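Sample Cloud Pak for Data CADF Audit Records

Note for anyone writing parsers or detection rules against these records: the field layout is not uniform across the samples below.
- The first record uses "contain_id" / "contain_name" where the others use "container_id" / "container_name". It also places "message" and "sourceCrn" on the attachment itself rather than inside "content".
- The reason type appears as "reason.type" in some records and "reason.reasonType" in others, with the value spelled "HTTP" or "http".
- "eventTime" appears both as "2020-03-24T00:30:31.541+0000" and as "2020-03-24T05:55:14Z".
- "initiator.host.address" is an IP address in most samples but "usermgmt-svc:3443" in the failed create-user record.
- The delete-user record has no "initiator.typeURI".
Field extraction should accept each variant shown here and should not assume one fixed schema.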


Authentication (failed)
    {
        "action": "security.authenticate",
        "attachments": [
            {
                "content": {
                    "kubernetes": {
                        "contain_id": "crio-140f725c303ece65ed72a3325587dbc39241001c9bacaf28473fa2da5a66e39b.scope",
                        "contain_name": "ibm-nginx-container",
                        "namespace": "zen",
                        "pod": "ibm-nginx-6c4ff4d894-gnl6b"
                    }
                },
                "contentType": "http://schemas.ibm.com/cloud/content/1.0/cloudpak",
                "message": "security.authenticate \"No Credential\" failure",
                "name": "ibm-cp-data",
                "sourceCrn": "crn:v1:cp4d:private:k8:w/worker1.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:security"
            }
        ],
        "eventTime": "2020-03-24T00:30:31.541+0000",
        "eventType": "activity",
        "id": "icp:73cab988-6b46-4d7c-8e0f-4e81a87e99b9",
        "initiator": {
            "credential": {
                "identity_status": "Denied",
                "type": "unknown"
            },
            "host": {
                "address": "9.1.2.3"
            },
            "id": "unknown",
            "name": "unknown",
            "typeURI": "security/account/user"
        },
        "observer": {
            "id": "target"
        },
        "origination": "unknown",
        "outcome": "failure",
        "reason": {
            "reasonCode": 401,
            "type": "HTTP"
        },
        "requestData": {
            "path": "/zen/",
            "type": "GET"
        },
        "severity": "critical",
        "target": {
            "host": {
                "address": "10.1.2.3"
            },
            "id": "crn:v1:cp4d:private:k8:w/worker1.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:security",
            "name": "ibm-nginx-6c4ff4d894-gnl6b",
            "typeURI": "service/security/authentication"
        },
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event"
    }

Create user (failed)
   {
        "action": "users.user.create",
        "attachments": [
            {
                "content": {
                    "kubernetes": {
                        "container_id": "crio-084b607766871e41384e04512b958eb66fd7b93ca4a0c38a1261bc652382554f.scope",
                        "container_name": "usermgmt-container",
                        "namespace": "zen",
                        "node": "worker4.pptr-wrkr9-4.os.fyre.ibm.com",
                        "pod": "usermgmt-758d588874-4jltx"
                    },
                    "message": "users.user.create worker4.pptr-wrkr9-4.os.fyre.ibm.com failure",
                    "sourceCrn": "crn:v1:cp4d:private:k8:w/worker4.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:usermgmt"
                },
                "contentType": "http://schemas.ibm.com/cloud/content/1.0/cloudpak",
                "name": "ibm-cp-data"
            }
        ],
        "eventTime": "2020-03-24T01:40:37.984+0000",
        "eventType": "activity",
        "id": "icp:b8bfd642-b2df-4869-9bbf-c72f372fa6af",
        "initiator": {
            "credential": {
                "identity_status": "Denied",
                "type": "token"
            },
            "host": {
                "address": "usermgmt-svc:3443",
                "agent": "curl/7.29.0"
            },
            "id": "1000330999",
            "name": "admin",
            "typeURI": "security/account/user"
        },
        "observer": {
            "id": "target"
        },
        "origination": "api",
        "outcome": "failure",
        "reason": {
            "reasonCode": 400,
            "type": "http"
        },
        "requestData": {
            "path": "/v1/user",
            "type": "POST"
        },
        "responseData": {
            "error": {
                "_messageCode_": "createUser_fail",
                "_statusCode_": 400,
                "exception": "[object Object]",
                "message": "Adding user record failed"
            }
        },
        "severity": "critical",
        "target": {
            "host": {
                "address": "10.1.2.3"
            },
            "id": "crn:v1:cp4d:private:k8:w/worker4.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:usermgmt",
            "name": "usermgmt-758d588874-4jltx",
            "typeURI": "service/security/account/user"
        },
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event"
    }

Delete user (success)
   {
        "action": "users.user.delete",
        "attachments": [
            {
                "content": {
                    "kubernetes": {
                        "container_id": "crio-084b607766871e41384e04512b958eb66fd7b93ca4a0c38a1261bc652382554f.scope",
                        "container_name": "usermgmt-container",
                        "namespace": "zen",
                        "node": "worker4.pptr-wrkr9-4.os.fyre.ibm.com",
                        "pod": "usermgmt-758d588874-4jltx"
                    },
                    "message": "users.user.delete 1000331001 success",
                    "sourceCrn": "crn:v1:cp4d:private:k8:w/worker4.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:usermgmt"
                },
                "contentType": "http://schemas.ibm.com/cloud/content/1.0/cloudpak",
                "name": "ibm-cp-data"
            }
        ],
        "eventTime": "2020-03-24T00:29:29.079+0000",
        "eventType": "activity",
        "id": "icp:053e4159-8b68-43bd-935c-a3625db9b773",
        "initiator": {
            "credential": {
                "identity_status": "Confirmed",
                "type": "cookie"
            },
            "host": {
                "address": "9.1.2.3",
                "agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/78.0.3882.0 Safari/537.36"
            },
            "id": "1000330999",
            "name": "admin"
        },
        "observer": {
            "id": "target"
        },
        "origination": "ui",
        "outcome": "success",
        "reason": {
            "reasonCode": 200,
            "type": "http"
        },
        "requestData": {
            "path": "/api/v1/usermgmt/v1/user/user1",
            "type": "DELETE",
            "username": "user1"
        },
        "responseData": {
            "uid": "1000331001"
        },
        "severity": "critical",
        "target": {
            "host": {
                "address": "10.1.2.3"
            },
            "id": "crn:v1:cp4d:private:k8:w/worker4.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:usermgmt",
            "name": "usermgmt-758d588874-4jltx",
            "typeURI": "service/security/account/user"
        },
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event"
    }

Create connection (success)
  {
        "action": "connections.create",
        "attachments": [
            {
                "content": {
                    "kubernetes": {
                        "container_id": "unknown",
                        "container_name": "zen-core-api-container",
                        "namespace": "zen",
                        "pod": "zen-core-api-86f4bbc668-lmn4t"
                    },
                    "message": "connections.create success",
                    "sourceCrn": "crn:v1:ocp:private:k8:w/worker0.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:zen-core-api",
                    "subject": {
                        "asUser": "user1"
                    }
                },
                "contentType": "http://schemas.ibm.com/cloud/content/1.0/cloudpak",
                "name": "ibm-cp-data"
            }
        ],
        "eventTime": "2020-03-24T05:55:14Z",
        "eventType": "activity",
        "id": "icp:415e49e6-addc-49a2-9d4c-174ea8499ab4",
        "initiator": {
            "credential": {
                "identity_status": "Confirmed",
                "type": "cookie"
            },
            "host": {
                "address": "9.1.2.3",
                "agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/78.0.3882.0 Safari/537.36",
                "name": "francis95294"
            },
            "id": "1000331005",
            "name": "francis95294",
            "typeURI": "security/account/user"
        },
        "observer": {
            "id": "target"
        },
        "origination": "ui",
        "outcome": "success",
        "reason": {
            "reasonCode": 200,
            "reasonType": "HTTP"
        },
        "requestData": {
            "path": "/v2/connections",
            "type": "POST"
        },
        "responseData": {
            "post_connection_status": "Success"
        },
        "severity": "warning",
        "target": {
            "host": {
                "address": "10.1.2.3"
            },
            "id": "crn:v1:ocp:private:k8:w/worker0.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:zen-core-api",
            "name": "zen-core-api-86f4bbc668-lmn4t",
            "typeURI": "network/connection"
        },
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event"
    }

Create service instance user (success)
   {
        "action": "service_instances.user.add",
        "attachments": [
            {
                "content": {
                    "kubernetes": {
                        "container_id": "unknown",
                        "container_name": "zen-core-api-container",
                        "namespace": "zen",
                        "pod": "zen-core-api-86f4bbc668-lmn4t"
                    },
                    "message": "service_instances.user.add 1585010153494 1000330999 success",
                    "sourceCrn": "crn:v1:ocp:private:k8:w/worker0.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:zen-core-api",
                    "subject": {
                        "asUser": "admin"
                    }
                },
                "contentType": "http://schemas.ibm.com/cloud/content/1.0/cloudpak",
                "name": "ibm-cp-data"
            }
        ],
        "eventTime": "2020-03-24T08:35:03Z",
        "eventType": "activity",
        "id": "icp:d9270412-1199-43c9-9221-cf631102d09c",
        "initiator": {
            "credential": {
                "identity_status": "Confirmed",
                "type": "cookie"
            },
            "host": {
                "address": "9.1.2.3",
                "agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/78.0.3882.0 Safari/537.36",
                "name": "admin"
            },
            "id": "1000330999",
            "name": "admin",
            "typeURI": "security/account/user"
        },
        "observer": {
            "id": "target"
        },
        "origination": "ui",
        "outcome": "success",
        "reason": {
            "reasonCode": 200,
            "reasonType": "HTTP"
        },
        "requestData": {
            "instance_id": "1585010153494",
            "path": "/v2/serviceInstance/currentUser",
            "type": "POST"
        },
        "responseData": {
            "user_id": "1000330999",
            "user_name": "admin"
        },
        "severity": "warning",
        "target": {
            "host": {
                "address": "10.1.2.3"
            },
            "id": "crn:v1:ocp:private:k8:w/worker0.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:zen-core-api",
            "name": "zen-core-api-86f4bbc668-lmn4t",
            "typeURI": "service/security/instance/user"
        },
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event"
    }