Overview

A healthcare provider’s audit preparation meant chasing screenshots and exports from many tools—Endpoint Detection and Response (EDR), Mobile Device Management (MDM), and cloud configuration portals. Evidence lived in personal drives and chat threads, deadlines converged near assessments, and reviewers approved based on incomplete context. Intelligex automated evidence collection from source APIs into a secured, immutable repository, normalized it against a control catalog, and added reviewer attestation inside the existing workflow. Last-minute fire drills subsided, documentation became consistent, and auditor walkthroughs used a single, traceable system—while EDR, MDM, cloud platforms, and IT Service Management (ITSM) remained unchanged.

Client Profile

  • Industry: Healthcare provider (clinical operations and shared services)
  • Company size (range): Distributed clinics and corporate offices with centralized IT and Security
  • Stage: Mixed EDR and MDM solutions across Windows, macOS, and mobile; multi-cloud infrastructure and SaaS; evidence gathered manually for audits
  • Department owner: IT & Infrastructure (Security Engineering, Platform Engineering, and Compliance Operations)
  • Other stakeholders: Clinical Systems, End-User Computing, Cloud Platform, Identity and Access Management, Legal/Privacy, Internal Audit, External Assessors

The Challenge

Evidence lived everywhere except where auditors needed it. Endpoint encryption status came from MDM dashboards, EDR findings from security consoles, and cloud control posture from separate provider portals. Teams took screenshots or exported CSVs, saved them to shared folders, and repeated the process with each request. When auditors asked for timing or query details, responses depended on who captured the screenshot and whether they still had the file.

Review and approval were manual. Control owners attested via email or in spreadsheets, and approvals were not tied to the exact evidence set or query used. The same control required different proofs across assessments because requests were interpreted differently. Near audit dates, teams paused projects to collect artifacts and reconcile conflicting versions of the truth.

Constraints were real. Core tools could not be replaced, and re-platforming identity or endpoint management was out of scope. The provider needed a way to extract evidence reliably, keep it tamper-evident, and layer approvals and context—without forcing changes to EDR, MDM, cloud platforms, or the ITSM.

Why It Was Happening

Evidence collection was a manual, decentralized activity. Each team knew how to pull the signals from its tools, but there was no automated pipeline to run queries, normalize results, and store them with provenance. Control owners signed off in email because the approval experience was not connected to the evidence set. Without a governed, repeatable flow, the organization recreated effort and risk every audit cycle.

Tooling fragmentation amplified the problem. EDR, MDM, and cloud platforms surfaced posture, but none offered cross?tool normalization or immutable storage. Evidence was captured as screenshots rather than as query outputs with timestamps and parameters. That made validation and reuse difficult and left reviewers to interpret whether a screenshot matched the intended control.

The Solution

Intelligex implemented an evidence pipeline that collected posture from source APIs, normalized results against a control catalog, and stored artifacts in an immutable repository with reviewer attestation. Schedules and change triggers ran collectors for EDR, MDM, and cloud configuration; outputs carried query text, parameters, and timestamps; and a ServiceNow workflow routed evidence packets to control owners for review and sign-off. Evidence was written to object storage with retention and legal hold, and auditors received read-only packets with lineage. The design used EDR and MDM APIs such as Microsoft Defender for Endpoint and Microsoft Intune, cloud configuration services like AWS Config and Azure Policy, immutable storage features such as S3 Object Lock, and the existing ITSM (ServiceNow) for workflow and approvals. Policy mapping aligned to healthcare security expectations (for example, the HIPAA Security Rule as published by HHS).

  • Integrations: EDR posture and alerts; MDM device encryption and compliance; cloud configuration and inventory (AWS, Azure, Google Cloud); identity and MFA configuration; vulnerability scan summaries; ITSM for routing and sign-offs; SIEM for pipeline logs.
  • Control catalog: Canonical controls mapped to frameworks and internal policies; owners and review cadence; defined evidence queries and expected fields per control and platform.
  • Evidence collection and normalization: Scheduled and change-triggered collectors; query text and parameters stored with results; normalization into a common schema; deduplication across sources.
  • Immutable repository: Object storage with retention and legal hold; lineage and checksum for each artifact; role-based read paths for auditors; redaction rules for sensitive fields.
  • Reviewer attestation: ServiceNow tasks with evidence attachments and deep links; standard attestations and reason codes; maker-checker for high-risk controls; exception handling with compensating controls and review dates.
  • Dashboards and posture: Coverage by control and platform, stale or missing evidence, upcoming reviews, exception aging, and pipeline health; exportable packets with control mapping, queries, results, and sign-offs.
  • Security and privacy: Least-privilege service accounts; secrets in the enterprise vault; encryption at rest and in transit; minimal collection of sensitive values; access logging on evidence and approvals.
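The bullets above describe the shape of an evidence packet (query text, parameters, timestamp, normalized records, checksum) and the rules around it (per-platform field mappings into one schema, deduplication, redaction of sensitive fields, attestation bound to the exact artifact). The following Python sketch is an added example, not Intelligex code or any vendor API: it uses constructed sample rows standing in for Intune and Jamf responses, a hypothetical control `EP-03`, and field names chosen for illustration. It shows how a checksum over the canonical packet body makes later modification detectable, and why an attestation should reference that checksum rather than a screenshot.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed control-catalog entry (hypothetical control id and field names).
# Each platform entry maps canonical fields to that tool's raw field names.
CONTROL = {
    "control_id": "EP-03",
    "title": "Endpoint disk encryption enabled",
    "fields": ["device_id", "encrypted"],
    "sensitive": ["user"],  # collected only in redacted form
    "platforms": {
        "intune": {"device_id": "deviceName", "encrypted": "isEncrypted", "user": "userPrincipalName"},
        "jamf": {"device_id": "name", "encrypted": "filevault_enabled", "user": "username"},
    },
}

# Constructed sample API responses standing in for a Windows MDM and a macOS MDM.
SAMPLE_RESPONSES = {
    "intune": {
        "query": "GET /deviceManagement/managedDevices",
        "params": {"$select": "deviceName,isEncrypted,userPrincipalName"},
        "rows": [
            {"deviceName": "CLN-0001", "isEncrypted": True, "userPrincipalName": "jane@example.org"},
            {"deviceName": "CLN-0002", "isEncrypted": False, "userPrincipalName": "sam@example.org"},
            {"deviceName": "CLN-0001", "isEncrypted": True, "userPrincipalName": "jane@example.org"},  # duplicate row
        ],
    },
    "jamf": {
        "query": "GET /JSSResource/computers/subset/basic",
        "params": {"subset": "basic"},
        "rows": [{"name": "MAC-0007", "filevault_enabled": True, "username": "lee@example.org"}],
    },
}


def redact(value: str) -> str:
    """Replace an identity with a stable, non-reversible token so reviewers can
    correlate rows across packets without the packet carrying the identity."""
    return "redacted:" + hashlib.sha256(value.encode()).hexdigest()[:12]


def normalize(platform: str, raw_rows: list[dict]) -> list[dict]:
    """Map a tool's rows onto the canonical schema, redact sensitive fields,
    and drop duplicate devices reported more than once by the same source."""
    fmap = CONTROL["platforms"][platform]
    seen, out = set(), []
    for row in raw_rows:
        rec = {f: row[fmap[f]] for f in CONTROL["fields"]}
        rec["encrypted"] = bool(rec["encrypted"])
        rec["platform"] = platform
        for s in CONTROL["sensitive"]:
            rec[s] = redact(str(row[fmap[s]]))
        key = (platform, rec["device_id"])
        if key not in seen:
            seen.add(key)
            out.append(rec)
    return out


def canonical_json(obj) -> str:
    """Deterministic serialization: the checksum must not depend on key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def build_packet(platform: str, response: dict, collected_at: str) -> dict:
    """Assemble one evidence packet: what was asked, of which tool, when,
    the normalized result, and a SHA-256 over all of it (the lineage checksum)."""
    body = {
        "control_id": CONTROL["control_id"],
        "source": platform,
        "query": response["query"],
        "params": response["params"],
        "collected_at": collected_at,
        "records": normalize(platform, response["rows"]),
    }
    return {**body, "sha256": hashlib.sha256(canonical_json(body).encode()).hexdigest()}


def verify_packet(packet: dict) -> bool:
    """Recompute the checksum; any edit to query, params, time or records is detected."""
    body = {k: v for k, v in packet.items() if k != "sha256"}
    return hashlib.sha256(canonical_json(body).encode()).hexdigest() == packet["sha256"]


def attest(packet: dict, reviewer: str, decision: str, reason_code: str) -> dict:
    """Bind a reviewer's decision to the exact artifact by checksum; refuse to
    attest a packet whose contents no longer match its recorded checksum."""
    if not verify_packet(packet):
        raise ValueError("packet checksum mismatch; refusing to attest modified evidence")
    return {"control_id": packet["control_id"], "evidence_sha256": packet["sha256"],
            "reviewer": reviewer, "decision": decision, "reason_code": reason_code}


def failing_devices(packet: dict) -> list[str]:
    """Devices in the packet that do not satisfy the control."""
    return [r["device_id"] for r in packet["records"] if not r["encrypted"]]


if __name__ == "__main__":
    now = datetime.now(timezone.utc).isoformat()
    for platform, resp in SAMPLE_RESPONSES.items():
        pkt = build_packet(platform, resp, now)
        print(platform, pkt["sha256"][:16], "non-compliant:", failing_devices(pkt))
```

The design point is that the packet records the question (query and parameters) alongside the answer, so an auditor asking "what exactly was run, and when?" reads it from the artifact instead of from whoever took the screenshot. The redaction token is a hash prefix rather than the raw identity, which is enough to correlate a device across runs without putting a user identifier in the evidence store.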

Implementation

  • Discovery: Cataloged controls, current evidence sources, and query methods; inventoried EDR, MDM, and cloud platforms; reviewed audit histories and common rework; gathered privacy constraints and retention requirements; identified control owners and review cadence.
  • Design: Authored the control catalog with owners and mappings; defined per-control evidence queries and normalization fields; selected storage immutability settings and access patterns; designed ServiceNow workflows for attestation, exceptions, and escalations; planned dashboards and packet formats.
  • Build: Implemented collectors for EDR, MDM, and cloud configuration APIs; built normalization and lineage capture; configured object storage with retention and legal hold; integrated ServiceNow for tasking and approvals; wired logs to the SIEM; added redaction and dataset splitting for sensitive outputs.
  • Testing/QA: Ran in shadow mode to collect evidence without notifications; compared outputs to prior screenshots; validated lineage and immutability; piloted attestations with a subset of controls; tuned queries and field mappings based on reviewer feedback.
  • Rollout: Enabled live attestations for high?value controls; expanded coverage to remaining controls and platforms; backfilled historical packets for upcoming assessments by re?running approved queries; kept manual paths as a controlled fallback during early cycles.
  • Training/hand-off: Delivered sessions for control owners, Security, and Compliance on reviewing packets, raising exceptions, and exporting evidence; published query catalogs and packet examples; updated SOPs for audit prep and ad hoc requests; transferred catalog, collectors, and dashboards to Compliance Operations under change control.
  • Human-in-the-loop review: Established recurring reviews of low-confidence outputs, stale evidence, and exception trends; recorded decisions with rationale and effective dates; improvements flowed back into queries, mappings, and approval paths.

Results

Evidence moved from screenshots to repeatable, query-backed packets. EDR, MDM, and cloud posture arrived on a schedule and at change time, with the queries and parameters that produced each artifact. Control owners reviewed and attested within the ITSM, and exceptions carried compensating controls and review dates. When auditors asked for context, packets provided lineage and mappings rather than ad hoc explanations.

Audit preparation became routine. Teams saw which controls had fresh evidence and which required attention well before assessments. Walkthroughs referenced the same repository and dashboards used day-to-day, and legal hold ensured artifacts remained intact for the required retention period. Core tools stayed the same; the change was a governed pipeline and approval layer that turned scattered proofs into durable evidence.

What Changed for the Team

  • Before: Screenshots and exports gathered by hand. After: Evidence collected via APIs with queries, parameters, and timestamps recorded.
  • Before: Approvals lived in email. After: Attestations and exceptions flowed through ServiceNow linked to the exact evidence set.
  • Before: Artifacts drifted across folders. After: Evidence stored immutably with lineage and access controls.
  • Before: Deadlines forced fire drills. After: Schedules and dashboards surfaced gaps early with clear owners.
  • Before: Auditors asked for re-pulls and clarifications. After: Packets included mappings, queries, results, and sign-offs in one place.
  • Before: Sensitive values risked over-collection. After: Redaction and scoped queries limited data exposure.

Key Takeaways

  • Automate from the source; collect EDR, MDM, and cloud posture via APIs, not screenshots.
  • Make evidence immutable; store artifacts with retention, legal hold, and lineage.
  • Tie attestations to artifacts; approvals belong in the workflow that holds the evidence.
  • Normalize and map; define control queries and expected fields so packets are consistent.
  • Run in shadow mode; validate outputs against prior audits before switching processes.
  • Integrate, don’t replace; keep existing tools—add a pipeline, repository, and governance layer.

FAQ

What tools did this integrate with? The pipeline pulled posture from EDR and MDM platforms such as Microsoft Defender for Endpoint and Microsoft Intune, and from cloud configuration services including AWS Config and Azure Policy. Evidence lived in object storage with immutability features such as S3 Object Lock. Attestations and exceptions ran through the existing ITSM (for example, ServiceNow), and pipeline logs flowed to the SIEM.

How did you handle quality control and governance? A control catalog defined owners, mappings, and query standards. Collectors stored query text, parameters, and timestamps with each artifact. Attestations required reason codes and maker-checker for high-risk controls. Evidence was written to immutable storage with retention and access logging. Dashboards tracked stale or missing artifacts, low-confidence outputs, and exception aging.

How did you roll this out without disruption? The pipeline ran in shadow mode to collect draft artifacts alongside existing processes. Teams compared packets to prior screenshots and tuned queries and mappings. Live attestations began with a subset of controls, and manual paths remained available during early cycles. Coverage expanded as owners gained confidence.

How did you protect PHI and other sensitive data? Queries were scoped to posture and configuration rather than to patient records. Redaction rules masked sensitive fields in outputs, and separate datasets handled content requiring restricted access. Evidence access followed role?based permissions, and all reads and exports were logged.

How were frameworks and policies mapped? Each control in the catalog referenced relevant policies and external frameworks, including healthcare-specific expectations such as the HIPAA Security Rule as published by HHS. Packets included the mapping so auditors could trace from requirement to query and result.

What about multi-cloud and multiple EDR or MDM platforms? Collectors normalized outputs into a common schema across providers. Where platforms differed, the catalog defined platform-specific queries with the same intent and fields. The repository and attestation flow remained consistent regardless of source tool.

How were retention and legal hold enforced? Evidence was written with object lock or equivalent immutability and retention settings. Legal hold applied to packets linked to active assessments or investigations. Retention policies were configured per control family in alignment with Compliance and Legal guidance.

How did you keep evidence current between audits? Schedules ran collectors on a cadence and at change events, and dashboards showed upcoming reviews. Owners received tasks when evidence approached staleness, keeping posture fresh without waiting for the next assessment.
