# Why we audit user activity

Have you ever wondered if your employer is keeping a record of when you log into company systems?

Well, they are, if they're implementing the third and final function of the authentication, authorization, and accounting framework.

Accounting is the practice of monitoring the access logs of a system.

These logs contain information like who accessed the system, and when they accessed it, and what resources they used.

Security analysts use access logs a lot.

The data they contain is a helpful way to identify trends, like failed login attempts.

They're also used to uncover hackers who have gained access to a system, and for detecting an incident, like a data breach.

In this field, access logs are essential.

Oftentimes, analyzing them is the first procedure you'll follow when investigating a security event.

So, how do access logs compile all this useful information?

Let's examine this more closely.

Anytime a user accesses a system, they initiate what's called a session.

A session is a sequence of network HTTP basic auth requests and responses associated with the same user, like when you visit a website.

Access logs are essentially records of sessions that capture the moment a user enters a system until the moment they leave it.

Two actions are triggered when the session begins.

The first is the creation of a session ID.

A session ID is a unique token that identifies a user and their device while accessing the system.

Session IDs are attached to the user until they either close their browser or the session times out.

The second action that takes place at the start of a session is an exchange of session cookies between a server and a user's device.

A session cookie is a token that websites use to validate a session and determine how long that session should last.

When cookies are exchanged between your computer and a server, your session ID is read to determine what information the website should show you.

Cookies make web sessions safer and more efficient.

The exchange of tokens means that no sensitive information, like usernames and passwords, are shared.

Session cookies prevent attackers from obtaining sensitive data.

However, there's other damage that they can do.

With a stolen cookie, an attacker can impersonate a user using their session token.

This kind of attack is known as session hijacking.

Session hijacking is an event when attackers obtain a legitimate user's session ID.

During these kinds of attacks, cyber criminals impersonate the user, causing all sorts of harm.

Money or private data can be stolen.

If, for example, hijackers obtain a single sign-on credential from stolen cookies, they can even gain access to additional systems that otherwise seem secure.

This is one reason why accounting and monitoring session logs is so important.

Unusual activity on access logs can be an indication that information has been improperly accessed or stolen.

At the end of the day, accounting is how we gain valuable insight that makes information safer.