How to Gain Visibility Into Audit Logs for Policy Customization in InsightVM

Since the launch of InsightVM’s Custom Policy Builder in June of this year, hundreds of organizations have created and customized secure configuration policies. While the standard CIS and DISA benchmarks are, by default, great for an organization to kickstart their policy and compliance program, customizations of those policies is integral to achieve better compliance as organizations mature. Through the policy scanning and customization features available within InsightVM, many organizations are improving their policy compliance and meeting their audit requirements in a continuous fashion.

As organizations continue to harden their policies through customizations, it becomes extremely important to keep track of all these changes, because these customizations may significantly impact an organization’s overall compliance. To enable our customers to get deeper visibility into all these changes, Custom Policy Builder now tracks every single change being performed on a policy. In this blog post, we will be focusing on a simple use case that enables your organization to achieve greater visibility into your policy customization process. To learn more about getting started with policy customization, check out this prior blog!

Example use case: Tracking custom policy changes made to disable rules

As soon as a policy user customizes and saves a policy, Custom Policy Builder will now show a new dialog box asking users to enter an optional message to associate with their recently performed change. In this particular example, as shown below, the user enters a simple statement to reflect the action they performed, which is disabling two rules in their policy.

Any user with Admin access to the Insight platform can now navigate to ‘View Audit Logs’ using the ‘More’ dropdown in Custom Policy Builder, as shown below:

This will open up a new tab, taking the user directly to the platform audit logging table that shows all the custom policy log events. All the actions performed during policy customization are now visible as a list of events, as shown below:

Now, the user can look at all the changes performed on a policy by drilling down into individual actions. For example, to check out more details about the rules that were disabled, click on the “View More” link on the DISABLE_RULES item to see more information on the exact two rules disabled. More information will display like this:

It’s as simple as that! You now have full visibility into the audit logs of custom policies so that you can know exactly when new changes have been made, what those changes are, and who put those changes into place. Check out our help documentation for more details.