Audit

The MySafe Audit screen enables control and monitoring of activities related to stored items. Through it, administrative users can view a comprehensive report of all events related to the items, ensuring the security and traceability of information.

Functionality

• Ensure traceability of all actions performed: records who did what, when, and from which location, providing a complete history of activities.
• Filter events by various criteria: allows quick and easy retrieval of specific information in the report using filters such as item name, event type, user, period, among others.
• View detailed information for each event: provides detailed information about each recorded action, including date and time, user, IP address, and event type.
• Export the report in CSV format: allows downloading the report in a format compatible with various data analysis tools, facilitating the creation of customized reports and integration with other systems.
• Schedule periodic report delivery: administrative users can set up automatic email delivery of the audit report at a defined frequency for ongoing activity monitoring.
• Access historical records: access older event history, ensuring complete tracking of activities performed in MySafe.

Applicability

• Security audit: monitor access and activities related to stored items, ensuring information security.
• Compliance management: meet audit requirements and information security standards by documenting performed activities.
• Incident investigation: investigate suspicious activities and identify potential security breaches.
• Behavior analysis: analyze MySafe usage patterns and identify optimization opportunities.

Use case

Investigation of unauthorized access to critical password
Primary actor: Mark (MySafe user administrator).
Summary: this use case demonstrates how Mark uses MySafe’s Audit feature to investigate possible unauthorized access to a critical company password stored in MySafe.

Context
The MySafe administrator receives a security alert about suspicious activities related to access to the company’s database server password.

Basic flow

1. Receiving the alert: Mark receives a security alert about multiple failed attempts to access the database server password from an unknown IP address.
2. Accessing the Audit screen: Mark accesses the MySafe Audit screen to investigate the event.
3. Filtering events: on the Audit screen, Mark uses the filters to refine the search:
   • Name: "Database Server" (name of the password stored in MySafe)
   • Event: "View" (to identify access attempts)
   • Date: sets the period corresponding to the received alert.
4. Analyzing the records: the filtered report displays all view events for the database server password within the specified period. Mark reviews the records, checking:
   • Users: verifies if any of the listed users shouldn’t have accessed the password at that time.
   • IP addresses: checks if the IP addresses correspond to authorized locations and devices.
   • Date and time: confirms if the days and times of access align with the working hours of authorized users.
5. Identifying suspicious activity: Mark identifies access outside working hours from an unrecognized IP in the report.
6. Corrective actions: based on the evidence found, Mark takes the following actions:
   • Password reset: immediately resets the database server password.
   • Access blocking: blocks the suspicious IP on the company firewall.
   • Communication and investigation: informs the security team about the incident for further investigation and additional security measures.

Conclusion

The MySafe Audit screen allowed the administrator to investigate the security alert, identify unauthorized access, and take measures to protect the company's critical information. The filtering feature, detailed records, and the ability to export the report were essential for the rapid resolution of the incident.