Audit Event REST API
The audit Event endpoint retrieves the audit logs stored in the ActivID Appliance. The audit log records every API event: authentications, transactions, user creations, role assignments, and so on.
A typical Event is:
{
"schemas":["urn:ietf:params:scim:schemas:notify:2.0:Event"],
"publisherUri":"https://scim.example.com",
"resourceUris":[
#maps to EntityIdentifier & targetUserID
#if not a user object (as a separate entry)
"https://scim.example.com/Users/123"
],
"type":"CREATE", #maps to EventIdentifier e.g."4TRESS.CREATE_USER"
"attributes":["alsi", "authenticationType", "channel", "correlationId",
"correlationType", "directUser", "eventId", "eventType",
"hostAddress", "message", "palsi", "parameters",
"response", "serialNumber", "status", "texts"],
"values":{
"alsi":"",
"authenticationType":"",
"channel":"",
"correlationId":"",
"correlationType":"",
"directUser":"<id>",
"eventId":"",
"eventType":"",
"hostAddress":"",
"message":"",
"palsi":"",
"parameters":"", #May have to encode as base64
"response":"",
"serialNumber":"",
"status":"",
"texts":""
}
}
Each Event is encoded as an unsigned, unencrypted JWT (header {"alg":"none"}, which base64url-encodes to eyJhbGciOiJub25lIn0, followed by the payload and an empty signature segment, hence the trailing dot) and POSTed to the endpoint wrapped in a Feed:
{
"schemas":["urn:ietf:params:scim:schemas:notify:2.0:Feed"],
"eventToken":
"eyJhbGciOiJub25lIn0.(......)."
}
Because the token is unsigned, the eventToken itself carries no integrity protection; the integrity of stored events is checked with the verify search criterion described under Search Event.
To use version-specific parameters and attributes, add api-version=N as a query parameter.
Previous versions of the API remain supported with their corresponding functionality.
HTTPS Methods
HTTPS Method | Entity Action | Request URI | Description |
---|---|---|---|
POST | Create | /scim/{tenant}/v2/Event/ | Create a new external audit event |
POST | Search | /scim/{tenant}/v2/Event/.search | Search for audit events |
Required Permissions
Function | Required Permissions |
---|---|
CREATE | |
SEARCH | |
Create Event
[POST] /Event
Accept: application/scim+json
Sample Request
{
"schemas":["urn:ietf:params:scim:schemas:notify:2.0:Feed"],
"eventToken":
"eyJhbGciOiJub25lIn0.(......)."
}
Sample response. If the event token is validated, the server indicates successful submission by responding with:
HTTP/1.1 204 No Content
Search Event
Supported search criteria are:
SCIM Attribute | Operators supported | Description |
---|---|---|
type | eq, co, ew, sw | Action name (for example, primaryAuthenticateDevice) |
meta.created | lt, gt | Creation timestamp of the event record |
directUserExtId | eq | Direct user's external ID used for this event (for example, spl-contractor) |
indirectUserExtId | eq | Indirect user's external ID used for this event (for example, spl-contractor) |
authenticationType | eq | Authentication policy (for example, AT_EMPPWD) |
resourceUris | eq | Only works for users |
eventId | eq | Action name (for example, indirectPrimaryAuthenticateUP) |
correlationId | eq | Correlation ID for the event |
status | eq | Can be RESPONSE_SUCCESS or RESPONSE_FAILURE |
verify | eq true | Used to verify the integrity of the returned audit events |
Add verify eq true to the filter to activate verification. For example:
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:SearchRequest"],
"filter": "type eq indirectP* and meta.created gt 2018-05-21T12:00:00Z and verify eq true",
"count": 3
}
If the response contains "tainted": true, at least one of the returned records (one record = one event) failed verification and must not be trusted; the response does not identify which one. For example:
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:EventList"],
"eventTokens": [
"eyJhbGciOiJub25lIn0.eyJzY2hl (......) lNFX1NVQ0NFU1MifX0.",
"eyJhbGciOiJub25lIn0.eyJzY2hl (......) In19.",
"eyJhbGciOiJub25lIn0.eyJzY2hl (......) TIn19."
],
"tainted": true
}
- The only logical operator supported is 'and'.
- Supported output:
  - count
- Not supported:
  - startIndex
  - sortBy
  - sortOrder
  - attributes
  - excludedAttributes
Sample Request
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:SearchRequest"],
"filter": "resourceUris eq https://scim.example.com/Users/123",
"count": 100
}
Sample Response
HTTP/1.1 200 OK
Content-Type: application/scim+json
{
"schemas":["urn:ietf:params:scim:api:messages:2.0:EventList"],
"eventTokens":[ #unencrypted/unsigned JWTs
"eyJhbGciOiJub25lIn0.(......)."
]
}
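The following Python example is added here and is not ActivID code. It walks through both operations documented on this page: building an Event with the attribute list shown above, wrapping it in an alg none JWT inside a Feed body for Create Event, composing a SearchRequest filter that uses only and plus verify eq true, and decoding an EventList response while honouring the tainted flag. The function names, the publisher URI, the user id 123 and the sample field values are constructed for the example; nothing here contacts an appliance.

```python
import base64
import json

# Schema URIs exactly as they appear on this page.
EVENT_SCHEMA = "urn:ietf:params:scim:schemas:notify:2.0:Event"
FEED_SCHEMA = "urn:ietf:params:scim:schemas:notify:2.0:Feed"
SEARCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:SearchRequest"
EVENT_LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:EventList"

# Attribute list taken from the Event sample on this page.
EVENT_ATTRIBUTES = ["alsi", "authenticationType", "channel", "correlationId",
                    "correlationType", "directUser", "eventId", "eventType",
                    "hostAddress", "message", "palsi", "parameters",
                    "response", "serialNumber", "status", "texts"]


def b64url_encode(data: bytes) -> str:
    """JWT-style base64url: URL-safe alphabet with the '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the JWT form omits."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_event(publisher_uri: str, resource_uris: list, event_type: str,
                values: dict) -> dict:
    """Assemble an Event claim set; attributes not supplied become empty strings."""
    unknown = set(values) - set(EVENT_ATTRIBUTES)
    if unknown:
        raise ValueError(f"unknown event attributes: {sorted(unknown)}")
    return {
        "schemas": [EVENT_SCHEMA],
        "publisherUri": publisher_uri,
        "resourceUris": list(resource_uris),
        "type": event_type,
        "attributes": EVENT_ATTRIBUTES,
        "values": {name: values.get(name, "") for name in EVENT_ATTRIBUTES},
    }


def encode_unsigned_jwt(claims: dict) -> str:
    """Serialise claims as an alg none JWT: header.payload. with an empty signature."""
    header = b64url_encode(json.dumps({"alg": "none"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def decode_unsigned_jwt(token: str) -> dict:
    """Parse an eventToken, accepting only the alg none / empty-signature shape.

    A token with a signature segment or any other alg is rejected instead of
    being decoded, so the caller never mistakes an arbitrary JWT for an
    appliance event token.
    """
    parts = token.split(".")
    if len(parts) != 3 or parts[2] != "":
        raise ValueError("expected header.payload. with an empty signature segment")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "none":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    return json.loads(b64url_decode(parts[1]))


def make_feed(event: dict) -> dict:
    """Request body for POST /scim/{tenant}/v2/Event/."""
    return {"schemas": [FEED_SCHEMA], "eventToken": encode_unsigned_jwt(event)}


def make_search(criteria: list, count: int, verify: bool = True) -> dict:
    """Request body for POST /scim/{tenant}/v2/Event/.search.

    criteria is a list of (attribute, operator, value) triples. The page lists
    'and' as the only logical operator, so that is the only one emitted.
    """
    terms = [f"{attr} {op} {value}" for attr, op, value in criteria]
    if verify:
        terms.append("verify eq true")  # ask the appliance to check integrity
    return {"schemas": [SEARCH_SCHEMA], "filter": " and ".join(terms), "count": count}


def parse_event_list(response: dict) -> tuple:
    """Decode an EventList response into (events, tainted).

    tainted=True means at least one returned record failed verification; the
    response does not say which, so treat the whole batch as suspect.
    """
    if response.get("schemas") != [EVENT_LIST_SCHEMA]:
        raise ValueError("not an EventList response")
    events = [decode_unsigned_jwt(tok) for tok in response.get("eventTokens", [])]
    return events, bool(response.get("tainted", False))


if __name__ == "__main__":
    # Constructed sample event and a constructed EventList with tainted raised.
    event = build_event("https://scim.example.com",
                        ["https://scim.example.com/Users/123"], "CREATE",
                        {"directUser": "123", "eventType": "4TRESS.CREATE_USER",
                         "status": "RESPONSE_SUCCESS"})
    print(json.dumps(make_feed(event), indent=1))
    print(json.dumps(make_search([("type", "eq", "indirectP*"),
                                  ("meta.created", "gt", "2018-05-21T12:00:00Z")], 3)))
    resp = {"schemas": [EVENT_LIST_SCHEMA],
            "eventTokens": [make_feed(event)["eventToken"]], "tainted": True}
    events, tainted = parse_event_list(resp)
    print(len(events), "event(s) decoded; tainted =", tainted)
```

The decoder deliberately refuses anything that is not the header.payload. shape with alg none: since the appliance issues only unsigned tokens, a signed-looking token is not more trustworthy, and accepting other algorithms would only invite alg confusion in client code. The one integrity signal the API offers is the tainted flag returned when verify eq true is in the filter, which is why parse_event_list surfaces it alongside the decoded events instead of discarding it.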