Auditor Manual¶
Introduction¶
The Auditor role uses the same interface as the Administrator and has access to the same information. The key difference is that Auditors have read-only access and cannot make any changes to the system. For example, they cannot delete users, modify settings, or connect to PAM targets.
This manual outlines the specific information an Auditor can view. For a complete guide to the interface, please refer to the Administrator Manual.
The Auditor Dashboard has the same layout as the Administrator Dashboard, with the following sections:
- Management: Profile, Users, Actions, Tokens, PAM, Identity Stores, Tenants, Geofences
- SAML: Service Providers, Identity Provider
- Security: OAuth Clients, Security Policies, Network Policy, Password Rotation Policy
- Insights: Statistics
- Others: Settings, About
Figure 1. Auditor Dashboard Overview
Management¶
Management - Profile¶
See the User Manual and Administrator Manual.
Management - Users¶
Users¶
Auditors can view a list of all users and their general information. The Actions column will be empty, as Auditors cannot perform actions like deleting users.
Figure 2. Users list overview
Invitations¶
Auditors can see the list of all user invitations. The only available action is to copy an invitation link. Re-inviting users or deleting invitations is not permitted.
Figure 3. Invitations list overview
Groups¶
Auditors can view the details of any user group but cannot perform any actions, such as editing or deleting them.
Figure 4. Groups list overview
Management - Actions, Tokens¶
In these sections, Auditors can view the same information as an Administrator. For more details, please see the User and Administrator Manuals.
Management - PAM¶
Targets¶
Unlike Administrators, Auditors can only view the details of PAM targets. They cannot connect to, edit, duplicate, or delete them.
Figure 5. PAM targets overview
Groups¶
Auditors can view the details of PAM target groups, but the Actions column will be empty.
Figure 6. No actions possible in the Actions column for Auditors
Sessions¶
Auditors can view the details of all PAM sessions, but no actions are available in the Actions column.
Figure 7. No actions possible in the Actions column for Auditors
Full-Text Search¶
Auditors have the same search functionality as Administrators.
Figure 8. Full-Text Search overview
Management - Identity Stores¶
Auditors can see the list of Identity Stores, but they cannot view their details or perform any actions.
Figure 9. No actions possible in the Actions column for Auditors
Management - Tenants¶
Tenant List¶
Auditors can view the details of each tenant but cannot perform any actions from the Actions column.
Figure 10. Tenant list overview
Management - Geofences¶
Geofences¶
Auditors can view the list of all geofences and geofence groups but cannot make any changes.
Figure 11. Geofences overview
Groups¶
Figure 12. Geofence Groups overview
SAML¶
SAML - Service Providers¶
Service Providers¶
Groups¶
SAML - Identity Provider¶
Security¶
Security - OAuth Clients¶
Figure 13. OAuth Clients overview
Security - Policies¶
Figure 14. Security Policies overview
Security - Network Policy¶
Figure 15. Network Policy overview
Security - Password Rotation Policy¶
Figure 16. Password Rotation Policy overview
Insights¶
Insights - Statistics¶
General¶
Figure 17. Statistics overview
Devices¶
Figure 18. Devices overview
Actions¶
Figure 19. Actions overview
Others¶
Others - Settings¶
Email¶
Figure 20. Email settings overview
Others - About¶
Figure 21. About overview
Suggestions for Auditors¶
Auditor Checklist¶
When conducting a PAM audit, the audit team should use a checklist to ensure all items align with the audit's scope and objectives. The process usually involves interviewing key personnel, examining system settings, and reviewing logs to verify compliance.
- Review user access levels.
- Review user actions.
- Review Token usage.
- Review PAM Groups, Sessions, and Full-Text Search results.
- Audit Geofence settings.
- Review Security Policies and Rule Sets.
Analyze Audit Logs with a SIEM¶
For continuous auditing, we recommend integrating Excalibur logs with a Security Information and Event Management (SIEM) tool.
Analyze Your Logs
Once integrated, you can analyze the logs. Modern SIEM tools use machine learning to detect unusual behavior and can send alerts for suspicious activity. These tools combine data from multiple sources, making it easier to connect user access logs with other security events. The more detailed the logs, the better the insights from the SIEM.
Look for tools that track:
- Adding or suspending privileged users.
- Accessing critical or sensitive data.
- Unusual activity, like large file deletions.
- Changes to user roles or permissions.
- Administrative updates to databases or servers.
SIEM tools provide a broad overview of network activity while focusing on potential issues. They help investigate security incidents and prevent attacks by detecting abnormal traffic patterns. These tools also manage large volumes of alerts from different systems, highlighting the most critical risks. This saves security teams time and helps them prioritize actions to address threats effectively.
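As an added example (not part of the Excalibur product or its documentation), the sketch below shows how three of the event classes listed above could be expressed as detection rules over an exported log: privileged-user changes, role or permission changes, and bursts of file deletions. The JSON field names, event type strings, threshold and window are all assumptions made for illustration; map them to the fields your own export provides.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, one JSON event per line. Field names and event
# types are hypothetical, not Excalibur's log schema.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:00", "actor": "admin1", "event": "user.role_changed", "target": "bob", "new_role": "administrator"}
{"ts": "2024-05-01T09:05:00", "actor": "admin1", "event": "user.suspended", "target": "carol", "privileged": true}
{"ts": "2024-05-01T09:06:00", "actor": "admin1", "event": "user.suspended", "target": "dave", "privileged": false}
{"ts": "2024-05-01T09:10:00", "actor": "bob", "event": "file.deleted", "target": "/srv/a.bak"}
{"ts": "2024-05-01T09:11:00", "actor": "bob", "event": "file.deleted", "target": "/srv/b.bak"}
{"ts": "2024-05-01T09:12:00", "actor": "bob", "event": "file.deleted", "target": "/srv/c.bak"}
{"ts": "2024-05-01T10:30:00", "actor": "erin", "event": "file.deleted", "target": "/tmp/x"}
truncated-line-without-json
"""

PRIVILEGED_EVENTS = {"user.created", "user.suspended"}
ROLE_EVENTS = {"user.role_changed", "user.permission_changed"}
DELETE_THRESHOLD = 3                    # assumed tuning value
DELETE_WINDOW = timedelta(minutes=5)    # assumed tuning value

def triage(log_text):
    """Return (category, actor, detail) findings for the tracked event classes."""
    findings = []
    deletions = defaultdict(list)       # actor -> deletion times inside the window
    for line in filter(str.strip, log_text.splitlines()):
        try:
            ev = json.loads(line)
            ts = datetime.fromisoformat(ev["ts"])
        except (ValueError, KeyError, TypeError):
            # A log gap is itself an audit finding; never drop it silently.
            findings.append(("unparseable_line", "-", line[:40]))
            continue
        actor, kind, target = ev.get("actor", "-"), ev.get("event", ""), ev.get("target")
        if kind in PRIVILEGED_EVENTS and ev.get("privileged"):
            findings.append(("privileged_user_change", actor, f"{kind} {target}"))
        elif kind in ROLE_EVENTS:
            findings.append(("role_or_permission_change", actor, f"{target} -> {ev.get('new_role')}"))
        elif kind == "file.deleted":
            recent = [t for t in deletions[actor] if ts - t <= DELETE_WINDOW] + [ts]
            deletions[actor] = recent
            if len(recent) == DELETE_THRESHOLD:   # fires when the window fills
                findings.append(("bulk_deletion", actor, f"{len(recent)} deletions"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

The suspension of a non-privileged account and the single deletion by another user produce no finding, which is the behaviour to confirm when tuning equivalent rules in a SIEM.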