IBM Support

Export IBM Cloud Pak for Data audit records to your security information and event management solution

How To


Summary

You can configure IBM Cloud Pak for Data Audit Logging to forward audit records to your security information and event management (SIEM) solutions, such as Splunk, LogDNA, or QRadar.

Objective

At a high level, auditing provides accountability, traceability, and regulatory compliance regarding access to and modification of data. Enterprises are often subject to industry requirements for regulatory auditing compliance. Therefore, a holistic auditing solution that works with IBM Cloud Pak for Data requires contributions and coordination of solutions from OpenShift, Guardium, and the IBM Cloud Pak for Data software stack.
Auditing support in IBM Cloud Pak for Data makes a significant step forward by generating, collecting, and forwarding CADF (Cloud Auditing Data Federation) compliant audit records for core platform auditable events. This article guides you through the configuration that is required to forward IBM Cloud Pak for Data audit records to your existing security information and event management (SIEM) solutions.

Environment

IBM Cloud Pak for Data Release 3.0.1 introduced the Audit Logging Service. The Audit Logging Service collects CADF-compliant audit records from services that are deployed across the IBM Cloud Pak for Data instance and forwards those audit records onto any configured SIEM solutions.
The Audit Logging Service is installed in each instance of IBM Cloud Pak for Data and is namespace-scoped. In a multi-tenant configuration, each Audit Logging Service works independently. Each tenant's CADF audit records are isolated from each other and can be forwarded with different SIEM collector configurations. From a security and compliance perspective, the Audit Logging Service ensures that auditors for one tenant have visibility of records for that tenant only.
Similar to other IBM Cloud Pak for Data core platform services, the Audit Logging Service pod deployment (zen-audit) supports multiple replicas. By default, the zen-audit deployment is configured as a single replica with minimal memory and CPU load. This deployment can be scaled up and out when the need arises.
The Audit Logging implementation uses Fluentd Output Plugins to forward and export audit records. After you install IBM Cloud Pak for Data, the Audit Logging Service is configured by default to post ingested audit records only to the zen-audit pod stdout log. External SIEM Configuration can be added to the zen-audit-config Kubernetes configmap to extend where the Audit Logging Service exports all collected audit records.

Steps

The IBM Cloud Pak for Data Audit Logging Service can be configured to forward ingested audit records to an existing external SIEM by adding a <store> configuration section to the zen-audit-config Kubernetes configmap for each external SIEM. You must have OpenShift administrator privileges to edit the zen-audit-config Kubernetes configmap.
The SIEM <store> configuration section typically contains information that must be configured on and gathered from the external SIEM. Therefore, each SIEM sub-section documented below is separated into two portions: actions required on the SIEM interface and actions required on OpenShift hosting the IBM Cloud Pak for Data cluster.
The Audit Logging Service in IBM Cloud Pak for Data explicitly supports forwarding of CADF Audit Record Format compliant records to the following external SIEM solutions:
Other types of external SIEM solutions can be successfully configured if they support base Fluentd Output Plugins or additionally packaged plugins.  For example, TCP/IP @type forward and RSYSLOG @type remote_syslog.
For security, TLS enablement is often required and therefore TLS Certificates are also typically added to the zen-audit-config Kubernetes configmap for reference in the SIEM <store> configuration section. For more information, see TLS Certificates.


Splunk
In Splunk:
  1. In the Splunk dashboard, click Settings > Data inputs.
  2. In the HTTP Event Collector section, click Add new.
  3. Give the IBM Cloud Pak for Data instance a unique name, and optionally configure the source name override, description, and indexer acknowledgment.
  4. Configure source type, create a specific IBM Cloud Pak for Data source, use automatic detecting, or select generic JSON source type.
  5. Configure App Context and Indexes for the specific use case.
  6. Click Review and then click Submit.
  7. Save the Generated Token Value so that it can be used in a later step.
In OpenShift hosting Cloud Pak for Data:
  1. Make a backup of the current zen-audit-config configmap.
  2. Edit the zen-audit-config configmap, either in the OpenShift UI or from a terminal window.  
  3. The IBM Cloud Pak for Data auditing service uses Fluentd to manage audit logging. The zen-audit-config configmap defines log export settings for the instance of IBM Cloud Pak for Data. By default, example configurations are commented out, and stdout is the only output enabled.
  4. To integrate with Splunk, a Splunk HEC-specific plug-in is included.  Additional documentation can be found here.
  5. Add the following <store> configuration section to the configmap inside the <match export export.** records records.** syslog syslog.**> tags, and underneath the line that reads @type copy. Remember to ensure it is correctly indented, and the configuration details replace the placeholders in angled brackets (<>).
    apiVersion: v1
    metadata:
      name: zen-audit-config
    data:
      ca.pem: |
        -----BEGIN CERTIFICATE-----
         <XXXXXXXXX>
        -----END CERTIFICATE-----
      fluent.conf: |-
        <match export export.** records records.** syslog syslog.**> 
          @type copy 
          <store>    
            @type splunk_hec
            host <SPLUNK-HOST>
            port <SPLUNK-PORT, 8088 BY DEFAULT>
            token <SPLUNK-TOKEN>
            flush_interval 10s
            use_ssl true
            ca_file /fluentd/config/ca.pem
          </store>
        </match>
  6. Save the changes to the zen-audit-config configmap.
  7. Delete all zen-audit pods to force a restart to pick up changes. To avoid forced restart, implement a manual rolling update.
  8. When correctly configured, new events from IBM Cloud Pak for Data will begin appearing in the Splunk instance. 
Note: Alternatively, you can use the following command to update the zen-audit-config configmap:
>oc patch configmap zen-audit-config -n <CPD-NAMESPACE> --type merge --patch '{"data":{"fluent.conf":"<match export export.** records records.** syslog syslog.**> \n  @type copy \n  <store> \n  @type splunk_hec\n    host <SPLUNK-HOST>\n    port <SPLUNK-PORT, 8088 BY DEFAULT>\n    token <SPLUNK-TOKEN>\n    flush_interval 10s\n    use_ssl true\n    ca_file /fluentd/config/ca.pem\n  </store>\n</match>","ca.pem":"-----BEGIN CERTIFICATE-----\n <XXXXXXXXX>\n-----END CERTIFICATE-----\n"}}'


LogDNA
In LogDNA:
  1. Open the Install Instructions menu, by clicking the question mark icon at the lower left section of the screen.
  2. Under Via Platform, select Fluentd.
  3. Under the If you use Fluentd section, copy the configuration snippet. It should look something like this:
        <match your_match>
          @type logdna
          api_key <API KEY>
          ingester_domain <YOUR HOST>
          hostname "#{Socket.gethostname}"    # your hostname (required)
          app my_app                          # replace with your app name
          #mac C0:FF:EE:C0:FF:EE              # optional Mac address
          #ip 127.0.0.1                       # optional IP address
        </match>

    Note: Some versions of LogDNA show ingestion_host instead of ingester_domain. Check that the configuration has the correct key and change it if it doesn't.
  4. Replace the opening and closing <match> tags with <store> tags, so that the <store> configuration snippet looks something like this (we recommend adding the last two lines for performance).
        <store>
          @type logdna
          api_key (logdna api key)
          ingester_domain (logdna ingester domain address)
          hostname (hostname to send to logdna)
          app (app name to send to logdna)
          # mac C0:FF:EE:C0:FF:EE                     # optional mac address
          # ip 127.0.0.1                              # optional IP address
          buffer_chunk_limit 1m
          flush_at_shutdown true
        </store>
In OpenShift hosting Cloud Pak for Data:
  1. Make a backup of the current zen-audit-config configmap.
  2. Edit the zen-audit-config configmap, either in the OpenShift UI or from a terminal window.
  3. The IBM Cloud Pak for Data auditing service uses Fluentd to manage audit logging. This configmap defines log export settings for the instance of IBM Cloud Pak for Data. By default, example configurations are commented out, and stdout is the only output enabled.
  4. Add the edited <store> configuration snippet to the configmap inside the <match export export.** records records.** syslog syslog.**> tags, and underneath the line that reads @type copy. Remember to ensure it is correctly indented, and the configuration details replace the placeholders in angled brackets (<>).  Optionally, change hostname to something static and configure app, mac, and ip as desired.
    apiVersion: v1
    metadata:
      name: zen-audit-config
    data:
      ca.pem: |
        -----BEGIN CERTIFICATE-----
         <XXXXXXXXX>
        -----END CERTIFICATE-----
      fluent.conf: |-
        <match export export.** records records.** syslog syslog.**> 
          @type copy
          <store>
            @type logdna
            api_key <LOGDNA-API-KEY>
            ingester_domain <LOGDNA-INGESTER-DOMAIN-ADDRESS>
            hostname <CPD-HOSTNAME>
            app <CPD-ZEN-AUDIT>
            # mac C0:FF:EE:C0:FF:EE    # optional mac address
            # ip 127.0.0.1             # optional IP address
            buffer_chunk_limit 1m
            flush_at_shutdown true
            tls true
            ca_file /fluentd/config/ca.pem
          </store>
        </match>
  5. Save the changes to the zen-audit-config configmap.
  6. Delete all zen-audit pods to force a restart to pick up changes. To avoid forced restart, implement a manual rolling update.
  7. When correctly configured, new events from IBM Cloud Pak for Data will begin appearing in the LogDNA instance.
Note: Alternatively, you can use the following command to update the zen-audit-config configmap:
oc patch configmap zen-audit-config -n <CPD-NAMESPACE> --type merge --patch '{"data":{"fluent.conf":"<match export export.** records records.** syslog syslog.**> \n  @type copy \n <store> \n  @type logdna\n    api_key <LOGDNA-API-KEY>\n    ingester_domain <LOGDNA-INGESTER-DOMAIN-ADDRESS>\n    app <CPD-NAME>\n    # mac C0:FF:EE:C0:FF:EE    # optional mac address\n    # ip 127.0.0.1             # optional IP address\n    buffer_chunk_limit 1m\n    flush_at_shutdown true\n    tls true\n    ca_file /fluentd/config/ca.pem\n </store>\n</match>","ca.pem":"-----BEGIN CERTIFICATE-----\n  <XXXXXXXXX>\n-----END CERTIFICATE-----\n"}}'


QRadar
In QRadar:
  1. Navigate to Admin.
  2. Click Log Sources.
  3. Click Add.
  4. Configure a Name and Description for the new log source.
  5. Under Type, select an ICP CADF Format if configured, or a generic log type.
  6. Change Protocol Configuration to Syslog, or TLS Syslog if TLS is enabled.
  7. Provide a unique Identifier, ensure it is enabled, provide an event collector, and optionally select an Extension.
  8. Click Save.
  9. Navigate back to the Admin menu.
  10. Click Deploy Changes.
In OpenShift hosting Cloud Pak for Data:
  1. Edit the zen-audit-config configmap, either in the OpenShift UI or from a terminal window.  Make a backup of the current configmap before you make changes.
  2. The IBM Cloud Pak for Data auditing service uses Fluentd to manage audit logging. This configmap defines log export settings for the instance of IBM Cloud Pak for Data. By default, example configurations are commented out, and stdout is the only output enabled.
  3. Add the following <store>  configuration section to the configmap inside the <match export export.** records records.** syslog syslog.**> tags, and underneath the line that reads @type copy. Remember to ensure it is correctly indented, and the configuration details replace the placeholders in angled brackets (<>).
    apiVersion: v1
    metadata:
      name: zen-audit-config
    data:
      ca.pem: |
        -----BEGIN CERTIFICATE-----
         <XXXXXXXXX>
        -----END CERTIFICATE-----
      fluent.conf: |-
        <match export export.** records records.** syslog syslog.**> 
          @type copy
          <store>
            @type remote_syslog
            host <QRADAR-HOST>
            port <QRADAR-PORT, DEFAULT IS 514>
            hostname <CPD-HOSTNAME>
            protocol tcp
            tls true
            ca_file /fluentd/config/ca.pem
            <format>
              @type json
            </format>
            <buffer>
              flush_thread_count 2
              flush_interval 10s
              chunk_limit_size 2M
              queue_limit_length 32
              retry_max_interval 30
              retry_forever true
            </buffer>
          </store>
        </match>
  4. Save the changes to the zen-audit-config configmap.
  5. Delete all zen-audit pods to force a restart to pick up changes. To avoid forced restart, implement a manual rolling update.
  6. When correctly configured, new events from IBM Cloud Pak for Data will begin appearing in the QRadar instance.
Note: Alternatively, you can use the following command to update the zen-audit-config configmap:
oc patch configmap zen-audit-config -n <CPD-NAMESPACE> --type merge --patch '{"data":{"fluent.conf":"<match export export.** records records.** syslog syslog.**> \n @type copy \n <store> \n    @type remote_syslog\n    host <QRADAR_HOST>\n    port <QRADAR-PORT, 514 BY DEFAULT>\n    hostname <CPD-HOSTNAME>\n    protocol tcp\n    tls true\n    ca_file /fluentd/config/ca.pem\n    <format>\n      @type json\n    </format>\n    <buffer>\n      flush_thread_count 2\n      flush_interval 10s\n      chunk_limit_size 2M\n      queue_limit_length 32\n      retry_max_interval 30\n      retry_forever true\n    </buffer>\n </store>\n</match>","ca.pem":"-----BEGIN CERTIFICATE-----\n <XXXXXXXXX>\n-----END CERTIFICATE-----\n"}}'

TLS Certificates

Security compliance typically requires TLS, therefore, TLS certificates are required to send events to external repositories or tools.  The following steps describe how to define and reference TLS Certificates within the SIEM <store> configuration section of the zen-audit-config Kubernetes configmap.
Including certificates in the zen-audit-config configmap:
  1. Edit the zen-audit-config configmap, either in the OpenShift UI or from a terminal window.
  2. Add an entry for each required certificate. See the following example.
     
    apiVersion: v1
    metadata:
      name: zen-audit-config
    data:
      ca.pem: |
        -----BEGIN CERTIFICATE-----
          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        -----END CERTIFICATE-----
      fluent.conf: |-
        <match export export.** records records.** syslog syslog.**> 
          @type copy
          <store>
            ...
            ca_file /fluentd/config/ca.pem
          </store> 
        </match>
    
     
  3. Save the changes to the zen-audit-config configmap.
  4. Delete all zen-audit pods to force a restart to pick up changes. To avoid forced restart, implement a manual rolling update.
  5. The entry under the ca.crt key will be mounted at /fluentd/config/ca.crt and can then be referenced in the configuration file.
Note: Unfortunately, there is no standard way to configure TLS across Fluentd plugins, each type of export plugin typically requires unique configuration. See the examples above.

Additional Information

IBM Cloud Pak for Data Platform Audit Events:
The following list describes IBM Cloud Pak for Data platform auditable events that are generated and forwarded via Audit Logging.  The complete list of auditable events that are supported will vary depending on the installed version of IBM Cloud Pak for Data and Services.
Login, Logout, Session, Authentication:
  • security.users.authenticate - success or failure when a user logs in
  • security.users.revoke- record when users log out
  • security.accounts.authenticate- success or failure of SAML2 token validation
  • security.authorization - failure in invoking any privileged action
User Management:
  • users.user.create - authorize user for access to the platform
  • users.user.delete - access for user is removed
  • users.user.update - any changes in user profile - including name, email address
  • users.role.add - grant a specific privilege to a user on the platform
  • users.role.remove - revoke a platform privilege from a user
Service Level:
  • services.service.create - C Service is installed and enabled
  • services.service.delete - a Service is uninstalled
  • services.service.update - a Service is updated
Service Instances:
  • service_instances.instance.create - a service instance is provisioned
  • service_instances.instance.delete - a service instance is unprovisioned
  • service_instances.instance.update - a service instance is changed
  • service_instances.read - the list of service instances is retrieved
  • service_instances.instance.read -  a query for the details of one service instance by ID
  • service_instances.user.add - grant user access, with a particular role, to a service instance
  • service_instances.user.delete - revoke user access from a service instance
  • service_instances.user.get - a query to list users with access to a service instance
  • service_instances.user.update - change a user’s access role for a service instance
Connections:
  • connections.create - add connection
  • connections.update – update connection
  • connections.delete – delete connection
  • connections.read – a query issued to retrieve all connections
  • connections.connection.read – a query issued to retrieve one connection’s details by ID
Deployments:
  • deployments.delete - delete service deployment
  • deployments.read – retrieve service deployment by ID
Sample IBM Cloud Pak for Data CADF Audit Records
Authentication - Failed
    {
        "action": "security.authenticate",
        "attachments": [
            {
                "content": {
                    "kubernetes": {
                        "contain_id": "crio-140f725c303ece65ed72a3325587dbc39241001c9bacaf28473fa2da5a66e39b.scope",
                        "contain_name": "ibm-nginx-container",
                        "namespace": "zen",
                        "pod": "ibm-nginx-6c4ff4d894-gnl6b"
                    }
                },
                "contentType": "http://schemas.ibm.com/cloud/content/1.0/cloudpak",
                "message": "security.authenticate \"No Credential\" failure",
                "name": "ibm-cp-data",
                "sourceCrn": "crn:v1:cp4d:private:k8:w/worker1.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:security"
            }
        ],
        "eventTime": "2020-03-24T00:30:31.541+0000",
        "eventType": "activity",
        "id": "icp:73cab988-6b46-4d7c-8e0f-4e81a87e99b9",
        "initiator": {
            "credential": {
                "identity_status": "Denied",
                "type": "unknown"
            },
            "host": {
                "address": "9.1.2.3"
            },
            "id": "unknown",
            "name": "unknown",
            "typeURI": "security/account/user"
        },
        "observer": {
            "id": "target"
        },
        "origination": "unknown",
        "outcome": "failure",
        "reason": {
            "reasonCode": 401,
            "type": "HTTP"
        },
        "requestData": {
            "path": "/zen/",
            "type": "GET"
        },
        "severity": "critical",
        "target": {
            "host": {
                "address": "10.1.2.3"
            },
            "id": "crn:v1:cp4d:private:k8:w/worker1.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:security",
            "name": "ibm-nginx-6c4ff4d894-gnl6b",
            "typeURI": "service/security/authentication"
        },
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event"
    }

Create User - Failed
   {
        "action": "users.user.create",
        "attachments": [
            {
                "content": {
                    "kubernetes": {
                        "container_id": "crio-084b607766871e41384e04512b958eb66fd7b93ca4a0c38a1261bc652382554f.scope",
                        "container_name": "usermgmt-container",
                        "namespace": "zen",
                        "node": "worker4.pptr-wrkr9-4.os.fyre.ibm.com",
                        "pod": "usermgmt-758d588874-4jltx"
                    },
                    "message": "users.user.create worker4.pptr-wrkr9-4.os.fyre.ibm.com failure",
                    "sourceCrn": "crn:v1:cp4d:private:k8:w/worker4.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:usermgmt"
                },
                "contentType": "http://schemas.ibm.com/cloud/content/1.0/cloudpak",
                "name": "ibm-cp-data"
            }
        ],
        "eventTime": "2020-03-24T01:40:37.984+0000",
        "eventType": "activity",
        "id": "icp:b8bfd642-b2df-4869-9bbf-c72f372fa6af",
        "initiator": {
            "credential": {
                "identity_status": "Denied",
                "type": "token"
            },
            "host": {
                "address": "usermgmt-svc:3443",
                "agent": "curl/7.29.0"
            },
            "id": "1000330999",
            "name": "admin",
            "typeURI": "security/account/user"
        },
        "observer": {
            "id": "target"
        },
        "origination": "api",
        "outcome": "failure",
        "reason": {
            "reasonCode": 400,
            "type": "http"
        },
        "requestData": {
            "path": "/v1/user",
            "type": "POST"
        },
        "responseData": {
            "error": {
                "_messageCode_": "createUser_fail",
                "_statusCode_": 400,
                "exception": "[object Object]",
                "message": "Adding user record failed"
            }
        },
        "severity": "critical",
        "target": {
            "host": {
                "address": "10.1.2.3"
            },
            "id": "crn:v1:cp4d:private:k8:w/worker4.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:usermgmt",
            "name": "usermgmt-758d588874-4jltx",
            "typeURI": "service/security/account/user"
        },
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event"
    }


Delete User - Success
   {
        "action": "users.user.delete",
        "attachments": [
            {
                "content": {
                    "kubernetes": {
                        "container_id": "crio-084b607766871e41384e04512b958eb66fd7b93ca4a0c38a1261bc652382554f.scope",
                        "container_name": "usermgmt-container",
                        "namespace": "zen",
                        "node": "worker4.pptr-wrkr9-4.os.fyre.ibm.com",
                        "pod": "usermgmt-758d588874-4jltx"
                    },
                    "message": "users.user.delete 1000331001 success",
                    "sourceCrn": "crn:v1:cp4d:private:k8:w/worker4.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:usermgmt"
                },
                "contentType": "http://schemas.ibm.com/cloud/content/1.0/cloudpak",
                "name": "ibm-cp-data"
            }
        ],
        "eventTime": "2020-03-24T00:29:29.079+0000",
        "eventType": "activity",
        "id": "icp:053e4159-8b68-43bd-935c-a3625db9b773",
        "initiator": {
            "credential": {
                "identity_status": "Confirmed",
                "type": "cookie"
            },
            "host": {
                "address": "9.1.2.3",
                "agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/78.0.3882.0 Safari/537.36"
            },
            "id": "1000330999",
            "name": "admin"
        },
        "observer": {
            "id": "target"
        },
        "origination": "ui",
        "outcome": "success",
        "reason": {
            "reasonCode": 200,
            "type": "http"
        },
        "requestData": {
            "path": "/api/v1/usermgmt/v1/user/user1",
            "type": "DELETE",
            "username": "user1"
        },
        "responseData": {
            "uid": "1000331001"
        },
        "severity": "critical",
        "target": {
            "host": {
                "address": "10.1.2.3"
            },
            "id": "crn:v1:cp4d:private:k8:w/worker4.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:usermgmt",
            "name": "usermgmt-758d588874-4jltx",
            "typeURI": "service/security/account/user"
        },
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event"
    }

Create Connection - Success
  {
        "action": "connections.create",
        "attachments": [
            {
                "content": {
                    "kubernetes": {
                        "container_id": "unknown",
                        "container_name": "zen-core-api-container",
                        "namespace": "zen",
                        "pod": "zen-core-api-86f4bbc668-lmn4t"
                    },
                    "message": "connections.create success",
                    "sourceCrn": "crn:v1:ocp:private:k8:w/worker0.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:zen-core-api",
                    "subject": {
                        "asUser": "user1"
                    }
                },
                "contentType": "http://schemas.ibm.com/cloud/content/1.0/cloudpak",
                "name": "ibm-cp-data"
            }
        ],
        "eventTime": "2020-03-24T05:55:14Z",
        "eventType": "activity",
        "id": "icp:415e49e6-addc-49a2-9d4c-174ea8499ab4",
        "initiator": {
            "credential": {
                "identity_status": "Confirmed",
                "type": "cookie"
            },
            "host": {
                "address": "9.1.2.3",
                "agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/78.0.3882.0 Safari/537.36",
                "name": "francis95294"
            },
            "id": "1000331005",
            "name": "francis95294",
            "typeURI": "security/account/user"
        },
        "observer": {
            "id": "target"
        },
        "origination": "ui",
        "outcome": "success",
        "reason": {
            "reasonCode": 200,
            "reasonType": "HTTP"
        },
        "requestData": {
            "path": "/v2/connections",
            "type": "POST"
        },
        "responseData": {
            "post_connection_status": "Success"
        },
        "severity": "warning",
        "target": {
            "host": {
                "address": "10.1.2.3"
            },
            "id": "crn:v1:ocp:private:k8:w/worker0.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:zen-core-api",
            "name": "zen-core-api-86f4bbc668-lmn4t",
            "typeURI": "network/connection"
        },
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event"
    }

Create Service Instance User - Success
   {
        "action": "service_instances.user.add",
        "attachments": [
            {
                "content": {
                    "kubernetes": {
                        "container_id": "unknown",
                        "container_name": "zen-core-api-container",
                        "namespace": "zen",
                        "pod": "zen-core-api-86f4bbc668-lmn4t"
                    },
                    "message": "service_instances.user.add 1585010153494 1000330999 success",
                    "sourceCrn": "crn:v1:ocp:private:k8:w/worker0.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:zen-core-api",
                    "subject": {
                        "asUser": "admin"
                    }
                },
                "contentType": "http://schemas.ibm.com/cloud/content/1.0/cloudpak",
                "name": "ibm-cp-data"
            }
        ],
        "eventTime": "2020-03-24T08:35:03Z",
        "eventType": "activity",
        "id": "icp:d9270412-1199-43c9-9221-cf631102d09c",
        "initiator": {
            "credential": {
                "identity_status": "Confirmed",
                "type": "cookie"
            },
            "host": {
                "address": "9.1.2.3",
                "agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/78.0.3882.0 Safari/537.36",
                "name": "admin"
            },
            "id": "1000330999",
            "name": "admin",
            "typeURI": "security/account/user"
        },
        "observer": {
            "id": "target"
        },
        "origination": "ui",
        "outcome": "success",
        "reason": {
            "reasonCode": 200,
            "reasonType": "HTTP"
        },
        "requestData": {
            "instance_id": "1585010153494",
            "path": "/v2/serviceInstance/currentUser",
            "type": "POST"
        },
        "responseData": {
            "user_id": "1000330999",
            "user_name": "admin"
        },
        "severity": "warning",
        "target": {
            "host": {
                "address": "10.1.2.3"
            },
            "id": "crn:v1:ocp:private:k8:w/worker0.pptr-wrkr9-4.os.fyre.ibm.com:n/zen::service:zen-core-api",
            "name": "zen-core-api-86f4bbc668-lmn4t",
            "typeURI": "service/security/instance/user"
        },
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event"
    }

Document Location

Worldwide

[{"Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSHGYS","label":"IBM Cloud Pak for Data"},"ARM Category":[{"code":"a8m50000000ClUzAAK","label":"Administration"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"3.0.1;3.5.0"}]

Document Information

Modified date:
17 February 2021

UID

ibm16201850