Event fields
Activity tracking events are based on the Cloud Auditing Data Federation (CADF) standard.
The CADF standard defines a full event model that includes the information that is needed to certify, manage, and audit security of applications in cloud environments.
The CADF event model includes the following components:
Component | Description |
---|---|
Action | The operation or activity that an initiator performs, attempts to perform, or is waiting to complete. |
Initiator | The resource that makes an API call and generates a CADF event. The event that is triggered depends on the action that is requested by the API call. |
Observer | The resource that creates and stores a CADF record from the information available in a CADF event. |
Outcome | The status of the action against the target. |
Target | The resource against which the action is performed, attempted, or pending completion. |
The following fields are included in each Activity Tracker event:
action (string)
This field indicates the action that triggers an event.
The format of this field is the following:
serviceName.objectType.action
Where
- serviceName is the name of the service. There is an exception for the serviceName that is set for actions reported by the VPC infrastructure: it is composed of 2 parts that are separated by a dot (.), so the action field then has four dot-separated parts instead of three.
- objectType describes the resource or resource attribute on which the action is requested.
- action defines the task requested by the initiator. Some valid actions are: activate, add, apply, approve, authorize, bulkdelete, create, copy, read, update, delete, backup, build, capture, clear, commit, configure, deploy, disable, enable, end, get, import, init, inspect, list, monitor, notify, pull, push, provision, restore, start, stop, undeploy, receive, reimport, remove, send, set, setkeyfordeletion, unsetkeyfordeletion, set-on, set-off, authenticate, renew, revoke, allow, deny, evaluate, reset, rotate, ack-delete, ack-restore, ack-disable, ack-enable, ack-expire, ack-restore-over, ack-rotate, ack-sync, edit, publish, write, pause, refresh, resume, failover, split, expire, unwrap, wrap, rewrap, head, reapprove, export, power-off, reboot, soft-reboot, hard-reboot, power-on, rename, rescue, reload, scale, search, reject.
For more information about action values that are generated by services, see Services generating events.
For example, a sample action is iam-am.policy.create.
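The following Python script is an added example, not code from the IBM Cloud documentation. It splits an action string from the right so that the usual three-part form and the four-part VPC form both yield one objectType and one verb, validates the verb against the list above, and summarises a batch of actions per service. The VPC-style action is.vpc.vpc.create used as sample input and the set of verbs treated as read-only are assumptions of this example, not values stated on this page.

```python
"""Parse and sanity-check the Activity Tracker `action` field.

Added example, not code from the IBM Cloud documentation. It splits the
`serviceName.objectType.action` string from the right so that the VPC
exception (a two-part serviceName such as the ASSUMED "is.vpc") still
yields one objectType and one verb. The set of verbs is the list given on
this page; the "read-only" subset is this example's own assumption.
"""
import re

# Verbs listed on the page as valid values for the trailing `action` part.
KNOWN_VERBS = frozenset("""
activate add apply approve authorize bulkdelete create copy read update delete
backup build capture clear commit configure deploy disable enable end get
import init inspect list monitor notify pull push provision restore start stop
undeploy receive reimport remove send set setkeyfordeletion
unsetkeyfordeletion set-on set-off authenticate renew revoke allow deny
evaluate reset rotate ack-delete ack-restore ack-disable ack-enable ack-expire
ack-restore-over ack-rotate ack-sync edit publish write pause refresh resume
failover split expire unwrap wrap rewrap head reapprove export power-off
reboot soft-reboot hard-reboot power-on rename rescue reload scale search
reject
""".split())

# Assumption of this example: verbs that do not change state. Useful for
# separating reconnaissance-style activity from mutations when triaging.
READ_ONLY_VERBS = frozenset({"read", "get", "list", "inspect", "head",
                             "search", "monitor", "evaluate"})

_PART = re.compile(r"^[a-z0-9][a-z0-9-]*$")


def parse_action(action: str) -> dict:
    """Return {'service', 'object_type', 'verb', 'read_only', 'known_verb'}.

    Raises ValueError for strings that cannot be a well-formed action.
    """
    parts = action.split(".")
    # Three parts normally; four when the serviceName itself contains a dot
    # (the VPC infrastructure exception described on the page).
    if len(parts) not in (3, 4) or not all(_PART.match(p) for p in parts):
        raise ValueError(f"malformed action field: {action!r}")
    *service_parts, object_type, verb = parts
    return {
        "service": ".".join(service_parts),
        "object_type": object_type,
        "verb": verb,
        "known_verb": verb in KNOWN_VERBS,
        "read_only": verb in READ_ONLY_VERBS,
    }


def group_by_service(actions: list) -> dict:
    """Count verbs per service, skipping malformed entries; handy for a
    quick 'what touched what' summary over a batch of events."""
    summary = {}
    for a in actions:
        try:
            p = parse_action(a)
        except ValueError:
            continue
        summary.setdefault(p["service"], {}).setdefault(p["verb"], 0)
        summary[p["service"]][p["verb"]] += 1
    return summary


if __name__ == "__main__":
    # Constructed sample input: the page's own example plus an ASSUMED
    # VPC-style action with a two-part serviceName.
    for a in ["iam-am.policy.create", "is.vpc.vpc.create", "kms.secrets.read"]:
        print(a, "->", parse_action(a))
```

Splitting from the right rather than on the first two dots is what keeps the parser correct for both forms; a verb that is not in the page's list is reported rather than rejected, because services add actions over time.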
correlationId (string)
This field indicates the unique GUID that you can use to correlate events across multiple services in your account.
dataEvent (boolean)
This field specifies the type of event, whether it is a management event or a data event.
- For a management event, this field is set to false.
- For a data event, this field is set to true.
eventTime (string)
This field indicates the timestamp when the event was created.
The timestamp that you see for an event in the UI is set from eventTime and indicates the time when the event was created.
The date is represented in Coordinated Universal Time (UTC).
The format of this field is:
YYYY-MM-DDTHH:mm:ss.SS+0000
For example, a sample eventTime is 2017-10-19T19:07:50.32+0000.
id (string)
An optional field that can be used to correlate activity tracking events within a service.
Initiator fields
Initiator fields provide information about the user, service, or application that requests to run an action in your account.
initiator.id (string)
This field provides information about the ID of the initiator that requests the action.
You can find any of the following initiators:
- IBM ID for users that use an IAM token to trigger an action in your account.
- Service ID for services or applications that trigger an action in your account.
- Certificate ID for requests where a certificate is used to trigger an action in your account.
- Profile ID for requests that are run by using a trusted profile.
initiator.name (string)
This field provides information about the username of the initiator of the action.
This is the human-readable name that corresponds to the initiator.id value.
When the initiator is an IBM Cloud service, the field is set to IBM or the name of the service.
initiator.authnId (string)
ID of the user that logs in to IBM Cloud.
initiator.authnName (string)
Username of the user that logs in to IBM Cloud.
initiator.typeURI (string)
This field defines the type of the source of the event.
Valid values are:
service/security/account/user
service/security/account/serviceid
service/security/client/certificateid
service/security/clientid
initiator.credential.type (string)
This field defines the type of credential that is used by the initiator to run the action.
Valid values are:
token
user
apikey
certificate
public-access
hmac
compute-resource
instance-identity-token
apikey-serviceid
s2s-authorization
initiator.host.address (string)
This field provides information about the address where the request came from. For example, the UI or CLI.
The format of this field is:
xxx.xxx.xxx.xxx
For example, a sample initiator.host.address is 15.234.123.12.
When the initiator of an action is an IBM Cloud service, this field is set to empty.
initiator.host.addressType (string)
This field provides information about the type of IP address where the request came from.
Valid values are:
IPv4
IPv6
CSE
subnet
The default value is IPv4.
initiator.host.agent (string)
This field provides information that you can use to identify where the request originated.
This field is set to the originating IP address of the request for IPv4 and IPv6. For subnet, the CIDR block is included. For CSE, the value is blank.
logSourceCRN (string)
This field specifies the Cloud Resource Name (CRN) of the service instance that generates the event. For more information about the CRN format, see Cloud Resource Names.
message (string)
This field is set to the human-readable description of the event.
The format of this field is:
serviceName: {event description} [outcome]
Where
- serviceName indicates the name of the service.
- {event description} provides a human-readable version of what the event is reporting.
- outcome is optional and is only included when the outcome of the request is failure.
observer.name (string)
This field is set to the fixed value ActivityTracker.
outcome (string)
This field indicates the result of the action.
Valid values are: success, pending, or failure.
Reason fields
Reason fields provide information about the outcome of the request.
reason.reasonCode (numeric)
This field returns the HTTP response code of the action requested.
For example, the reason.reasonCode field is set to:
- 403 to report forbidden access (the initiator is not authorized for the resource)
- 409 to report a conflict
Reason code values can be found in HTTP response codes.
reason.reasonType (string)
This field provides additional information about the result of the action requested.
reason.reasonForFailure (string)
This field provides additional information as to why the action has failed.
requestData (JSON)
When the field is available, it includes additional information about the request.
The information that is included in requestData is specific for each type of action. Check the API documentation of a request to learn about some of the fields that may be included.
responseData (JSON)
When the field is available, it includes additional information about the response.
The information that is included in responseData is specific for each type of action. Check the API documentation of a request to learn about some of the fields that may be included.
saveServiceCopy (boolean)
This field determines whether the IBM Cloud service that generates the event saves a copy of the event for IBM Cloud auditing.
When it is set to true, the service that generates the event saves a copy.
severity (string)
This field defines the level of threat an action may have on the IBM Cloud.
Valid values are: normal, warning, and critical.
The following table describes how this field is set based on the type of action:
Value | Type of action | Sample of action |
---|---|---|
normal | Routine actions in the IBM Cloud | Start an instance |
warning | Actions that fail; actions where a resource is updated or its metadata is modified | Rename a service instance |
critical | Actions that affect security in the IBM Cloud, such as changing credentials of a user or deleting data; actions where the initiator is not authorized to work with an IBM Cloud resource | Delete a security key |
When the reasonCode for an API call is any of the following values, the value of severity is set as follows:
reasonCode | Description | Severity |
---|---|---|
400 | Bad Request | warning |
401 | Unauthorized | critical |
403 | Forbidden | critical |
409 | Conflict | warning |
424 | Failed Dependency | warning |
500 | Internal Server Error | warning |
502 | Bad Gateway | warning |
503 | Service Unavailable | critical |
504 | Gateway Timeout | warning |
505 | HTTP Version Not Supported | warning |
507 | Insufficient Storage | critical |
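The following Python script is an added example, not part of the IBM Cloud documentation. It uses the eventTime, initiator, outcome, reason and severity fields described above: it parses the eventTime format, encodes the reasonCode-to-severity table as a lookup, reports events whose own severity field disagrees with that table, and alerts when a single initiator.id accumulates repeated 401/403 failures inside a short window. The sample events, the five-minute window and the threshold of three failures are constructed for this example.

```python
"""Triage Activity Tracker events with the fields described on this page.

Added example, not code from the IBM Cloud documentation. It parses
`eventTime` (format YYYY-MM-DDTHH:mm:ss.SS+0000), maps `reason.reasonCode`
to the severity the page's table specifies, checks that the event's own
`severity` field agrees, and raises an alert when one initiator collects
repeated authorization failures (401/403) inside a short window. The sample
events, the window size and the threshold are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Severity implied by reason.reasonCode, exactly as tabulated on this page.
SEVERITY_BY_REASON_CODE = {
    400: "warning", 401: "critical", 403: "critical", 409: "warning",
    424: "warning", 500: "warning", 502: "warning", 503: "critical",
    504: "warning", 505: "warning", 507: "critical",
}

AUTHZ_FAILURE_CODES = {401, 403}


def parse_event_time(value: str) -> datetime:
    """Parse the page's eventTime format; the fractional part has two digits
    and the offset is written as +0000, both of which strptime accepts."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def expected_severity(event: dict):
    """Severity implied by reasonCode, or None when the code is not tabulated."""
    code = event.get("reason", {}).get("reasonCode")
    return SEVERITY_BY_REASON_CODE.get(code)


def severity_mismatches(events: list) -> list:
    """Events whose own severity field contradicts the reasonCode table.
    Each hit is (correlationId, actual severity, expected severity)."""
    hits = []
    for ev in events:
        exp = expected_severity(ev)
        if exp is not None and ev.get("severity") != exp:
            hits.append((ev.get("correlationId"), ev.get("severity"), exp))
    return hits


def repeated_authz_failures(events: list, window: timedelta = timedelta(minutes=5),
                            threshold: int = 3) -> list:
    """Initiators with >= threshold 401/403 outcomes within `window`.

    Returns [(initiator.id, count_in_window, first_action, last_action)].
    A burst of Forbidden responses from one identity is a common signal of
    permission probing or a leaked credential being tried against resources.
    """
    by_initiator = defaultdict(list)
    for ev in events:
        code = ev.get("reason", {}).get("reasonCode")
        if ev.get("outcome") == "failure" and code in AUTHZ_FAILURE_CODES:
            by_initiator[ev["initiator"]["id"]].append(
                (parse_event_time(ev["eventTime"]), ev["action"]))
    alerts = []
    for initiator_id, items in by_initiator.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts.append((initiator_id, count, items[start][1], items[end][1]))
                break  # one alert per initiator is enough for triage
    return alerts


# Constructed sample events (minimal subset of the fields on this page).
SAMPLE_EVENTS = [
    {"action": "iam-am.policy.create", "correlationId": "c-1", "outcome": "success",
     "eventTime": "2017-10-19T19:07:50.32+0000", "severity": "normal",
     "initiator": {"id": "IBMid-alice", "credential": {"type": "token"}},
     "reason": {"reasonCode": 201}},
    {"action": "kms.secrets.read", "correlationId": "c-2", "outcome": "failure",
     "eventTime": "2017-10-19T19:08:01.00+0000", "severity": "critical",
     "initiator": {"id": "ServiceId-bot", "credential": {"type": "apikey"}},
     "reason": {"reasonCode": 403, "reasonType": "Forbidden"}},
    {"action": "kms.secrets.read", "correlationId": "c-3", "outcome": "failure",
     "eventTime": "2017-10-19T19:08:40.10+0000", "severity": "critical",
     "initiator": {"id": "ServiceId-bot", "credential": {"type": "apikey"}},
     "reason": {"reasonCode": 403, "reasonType": "Forbidden"}},
    {"action": "kms.secrets.delete", "correlationId": "c-4", "outcome": "failure",
     "eventTime": "2017-10-19T19:09:12.55+0000", "severity": "warning",  # deliberately mislabelled
     "initiator": {"id": "ServiceId-bot", "credential": {"type": "apikey"}},
     "reason": {"reasonCode": 403, "reasonType": "Forbidden"}},
    {"action": "kms.secrets.read", "correlationId": "c-5", "outcome": "failure",
     "eventTime": "2017-10-19T21:00:00.00+0000", "severity": "critical",
     "initiator": {"id": "IBMid-alice", "credential": {"type": "token"}},
     "reason": {"reasonCode": 403, "reasonType": "Forbidden"}},
]

if __name__ == "__main__":
    print("severity mismatches:", severity_mismatches(SAMPLE_EVENTS))
    print("repeated authz failures:", repeated_authz_failures(SAMPLE_EVENTS))
```

A real feed would come from the Activity Tracker event search or an exported archive; only the fields named on this page are read, so any extra fields in real events are ignored. Grouping on initiator.id rather than initiator.name is deliberate: the ID is the stable identity, while the name is only the human-readable label that corresponds to it.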
Target fields
Target fields provide information about the resource that is accessed, created, updated, or deleted by the initiator's action in your account.
The following table lists common target fields that are available for each event:
Field Name | Description | Value |
---|---|---|
target.id | Cloud Resource Name (CRN) of the resource on which the action is executed. | For example, crn:v1:bluemix:public:cloud-object-storage:global:a/12345678e6232019c6567c9123456789:fr56et47-befb-440a-a223c-12345678dae1:bucket:bucket1 |
target.name | Human-readable name of the resource on which the action is executed. | |
target.typeURI | Type of the cloud resource on which the action is executed. | For example, iam-am/policy or cloud-object-storage/bucket/acl |
target.host.address | IP address or URL of the target service. | |
target.id (string)
This field indicates the IBM Cloud resource on which the action is executed.
The format of this field is a CRN. For more information, see CRN format.
target.name (string)
This field indicates the human readable name of the IBM Cloud resource on which the action is executed.
Make sure that the name of resources does not include sensitive or PII data.
target.alias (string)
Set this value to the alias of the cloud resource that is used in the request and on which the action is executed.
This field is optional.
target.typeURI (string)
This field indicates the type of the target of the event.
This field does not include action information.
The format of this field is:
serviceName/objectType/attribute
Where
- serviceName is the name of the service.
- objectType is the resource on which the action is run.
- attribute, when present, is the resource attribute that the action addresses (for example, acl in cloud-object-storage/bucket/acl).
For example:
action | target.typeURI |
---|---|
cloudcerts.certificate.import | cloudcerts/certificate |
container-registry.namespace.create | container-registry/namespace |
kms.secrets.read | kms/secrets |
cloud-object-storage.instance.create | cloud-object-storage/instance |
cloud-object-storage.object-multipart.create | cloud-object-storage/object/multipart |
target.resourceGroupId (string)
This field is set to the resource group CRN that is associated with the resource on which the action is requested.
This field only applies to events that are generated by services whose resources are associated with a resource group. For example, services that are global and cannot be provisioned within the context of a resource group do not include this field.
target.host.address (string)
This field defines the IP Address or URL of the target service.
This field is optional.
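The following Python script is an added example, not part of the IBM Cloud documentation. It splits a target.id CRN into the ten colon-separated segments of the IBM Cloud CRN format (crn:version:cname:ctype:service-name:location:scope:service-instance:resource-type:resource), reads the account ID from an a/<account-id> scope, and lists events whose target belongs to a different account than the one being audited. The first CRN is the page's own example; the expected account ID, the other two sample events and the treatment of the trailing resource segment are assumptions of this example.

```python
"""Parse target.id CRNs and scope-check them against the account being audited.

Added example, not code from the IBM Cloud documentation. It splits a CRN
into the ten colon-separated segments of the IBM Cloud CRN format
(crn:version:cname:ctype:service-name:location:scope:service-instance:
resource-type:resource), pulls the account ID out of an `a/<id>` scope, and
flags events whose target belongs to a different account than expected.
The expected account ID and the sample events are constructed for this
example.
"""
from typing import Optional

CRN_FIELDS = ("prefix", "version", "cname", "ctype", "service_name",
              "location", "scope", "service_instance", "resource_type",
              "resource")


def parse_crn(crn: str) -> dict:
    """Split a CRN into named segments. Empty segments are kept as '' because
    a CRN omits what does not apply (for example a global service has no
    resource-type/resource)."""
    # Assumption of this example: the trailing resource segment may itself
    # contain ':' (object keys, for instance), so only the first nine colons
    # are treated as delimiters.
    parts = crn.split(":", 9)
    if len(parts) != 10 or parts[0] != "crn":
        raise ValueError(f"not a CRN: {crn!r}")
    return dict(zip(CRN_FIELDS, parts))


def account_of(crn: str) -> Optional[str]:
    """Account ID from an 'a/<account-id>' scope, else None (other scopes such
    as 'o/<org>' or 's/<space>' are left alone)."""
    scope = parse_crn(crn)["scope"]
    return scope[2:] if scope.startswith("a/") else None


def foreign_targets(events: list, expected_account: str) -> list:
    """Events whose target.id CRN resolves to another account, or to no
    account at all. Returns (correlationId, action, account or None).

    Cross-account writes by an identity in your account are exactly the kind
    of thing a target.id check surfaces that the initiator fields alone do not.
    """
    hits = []
    for ev in events:
        target_id = ev.get("target", {}).get("id", "")
        try:
            acct = account_of(target_id)
        except ValueError:
            acct = None
        if acct != expected_account:
            hits.append((ev.get("correlationId"), ev.get("action"), acct))
    return hits


# The page's own example CRN.
EXAMPLE_CRN = ("crn:v1:bluemix:public:cloud-object-storage:global:"
               "a/12345678e6232019c6567c9123456789:"
               "fr56et47-befb-440a-a223c-12345678dae1:bucket:bucket1")

# Constructed sample events; only the fields this check needs are present.
SAMPLE_EVENTS = [
    {"correlationId": "c-1", "action": "cloud-object-storage.bucket.create",
     "target": {"id": EXAMPLE_CRN, "typeURI": "cloud-object-storage/bucket"}},
    {"correlationId": "c-2", "action": "kms.secrets.read",
     "target": {"id": "crn:v1:bluemix:public:kms:us-south:a/ffffffffffffffffffffffffffffffff:"
                      "0f0f0f0f-1111-2222-3333-444444444444:key:k1"}},
    {"correlationId": "c-3", "action": "iam-am.policy.create",
     "target": {"id": "not-a-crn"}},
]

if __name__ == "__main__":
    print(parse_crn(EXAMPLE_CRN))
    print(foreign_targets(SAMPLE_EVENTS, "12345678e6232019c6567c9123456789"))
```

An event with an unparseable or account-less target.id is reported alongside genuinely foreign targets on purpose: in an audit pipeline, a target you cannot attribute is a finding, not something to drop silently.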
Labels and line identifiers
Labels and line identifiers provide information about the service that is generating the event.
These are only used for events sent to IBM Cloud Activity Tracker hosted event search.
The following table outlines common labels and line identifiers that you can find in events:
Area | Label | Description | Event field name that you can use to search |
---|---|---|---|
IBM | platform-service | Service that generates the event | _platform |
Line identifier | Source | Service that generates the event | host |
Line identifier | Env | Environment: production | env |
Line identifier | App | CRN of the service instance in your account | app |