comprehensive audit trail of activities executed directly from these SDK-deployed applications. Additionally, you can switch between different deployed SDK applications to review the specific actions performed from each application.

9. FAQs

1. Does PAM360 record attempts by users to view and retrieve passwords?

Yes, PAM360 helps in establishing strong accountability for all operations carried out within the application. All user operations, including password viewing, retrieval, and copying actions, are audited by PAM360. The list of operations that are audited, along with their timestamps and IP addresses, includes:

  1. User accounts created, deleted, and modified.
  2. Users logging in and off the application.
  3. Resources and passwords created, accessed, modified, and deleted.

2. How are the audit logs protected against modification?

All audit records are stored in the SQL database. To ensure security, the SQL server is configured not to accept connections from remote hosts. Additionally, the password to access the SQL server is randomly generated for every PAM360 installation. Therefore, unless unauthorized individuals gain direct access to the database, the audit records cannot be modified.
Top