The audit Event endpoint allows retrieving the audit logs stored in ActivID Appliance. The Audit logs keep a record of any API event, including authentication, transactions, user creations, role assignments etc.
An Audit Event in SCIM follows the standard core class urn:ietf:params:scim:schemas:notify:2.0:Event.
A typical Event is:
{
"schemas":["urn:ietf:params:scim:schemas:notify:2.0:Event"],
"publisherUri":"https://scim.example.com",
"resourceUris":[
#maps to EntityIdentifier & targetUserID
#if not a user object (as a separate entry)
"https://scim.example.com/Users/123" ],
"type":"CREATE", #maps to EventIdentifier e.g."4TRESS.CREATE_USER"
"attributes":["alsi", "authenticationType", "channel", "correlationId",
"correlationType", "directUser", "eventId", "eventType",
"hostAddress", "message", "palsi", "parameters",
"response", "serialNumber", "status", "texts"],
"values":{
"alsi":"",
"authenticationType":"",
"channel":"",
"correlationId":"",
"correlationType":"",
"directUser":"<id>";
"eventId":"";
"eventType":"",
"hostAddress":"",
"message":"",
"palsi":"",
"parameters":"", #May have to encode as base64
"response":"",
"serialNumber":"",
"status":"",
"texts":""
}
}This is encoded in an unsigned/unencrypted JWT and POST to the endpoint:
{
"schemas":["urn:ietf:params:scim:schemas:notify:2.0:Feed"]
"eventToken":
"eyJhbGciOiJub25lIn0
.
eyJwdWJsaXNoZXJVcmkiOiJodHRwczovL3NjaW0uZXhhbXBsZS5jb20iLCJmZWV
kVXJpcyI6WyJodHRwczovL2podWIuZXhhbXBsZS5jb20vRmVlZHMvOThkNTI0Nj
FmYTViYmM4Nzk1OTNiNzc1NCIsImh0dHBzOi8vamh1Yi5leGFtcGxlLmNvbS9GZ
WVkcy81ZDc2MDQ1MTZiMWQwODY0MWQ3Njc2ZWU3Il0sInJlc291cmNlVXJpcyI6
WyJodHRwczovL3NjaW0uZXhhbXBsZS5jb20vVXNlcnMvNDRmNjE0MmRmOTZiZDZ
hYjYxZTc1MjFkOSJdLCJldmVudFR5cGVzIjpbIkNSRUFURSJdLCJhdHRyaWJ1dG
VzIjpbImlkIiwibmFtZSIsInVzZXJOYW1lIiwicGFzc3dvcmQiLCJlbWFpbHMiX
SwidmFsdWVzIjp7ImVtYWlscyI6W3sidHlwZSI6IndvcmsiLCJ2YWx1ZSI6Impk
b2VAZXhhbXBsZS5jb20ifV0sInBhc3N3b3JkIjoibm90NHUybm8iLCJ1c2VyTmF
tZSI6Impkb2UiLCJpZCI6IjQ0ZjYxNDJkZjk2YmQ2YWI2MWU3NTIxZDkiLCJuYW
1lIjp7ImdpdmVuTmFtZSI6IkpvaG4iLCJmYW1pbHlOYW1lIjoiRG9lIn19fQ
."
}HTTPS Methods
| HTTPS Method | Entity Action | Request URI | Description |
|---|---|---|---|
|
POST |
Create |
/scim/{tenant}/v2/Event/ |
Create new external audit event |
|
POST |
Search |
/scim/{tenant}/v2/Event/.search |
Search for audit event |
Required Permissions
| Function | Required Permissions |
|---|---|
|
CREATE |
|
|
SEARCH |
|
Create Event
[POST] /Event
Accept: application/scim+json
Sample Request
{
"schemas":["urn:ietf:params:scim:schemas:notify:2.0:Feed"]
"eventToken":
"eyJhbGciOiJub25lIn0
.
eyJwdWJsaXNoZXJVcmkiOiJodHRwczovL3NjaW0uZXhhbXBsZS5jb20iLCJmZWV
kVXJpcyI6WyJodHRwczovL2podWIuZXhhbXBsZS5jb20vRmVlZHMvOThkNTI0Nj
FmYTViYmM4Nzk1OTNiNzc1NCIsImh0dHBzOi8vamh1Yi5leGFtcGxlLmNvbS9GZ
WVkcy81ZDc2MDQ1MTZiMWQwODY0MWQ3Njc2ZWU3Il0sInJlc291cmNlVXJpcyI6
WyJodHRwczovL3NjaW0uZXhhbXBsZS5jb20vVXNlcnMvNDRmNjE0MmRmOTZiZDZ
hYjYxZTc1MjFkOSJdLCJldmVudFR5cGVzIjpbIkNSRUFURSJdLCJhdHRyaWJ1dG
VzIjpbImlkIiwibmFtZSIsInVzZXJOYW1lIiwicGFzc3dvcmQiLCJlbWFpbHMiX
SwidmFsdWVzIjp7ImVtYWlscyI6W3sidHlwZSI6IndvcmsiLCJ2YWx1ZSI6Impk
b2VAZXhhbXBsZS5jb20ifV0sInBhc3N3b3JkIjoibm90NHUybm8iLCJ1c2VyTmF
tZSI6Impkb2UiLCJpZCI6IjQ0ZjYxNDJkZjk2YmQ2YWI2MWU3NTIxZDkiLCJuYW
1lIjp7ImdpdmVuTmFtZSI6IkpvaG4iLCJmYW1pbHlOYW1lIjoiRG9lIn19fQ
."
}Sample response, if the event token is validated, the server WILL indicate successful submission by responding with:
HTTP/1.1 204 No ContentSearch Event
Supported search criteria are:
| SCIM Attribute | Operators supported | Description |
|---|---|---|
|
type |
eq, co, ew, sw |
Action name (for example, primaryAuthenticateDevice) |
|
meta.created |
lt,gt |
meta data |
|
directUserExtId |
eq |
Direct user's external Id used for this event (for example, spl-contractor) |
|
indirectUserExtId |
eq |
Indirect user's external Id used for this event (for example, spl-contractor) |
|
authenticationType |
eq |
Authentication policy (for example, AT_EMPPWD) |
|
resourceUris |
eq |
Only works for users |
|
eventId |
eq |
Action name (for example, indirectPrimaryAuthenticateUP) |
|
correlationId |
eq |
Correlation ID for the event |
|
status |
eq |
Can be RESPONSE_SUCCESS or RESPONSE_FAILURE |
|
verify |
eq true |
Used to verify the audit. |
Add "verify eq true" in filter to activate the verification. For example:
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:SearchRequest"],
"filter": "type eq indirectP* and meta.created gt 2018-05-21T12:00:00Z and verify eq true",
"count": 3
}If tainted is set as true in the response, one of the records (= one event) is unsafe. For example:
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:EventList"],
"eventTokens": [
"eyJhbGciOiJub25lIn0.eyJzY2hl (......) lNFX1NVQ0NFU1MifX0.",
"eyJhbGciOiJub25lIn0.eyJzY2hl (......) In19.",
"eyJhbGciOiJub25lIn0.eyJzY2hl (......) TIn19."
],
"tainted": true
}-
The only logical operator supported is 'and'.
-
Supported output:
-
count
-
-
Not supported:
-
startIndex
-
sortBy
-
sortOrder
-
attributes
-
excludedAttributes
-
Sample Request
{
schemas: ["urn:ietf:params:scim:api:messages:2.0:SearchRequest"],
filter: "resourceUris eq https://scim.example.com/Users/123",
count: 100
}Sample Response
HTTP/1.1 200 OK
Content-Type: application/json+scim,
{
"schemas":["urn:ietf:params:scim:api:messages:2.0:EventList"],
"eventTokens":[ #unencrypted/unsigned JWTs
"eyJhbGciOiJub25lIn0
.
eyJwdWJsaXNoZXJVcmkiOiJodHRwczovL3NjaW0uZXhhbXBsZS5jb20iLCJmZWV
kVXJpcyI6WyJodHRwczovL2podWIuZXhhbXBsZS5jb20vRmVlZHMvOThkNTI0Nj
FmYTViYmM4Nzk1OTNiNzc1NCIsImh0dHBzOi8vamh1Yi5leGFtcGxlLmNvbS9GZ
WVkcy81ZDc2MDQ1MTZiMWQwODY0MWQ3Njc2ZWU3Il0sInJlc291cmNlVXJpcyI6
WyJodHRwczovL3NjaW0uZXhhbXBsZS5jb20vVXNlcnMvNDRmNjE0MmRmOTZiZDZ
hYjYxZTc1MjFkOSJdLCJldmVudFR5cGVzIjpbIkNSRUFURSJdLCJhdHRyaWJ1dG
VzIjpbImlkIiwibmFtZSIsInVzZXJOYW1lIiwicGFzc3dvcmQiLCJlbWFpbHMiX
SwidmFsdWVzIjp7ImVtYWlscyI6W3sidHlwZSI6IndvcmsiLCJ2YWx1ZSI6Impk
b2VAZXhhbXBsZS5jb20ifV0sInBhc3N3b3JkIjoibm90NHUybm8iLCJ1c2VyTmF
tZSI6Impkb2UiLCJpZCI6IjQ0ZjYxNDJkZjk2YmQ2YWI2MWU3NTIxZDkiLCJuYW
1lIjp7ImdpdmVuTmFtZSI6IkpvaG4iLCJmYW1pbHlOYW1lIjoiRG9lIn19fQ
."]
}
