Audit policies

This topic describes how you can track the way policies are implemented and enforced in your EPM deployment.

Overview

EPM provides policy auditing tools that give the Set administrator an in-depth look at the way EPM policies protect your environment, in either a report or screen-recorded videos of end user activity.

Policy audits track the way policies are used, and give you an in-depth, aggregated view of events that are triggered when EPM applies policies to applications on endpoints.

You can filter the collected events by parameters or file types. By default, no filtering is applied.

View aggregated policy audit events

The Policy Audit page displays a list of aggregated policy audit events, to give you an immediate picture of policy usage on endpoints.

By default, events in this table are sorted according to the most recent event detected by EPM. You can resort the events according to any column and apply filters to view a more focused list.

At the top of the list of audit events, you can see the number of events that are currently displayed and the total number of events that have been sent to the EPM service.

By default, 250 aggregated events are displayed at a time. This is configurable in Server configuration > Common settings.

When the total number of aggregated events is higher than 20,000, EPM displays 20,000+. This number increases every 10,000 events.

Click any row to open a split view and see more details about the aggregated policy audit event.

The number displayed in the Events column indicates the total number of times this event occurred on all agents, as received by the EPM server.

View event raw details

View the raw details of each audit event to get more information.

  1. In the policy audit event to view, click the number in the Events column to display the Policy Audit Events page. This list includes an audit of every time the policy was used.

    By default, this table is sorted chronologically, according to the most recent date of occurrence detected by EPM. You can resort them according to any column, and apply filters to view a more focused list.

    Events on Linux agents are not currently aggregated, so each line indicates a separate event.

  2. Click an event to open the details pane and view specific information.

    The Source and Pre-history tabs are empty if EPM has not received these details.

Event types

The aggregated events in each policy audit are categorized according to the type of activity that triggered policy usage. Depending on the event type, you can take action to apply a policy, add the application to an application group, or discover more information about the audit.

Events are categorized into the following types:

Event type

Description

Access restricted

A Restrict policy was applied to an application's attempt to access a protected resource.

Access detected

A Detect policy was applied to an application's attempt to access a protected resource.

Block

A Block policy was applied to a managed application.

Script

A Script policy was applied when a managed script was run.

Elevation

An Elevation policy was applied to a managed application.

Installation

An application policy that manages installation was applied.

Launch

An Allow policy was applied to an application that doesn't require elevated privileges to launch.

Trust

An Elevate policy was applied to a managed application.

On Linux agents, EPM collects events about privileged commands (sudo).

UAC audit

A User account control (UAC) monitoring policy was applied.

More policy audit actions

In the row of the application to manage, click More actions (...) and then one of the following options:

Option

Description

Add to policy

Add the application to an existing policy or to create a new advanced policy. For details, see Add an application to a policy, below.

Add to application group

Add the application to an existing application group or create a new one. For details, see Add an application to an application group, below.

Threat Intelligence

Run threat analysis for this application. For details, see Run threat analysis for an application.

File Summary

Opens a new tab that displays the File Summary page for this application. For details, see View application details.

Add an application to a policy

Add an application to an existing policy

You can add applications to existing policies to apply immediate coverage.

  1. In the line of the application to add to the policy, click the More actions (...) button and select Add application to policy.

  2. In the Select application policy window, search for the existing policy. Enter the name, action and status of the policy, then click Apply to display a list of policies that match these criteria.

  3. Select the policy to add the application to, then click one of the following buttons:

    Option

    Description

    Edit in policy

    Open the Edit policy page to add the application to the policy and set properties.

    Add to policy

    Add the application to the policy to give it immediate coverage.

  4. In the Policy form, under Scope, click View all to display all the definitions that are configured for this policy, including the new one you are adding now. The new policy definition appears at the top of the list.

  5. In the line of the definition for the application you are adding now, click the More actions (...) button, and select Edit.

  6. In the Application definition window, click Add properties from event to display a list of the event details.

    The details that are already in the policy scope are checked. Select additional properties to include in the policy scope, then click Add.

    If you add a property to the policy scope definition and then change it, you can still revert to the original value before you save the policy.

  7. Click Add properties from event again and select the event property. This overwrites the changed value and applies the value collected by the event.

  8. To remove a property that was automatically included, delete it from the list of properties.

  9. When you have finished setting the application definitions, click Done to return to the Policy form.

  10. Define the rest of the policy, as described in Application policies.

Add an application to a new policy

You can add applications to a new policy and apply it immediately.

  1. In the line of the application to add to the new policy, click the More actions (...) button and select Add application to policy.

  2. In the Select application policy window, click Create advanced policy, and confirm that you want to create an advanced application policy.

  3. Specify the name of the policy, the platform, and the action that the policy will manage, then click Continue.

  4. Under Scope, the details of the event are already listed.

    If you can't see all the events you selected, click View all to refresh the scope. The new policy definition appears at the top of the list.

    To edit this scope, click the More actions (...) button and select Edit.

  5. In the Application definition window, click Add properties from event to display a list of the event details.

    The details that are already in the policy scope are marked. Select additional properties to include in the policy scope, then click Add.

    If you add a property to the policy scope definition and then change it, you can still revert to the original value before you save the policy.

  6. Click Add properties from event again and select the event property. This overwrites the changed value and applies the value collected by the event.

  7. To remove a property that was automatically included, delete it from the list of properties.

  8. Define the rest of the policy, as described in Application policies.

Add an application to an application group

Add an application to an existing application group

You can add an application to an existing application group to immediately apply the policy coverage that has already been defined for that group.

  1. In the line of the application to add to the existing application group, click the More actions (...) button and select Add application to application group.

  2. Search for the existing application group. Enter the name and type of the application group, then click Apply to display a list of groups that match these criteria.

  3. Select the application group to add the application to, then click one of the following:

    Option

    Description

    Edit in application group

    Open the Edit application group page, then add the application to the group and set properties.

    Add to application group

    Add the application to the application group and apply the policies that manage the selected application group immediately.

    All policies that manage the selected application group apply to this application immediately.

  4. In the Application Groups form, under Scope, click View all to display all the definitions that are configured for this application group, including the new application you are adding now. The new application appears at the top of the list.

  5. In the line of the definition for the application you are adding now, click the More actions (...) button and select Edit.

  6. In the Application definition window, click Add properties from event to display a list of the application definitions.

    The details that are already in the scope of the application group are checked. Select additional properties to include in the scope, then click Add.

    If you add a property to the scope definition and then change it, you can still revert to the original value before you save the policy.

  7. Click Add properties from event again and select the event property. This overwrites the changed value, and applies the value collected by the event.

  8. To remove a property that was automatically included, in the Application definition window, delete it from the list of properties.

  9. When you have finished defining the Application definitions, click Done to return to the Application Group form, and then Save to add the new application(s) to the group.

Add an application to a new application group

You can create a new application group and add applications to it directly.

  1. In the line of the application to add to the existing application group, click the More actions (...) button and select Add application to application group.

  2. In the Select application group window, click Create application group, then specify the name of the application group and the platform of the applications it will include.

  3. In the Application Groups form, under Scope, click View all to display the definitions for this application group. EPM takes these from the application(s) you are adding now.

  4. In the line of the definition for each application, click the More actions (...) button and select Edit.

  5. In the Application definition window, click Add properties from event to display a list of the application definitions.

    The details that are already in the scope of the application group are checked. Select additional properties to include in the scope, then click Add.

    If you add a property to the scope definition and then change it, you can still revert to the original value before you save the policy.

  6. Click Add properties from event again and select the event property. This overwrites the changed value, and applies the value collected by the event.

  7. To remove a property that was automatically included, in the Application definition window, delete it from the list of properties.

  8. When you have finished defining the Application definitions, click Done to return to the Application Group form, and then Create to add the new application(s) to the group.

For more details, see Application groups.

Run threat analysis for an application

You can run a threat analysis for a policy audit.

  1. In the row of the application to manage, click the More actions (...) button and select Threat Intelligence.

  2. Select the threat intelligence service to run for the selected application. Depending on the application you selected, either a pop-up appears and displays the results or EPM opens a full report in a browser for a third party site.

For more details, see Assess threats.

View additional policy usage reports

In addition, the EPM Set administrator can view several audit reports that outline policy usage.

In the EPM Management console, select Reports, then click Policy Audit Reports.

View endpoint activity

 

This is only applicable for Windows policies.

When a policy that is configured to create audit videos is applied to an application, EPM records all end user activity while they use the targeted application and saves it in an audit video. EPM starts recording when the application is launched and ends when the application instance is closed.

View audit videos

From the EPM Management console, select Policy Audit, and then click Audit Video to display a filterable display of the collected audit videos.

 

You cannot view audit videos in the EPM console. Instead, access them on your local computer or network share at the location specified in the audit video details.

Filter audit videos

By default, the Audit Video window is filtered to display recordings made during the last 24 hours.

In addition, you can filter recordings by one of the following criteria:

Criteria

Specify...

Computer

The name of an endpoint.

User

The user name and domain of the end user who activated the event.

Policy

The name of the policy that triggered the audit video recording.

Last Time

The time period to include in the report.

The main pane lists all audit video recordings, based on the filter that is currently applied.

The Status column indicates the status of the video. You can only view recordings with the Ready status.

Additional options

The Actions menu offers the following additional options:

Option

Description

Details

Provides additional details of the selected video including size and location.

Delete

Deletes a selected audit video.

Settings

Redirects you to the Audit video configuration settings, where you can define advanced audit video settings.

Report

Displays the audit video report in another browser tab for the selected date range, and presents expandable details about audit videos. Reports can be exported to a PDF, Word or Excel document, refreshed, or printed.

 

The Audit Video Report is also available in the Reports window.

Export to Excel

Exports the list of the audit video recordings to an Excel file.