Logged actions and data for auditing
For audit logging, IBM Cloud Pak for AIOps capabilities log information about numerous user interactions, system processes, and events, each of which can return, manage, manipulate, or access sensitive data. The following lists detail the actions and data that are recorded in audit logs.
IBM Cloud Pak for AIOps
IBM Cloud Pak for AIOps capabilities audit the following types of actions, which can return, manage, manipulate, or access sensitive data:
- Successful and unsuccessful login attempts
- Authentication checks: These checks run when a user attempts to log in to the UI. The record for these checks includes whether the attempt was successful. These checks do not include checks for internal system service-to-service authentication actions, such as when a secret is used to authenticate to a database.
- Authorization checks: These checks run to determine whether a user has the required role and permission for completing an action.
- Account management events: These events include actions for adding, changing, and removing users, and for managing credentials and role-based access control.
- Object access: This access includes the access of data objects through the IBM Cloud Pak for AIOps UI or APIs.
- Policy changes: The auditing of these changes includes policy changes for the management of user access controls, such as access policies. This auditing does not include event suppression policies.
- Privileged functions: This auditing records changes for administrator access controls, such as access policies and their ability to run administrator-level tasks.
- Data access: This auditing records read access to any data, such as viewing data on a UI page. The viewing of the following data through the UI or API is audited:
  - Integrations
    - Viewing the set of configured integrations
    - Viewing the status of an integration
    - Viewing the configuration of an integration
  - AIOps Insights
    - Viewing aggregate usage information, such as information about the number of resources, events, incidents, and runbooks
  - AI Models
    - Viewing the set of configured AI model definitions
    - Viewing an AI model definition's status
    - Viewing an AI model definition's configuration
    - Viewing the status and details of an AI model version
  - Resources
    - Viewing the list of resources, resource groups, or applications
    - Searching resources, resource groups, or applications
    - Viewing the configuration of a resource, resource group, or application
    - Viewing the topology of an application
  - Incidents and alerts
    - Viewing the list of incidents or alerts
    - Viewing incident or alert details
  - Automations
    - Viewing the list of policies
    - Viewing a specific policy
    - Viewing the list of runbooks
    - Viewing a specific runbook
    - Viewing the list of automation actions
    - Viewing a specific automation action
- Data changes: This auditing records actions for creating or changing data. Changes to the following types of data are recorded:
  - Integrations
    - Creating or editing an integration
  - AI Models
    - Creating or editing an AI model definition
    - Creating an AI model version through AI training
    - Editing the state of an AI model version
  - Resources
    - Creating or editing a resource, resource group, or application
  - Alerts and incidents
    - Changing the state of an alert, including by policies
    - Editing an alert journal
    - Changing the incident details, such as the incident owner or state
  - Automations
    - Creating or editing a policy, runbook, or action
- Data deletions: This auditing records the deletion of the following types of data:
  - Integrations
    - Deleting an integration
  - AI models
    - Deleting an AI model definition or AI model version
  - Resources
    - Deleting a resource, resource group, or application
  - Automations
    - Deleting a policy, runbook, or action
- Process tracking: This auditing records the action that caused a policy to run. A policy action is not caused by a user interaction. Instead, the action is caused by the policy service, with the data object for which the policy is applied being the target. Audit logs record an entry (policy ID, ID of the entity the policy ran on) whenever a policy runs due to one of the following actions occurring:
  - aiops.ibm.com/trigger/event-received
  - aiops.ibm.com/trigger/alert-pre-create
  - aiops.ibm.com/trigger/alert-created
  - aiops.ibm.com/trigger/alert-pre-update
  - aiops.ibm.com/trigger/alert-pre-delete
  - aiops.ibm.com/trigger/incident-pre-create
  - aiops.ibm.com/trigger/incident-created
  - aiops.ibm.com/trigger/incident-pre-update
  - aiops.ibm.com/trigger/incident-pre-delete

  One or more of these actions can occur when one of the following processes runs:
  - Alert suppression through a policy
  - Alert creation through a policy
  - Correlating an alert to another alert through a policy
  - Creating an incident through a policy
  - Assigning or running an action through the UI, API, or policy
  - Assigning or running a runbook through the UI, API, or policy
  - Running an Ansible, HTTP, or SSH automation action on an external system
  - Creating or updating an incident ticket through a policy
  - Creating or updating a ChatOps message through a policy
  - Determining a change risk score through a policy
  - Updating a change ticket with a change risk score through a policy
  - Providing model feedback
- System events: This auditing records system and maintenance tasks that are not included within the preceding categories, such as the following actions:
  - Backup and restore
- Administrator activities: This auditing records activities that require a user with an administrator role, including the following activities:
  - Integrations
    - Viewing the set of configured integrations
    - Viewing the status of an integration
    - Viewing the configuration of an integration
    - Creating, editing, or deleting an integration
  - AI models
    - Viewing the set of configured AI model definitions
    - Viewing an AI model definition's status
    - Viewing an AI model definition's configuration
    - Viewing the status and details of an AI model version
    - Creating, editing, or deleting an AI model definition
    - Creating, editing, or deleting an AI model version
  - Resources
    - Viewing the configuration of a resource, resource group, or application
    - Creating, editing, or deleting a resource, resource group, or application
  - Automations
    - Viewing a specific runbook
    - Viewing the list of automation actions
    - Viewing a specific automation action
    - Creating, editing, or deleting a policy, runbook, or action
- Permission changes: Records of changes to, and management of, user permissions.
Infrastructure Automation
Infrastructure Automation capabilities audit the following types of actions and data:
Infrastructure management
Infrastructure management audits UI and API interactions. This logging includes UI privilege checks and invalid session requests caused by a session timeout or by reloading a page after a user logs out.
Managed services
Managed services logging includes records for the following actions:
- Logging in or out of the UI
- Creating, editing, or deleting a cloud connection
- Creating, editing, or deleting DataTypes in shared parameters
- Creating, editing, or deleting DataObjects in shared parameters
- Adding or editing a namespace for DataObjects in shared parameters
- Creating, editing, or deleting dynamic parameters
- Deploying a stack
- Modifying an existing stack (plan and apply)
- Modifying existing stack record attributes
- Destroying or deleting a stack
- Creating or deleting an IAAS resource task
- Creating, editing, or deleting IAAS resource settings
- Creating, editing, or deleting a template
- Creating, editing, or deleting a template version
- Creating, updating, or deleting a provider engine
- Creating, updating, or deleting provider plugins
- Creating, editing, duplicating, retiring, or deleting a service
- Adding or editing namespaces for a service
- Creating or deleting a service plan
- Creating, editing, or deleting a service category
- Adding or editing a service version
- Publishing, retiring, unretiring, duplicating, or deleting a service version
- Pushing to, or pulling from, a Git service version
- Deploying a service-instance
- Resuming or retrying a service-instance
- Terminating or deleting a service-instance
- Invoking or terminating a bind action for a service-instance
- Invoking a custom action for a service-instance
- Generating an update plan for a service-instance
- Updating a service-instance
- Getting upgrade or downgrade service versions for a service-instance
- Generating a service version change plan for a service-instance
- Running a service version change for a service-instance
- Creating, editing, or deleting an independent custom action category
- Creating, editing, deleting, or invoking an independent custom action
- Setting or unsetting a namespace for an independent custom action
- Locking or unlocking an independent custom action
- Creating, editing, or deleting an SMTP connection
- Adding or deleting a subscription store configuration