Getting started with IBM Cloud Activity Tracker

Use the IBM Cloud® Activity Tracker service to capture a record of your IBM Cloud activities and monitor the activity of your IBM Cloud account. You can use this service to investigate abnormal activity and critical actions, and comply with regulatory audit requirements. In addition, you can be alerted on actions as they happen. The events that are collected comply with the Cloud Auditing Data Federation (CADF) standard.

As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025. IBM Cloud Logs will become generally available 2Q2024 in Frankfurt and Madrid with day-one support for EU-managed controls. The service will continue its worldwide multizone region (MZR) roll-out through 3Q2024.

For more information about IBM Cloud Activity Tracker Event Routing, see About Activity Tracker Event Routing.

About IBM Cloud® Activity Tracker

Compliance with internal policies and industry regulations is a key requirement in any organization's strategy, regardless of where applications run: on-premises, in a hybrid cloud, or in a public cloud. The IBM Cloud Activity Tracker service provides the framework and functionality to monitor API calls to services on the IBM Cloud and produces the evidence to comply with corporate policies and market industry-specific regulations.

Figure 1. Activity Tracker hosted event search flow

When you work in a cloud environment, such as the IBM Cloud, you must plan the cloud strategy for auditing and monitoring workloads and data in accordance with your internal policies and with industry and country-based compliance requirements. You can use the information that is registered through the IBM Cloud Activity Tracker service to identify security incidents, detect unauthorized access, and comply with regulatory and internal auditing requirements.

  • IBM Cloud Activity Tracker supports high-level security governance for your IT resources in the cloud.
  • IBM Cloud Activity Tracker provides a solution for administrators to capture, store, view, search, and monitor API activity in a single place. It also offers a notification feature to alert you by using any of the supported notification channels.
  • IBM Cloud Activity Tracker provides capabilities to export events that you can then use to generate an audit trail report. These reports might be required so that your organization complies with internal regulations and external industry and country regulations.

IBM Cloud Activity Tracker collects and stores audit records for API calls made to resources that run in the IBM Cloud. You can archive these events on IBM Cloud for long-term storage.

IBM Cloud administrators can configure an IBM Cloud account to collect auditing events automatically for most enabled services. However, because of the high volumes of data that some services generate, those services might require an upgrade of the service plan, a configuration setting, or both, before you can collect and analyze their auditing events. Learn more about enabling Activity Tracker events.

For information on the services that are sending events to Activity Tracker, see IBM Cloud services that generate Activity Tracker events.

Depending on your compliance and organizational requirements, you can choose IBM Cloud Activity Tracker Event Routing or an IBM Cloud Activity Tracker hosted event search offering.

  • Application environments seeking to maintain Financial Services (FS) validation status on IBM Cloud should use IBM Cloud Activity Tracker Event Routing.
  • Application environments seeking compliance with PCI, SOC2, Privacy Shield and HIPAA should use an IBM Cloud Activity Tracker hosted event search offering.

  • Getting started with Event Routing
  • Getting started with hosted event and search offerings

Security

Consider the following information about security when you work with the IBM Cloud Activity Tracker service:

  • IBM services that generate IBM Cloud Activity Tracker events follow the IBM Cloud security policy. For more information, see Trust the security and privacy of IBM Cloud.
  • The IBM Cloud Activity Tracker service captures user-initiated actions that change the state of IBM Cloud services. The information does not provide direct access to databases or applications.
  • Only authorized users can view and monitor IBM Cloud Activity Tracker event logs. Each user is identified by their unique ID in the IBM Cloud.
  • You can only provision 1 instance of the service per IBM Cloud location (region).

Getting started

Complete this tutorial to learn how to provision an IBM Cloud Activity Tracker service in the IBM Cloud. Find out what common data is available in each event and how it can help you monitor your IBM Cloud environment. Learn to navigate in the web UI.

Prerequisites

  • You need a user ID that is a member or an owner of an IBM Cloud account. To get an IBM Cloud user ID, go to: Create an account.

  • If you prefer to work with the command line, you must install the IBM Cloud CLI. For more information, see Installing the IBM Cloud CLI.

  • To complete the steps to manage access to the service, your user ID needs administrator platform permissions to manage the IBM Cloud Activity Tracker service. Contact the account owner. The account owner can grant another user access to the account for the purposes of managing user access, and managing account resources. Learn more.

Provision an instance of the IBM Cloud Activity Tracker service

Complete the following steps to provision an instance:

  1. Log in to your IBM Cloud account.

    After you log in with your user ID and password, the IBM Cloud UI opens.

  2. Go to the menu icon and select Observability to access the Observability dashboard.

  3. Select Activity Tracker, then click Create.

  4. Enter a name for the service instance.

  5. Select the Frankfurt location.

    For more information about the regions where the service is available, see Regions.

  6. Select a resource group.

    By default, the default resource group is set.

    Note: If you are not able to select a resource group, check that you have editing permissions on the resource group where you want to provision the instance.

  7. Select the Lite service plan.

    By default, the lite plan is set.

  8. Click Create.

    After you provision an instance, the Activity Tracker dashboard, which is located in the Observability section of the IBM Cloud UI, opens.

Manage access to the service

Every user that accesses the IBM Cloud Activity Tracker service in your account must be assigned an access policy with an IAM user role defined. The policy determines what actions the user can perform within the context of the service or instance you select. The allowable actions are customized and defined as operations that are allowed to be performed on the service. The actions are then mapped to IAM user roles. Learn more.

To grant a user management permissions to work with the IBM Cloud Activity Tracker service within the context of a resource group, complete the following steps:

Create an access group

Complete the following steps to create an access group:

  1. From the menu bar, click Manage > Access (IAM), and select Access Groups.
  2. Click Create.
  3. Enter a name and optional description for your group, and click Create.

Add permissions to manage events

After you set up your group, you must assign a common access policy to the group. Any policy that you set for an access group applies to all entities, users and service IDs, within the group.

When you define the policy, you need to select a platform role and a service role:

  • Platform management roles cover a range of actions, including the ability to create and delete instances, manage aliases, bindings, and credentials, and manage access. The platform roles are administrator, editor, operator, viewer. Platform management roles also apply to account management services that enable users to invite users, manage service IDs, access policies, catalog entries, and track billing and usage depending on their assigned role on an account management service.
  • Service access roles define a user or service’s ability to perform actions on a service instance. The service access roles are manager, writer, and reader.

To manage the IBM Cloud Activity Tracker service, a user needs the following roles:

  • Platform role: Administrator.
  • Service role: Manager.

Complete the following steps to assign a policy through the UI:

  1. From the menu bar, click Manage > Access (IAM).
  2. Select Access Groups.
  3. Select the name of the group that you want to assign access to.
  4. Click Access policies > Assign access.
  5. Select IAM services.
  6. For the field What type of access do you want to assign?, select IBM Cloud Activity Tracker.
  7. For the in field, select the resource group.
  8. Select the platform role Administrator.
  9. Select the service role Manager.
  10. Click Add. Then, select Assign.

Add the user to the group

Complete the following steps to add the user to the access group:

  1. Click Add users on the Users tab.
  2. Select the user that you want to add from the list, and click Add to group.

Generate IBM Cloud Activity Tracker events

If you have a pay-as-you-go account, you can use IBM® Key Protect to create an event. If you don't have a pay-as-you-go account, provisioning any of the available lite services triggers an event.

  1. From the IBM Cloud catalog, select the category Security.

  2. Select the Key Protect service.

  3. (Optional) Provision an instance of the Key Protect service.

Launch the web UI

Complete the following steps to launch the web UI:

  1. Log in to your IBM Cloud account.

    After you log in with your user ID and password, the IBM Cloud dashboard opens.

  2. In the navigation menu, select Observability.

  3. Select Activity Tracker.

    The list of instances that are available on IBM Cloud is displayed.

  4. Select the instance that is located in Frankfurt. Then, click Open Dashboard.

    Global events, such as provisioning a service, are available through the global domain instance that is located in Frankfurt.

The web UI opens.

View events

The IBM Cloud Activity Tracker service captures activity data that is related to API calls and other actions that are made to selected cloud services in the IBM Cloud.

  • Events are collected automatically.
  • Events that are collected in IBM Cloud Activity Tracker comply with the Cloud Auditing Data Federation (CADF) standard. The CADF standard defines a full event model that includes the information that is needed to certify, manage, and audit security of applications in cloud environments.
  • IBM Cloud Activity Tracker stores and groups events by location.
  • Events that report on global IBM Cloud account actions are collected and stored in Frankfurt (EU-DE).
  • The service plan that you select for your IBM Cloud Activity Tracker instance sets the number of days that events are available for search through the web UI.

When the web UI opens, the EVERYTHING view is displayed. You can see events through this view.

You can also define custom views to view a set of events by applying a timestamp, a search query, or both. Learn more.

Learn about the structure of an event

Events comply with the Cloud Auditing Data Federation (CADF) standard. The CADF standard defines a full event model that includes the information that is needed to certify, manage, and audit security of applications in cloud environments.

The CADF event model includes the following components:

Table 1. Components that are available in a CADF event model

| Component | Description |
|-----------|-------------|
| Action | The action is the operation or activity that an initiator performs, attempts to perform, or is waiting to complete. |
| Initiator | The initiator is the resource that makes an API call and generates a CADF event. The event that is triggered depends on the action that is requested by the API call. |
| Observer | The observer is the resource that creates and stores a CADF record from information available in a CADF event. |
| Outcome | The outcome is the status of the action against the target. |
| Target | The target is the resource against which the action is performed, attempted to perform, or is pending to complete. |

Learn more.
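
The following sketch is an added example, not IBM's code. It shows how the CADF components in Table 1 can drive a simple audit check over exported events: it rejects records that lack a component, then reports any success that follows repeated failures of the same action by the same initiator. The one-JSON-object-per-line layout, the `eventTime` and `id` fields, and every ID and action string in the sample are assumptions constructed for illustration.

```python
import json
from collections import Counter

REQUIRED = {"action": str, "initiator": dict, "observer": dict, "outcome": str, "target": dict}  # Table 1

# Constructed sample, one JSON event per line. IDs and action strings are
# hypothetical placeholders, not real Activity Tracker output.
SAMPLE = """\
{"eventTime":"2024-01-10T09:00:01Z","action":"example-svc.key.create","outcome":"success","initiator":{"id":"user-alice"},"target":{"id":"key-1"},"observer":{"name":"ActivityTracker"}}
{"eventTime":"2024-01-10T09:05:12Z","action":"example-svc.key.delete","outcome":"failure","initiator":{"id":"user-bob"},"target":{"id":"key-1"},"observer":{"name":"ActivityTracker"}}
{"eventTime":"2024-01-10T09:05:40Z","action":"example-svc.key.delete","outcome":"failure","initiator":{"id":"user-bob"},"target":{"id":"key-2"},"observer":{"name":"ActivityTracker"}}
{"eventTime":"2024-01-10T09:06:03Z","action":"example-svc.key.delete","outcome":"success","initiator":{"id":"user-bob"},"target":{"id":"key-3"},"observer":{"name":"ActivityTracker"}}
{"eventTime":"2024-01-10T09:07:00Z","action":"example-svc.key.read","initiator":{"id":"user-carol"}}
this line is not JSON
"""


def parse_events(text):
    """Return (events, rejected); accepted events carry every Table 1 component."""
    events, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            rejected.append((lineno, "not JSON"))
            continue
        missing = [k for k, t in REQUIRED.items() if not (isinstance(event, dict) and isinstance(event.get(k), t))]
        if missing:
            rejected.append((lineno, "missing or malformed: " + ",".join(missing)))
        else:
            events.append(event)
    return events, rejected


def triage(events, failure_threshold=2):
    """Report successes that follow repeated failures of one action by one initiator."""
    failures, findings = Counter(), []
    # ISO 8601 UTC timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e.get("eventTime", "")):
        key = (ev["initiator"].get("id", "unknown"), ev["action"])
        if ev["outcome"] == "failure":
            failures[key] += 1
        elif ev["outcome"] == "success" and failures[key] >= failure_threshold:
            findings.append({"initiator": key[0], "action": key[1],
                             "target": ev["target"].get("id"),
                             "failed_attempts": failures[key]})
    return findings
```

Rejected records are returned rather than dropped so that gaps in the audit trail stay visible to the reviewer.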

Next steps

  1. Define custom views.

  2. Upgrade the IBM Cloud Activity Tracker service plan to a paid plan to be able to search events by applying a query and configure alerts.

    For more information about IBM Cloud Activity Tracker service plans, see Service plans.