NNT Change Tracker Gen 7 has been designed to be simple to set up and use. This is a key differentiator from more cumbersome legacy products such as Tripwire® Enterprise, which require complex combinations of Tasks, Actions, Rules and Policies, all with regular expression pattern matches to configure.
The beauty of Change Tracker Gen 7 is that all the most common monitoring and reporting tasks are pre-packaged and automatically assigned to devices based on an intelligent discovery process.
Forensic-level file integrity monitoring is essential for effective breach detection and change control, but it has traditionally come at a price: unwanted Change Noise.
It is therefore necessary to employ techniques to exclude files/paths that generate change noise, or to filter out changes from specific files or file types. Change Tracker Gen 7 makes this easy by providing a range of Built-in Changes Filters and File/Path Match Filters. Using these should cover the vast majority of common requirements. For example, the System File FileMatch Filter comprises the following settings:
Any Folder, with Unlimited Recursion, matching on a Wildcard basis *.exe or *.sys or *.dll or *.drv
The File/Path Match filter works in conjunction with the Tracked Attributes/Change Type Filter to give you fine-grained control over which changes you track. Likewise, you can then layer in an Exclusions specification that is merged with the Inclusion rules, so that you see just the changes you want and exclude the change noise.
Finally, you can use the Gen 7 UI to create new Custom Pathmatch Definitions.
Custom Planned Change Rules – Conditional Classification of Planned Changes
If the previous range of options doesn’t give you what you are looking for, you can bring into play precise, conditional evaluation of the changes detected.
For example, where we want to detect changes to a file but only accept them when specified conditions are met, including:
- Accept a change made by a specified user
- Accept a change made by a specified process
- Accept a change if it is anything other than a deletion
- Accept a change if it is a file length increase
Or in fact, any combination of logic can be applied to a huge range of Device Event Change Attributes, including:
- Files: FileHash value or File Permissions can change to specified values only
- Network Port Tracker: Open TCP Port changes can be within the Ephemeral/Dynamic Port Range
- Installed Software: Version number must be greater than a minimum level
- Security Policy Tracker: Allow specific policy settings to change, but no others
- Database Tracker: Table Owner must not change, other attributes can
Example of a Custom Planned Change Rule to accept changes made by the User Account NT Authority\System, i.e. the built-in Windows service account used for automated Windows Updates. Any changes made by other user accounts are flagged as Unplanned for investigation.
The earliest two changes were invoked by the NT Authority\System account – the PowerShell Web Access feature was added using Server Manager. However, the other changes were made using a regular User Account and as such end up as Unplanned Changes.
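The classification logic described above can be modelled in a few lines. This is an added example, not Change Tracker's own rule syntax or code: the event field names, function names and rule name are assumptions, and the sample events are constructed. It combines the System File wildcard match with a planned-change rule that requires both "made by NT Authority\System" and "anything other than a deletion".

```python
from fnmatch import fnmatchcase

# Wildcards from the System File match filter described above.
SYSTEM_FILE_PATTERNS = ("*.exe", "*.sys", "*.dll", "*.drv")

def in_scope(event):
    """Any folder, unlimited recursion: match on the file name only."""
    name = event["path"].rsplit("\\", 1)[-1].lower()
    return any(fnmatchcase(name, p) for p in SYSTEM_FILE_PATTERNS)

# Condition builders (hypothetical names); each yields a predicate on an event.
def made_by_user(account):
    return lambda e: e["user"].lower() == account.lower()

def not_deletion(e):
    return e["type"] != "deleted"

# A rule accepts a change only if ALL of its conditions hold.
PLANNED_RULES = {
    "windows-update": [made_by_user(r"NT AUTHORITY\SYSTEM"), not_deletion],
}

def classify(event, rules=PLANNED_RULES):
    if not in_scope(event):
        return "filtered"      # outside the file match filter: change noise
    for conditions in rules.values():
        if all(cond(event) for cond in conditions):
            return "planned"
    return "unplanned"         # flagged for investigation

# Constructed sample events, not product output.
EVENTS = [
    {"path": r"C:\Windows\System32\drivers\example.sys",
     "user": r"NT AUTHORITY\SYSTEM", "type": "modified"},
    {"path": r"C:\Windows\System32\example.dll",
     "user": r"CORP\jsmith", "type": "modified"},
    {"path": r"C:\Logs\app.log",
     "user": r"CORP\jsmith", "type": "modified"},
    {"path": r"C:\Windows\System32\example.exe",
     "user": r"NT AUTHORITY\SYSTEM", "type": "deleted"},
]

def classify_all(events=EVENTS):
    return [classify(e) for e in events]

if __name__ == "__main__":
    for e, verdict in zip(EVENTS, classify_all()):
        print(f"{verdict:9} {e['type']:8} {e['user']:20} {e['path']}")
```

The last event shows why layering conditions matters: a deletion by the System account still lands in the unplanned queue instead of being accepted on the account name alone.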