How do I find out who changed my threat model?

An audit trail is a security-relevant chronological record, set of records, and/or destination and source of records that provide documentary evidence of the sequence of activities that have affected at any time a specific operation, procedure, event, or device.

Put simply and audit trail allows us to identify who did what when; usually to track down why something in our system has changed

IriusRisk provides multiple levels of logging within the platform. In order to answer questions such as

what has been updated within a project (threat model),

• who has logged in

• who has modified a library

• when was a custom field removed

• when was a rule deleted

We can access an audit log of events within the product dashboard

Each event is described by

• timestamp(UTC)

• the User who performed an action/even, this is the Username (email or other as defined in Users and Permissions), or system (automated event invoked by the rules engine)

• the Project impacted, this may be a threat model (the name of the project), a library (the name of the security library), null (system wide)

• the Event, what action was performed. Some example events are shown below, but this includes details of any actions, either automated or manual that are applied to your projects (threat models), adding/removing components, importing threats and countermeasures etc.

• Details of the event

Each of these columns can be used to filter and/or sort the audit log, simply start typing and the log will dynamically pattern match the column. Case insensitive pattern matching is applied, so if the filter is anywhere within the column it will return the matching log information, for example

Event Type filter update will return events such as Asset Updated and Component Updated