Auditing events

As a security officer, auditor, or manager, you can use the Activity Tracker service to track how users and applications interact with the IBM Cloud® Security and Compliance Center Workload Protection service in IBM Cloud®.

Activity Tracker Event Routing records user-initiated activities that change the state of a service in IBM Cloud. You can use this service to investigate abnormal activity and critical actions and to comply with regulatory audit requirements. In addition, you can be alerted about actions as they happen. The events that are collected comply with the Cloud Auditing Data Federation (CADF) standard. For more information, see the getting started tutorial for Activity Tracker Event Routing.

IBM Cloud Security and Compliance Center Workload Protection automatically generates events so that you can track activity on your service instance.

Captures: List of management events

Captures: List of activity tracker actions
| Action | Description |
|---|---|
| sysdig-secure.capture.create | An event is created when you create a capture |
| sysdig-secure.capture.read | An event is created when you access a capture |
| sysdig-secure.capture.list | An event is created when you list captures |
| sysdig-secure.capture.update | An event is created when you update a capture |
| sysdig-secure.capture.delete | An event is created when you delete a capture |

Teams: List of management events

Teams: List of activity tracker actions
| Action | Description |
|---|---|
| sysdig-secure.team.create | An event is created when you create a team |
| sysdig-secure.team.read | An event is created when you view a team definition |
| sysdig-secure.team.list | An event is created when you list the defined teams |
| sysdig-secure.team.update | An event is created when you update a team definition |
| sysdig-secure.team.delete | An event is created when you delete a team |

AccessKey: List of management events

AccessKey: List of activity tracker actions
| Action | Description |
|---|---|
| sysdig-secure.accessKey.create | An event is created when you create an access key |
| sysdig-secure.accessKey.list | An event is created when you view the access key |
| sysdig-secure.accessKey.delete | An event is created when you delete an access key |
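
The following Python code is an added example, not part of the IBM documentation. It triages exported events against the action names in the tables above: state-changing actions are grouped by initiator, and any action that is not in the tables is reported separately. The input layout (one JSON object per line with the CADF fields action, initiator.name, outcome, and eventTime), the function names, and the sample events are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Action catalogue copied from the tables on this page.
KNOWN_ACTIONS = {
    "capture": {"create", "read", "list", "update", "delete"},
    "team": {"create", "read", "list", "update", "delete"},
    "accessKey": {"create", "list", "delete"},
}
STATE_CHANGING = {"create", "update", "delete"}

# Constructed sample events. The one-object-per-line JSON layout is an
# assumption about how the events were exported, not a documented format.
SAMPLE_EVENTS = """\
{"eventTime": "2024-05-01T10:00:00Z", "action": "sysdig-secure.capture.list", "outcome": "success", "initiator": {"name": "alice@example.com"}}
{"eventTime": "2024-05-01T10:05:00Z", "action": "sysdig-secure.accessKey.delete", "outcome": "success", "initiator": {"name": "bob@example.com"}}
{"eventTime": "2024-05-01T10:06:00Z", "action": "sysdig-secure.accessKey.create", "outcome": "success", "initiator": {"name": "bob@example.com"}}
{"eventTime": "2024-05-01T10:07:00Z", "action": "sysdig-secure.team.update", "outcome": "failure", "initiator": {"name": "alice@example.com"}}
{"eventTime": "2024-05-01T10:08:00Z", "action": "sysdig-secure.accessKey.update", "outcome": "success", "initiator": {"name": "bob@example.com"}}
"""

def classify(action):
    """Split 'sysdig-secure.<resource>.<verb>'; return (resource, verb) or None."""
    parts = action.split(".")
    if len(parts) != 3 or parts[0] != "sysdig-secure":
        return None
    resource, verb = parts[1], parts[2]
    if verb not in KNOWN_ACTIONS.get(resource, ()):
        return None  # not one of the actions listed on this page
    return resource, verb

def triage(lines):
    """Return (state changes grouped by initiator, actions not in the catalogue)."""
    changes, unknown = defaultdict(list), []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        action = event.get("action", "")
        parsed = classify(action)
        if parsed is None:
            unknown.append(action)
        elif parsed[1] in STATE_CHANGING:
            who = event.get("initiator", {}).get("name", "unknown")
            changes[who].append((event.get("eventTime"), action, event.get("outcome")))
    return dict(changes), unknown

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Read-only actions (read, list) are parsed but not reported; failed state-changing attempts are kept with their outcome so that they can be reviewed alongside successful ones.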

Where to view the events

The following table lists the IBM Cloud® locations and the Activity Tracker Event Routing instance location where you can find events:

Corresponding Activity Tracker instance and IBM Cloud Security and Compliance Center Workload Protection location.
| Instance location | Location of events |
|---|---|
| Dallas (us-south) | Dallas (us-south) |
| Washington (us-east) | Washington (us-east) |
| Toronto (ca-tor) | Toronto (ca-tor) |
| Sao Paulo (br-sao) | Sao Paulo (br-sao) |
| Tokyo (jp-tok) | Tokyo (jp-tok) |
| Osaka (jp-osa) | Osaka (jp-osa) |
| Sydney (au-syd) | Sydney (au-syd) |
| Frankfurt (eu-de) | Frankfurt (eu-de) |
| London (eu-gb) | London (eu-gb) |