Monitoring and Incident Response

Effective security monitoring and incident response are essential components of a comprehensive cybersecurity program. This section describes the monitoring capabilities available in Antigen Plus, log locations and formats, incident response procedures, and how to report security issues to Antigen Plus.

The monitoring responsibilities for Antigen Plus deployments differ based on whether you use cloud-hosted databases (Azure SQL Database) or on-premise SQL Server databases. For details on the shared responsibility model, see Security Overview: Shared Responsibility Model in this cybersecurity guide.

Antigen Plus User Activity Logging

Antigen Plus maintains comprehensive audit logs for security monitoring and compliance purposes. The application automatically logs all security-relevant events, providing administrators with visibility into user activities and system access patterns.

User Activity Log

The Antigen Plus User Activity Log is a single, comprehensive log that tracks all security-relevant events and user activities. Different types of events are recorded in this same log, providing a complete audit trail for security monitoring and compliance.

What Is Logged:

Authentication Events:

• All user login and logout events
• Session timeout events

Patient Information (PHI) Access:

• All activity involving patient information
• Patient record views
• Patient data modifications

Saved Work and Panel Tracking:

• Every saved panel records the user who created it
• Timestamps for panel creation and modification
• Patient information edits are logged with:
  • User who made the change
  • Date and time of edit
  • Reason for the edit (required field)

All Events Include:

• Timestamp and user identification for all logged events

Accessing the Log:

• Available through View User Activity Log in the User Menu
• Only administrators can access the activity log
• Log can be exported in CSV format for external analysis
• Useful for security audits, compliance reporting, and incident investigation

For detailed instructions on accessing the user activity log, see View User Activity Log in the User Guide.

Security and Compliance Benefits:

• HIPAA compliance - tracks all access to PHI
• Accountability - associates all actions with specific users
• Incident response - provides forensic data for security investigations
• Audit support - demonstrates access controls are functioning

Data Retention:

• Saved panels are retained for a minimum of 10 years
• Panels cannot be deleted until they are at least 10 years old
• This ensures long-term availability for patient history and audits
• Supports regulatory requirements for laboratory record retention

For more detailed information about user activity logging and the complete audit trail, see Authentication and Authorization: User Activity Logging and Audit Trail.

Log Locations and Formats

Understanding where logs are stored and how to access them is essential for effective security monitoring and incident response.

User Activity Log Storage

Location:

• The user activity log is stored in the Antigen Plus database
• Accessed through the Antigen Plus application user interface
• No direct file system access required

Format:

• Viewable within the Antigen Plus application
• Exportable in CSV format for external analysis
• Includes timestamp, user identification, and action details

Access Requirements:

• Administrator role required to view the log
• Export functionality available to administrators
• Logs are retained in the database indefinitely

Raw Analyzer Output Logs

Location:

• Log files are stored in %APPDATA%\Rowny Systems, Inc\AntigenPlus
• This is a hidden folder inside the current user’s home directory
• Logging is disabled by default and must be explicitly enabled

Purpose:

• Used for troubleshooting communications between blood analyzers and Antigen Plus
• Not intended for routine security monitoring
• Should only be enabled temporarily during troubleshooting

LIS output from a blood analyzer may contain unencrypted Patient Health Information (PHI). You should only log raw analyzer output temporarily in order to troubleshoot communications problems. Delete the log files when troubleshooting is complete.

For configuration details, see Additional Global Settings: Logging raw analyzer output.

Database Audit Logs

The location and management of database audit logs depends on your deployment model:

Azure SQL Database:

• Audit logs are managed automatically by Microsoft Azure
• Azure provides built-in auditing and threat detection services
• Logs are stored in Azure storage accounts (configurable)
• See Azure Monitoring Services below for details

On-Premise SQL Server:

• Audit logs are the customer’s responsibility
• SQL Server audit logging must be configured by your database administrators
• Logs should be integrated with your organization’s SIEM system
• See On-Premises Database Monitoring below for details

Azure Monitoring Services

When using cloud-hosted databases in Microsoft Azure, Antigen Plus leverages Azure’s built-in monitoring and security services. These services provide comprehensive monitoring of both the database infrastructure and the Antigen Plus API servers.

Azure SQL Database Monitoring

Microsoft Azure automatically monitors all Azure SQL Database instances with comprehensive monitoring and security services:

Azure Monitor:

• Performance metrics and resource utilization tracking
• Connection monitoring and availability tracking
• Query performance insights
• Automatic alerting for performance issues

Auditing and Threat Detection:

• Database audit logging for all database activities
• Threat detection alerts for suspicious activities
• Anomaly detection for unusual access patterns
• Failed authentication attempt logging
• Connection attempt logging (including firewall violations)

Firewall Logging:

• All connection attempts are logged
• Failed connection attempts due to firewall rules are recorded
• IP address tracking for connection sources
• Useful for identifying unauthorized access attempts

Automatic Patching and Updates:

• Microsoft Azure manages all database platform security updates
• Automatic patching ensures databases remain secure
• No customer action required for platform updates

For details on Azure SQL Database security configuration, see Deployment Security: Azure SQL Security Configuration.

API Server Monitoring

Antigen Plus maintains API infrastructure in Azure to support software licensing, reagent lot data downloads, crash log collection, and connection string retrieval. This infrastructure is monitored by Antigen Plus:

Connection Monitoring:

• All API connections are monitored for availability and performance
• Failed connection attempts are logged
• Performance metrics are tracked to ensure responsive service

Security Monitoring:

• Authentication failures are logged
• Unusual access patterns are detected
• API endpoint availability is continuously monitored

For details on the API infrastructure and authentication, see Security Architecture: External Connections.

Customer Access to Azure Monitoring

What Customers Can Access:

• Customers do not have direct access to Azure SQL Database monitoring dashboards
• Azure SQL Database firewall logs are not directly accessible to customers
• Antigen Plus manages Azure infrastructure monitoring on behalf of customers

Shared Responsibility:

• Antigen Plus is responsible for monitoring Azure infrastructure and API servers
• Customers are responsible for monitoring application-level activities through the User Activity Log
• Customers should monitor their workstations and network connectivity
• Customers are responsible for monitoring on-premise components (if any)

Incident Notification:

• Antigen Plus will notify customers of any security incidents affecting Azure infrastructure
• Customers should report security concerns to Antigen Plus (see Reporting Security Issues to Vendor)

On-Premises Database Monitoring

When using an on-premise SQL Server database, your organization assumes full responsibility for monitoring the database infrastructure. This includes configuring audit logging, monitoring database access, and integrating with your organization’s security information and event management (SIEM) systems.

Customer Responsibilities

Database Monitoring:

• Configure SQL Server audit logging to capture security-relevant events
• Monitor database connection attempts and authentication failures
• Track unusual access patterns and database activity
• Monitor database performance and availability

SIEM Integration:

• Integrate SQL Server audit logs with your organization’s SIEM system
• Configure alerts for suspicious database activities
• Establish automated monitoring for security events
• Maintain log retention according to your organization’s policies

For information on configuring SQL Server security, see Deployment Security: On-Premise SQL Server Hardening.

Recommended Monitoring Practices

Database Connection Monitoring:

• Monitor all connection attempts to the SQL Server
• Alert on failed authentication attempts
• Track connection sources (IP addresses, workstations)
• Monitor for connections from unexpected locations

Failed Authentication Attempts:

• Log all failed login attempts
• Alert on repeated authentication failures
• Investigate patterns of failed access attempts
• Consider account lockout policies for repeated failures

Unusual Access Patterns:

• Monitor for access outside normal business hours
• Alert on access from unexpected workstations or IP addresses
• Track database access frequency and patterns
• Investigate sudden changes in access patterns

Performance and Availability Monitoring:

• Monitor database performance metrics
• Track query execution times
• Monitor database availability and uptime
• Alert on performance degradation or downtime

Integration with Antigen Plus Logs:

• Correlate SQL Server audit logs with Antigen Plus User Activity Log
• Use both logs together for comprehensive security monitoring
• Export Antigen Plus activity logs regularly for SIEM integration
• Maintain synchronized timestamps for log correlation

For information on how database access patterns can be detected by SIEM systems, see Security Architecture: Monitoring and Detection.

Security Event Logging

Antigen Plus and the underlying database infrastructure log various security-relevant events. Understanding what events are logged helps you establish effective monitoring and incident response procedures.

Events Logged by Antigen Plus

User Authentication Events:

• Successful user login events
• User logout events
• Failed login attempts
• Session timeout events

PHI Access Events:

• All access to patient information
• Patient record views
• Patient data modifications
• Panel creation and modification
• Patient information edits (with reason for edit)

Events Logged by Database Infrastructure

Azure SQL Database:

• All database connection attempts
• Failed authentication attempts
• Firewall rule violations
• Database query execution
• Administrative actions
• Threat detection alerts

On-Premise SQL Server:

• Database connection attempts (when audit logging configured)
• Failed authentication attempts
• SQL Server login events
• Database access events
• Administrative actions
• Performance and error events

Log Correlation

For comprehensive security monitoring, correlate events from multiple sources:

• Antigen Plus User Activity Log - Application-level user actions
• Database Audit Logs - Database-level access and queries
• Windows Event Logs - Operating system authentication and access
• Network Logs - Connection attempts and network activity
• SIEM Alerts - Aggregated security events and anomalies

Incident Response Procedures

Having well-defined incident response procedures ensures that security incidents are identified, contained, and resolved quickly. This section provides guidance on responding to security incidents involving Antigen Plus.

General Incident Response Procedures

1. Identify and Assess the Incident:

• Review User Activity Log for suspicious activities
• Check database audit logs for unusual access patterns
• Examine Windows Event Logs for authentication anomalies
• Review SIEM alerts and security monitoring dashboards
• Assess the scope and severity of the incident

2. Contain the Incident:

• Disable affected user accounts if unauthorized access is suspected
• Block network access from compromised workstations if necessary
• Isolate affected systems from the network if required
• Preserve evidence by exporting relevant log entries
• Document all containment actions taken

3. Investigate and Analyze:

• Export User Activity Log entries for the incident timeframe
• Correlate Antigen Plus logs with database and Windows logs
• Identify the root cause of the incident
• Determine what data or systems were affected
• Document findings and timeline of events

4. Remediate:

• Address the root cause of the incident
• Restore affected systems to a known-good state if necessary
• Update security controls to prevent recurrence
• Reset compromised credentials
• Verify that security controls are functioning correctly

5. Document and Report:

• Document the incident, response actions, and outcomes
• Report to organizational security team and management
• Report to Antigen Plus if vendor involvement is needed (see Reporting Security Issues to Vendor)
• Update incident response procedures based on lessons learned
• Conduct post-incident review

Specific Incident Scenarios

Unauthorized Access Attempts:

1. Review User Activity Log for failed login attempts
2. Check database audit logs for connection attempts from unknown sources
3. Identify the source of the access attempts (workstation, IP address)
4. Verify that firewall rules are correctly configured
5. Consider implementing additional access restrictions if needed
6. Report persistent unauthorized access attempts to Antigen Plus

Unusual User Activity Patterns:

1. Export User Activity Log for analysis
2. Identify unusual patterns (off-hours access, excessive data access, etc.)
3. Verify with the user whether the activity is legitimate
4. Review user’s role and access permissions
5. Investigate potential account compromise
6. Take appropriate action based on findings (account disable, role adjustment)

Data Integrity Concerns:

1. Review audit logs for data modifications
2. Identify which users made changes and when
3. Verify whether changes were authorized
4. Check for patterns of unauthorized modifications
5. Restore data from backups if unauthorized changes are confirmed
6. Review and strengthen access controls if needed

For information on data integrity controls, see Data Security: Data Integrity Controls.

Connection Failures or Anomalies:

1. Check network connectivity and firewall configuration
2. Review database connection logs for errors
3. Verify that Azure SQL Database firewall rules are correctly configured (for cloud databases)
4. Check for network infrastructure issues
5. Review Antigen Plus connection string configuration
6. Contact Antigen Plus support if issues persist

For network configuration details, see Deployment Security: Network Requirements and Firewall Configuration.

Using Activity Logs for Forensic Analysis

The Antigen Plus User Activity Log provides valuable forensic data for security investigations:

Log Export:

• Export the User Activity Log in CSV format for detailed analysis
• Filter logs by date range, user, or activity type
• Correlate with other log sources for comprehensive timeline

Key Information Available:

• Exact timestamps for all user actions
• User identification for each logged event
• Detailed action descriptions
• Patient information access records

Best Practices:

• Export logs immediately when an incident is suspected
• Preserve original log exports as evidence
• Use log analysis tools for pattern detection
• Maintain exported logs according to your retention policies
• Include log exports in incident documentation

For details on accessing and exporting the User Activity Log, see Antigen Plus User Activity Logging.

Reporting Security Issues to Vendor

If you discover a security vulnerability or experience a security incident that may require vendor assistance, you should report it to Antigen Plus promptly.

Contact Information

Primary Contact:

• Email: customerservice@antigenplus.com
• Use this email for all security-related inquiries and incident reports

When to Contact Vendor:

• Suspected security vulnerabilities in Antigen Plus software
• Security incidents that may affect other customers
• Questions about security configuration or best practices
• Assistance needed with security incident investigation
• Concerns about Azure infrastructure security (for cloud database customers)

When to Handle Internally:

• User account security issues (password resets, access control)
• Workstation security incidents (malware, unauthorized access)
• Network security issues within your organization
• On-premise database security incidents (for on-premise deployments)
• Routine security monitoring and log review

Information to Include in Security Reports

When reporting a security issue to Antigen Plus, include the following information:

Issue Description:

• Clear description of the security issue or vulnerability
• Steps to reproduce the issue (if applicable)
• Impact assessment (what data or systems are affected)
• When the issue was discovered

Evidence and Logs:

• Relevant User Activity Log entries (exported in CSV format)
• Database audit log entries (if applicable)
• Screenshots or error messages
• Network logs or connection information (if relevant)
• Any other evidence that helps explain the issue

Environment Information:

• Antigen Plus version
• Database deployment model (Azure or on-premise)
• Operating system version
• Network configuration details (if relevant)

Contact Information:

• Your name and organization
• Preferred method of contact
• Urgency level of the issue

Coordinated Vulnerability Disclosure

Antigen Plus is committed to responsible vulnerability disclosure and security coordination:

Vendor Responsibilities:

• Prompt acknowledgment of security reports
• Investigation and assessment of reported issues
• Development and testing of security patches
• Coordinated release of security updates
• Communication with affected customers

Customer Responsibilities:

• Report security vulnerabilities responsibly
• Allow reasonable time for vendor response and patch development
• Do not publicly disclose vulnerabilities before vendor coordination
• Test and apply security patches promptly
• Follow vendor guidance for vulnerability mitigation

For information on Antigen Plus security responsibilities, see Security Overview: Shared Responsibility Model.

Monitoring Best Practices

Establishing effective monitoring practices helps ensure that security incidents are detected and responded to promptly. This section provides recommendations for monitoring Antigen Plus deployments.

Regular Log Review Procedures

User Activity Log Review:

• Review the User Activity Log regularly (weekly or monthly, depending on your risk profile)
• Focus on unusual access patterns, off-hours activity, and excessive data access
• Investigate any suspicious activities immediately
• Document log review activities and findings
• Export logs periodically for long-term retention

Database Audit Log Review:

• Review database audit logs regularly (for on-premise deployments)
• Monitor for failed authentication attempts and unusual access patterns
• Correlate database logs with Antigen Plus User Activity Log
• Integrate database logs with SIEM for automated monitoring

Automated Monitoring:

• Configure SIEM alerts for suspicious activities
• Set up alerts for failed authentication attempts
• Monitor for access from unexpected locations or workstations
• Alert on unusual data access patterns or volumes

Compliance Considerations

HIPAA Audit Requirements:

• HIPAA requires regular review of access logs for PHI
• User Activity Log provides comprehensive PHI access tracking
• Maintain audit logs according to HIPAA retention requirements (minimum 6 years)
• Document log review activities for compliance audits

Regulatory Compliance:

• Ensure monitoring practices meet all applicable regulatory requirements
• Maintain audit trails for compliance reporting
• Document security monitoring procedures
• Include monitoring in security risk assessments

Integration with Organizational Security Policies

Security Policy Alignment:

• Align Antigen Plus monitoring with your organization’s security policies
• Integrate Antigen Plus logs with organizational SIEM systems
• Include Antigen Plus in security incident response procedures
• Ensure monitoring procedures are documented and communicated to staff

Staff Training:

• Train administrators on accessing and interpreting the User Activity Log
• Provide guidance on identifying suspicious activities
• Establish clear procedures for incident reporting and escalation
• Regular training on security monitoring best practices

Monitoring Checklist

Use this checklist to ensure comprehensive security monitoring:

• User Activity Log review procedures established and documented
• Regular schedule for User Activity Log review (weekly/monthly)
• Database audit logging configured (on-premise deployments)
• SIEM integration configured for automated monitoring
• Alerts configured for failed authentication attempts
• Alerts configured for unusual access patterns
• Log export procedures established for long-term retention
• Incident response procedures documented and tested
• Staff trained on security monitoring and incident response
• Vendor contact information readily available
• Monitoring activities documented for compliance audits
• Integration with organizational security policies confirmed

For additional security information, see:

• Authentication and Authorization - User activity logging details
• Deployment Security - Database security configuration
• Data Security - Audit trail and data integrity
• Security Architecture - System architecture and monitoring capabilities