Management event payload

Edit online

The following IBM® Verify admin activity event attributes are available when generating reports.

Table 1.
Name Data type Description
data.action String The action performed by a user for the resource
data.added long For the resource group, number of users added
data.api_grant_type String The grant-type in the JWT
data.applicationid String Supplemental information to define the target of the action. Used by resources: application, entitlement
data.applicationname

data.applicationtype

 String The application name is the target for the resources: application, entitlement
data.authenticatorattachment String (Optional) Describes the authenticator's attachment modalities. This attribute is only present for FIDO based events and when known.
data.cause String The message describing the action
data.context String Additional information about the action. Used by resource: flow
data.deleted long For the resource group, number of users deleted
data.devicetype String Browser user agent
data.dict_enabled String Examples - “LOCAL”, “GLOBAL”, "LOCAL, GLOBAL"
data.dict_op String Examples - “NONE”, “CHANGE”, “AUTH”
data.dict_result String Examples - “NONE”, “SUCCESS”, “WARNING”, “ENFORCED”, "AUDIT"
data.dict_type String Examples - “NONE”, “LOCAL”, “GLOBAL”
data.fido2_attestationobject String This attribute contains an attestation object which is opaque to, and cryptographically protected against tampering, by the client.
data.fido2_clientdatajson String This attribute contains the JSON-compatible serialization of the client data passed to the authenticator by the client to generate this credential.
data.fido2_credentialid String A probabilistically-unique byte sequence that identifies a public key credential source and its authentication assertions.
data.fido2_publickey String The Base64 encoded CBOR bytes of the COSE public key that is issued by the authenticator.
data.fido2_relyingparty String The unique identifier of the associated relying party.
data.messageid String The messageid for the message in data.cause
data.modified String What was changed
data.origin String IP address of system that caused event to be generated
data.performedby String Cloud directory userid or the UUID of the API Client
data.performedby_clientname String API client name
data.performedby_realm

data.perfomedby_username

 String User name and realm of the person who performed the action.
data.performedby_type String API, Device, System, or User
data.purpose_id String Purpose ID
data.purpose_version Number Purpose version
data.reference String Unique reference of the target. Used by resource: flow
data.resource String
  • access_policy - Access policy selections: modified
  • api_client - API client created, deleted, modified
  • app_consent - Application consent: deleted
  • application - Application: created, deleted, modified
  • auth_factor - Authentication factor: created, deleted, modified
  • authenticator_profile - Registration profiles: created, deleted, modified
  • certificate Certificate: created, deleted, modified
  • device_manager - Device manager: created, deleted, modified
  • domain - Domain: created, deleted
  • entitlement - Entitlement: granted, revoked
  • fido2_metadata - FIDO2 device metadata: created, deleted, modified
  • fido2_relying_party - FIDO2 relying party: created, deleted, modified
  • flow - Flow: created, modified, exported, imported, published, deleted, traceURLGenerated
  • group - Group: created, deleted, modified
  • identity_feed: created, deleted,modified
  • identity_source: created, deleted, modified
  • identity_source_global_config: modified
  • mfa_device: created, deleted, modified
  • notification - Notification configuration: modified
  • password_policy - Policy: created, deleted, modified
  • password_vault - Resources
  • privacy_eula - Eula: created, deleted, modified
  • privacy_policy - Policy: modified
  • privacy_rule - Rule: created, deleted, modified
  • purpose - Purpose: modified
  • theme - Theme: created, deleted, modified
  • token - Token: revoked, reactivated
  • user - User: created, deleted, modified, reset password, expiration
data.target String Target of the event
data.targetid String Supplemental information to define the target of the action. Used by resources: user, group
data.targetid_realm

data.targetid_username

user_info.targetid.realm

user_info.targetid.username

 String User name and realm of the target. Used by resources: user, group
data.themeid String The theme ID that is used by resources: theme.
data.userinfo_lookup_field String Supplemental information to define the user who performed the action
geoip.city_name

geoio.continent_name

geoip.country_iso_code

geoip.country_name

geoip.location

geoip.region_name

 String Augmented by Event service by using data.origin.

Example

The following code is a sample payload. Use the Events APIs to get the actual attributes. See https://docs.verify.ibm.com/verify/reference/getallevents and https://docs.verify.ibm.com/verify/docs/pulling-event-data.

{
    "geoip": {
      "continent_name": "Europe",
      "as_org": "AMAZON-02",
      "city_name": "Frankfurt am Main",
      "country_iso_code": "DEU",
      "ip": "1.11.1.111",
      "country_name": "Germany",
      "region_name": "Hesse",
      "location": {
        "lon": "8.6843",
        "lat": "50.1188"
      },
      "asn": 16509
    },
    "data": {
      "api_grant_type": "client_credentials",
      "performedby_type": "api",
      "targetid": "a2a22222-2222-2222-a2feaa-a2aa2222a222",
      "resource": "mfa_device",
      "subject": "610000CTLT",
      "origin": "1.11.1.111",
      "intraservice": "false",
      "target": "Monitor'''s iPhone",
      "result": "success",
      "performedby": "b333b3b3-b3bb-33b3-33bb-bbb33bbb33333",
      "mfamethod": "IBM Verify Push",
      "action": "deleted",
      "realm": "cloudIdentityRealm",
      "mfadevice": "Monitor'''s iPhone",
      "performedby_clientname": "MonitorsApiClient",
      "username": "scott"
    },
    "year": 2023,
    "event_type": "management",
    "month": 7,
    "indexed_at": 1690219053759,
    "tenantid": "cc444cc4-cc44-44cc-c444-4444ccc4444c",
    "tenantname": "tenant_name",
    "correlationid": "CORR_ID-DD5d555d55-555-555-dd5d-5555555ddd5d",
    "servicename": "factors",
    "id": "6ee66e66-4d80-6e66-6e6e-6e6e-666e6666e66e",
    "time": 1690219053309,
    "day": 24
  }