Audit Events

API call (method name is same eventid)

AER="ASSET02" ASA="AS_1105"Action=addAssetToAssetSet

API call: associates a credential to a device.

DID="11178" CID="11179"Action=addCredentialToDevice

Server internal: generated by importdevices for each added device. Correlation ID matches the imports device correlation ID.

API call

ROC="R_1153" AGC="null" FPI="0" ATC="null" FSC="FS_SSPAADM"Action=addRoleAssetGroupFunctionSetPrivilege

API call

ROC="RL_HELPDESKTOP" FPI="0" ATC="OP_ATCODE" GRC="USG_SYS" FSC="FS_HELPDSK"Action=addRoleFunctionSetPrivilege

API call

ROC="RL_USERADM"Action=addRoleToUser

API call

PID="0" ATC="AT_SYSLOG" GRC="UG_TEST" FUC="D_USERATT"Action=addUserFunctionPrivilege

API call

GRC="REQAG003" FPI="0" ATC="OP_ATCODE" GRC="null" FSC="FS_ADFSA" GRC="REQAG003"Action=addUserSubGroupFunctionSetPrivileges

API call: assignDevicetoUser with failure

DID="11256"Action=assignDeviceToUser

API call: assignDevicetoUser with success

DID="11274"Action=assignDeviceToUser

API call: user changes its own password

ATC="OP_ATCODE" ANS="false" ARP="" USN="null"Action=changeOwnExpiredPassword

DID="11145" DTC="DT_MIN_OTP" ISN="null" DSD="04/06/2015" EXD="03/06/2017"Action=changeSoftPinDevice

API call: direct user changes the expired password for a specified user

ATC="OP_ATCODE" ANS="true" ARP="" USN="ftadmin"Action=changeUserExpiredPassword

API call: direct user changes the password for a specified user

ATC="AT_EMPEPWD"Action=changeUserPassword

API call: used by setup to define authentication process adapter parameters

Action=createAdapterConfiguration

API call

AER="UG_1102_HW_DT" ASB="UG_1102_HW_DT" AGC="GroupConfig"Action=createAsset

API call

AGC="AG_1145" AGN="Copy of AG_ADD"Action=createAssetGroup

API call

ASA="AS_1105" ASN="testassetset" AGC="AG_ASSETTYPE1"Action=createAssetSet

API call

Action=createAttributeType

API call

Action=createAuthenticationType

API call

ATC="AT_EMPOTP" AUS="ENABLED" AVF="04/06/2015" AVT="04/06/2022"Action=createAuthenticator

API call: assign a delivery gateway to authentication policy. For example, in the ActivID Management Console authentication policy definition screens.

Action=createBindingOfEntityToAdapters

API call: channel definition

Action=createChannel

API call: creation of new credential.

CTC="CT_CRTCHK1" CCO="INDIRECT_PKICERT" ATA="X509CERT" ATV="MIIB8TCCAVoCCQDOHCW5SCFFnzANBgkqhkiG9w0BAQUFADBmMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMR8wHQYDVQQDExZ3d3cuY2Fycy5leGFtcGxlLmNvLnVrMB4XDTExMDcxMzEyNDYxMFoXDTIxMDcxMDEyNDYxMFowFDESMBAGA1UEAxMJc2ViYXN0aWVuMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4+gDvQFSsf7LSrsW7KQKJk26daAkwvqNGHAbIbrJcgMkdgYFRwNhyw5Uh8AUNvNUn4VJ7JN/syms4nzNMnns0tlxwDYmdTZ1AYgR1q6El5aMJJgdsxwmcPHQp5a5C+40pUbea8k7jhAmhxZjZVrULGp6rbGJW1ZsgPJikxCag3QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBALjEWZpoHm4MFR+dEDeaSokX1rfRg1cKGrH5HEIRj9wQ1sjypFh/zOZm32VhmXpy0Mob3mPXylqVXecxvZTho7SU/YZCqk9ZMU07M+arr9qB5gOhyBdLMwPA0s74pIZ93uEKDdTgAxWFVJw/3cOEmLJSCFMcnpg7A6XBWtH5x/qX" DSD="13/07/2011" EXD="10/07/2021"Action=createCredential

API call: definition of a new credential type. For example, in the ActivID Management Console credential type definition screens.

Action=createCredentialType

Action=createDatasource

API call: Definition of new user repository. For example, used by the ActivID Management Console on user repositories definition screen.

DTC="DT_TDS"Action=createDeviceIssuanceRequest

API call: Definition of a new device type. For example, ActivID Management Console on configuration device type definition screens.

Action=createDeviceType

API call: definition of new permission set.

FSC="FS_USRREAD" FSN="myPermSet02" FUC="R_AS" FUC="R_AUDIT" FUC="R_CR" FUC="R_DEVICE" FUC="I_REF_DATA" FUC="R_ROLE" FUC="R_TRANS_USERS" FUC="R_TA_U_BY_GRP" FUC="R_USER_ASSET" FUC="R_USER_DETAILS" FUC="R_UG_AS_TS_PRV" FUC="R_UG_AG_FS_PRV" FUC="R_UG_TS_PRIVS" FUC="R_UG_FS_PRIVS"Action=createFunctionSet

API call: creation of security questions authenticator for a user.

ATC="AT_EMPQA" AUS="ENABLED" AVF="04/06/2012" AVT="04/06/2022" AVF="04/06/2015" AVT="02/06/2020" MDP="PR_1ST_JOB" MDP="PR_MEMWRD" MDP="PR_PLACE" MDP="PR_PHONE" MDP="PR_NICK" MDP="PR_E_SCHL" MDP="PR_TOWN" MDP="PR_CAR_CLR" MDP="PR_MEET" MDP="PR_BR_BDAY"Action=createMDAuthenticator

API call: definition of new security question.

Action=createMemorableDataPrompt

API call: definition of new authorization profile

Action=createProfile

API call: definition of new RADIUS server

Action=createRadiusServer

API call: definition of new role

ROC="R_1103" RON="TEST_ROLE"Action=createRole

EXP="null" LEN="null" VAF="null" TRA="wyJUexvN"Action=createSessionTransferCode

API call :definition of new external permission

Action=createTransaction

API call :definition of new external permission set

TSC="REQPERM003" TSN="REQPERM003_Name" TSN="REQPERM003_Name"Action=createTransactionSet

API call :creation of login authenticator for a user

ATC="OP_ATCODE" AUS="ENABLED" AVF="04/06/2015" AVT="02/06/2020" USN="ou1user1"Action=createUPAuthenticator

API call :add new user

GRC="FTINIT" STD="null"Action=createUser

API call :add new user group

GRN="TESTUT001_Name" GRC="TESTUT001" PGC="null" ATC="AT_EMPQA" ATC="AT_EMPEPWD" ATC="AT_EMPOTP" ATC="AT_EMPSMS" ATC="AT_EMPPKI" ATC="AT_EMPPWD" ATC="AT_LDAP" ATC="AT_MCOTP" ATC="AT_MCPKI" ATC="AT_MCQA" ATC="OP_ATCODE"Action=createUserGroup

GRN="Test_Group" GRC="UG_1102" PGC="USG_CUST2"Action=createUserSubGroup

Action=deleteAdapterConfiguration

AER="UG_1102_HW_AT"Action=deleteAsset

AGC="AG_1145" AGN="Copy of AG_ADD"Action=deleteAssetGroup

ASA="AS_1146" ASN="AS_NEW"Action=deleteAssetSet

Action=deleteAttributeType

ATC="AT_DEVICE"Action=deleteAuthenticationTypes

ATC="AT_LDAP"Action=deleteAuthenticators

CHC="CH_1140"Action=deleteChannel

CID="11179"Action=deleteCredential

CTC="CT_TEST"Action=deleteCredentialType

Action=deleteDatasource

Action=deleteDeviceIssuanceRequests

DTC="DT_TEST"Action=deleteDeviceType

DID="11240"Action=deleteDevices

FSC="FS_USRREAD" FSC="FS_USRREAD" FSN="myPermSet02"Action=deleteFunctionSet

Action=deleteMemorableDataPrompt

Action=deleteProfile

Action=deleteRadiusServer

ROC="RL_HELPDESKTOP"Action=deleteRole

TRC="T_TEST"Action=deleteTransaction

TSC="REQPERM003" TSN="REQPERM003_Name"Action=deleteTransactionSet

Action=deleteUser

GRC="TESTUT001" GRN="TESTUT001_Name" PGC="null"Action=deleteUserGroup

GRC="UG_1102" GRN="Test_Group" PGC="USG_CUST1"Action=deleteUserSubGroup

Action=deleteUsers

API call: imports a set of devices using an import file. For example used by MC on help desk import device screen. An event "addDevice" is generated internally for each device and correlationID is used to link devices on same batch.

Action=importDevices

API call: synchronization of a device

DID="11240" DTC="DT_MIN_OT" ISN="null" DSD="04/06/2015" EXD="03/06/2017"Action=synchroniseDeviceAuto

DID="11139" DTC="DT_TK1V2" ISN="null" DSD="04/06/2015" EXD="03/06/2017"Action=synchroniseDeviceAuto

DID="11139" DTC="DT_TK1V2" ISN="null" DSD="04/06/2015" EXD="03/06/2017"Action=synchroniseDeviceManual

API call: unassign a device from a user.

DID="11145"Action=unassignDevice

API call: used by external application to check external permissions for specific user and asset. Also used by SSP for user token activation process.

TRC="TC_HW"Action=indirectAuthoriseTransaction

API call: used by Banking application to deliver transactions to mobiles devices (Transaction signing)

DID="12332" ATC="AT_TDS"Action=indirectDeliverChallenge

API call: indirectDeliverChallenge failed, here delivery gateway to send transaction to mobile device is missing.

DID="11274" ATC="AT_TDS" FAC="Unable to find valid delivery adapter for this authentication type:<Domain: ONLINEBANK>"Action=indirectDeliverChallenge

API call: direct user verifying authentication for a user using a device. Here indirectPrimaryAuthenticateDevice failed. Parameters indicate reason of failure

ATC="AT_EMPSMS" ANS="true" ARP="HOSTADDRESS[xx.xx.xxx.xx]" DAM="1" DTC="DT_OOB" ISN="null" DSD="null" FAC="Reason indicating that PIN did not match"Action=indirectPrimaryAuthenticateDevice

API call: indirectPrimaryAuthenticateDevice success

ATC="AT_EMPSMS" ANS="true" ARP="HOSTADDRESS[xx.xx.xxx.xx]" DAM="1" DTC="DT_OOB" ISN="null" DSD="null"Action=indirectPrimaryAuthenticateDevice

API call: direct user verifying security questions answers for a user.

ATC="AT_EMPQA" ANS="false" ARP="" PSA="PR_1ST_JOB PR_MEMWRD PR_PLACE"Action=indirectPrimaryAuthenticateMD

API call: direct user verifying authentication for a user using his password.indirectPrimaryAuthenticateUP success.

ATC="DYNMC_AUTH" ANS="false" ARP="HOSTADDRESS[xx.xx.xxx.xx]" USN="null"Action=indirectPrimaryAuthenticateUP

API call: direct user verifying authentication for a user using his password. indirectPrimaryAuthenticateUP failed. Parameters indicate reason of failure (here "Password does not match")

ATC="DYNMC_AUTH" ANS="false" ARP="HOSTADDRESS[xx.xx.xxx.xx]" USN="null" FAC="Password does not match"Action=indirectPrimaryAuthenticateUP

Server internal: Audit of security keys used on this security domain, following events are generated internally by ActivID authentication server. Current Key used for AUDIT signature on this domain.

KEY=HID-IA-4T.AUDIT.1 Action=auditKeys

Current Key used for credentials encryption on this domain.

KEY=HID-IA-4T.CREDS.1 Action=auditKeys

Current Key used for DB rows signature on this domain.

KEY=HID-IA-4T.DSIGN.1 Action=auditKeys

Current Key used for Sessions (ALSI transfer) encryption on this domain.

KEY=HID-IA-4T.SESSION.1 Action=auditKeys

Current Key used for Configuration entries encryption on this domain.

KEY=HID-IA-4T.SYS.1 Action=auditKeys

When user is moved from one group to another.

GRC="UG_1102" GRC="USG_CUST1" GRN="Test_Group"Action=moveUserSubGroup

GRC="USG_CUST1"Action=moveUserToSubGroup

API call: register an OOB.

ATC="AT_EMPSMS"Action=registerUserForOutOfBand

API call: remove OOB credential and device from a user.

ATC="AT_EMPSMS"Action=unregisterUserForOutOfBand

param=NOTMatched

Action=audit

Action=executeProcessWithAdapterConfiguration

Action=generateEntityCode

By default, getXXX with success are not audited, in case of no function privilege exception, event is audited

Action=getUser

Search User in LDAP found user with invalid attribute, to avoid return user with suspicious attribute, user is removed from list of users found.

UGC="USG_FTEMP" ERI="DS_1101" USN="cd c__" Action=searchUsers

Action=logout

This event comes from Feedback Service of delivery gateway. When found invalid tokens, the token are automatically revoked. This event is generated for each token revoked.

STS="REVOKED" DID="12162" DTC="DT_TDS" Action=setDeviceStatus

AER="A_1103" ASA="AS_1102"Action=removeAssetFromAssetSet

API call: (Direct) user authentication using a device credential. Here API primaryAuthenticateDevice failed. Parameters indicate reason of failure. (This is case of transaction signing, cannot verify signature from client mobile, or wrong counter from client mobile.)

ATC="AT_TDS" ANS="true" ARP="HOSTADDRESS[xx.xx.xxx.xx]" DAM="4" DID="11274" FAC="Response is incorrect"Action=primaryAuthenticateDevice

API call: (Direct) user authentication using a device credential: success. Here ActivID Application (MC) direct user performing PKI authentication to ActivID authentication server.

ATC="AT_SYSPKI" ANS="false" ARP="" DAM="2" DAC="39511351" DTC="DT_SERVER" ISN="null" DSD="02/06/2015" EXD="02/06/2020"Action=primaryAuthenticateDevice

API call: (Direct) user authentication using a login credential (password). Here user "spl-api" authenticates by CH_DIRECT channel using AT_SYSLOG authentication policy.

ATC="AT_SYSLOG" ANS="false" ARP="" USN="null"Action=primaryAuthenticateUP

primaryAuthenticateUP success.

ATC="OP_ATCODE" ANS="false" ARP="" USN="null" FAC="Password does not match"Action=primaryAuthenticateUP

primaryAuthenticateUP failed. Parameters indicate reason of failure.

ATC="AT_SYSLOG" ANS="false" ARP="" USN="null"Action=primaryAuthenticateUP

API call: registerUserForOutOfBand specific call to reset the activation code of an OOB credential.

ATC="AT_EMPSMS"Action=registerUserForOutOfBand

ATC="AT_EMPSMS"Action=resetAuthenticatorFailedAuthenticationCount

API call: registerUserForOutOfBand specific call to reset counter of an OOB credential.

ATC="AT_EMPSMS"Action=registerUserForOutOfBand

TRA="0194951045786064656351831456325940730319"Action=retrieveALSIBySessionTransferCode

Action=retrieveDeviceIssuanceRequests

By default (but configurable), search methods are now audited, except in case of privilege escalation.

CTC="CT_SST_BB"Action=searchCredentials

CTC="CT_SST_BB"Action=searchCredentialsPaginated

API call: definition of user attributes for a group.

GRC="UT_CUST"Action=setGroupAttributes

API call: set security question answers for a user.

MDP="PR_MEET" MDP="PR_LICENCE" MDP="PR_NICK" MDP="PR_TOWN" MDP="PR_FRIEND" MDP="PR_E_SCHL" MDP="PR_CHILD" MDP="PR_SIBLING" MDP="PR_MEMWRD" MDP="PR_1ST_JOB" MDP="PR_SECRET" MDP="PR_ANIMAL" MDP="PR_MEMPHR" MDP="PR_BR_BDAY" MDP="PR_CAR_CLR" MDP="PR_PHONE" MDP="PR_PLACE"Action=setUserMDAnswers

Action=updateAdapterConfiguration

AER="ASSET02"Action=updateAssetDetails

AGC="AG_ASSETTYPE1" AGN="Asset Type 1"Action=updateAssetGroupDetails

ASA="AS_1105" ASN="testassetset" AGC="AG_ASSETTYPE1"Action=updateAssetSetDetails

Action=updateAttributeType

Action=updateAuthenticationType

ATC="AT_EMPPWD" CHC="CH_IIS"Action=updateAuthenticatorPrimaryBlockedChannels

ATC="AT_EMPSMS" AVF="04/06/2015" AVT="02/06/2020"Action=updateAuthenticatorValidPeriod

Action=updateChannel

Action=updateCredentialType

Action=updateDatasource

DTC="DT_STW_OE" ISN="null" DSD="20/05/2015" EXD="20/05/2017"Action=updateDevice

STP="setDeviceStatus" DTC="DT_TDS" DID="11274" STP="createAuthenticator" ATC="AT_TDS"Action=updateDeviceIssuanceRequest

Action=updateDeviceType

Action=updateMemorableDataPrompt

ROC="RL_HELPDSK" RON="Help Desk"Action=updateRoleDetails

Action=updateTransaction

ATC="AT_EMPEPWD" AVF="04/06/2015" AVT="02/06/2020"Action=updateUPAuthenticatorValidPeriod

ATA="FIRSTNAME" ATV="test" ATA="LASTNAME" ATV="OOB" ATA="TITLE" ATV="" ATA="ATR_EMAIL" ATV="test@company.com"Action=updateUserAttributes

UER="REQUSER055_2"Action=updateUserExternalReference

GRN="Customers User Type" GRC="UT_CUST" PGC="null" ATC="AT_CSTEPWD" ATC="AT_CUSTDID" ATC="AT_CUSTMW" ATC="AT_CUSTOTP" ATC="AT_CUSTPIN" ATC="AT_CUSTPKI" ATC="AT_CUSTPW" ATC="AT_CUSTQA" ATC="AT_CUSTSGN" ATC="AT_CUSTSMS" ATC="AT_LDAP"Action=updateUserGroupDetails

When performing searchUser or getUser, if user is LDAP user, his enable status in LDAP and DN, and his corresponding roles in ActivID AS are checked, if there's change, his information will be automatically updated. This event is audited when update succeed.

UGC="USG_CUST1" ERI="DS_1101" USN="ou1user1" ULS="ENABLED" ROC="Size 2 [0]=RL_HELPDSK [1]=R_1103" Action=getUser

GRC="REQAG000" STD="04/06/2015"Action=updateUserStatus

GRN="Consumer Online Banking" GRC="USG_CUST1" PGC="UT_CUST"Action=updateUserSubGroupDetails