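Sample Cloud Pak for Data CADF Audit Records
The samples below do not share one exact shape. The first record names the Kubernetes fields "contain_id" and "contain_name" and places "message" and "sourceCrn" beside "content"; the other records use "container_id" and "container_name" and nest "message" and "sourceCrn" inside "content". The "reason" object carries either "type" or "reasonType", with the value spelled "HTTP" or "http", and "eventTime" appears both as "2020-03-24T00:30:31.541+0000" and as "2020-03-24T05:55:14Z". Parsers and detection rules built from these samples should accept each variant.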
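Authentication (failed)
A request that presented no credential and was rejected with HTTP 401. The initiator "id" and "name" are both "unknown", so "initiator.host.address" is the only attribution this record carries.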
{
"action": "security.authenticate",
"attachments": [
{
"content": {
"kubernetes": {
"contain_id": "crio-140f725c303ece65ed72a3325587dbc39241001c9bacaf28473fa2da5a66e39b.scope",
"contain_name": "ibm-nginx-container",
"namespace": "zen",
"pod": "ibm-nginx-6c4ff4d894-gnl6b"
}
},
"contentType": "http://schemas.ibm.com/cloud/content/1.0/cloudpak",
"message": "security.authenticate \"No Credential\" failure",
"name": "ibm-cp-data",
"sourceCrn": "crn:v1:cp4d:private:k8:w/worker1.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:security"
}
],
"eventTime": "2020-03-24T00:30:31.541+0000",
"eventType": "activity",
"id": "icp:73cab988-6b46-4d7c-8e0f-4e81a87e99b9",
"initiator": {
"credential": {
"identity_status": "Denied",
"type": "unknown"
},
"host": {
"address": "9.1.2.3"
},
"id": "unknown",
"name": "unknown",
"typeURI": "security/account/user"
},
"observer": {
"id": "target"
},
"origination": "unknown",
"outcome": "failure",
"reason": {
"reasonCode": 401,
"type": "HTTP"
},
"requestData": {
"path": "/zen/",
"type": "GET"
},
"severity": "critical",
"target": {
"host": {
"address": "10.1.2.3"
},
"id": "crn:v1:cp4d:private:k8:w/worker1.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:security",
"name": "ibm-nginx-6c4ff4d894-gnl6b",
"typeURI": "service/security/authentication"
},
"typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event"
}
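Create user (failed)
The "responseData.error.exception" value is the literal string "[object Object]", so this record does not preserve the underlying exception detail; only "_messageCode_" and "message" describe the failure.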
{
"action": "users.user.create",
"attachments": [
{
"content": {
"kubernetes": {
"container_id": "crio-084b607766871e41384e04512b958eb66fd7b93ca4a0c38a1261bc652382554f.scope",
"container_name": "usermgmt-container",
"namespace": "zen",
"node": "worker4.pptr-wrkr9-4.os.fyre.ibm.com",
"pod": "usermgmt-758d588874-4jltx"
},
"message": "users.user.create worker4.pptr-wrkr9-4.os.fyre.ibm.com failure",
"sourceCrn": "crn:v1:cp4d:private:k8:w/worker4.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:usermgmt"
},
"contentType": "http://schemas.ibm.com/cloud/content/1.0/cloudpak",
"name": "ibm-cp-data"
}
],
"eventTime": "2020-03-24T01:40:37.984+0000",
"eventType": "activity",
"id": "icp:b8bfd642-b2df-4869-9bbf-c72f372fa6af",
"initiator": {
"credential": {
"identity_status": "Denied",
"type": "token"
},
"host": {
"address": "usermgmt-svc:3443",
"agent": "curl/7.29.0"
},
"id": "1000330999",
"name": "admin",
"typeURI": "security/account/user"
},
"observer": {
"id": "target"
},
"origination": "api",
"outcome": "failure",
"reason": {
"reasonCode": 400,
"type": "http"
},
"requestData": {
"path": "/v1/user",
"type": "POST"
},
"responseData": {
"error": {
"_messageCode_": "createUser_fail",
"_statusCode_": 400,
"exception": "[object Object]",
"message": "Adding user record failed"
}
},
"severity": "critical",
"target": {
"host": {
"address": "10.1.2.3"
},
"id": "crn:v1:cp4d:private:k8:w/worker4.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:usermgmt",
"name": "usermgmt-758d588874-4jltx",
"typeURI": "service/security/account/user"
},
"typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event"
}
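Delete user (success)
The deleted account is identified by "requestData.username" and "responseData.uid", and the "initiator" object in this sample has no "typeURI" field.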
{
"action": "users.user.delete",
"attachments": [
{
"content": {
"kubernetes": {
"container_id": "crio-084b607766871e41384e04512b958eb66fd7b93ca4a0c38a1261bc652382554f.scope",
"container_name": "usermgmt-container",
"namespace": "zen",
"node": "worker4.pptr-wrkr9-4.os.fyre.ibm.com",
"pod": "usermgmt-758d588874-4jltx"
},
"message": "users.user.delete 1000331001 success",
"sourceCrn": "crn:v1:cp4d:private:k8:w/worker4.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:usermgmt"
},
"contentType": "http://schemas.ibm.com/cloud/content/1.0/cloudpak",
"name": "ibm-cp-data"
}
],
"eventTime": "2020-03-24T00:29:29.079+0000",
"eventType": "activity",
"id": "icp:053e4159-8b68-43bd-935c-a3625db9b773",
"initiator": {
"credential": {
"identity_status": "Confirmed",
"type": "cookie"
},
"host": {
"address": "9.1.2.3",
"agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/78.0.3882.0 Safari/537.36"
},
"id": "1000330999",
"name": "admin"
},
"observer": {
"id": "target"
},
"origination": "ui",
"outcome": "success",
"reason": {
"reasonCode": 200,
"type": "http"
},
"requestData": {
"path": "/api/v1/usermgmt/v1/user/user1",
"type": "DELETE",
"username": "user1"
},
"responseData": {
"uid": "1000331001"
},
"severity": "critical",
"target": {
"host": {
"address": "10.1.2.3"
},
"id": "crn:v1:cp4d:private:k8:w/worker4.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:usermgmt",
"name": "usermgmt-758d588874-4jltx",
"typeURI": "service/security/account/user"
},
"typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event"
}
Create connection (success)
{
"action": "connections.create",
"attachments": [
{
"content": {
"kubernetes": {
"container_id": "unknown",
"container_name": "zen-core-api-container",
"namespace": "zen",
"pod": "zen-core-api-86f4bbc668-lmn4t"
},
"message": "connections.create success",
"sourceCrn": "crn:v1:ocp:private:k8:w/worker0.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:zen-core-api",
"subject": {
"asUser": "user1"
}
},
"contentType": "http://schemas.ibm.com/cloud/content/1.0/cloudpak",
"name": "ibm-cp-data"
}
],
"eventTime": "2020-03-24T05:55:14Z",
"eventType": "activity",
"id": "icp:415e49e6-addc-49a2-9d4c-174ea8499ab4",
"initiator": {
"credential": {
"identity_status": "Confirmed",
"type": "cookie"
},
"host": {
"address": "9.1.2.3",
"agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/78.0.3882.0 Safari/537.36",
"name": "francis95294"
},
"id": "1000331005",
"name": "francis95294",
"typeURI": "security/account/user"
},
"observer": {
"id": "target"
},
"origination": "ui",
"outcome": "success",
"reason": {
"reasonCode": 200,
"reasonType": "HTTP"
},
"requestData": {
"path": "/v2/connections",
"type": "POST"
},
"responseData": {
"post_connection_status": "Success"
},
"severity": "warning",
"target": {
"host": {
"address": "10.1.2.3"
},
"id": "crn:v1:ocp:private:k8:w/worker0.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:zen-core-api",
"name": "zen-core-api-86f4bbc668-lmn4t",
"typeURI": "network/connection"
},
"typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event"
}
Create service instance user (success)
{
"action": "service_instances.user.add",
"attachments": [
{
"content": {
"kubernetes": {
"container_id": "unknown",
"container_name": "zen-core-api-container",
"namespace": "zen",
"pod": "zen-core-api-86f4bbc668-lmn4t"
},
"message": "service_instances.user.add 1585010153494 1000330999 success",
"sourceCrn": "crn:v1:ocp:private:k8:w/worker0.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:zen-core-api",
"subject": {
"asUser": "admin"
}
},
"contentType": "http://schemas.ibm.com/cloud/content/1.0/cloudpak",
"name": "ibm-cp-data"
}
],
"eventTime": "2020-03-24T08:35:03Z",
"eventType": "activity",
"id": "icp:d9270412-1199-43c9-9221-cf631102d09c",
"initiator": {
"credential": {
"identity_status": "Confirmed",
"type": "cookie"
},
"host": {
"address": "9.1.2.3",
"agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/78.0.3882.0 Safari/537.36",
"name": "admin"
},
"id": "1000330999",
"name": "admin",
"typeURI": "security/account/user"
},
"observer": {
"id": "target"
},
"origination": "ui",
"outcome": "success",
"reason": {
"reasonCode": 200,
"reasonType": "HTTP"
},
"requestData": {
"instance_id": "1585010153494",
"path": "/v2/serviceInstance/currentUser",
"type": "POST"
},
"responseData": {
"user_id": "1000330999",
"user_name": "admin"
},
"severity": "warning",
"target": {
"host": {
"address": "10.1.2.3"
},
"id": "crn:v1:ocp:private:k8:w/worker0.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:zen-core-api",
"name": "zen-core-api-86f4bbc668-lmn4t",
"typeURI": "service/security/instance/user"
},
"typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event"
}