Monitoring Policies (Learning Mode)

At the most basic level, a Monitoring policy is a policy that takes no action. It exists only to gather data, which you can use for audits or for assigning actions to application events retrospectively. In trial and Proof of Concept (PoC) environments, a Monitoring policy can be pointed at specific endpoints to learn about events that are already happening, or to test-run specific applications that you want to introduce into Privilege Manager quickly.

Every Monitoring policy has Audit Policy Events set to active under the Actions section.

Audit Policy Events is generally left inactive in production environments, outside of specific auditing or data-collecting initiatives, because of the large volume of data these policies gather.

Creating a Monitoring Policy

Use the policy wizard to create a monitoring policy for the learning mode phase on your instance.

  1. Under your Computer Group, navigate to Application Policies. Click Create Policy.

  2. On the What type of policy? page, select Monitoring and click Next Step.


    Policies can also be created using a blank policy. Refer to Creating Policies.

  3. On the What processes do you want this policy to monitor in this computer group? page, select Everything and click Next Step.

  4. Enter a new name for the policy and click Create Policy.

  5. The policy page is displayed. On the Settings tab, continue to customize parameters for the policy, then click Save.

It is not recommended to assign this policy to more than a handful of machines.

Discover Applications that Require Administrator Rights

The applications that matter most are those that require administrator rights to run. When setting up endpoints according to least privilege, you can use a monitoring policy to discover all events that require Administrator rights.

Use the policy wizard to create a monitoring policy that records only applications run with administrator rights.

  1. Under your Computer Group, navigate to Application Policies. Click Create Policy.
  2. On the What type of policy? page, select Monitoring and click Next Step.
  3. On the What processes do you want this policy to monitor in this computer group? page, select Applications Run as Admin and click Next Step.
  4. Enter a new name for the policy and click Create Policy.
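A cross-check that is not part of Privilege Manager or of this page: the PowerShell below reads the same signal from the Windows Security log, process creation events (ID 4688) whose Token Elevation Type shows a full or elevated token, and ranks the images by how often they were launched. It assumes the Audit Process Creation subcategory is enabled on the test workstation. The function names, the sample users and the sample paths are this example's own constructions, embedded so the script runs offline; the live `Get-WinEvent` call is shown as a comment.

```powershell
# Added example, not Privilege Manager code: list processes that launched with a
# full (non-filtered) token, from Security event 4688 (Process Creation).
# Assumes "Audit Process Creation" is enabled on the test workstation.

# TokenElevationType values as written into event 4688.
$TokenElevation = @{
    '%%1936' = 'Default (full token, no UAC split: built-in Administrator, services, or UAC off)'
    '%%1937' = 'Full (elevated through UAC consent or Run as administrator)'
    '%%1938' = 'Limited (standard user filtered token)'
}

function ConvertFrom-ProcessCreationEvent {
    # Flatten one 4688 event's XML into an object with the fields we need.
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        User      = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        Process   = $data.NewProcessName
        Parent    = $data.ParentProcessName
        Elevation = $data.TokenElevationType
    }
}

function Get-ElevatedLaunch {
    # Keep launches that ran with a full token and rank the images by launch count.
    param([Parameter(ValueFromPipeline)]$Launch)
    begin { $rows = [System.Collections.Generic.List[object]]::new() }
    process { $rows.Add($Launch) }
    end {
        $rows | Where-Object { $_.Elevation -in @('%%1936', '%%1937') } |
            Group-Object Process | Sort-Object Count -Descending | ForEach-Object {
                [pscustomobject]@{
                    Process   = $_.Name
                    Launches  = $_.Count
                    Users     = ($_.Group.User | Sort-Object -Unique) -join ', '
                    Elevation = ($_.Group.Elevation | Sort-Object -Unique |
                                 ForEach-Object { $TokenElevation[$_] }) -join '; '
                }
            }
    }
}

# Live use on a test workstation (reading the Security log needs an elevated shell):
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) } |
#       ForEach-Object { ConvertFrom-ProcessCreationEvent ([xml]$_.ToXml()) } | Get-ElevatedLaunch

function New-SampleEvent {
    # Builds a minimal 4688 event body; used only for the constructed sample below.
    param($Time, $User, $Process, $Parent, $Elevation)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><TimeCreated SystemTime="$Time"/></System>
  <EventData>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectUserName">$User</Data>
    <Data Name="NewProcessName">$Process</Data>
    <Data Name="TokenElevationType">$Elevation</Data>
    <Data Name="ParentProcessName">$Parent</Data>
  </EventData>
</Event>
"@
}

# Constructed sample: hypothetical users and paths, not captured from a real host.
$sampleEvents = @(
    New-SampleEvent '2024-05-01T09:00:00Z' 'jdoe'   'C:\Program Files\VendorApp\setup.exe' 'C:\Windows\explorer.exe'          '%%1937'
    New-SampleEvent '2024-05-01T09:05:00Z' 'jdoe'   'C:\Windows\System32\notepad.exe'      'C:\Windows\explorer.exe'          '%%1938'
    New-SampleEvent '2024-05-01T10:12:00Z' 'asmith' 'C:\Program Files\VendorApp\setup.exe' 'C:\Windows\explorer.exe'          '%%1937'
    New-SampleEvent '2024-05-01T11:00:00Z' 'SYSTEM' 'C:\Windows\System32\svchost.exe'      'C:\Windows\System32\services.exe' '%%1936'
)

$sampleEvents | ForEach-Object { ConvertFrom-ProcessCreationEvent ([xml]$_) } |
    Get-ElevatedLaunch | Format-Table -AutoSize
```

On the constructed sample this lists setup.exe (two launches, two users, elevated through UAC) and svchost.exe (one launch, default full token) and drops notepad.exe, which ran with a limited token. Keep in mind what this log can and cannot tell you: event 4688 records what actually ran with a full token, so it will not show an application a standard user tried and could not run for lack of rights, which is exactly the case the monitoring policy is there to catch.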


View Policy Results

To view all feedback events sent by your existing policies that have Send Policy Feedback checked, click the Policy Events tab for that policy. Events are listed in the main section, and the left sidebar lets you scope the results by policy, computer, time frame, and so on. From this view you can assign any event to a policy by clicking Assign to Policy under the event listing.


Discover All Events on Test Workstations

Another type of monitoring policy discovers all events on the targeted machines, regardless of whether the application requires Administrator rights. It is used in test environments to quickly target policies at untrusted or unwanted applications, and is not recommended for production settings.

  1. Under your Computer Group, navigate to Application Policies. Click Create Policy.

  2. On the What type of policy? page, select Monitoring and click Next Step.

  3. On the What processes do you want this policy to monitor in this computer group? page, select Everything and click Next Step.

  4. Enter a new name for the policy and click Create Policy.

  5. In the General tab, locate Computer Groups Targeted.


  6. Add the Application Compatibility Testing Windows Computers (Target) collection and remove the Windows Computer target.

  7. Click Update.