Audit Event REST API

The audit Event endpoint allows retrieving the audit logs stored in ActivID Appliance. The Audit logs keep a record of any API event, including authentication, transactions, user creations, role assignments etc.

A typical Event is:

Copy
{
     "schemas":["urn:ietf:params:scim:schemas:notify:2.0:Event"],
     "publisherUri":"https://scim.example.com",
     "resourceUris":[
        #maps to EntityIdentifier & targetUserID
        #if not a user object (as a separate entry)
        "https://scim.example.com/Users/123"
        ],
    "type":"CREATE",  #maps to EventIdentifier e.g."4TRESS.CREATE_USER"
    "attributes":["alsi", "authenticationType", "channel", "correlationId",
                   "correlationType", "directUser", "eventId", "eventType",
                   "hostAddress", "message", "palsi", "parameters", 
                   "response", "serialNumber", "status", "texts"],
    "values":{
        "alsi":"",
        "authenticationType":"",
        "channel":"",
        "correlationId":"",
        "correlationType":"",
        "directUser":"<id>";
        "eventId":"";
        "eventType":"",
        "hostAddress":"",
        "message":"",
        "palsi":"",
        "parameters":"", #May have to encode as base64
        "response":"",
        "serialNumber":"",
        "status":"",
        "texts":""
        }
}

This is encoded in an unsigned/unencrypted JWT and POST to the endpoint:

Copy
{
    "schemas":["urn:ietf:params:scim:schemas:notify:2.0:Feed"]
    "eventToken":
        "eyJhbGciOiJub25lIn0.eyJwdWJsaXNoZXJVcmkiOiJodHRwczovL3NjaW0uZXhhbXBsZS5jb20iLCJmZWVkVXJpcyI6WyJodHRwczovL2podWIuZXhhbXBsZS5jb20vRmVlZHMvOThkNTI0NjFmYTViYmM4Nzk1OTNiNzc1NCIsImh0dHBzOi8vamh1Yi5leGFtcGxlLmNvbS9GZWVkcy81ZDc2MDQ1MTZiMWQwODY0MWQ3Njc2ZWU3Il0sInJlc291cmNlVXJpcyI6WyJodHRwczovL3NjaW0uZXhhbXBsZS5jb20vVXNlcnMvNDRmNjE0MmRmOTZiZDZhYjYxZTc1MjFkOSJdLCJldmVudFR5cGVzIjpbIkNSRUFURSJdLCJhdHRyaWJ1dGVzIjpbImlkIiwibmFtZSIsInVzZXJOYW1lIiwicGFzc3dvcmQiLCJlbWFpbHMiXSwidmFsdWVzIjp7ImVtYWlscyI6W3sidHlwZSI6IndvcmsiLCJ2YWx1ZSI6Impkb2VAZXhhbXBsZS5jb20ifV0sInBhc3N3b3JkIjoibm90NHUybm8iLCJ1c2VyTmFtZSI6Impkb2UiLCJpZCI6IjQ0ZjYxNDJkZjk2YmQ2YWI2MWU3NTIxZDkiLCJuYW1lIjp7ImdpdmVuTmFtZSI6IkpvaG4iLCJmYW1pbHlOYW1lIjoiRG9lIn19fQ."
}
Note: The API version supported by ActivID Appliance 8.5 is 3.0.

To use the version-specific parameters/attributes, you must add api-version=N to the query parameter.

Previous versions of the API are also supported with the corresponding functionality.

HTTPS Methods

HTTPS Method Entity Action Request URI Description

POST

Create

/scim/{tenant}/v2/Event/

Create new external audit event

POST

Search

/scim/{tenant}/v2/Event/.search

Search for audit event

Required Permissions

Function Required Permissions

CREATE

  • Create external audit

SEARCH

  • Read user details

  • Read audit log

Create Event

[POST] /Event

Accept: application/scim+json

Copy

Sample Request URI

[POST] /scim/{tenant}/v2/Event
Copy

Sample Request

{
    "schemas":["urn:ietf:params:scim:schemas:notify:2.0:Feed"]
    "eventToken":
        "eyJhbGciOiJub25lIn0.eyJwdWJsaXNoZXJVcmkiOiJodHRwczovL3NjaW0uZXhhbXBsZS5jb20iLCJmZWVkVXJpcyI6WyJodHRwczovL2podWIuZXhhbXBsZS5jb20vRmVlZHMvOThkNTI0NjFmYTViYmM4Nzk1OTNiNzc1NCIsImh0dHBzOi8vamh1Yi5leGFtcGxlLmNvbS9GZWVkcy81ZDc2MDQ1MTZiMWQwODY0MWQ3Njc2ZWU3Il0sInJlc291cmNlVXJpcyI6WyJodHRwczovL3NjaW0uZXhhbXBsZS5jb20vVXNlcnMvNDRmNjE0MmRmOTZiZDZhYjYxZTc1MjFkOSJdLCJldmVudFR5cGVzIjpbIkNSRUFURSJdLCJhdHRyaWJ1dGVzIjpbImlkIiwibmFtZSIsInVzZXJOYW1lIiwicGFzc3dvcmQiLCJlbWFpbHMiXSwidmFsdWVzIjp7ImVtYWlscyI6W3sidHlwZSI6IndvcmsiLCJ2YWx1ZSI6Impkb2VAZXhhbXBsZS5jb20ifV0sInBhc3N3b3JkIjoibm90NHUybm8iLCJ1c2VyTmFtZSI6Impkb2UiLCJpZCI6IjQ0ZjYxNDJkZjk2YmQ2YWI2MWU3NTIxZDkiLCJuYW1lIjp7ImdpdmVuTmFtZSI6IkpvaG4iLCJmYW1pbHlOYW1lIjoiRG9lIn19fQ."
}
Copy

Sample response, if the event token is validated, the server WILL indicate successful submission by responding with:

HTTP/1.1 204 No Content

Search Event

Supported search criteria are:

SCIM Attribute Operators supported Description

type

eq, co, ew, sw

Action name (for example, primaryAuthenticateDevice)

meta.created

lt,gt

meta data

directUserExtId

eq

Direct user's external Id used for this event (for example, spl-contractor)

indirectUserExtId

eq

Indirect user's external Id used for this event (for example, spl-contractor)

authenticationType

eq

Authentication policy (for example, AT_EMPPWD)

resourceUris

eq

Only works for users

eventId

eq

Action name (for example, indirectPrimaryAuthenticateUP)

correlationId

eq

Correlation ID for the event

status

eq

Can be RESPONSE_SUCCESS or RESPONSE_FAILURE

verify

eq true

Used to verify the audit.

Add "verify eq true" in filter to activate the verification. For example:

Copy
{ 
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:SearchRequest"], 
    "filter": "type eq indirectP* and meta.created gt 2018-05-21T12:00:00Z and verify eq true",
    "count": 3
}

If tainted is set as true in the response, one of the records (= one event) is unsafe. For example:

Copy
{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:EventList"],
    "eventTokens": [
        "eyJhbGciOiJub25lIn0.eyJzY2hl (......) lNFX1NVQ0NFU1MifX0.",
        "eyJhbGciOiJub25lIn0.eyJzY2hl (......) In19.",
        "eyJhbGciOiJub25lIn0.eyJzY2hl (......) TIn19."
    ],
    "tainted": true
}
  • The only logical operator supported is 'and'.

  • Supported output:

    • count

  • Not supported:

    • startIndex

    • sortBy

    • sortOrder

    • attributes

    • excludedAttributes

Copy

Sample Request URI

[POST] /scim/{tenant}/v2/Event/.search
Copy

Sample Request

{    
    schemas: ["urn:ietf:params:scim:api:messages:2.0:SearchRequest"],
    filter: "resourceUris eq https://scim.example.com/Users/123",
    count: 100
}
Copy

Sample Response

HTTP/1.1 200 OK
Content-Type: application/json+scim, 
 
{
    "schemas":["urn:ietf:params:scim:api:messages:2.0:EventList"],
    "eventTokens":[ #unencrypted/unsigned JWTs
        "eyJhbGciOiJub25lIn0.eyJwdWJsaXNoZXJVcmkiOiJodHRwczovL3NjaW0uZXhhbXBsZS5jb20iLCJmZWVkVXJpcyI6WyJodHRwczovL2podWIuZXhhbXBsZS5jb20vRmVlZHMvOThkNTI0NjFmYTViYmM4Nzk1OTNiNzc1NCIsImh0dHBzOi8vamh1Yi5leGFtcGxlLmNvbS9GZWVkcy81ZDc2MDQ1MTZiMWQwODY0MWQ3Njc2ZWU3Il0sInJlc291cmNlVXJpcyI6WyJodHRwczovL3NjaW0uZXhhbXBsZS5jb20vVXNlcnMvNDRmNjE0MmRmOTZiZDZhYjYxZTc1MjFkOSJdLCJldmVudFR5cGVzIjpbIkNSRUFURSJdLCJhdHRyaWJ1dGVzIjpbImlkIiwibmFtZSIsInVzZXJOYW1lIiwicGFzc3dvcmQiLCJlbWFpbHMiXSwidmFsdWVzIjp7ImVtYWlscyI6W3sidHlwZSI6IndvcmsiLCJ2YWx1ZSI6Impkb2VAZXhhbXBsZS5jb20ifV0sInBhc3N3b3JkIjoibm90NHUybm8iLCJ1c2VyTmFtZSI6Impkb2UiLCJpZCI6IjQ0ZjYxNDJkZjk2YmQ2YWI2MWU3NTIxZDkiLCJuYW1lIjp7ImdpdmVuTmFtZSI6IkpvaG4iLCJmYW1pbHlOYW1lIjoiRG9lIn19fQ.]"
}