With Event Routing, you can configure and route your Activity Tracker event data to multiple locations within the IBM Cloud Activity Tracker service.
IBM Cloud Activity Tracker is expanding your ability to configure and route activity event data to alternate locations. Audit events are critical data for security operations and a key element for meeting compliance requirements. Control over the handling of these events and their storage location is critical to building enterprise-grade solutions on the IBM Cloud.
Effective immediately, you can configure and route your Activity Tracker event data to multiple locations within the IBM Cloud Activity Tracker service. Routing includes the ability to redirect or forward both global and location-based event data from one region to an Activity Tracker hosted search or IBM Cloud Object Storage (COS) bucket in an alternate region. This enables you to do the following:
- Consolidate Activity Tracker data to the region of your primary operations
- Route to one or multiple locations
- Improve your data residency compliance posture, keeping data at rest within certain regions
- Feed a data lake for analytics
- Forward your activity event data to IBM COS for IBM Cloud for Financial Services compliance
This new ability is available within the IBM Cloud Activity Tracker Event Routing feature. The feature is supported in the Dallas, Washington DC, Frankfurt, London and Sydney regions. The Event Routing feature is also enhanced to support service-to-service authorization, helping to simplify IP allow list security configurations when sending data to a COS bucket.
Consolidate your activity event data
Activity Tracker data originates within the regions of each IBM Cloud account where you use IBM Cloud. Location-based events default to the region in which they originate, optimized for data residency. Global events may cover multiple regions and default to Frankfurt, optimized for GDPR compliance. These default approaches are not practical in some operations environments because they result in data needing to be managed through multiple Activity Tracker instances.
The new Event Routing feature enables you to consolidate your event data to a single Activity Tracker instance within your account or to consolidate multiple locations of activity event data into a common Activity Tracker instance within an account. The account may also be an enterprise account consolidating event data from multiple accounts.
In this example, location-based and global events from Account A and Account B are routed to a common Activity Tracker-hosted event search instance. Events aggregated to the common instance can be searched and alerted on together within a single instance. Consolidated data may also be shared with a SIEM or data lake locations.
Route to multiple locations
The new routing feature also supports sending data to multiple locations at the same time. An example is a global company running on IBM Cloud with multiple applications running across multiple accounts. Each account maintains its own operations. The company also needs an additional copy of activity event data required for corporate-level management and compliance.
Routing data to target instances can be defined for one or more locations. Routing data to targets is accomplished through a set of defined routes. Routes may have multiple rules assigned, and multiple routes can be configured per account. Routes can be coordinated across accounts to build enterprise-grade solutions.
Whether you use IBM Cloud as a single account or as an enterprise with multiple child accounts, the IBM Cloud Activity Tracker Event Routing features provide the ability to control the target location of the data.
Improve your data residency posture
The Activity Tracker Event Routing feature helps improve your data residency compliance posture if data needs to be kept within a designated region or country. Global event data generated in IBM Cloud can be routed to land in the region of your choice.
For example, a technology company has a compliance requirement to keep all related activity events in-country, including global events. Routes can be configured to redirect global events to a desired target within a location. Routes may also be configured to redirect location-based events from regions where event routing is supported.
The new Event Routing features also help you maintain control over how your data and route metadata are managed. Your account can be configured to only use private endpoints. Routing metadata can be stored in designated regions.
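A residency check over a route configuration, as an added example that is not IBM's code and does not use the Event Routing API schema. The dictionary layout and all names are assumptions for illustration, and the fallbacks for unrouted events follow the defaults described earlier in this article.

```python
# Added example: simplified model of routes, rules and targets.
# Field names are hypothetical, not the Event Routing API schema.
GLOBAL = "global"
DEFAULT_GLOBAL_REGION = "Frankfurt"  # article: global events default to Frankfurt


def landing_regions(source, routes, targets):
    """Return the set of regions where events from `source` come to rest."""
    regions = set()
    for route in routes:
        for rule in route["rules"]:
            if source in rule["locations"]:
                regions.update(targets[t]["region"] for t in rule["target_ids"])
    if not regions:
        # No rule matched: apply the defaults the article describes
        # (global -> Frankfurt, location-based -> originating region).
        regions.add(DEFAULT_GLOBAL_REGION if source == GLOBAL else source)
    return regions


def residency_violations(sources, routes, targets, allowed):
    """List (source, region) pairs where event data lands outside `allowed`."""
    return sorted(
        (src, region)
        for src in sources
        for region in landing_regions(src, routes, targets)
        if region not in allowed
    )


# Constructed sample configuration (not taken from a real account).
TARGETS = {
    "cos-syd": {"type": "cos", "region": "Sydney"},
    "search-syd": {"type": "event-search", "region": "Sydney"},
    "cos-dal": {"type": "cos", "region": "Dallas"},
}
ROUTES = [
    {"name": "in-country", "rules": [
        {"locations": ["Sydney"], "target_ids": ["cos-syd", "search-syd"]},
    ]},
    {"name": "corporate-copy", "rules": [
        {"locations": ["Sydney", "Dallas"], "target_ids": ["cos-dal"]},
    ]},
]

if __name__ == "__main__":
    sources = ["Sydney", "Dallas", GLOBAL]
    for src, region in residency_violations(sources, ROUTES, TARGETS, {"Sydney"}):
        print(f"{src} events land in {region}, outside the allowed set")
```

The unrouted global events are the case that is easy to miss: with no rule naming them, the model reports them landing in Frankfurt even though every configured target is elsewhere.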
Add data-level control with Activity Tracker streaming
The IBM Cloud Activity Tracker streaming feature boosts your level of data control, and you can configure advanced filtering of event data in-motion. Filtering is done with exclusion rules evaluating each data event. Data meeting evaluation criteria is sent to a configured IBM Event Streams instance.
The combination of event routing for locational control and streaming for data-level control provides a high degree of flexibility. Enterprise customers can solve for more complex data management needs and may create highly customized solutions.
Sending data to data lakes
Whether your environments have data puddles, ponds, lakes or oceans, IBM Cloud Activity Tracker events can be routed to the right target. Targets may include sending data to COS and using Data Engine.
Configuring data for IBM Cloud for Financial Services compliance with service-to-service authorization
Clients seeking IBM Cloud for Financial Services compliance may continue to send data directly and exclusively to IBM Cloud Object Storage (COS). Service-to-service authorization between IBM Cloud Activity Tracker Event Routing and COS is now possible. This authorization simplifies IP allow list and key management and can be configured from either the CLI or API. Account admins only need to set up the authorization once per account.
Configuring Event Routing
IBM Cloud Activity Tracker Event Routing is configurable by API, CLI or Terraform. First-time users of the Event Routing features should begin with the Event Routing getting-started section. When ready to enable the new routing features shared in this blog, plan where data will be routed. Several key configuration decisions include the following:
- Will data be forwarded exclusively to a Cloud Object Storage bucket or to an Activity Tracker event search instance? Data can also be configured to go to both at the same time.
- Which COS bucket or hosted event search instance will store the consolidated data?
- Which admins have the ability to manage the routes and from where will admins be able to manage them?
- Where will routing configurations be stored?
Increase your IBM Cloud activity awareness today
IBM Cloud Activity Tracker captures a record of your IBM Cloud activities. The new Event Routing features enable you to optimize where your activity event data lands. A comprehensive list of cloud services and the events generated is available here:
- IBM Cloud Activity Tracker events increase your visibility to IBM Cloud configuration changes so you can manage the risk of incorrectly configured services more effectively.
- Activity events simplify your understanding of IT complexity and agile development actions in the cloud. The combination of events provides a holistic view of what happened.
- Insights from the event data help accelerate identification of abnormal activities. For example, track the frequency and volume of access management events or multi-factor authentication configuration changes.
Learn more about the IBM Cloud Activity Tracker service and configure event routing to best meet your needs.