Event fields

IBM Cloud Activity Tracker events are based on the Cloud Auditing Data Federation (CADF) standard.

As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025.

The CADF standard defines a full event model that includes the information that is needed to certify, manage, and audit security of applications in cloud environments.

The CADF event model includes the following components:

Table 1. Components that are available in a CADF event model

| Component | Description |
|---|---|
| Action | The action is the operation or activity that an initiator performs, attempts to perform, or is waiting to complete. |
| Initiator | The initiator is the resource that makes an API call and generates a CADF event. The event that is triggered depends on the action that is requested by the API call. |
| Observer | The observer is the resource that creates and stores a CADF record from information available in a CADF event. |
| Outcome | The outcome is the status of the action against the target. |
| Target | The target is the resource against which the action is performed, attempted, or pending completion. |

The following fields are included in each Activity Tracker event:

action (string)

This field indicates the action that triggers an event.

The format of this field is the following:

serviceName.objectType.action

Where

  • serviceName is the name of the service.

    There is an exception to the serviceName that is set for actions reported by the VPC infrastructure: in that case, the serviceName is composed of 2 parts that are separated by a dot (.).

  • objectType describes the resource or resource attribute on which the action is requested.

  • action defines the task requested by the initiator.

    Some valid actions are: activate, add, bulkdelete, create, read, update, delete, backup, build, capture, clear, commit, configure, deploy, disable, enable, get, import, inspect, list, monitor, pull, push, restore, start, stop, undeploy, receive, reimport, remove, send, set, setkeyfordeletion, set-on, set-off, authenticate, renew, revoke, allow, deny, evaluate, notify, reset, rotate, ack-delete, ack-restore, ack-disable, ack-enable, ack-rotate, edit, publish, authorize, write, pause, resume, unsetkeyfordeletion, failover, split

For more information about action values that are generated by services, see Services generating events.

For example, a sample action is iam-am.policy.create.
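The following Python is an added example, not code from the IBM Cloud documentation or the Activity Tracker service. It splits an action string into its serviceName, objectType and action components, handles the VPC case where the serviceName itself contains a dot (it assumes that a four-segment action is that VPC form), and reports verbs that are not in the list of valid actions above, which is a cheap way to notice a service emitting an undocumented action. The iam-am and kms actions in the sample are taken from this page; the is.vpc and example-svc actions are constructed.

```python
from collections import Counter
from dataclasses import dataclass

# Action verbs listed on this page as valid values for the third component.
KNOWN_ACTION_VERBS = frozenset("""
activate add bulkdelete create read update delete backup build capture clear
commit configure deploy disable enable get import inspect list monitor pull push
restore start stop undeploy receive reimport remove send set setkeyfordeletion
set-on set-off authenticate renew revoke allow deny evaluate notify reset rotate
ack-delete ack-restore ack-disable ack-enable ack-rotate edit publish authorize
write pause resume unsetkeyfordeletion failover split
""".split())


@dataclass(frozen=True)
class ParsedAction:
    service_name: str
    object_type: str
    verb: str


def parse_action(value: str) -> ParsedAction:
    """Split an `action` string into serviceName, objectType and action.

    Three dot-separated segments is the documented format. Four segments is
    treated as the VPC-infrastructure form, where the service name is two
    parts separated by a dot (assumption: no other service emits a
    four-segment action). Anything else is rejected rather than guessed at.
    """
    parts = value.split(".")
    if len(parts) not in (3, 4) or any(p == "" for p in parts):
        raise ValueError(f"action {value!r} is not serviceName.objectType.action")
    if len(parts) == 4:
        service_name = parts[0] + "." + parts[1]
        object_type, verb = parts[2], parts[3]
    else:
        service_name, object_type, verb = parts
    return ParsedAction(service_name, object_type, verb)


def is_known_verb(verb: str) -> bool:
    """True when the verb appears in the documented list of valid actions."""
    return verb in KNOWN_ACTION_VERBS


def summarize_actions(actions):
    """Count (serviceName, verb) pairs across a batch of action strings.

    Actions whose verb is not documented are returned separately so a
    reviewer can check whether a service started using a new action.
    """
    counts = Counter()
    unknown = []
    for value in actions:
        parsed = parse_action(value)
        counts[(parsed.service_name, parsed.verb)] += 1
        if not is_known_verb(parsed.verb):
            unknown.append(value)
    return counts, unknown


# Constructed sample: the iam-am and kms actions appear on this page, the
# is.vpc action is an assumed four-segment VPC-style example, and the last
# verb is deliberately not in the documented list.
SAMPLE_ACTIONS = [
    "iam-am.policy.create",
    "kms.secrets.read",
    "kms.secrets.read",
    "is.vpc.vpc.create",
    "example-svc.widget.frobnicate",
]

if __name__ == "__main__":
    counts, unknown = summarize_actions(SAMPLE_ACTIONS)
    for (service, verb), n in sorted(counts.items()):
        print(f"{service:15} {verb:12} {n}")
    print("undocumented verbs:", unknown)
```

Rejecting malformed values instead of splitting on the first or last dot matters because a detection rule keyed on the verb (for example, alerting on every delete) silently misses events if the parser picks the wrong segment.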

correlationId (string)

This field indicates the unique GUID that you can use to correlate events across multiple services in your account.

dataEvent (boolean)

This field specifies the type of event, whether it is a management event or a data event.

  • For a management event, this field is set to false.
  • For a data event, this field is set to true.

eventTime (string)

This field indicates the timestamp when the event was created.

The timestamp that you see for an event in the UI is set from eventTime and indicates the time when the event was created.

The date is represented in Coordinated Universal Time (UTC).

The format of this field is:

YYYY-MM-DDTHH:mm:ss.SS+0000

For example, a sample eventTime is 2017-10-19T19:07:50.32+0000.

Initiator fields

Initiator fields provide information about the user, service, or application that requests to run an action in your account.

initiator.id (string)

This field provides information about the ID of the initiator that requests the action.

You can find any of the following initiators:

  • IBM ID for users that use an IAM token to trigger an action in your account.
  • Service ID for services or applications that trigger an action in your account.
  • Certificate ID for requests where a certificate is used to trigger an action in your account.
  • Profile ID for requests that are run by using a trusted profile.

initiator.name (string)

This field provides information about the username of the initiator of the action.

This is the human-readable name that corresponds to the initiator.id value.

When the initiator is an IBM Cloud service, the field is set to IBM or the name of the service.

initiator.authnId (string)

ID of the user that logs in to IBM Cloud.

initiator.authnName (string)

Username of the user that logs in to IBM Cloud.

initiator.typeURI (string)

This field defines the type of the source of the event.

Valid values are:

  • service/security/account/user
  • service/security/account/serviceid
  • service/security/client/certificateid
  • service/security/clientid

initiator.credential.type (string)

This field defines the type of credential that is used by the initiator to run the action.

Valid values are:

  • token
  • user
  • apikey
  • certificate
  • public-access
  • hmac
  • compute-resource
  • instance-identity-token
  • apikey-serviceid
  • s2s-authorization

initiator.host.address (string)

This field provides information about the address where the request came from.

The format of this field is:

xxx.xxx.xxx.xxx

For example, a sample initiator.host.address is 15.234.123.12.

When the initiator of an action is an IBM Cloud service, this field is left empty.

initiator.host.addressType (string)

This field provides information about the type of IP address where the request came from.

Valid values are:

  • IPv4
  • IPv6
  • CSE

The default value is IPv4.

initiator.host.agent (string)

This field provides information that you can use to identify where the request originated.

logSourceCRN (string)

This field defines the Cloud Resource Name (CRN) of the resource on which the action is requested. For more information about the CRN format, see Cloud Resource Names.

message (string)

This field is set to the human-readable description of the event.

The format of this field is:

serviceName: {event description} [outcome]

Where

  • serviceName indicates the name of the service.
  • {event description} provides a human-readable version of what the event is reporting.
  • outcome is optional and is only included when the outcome of the request is failure.

observer.name (string)

This field is set to the fixed value ActivityTracker.

outcome (string)

This field indicates the result of the action.

Valid values are: success, pending, or failure.
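The enumerated fields described so far (outcome, dataEvent, initiator.typeURI, initiator.credential.type, initiator.host.addressType and observer.name) are the ones a log pipeline should check before it trusts an event for alerting. The Python below is an added example, not IBM's code; it assumes that the dotted field names on this page correspond to nested JSON objects, validates one event against the value lists given above, and applies the documented IPv4 default when addressType is absent. Both sample events are constructed.

```python
# Valid values listed on this page for the enumerated event fields.
INITIATOR_TYPE_URIS = {
    "service/security/account/user",
    "service/security/account/serviceid",
    "service/security/client/certificateid",
    "service/security/clientid",
}
CREDENTIAL_TYPES = {
    "token", "user", "apikey", "certificate", "public-access", "hmac",
    "compute-resource", "instance-identity-token", "apikey-serviceid",
    "s2s-authorization",
}
ADDRESS_TYPES = {"IPv4", "IPv6", "CSE"}
OUTCOMES = {"success", "pending", "failure"}
OBSERVER_NAME = "ActivityTracker"


def get_path(event, dotted, default=None):
    """Read a dotted field name such as 'initiator.credential.type' from a
    nested event dict (assumption: the JSON nests as the dotted names suggest)."""
    node = event
    for key in dotted.split("."):
        node = node.get(key, default) if isinstance(node, dict) else default
    return node


def effective_address_type(event):
    """addressType is optional; the page states that IPv4 is the default."""
    return get_path(event, "initiator.host.addressType") or "IPv4"


def validate_event(event):
    """Return a list of problems found; an empty list means the event conforms
    to the value lists on this page."""
    problems = []

    def check_enum(path, allowed):
        value = get_path(event, path)
        if value not in allowed:
            problems.append(f"{path}: {value!r} is not one of {sorted(allowed)}")

    check_enum("outcome", OUTCOMES)
    check_enum("initiator.typeURI", INITIATOR_TYPE_URIS)
    check_enum("initiator.credential.type", CREDENTIAL_TYPES)
    if effective_address_type(event) not in ADDRESS_TYPES:
        problems.append("initiator.host.addressType: unknown address type")
    if not isinstance(get_path(event, "dataEvent"), bool):
        problems.append("dataEvent: must be a JSON boolean")
    if get_path(event, "observer.name") != OBSERVER_NAME:
        problems.append(f"observer.name: expected {OBSERVER_NAME!r}")
    return problems


# Constructed sample events; identifiers and addresses are made up.
VALID_EVENT = {
    "action": "iam-am.policy.create", "outcome": "success", "dataEvent": False,
    "observer": {"name": "ActivityTracker"},
    "initiator": {"id": "IBMid-example", "typeURI": "service/security/account/user",
                  "credential": {"type": "token"},
                  "host": {"address": "15.234.123.12"}},
}
BAD_EVENT = {
    "action": "example-svc.widget.create", "outcome": "ok", "dataEvent": "false",
    "observer": {"name": "ActivityTracker"},
    "initiator": {"id": "IBMid-example", "typeURI": "service/security/account/robot",
                  "credential": {"type": "apikey"},
                  "host": {"address": "2001:db8::1", "addressType": "IPv6"}},
}

if __name__ == "__main__":
    for label, ev in (("valid", VALID_EVENT), ("bad", BAD_EVENT)):
        print(label, effective_address_type(ev), validate_event(ev) or "ok")
```

Treating a string "false" in dataEvent as a problem rather than coercing it is deliberate: a filter that drops data events (dataEvent == true) would otherwise let such a record through.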

Reason fields

Reason fields provide information about the outcome of the request.

reason.reasonCode (numeric)

This field returns the HTTP response code of the action requested.

For example, the reason.reasonCode field is set to:

  • 403 to report that access is forbidden or unauthorized
  • 409 to report a conflict

reason.reasonType (string)

This field provides additional information about the result of the action requested.

reason.reasonForFailure (string)

This field provides additional information as to why the action has failed.

requestData (JSON)

When the field is available, it includes additional information about the request.

The information that is included in requestData is specific to each type of action. Check the API documentation of a request to learn about some of the fields that may be included.

responseData (JSON)

When the field is available, it includes additional information about the request.

The information that is included in responseData is specific to each type of action. Check the API documentation of a request to learn about some of the fields that may be included.

saveServiceCopy (boolean)

This field determines whether the IBM Cloud service that generates the event saves a copy of the event for IBM Cloud auditing.

When it is set to true, the service that generates the event saves a copy.

severity (string)

This field defines the level of threat an action may have on the IBM Cloud.

Valid values are: normal, warning, and critical.

The following table describes how this field is set based on the type of action:

Table 3. Severity values by type of action

| Value | Type of action | Sample of action |
|---|---|---|
| normal | Routine actions in the IBM Cloud | Start an instance |
| warning | Actions that fail; actions where a resource is updated or its metadata is modified | Rename a service instance |
| critical | Actions that affect security in the IBM Cloud, such as changing credentials of a user or deleting data; actions where the initiator is not authorized to work with an IBM Cloud resource | Delete a security key |

When the reasonCode for an API call is any of the following values, the value of severity is set as follows:

Table 4. Severity value for some reason codes

| reasonCode | Description | Severity |
|---|---|---|
| 400 | Bad Request | warning |
| 401 | Unauthorized | critical |
| 403 | Forbidden | critical |
| 409 | Conflict | warning |
| 424 | Failed Dependency | warning |
| 500 | Internal Server Error | warning |
| 502 | Bad Gateway | warning |
| 503 | Service Unavailable | critical |
| 504 | Gateway Timeout | warning |
| 505 | HTTP Version Not Supported | warning |
| 507 | Insufficient Storage | critical |
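The Python below is an added example, not code from IBM Cloud, showing how a reviewer might use Table 4 together with the eventTime format documented earlier on this page. It selects the events that deserve attention (emitted severity critical, or a reasonCode that Table 4 maps to critical), flags records whose emitted severity disagrees with the table so the discrepancy itself can be investigated, and orders the result by eventTime. It assumes that the dotted field names correspond to nested JSON objects; all sample events are constructed.

```python
from datetime import datetime

# Table 4 on this page: severity that Activity Tracker assigns for some
# HTTP reason codes, regardless of the action type.
SEVERITY_BY_REASON_CODE = {
    400: "warning", 401: "critical", 403: "critical", 409: "warning",
    424: "warning", 500: "warning", 502: "warning", 503: "critical",
    504: "warning", 505: "warning", 507: "critical",
}

# eventTime format from this page: YYYY-MM-DDTHH:mm:ss.SS+0000. strptime's
# %f accepts the two-digit fraction and %z accepts the +0000 offset.
EVENT_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_event_time(value: str) -> datetime:
    """Parse eventTime into a timezone-aware datetime (UTC)."""
    return datetime.strptime(value, EVENT_TIME_FORMAT)


def severity_for_reason_code(code):
    """Severity from Table 4, or None when the code is not listed there
    (severity then depends on the type of action, Table 3)."""
    return SEVERITY_BY_REASON_CODE.get(code)


def get_path(event, dotted, default=None):
    """Read a dotted field name such as 'reason.reasonCode' from a nested
    event dict (assumption: the JSON nests as the dotted names suggest)."""
    node = event
    for key in dotted.split("."):
        node = node.get(key, default) if isinstance(node, dict) else default
    return node


def triage(events):
    """Select events a reviewer should look at, oldest first.

    An event is selected when its emitted severity is critical, or when its
    reason code maps to critical in Table 4. When the two disagree, the
    record is marked so the discrepancy can be investigated as well.
    """
    selected = []
    for ev in events:
        emitted = get_path(ev, "severity")
        code = get_path(ev, "reason.reasonCode")
        expected = severity_for_reason_code(code)
        if emitted != "critical" and expected != "critical":
            continue
        selected.append({
            "time": parse_event_time(get_path(ev, "eventTime")),
            "action": get_path(ev, "action"),
            "initiator": get_path(ev, "initiator.id"),
            "outcome": get_path(ev, "outcome"),
            "reasonCode": code,
            "severity": emitted,
            "severity_mismatch": expected is not None and expected != emitted,
        })
    selected.sort(key=lambda rec: rec["time"])
    return selected


# Constructed sample events; identifiers are made up and the first
# eventTime is the sample value given on this page.
SAMPLE_EVENTS = [
    {"eventTime": "2017-10-19T19:07:50.32+0000", "action": "iam-am.policy.create",
     "outcome": "success", "severity": "normal",
     "initiator": {"id": "IBMid-example-1"}, "reason": {"reasonCode": 201}},
    {"eventTime": "2017-10-19T19:09:12.05+0000", "action": "kms.secrets.read",
     "outcome": "failure", "severity": "critical",
     "initiator": {"id": "ServiceId-example-2"}, "reason": {"reasonCode": 403}},
    {"eventTime": "2017-10-19T19:08:01.00+0000", "action": "kms.secrets.read",
     "outcome": "failure", "severity": "warning",
     "initiator": {"id": "ServiceId-example-2"}, "reason": {"reasonCode": 401}},
    {"eventTime": "2017-10-19T19:10:00.00+0000", "action": "example-svc.instance.update",
     "outcome": "failure", "severity": "warning",
     "initiator": {"id": "IBMid-example-1"}, "reason": {"reasonCode": 409}},
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_EVENTS):
        flag = " (severity does not match Table 4)" if rec["severity_mismatch"] else ""
        print(rec["time"].isoformat(), rec["action"], rec["initiator"],
              rec["reasonCode"], rec["severity"] + flag)
```

Sorting by the parsed eventTime rather than by arrival order matters because events from different services can reach the log pipeline out of sequence; the repeated 401 and 403 failures from one service ID then read as a sequence instead of two unrelated records.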

Target fields

Target fields provide information about the resource that is accessed, created, updated, or deleted by the initiator's action in your account.

The following table lists common target fields that are available for each event:

Table 5. Common target fields

| Field name | Description | Value |
|---|---|---|
| target.id | Cloud Resource Name (CRN) of the resource on which the action is executed. | For example, crn:v1:bluemix:public:cloud-object-storage:global:a/12345678e6232019c6567c9123456789:fr56et47-befb-440a-a223c-12345678dae1:bucket:bucket1 |
| target.name | Human-readable name of the resource on which the action is executed. | |
| target.typeURI | Type of the cloud resource on which the action is executed. | For example, iam-am/policy or cloud-object-storage/bucket/acl |
| target.host.address | IP address or URL of the target service. | |

target.id (string)

This field indicates the IBM Cloud resource on which the action is executed.

The format of this field is a CRN. For more information, see CRN format.

target.name (string)

This field indicates the human-readable name of the IBM Cloud resource on which the action is executed.

Make sure that resource names do not include sensitive data or personally identifiable information (PII).

target.alias (string)

Set this value to the alias of the cloud resource that is used in the request and on which the action is executed.

This field is optional.

target.typeURI (string)

This field indicates the type of the target of the event.

The format of this field is:

serviceName/objectType/attribute

Where

  • serviceName is the name of the service.
  • objectType is the resource on which the action is run.

For example:

Table 6. target.typeURI examples

| action | target.typeURI |
|---|---|
| container-registry.namespace.create | container-registry/namespace |
| kms.secrets.read | kms/secrets |
| cloud-object-storage.instance.create | cloud-object-storage/instance |
| cloud-object-storage.object-multipart.create | cloud-object-storage/object/multipart |

target.resourceGroupId (string)

Set to the resource group CRN that is associated with the resource on which the action is requested.

This field only applies to events that are generated by services whose resources are associated with a resource group. For example, services that are global and cannot be provisioned within the context of a resource group do not include this field.

target.host.address (string)

This field defines the IP Address or URL of the target service.

This field is optional.

Labels and line identifiers

Labels and line identifiers provide information about the service that is generating the event.

The following table outlines common labels and line identifiers that you can find in events:

Table 7. Labels and line identifiers

| Area | Label | Description | Event field name that you can use to search |
|---|---|---|---|
| IBM | platform-service | Service that generates the event | _platform |
| Line identifier | Source | Service that generates the event | host |
| Line identifier | Env | Environment: production | env |
| Line identifier | App | CRN of the service instance in your account | app |