Activity tracking events for Secrets Manager
IBM Cloud services, such as IBM Cloud® Secrets Manager, generate activity tracking events.
Audit devices that you can enable with Vault, such as the syslog audit device, are not supported by Secrets Manager.
Activity tracking events report on activities that change the state of a service in IBM Cloud. You can use the events to investigate abnormal activity and critical actions and to comply with regulatory audit requirements.
You can use IBM Cloud Logs, a platform service, to route auditing events in your account to destinations of your choice by configuring targets and routes that define where activity tracking events are sent. For more information, see About IBM Cloud Logs.
You can use IBM Cloud Logs to visualize and alert on events that are generated in your account and routed to an IBM Cloud Logs instance.
Locations where activity tracking events are generated
Secrets Manager sends activity tracking events to IBM Cloud Logs in the regions that are indicated in the following table.
Dallas (us-south) |
Washington (us-east) |
Toronto (ca-tor) |
Sao Paulo (br-sao) |
|---|---|---|---|
| Yes | Yes | Yes | Yes |
Tokyo (jp-tok) |
Sydney (au-syd) |
Osaka (jp-osa) |
Chennai (in-che) |
|---|---|---|---|
| Yes | Yes | Yes | No |
Frankfurt (eu-de) |
London (eu-gb) |
Madrid (eu-es) |
|---|---|---|
| Yes | Yes | Yes |
Viewing activity tracking events for Secrets Manager
You can use IBM Cloud Logs to visualize and alert on events that are generated in your account and routed to an IBM Cloud Logs instance.
Launching IBM Cloud Logs from the Observability page
For information on launching the IBM Cloud Logs UI, see Launching the UI in the IBM Cloud Logs documentation.
Analyzing events
Successful events that are generated by an instance of the Secrets Manager service contain various fields that can help you to identify the initiator, the target resource, and the outcome of each completed action in your instance.
Due to the sensitivity of secrets, when an event is generated as a result of an API call to the Secrets Manager service, the generated event does not include the actual contents of a secret. Sensitive data, such as an API key or password, is replaced with identifying information about the secret only, or it is omitted from generated events altogether.
You can create views and alerts from all of your Secrets Manager instances, or from a specific instance.
To target a specific instance, replace host:secrets-manager with app:{INSTANCE_CRN}.
Query for finding all create secret actions:
Run the following query to find all create secret actions.
host:secrets-manager action:secrets-manager.secret.create
The action value can be replaced with any other applicable action.
Query for finding unauthorized access attempts
To see unauthorized access attempts, run the following query.
host:secrets-manager reason.reasonType:Unauthorized
Understanding generated events
The following events are generated for each category.
Events for secrets
The following table lists the secret actions that generate an event.
| Action | Description |
|---|---|
secrets-manager.secret.create |
Create a secret. |
secrets-manager.secrets.list |
List secrets. |
secrets-manager.secret.read |
Get a secret. |
secrets-manager.secret.delete |
Delete a secret. |
secrets-manager.secret-metadata.read |
View the metadata of a secret. |
secrets-manager.secret-metadata.update |
Update the metadata of a secret. |
secrets-manager.secret-action.create |
Create a secret action |
secrets-manager.secret-versions.list |
List versions of a secret |
secrets-manager.secret-version.create |
Create a new secret version |
secrets-manager.secret-version.read |
Get a secret version |
secrets-manager.secret-version-metadata.update |
Update the metadata of a secret version |
secrets-manager.secret-version-metadata.read |
Get the metadata of a secret version |
secrets-manager.secret-version-data.delete |
Delete the data of a secret version |
secrets-manager.secret-version-action.create |
Create a version action |
Events for secret groups
The following table lists the secret group actions that generate an event.
| Action | Description |
|---|---|
secrets-manager.secret-group.create |
Create a secret group. |
secrets-manager.secret-groups.list |
List secret groups. |
secrets-manager.secret-group.read |
View the details of a secret group. |
secrets-manager.secret-group.update |
Update a secret group. |
secrets-manager.secret-group.delete |
Delete a secret group. |
Events for secret locks
The following table lists the secret lock actions that generate an event.
| Action | Description |
|---|---|
secrets-manager.secret-locks.create |
Create a secret lock. |
secrets-manager.secret-locks.list |
List secrets and their locks |
secrets-manager.secret-locks.delete |
Delete a secret lock. |
secrets-manager.secrets-locks.list |
List secret locks. |
secrets-manager.secret-version-locks.create |
Create secret version locks. |
secrets-manager.secret-version-locks.list |
List secret version locks. |
secrets-manager.secret-version-locks.delete |
Delete secret version locks. |
Events for instance operations
The following table lists the instance operation actions that generate an event.
| Action | Description |
|---|---|
secrets-manager.instance.login |
Log in to Vault. |
secrets-manager.configuration.create |
Create a new configuration. |
secrets-manager.configuration-action.create |
Create a new configuration action. |
secrets-manager.configurations.list |
List configurations. |
secrets-manager.configuration.read |
View the details of a configuration. |
secrets-manager.configuration.update |
Update a configuration. |
secrets-manager.configuration.delete |
Delete a configuration. |
secrets-manager.endpoints.view |
Get service instance endpoints. |
secrets-manager.notifications-registration.create |
Create a registration with Event Notifications. |
secrets-manager.notifications-registration.read |
Get Event Notifications registration details. |
secrets-manager.notifications-registration.delete |
Delete an Event Notifications registration. |
secrets-manager.notifications-registration.test |
Send a test event. |