IBM Cloud Docs
Auditing events for Activity Tracker Event Routing

As a security officer, auditor, or manager, you can use the Activity Tracker Event Routing service to track how users and applications interact with the Activity Tracker Event Routing service in IBM Cloud.

Activity Tracker Event Routing records user-initiated activities that change the state of a service in IBM Cloud. You can use this service to investigate abnormal activity and critical actions and to comply with regulatory audit requirements. In addition, you can be alerted about actions as they happen. The events that are collected comply with the Cloud Auditing Data Federation (CADF) standard.

Managing auditing events in an IBM Cloud account

You can manage auditing events in an IBM Cloud account in any of the following ways:

  • By configuring Activity Tracker hosted event search in the IBM Cloud account

    You can use Activity Tracker hosted event search, an IAM enabled service, to manage auditing events through instances that you provision in each IBM Cloud region where you operate.

    Activity Tracker hosted event search routes location-based auditing events to an Activity Tracker instance in the region where they are generated and routes global auditing events to the Activity Tracker Event Routing instance that is provisioned in Frankfurt. For more information about locations where Activity Tracker Event Routing generates events, see Locations of Activity Tracker Event Routing events.

    For more information about how to configure Activity Tracker hosted event search, see Getting started with Activity Tracker hosted event search.

  • By configuring Activity Tracker Event Routing in the IBM Cloud account

    You can use Activity Tracker Event Routing, a platform service, to manage auditing events at the account-level by configuring targets and routes that define where auditing data is routed.

    Activity Tracker Event Routing routes events based on the location that is specified in the logSourceCRN field included in the event. You can define a target, the resource where events are routed to, in any Activity Tracker Event Routing supported region. However, the target resource can be located in any region where that type of target is supported, in the same account or in a different account. You can define rules to determine where auditing events are to be routed by configuring 1 or more routes in the account. You can define rules for managing global events and location-based events that are generated in regions where Activity Tracker Event Routing is supported.

    For more information about how to configure Activity Tracker Event Routing, see Getting started with Activity Tracker Event Routing.

    Activity Tracker Event Routing can only route events that are generated in supported regions. Other regions, where Activity Tracker Event Routing is not available, continue to manage events by using Activity Tracker hosted event search.

You can manage auditing events that are generated by Activity Tracker Event Routing by using any of the following methods:

Table 1. Methods to manage auditing events in an IBM Cloud account.
Method | Supported
Configuring Activity Tracker Event Routing | Yes
Configuring Activity Tracker hosted event search | Yes

Locations of service events

Activity Tracker Event Routing automatically generates events in all of the supported regions so that you can track activity of the service in the account.

The following tables list the locations where the automatic collection of Activity Tracker Event Routing service events is enabled.

Table 2. The automatic collection of Activity Tracker Event Routing service events in Americas locations
Locations in Americas | Service events available
Dallas (us-south) | Yes
Washington (us-east) | Yes

Table 3. The automatic collection of Activity Tracker Event Routing service events in Asia Pacific locations
Locations in Asia Pacific | Service events available
Sydney (au-syd) | Yes

Table 4. The automatic collection of Activity Tracker Event Routing service events in Europe locations
Locations in Europe | Service events available
Frankfurt (eu-de) | Yes
London (eu-gb) | Yes

Viewing events

Viewing events managed through Activity Tracker Event Routing

Activity Tracker Event Routing routes events based on the location that is specified in the logSourceCRN field included in the event.

You can define a target, the resource where events are routed to, in any Activity Tracker Event Routing supported region. However, the target resource can be located in any region where that type of target is supported, in the same account or in a different account. For more information about supported targets, see Targets.

You can define rules to determine where auditing events are to be routed by configuring 1 or more routes in the account. You can define rules for managing global events and location-based events that are generated in regions where Activity Tracker Event Routing is supported. For more information, see supported regions.

To view events, you must access the target and download the object.

Viewing events managed through Activity Tracker hosted event search

Activity Tracker hosted event search routes location-based auditing events to an Activity Tracker Event Routing instance in the region where they are generated and routes global auditing events to the Activity Tracker Event Routing instance that is provisioned in Frankfurt.

Events that are generated by Activity Tracker Event Routing are automatically forwarded to the Activity Tracker service instance that is available in the same location. For more information, see Services generating events by location.

Activity Tracker can have only one instance per location. To view events, you must access the web UI of the Activity Tracker service in the same location where your service instance is available. For more information, see Launching the web UI through the IBM Cloud UI.

Management events

Targets

The following table lists the auditing events that are generated when you manage targets:

Table 5. Events for managing targets
Action | Description
atracker.target.create | This event is generated when an administrator creates a new Cloud Object Storage (COS) target with specified COS endpoint information and credentials.
atracker.target.list | This event is generated when an administrator lists all Cloud Object Storage (COS) targets defined under a region.
atracker.target.get | This event is generated when an administrator retrieves a target and its details by specifying the ID of the target.
atracker.target.update | This event is generated when an administrator updates a target's details by specifying the ID of the target.
atracker.target.delete | This event is generated when an administrator deletes a target by specifying the ID of the target.

Routes

The following table lists the auditing events that are generated when you manage routes:

Table 6. Events for managing routes
Action | Description
atracker.route.create | This event is generated when an administrator creates a route with rules that define how to route auditing events to targets for a region.
atracker.route.list | This event is generated when an administrator lists the routes defined under this region.
atracker.route.get | This event is generated when an administrator retrieves a route and its details by specifying the ID of the route.
atracker.route.update | This event is generated when an administrator replaces a route's details by specifying the ID of the route. You can also get this event when you validate a target by checking the credentials to write to the bucket.
atracker.route.delete | This event is generated when an administrator deletes a route by specifying the ID of the route.

Settings

The following table lists the auditing events that are generated when you manage settings:

Table 7. Events for managing settings
Action | Description
atracker.setting.set | This event is generated when an administrator configures the Activity Tracker Event Routing settings for an account.
atracker.setting.get | This event is generated when an administrator gets information about the Activity Tracker Event Routing settings for an account.
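
A triage sketch for the management events listed above, added here as an example and not taken from IBM's documentation: it scans events downloaded from a target and reports those that change targets, routes, or settings, with the location read from logSourceCRN. It assumes one JSON event per line and the CADF field names eventTime, initiator.name, and outcome; the account ID, user names, and sample events are constructed.

```python
import json

# Action names come from Tables 5-7; grouping them as "changes where audit
# data goes" is this example's own classification, not IBM's.
CHANGE_ACTIONS = {
    "atracker.target.create", "atracker.target.update", "atracker.target.delete",
    "atracker.route.create", "atracker.route.update", "atracker.route.delete",
    "atracker.setting.set",
}

def crn_location(crn):
    """Return the location segment (6th colon-separated field) of a CRN."""
    parts = (crn or "").split(":")
    return parts[5] if len(parts) > 5 and parts[5] else "unknown"

def routing_changes(lines):
    """Summarize every event that alters targets, routes, or settings."""
    found = []
    for raw in lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines instead of aborting the review
        if not isinstance(event, dict) or event.get("action") not in CHANGE_ACTIONS:
            continue  # read-only actions (list, get) are ignored
        found.append({
            "time": event.get("eventTime"),        # assumed CADF field name
            "action": event["action"],
            "location": crn_location(event.get("logSourceCRN")),
            "initiator": (event.get("initiator") or {}).get("name", "unknown"),
            "outcome": event.get("outcome", "unknown"),
        })
    return found

# Constructed sample input: placeholder account ID and user names.
CRN = "crn:v1:bluemix:public:atracker:%s:a/00000000000000000000000000000000:::"
SAMPLE = [
    json.dumps({"eventTime": "2024-01-01T10:00:00Z", "action": "atracker.target.list",
                "outcome": "success", "logSourceCRN": CRN % "us-south",
                "initiator": {"name": "auditor@example.com"}}),
    json.dumps({"eventTime": "2024-01-01T10:05:00Z", "action": "atracker.route.delete",
                "outcome": "success", "logSourceCRN": CRN % "eu-de",
                "initiator": {"name": "admin@example.com"}}),
    '{"eventTime": "2024-01-01T10:06:00Z", "action": "atracker.ta',  # truncated line
    json.dumps({"eventTime": "2024-01-01T10:07:00Z", "action": "atracker.setting.set",
                "outcome": "failure", "logSourceCRN": CRN % "us-east"}),
]

if __name__ == "__main__":
    for change in routing_changes(SAMPLE):
        print(change)
```

Failed attempts are reported as well as successful ones, so a rejected atracker.setting.set or atracker.route.delete is visible during review.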