The system audit trail

Whenever a resource is created, modified, or deleted from Cased, whether via the website or REST API, an audit event is published to your Cased <strong class="css-0">system</strong> audit trail.
Overview
Both Live and Test environments have their own system audit trails. Audit events published to the System audit trail answer the who, what, when, and where of actions performed on Cased.
The System audit trail is immutable and guaranteed to show all activity that happens on Cased with your data.
Example
Actions recorded in System audit trail
API Keys
Action
Description
api_key.create
An API key created for publishing events to an audit trail, audit trail policy, or environment.
api_key.delete
An API key was deleted.
Audit Event Unmask
Action
Description
audit_event_unmask.create
Personally Identifiable Information within an audit event has been unmasked.
Audit Trail Export
Action
Description
audit_trail_export.create
Events from an audit trail policy have been exported.
audit_trail_export.success
The requested events from an audit trail policy have been successfuly exported.
audit_trail_export.error
Exporting events from an audit trail policy could not be completed.
audit_trail_export.download
The requested events from an audit trail policy have been downloaded.
Audit Trail
Action
Description
audit_trail.create
An audit trail was created.
audit_trail.update
An audit trail was updated.
audit_trail.delete
An audit trail was deleted.
Audit Trail Policy
Action
Description
audit_trail.create
An audit trail policy was created.
audit_trail.update
An audit trail policy was updated.
audit_trail.add_audit_trail
An audit trail was added to an audit trail policy.
audit_trail.add_group
A group was given access to an audit trail policy.
audit_trail.add_user
A user was given access to an audit trail policy.
audit_trail.remove_audit_trail
An audit trail was removed from an audit trail policy.
audit_trail.remove_group
A group's access to an audit trail policy was revoked.
audit_trail.remove_user
A user's access to an audit trail policy was revoked.
audit_trail.delete
An audit trail policy was deleted.
Environment
Action
Description
environment.create
The live or test environment has been created.
Events
Action
Description
events.search
A user performed a search authorized by an audit trail policy.
Group
Action
Description
group.create
A group has been created.
group.update_name
A group's name has been modified.
group.create
A group was deleted from a Cased account.
Guard Application
Action
Description
guard_application.approve_on_unreachable
Guard sessions will be approved for a Guard application in the event Cased.com is unavailable.
guard_application.connect_slack_channel
Slack channel has been configured for a Guard application.
guard_application.create
A Guard application has been created.
guard_application.delete
A Guard application was deleted.
guard_application.deny_on_unreachable
Guard sessions will be denied for this Guard application in the event Cased.com is unavailable.
guard_application.disconnect_slack_channel
Slack channel was removed from a Guard application.
guard_application.reason_not_required
A reason is not required to start Guard sessions for a Guard application.
guard_application.reason_required
A reason is required to start Guard sessions for a Guard application.
guard_application.self_approval_disabled
Guard sessions cannot be approved by the same user starting a Guard session for a Guard application.
guard_application.self_approval_enabled
Guard sessions can be approved by the same user starting a Guard session for a Guard application.
guard_application.update_approval_duration
The window of time in minutes a Guard session will automatically be approved if a user already has an active, approved session has been updated for a Guard application.
guard_application.update_approval_timeout
The amount of time in minutes a Guard session must be responded to before another Guard session request must be initiated.
guard_application.update_message_of_the_day
The message displayed to users when starting a Guard session for this Guard application has been updated.
guard_application.update_name
A Guard application's name has been modified.
guard_application.update_custom_commands
Custom auto-approved commands for Guard sessions have been modified.
Guard Session
Action
Description
guard_session.approve
A Guard session was approved per the Guard application's approval requirements.
guard_session.cancel
A Guard session was canceled by the user who originally requested access to a Guard application.
guard_session.deny
A Guard session was denied for a Guard application.
guard_session.requested
A Guard session was initiated.
guard_session.timeout
A Guard session has timed out per the Guard application's settings.
User
Action
Description
user.create
A user has been created.
user.update_email
A user's email has been updated.
user.update_password
A user's password has been modified.
user.update_group
A user has changed groups.
user.delete
A user was deleted from a Cased account.
user.login
A user successfully authenticated with Cased.
user.failed_login
A user failed to authenticate with their Cased account.
user.initiate_single_sign_on
A user initiated a Single Sign-On session with the organization's configured identity provider.
Organization
Action
Description
organization.create
A new Cased account was created.
organization.update
A Cased account was updated.
organization.update_default_group
The default group user's accounts are assigned if not specified during provisioning was modified.
organization.update_default_sensitivity_level
The default sensitivity level a sensitive label is assigned when first detected by Cased.
organization.update_default_sensitive_response_expiration
The default amount of time in minutes a sensitive data request expires in was modified.
SAML Provider
Action
Description
saml_provider.create
A SAML Single Sign-On identity provider has been configured for a Cased account.
saml_provider.update
A SAML Single Sign-On configuration has been updated.
saml_provider.delete
A SAML Single Sign-On identity provider was deleted.
Sensitive Data Request
Action
Description
sensitive_data_request.pending
A request to access sensitive data is pending.
sensitive_data_request.approved
A request to access sensitive data has been approved.
sensitive_data_request.denied
A request to access sensitive data has been denied.
Sensitive Label
Action
Description
sensitive_label.create
A new sensitivity label was created.
sensitive_label.update_description
A sensitivity label's description was modified.
sensitive_label.update_sensitivity_level
A sensitivity label's sensitivity level was modified.
sensitive_label.delete
A sensitivity label's was deleted.
Sensitivity Level
Action
Description
sensitivity_level.create
A new sensitivity level was created.
sensitivity_level.update_level
The sensitivity level's identifier has been updated.
sensitivity_level.update_description
The sensitivity level's description has been updated.
sensitivity_level.update_approval_requirement
The sensitivity level's approval requirement has been updated.
sensitivity_level.delete
A sensitivity level was deleted.
Workflows
Action
Description
workflow.create
A new workflow was created.
workflow.update_name
The workflow's name has been updated.
workflow.delete
A workflow was deleted.
Workflow Authentication Control
Action
Description
workflows_controls_authentication.enable
User authentication for a workflow has been enabled.
workflows_controls_authentication.disable
User authentication for a workflow has been disabled.
Workflow Approval Control
Action
Description
workflows_controls_approval.enable
Approvals were enabled for a workflow.
workflows_controls_approval.update_count
The number of approvals for a workflow to be fulfilled has been updated.
workflows_controls_approval.update_timeout
The approval timeout duration has been updated.
workflows_controls_approval.update_duration
The duration the approval lasts for has been updated.
workflows_controls_approval.enable_self_approval
Ability for authenticated user to approve own workflow has been enabled.
workflows_controls_approval.disable_self_approval
Ability for authenticated user to approve own workflow has been disabled.
workflows_controls_approval.disable
Approvals were disabled for a workflow.
Workflow Approvals
Action
Description
workflows_approval.request
A workflow approval request was delivered.
workflows_approval.approve
A workflow approval request met all approval requirements.
workflows_approval.deny
A workflow approval request did not meet all approval requirements.
workflows_approval.timeout
A workflow approval request timed out.
workflows_approval.cancel
A workflow approval request was canceled.
Workflow Approval Responses
Action
Description
workflows_approvals_response.approve
A workflow approval request received an approval response.
workflows_approvals_response.deny
A workflow approval request received a denied response.
Workflow Reason Control
Action
Description
workflows_controls_reason.enable
A reason must be provided for a workflow to run.
workflows_controls_reason.disable
A reason is not necessary for a workflow to run.
Security - Previous
Managing API Keys
Next - Security
Data subprocessors
Last modified 9mo ago
Copy link
On this page
Overview
Example
Actions recorded in System audit trail
API Keys