The system audit trail

Whenever a resource is created, modified, or deleted from Cased, whether via the website or REST API, an audit event is published to your Cased system audit trail.

  • Both Live and Test environments have their own system audit trails. Audit events published to the System audit trail answer the who, what, when, and where of actions performed on Cased.
  • The System audit trail is immutable and guaranteed to show all activity that happens on Cased with your data.

Example

Actions recorded in System audit trail

API Keys

ActionDescription
api_key.createAn API key created for publishing events to an audit trail, audit trail policy, or environment.
api_key.deleteAn API key was deleted.

Audit Event Unmask

ActionDescription
audit_event_unmask.createPersonally Identifiable Information within an audit event has been unmasked.

Audit Trail Export

ActionDescription
audit_trail_export.createEvents from an audit trail policy have been exported.
audit_trail_export.successThe requested events from an audit trail policy have been successfuly exported.
audit_trail_export.errorExporting events from an audit trail policy could not be completed.
audit_trail_export.downloadThe requested events from an audit trail policy have been downloaded.

Audit Trail

ActionDescription
audit_trail.createAn audit trail was created.
audit_trail.updateAn audit trail was updated.
audit_trail.deleteAn audit trail was deleted.

Audit Trail Policy

ActionDescription
audit_trail.createAn audit trail policy was created.
audit_trail.updateAn audit trail policy was updated.
audit_trail.add_audit_trailAn audit trail was added to an audit trail policy.
audit_trail.add_groupA group was given access to an audit trail policy.
audit_trail.add_userA user was given access to an audit trail policy.
audit_trail.remove_audit_trailAn audit trail was removed from an audit trail policy.
audit_trail.remove_groupA group's access to an audit trail policy was revoked.
audit_trail.remove_userA user's access to an audit trail policy was revoked.
audit_trail.deleteAn audit trail policy was deleted.

Environment

ActionDescription
environment.createThe live or test environment has been created.

Events

ActionDescription
events.searchA user performed a search authorized by an audit trail policy.

Group

ActionDescription
group.createA group has been created.
group.update_nameA group's name has been modified.
group.createA group was deleted from a Cased account.

Guard Application

ActionDescription
guard_application.approve_on_unreachableGuard sessions will be approved for a Guard application in the event Cased.com is unavailable.
guard_application.connect_slack_channelSlack channel has been configured for a Guard application.
guard_application.createA Guard application has been created.
guard_application.deleteA Guard application was deleted.
guard_application.deny_on_unreachableGuard sessions will be denied for this Guard application in the event Cased.com is unavailable.
guard_application.disconnect_slack_channelSlack channel was removed from a Guard application.
guard_application.reason_not_requiredA reason is not required to start Guard sessions for a Guard application.
guard_application.reason_requiredA reason is required to start Guard sessions for a Guard application.
guard_application.self_approval_disabledGuard sessions cannot be approved by the same user starting a Guard session for a Guard application.
guard_application.self_approval_enabledGuard sessions can be approved by the same user starting a Guard session for a Guard application.
guard_application.update_approval_durationThe window of time in minutes a Guard session will automatically be approved if a user already has an active, approved session has been updated for a Guard application.
guard_application.update_approval_timeoutThe amount of time in minutes a Guard session must be responded to before another Guard session request must be initiated.
guard_application.update_message_of_the_dayThe message displayed to users when starting a Guard session for this Guard application has been updated.
guard_application.update_nameA Guard application's name has been modified.
guard_application.update_custom_commandsCustom auto-approved commands for Guard sessions have been modified.

Guard Session

ActionDescription
guard_session.approveA Guard session was approved per the Guard application's approval requirements.
guard_session.cancelA Guard session was canceled by the user who originally requested access to a Guard application.
guard_session.denyA Guard session was denied for a Guard application.
guard_session.requestedA Guard session was initiated.
guard_session.timeoutA Guard session has timed out per the Guard application's settings.

User

ActionDescription
user.createA user has been created.
user.update_emailA user's email has been updated.
user.update_passwordA user's password has been modified.
user.update_groupA user has changed groups.
user.deleteA user was deleted from a Cased account.
user.loginA user successfully authenticated with Cased.
user.failed_loginA user failed to authenticate with their Cased account.
user.initiate_single_sign_onA user initiated a Single Sign-On session with the organization's configured identity provider.

Organization

ActionDescription
organization.createA new Cased account was created.
organization.updateA Cased account was updated.
organization.update_default_groupThe default group user's accounts are assigned if not specified during provisioning was modified.
organization.update_default_sensitivity_levelThe default sensitivity level a sensitive label is assigned when first detected by Cased.
organization.update_default_sensitive_response_expirationThe default amount of time in minutes a sensitive data request expires in was modified.

SAML Provider

ActionDescription
saml_provider.createA SAML Single Sign-On identity provider has been configured for a Cased account.
saml_provider.updateA SAML Single Sign-On configuration has been updated.
saml_provider.deleteA SAML Single Sign-On identity provider was deleted.

Sensitive Data Request

ActionDescription
sensitive_data_request.pendingA request to access sensitive data is pending.
sensitive_data_request.approvedA request to access sensitive data has been approved.
sensitive_data_request.deniedA request to access sensitive data has been denied.

Sensitive Label

ActionDescription
sensitive_label.createA new sensitivity label was created.
sensitive_label.update_descriptionA sensitivity label's description was modified.
sensitive_label.update_sensitivity_levelA sensitivity label's sensitivity level was modified.
sensitive_label.deleteA sensitivity label's was deleted.

Sensitivity Level

ActionDescription
sensitivity_level.createA new sensitivity level was created.
sensitivity_level.update_levelThe sensitivity level's identifier has been updated.
sensitivity_level.update_descriptionThe sensitivity level's description has been updated.
sensitivity_level.update_approval_requirementThe sensitivity level's approval requirement has been updated.
sensitivity_level.deleteA sensitivity level was deleted.

Workflows

ActionDescription
workflow.createA new workflow was created.
workflow.update_nameThe workflow's name has been updated.
workflow.deleteA workflow was deleted.

Workflow Authentication Control

ActionDescription
workflows_controls_authentication.enableUser authentication for a workflow has been enabled.
workflows_controls_authentication.disableUser authentication for a workflow has been disabled.

Workflow Approval Control

ActionDescription
workflows_controls_approval.enableApprovals were enabled for a workflow.
workflows_controls_approval.update_countThe number of approvals for a workflow to be fulfilled has been updated.
workflows_controls_approval.update_timeoutThe approval timeout duration has been updated.
workflows_controls_approval.update_durationThe duration the approval lasts for has been updated.
workflows_controls_approval.enable_self_approvalAbility for authenticated user to approve own workflow has been enabled.
workflows_controls_approval.disable_self_approvalAbility for authenticated user to approve own workflow has been disabled.
workflows_controls_approval.disableApprovals were disabled for a workflow.

Workflow Approvals

ActionDescription
workflows_approval.requestA workflow approval request was delivered.
workflows_approval.approveA workflow approval request met all approval requirements.
workflows_approval.denyA workflow approval request did not meet all approval requirements.
workflows_approval.timeoutA workflow approval request timed out.
workflows_approval.cancelA workflow approval request was canceled.

Workflow Approval Responses

ActionDescription
workflows_approvals_response.approveA workflow approval request received an approval response.
workflows_approvals_response.denyA workflow approval request received a denied response.

Workflow Reason Control

ActionDescription
workflows_controls_reason.enableA reason must be provided for a workflow to run.
workflows_controls_reason.disableA reason is not necessary for a workflow to run.

Questions? Contact us.
FAQ


Did this page help you?