Tulip allows you to get notifications on changes to specific elements in your security application configurations (e.g. Okta, Microsoft Entra ID, Intune, Defender for Endpoint, Cloudflare, CrowdStrike, Jamf, Splunk, Ping Identity). This helps ensure you won’t have incidents in the sensitive and less transparent areas of your security applications' configuration data.
Creating a new notification
First, make sure that you already connected an application and fetched its configuration data.
Then, navigate to your applicaiton connection settings page.
Go to the 'Monitor changes' section and click on 'Set up new notification'
Provide a title for your notification, select the elements you would like to track and choose whether to get notified via Slack or Email, or both (you can have multiple notification channels).
Upon the completion of a successful fetch or deployment, Tulip will check whether the elements you monitor were changed, and notify you accordingly, with the change details.
Monitoring changes deployed via Tulip or directly via the service
You can choose to track only changes deployed via Tulip, changes made directly via the service or both.
Frequency
We recommend setting the application connection fetch frequency to daily or hourly, to monitor changes as they occur.
Filtering referenced elements
Sometimes, you would like to monitor only elements that are referenced by other elements.
To do that, click on the filter ‘Referenced by elements’.
Filtering change type
You can monitor ‘any change’ to a specific element, or only ‘additions’, ‘deletions’, ‘modifications’.
Query-based selection
If you can't select the elements that you want to monitor using the checkboxes tree, you can use our query language.
When using a query, all the elements that match its pattern are selected, in runtime.
Select existing and future elements, by replacing any character or characters of their name or id (path), with '*', as shown in the example below:
Use the right pane to see the current results of the query.
Use the left pane to add elements to the query, by clicking on them.
Once ready, click 'SHIFT' + 'ENTER', to save it.
Common monitors
Keep track of sensitive security application elements and get notified when unauthorized users or groups are changing them, such as:
Okta policies and assignments
Microsoft Entra ID conditional access policies
Intune device compliance policies
Defender for Endpoint security settings
Cloudflare firewall rules
CrowdStrike sensor policies
Jamf configuration profiles
Splunk saved searches
Ping Identity authentication policies
Know about changes that impact your integrations, to avoid incidents in the less transparent areas of your security configuration, for example:
Notify your security operations team about changes that will impact authentication flows or device compliance.
Monitor key configuration fields that are integrated in important security monitoring or reporting dashboards.
Track script, automation, and workflow changes, especially those that impact security enforcement or monitoring.
Get notified on changes done by your contractors or external administrators.
Monitor frequently changed security policies or configurations to ensure they are not being altered outside of approved workflows.
Avoid incidents that impact users or customers by tracking changes to authentication, authorization, or network access rules.
Know about automation changes by tracking policy updates, triggers, and automated remediation workflows.
Monitor heavily tested elements, so that you can make sure the required tests are planned and the change is properly validated.
Microsoft Teams
Currently, only email and Slack notifications are supported. As for Microsoft Teams notifications, you can quickly generate ones from Tulip's email notifications. To do so, set up email notifications in Tulip per the above instructions and then integrate your email client with your MS Teams application via an integration tool, e.g., Zapier, MS Power Automate or automate.io.