Whenever a resource is created, modified, or deleted from Cased, whether via the website or REST API, an audit event is published to your Cased system audit trail.
Overview
Both Live and Test environments have their own system audit trails. Audit events published to the System audit trail answer the who, what, when, and where of actions performed on Cased.
The System audit trail is immutable and guaranteed to show all activity that happens on Cased with your data.
Example
Actions recorded in System audit trail
API Keys
| Action | Description |
| --- | --- |
| api_key.create | An API key was created for publishing events to an audit trail, audit trail policy, or environment. |
| api_key.delete | An API key was deleted. |
Audit Event Unmask
| Action | Description |
| --- | --- |
| audit_event_unmask.create | Personally Identifiable Information within an audit event has been unmasked. |
Audit Trail Export
| Action | Description |
| --- | --- |
| audit_trail_export.create | Events from an audit trail policy have been exported. |
| audit_trail_export.success | The requested events from an audit trail policy have been successfully exported. |
| audit_trail_export.error | Exporting events from an audit trail policy could not be completed. |
| audit_trail_export.download | The requested events from an audit trail policy have been downloaded. |
Audit Trail
| Action | Description |
| --- | --- |
| audit_trail.create | An audit trail was created. |
| audit_trail.update | An audit trail was updated. |
| audit_trail.delete | An audit trail was deleted. |
Audit Trail Policy
| Action | Description |
| --- | --- |
| audit_trail.create | An audit trail policy was created. |
| audit_trail.update | An audit trail policy was updated. |
| audit_trail.add_audit_trail | An audit trail was added to an audit trail policy. |
| audit_trail.add_group | A group was given access to an audit trail policy. |
| audit_trail.add_user | A user was given access to an audit trail policy. |
| audit_trail.remove_audit_trail | An audit trail was removed from an audit trail policy. |
| audit_trail.remove_group | A group's access to an audit trail policy was revoked. |
| audit_trail.remove_user | A user's access to an audit trail policy was revoked. |
| audit_trail.delete | An audit trail policy was deleted. |
Environment
| Action | Description |
| --- | --- |
| environment.create | The live or test environment has been created. |
Events
| Action | Description |
| --- | --- |
| events.search | A user performed a search authorized by an audit trail policy. |
Group
| Action | Description |
| --- | --- |
| group.create | A group has been created. |
| group.update_name | A group's name has been modified. |
| group.create | A group was deleted from a Cased account. |
Guard Application
| Action | Description |
| --- | --- |
| guard_application.approve_on_unreachable | Guard sessions will be approved for a Guard application in the event Cased.com is unavailable. |
| guard_application.connect_slack_channel | A Slack channel has been configured for a Guard application. |
| guard_application.create | A Guard application has been created. |
| guard_application.delete | A Guard application was deleted. |
| guard_application.deny_on_unreachable | Guard sessions will be denied for this Guard application in the event Cased.com is unavailable. |
| guard_application.disconnect_slack_channel | A Slack channel was removed from a Guard application. |
| guard_application.reason_not_required | A reason is not required to start Guard sessions for a Guard application. |
| guard_application.reason_required | A reason is required to start Guard sessions for a Guard application. |
| guard_application.self_approval_disabled | Guard sessions cannot be approved by the same user starting a Guard session for a Guard application. |
| guard_application.self_approval_enabled | Guard sessions can be approved by the same user starting a Guard session for a Guard application. |
| guard_application.update_approval_duration | The approval duration for a Guard application has been updated: the window of time, in minutes, during which a Guard session is automatically approved if the user already has an active, approved session. |
| guard_application.update_approval_timeout | The approval timeout has been updated: the amount of time, in minutes, within which a Guard session must be responded to before another Guard session request must be initiated. |
| guard_application.update_message_of_the_day | The message displayed to users when starting a Guard session for this Guard application has been updated. |
| guard_application.update_name | A Guard application's name has been modified. |
| guard_application.update_custom_commands | Custom auto-approved commands for Guard sessions have been modified. |
Guard Session
| Action | Description |
| --- | --- |
| guard_session.approve | A Guard session was approved per the Guard application's approval requirements. |
| guard_session.cancel | A Guard session was canceled by the user who originally requested access to a Guard application. |
| guard_session.deny | A Guard session was denied for a Guard application. |
| guard_session.requested | A Guard session was initiated. |
| guard_session.timeout | A Guard session has timed out per the Guard application's settings. |
User
| Action | Description |
| --- | --- |
| user.create | A user has been created. |
| user.update_email | A user's email has been updated. |
| user.update_password | A user's password has been modified. |
| user.update_group | A user has changed groups. |
| user.delete | A user was deleted from a Cased account. |
| user.login | A user successfully authenticated with Cased. |
| user.failed_login | A user failed to authenticate with their Cased account. |
| user.initiate_single_sign_on | A user initiated a Single Sign-On session with the organization's configured identity provider. |
Organization
| Action | Description |
| --- | --- |
| organization.create | A new Cased account was created. |
| organization.update | A Cased account was updated. |
| organization.update_default_group | The default group that users' accounts are assigned to, if not specified during provisioning, was modified. |
| organization.update_default_sensitivity_level | The default sensitivity level that a sensitive label is assigned when first detected by Cased was modified. |