Data Integrity Checks

Overview

Event Manager now has the ability to run anti-tampering and data integrity checks to verify if any asset has had information modified or deleted.

Such actions should be investigated as they may indicate that a threat actor is attempting to hide malicious activity. This check runs daily, with alerts sent if the integrity check has failed. This check also helps organizations adhere to regulations like GDPR and PCI CSS, which require integrity monitoring to meet compliance requirements.

The integrity check runs as a daily maintenance process. All security events are checked for “deleted information” alerts. Because of the potential volume of security events that can be generated each and every day, not all of them can be checked on daily basis looking for any altered information. Instead, a selection of security events are randomly chosen as part of the daily data integrity check.

NOTE: See Data Integrity Check Configuration with the Event Manager Installation Guide for more information including Advanced Configuration options.

Reviewing the Status of Data Integrity Checks

To review the status of all "Data Integrity Checks" click the View icon from the tool ribbon and select Data Integrity - Tampering proof Data Integrity Check from the Standard Views listed.

NOTE: Event Manager Views are explained in “Compliance Views” section in the Event Manager User Guide.

A Data Integrity Check not only generates alerts for tampered (modified) or deleted information, but also generates a list of summary events should no evidence of modification be found. These summary events are very important as they prove that the Data Integrity check is regularly being undertaken.

Example Data Integrity Check showing No Modifications

Setting Failed Data Integrity Check Notifications

If you want to be specifically notified to a failed data integrity check you can set Notifications from within the Security Control - "Failed Integrity Check (Standard)"

Click the Configuration icon on the options tool ribbon to open the Event Manager Configuration display.

Click Define your Security Controls.

On the Event Manager > Controls page, scroll down to the System Management section.

Click Failed Integrity Check (Standard).

Click the Notifications tab.

Enter the email address of the person to be notified in the event of a failed data integrity check. Multiple email addresses can be entered provided they are separated by a comma (,).

Click OK to confirm.