Summary

Reporting and intelligence are essential components to a successful information security program. Smartcrypt’s data security intelligence allows enterprise security teams and audit/risk personnel to track which files were encrypted, the users who accessed them, what devices they were on, and where these events took place.  This data can be reported on directly through the data security intelligence interface in the Smartcrypt Manager, picked up by a SIEM agent or retrieved via API for transformation and load to a customer data-mart.  

Events

EventEvent Description

Account Transfer

Account Transfer is an event triggered when an account is logged into a new device on the first login. This event is different than a normal login because this event transfers the user's encrypted metadata to the device to be decrypted by the Smartcrypt Agent for use with Smartcrypt.

{
	"app": "MDS",
	"event": "Account Transfer",
	"level": 3,
	"tags": "Account, Access",
	"text": "Successful Account Transfer - User First Last (first.last@domain.com)",
	"time": "2016-05-25T03:18:22Z",
	"userId": 9
}
CODE

Add Certificate

When a System Administrator or Security Administrator adds a new contingency key into the system to be used with a policy, the Add Certificate event is stored by the Smartcrypt Manager.

{
	"app": "MDS",
	"assetId": 0,
	"event": "Add Certificate",
	"level": 3,
	"participantId": 0,
	"tags": "Certificate",
	"text": "first.last@domain.com Uploaded Contingency Public Key \"CK Admin\"",
	"time": "2016-05-04T01:27:24Z",
	"userId": 0
}
CODE

Add Smartkey

When a user creates a new Smartkey on any device, the event is captured in the Data Security Intelligence reporting.

{
	"app": "MDS",
	"assetId": 44,
	"event": "Add Smartkey",
	"level": 3,
	"tags": "Smartkey, Add",
	"text": "First Last (first.last@domain.com) added Smartkey \"Test-CLI-Test\"",
	"time": "2016-05-25T03:18:37Z",
	"userId": 9
}
CODE

Allow

When a user requests access to a Smartkey, an access request is posted (and emailed) to the owner of the Smartkey. When the owner responds with an allow (giving the participant access to the Smartkey and thus decryption/encryption abilities), this event is stored noting the access being given.

{
	"app": "MDS",
	"assetId": 43,
	"event": "Allow",
	"level": 3,
	"participantId": 9,
	"tags": "Asset, Membership",
	"text": "Allow First Last(first.last@domain.com) access to \"The dynamic duo\" (id=43): by user hodor(first2.last2@domain.com)",
	"time": "2016-05-10T18:54:00Z",
	"userId": 32
}
CODE

Create Account

When a new user accesses Smartcrypt for the first time, the Smartcrypt Manager needs to create an account for the user. The account is created by the Smartcrypt Manager and this event captures the date and time when it occurred.

{
	"app": "MDS",
	"assetId": 0,
	"event": "Create Account",
	"level": 3,
	"participantId": 0,
	"tags": "Account, Settings",
	"text": "Successful Create Account - user Steve Price(Steve.Price@domain.com)",
	"time": "2016-04-13T13:21:13Z",
	"userId": 27
}
CODE

Create Community

System Administrators and Security Administrators can create Community Keys within the Smartcrypt Manager based on groups of individual user objects stored in Active Directory. The event is stored in the system to capture the creation of a new Community Key being available in the system. Learn more about Community Keys here.

{
	"app": "MDS",
	"assetId": 0,
	"event": "Create Community",
	"level": 3,
	"participantId": 0,
	"tags": "Community",
	"text": "first.last@domain.com Created Community \"Community: Engineering\" - Added Participant Engineering.",
	"time": "2016-04-12T22:35:15Z",
	"userId": 0
}
CODE

Create Locker

A System Administrator and Security Administrator can create a Locker on a Smartcrypt Device to create a protected folder on a device. Data Security Intelligence captures this event to show when a folder started being protected. Learn more about Lockers here.

{
	"app": "MDS",
	"assetId": 0,
	"event": "Create Locker",
	"level": 3,
	"participantId": 0,
	"tags": "Locker",
	"text": "first.last@domain.com Created Locker on FILESERVER owned by first2.last2@domain.com - Path=C:\\Shares\\Product Development.\nSmartkey=Community: Infrastructure Team.\nWhite List=(blank).\nBlack List=(blank).\nSweep Interval=0.",
	"time": "2016-05-02T23:17:54Z",
	"userId": 0
}
CODE

Create Policy

A System Administrator and Security Administrator can create a policy to control how users will interact with the Smartcrypt product deployed on their desktops/servers. A Create Policy event shows the time, date, and the login information for the Administrator who defined the policy. Learn more about policies here.

{
	"app": "MDS",
	"assetId": 0,
	"event": "Create Policy",
	"level": 3,
	"participantId": 0,
	"tags": "Policy",
	"text": "first.last@domain.com Created Policy \"Policy created 5/5/2016 2:28:30 PM\"",
	"time": "2016-05-05T19:28:30Z",
	"userId": 0
}
CODE

Delete Community

System Administrators and Security Administrators can delete Community keys within the Smartcrypt Manager. This is very dangerous activity to do because existing data encrypted with the community key will no longer be able to be decrypted by the Community key. This event will capture what Administrator deleted the Community Key as well as the date and time. Learn more about Community Keys here.

{
	"app": "MDS",
	"assetId": 0,
	"event": "Delete Community",
	"level": 3,
	"participantId": 0,
	"tags": "Community",
	"text": "first.last@domain.com Deleted Community \"Community: Engineering-Key\"",
	"time": "2016-04-12T22:45:00Z",
	"userId": 0
}
CODE

Delete Locker

A System Administrator and Security Administrator can delete a Locker on a Smartcrypt Device. This event does not cause the data to be decrypted in the locker, but only stops the automatic encryption from occurring on the next plain-text file discovered in the locker. Data Security Intelligence captures this event to show when a folder stopped being protected. Learn more about Lockers here.

 {
	"app": "MDS",
	"assetId": 0,
	"event": "Delete Locker",
	"level": 3,
	"participantId": 0,
	"tags": "Locker",
	"text": "first.last@domain.com Deleted Locker on FILESERVER owned by first.last@domain.com - Path=C:\\Shares\\Engineering.\nSmartkey=Community: Infrastructure Team.\nWhite List=(blank).\nBlack List=(blank).\nSweep Interval=86400.",
	"time": "2016-04-12T22:44:00Z",
	"userId": 0
}
CODE

Delete Policy

A System Administrator and Security Administrator can remove an existing policy from the system. This will remove the controls in place for the defined set up uses that were using the Smartcrypt application. The event stores the date, time and login name of the Administrator who deleted the policy. Learn more about policies here.

 {
	"app": "MDS",
	"assetId": 0,
	"event": "Delete Policy",
	"level": 3,
	"participantId": 0,
	"tags": "Policy",
	"text": "first.last@domain.com Deleted Policy \"Policy created 4/12/2016 3:30:02 PM\"",
	"time": "2016-04-12T20:30:34Z",
	"userId": 0
}
CODE

Deny

When a user requests access to a Smartkey, an access request is posted (and emailed) to the owner of the Smartkey. When the owner responds with Deny (blocking the participant access to the Smartkey and thus not allowing decryption/encryption abilities), this event is stored noting the access is being denied.

 {
	"app": "MDS",
	"assetId": 41,
	"event": "Deny",
	"level": 3,
	"participantId": 0,
	"tags": "Asset, Membership",
	"text": "Deny Email ben.shields@domain.com (not yet a Smartcrypt User) access to \"Project-Tomahawk\" (id=41): by user First Last(first.last@domain.com)",
	"time": "2016-05-02T11:43:43Z",
	"userId": 10
}
CODE

Issue Access Token

Smartcrypt clients need to be authenticated to communicate with the Smartcrypt Manager. The application will take care of this behavior for the user by getting an access token. The server can refuse to give any device an access token, which will force the device to be disabled. This event captures the event of a specific device communicating with the Smartcrypt Manager and receiving a token for access.

 {
	"app": "MDS",
	"deviceId": 4,
	"event": "Issue Access Token",
	"level": 3,
	"tags": "Account, Access",
	"text": "Successful Issue Access Token - Device WINSRV-DEMO, User First Last (first.last@domain.com)",
	"time": "2016-06-20T22:23:46Z",
	"userId": 10
}
CODE

Login

When a user logs in on a device (not first time login, that is called "Account Transfer"). This event proves the user is accessing the device and authenticating with the Smartcrypt Manager.

 {
	"app": "MDS",
	"deviceId": 11,
	"event": "Login",
	"level": 3,
	"tags": "Account, Access",
	"text": "Successful Login - Device First Last's iPhone, User First Last (first.last@domain.com)",
	"time": "2016-06-20T22:23:40Z",
	"userId": 10
}
CODE

Smartcrypt Show Passphrase

To allow Smartkey-encrypted archives to be decrypted by an external third-party application, a passphrase can be extracted from the archive to enable the archive to be decrypted and extracted. This event captures the user, device, time and date when the passphrase was generated for a given archive.

{
	"category": "step",
	"item": "Test_SSN 50 XLSX.xlsx",
	"kms": {
		"data": "{\"assets\":[{\"smartcrypt-00jK9pKsgAhnP7Xj49k01YO+8QHgPUTn-MA_16_GOU3dBQnAAw5OHN6XTa8Xq2s8xUn7bXJ63g2Xew6BFE=:4\":\"2b10af26b5e29435619f5f68bb1f0a9d1cbd779b34583ca80d124bb2c5960daa9ba446b088e6f3326470bd2a07cc3e2d6c22997bb08649a0d5b85c2faf2d31b5\"}],\"homeServer\":\"SAT_mHpAluA,27Yj3lw7yo5sAuKxZecSgehWa52fhOoxfQ0=\",\"owner\":\"MA_16_GOU3dBQnAAw5OHN6XTa8Xq2s8xUn7bXJ63g2Xew6BFE=\"}",
		"provider": "Smartcrypt"
	},
	"action": "Show Passphrase",
	"archive": "C:\\Users\\First.Last\\Desktop\\Test_SSN 50 XLSX(1).zip",
	"cmd": "\"C:\\Program Files\\PKWARE\\PKZIPW\\pkzipw.exe\" -openArchive \"C:\\Users\\First.Last\\Desktop\\Test_SSN 50 XLSX(1).zip\"",
	"cwd": "C:\\Users\\First.Last\\Desktop",
	"host": "winsrv-demo.domain.com",
	"session_id": 6291595126613358767,
	"task_id": 6291595123352594790,
	"user": "First.Last",
	"time": "2016-06-02T14:02:22Z",
	"text": "Show Passphrase Test_SSN 50 XLSX.xlsx Archive=C:\\Users\\First.Last\\Desktop\\Test_SSN 50 XLSX(1).zip - device 28:WINSRV-ROBB - user Anthony Moss(First.Last@domain.com)",
	"event": "Smartcrypt Show Passphrase",
	"tags": "Archive,Show Passphrase",
	"level": 3,
	"app": "Smartcrypt",
	"deviceId": 28,
	"userId": 23
}
CODE

Smartcrypt Decrypt

When any user decrypts an archive, the Data Security Event captures information about the decryption. Attributes included are filename, archive name, method of decryption, policy controlling user, device information, date and time of the event.

 {
	"category": "step",
	"encryption": {
		"access": "Passphrase",
		"method": "AES (256-bit)"
	},
	"event": "Smartcrypt Decrypt",
	"item": "Medical Form.docx",
	"modified": "2015-09-01T07:24:17Z",
	"path": "C:\\Users\\DORA~1.CLA\\AppData\\Local\\Temp\\3\\PKE85D.tmp\\Medical Form.docx",
	"size": 15637,
	"status": {
		"code": 4,
		"description": "Aborted",
		"level": "warning"
	},
	"step_id": 1,
	"tags": "Archive,Extract,Encrypted",
	"text": "Decrypt Medical Form.docx Archive=C:\\Users\\first.last\\Dropbox\\Mergers\\Medical Form.docx.zip - Aborted - device 27:WINSRV-DEMO - user First Last(first.last@domain.com)",
	"action": "Extract",
	"archive": "C:\\Users\\first.last\\Dropbox\\Mergers\\Medical Form.docx.zip",
	"cmd": "\"C:\\Program Files\\PKWARE\\PKZIPW\\pkzipw.exe\" \"C:\\Users\\first.last\\Dropbox\\Mergers\\Medical Form.docx.zip\"",
	"crl": "none",
	"cwd": "C:\\Users\\first.last\\Dropbox\\Mergers",
	"fips": false,
	"fne": false,
	"host": "winsrv-demo.domain.com",
	"policy": {
		"id": 1,
		"updated_at": "2016-04-06T13:16:00Z",
		"name": "Site-wide Default"
	},
	"session_id": 6299341797372788995,
	"task_id": 6299341800310898723,
	"user": "first.last",
	"time": "2016-06-23T11:03:25Z",
	"level": 0,
	"app": "Smartcrypt",
	"deviceId": 27,
	"userId": 22
}
CODE

Smartcrypt Encrypt

When any user encrypts an archive, the Data Security Event captures information about the encryption. Attributes included are filename, archive name, method of encryption, policy controlling user, device information, date and time of the event.

 {
	"action": "Add",
	"category": "step",
	"encryption": {
		"access": "Smartkey",
		"kms": {
			"data": "{\"assets\":[{\"smartcrypt-cLAG1PWgq5hI+8,ezEngZ4,QQzJ8cR4B-MA_16_EiumrYTcCugQ+VUDjHqfRqEfT_v9uWS_KsZ0laJ2DbA=:1\":\"5a724aaaf40274d54c34a268b17720762d2e430e46f10d65f2e632dd0197ad8e93210aa0055a0d046306a8cd3249488f546ffca6928cf46a5b99b841d40d5026\"}],\"homeServer\":\"SAT_mHpAluA,27Yj3lw7yo5sAuKxZecSgehWa52fhOoxfQ0=\",\"owner\":\"MA_16_EiumrYTcCugQ+VUDjHqfRqEfT_v9uWS_KsZ0laJ2DbA=\"}",
			"provider": "Smartcrypt"
		},
		"method": "AES (256-bit)"
	},
	"item": "locker-checker.py",
	"item_id": "18639011E0983CF216AD2C1AA00B940FC1EA3B08",
	"modified": "2016-04-27T13:15:52Z",
	"signature": [
		{
			"name": "First Last"
		}
	],
	"size": 928,
	"archive": "C:\\Users\\First.Last\\Desktop\\gill\\agent-log.zip",
	"cmd": "\"C:\\Program Files\\PKWARE\\PKZIPW\\pkzipw.exe\" \"C:\\Users\\First.Last\\Desktop\\gill\\agent-log.zip\"",
	"contingency_keys": [],
	"crl": "none",
	"cwd": "C:\\Users\\First.Last\\Desktop\\gill",
	"fips": false,
	"fne": false,
	"host": "winsrv-demo.domain.com",
	"policy": {
		"id": 18,
		"updated_at": "2016-03-22T20:57:00Z",
		"name": "locked-down"
	},
	"session_id": 6300954167851130321,
	"task_id": 6300954167259782428,
	"user": "First.Last",
	"time": "2016-06-27T19:20:14Z",
	"assetId": 95,
	"text": "Encrypt locker-checker.py Archive=C:\\Users\\First.Last\\Desktop\\gill\\agent-log.zip - device 36:WINSRV-DEMO - user First Last(First.Last@domain.com)",
	"event": "Smartcrypt Encrypt",
	"tags": "Archive,Add,Encrypted",
	"level": 3,
	"app": "Smartcrypt",
	"deviceId": 36,
	"userId": 2
}
CODE


Update Community

System Administrators and Security Administrators can create Community keys within the Smartcrypt Manager based on individual user objects stored in Active Directory. Over time, access to the Community Key can change which will result in a Smartcrypt Update event being stored logging the change. Learn more about Community Keys here.

 {
	"app": "MDS",
	"assetId": 16,
	"event": "Update Community",
	"level": 3,
	"tags": "Community",
	"text": "first.last@domain.com Updated Community \"Community: Accounting\" - Added Participant Joseph.Sturrock@domain.com.",
	"time": "2016-06-27T21:36:50Z"
}
CODE

Update Locker

A System Administrator and Security Administrator can update a Locker on a Smartcrypt Device to create a protected folder on a device. The update could include which key to be used, or even what folder path to protect. Data Security Intelligence captures this event to show when a folder started being protected. Learn more about Lockers here.

 {
	"app": "MDS",
	"event": "Update Locker",
	"level": 3,
	"tags": "Locker",
	"text": "first.last@domain.com Updated Locker on IP-C6136EE4 owned by first2.last2@domain.com - Path=C:\\myData.\nSmartkey=Community: Accounting (was Test-CLI-Test).",
	"time": "2016-06-27T21:35:44Z"
}
CODE

Update Policy

A System Administrator and Security Administrator can update an existing policy from the system. This action has the potential to remove the controls in place for the defined setup users that were using the Smartcrypt application, or add controls to different users who were added to be incorporated into the policy. The event stores the date, time and login name of the Administrator who updated the policy. Learn more about policies here.

 Stored: 6/2/2016 12:09:54 PM
{
	"app": "MDS",
	"event": "Update Policy",
	"level": 3,
	"tags": "Policy",
	"text": "first.last@domain.com Updated Policy \"PKWARE Test Policy\" - Contingency Keys=PKWARE Policy Key (was Contingency2016).\nRemoved Contingency Group Member first.last@domain.com.",
	"time": "2016-06-02T17:09:54Z"
}
CODE