This repository has been archived by the owner on Oct 14, 2019. It is now read-only.

at_event.md

copyright years: 2016, 2019
lastupdated: 2019-05-01
keywords: IBM Cloud, Activity Tracker, event fields
subcollection: cloud-activity-tracker

{:new_window: target="_blank"} {:shortdesc: .shortdesc} {:screen: .screen} {:pre: .pre} {:table: .aria-labeledby="caption"} {:codeblock: .codeblock} {:tip: .tip} {:download: .download} {:important: .important} {:note: .note} {:deprecated: .deprecated}

Event fields

{: #at_event}

{{site.data.keyword.cloudaccesstrailshort}} events are based on the Cloud Auditing Data Federation (CADF) standard. {:shortdesc}

{{site.data.keyword.cloudaccesstrailfull}} is deprecated. As of 9 May 2019, you cannot provision new {{site.data.keyword.cloudaccesstrailshort}} instances. Existing premium plan instances are supported until 9 October 2019. To continue monitoring the activity of your {{site.data.keyword.cloud_notm}} account, provision an instance of the {{site.data.keyword.at_full}}. {: deprecated}

Initiator fields

{: #initiator}

The following table lists common fields that are available for an {{site.data.keyword.cloudaccesstrailshort}} event:

| Field Name | Description | Value |
|------------|-------------|-------|
| initiator.id | ID of the initiator of the action. | Valid types of initiators are IBMID, serviceID, and Cloud Foundry (CF) user ID.<br>Example of an IBMID is IBMid-000000XXX2<br>Example of a service ID is iam-ServiceId-12345678-0165-4c89-847d-9660b1632e14<br>Example of a CF user ID is 7666666b-23ae-4a34-8569-cu75tgdr4da3 |
| initiator.name | Username of the user that initiated the action. | For example, an email address. |
| initiator.typeURI | Type of the source of the event. | Valid values are service/security/account/user, service/security/clientid, and service/security/account/serviceid. |
| initiator.credential.type | Type of initiator ID credential. | Valid values are user, token, and apikey. |
{: caption="Table 1. Common initiator fields" caption-side="top"}

Target fields

{: #target}

The following table lists common target fields that are available for an {{site.data.keyword.cloudaccesstrailshort}} event:

| Field Name | Description | Value |
|------------|-------------|-------|
| target.id | Cloud Resource Name (CRN) of the resource on which the action is executed. | For more information, see CRN format.<br>For example, crn:v1:bluemix:public:cloud-object-storage:global:a/12345678e6232019c6567c9123456789:fr56et47-befb-440a-a223c-12345678dae1:bucket:bucket1 |
| target.name | Human-readable name of the cloud resource on which the action is executed. | |
| target.typeURI | Type of the cloud resource on which the action is executed. | The format of this field is serviceName/objectType where serviceName is the name of the service.<br>For example, iam-am/policy or cloud-object-storage/bucket/acl |
{: caption="Table 2. Common target fields" caption-side="top"}

Action fields

{: #action}

The following table lists common action fields that are available for an {{site.data.keyword.cloudaccesstrailshort}} event:

| Field Name | Description | Value |
|------------|-------------|-------|
| action | Action that triggers the event. | The format of this field is serviceName.objectType.action where serviceName is the name of the service.<br>For more information about action values for events that are generated by a service, see Cloud services.<br>For example, iam-identity.serviceid-apikey.login |
| eventTime | Indicates the timestamp when the event was created. | The date is represented as Coordinated Universal Time (UTC).<br>The format complies with ISO 8601.<br>For example, 2017-10-19T19:07:50.32+0000 |
{: caption="Table 3. Common action fields" caption-side="top"}

Outcome fields

{: #outcomes}

The following table lists common outcome fields that are available for an {{site.data.keyword.cloudaccesstrailshort}} event:

| Field Name | Description | Value |
|------------|-------------|-------|
| outcome | Result of the action. | Valid values are success, failure, and pending. |
| reason.reasonCode | Numeric field that includes the HTTP response code. | For example, 200 for a successful outcome. |
| severity | Defines the level of threat an action may have on the Cloud. | Valid values are normal, warning, and critical.<br><br>Normal is set for routine actions in the Cloud. For example, starting an instance, or refreshing a token.<br><br>Warning is set for actions where a Cloud resource is updated or its metadata is modified. For example, updating the version of a worker node, renaming a certificate, or renaming a service instance.<br><br>Critical is set for actions that affect security in the Cloud. For example, changing credentials of a user, deleting data, or unauthorized access to work with a Cloud resource. |
{: caption="Table 4. Common outcome fields" caption-side="top"}
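
The following is an added example, not part of the original documentation or IBM's code: it checks an event against the valid values listed in the four tables and flags the events a reviewer would look at first. It assumes events arrive as JSON-style objects whose nesting mirrors the dotted field names; the `field` and `triage` helpers and the alert rule are hypothetical.

```python
from datetime import datetime, timezone

VALID = {  # valid values as listed in the tables above
    "outcome": {"success", "failure", "pending"},
    "severity": {"normal", "warning", "critical"},
    "initiator.typeURI": {"service/security/account/user", "service/security/clientid",
                          "service/security/account/serviceid"},
    "initiator.credential.type": {"user", "token", "apikey"},
}

def field(event, dotted):
    """Resolve a dotted field name such as 'initiator.credential.type'."""
    node = event
    for key in dotted.split("."):
        node = node.get(key) if isinstance(node, dict) else None
    return node

def triage(event):
    """Check one event against the documented values and decide whether to alert."""
    problems = [name for name, ok in VALID.items() if field(event, name) not in ok]
    try:  # documented form: 2017-10-19T19:07:50.32+0000
        when = datetime.strptime(str(field(event, "eventTime")),
                                 "%Y-%m-%dT%H:%M:%S.%f%z").astimezone(timezone.utc)
    except ValueError:
        when = None
        problems.append("eventTime")
    parts = str(field(event, "action")).split(".")  # serviceName.objectType.action
    if len(parts) < 3:
        problems.append("action")
    # Alert rule chosen for this example: critical severity, or a failed
    # action whose HTTP reason code is 401 or 403.
    denied = (field(event, "outcome") == "failure"
              and field(event, "reason.reasonCode") in (401, 403))
    return {"when": when, "service": parts[0], "who": field(event, "initiator.id"),
            "problems": problems,
            "alert": field(event, "severity") == "critical" or denied}

SAMPLE = [  # constructed events; the first reuses example values from the tables
    {"initiator": {"id": "iam-ServiceId-12345678-0165-4c89-847d-9660b1632e14",
                   "typeURI": "service/security/account/serviceid",
                   "credential": {"type": "apikey"}},
     "action": "iam-identity.serviceid-apikey.login",
     "eventTime": "2017-10-19T19:07:50.32+0000",
     "outcome": "failure", "reason": {"reasonCode": 403}, "severity": "critical"},
    {"initiator": {"id": "IBMid-000000XXX2", "typeURI": "user",
                   "credential": {"type": "token"}},
     "action": "login", "eventTime": "yesterday",
     "outcome": "success", "reason": {"reasonCode": 200}, "severity": "normal"},
]
RESULTS = [triage(e) for e in SAMPLE]
```

The second sample event is deliberately malformed, so its `problems` list names the fields that do not match the documented values or formats.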