Monitoring my Tenant - Audit Logs and Records

While leveraging your tenant within the HID Authentication Service, you can view the API activity audit (for example, to get reliable information about events that happen for your users).

The HID Authentication Service implements a secure auditing mechanism that records all API events within your tenant.

Each audited entry is:

  • Non-repudiable (signed)

  • Tamper-resistant (verification of the signature)

  • Available (redundant with backups)

An event is an atomic line in the Audit logs stored in the HID Authentication Service. The Audit logs keep a trace of any event occurring within your tenant, including authentications, transactions, user creations, and role assignments.

The Audit logs protect PII (Personally Identifying Information - end user's personal data) by leveraging the Tokenization concept.

Tokenization means that each sensitive personal piece of data is replaced by a randomly generated token (pseudonymization). This token is kept on the HID Authentication Service-side in a mapping table, the Token Vault, allowing to trace back to the real user for whom the log line concerns.

The Token Vault API allows searching for pseudonymization tokens in an human-readable version of the exported audit log to get their original value.

Note:  
  • PII pseudonymization using tokens should not be confused with OpenID authentication tokens as they are completely different concepts.

  • Pseudonymization and Tokenization enable compliance with the European GDPR (General Data Protection Regulation).

Prerequisites:  
  • The URL of the HID Authentication Service platform (see HID Authentication Service Platforms around the World)

  • Your tenant ID (the identifier of your tenant, starting with the letter "t", for example, t987198273d986w9869) 

  • A bearer token (Access token) obtained by authenticating a privileged user (Organization Administrator, Client ID M2M) through an Authentication flow

    You need a privileged user to perform the actions listed below

    Using a bearer token from an non-privileged user/Client ID will result in 401/403 HTTP responses from the HID Authentication Service APIs (see Enabling User Authentication)

Searching for Audited Records

Searching for records is performed by calling the AuditRecords endpoint with the bearer token of your privileged user (Organization Administrator). This will fetch all records.

Note:
  • The record is detokenized, and the field "jws" is not returned in the response as it cannot be read.

  • In Basic Concepts for Integration, we said that the Client ID is also called the direct user while the end user is called the indirect user. This explains the name pf the parameters indirectUserExtId and directUserExtId .

Copy

Sample request

POST /scim/{tenant}/v2/AuditRecords/.search
{
    "filter": "created gt 2022-11-27T12:00:00Z and verify eq true",
    "count": 10,
    "startIndex": 1,
    "sortBy": "created",
    "sortOrder": "ascending"
}

Where:

  • The filter attribute can be used to check the integrity of the records and reduce the number of records you want to see:

    You can use the and operator between filters and use parentheses between conditions.

    • Records should be checked for integrity:

      verify eq true

    • Successful or failed authentications:

      result eq RESPONSE_SUCCESS
      result eq RESPONSE_FAILURE
    • Records between two dates:

      created gt 2022-11-27T09:00:00Z and created lt 2022-11-28T12:00:00Z
  • Note: All filters support the 'eq' operator with an exact search or with the '*' wildcard character except 'created'.
  • The following attributes can be used for a paginated search:

    • count can be used to limit the size of the search results

    • startIndex specifies the index of the first result returned (where 0 will returned the same paginated result as 1)

    The result will contain a totalResults attribute to allow you to compute the number of pages.

    Important:

    The maximum number of rows returned per request is 100, even if you specify a higher count value. Therefore, for lists that are longer than 100 elements, it is mandatory for you to paginate the results.

  • The search results can be sorted using:

    • sortBy - the created filter (the record's timestamp)

    • sortOrder - either ascending or descending (or asc or desc)

Note: For further information, see Searching with the SCIM API.
Copy

Sample response

HTTP/1.1 200 OK
Date: Wed, 04 Jan 2023 16:05:52 GMT
Content-Type: application/scim+json;charset=utf-8
{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 162,
    "resources": [
        {
            "schemas": ["urn:hid:scim:api:idp:2.0:AuditRecord"],
            "id": "IDP-test-company",
            "targetUserId": {
                "id": "admin@company.com",
                "immutableId": "11092",
                "session": {
                    "id": "1ea9ac7d7236aa0dce70d63fccb2779411c29478b0ea66cef815bb758479c1cf",
                    "authenticationMethod": "AT_STDPWD"
                }
            },
            "action": {
                "actionName": "indirectPrimaryAuthenticateUP",
                "actionParameters": {
                    "ATC": "AT_STDPWD",
                    "USN": "null",
                    "Action": "indirectPrimaryAuthenticateUP",
                    "ANS": "false",
                    "ARP": "CONTEXT[{\"OPENID\":{\"clientid\":\"r7wcHxsAGjT7jweAjtQCwMw6\",\"scope\":\"openid profile\"}}]",
                    "AUS": "ENABLED",
                    "CHC": "CH_EXTRAPP"
                }
            },
            "result": "RESPONSE_SUCCESS",
            "return_value": {
                "response": "SUCCESS"
            },
            "tenantId": "tdf1808f3d368517208759",
            "actingUserId": {
                "id": "r7wcHxsAGjT7jweAjtQCwMw6",
                "immutableId": "200",
                "session": {
                    "id": "16c52d7ae20de197ca8eecf9bb6ec566e5d8b21e03538632e9fdf3d84b6e1f73"
                }
            },
            "integrityStatus": "validated",
            "created": "2023-01-04T16:04:34.678Z",
            "host": "<host-ip>"
        },
        {
            "schemas": ["urn:hid:scim:api:idp:2.0:AuditRecord"],
            "id": "IDP-test-company",
            "targetUserId": {
                "id": "r7wcHxsAGjT7jweAjtQCwMw6",
                "immutableId": "200",
                "session": {
                    "authenticationMethod": "AT_SYSLOG"
                }
            },
            "action": {
                "actionName": "primaryAuthenticateUP",
                "actionParameters": {
                    "ATC": "AT_SYSLOG",
                    "USN": "null",
                    "Action": "primaryAuthenticateUP",
                    "ANS": "false",
                    "ARP": "CONTEXT[{\"OPENID\":{\"clientid\":\"r7wcHxsAGjT7jweAjtQCwMw6\",\"scope\":\"openid profile\"}}],HOSTADDRESS[10.7.252.38]",
                    "AUS": "ENABLED",
                    "CHC": "CH_EXTRAPP"
                }
            },
            "result": "RESPONSE_SUCCESS",
            "return_value": {
                "response": "SUCCESS"
            },
            "tenantId": "tdf1808f3d368517208759",
            "actingUserId": {
                "id": "r7wcHxsAGjT7jweAjtQCwMw6",
                "immutableId": "200",
                "session": {
                    "id": "16c52d7ae20de197ca8eecf9bb6ec566e5d8b21e03538632e9fdf3d84b6e1f73"
                }
            },
            "integrityStatus": "validated",
            "created": "2023-01-04T16:04:23.268Z",
            "host": "<host-ip>"
        },
        {
            "schemas": ["urn:hid:scim:api:idp:2.0:AuditRecord"],
            "id": "API-test-company",
            "targetUserId": {
                "id": "afiuser1",
                "immutableId": "11072",
                "session": {
                    "authenticationMethod": "AT_EMPOOB"
                }
            },
            "action": {
                "actionName": "registerUserForOutOfBand",
                "actionParameters": {
                    "ATC": "AT_EMPOOB",
                    "Action": "registerUserForOutOfBand",
                    "DSN": "11297",
                    "DID": "11294",
                    "CHC": "OPERATOR"
                }
            },
            "message": "Registration successful",
            "result": "RESPONSE_SUCCESS",
            "return_value": {
                "response": "SUCCESS"
            },
            "tenantId": "tdf1808f3d368517208759",
            "actingUserId": {
                "id": "SAXLGROUU9npqp4M5A1gO4kE",
                "immutableId": "10033",
                "session": {
                    "id": "9c21b4689c0e59196660c8af60d1c195413ce8fcc68c532fb5c5337b6f5093be"
                }
            },
            "integrityStatus": "validated",
            "created": "2022-12-15T15:18:46.983Z",
            "host": "<host-ip>"
        }
    ],
    "startIndex": 1,
    "itemsPerPage": 100
}

Where:

  • resources is an array of audited records

  • Each record in the response includes the integrityStatus property with one of the following values:

    • validated

    • tainted

    • unverified

Important:

If you detect a tampered record on your tenant, contact the HID Global Technical Support immediately.

Event Types

The following is a list of recorded event types (actionName):

Type Description

addCredentialToDevice

A credential (for example, a certificate) is associated to a device

addDevice

A device is added

addRoleToUser

A user is assigned a role

assignDeviceToUser

A device is assigned to a user

changeUserPassword

A user's password changed

createAuthenticationType

A custom authentication policy is created

createAuthenticator

A (non-password) authenticator is created

createCredential

A new credential (for example, a certificate) is created

createDatasource

A new external source of users is created (for example, LDAP)

createDeviceIssuanceRequest

A new device provisioning request (invitation) is created

createRole

A new role is created

createUPAuthenticator

A password-based authenticator is created

createUser

A new user is added

createUserGroup

A new user group is created

createUserSubGroup

A new user group is created, within a hierarchy

deleteAuthenticators

An authenticator is deleted

deleteChannel

A channel is deleted

deleteCredential

A credential is deleted

deleteDatasource

A source of external users is deleted

deleteDeviceIssuanceRequests

A device provisioning request (invitation) is deleted

deleteDevices

A device is deleted

deleteRole

A role is deleted

deleteUser

A user is deleted

deleteUserGroup

A user group is deleted

deleteUserSubGroup

A user group (in a hierarchy) is deleted

deleteUsers

Multiple users are deleted

importDevices

Batch import of devices

indirectDeliverChallenge

Authentication event (success or failure) concerning OOB (Out Of Band) authentication for an end user

indirectPrimaryAuthenticateDevice

Authentication event (success or failure) concerning a device-based authentication for an end user

indirectPrimaryAuthenticateUP

Authentication event (success or failure) concerning a password-based authentication for an end user

logout

An explicit logout action

moveUserSubGroup

A user group is moved from one group to another

moveUserToSubGroup

A user is moved from one group to another

primaryAuthenticateDevice

Authentication event (success or failure) concerning a device-based authentication for a Client ID

primaryAuthenticateUP

Authentication event (success or failure) concerning a password-based authentication for a Client ID

registerUserForOutOfBand

A user is onboarded for OOB (Out Of Band) authentication

resetActivationCode

The activation code of an OOB (Out Of Band) credential is reset

resetAuthenticatorFailedAuthenticationCount

The number of failed authentications statistic, stored for the authenticator, is reset to zero

resetOOBCounter

The number of OOB (Out Of Band) challenges sent to a user is reset to zero

synchroniseDeviceAuto

A device is automatically synchronized (OTP)

synchroniseDeviceManual

A device is manually synchronized (OTP)

unassignDevice

A device is unassigned from a user

unregisterUserForOutOfBand

An OOB (Out Of Band) credential is removed from the user

updateAuthenticatorValidPeriod

The period of validity of an authenticator (non-password-based) is updated

updateDevice

A device is updated

updateDeviceIssuanceRequest

A device provisioning request (invitation) is updated

updateUPAuthenticatorValidPeriod

The period of validity of an authenticator (password-based) is updated

updateUserAttributes

A user's attributes are updated

updateUserExternalReference

A user's external ID is updated

updateUserGroupDetails

A user group is updated

updateUserStatus

The status of a user (active / inactive) is updated

updateUserSubGroupDetails

A user group in a hierarchy is updated

updateAuthenticatorStatus

The status of an authenticator (enabled / disabled) is updated

Event Codes

The following is a list of recorded event codes (actionParameters):

Note: Use the column headings to sort the data.
Audit Code Audit Code Description Notes
ALS ALSI Authenticated Login Session Identifier
AMT Amount Amount
ATA Attribute Type Code Code to identify the Attribute Type
ATC AuthenticationType Code Code to identify the AuthenticationType
ATV Attribute Value Value of the Attribute
AUS Authenticator Status The status 'enabled/disabled' of an authenticator
AVF Authenticator Valid From Date Valid from date for an authenticator
AVT Authenticator Valid To Date Valid to date for an authenticator
BAC Batch Code Code to identify the Batch
BCC Batch Control Code Batch control code, for controlling initiated batch processes
BPC Batch Process Code Unique code that identifies a batch process
BPI Batch process ID Process Id for initiated batch process
BPO Batch process outcome Outcome of a batch process.
BPP Batch Process Parameters Batch process parameters used to call a batch process
BPS Batch Process Status Status of an initiated batch process. Used where the status is explicitly set
CCO Credential Code Code to identify the credential
CHC Channel Code Code to identify the Channel
CHI Challenge ID ID to identify the challenge
COI Correlation ID Correlation ID returned in the response
DAM Device Authentication Mode Used to specify Synchronous or Asynchronous authentication
DAT Device Type Algorithm Algorithm of the device type
DIF Transaction Device Information Information about the device used for the transaction
DIR Device Issuance Request Identifier of the device issue request
DOM Security Domain Name or code of the security domain (tenant)
DSC Datasource Code Code to identify the datasource
DSN Device Serial Number Serial number of the device
DUA Device Update Action Action performed when the device is updated
EIA External Identifier for Algorithm Code Used in the automatic generation of the External Reference ID to identify the Algorithm Used
EXP Expiry Period Period for which as session or other value is valid
EXT Expiry Threshold Threshold for the session validity
FBN Form Batch Number For the maintenance of Form Batches
FNA Function Name Added For maintenance of function sets - defines which function was added to a set
FNR Function Name Removed For maintenance of function sets - defines which function was removed from a set
FPI Function Privilege Identifier The ID to identify a Function Privilege
FPS Function Privilege Subgroup The subgroup contained as part of the privilege (Function Set/AuthType/Subgroup)
FSC Function Set Code Code to identify a Function Set
FSN Function Set Name Name of a Function Set
FTC Form Type Code Code to identify a Form Type
FUN Function Name Name of a Function
GRC Group Code Code to identify a Group
GRN Group Name Name of a Group
LEN Length Length
LHT Login Hint Token Push transaction payload
MSG Transaction Audit Message Push device activation failure reason
MTC Mobile Transaction Context Transaction context for push authentication
NOA Number of Authorisations Required Number of Authorizations Required
PAT Parent Authentication Type Code Used for clone authenticator to identify the parent (source) authenticator type code
PCA Primary Channel Block Added Contains the channel codes for the channel blocks added
PCB Primary Channel Block Removed Contains the channel codes for the channel blocks removed
PGC Parent Group Code Used for updating user group hierarchies
PGN Parent Group Name Used for updating user group hierarchies
ROC Role Code Code for a role
RON Role Name Name of a role
STD Start Date Start Date
STS Device status Status of the device
TCT TransferCodeType Type of session transfer code (see TCA)
TGC Target Group Code Used to specify the group which a user has been moved to.
THR Threshold Returned Records threshold returned in a transaction authorisation when status = CONDITIONAL
TPI Transaction Privilege Identifier The ID to identify a Transaction Privilege
TPT Transaction Privilege Threshold This is the threshold on a transaction privilege. It is used for both user level privileges and transaction sets
TRA Transfer Code One time code used to transfer a session between two users
TXC Transaction Context Transaction context for push authentication at transaction creation (from the Bcauthorize endpoint)
UPT User Privilege Type Code Code to identify a User Privilege Type
UGC User Group Code Code to identify a User Group
USC User Code Code to identify a User
USN Username Username value for the user in the process
VAF Valid From Valid From
DAC Device Authentication Challenge The challenge for any asynchronous device authentication
DAR Device Authentication Response Any response given during device authentication
ARP Authentication Request Parameter This is used to audit parameters associated with authentication adapters
FAC Failure Code Used for all method calls to capture the error message on exception
OGN Old Group Name Stores the old name of the group when the name is being updated
FUC Function Code Code to identify a Function
FUP Function Parameter Function parameter
TRT Transaction Threshold Threshold on a transaction
AUA Authentication Service The authentication service called (based on the authentication adapter used) e.g. CAP for the ActivKernal EMV adapter
ERI External Reference Identifier A User's External Reference is audited on creation and updates
UER Updated External Reference The new value of an External Reference after update
ISN Issue Number Issue number on a device (part of the device search criteria)
DTC Device Type code Code to identify a Device Type
EXD Expiry Date Device Expiry date
DID Device ID Internal id assigned to the device. Not to be mistaken with device serial number
ANS Authentication No Session Indicates whether the session creation was suppressed for authentication
SIN Search Issue Number Issue number specified in device search criteria
SDT Search Device Type Device Type specified in device search criteria
DSD Device Start Date Valid from date for a device
SDX Search Device Expiry Date Device expiry date specified in search criteria
SSN Search Serial Number Device serial number specified in search criteria
PUK Public Key The public component of an RSA key X.509 encoded Base64
JWS JSON Web Signature The JSON Web Signature contains the data, algorithm and signature. Along with a PUK the JWS can be verified
CTC Credential Type Code The code of the type of credential used in during the process
CID Credential ID The Id of the credential used during the process
STP Step In Process The step used within the current process