Auditing policies: Decide which data-related activities to audit

Safetica can audit data-related activities on protected devices. Learn to properly create auditing policies to gain insight into company data.

Introduction: What are auditing policies

Safetica records data-related activities on protected devices, such as creating new files, copying them to different locations, uploading them to the web, printing, deleting, and renaming files. Safetica filters out system operations and records only user activities.

With auditing policies, you can control which data-related activities to audit and thus effectively audit company data. 


 

How to enable auditing of data-related activities

  • In Policies > Auditing, you can customize which data-related activities will and won’t be recorded by Safetica and for whom.
  • Auditing results are displayed in the Data section and can help you implement protection policies.
  • Safetica can audit:
    • Applications: Safetica records activities performed in running applications.
    • External devices: Safetica records the connection/disconnection of USB storage devices (USB drives, external drives, etc.).
    • Emails: Safetica records all email communication. The visibility of certain email-related records depends on the license you purchased.
    • Files: Safetica records file operations performed by users (opening files, sending files, etc.).
    • Print: Safetica records printing of documents.
    • Websites: Safetica records visited websites.

🍏macOS devices: Auditing features are slightly limited on macOS:

  • Printing is audited for mapped printers (both physical and virtual) only.
  • Virtual printing into files (such as virtual printing into .pdf) is not audited.
  • Website visits are audited only for Safari and Chrome browsers. 
  • Web upload and download are audited only for Safari and Chrome browsers. For Firefox and Opera, only web downloads are audited.
  • Incoming and outgoing email communication via email clients is audited only for the Apple Mail app.
  • The following destination types are not audited: FTP, RDP, git, external CD/DVD, virtual printer.
  • Move operations performed within one physical drive (including folders synced to the cloud) are not audited.
  • Open and Create operations are not audited.

Learn more about the differences in features between Windows and macOS here.

 

How to create an auditing policy

To create a new auditing policy:

  1. Go to Policies > Auditing and click Add policy.
  2. Enter the policy name and then click Add auditing rules.
  3. Select one or more rules to specify which activities should be audited.
  4. Select which users/teams the policy should apply to.
  5. Change the policy status on the right side to Enabled. You can also do this by toggling the switch next to the policy name in the list.

✍️Creating a custom policy allows you to easily set exceptions for selected users or teams. Just place the “exception policy” above more general policies applied to the whole company.

Example: Creating an exception from file audit

If you decide to enable Files in an auditing policy, Safetica will record all file operations (such as when a user opens a file or sends a file). If you then decide you want to disable file audit for the Development team but keep it enabled for the rest of the company, you can create an “exception policy” – with file audit disabled for Development. Do not forget to place the exception policy above the general one in the policy list.

 

Read next:

Data classification

How are policies evaluated and prioritized

How to create and delete policies

How to create data policies