Most IT issues begin with a change. A new privileged account is added. MFA is disabled. A firewall rule changes. A license is removed. A dormant account becomes active again.
But in many environments, those changes go unnoticed until they create an outage, trigger a security incident, or generate a support ticket.
Without historical visibility into what changed, when it changed, and who made the change, troubleshooting becomes reactive and heavily dependent on assumptions.
Liongard helps MSPs operationalize Change Detection by continuously monitoring systems for configuration changes, surfacing those changes through Actionable Alerts, and integrating them directly into operational workflows.
This allows teams to:
Detect unexpected changes earlier
Build evidence-driven troubleshooting workflows
Automate ticket generation
Reduce manual investigation time
Improve incident response
Strengthen compliance visibility
Standardize operational processes across environments
Instead of asking “What changed?”, teams can immediately see:
What changed
When it changed
Which system was impacted
What the previous value was
What the new value became
Why change detection matters
Most MSP environments are constantly changing.
Examples include:
Privileged access updates
MFA policy changes
Firewall modifications
VPN configuration updates
Endpoint drift
Licensing changes
Group membership updates
Security configuration changes
Without continuous monitoring:
Technicians waste time troubleshooting blindly
Changes go undocumented
Root cause analysis becomes difficult
Security risks remain hidden
Repeat incidents occur
Audit preparation becomes manual and painful
Operationalizing Change Detection helps teams move from reactive troubleshooting to evidence-driven operations.
How Liongard Change Detection works
Liongard continuously inspects customer environments and compares historical inspection data over time.
When changes occur:
Change Detection surfaces the difference
Actionable Alerts can trigger automatically
PSA tickets can be created automatically
Historical timelines provide before-and-after visibility
Technicians can investigate using evidence instead of assumptions
Change Detection works across systems such as:
Microsoft 365
Active Directory
Firewalls
Endpoints
Azure AD
Google Workspace
Networking infrastructure
Security platforms
From Change Detection to operational workflow
Change Detection becomes significantly more valuable when integrated into repeatable operational workflows.
Instead of manually reviewing changes, MSPs can:
Automatically route tickets to the PSA
Trigger escalation workflows
Create operational review processes
Build compliance evidence trails
Standardize investigation procedures
Reduce repeat incidents through alerting
Building a Change Detection workflow
Step 1 — Configure Actionable Alerts
Actionable Alerts allow Liongard to automatically detect and operationalize changes across environments.
Alerts are built using:
Rules
Templates
Environment assignments
Rules define:
What Liongard is monitoring
What conditions trigger an alert
Templates determine:
Alert routing
PSA destinations
Notification workflows
Operational ownership
Environments determine:
Which customers receive which alerts
Examples of common Change Detection alerts:
New admin account created
MFA disabled
Firewall rule modified
VPN configuration changed
Dormant account activated
New privileged access detected
Step 2 — Route alerts into operational workflows
Once configured, Liongard can automatically create PSA tickets when changes occur.
Alerts can route to:
ConnectWise PSA
HaloPSA
Autotask PSA
Microsoft Teams
Email notifications
Internal operational queues
This allows teams to operationalize Change Detection instead of relying on manual reviews.
Examples:
Security changes → SOC queue
Endpoint drift → Service Desk
Firewall modifications → Network Team
Identity changes → Cloud Team
Step 3 — Investigate using evidence
When an alert triggers, technicians can investigate directly inside Liongard.
Using:
Change Detection timelines
Historical inspection data
Before-and-after values
Related system visibility
teams can quickly determine:
Whether a change was expected
Whether it introduced risk
Whether additional systems were impacted
Whether the issue is recurring
This significantly reduces:
Portal hopping
Guesswork
Manual data collection
Investigation time
Step 4 — Close the operational loop correctly
Liongard’s ticket lifecycle management is designed around actual system state.
If the underlying issue still exists:
Liongard can reopen the PSA ticket automatically
Once the issue is resolved:
Liongard can automatically close the ticket after the next successful inspection cycle
This helps ensure:
Issues are actually remediated
Operational workflows stay aligned with real system state
Tickets are not prematurely closed
Common operational workflows
Security escalation workflows
Detect:
MFA disabled
Privileged access changes
Unauthorized accounts
Firewall drift
Unexpected VPN modifications
Automatically escalate:
P1 or P2 security workflows
SOC review
Incident response processes
Evidence-driven troubleshooting
Instead of asking:
“Did something change?”
technicians can immediately validate:
When the change occurred
Which values changed
Which systems were impacted
Whether the issue aligns with the timeline of the incident
This reduces average ticket resolution time and improves first-touch resolution.
Compliance & audit workflows
Change Detection timelines and historical records help support:
CIS v8 alignment
SOC 2 operational evidence
HIPAA reviews
Internal governance processes
Cyber insurance reporting
Exports and timelines create stronger evidence trails for audits and investigations.
Configuration drift monitoring
Monitor for:
Unauthorized configuration changes
Standardization drift
Policy inconsistencies
Security posture degradation
This helps MSPs maintain operational consistency across environments.
Example operational workflow
Scenario: MFA Disabled for Privileged User
Detection
Liongard detects MFA disabled on a privileged Microsoft 365 account.
Alerting
An Actionable Alert automatically:
Creates a PSA ticket
Routes the issue to the Security queue
Flags the issue as P2 priority
Investigation
The technician reviews:
Change Detection timeline
Previous vs current MFA state
Related identity activity
Recent privileged account changes
Resolution
The technician:
Confirms the change was unauthorized
Re-enables MFA
Documents remediation steps
Allows Liongard to auto-close the ticket after the next inspection confirms remediation
Operational Outcome
Faster response time
Evidence-based remediation
Reduced manual investigation
Audit trail preserved automatically
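The scenario above, together with the state-driven ticket lifecycle from Step 4, sketched as an added example (not Liongard's code or API). The snapshot shape, account names, and function names are assumptions made for illustration; the Security queue and P2 priority come from the scenario.

```python
# Constructed inspection snapshots (account -> settings). These shapes are
# assumptions for illustration, not Liongard's data model or API.
SNAP_1 = {"admin@example.com": {"privileged": True, "mfa_enabled": True},
          "user@example.com": {"privileged": False, "mfa_enabled": True}}
SNAP_2 = {"admin@example.com": {"privileged": True, "mfa_enabled": False},
          "user@example.com": {"privileged": False, "mfa_enabled": False}}
SNAP_3 = {"admin@example.com": {"privileged": True, "mfa_enabled": True},
          "user@example.com": {"privileged": False, "mfa_enabled": False}}

def diff_snapshots(old, new):
    """Compare two inspections; record what changed with before/after values."""
    changes = []
    for account in sorted(set(old) | set(new)):
        before, after = old.get(account, {}), new.get(account, {})
        for field in sorted(set(before) | set(after)):
            if before.get(field) != after.get(field):
                changes.append({"account": account, "field": field,
                                "previous": before.get(field),
                                "new": after.get(field)})
    return changes

def violations(snapshot):
    """Rule on current state: privileged accounts with MFA turned off."""
    return {a for a, s in snapshot.items()
            if s.get("privileged") and not s.get("mfa_enabled")}

def sync_tickets(tickets, snapshot, changes):
    """Drive ticket status from inspected state, not from technician action."""
    failing = violations(snapshot)
    for account in failing:  # open a new ticket, or reopen one closed too early
        t = tickets.setdefault(account, {"queue": "Security", "priority": "P2",
                                         "evidence": []})
        t["status"] = "open"
        t["evidence"] += [c for c in changes if c["account"] == account]
    for account, t in tickets.items():  # close only once an inspection is clean
        if account not in failing:
            t["status"] = "closed"
    return tickets

def run_scenario():
    tickets = {}
    sync_tickets(tickets, SNAP_2, diff_snapshots(SNAP_1, SNAP_2))  # detection
    tickets["admin@example.com"]["status"] = "closed"  # premature manual close
    sync_tickets(tickets, SNAP_2, [])  # next inspection: MFA still off
    after_manual_close = tickets["admin@example.com"]["status"]
    sync_tickets(tickets, SNAP_3, diff_snapshots(SNAP_2, SNAP_3))  # MFA restored
    return after_manual_close, tickets
```

The non-privileged account also loses MFA in the second snapshot and appears in the diff, but it does not match the rule, so no ticket is raised for it.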
Reducing operational noise
Not every change requires escalation.
Liongard supports:
Rule silencing
Scoped suppressions
RoarExclude exclusions
Template-level rule management
This helps MSPs:
Reduce alert fatigue
Avoid duplicate tickets
Maintain technician trust
Build cleaner operational workflows
The goal is operational signal — not alert volume.
Operational outcomes & benefits
Building workflows around Change Detection helps MSPs:
Detect operational risk earlier
Reduce troubleshooting time
Improve incident response
Automate ticket generation
Reduce repeat incidents
Improve operational consistency
Strengthen audit readiness
Reduce technician burnout
Improve client trust through evidence-based operations
Best practices
Treat Liongard as the first stop during ticket investigation
Build alerting around meaningful operational risk
Route alerts based on operational ownership
Review recurring alerts regularly
Suppress expected changes appropriately
Avoid manually closing tickets before remediation is complete
Use timelines and historical visibility during every investigation
Convert recurring incidents into new alerting workflows
Recommended operational cadence
| Workflow | Recommended Frequency |
|---|---|
| Open alert triage | Daily |
| Alert pattern review | Weekly |
| Silence rule review | Monthly |
| Template/rule review | Quarterly |
From reactive troubleshooting to evidence-driven operations
High-performing MSPs do not troubleshoot based on assumptions.
They troubleshoot based on evidence.
Liongard Change Detection helps teams operationalize visibility into configuration changes, security drift, and operational anomalies so technicians can respond faster, investigate with confidence, and build repeatable workflows around real system data instead of guesswork.
Related Resources
Using Liongard’s Example Template — docs.liongard.com/docs/using-liongards-example-template
How to Set Up Actionable Alerts — docs.liongard.com/docs/how-to-set-up-actionable-alerts
How to Write a Custom Actionable Alert — docs.liongard.com/docs/custom-actionable-alert-rule
Reading Actionable Alerts — docs.liongard.com/docs/reading-actionable-alerts
Understanding Actionable Alerts — docs.liongard.com/docs/understanding-actionable-alerts
Silence Actionable Alert Rules — docs.liongard.com/docs/silence-actionable-alert-rules
Actionable Alerts Knowledge Base & FAQs — support.liongard.com
Liongard Alert / CIS v8 Controls Mapping
Build a Clean Alert Baseline with Actionable Alerts
Automate Operational Response with Actionable Alerts
Resolve Help Desk Tickets Faster with Unified Visibility
Continuous Asset Discovery & Inventory with Liongard