Activity tracking events for Secrets Manager

IBM Cloud services, such as IBM Cloud® Secrets Manager, generate activity tracking events.

Audit devices that you can enable with Vault, such as the syslog audit device, are not supported by Secrets Manager.

Activity tracking events report on activities that change the state of a service in IBM Cloud. You can use the events to investigate abnormal activity and critical actions and to comply with regulatory audit requirements.

You can use IBM Cloud Logs, a platform service, to route auditing events in your account to destinations of your choice by configuring targets and routes that define where activity tracking events are sent. For more information, see About IBM Cloud Logs.

You can use IBM Cloud Logs to visualize and alert on events that are generated in your account and routed to an IBM Cloud Logs instance.

Locations where activity tracking events are generated

Secrets Manager sends activity tracking events to IBM Cloud Logs in the regions that are indicated in the following table.

Regions where activity tracking events are sent in Americas locations

Region                 Events sent
Dallas (us-south)      Yes
Washington (us-east)   Yes
Toronto (ca-tor)       Yes
Sao Paulo (br-sao)     Yes

Regions where activity tracking events are sent in Asia Pacific locations

Region                 Events sent
Tokyo (jp-tok)         Yes
Sydney (au-syd)        Yes
Osaka (jp-osa)         Yes
Chennai (in-che)       No

Regions where activity tracking events are sent in Europe locations

Region                 Events sent
Frankfurt (eu-de)      Yes
London (eu-gb)         Yes
Madrid (eu-es)         Yes

Viewing activity tracking events for Secrets Manager

You can use IBM Cloud Logs to visualize and alert on events that are generated in your account and routed to an IBM Cloud Logs instance.

Launching IBM Cloud Logs from the Observability page

For information on launching the IBM Cloud Logs UI, see Launching the UI in the IBM Cloud Logs documentation.

Analyzing events

Successful events that are generated by an instance of the Secrets Manager service contain various fields that can help you to identify the initiator, the target resource, and the outcome of each completed action in your instance.

Due to the sensitivity of secrets, when an event is generated as a result of an API call to the Secrets Manager service, the generated event does not include the actual contents of a secret. Sensitive data, such as an API key or password, is replaced with identifying information about the secret only, or it is omitted from generated events altogether.

You can create views and alerts from all of your Secrets Manager instances, or from a specific instance. To target a specific instance, replace host:secrets-manager with app:{INSTANCE_CRN}.

Query for finding all create secret actions

Run the following query to find all create secret actions.

host:secrets-manager action:secrets-manager.secret.create

The action value can be replaced with any other applicable action.

Query for finding unauthorized access attempts

To see unauthorized access attempts, run the following query.

host:secrets-manager reason.reasonType:Unauthorized
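The two queries above, and the host-to-app substitution that scopes them to one instance, can be exercised offline against a handful of events before they are turned into views or alerts. The following is an added example written for this page, not IBM Cloud Logs code or Secrets Manager output: the sample events are constructed, their field layout (top-level host and app metadata, plus action, outcome, initiator, target and reason.reasonType) is an assumption modelled on the fields the queries reference, and the CRNs are placeholders. The matcher treats a query as space-separated key:value terms that are ANDed together, which is the only semantics the page's two queries rely on.

```python
"""Local matcher for the Secrets Manager activity tracking queries shown on this page.

All events below are constructed for illustration; the field layout is an
assumption, not the documented schema.
"""
from typing import Any

# Placeholder CRNs for two imaginary instances (not real resources).
INSTANCE_A = "crn:v1:bluemix:public:secrets-manager:us-south:a/ACCOUNT_ID:INSTANCE_A::"
INSTANCE_B = "crn:v1:bluemix:public:secrets-manager:eu-de:a/ACCOUNT_ID:INSTANCE_B::"

# Constructed sample events. `host` and `app` stand in for the metadata
# fields the page's queries use; the other fields follow the usual
# activity tracking event shape (assumption). No secret data is present,
# matching the page's note that event payloads never carry secret contents.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"host": "secrets-manager", "app": INSTANCE_A,
     "action": "secrets-manager.secret.create", "outcome": "success",
     "initiator": {"id": "IBMid-ALICE"}, "target": {"id": "secret-1"},
     "reason": {"reasonCode": 201, "reasonType": "Created"}},
    {"host": "secrets-manager", "app": INSTANCE_B,
     "action": "secrets-manager.secret.create", "outcome": "success",
     "initiator": {"id": "iam-ServiceId-DEPLOY"}, "target": {"id": "secret-9"},
     "reason": {"reasonCode": 201, "reasonType": "Created"}},
    {"host": "secrets-manager", "app": INSTANCE_A,
     "action": "secrets-manager.secret.read", "outcome": "failure",
     "initiator": {"id": "IBMid-MALLORY"}, "target": {"id": "secret-1"},
     "reason": {"reasonCode": 401, "reasonType": "Unauthorized"}},
    {"host": "secrets-manager", "app": INSTANCE_A,
     "action": "secrets-manager.secrets.list", "outcome": "success",
     "initiator": {"id": "IBMid-ALICE"}, "target": {"id": INSTANCE_A},
     "reason": {"reasonCode": 200, "reasonType": "OK"}},
]


def lookup(event: dict[str, Any], path: str) -> Any:
    """Resolve a dotted field path such as `reason.reasonType`; None if absent."""
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def parse_query(query: str) -> list[tuple[str, str]]:
    """Split `key:value key:value ...` into (path, value) pairs.

    Only the first colon separates key from value, so a CRN value
    (which contains colons) is kept intact.
    """
    terms: list[tuple[str, str]] = []
    for token in query.split():
        key, sep, value = token.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed query term: {token!r}")
        terms.append((key, value))
    return terms


def run_query(events: list[dict[str, Any]], query: str) -> list[dict[str, Any]]:
    """Return the events for which every term matches (terms are ANDed)."""
    terms = parse_query(query)
    return [e for e in events if all(str(lookup(e, k)) == v for k, v in terms)]


def scope_to_instance(query: str, instance_crn: str) -> str:
    """Apply the page's substitution: host:secrets-manager -> app:{INSTANCE_CRN}."""
    return query.replace("host:secrets-manager", f"app:{instance_crn}")


def count_by_initiator(events: list[dict[str, Any]]) -> dict[str, int]:
    """Tally matched events per initiator, a typical grouping before alerting."""
    counts: dict[str, int] = {}
    for e in events:
        who = lookup(e, "initiator.id") or "unknown"
        counts[who] = counts.get(who, 0) + 1
    return counts


if __name__ == "__main__":
    create_q = "host:secrets-manager action:secrets-manager.secret.create"
    print("create actions:", len(run_query(SAMPLE_EVENTS, create_q)))
    denied = run_query(SAMPLE_EVENTS, "host:secrets-manager reason.reasonType:Unauthorized")
    print("unauthorized attempts by initiator:", count_by_initiator(denied))
    scoped = scope_to_instance(create_q, INSTANCE_A)
    print("scoped query:", scoped, "->", len(run_query(SAMPLE_EVENTS, scoped)))
```

Running the module prints two create actions across both instances, one unauthorized attempt attributed to IBMid-MALLORY, and a single create action once the query is scoped to INSTANCE_A. The partition on the first colon is the detail that matters: a naive split on ":" would break the app:{INSTANCE_CRN} form.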

Understanding generated events

The following events are generated for each category.

Events for secrets

The following table lists the secret actions that generate an event.

List of secret events

Action                                              Description
secrets-manager.secret.create                       Create a secret.
secrets-manager.secrets.list                        List secrets.
secrets-manager.secret.read                         Get a secret.
secrets-manager.secret.delete                       Delete a secret.
secrets-manager.secret-metadata.read                View the metadata of a secret.
secrets-manager.secret-metadata.update              Update the metadata of a secret.
secrets-manager.secret-action.create                Create a secret action.
secrets-manager.secret-versions.list                List versions of a secret.
secrets-manager.secret-version.create               Create a new secret version.
secrets-manager.secret-version.read                 Get a secret version.
secrets-manager.secret-version-metadata.update      Update the metadata of a secret version.
secrets-manager.secret-version-metadata.read        Get the metadata of a secret version.
secrets-manager.secret-version-data.delete          Delete the data of a secret version.
secrets-manager.secret-version-action.create        Create a version action.

Events for secret groups

The following table lists the secret group actions that generate an event.

List of secret group events

Action                                              Description
secrets-manager.secret-group.create                 Create a secret group.
secrets-manager.secret-groups.list                  List secret groups.
secrets-manager.secret-group.read                   View the details of a secret group.
secrets-manager.secret-group.update                 Update a secret group.
secrets-manager.secret-group.delete                 Delete a secret group.

Events for secret locks

The following table lists the secret lock actions that generate an event.

List of secret lock events

Action                                              Description
secrets-manager.secret-locks.create                 Create a secret lock.
secrets-manager.secret-locks.list                   List secrets and their locks.
secrets-manager.secret-locks.delete                 Delete a secret lock.
secrets-manager.secrets-locks.list                  List secret locks.
secrets-manager.secret-version-locks.create         Create secret version locks.
secrets-manager.secret-version-locks.list           List secret version locks.
secrets-manager.secret-version-locks.delete         Delete secret version locks.

Events for instance operations

The following table lists the instance operation actions that generate an event.

List of instance operation events

Action                                              Description
secrets-manager.instance.login                      Log in to Vault.
secrets-manager.configuration.create                Create a new configuration.
secrets-manager.configuration-action.create         Create a new configuration action.
secrets-manager.configurations.list                 List configurations.
secrets-manager.configuration.read                  View the details of a configuration.
secrets-manager.configuration.update                Update a configuration.
secrets-manager.configuration.delete                Delete a configuration.
secrets-manager.endpoints.view                      Get service instance endpoints.
secrets-manager.notifications-registration.create   Create a registration with Event Notifications.
secrets-manager.notifications-registration.read     Get Event Notifications registration details.
secrets-manager.notifications-registration.delete   Delete an Event Notifications registration.
secrets-manager.notifications-registration.test     Send a test event.