Unified Audit Trail

CaseBender maintains a tamper-evident audit trail that records every significant action across the platform. The audit system is designed to meet the logging and monitoring controls of common compliance frameworks (SOC2 CC7.2, ISO 27001 A.8.15, HIPAA 164.312(b), CMMC AU.L2-3.3.1).

What’s Logged

Every audit entry captures:
Field            | Description
Timestamp        | Precise UTC timestamp of the action
Actor            | Who performed the action (user, system, integration, or API key)
Action           | What was done (create, read, update, delete, export, authenticate, etc.)
Target           | What entity was affected (case, alert, task, user, configuration, etc.)
Changes          | Before and after values for modifications
Context          | IP address, user agent, session ID, tenant ID
Compliance Flags | Which compliance frameworks this event satisfies

Event Categories

Category         | Examples
Entity Access    | Case viewed, alert accessed, evidence downloaded
Entity Changes   | Case updated, alert status changed, task assigned
Authentication   | Login, logout, MFA challenge, SSO assertion, lockout
Authorization    | Access granted, access denied, privilege elevated, role changed
System Events    | Service started, configuration changed, backup completed
Data Export      | Audit log exported, case data exported, report generated
Security Events  | Anomaly detected, threat indicator triggered, policy violation
Bulk Operations  | Bulk update, bulk delete, bulk assign (each affected item is recorded individually)

The audit trail can be queried in several ways:
  • Full-Text Search: Search across all audit fields
  • Filtered Views: Filter by date range, actor, action type, entity type, and more
  • Saved Filters: Save commonly used filter combinations
  • Export: Export filtered results in PDF, CSV, or structured JSON
  • Scheduled Reports: Configure recurring audit reports delivered via email

Audit Integrity

Tamper-Evident Hash Chains

CaseBender protects audit log integrity with a cryptographic hash chain:
  • Each audit entry stores the SHA-256 hash of the entry before it, so an entry's own hash (the value the next entry will store) depends on both its contents and its predecessor
  • Entries are therefore linked back to the first one: modifying or deleting any entry changes its hash, and the previous-hash stored in the following entry no longer matches
  • Integrity verification walks the chain from the start and reports the point at which it first breaks
  • Verification can be performed on demand or on a schedule
A hash chain is tamper-evident, not tamper-proof: an actor who can rewrite the whole store could edit an entry and recompute every hash after it. Verification is conclusive only when the most recent hash is also recorded somewhere that actor cannot change, for example by comparing it against the copies forwarded to the SIEM.

Integrity Verification

  • On-Demand Verification: Administrators can verify audit log integrity at any time
  • Scheduled Verification: Automated integrity checks run on a configurable schedule
  • Verification Report: Detailed report showing chain integrity status, any gaps, and anomalies
  • Alert on Tampering: If integrity verification fails, a security alert is generated immediately
Audit log integrity verification supports SEC Rule 17a-4 (as an audit-trail alternative to WORM storage), SOC2 CC7.2 (system monitoring), and ISO 27001 A.8.15 (logging).
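The following is an added illustration of the hash-chain and verification behaviour described under Tamper-Evident Hash Chains and Integrity Verification; it is not CaseBender's code. The entry layout, field names, the all-zero genesis value and the sample events are assumptions. It shows a naive edit being caught, an attacker who recomputes every later hash passing the internal check, and the externally anchored checkpoint that still catches that case.

```python
"""Tamper-evident audit hash chain with an externally anchored checkpoint.

Added example, not CaseBender's own implementation. Entry layout, field
names, the genesis value and the sample events are assumptions.
"""
import copy
import hashlib
import json
from typing import Optional

GENESIS_HASH = "0" * 64  # prev_hash stored on the first entry (assumed convention)


def canonical(body: dict) -> bytes:
    # Fixed key order and no whitespace, so the digest depends only on content.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(body: dict) -> str:
    # The hash covers the entry's own fields *and* the previous entry's hash,
    # which is what links the entries into a chain.
    return hashlib.sha256(canonical(body)).hexdigest()


def append_entry(chain: list, ts: str, actor: str, action: str, target: str,
                 changes: Optional[dict] = None) -> dict:
    body = {
        "seq": len(chain) + 1,
        "ts": ts,
        "actor": actor,
        "action": action,
        "target": target,
        "changes": changes or {},
        "prev_hash": chain[-1]["hash"] if chain else GENESIS_HASH,
    }
    entry = dict(body, hash=entry_hash(body))
    chain.append(entry)
    return entry


def verify_chain(chain: list, checkpoint: Optional[str] = None) -> list:
    """Return a list of findings; an empty list means the chain verified clean.

    `checkpoint` is the head hash recorded somewhere the log writer cannot
    modify (for example the last hash forwarded to the SIEM). Without it, a
    party who can rewrite the whole store can recompute every hash and pass.
    """
    findings = []
    expected_prev = GENESIS_HASH
    for position, entry in enumerate(chain, start=1):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != position:
            findings.append(f"position {position}: seq gap (found seq {entry['seq']})")
        if body["prev_hash"] != expected_prev:
            findings.append(f"entry {entry['seq']}: prev_hash does not match previous entry")
        if entry_hash(body) != entry["hash"]:
            findings.append(f"entry {entry['seq']}: stored hash does not match contents")
        expected_prev = entry["hash"]
    if checkpoint is not None and expected_prev != checkpoint:
        findings.append("chain head does not match the anchored checkpoint")
    return findings


def build_sample_chain() -> list:
    # Constructed sample events, not real audit data.
    chain: list = []
    append_entry(chain, "2024-05-01T09:00:00Z", "alice", "create", "case:1042")
    append_entry(chain, "2024-05-01T09:05:00Z", "alice", "update", "case:1042",
                 {"status": {"before": "open", "after": "closed"}})
    append_entry(chain, "2024-05-01T09:10:00Z", "svc-export", "export", "case:1042")
    return chain


def tamper_field(chain: list, index: int, field: str, value) -> list:
    """Return a copy with one field edited and no hash touched (a naive edit)."""
    tampered = copy.deepcopy(chain)
    tampered[index][field] = value
    return tampered


def rehash_from(chain: list, index: int) -> list:
    """Return a copy with hashes recomputed from `index` onward: what an
    attacker with full write access to the store would do to hide an edit."""
    rewritten = copy.deepcopy(chain)
    for i in range(index, len(rewritten)):
        if i > 0:
            rewritten[i]["prev_hash"] = rewritten[i - 1]["hash"]
        body = {k: v for k, v in rewritten[i].items() if k != "hash"}
        rewritten[i]["hash"] = entry_hash(body)
    return rewritten


if __name__ == "__main__":
    chain = build_sample_chain()
    anchor = chain[-1]["hash"]  # the value you would record off-box
    print("clean:", verify_chain(chain, anchor))
    edited = tamper_field(chain, 1, "actor", "mallory")
    print("naive edit:", verify_chain(edited, anchor))
    covered = rehash_from(edited, 1)
    print("rehashed, no checkpoint:", verify_chain(covered))
    print("rehashed, with checkpoint:", verify_chain(covered, anchor))
```

The last two calls are the point: after the attacker recomputes the chain, the internal check reports nothing, and only the checkpoint held outside the store exposes the rewrite. That is why the forwarded copies (or a signed, periodically published head hash) matter as much as the chain itself.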

SIEM Forwarding

CaseBender forwards audit events to your existing SIEM in real time for centralized security monitoring.

Supported Destinations

Destination        | Protocol                   | Formats
Splunk             | HTTP Event Collector (HEC) | JSON, CEF
Elastic / ELK      | Elasticsearch API          | JSON (ECS-compatible)
IBM QRadar         | Syslog (TCP/TLS)           | LEEF
Microsoft Sentinel | Log Analytics API          | JSON
Generic Syslog     | Syslog (TCP/UDP/TLS)       | CEF, LEEF, JSON
Custom Webhook     | HTTPS POST                 | JSON

Forwarding Features

  • Multiple Destinations: Forward to multiple SIEMs simultaneously
  • Event Filtering: Choose which event categories to forward
  • Buffering: Events are buffered during SIEM outages and delivered when connectivity is restored
  • Retry Logic: Failed deliveries are retried with exponential backoff
  • TLS Encryption: Forwarded events are encrypted in transit on every destination that supports TLS; plain TCP or UDP syslog sends events in the clear and should only be used on a trusted network segment
  • Health Monitoring: Forwarding health is monitored with alerts on delivery failures
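Added example of rendering one audit event in the CEF and LEEF formats listed in the table above; it is not CaseBender's own forwarder code. The event fields, the vendor/product header values, the field-to-key mapping and the choice of '^' as the LEEF delimiter are assumptions. The point it shows is the escaping each format needs: a user agent or session ID containing '=', '|' or a newline must not be able to split the record or inject a key the SIEM then trusts.

```python
"""Render an audit event as CEF and LEEF for syslog-based SIEM forwarding.

Added example, not CaseBender's own forwarder. The event fields, header values
and key mapping are assumptions; the escaping rules follow the ArcSight CEF and
IBM LEEF specifications.
"""
import json
from datetime import datetime, timezone
from typing import Dict, List, Tuple

VENDOR, PRODUCT, VERSION = "CaseBender", "Audit", "1.0"  # assumed header values
LEEF_DELIM = "^"  # explicit LEEF 2.0 attribute delimiter (assumed choice)

# Our field names -> CEF extension keys (cs1/cs2 are CEF custom strings; their
# *Label keys are appended so the SIEM knows what they hold).
CEF_KEYS = {"action": "act", "actor": "suser", "ip": "src",
            "user_agent": "requestClientApplication", "target": "fname",
            "session_id": "cs1"}
# Our field names -> LEEF attribute keys.
LEEF_KEYS = {"action": "action", "actor": "usrName", "ip": "src",
             "user_agent": "userAgent", "target": "resource",
             "session_id": "sessionId"}

SAMPLE_EVENT = {  # constructed audit event, not real data
    "timestamp": "2024-05-01T09:05:00Z",
    "event_id": "audit.case.update",
    "summary": "Case updated",
    "actor": "alice@example.com",
    "action": "update",
    "target": "case:1042",
    "ip": "203.0.113.7",
    "user_agent": "Mozilla/5.0\nfake=1",   # newline + '=' would forge a key if unescaped
    "session_id": "sess|42=abc",           # '|' is harmless in the extension, '=' is not
    "changes": {"status": {"before": "open", "after": "closed"}},
}


def cef_header_escape(value: str) -> str:
    # Header fields are pipe-delimited: backslash and pipe must be escaped.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_ext_escape(value: str) -> str:
    # Extension values: escape backslash and '='; encode line breaks so an
    # event can neither split into two syslog records nor inject a new key.
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def leef_header_sanitize(value: str) -> str:
    # LEEF header fields must not contain a pipe; sanitize rather than escape.
    return value.replace("|", "_")


def leef_attr_escape(value: str) -> str:
    # A literal delimiter inside a value would start a new attribute.
    return (value.replace(LEEF_DELIM, " ")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def epoch_millis(ts_utc: str) -> int:
    # CEF 'rt' accepts epoch milliseconds; input is the entry's UTC timestamp.
    dt = datetime.strptime(ts_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * 1000


def _mapped(event: dict, keys: Dict[str, str]) -> List[Tuple[str, str]]:
    # Ordered (key, value) pairs for the fields present in the event.
    return [(keys[f], str(event[f])) for f in keys if f in event]


def to_cef(event: dict, severity: int = 3) -> str:
    header = "|".join(cef_header_escape(v) for v in (
        VENDOR, PRODUCT, VERSION, event["event_id"], event["summary"], str(severity)))
    pairs = [("rt", str(epoch_millis(event["timestamp"])))] + _mapped(event, CEF_KEYS)
    if "session_id" in event:
        pairs.append(("cs1Label", "sessionId"))
    if event.get("changes"):
        pairs += [("cs2", json.dumps(event["changes"], sort_keys=True)),
                  ("cs2Label", "changes")]
    extension = " ".join(f"{k}={cef_ext_escape(v)}" for k, v in pairs)
    return f"CEF:0|{header}|{extension}"


def to_leef(event: dict) -> str:
    header = "|".join(leef_header_sanitize(v) for v in
                      (VENDOR, PRODUCT, VERSION, event["event_id"]))
    pairs = [("devTime", event["timestamp"]),
             ("devTimeFormat", "yyyy-MM-dd'T'HH:mm:ss'Z'")] + _mapped(event, LEEF_KEYS)
    if event.get("changes"):
        pairs.append(("changes", json.dumps(event["changes"], sort_keys=True)))
    extension = LEEF_DELIM.join(f"{k}={leef_attr_escape(v)}" for k, v in pairs)
    return f"LEEF:2.0|{header}|{LEEF_DELIM}|{extension}"


if __name__ == "__main__":
    print(to_cef(SAMPLE_EVENT))
    print(to_leef(SAMPLE_EVENT))
```

Whichever format you forward, check the rendered record before trusting a parser with it: it must contain no raw newline, and a value containing the format's own delimiters must round-trip as one value rather than as an extra key.
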

Legal Hold

CaseBender includes a legal hold system for litigation preservation:
  • Hold Creation: Create legal holds with scope, custodians, and preservation requirements
  • Scope Definition: Define what data is preserved (cases, alerts, evidence, communications)
  • Custodian Management: Track custodians (individuals responsible for preserving data)
  • Evidence Preservation: Entities under legal hold are exempt from automated retention/deletion
  • Hold Release: Release holds when litigation concludes, with full audit trail

Feature                | Description
Automatic Preservation | Entities matching hold scope are automatically preserved
Retention Override     | Legal holds override data retention policies
Custodian Notification | Custodians are notified of their preservation obligations
Compliance Tracking    | Track custodian acknowledgment and compliance
Chain of Custody       | Maintain evidence chain of custody documentation
Audit Trail            | All hold actions are logged in the audit trail

E-Discovery Support

CaseBender supports the full e-discovery lifecycle:

E-Discovery Workflow

  1. Request: Receive and track e-discovery requests with deadlines and scope
  2. Collection: Collect responsive data from cases, alerts, comments, and audit logs
  3. Review: Review collected data in dedicated review sets with tagging and annotation
  4. Production: Produce responsive documents in required formats
  5. Export: Generate export packages for legal counsel

Review Capabilities

  • Review Sets: Organize collected data into review sets for efficient review
  • Tagging: Tag documents as responsive, privileged, or irrelevant
  • Bulk Review: Review multiple items simultaneously with consistent tagging
  • Decision Tracking: Track review decisions with reviewer attribution
  • Export Formats: PDF, CSV, native format, and structured data packages

Data Retention for Audit Logs

Audit logs follow configurable retention policies. The defaults below are starting points; confirm each one against the retention period the relevant framework actually mandates for your records:

Data Type             | Default Retention | Compliance Requirement
Authentication events | 3 years           | SOC2, ISO 27001, CMMC
Authorization events  | 3 years           | SOC2, ISO 27001, HIPAA
Data access events    | 3 years           | GDPR, HIPAA, PCI DSS
Configuration changes | 7 years           | SEC Rule 17a-4
Security events       | 3 years           | SOC2, CMMC, FedRAMP
Compliance evidence   | 7 years           | Multiple frameworks

Audit logs under legal hold are retained for as long as the hold remains in place, regardless of retention policy settings.