IBM_SECURITY_CBA_AUDIT

IBM_SECURITY_CBA_AUDIT_MGMT events

This event type identifies the security context-based management events, such as the creation of risk profiles.
The following table lists the elements that can be displayed in the output of a IBM_SECURITY_CBA_AUDIT_MGMT event. All elements are included in the output, unless indicated otherwise.
--> -->
Element Description

creationTime Date and time when the event was issued.
For example: 2013-09-11T19:18:04.140Z
The letter Z in the sample that is shown indicates the UTC format. All time stamps are issued in UTC format. There is no provision for specifying local time.
This element is a container element and has no valid XPath. A valid XPath requires a values declaration. This container element uses the children of the ComponentIdentification element type.

actionInfo Provides information about the management action that is performed on a resource.
This element is a container element and has no valid XPath. A valid XPath requires a values declaration. This container element uses the children of the ComponentIdentification element type.

actionInfo action-id Action that caused this management event. Possible actions include:

API protection client related events

API_PROTECTION_CLIENT_CREATE_EVENT, API_PROTECTION_CLIENT_DELETE_EVENT, API_PROTECTION_CLIENT_SEARCH_EVENT, API_PROTECTION_CLIENT_SECRET_GENERATE_EVENT, API_PROTECTION_CLIENT_UPDATE_EVENT

API protection definition related events

API_PROTECTION_DEFINITION_CREATE_EVENT, API_PROTECTION_DEFINITION_DELETE_EVENT, API_PROTECTION_DEFINITION_SEARCH_EVENT, API_PROTECTION_DEFINITION_UPDATE_EVENT

Attribute matcher related events

ATTRIBUTE_MATCHER_CREATE_EVENT, ATTRIBUTE_MATCHER_DELETE_EVENT, ATTRIBUTE_MATCHER_SEARCH_EVENT, ATTRIBUTE_MATCHER_UPDATE_EVENT

Attribute related events

ATTRIBUTE_CREATE_EVENT, ATTRIBUTE_DELETE_EVENT, ATTRIBUTE_SEARCH_EVENT, ATTRIBUTE_UPDATE_EVENT

Audit related events

AUDIT_SEARCH_EVENT, AUDIT_UPDATE_EVENT

Authentication mechanism instances related events

AUTH_MECH_INSTANCE_UPDATE_EVENT, AUTH_MECH_INSTANCE_SEARCH_EVENT

Authentication mechanism types related events

AUTH_MECH_TYPE_SEARCH_EVENT

Authentication policy related events

AUTH_POLICY_CREATE_EVENT, AUTH_POLICY_UPDATE_EVENT, AUTH_POLICY_DELETE_EVENT, AUTH_POLICY_SEARCH_EVENT

Bundle related events

BUNDLE_SEARCH_EVENT, BUNDLE_CREATE_EVENT, BUNDLE_UPDATE_EVENT, BUNDLE_DELETE_EVENT, BUNDLE_EXPORT_EVENT, BUNDLE_IMPORT_EVENT

Device related events

DEVICE_DELETE_EVENT, DEVICE_SEARCH_EVENT, DEVICES_FOR_USER_SEARCH_EVENT, DEVICE_USER_ID_SEARCH_EVENT

Extension instances related events

EXTENSION_INSTANCE_SEARCH_EVENT, EXTENSION_INSTANCE_CREATE_EVENT, EXTENSION_INSTANCE_UPDATE_EVENT, EXTENSION_INSTANCE_DELETE_EVENT

Extension related events

EXTENSION_SEARCH_EVENT

Geolocation data related events

GEOLOCATION_DATA_CANCEL_IMPORT_EVENT, GEOLOCATION_DATA_IMPORT_EVENT, GEOLOCATION_DATA_STATUS_IMPORT_EVENT

HVDB related events

HVDB_DELETE_ALL_DATA_EVENT, HVDB_DELETE_USER_DATA_EVENT, HVDB_CANCEL_DELETE_DATA_EVENT, HVDB_DELETE_DEVICES_EVENT, HVDB_STATUS_DELETE_DATA_EVENT, HVDB_DELETE_USER_FROM_DB

Map rule related events

MAPPING_RULE_EXPORT_EVENT, MAPPING_RULE_IMPORT_EVENT , MAPPING_RULE_SEARCH_EVENT, MAPPING_RULE_UPDATE_EVENT, MAPPING_RULE_CREATE_EVENT, MAPPING_RULE_DELETE_EVENT

Obligation related events

OBLIGATION_CREATE_EVENT, OBLIGATION_DELETE_EVENT, OBLIGATION_SEARCH_EVENT, OBLIGATION_UPDATE_EVENT

Override configuration related events

OVERRIDE_CONFIG_SEARCH_EVENT, OVERRIDE_CONFIG_UPDATE_EVENT

Policy information point instances related events

PIP_INSTANCE_EXPORT_EVENT, PIP_INSTANCE_IMPORT_EVENT, PIP_INSTANCE_CREATE_EVENT, PIP_INSTANCE_UPDATE_EVENT, PIP_INSTANCE_DELETE_EVENT, PIP_INSTANCE_SEARCH_EVENT

Policy information point types related events

PIP_TYPE_SEARCH_EVENT

Policy attachment related events

POLICY_ATTACHMENT_CREATE_EVENT, POLICY_ATTACHMENT_DELETE_EVENT, POLICY_ATTACHMENT_PDADMIN_EVENT, POLICY_ATTACHMENT_POLICIES_ SEARCH_EVENT, POLICY_ATTACHMENT_POLICIES_UPDATE _EVENT, POLICY_ATTACHMENT_PUBLISH_EVENT, POLICY_ATTACHMENT_SEARCH_EVENT, POLICY_ATTACHMENT_UNPUBLISH_EVENT, POLICY_ATTACHMENT_UPDATE_EVENT, POLICY_ATTACHMENT_UPDATE_PROPERTIES _EVENT

Policy related events

POLICY_CREATE_EVENT POLICY_DELETE_EVENT, POLICY_SEARCH_EVENT, POLICY_UPDATE_EVENT

Policy set related events

POLICY_SET_CREATE_EVENT, POLICY_SET_DELETE_EVENT, POLICY_SET_POLICIES_SEARCH_EVENT, POLICY_SET_POLICIES_UPDATE_EVENT, POLICY_SET_SEARCH_EVENT, POLICY_SET_UPDATE_EVENT

Risk profile related events

RISK_PROFILE_CREATE_EVENT, RISK_PROFILE_DELETE_EVENT, RISK_PROFILE_SEARCH_EVENT, RISK_PROFILE_UPDATE_EVENT

Runtime policy related events

RUNTIME_POLICY_DEPLOY_EVENT, RUNTIME_POLICY_IS_DEPLOYED_EVENT, RUNTIME_POLICY_SEARCH_EVENT, RUNTIME_POLICY_UNDEPLOY_EVENT

User knowledge questions related events

KNOWLEDGE_QUESTIONS_UPDATE_EVENT, KNOWLEDGE_QUESTIONS_DELETE_EVENT, KNOWLEDGE_QUESTIONS_SEARCH_EVENT

XPath: CommonBaseEvent/extendedDataElements /[@name= ’ actionInfo’]/children[@name=’ urn:oasis:names:tc:xacml:1.0:action:action-id’]/values

outcome Specifies the outcome of the action for which the security event is generated.
This element is a container element and has no valid XPath. A valid XPath requires a values declaration. This container element uses the children of the ComponentIdentification element type

outcome.failureReason Provides more information about the outcome.
This element is included in the output when the result is FAILURE.
XPath: CommonBaseEvent/extendedDataElements /[@name=’outcome’]/children[@name=’failureReason’ ]/values

outcome result Specifies the overall status of the event that is commonly used for filtering. The following values are possible for the status of this element:

FAILURE
SUCCESSFUL
XPath: CommonBaseEvent/extendedDataElements /[@name=’outcome’]/children[@name=’result’]/values

userInfoList Provides information about the user who accesses the resource.
This element is a container element and has no valid XPath. A valid XPath requires a values declaration. This container element uses the children of the ComponentIdentification element type.

userInfoList appUserName Name of the user.
XPath: CommonBaseEvent/extendedDataElements /[@name=’userInfoList’]/children[@name=’appUserName’]/values

resourceInfo Provides information about the resource that is accessed.
This element is a container element and has no valid XPath. A valid XPath requires a values declaration. This container element uses the children of the ComponentIdentification element type.

resourceInfo RESTInvocationURI URI of the REST interface that is accessed for this management event.
XPath: CommonBaseEvent/extendedDataElements /[@name=’resourceInfo’]/children[@name=’RESTInvocationURI’]/values

resourceInfo nameOfPolicy Policies and policy sets associated with the policy attachment for the resource as specified by the nameOfResource property.
This element is included in the output for policy attachment action-ids.
XPath: CommonBaseEvent/extendedDataElements /[@name=’resourceInfo’]/children[@name=’nameOfPolicy’]/values

resourceInfo nameOfResource Name of the resource for a policy attachment. For example: /WebSEAL/security-default/index.html
This element is included in the output for policy attachment action-ids.
XPath: CommonBaseEvent/extendedDataElements /[@name=’resourceInfo’]/children[@name=’nameOfResource’]/values

restManagement Provides optional information regarding the input JSON for this management request.
This element is included in the output for some management audit events.
This element is a container element and has no valid XPath. A valid XPath requires a values declaration. This container element uses the children of the ComponentIdentification element type.

restManagement json JSON for this management request. This element is included in the output for some management audit events. To enable the inclusion of additional data in an audit event, the administrator must select Enable verbose audit events in the Audit Configuration panel.
XPath: CommonBaseEvent/extendedDataElements /[@name=’restManagement’]/children[@name=’json’]/values

extensionName Name of the event class that this event represents. The name indicates any additional elements that are expected to be present within the event. The value for context-based authorization management events is IBM_SECURITY_CBA_AUDIT_MGMT.
This element is a container element and has no valid XPath. A valid XPath requires a values declaration. This container element uses the children of the ComponentIdentification element type.

globalInstanceId Primary identifier for the event. This property must be globally unique and can be used as the primary key for the event.
For example: f0c93637-ada2-4afb-9687-47a7ec1fa3a7
This element is a container element and has no valid XPath. A valid XPath requires a values declaration. This container element uses the children of the ComponentIdentification element type.

msg Specifies more information when the outcome is SUCCESSFUL. This element:

Is optional.
Is a container element.
Does not have a valid XPath. A valid XPath requires a values declaration.
Uses the children of the ComponentIdentification element type.

reporterComponentId This element is a container element and has no valid XPath. A valid XPath requires a values declaration. This container element uses the children of the ComponentIdentification element type.

reporterComponentId application Name of the application that reports the event. For context-based authorization events, the value is set to IBM Security Verify Access.

reporterComponentId component Logical identity of a component. For context-based authorization events, the value is set to Context-Based Authorization.

reporterComponentId componentIdType Format and meaning of the component that is identified by this component identification.
For example: ProductName

reporterComponentId location Physical address corresponding to the location of a component.
For example: host name, IP address, or MAC address.

reporterComponentId locationType Format and meaning of the value in the location property. For context-based authorization events, the value is set to FQHostname.

sourceComponentId Identifies the component that is affected or was impacted by the event.
This element is a container element and has no valid XPath. A valid XPath requires a values declaration. This container element uses the children of the ComponentIdentification element type.

sourceComponentId component Logical identity of a component.

sourceComponentId componentIdType Format and meaning of the component that is identified by this component identification.
For example: ProductName

sourceComponentId location Physical address corresponding to the location of a component.
For example: host name, IP address, or MAC address.

sourceComponentId locationType Format and meaning of the value in the location property. For context-based authorization events, the value is set to FQHostname.

Parent topic: Audit Advanced Access Control

Element	Description
creationTime	Date and time when the event was issued. For example: 2013-09-11T19:18:04.140Z The letter Z in the sample that is shown indicates the UTC format. All time stamps are issued in UTC format. There is no provision for specifying local time. This element is a container element and has no valid XPath. A valid XPath requires a values declaration. This container element uses the children of the ComponentIdentification element type.
actionInfo	Provides information about the management action that is performed on a resource. This element is a container element and has no valid XPath. A valid XPath requires a values declaration. This container element uses the children of the ComponentIdentification element type.
actionInfo action-id	Action that caused this management event. Possible actions include: API protection client related events API_PROTECTION_CLIENT_CREATE_EVENT, API_PROTECTION_CLIENT_DELETE_EVENT, API_PROTECTION_CLIENT_SEARCH_EVENT, API_PROTECTION_CLIENT_SECRET_GENERATE_EVENT, API_PROTECTION_CLIENT_UPDATE_EVENT API protection definition related events API_PROTECTION_DEFINITION_CREATE_EVENT, API_PROTECTION_DEFINITION_DELETE_EVENT, API_PROTECTION_DEFINITION_SEARCH_EVENT, API_PROTECTION_DEFINITION_UPDATE_EVENT Attribute matcher related events ATTRIBUTE_MATCHER_CREATE_EVENT, ATTRIBUTE_MATCHER_DELETE_EVENT, ATTRIBUTE_MATCHER_SEARCH_EVENT, ATTRIBUTE_MATCHER_UPDATE_EVENT Attribute related events ATTRIBUTE_CREATE_EVENT, ATTRIBUTE_DELETE_EVENT, ATTRIBUTE_SEARCH_EVENT, ATTRIBUTE_UPDATE_EVENT Audit related events AUDIT_SEARCH_EVENT, AUDIT_UPDATE_EVENT Authentication mechanism instances related events AUTH_MECH_INSTANCE_UPDATE_EVENT, AUTH_MECH_INSTANCE_SEARCH_EVENT Authentication mechanism types related events AUTH_MECH_TYPE_SEARCH_EVENT Authentication policy related events AUTH_POLICY_CREATE_EVENT, AUTH_POLICY_UPDATE_EVENT, AUTH_POLICY_DELETE_EVENT, AUTH_POLICY_SEARCH_EVENT Bundle related events BUNDLE_SEARCH_EVENT, BUNDLE_CREATE_EVENT, BUNDLE_UPDATE_EVENT, BUNDLE_DELETE_EVENT, BUNDLE_EXPORT_EVENT, BUNDLE_IMPORT_EVENT Device related events DEVICE_DELETE_EVENT, DEVICE_SEARCH_EVENT, DEVICES_FOR_USER_SEARCH_EVENT, DEVICE_USER_ID_SEARCH_EVENT Extension instances related events EXTENSION_INSTANCE_SEARCH_EVENT, EXTENSION_INSTANCE_CREATE_EVENT, EXTENSION_INSTANCE_UPDATE_EVENT, EXTENSION_INSTANCE_DELETE_EVENT Extension related events EXTENSION_SEARCH_EVENT Geolocation data related events GEOLOCATION_DATA_CANCEL_IMPORT_EVENT, GEOLOCATION_DATA_IMPORT_EVENT, GEOLOCATION_DATA_STATUS_IMPORT_EVENT HVDB related events HVDB_DELETE_ALL_DATA_EVENT, HVDB_DELETE_USER_DATA_EVENT, HVDB_CANCEL_DELETE_DATA_EVENT, HVDB_DELETE_DEVICES_EVENT, HVDB_STATUS_DELETE_DATA_EVENT, HVDB_DELETE_USER_FROM_DB Map rule related events MAPPING_RULE_EXPORT_EVENT, MAPPING_RULE_IMPORT_EVENT , MAPPING_RULE_SEARCH_EVENT, MAPPING_RULE_UPDATE_EVENT, MAPPING_RULE_CREATE_EVENT, MAPPING_RULE_DELETE_EVENT Obligation related events OBLIGATION_CREATE_EVENT, OBLIGATION_DELETE_EVENT, OBLIGATION_SEARCH_EVENT, OBLIGATION_UPDATE_EVENT Override configuration related events OVERRIDE_CONFIG_SEARCH_EVENT, OVERRIDE_CONFIG_UPDATE_EVENT Policy information point instances related events PIP_INSTANCE_EXPORT_EVENT, PIP_INSTANCE_IMPORT_EVENT, PIP_INSTANCE_CREATE_EVENT, PIP_INSTANCE_UPDATE_EVENT, PIP_INSTANCE_DELETE_EVENT, PIP_INSTANCE_SEARCH_EVENT Policy information point types related events PIP_TYPE_SEARCH_EVENT Policy attachment related events POLICY_ATTACHMENT_CREATE_EVENT, POLICY_ATTACHMENT_DELETE_EVENT, POLICY_ATTACHMENT_PDADMIN_EVENT, POLICY_ATTACHMENT_POLICIES_ SEARCH_EVENT, POLICY_ATTACHMENT_POLICIES_UPDATE _EVENT, POLICY_ATTACHMENT_PUBLISH_EVENT, POLICY_ATTACHMENT_SEARCH_EVENT, POLICY_ATTACHMENT_UNPUBLISH_EVENT, POLICY_ATTACHMENT_UPDATE_EVENT, POLICY_ATTACHMENT_UPDATE_PROPERTIES _EVENT Policy related events POLICY_CREATE_EVENT POLICY_DELETE_EVENT, POLICY_SEARCH_EVENT, POLICY_UPDATE_EVENT Policy set related events POLICY_SET_CREATE_EVENT, POLICY_SET_DELETE_EVENT, POLICY_SET_POLICIES_SEARCH_EVENT, POLICY_SET_POLICIES_UPDATE_EVENT, POLICY_SET_SEARCH_EVENT, POLICY_SET_UPDATE_EVENT Risk profile related events RISK_PROFILE_CREATE_EVENT, RISK_PROFILE_DELETE_EVENT, RISK_PROFILE_SEARCH_EVENT, RISK_PROFILE_UPDATE_EVENT Runtime policy related events RUNTIME_POLICY_DEPLOY_EVENT, RUNTIME_POLICY_IS_DEPLOYED_EVENT, RUNTIME_POLICY_SEARCH_EVENT, RUNTIME_POLICY_UNDEPLOY_EVENT User knowledge questions related events KNOWLEDGE_QUESTIONS_UPDATE_EVENT, KNOWLEDGE_QUESTIONS_DELETE_EVENT, KNOWLEDGE_QUESTIONS_SEARCH_EVENT XPath: CommonBaseEvent/extendedDataElements /[@name= ’ actionInfo’]/children[@name=’ urn:oasis:names:tc:xacml:1.0:action:action-id’]/values
outcome	Specifies the outcome of the action for which the security event is generated. This element is a container element and has no valid XPath. A valid XPath requires a values declaration. This container element uses the children of the ComponentIdentification element type
outcome.failureReason	Provides more information about the outcome. This element is included in the output when the result is FAILURE. XPath: CommonBaseEvent/extendedDataElements /[@name=’outcome’]/children[@name=’failureReason’ ]/values
outcome result	Specifies the overall status of the event that is commonly used for filtering. The following values are possible for the status of this element: FAILURE SUCCESSFUL XPath: CommonBaseEvent/extendedDataElements /[@name=’outcome’]/children[@name=’result’]/values
userInfoList	Provides information about the user who accesses the resource. This element is a container element and has no valid XPath. A valid XPath requires a values declaration. This container element uses the children of the ComponentIdentification element type.
userInfoList appUserName	Name of the user. XPath: CommonBaseEvent/extendedDataElements /[@name=’userInfoList’]/children[@name=’appUserName’]/values
resourceInfo	Provides information about the resource that is accessed. This element is a container element and has no valid XPath. A valid XPath requires a values declaration. This container element uses the children of the ComponentIdentification element type.
resourceInfo RESTInvocationURI	URI of the REST interface that is accessed for this management event. XPath: CommonBaseEvent/extendedDataElements /[@name=’resourceInfo’]/children[@name=’RESTInvocationURI’]/values
resourceInfo nameOfPolicy	Policies and policy sets associated with the policy attachment for the resource as specified by the nameOfResource property. This element is included in the output for policy attachment action-ids. XPath: CommonBaseEvent/extendedDataElements /[@name=’resourceInfo’]/children[@name=’nameOfPolicy’]/values
resourceInfo nameOfResource	Name of the resource for a policy attachment. For example: /WebSEAL/security-default/index.html This element is included in the output for policy attachment action-ids. XPath: CommonBaseEvent/extendedDataElements /[@name=’resourceInfo’]/children[@name=’nameOfResource’]/values
restManagement	Provides optional information regarding the input JSON for this management request. This element is included in the output for some management audit events. This element is a container element and has no valid XPath. A valid XPath requires a values declaration. This container element uses the children of the ComponentIdentification element type.
restManagement json	JSON for this management request. This element is included in the output for some management audit events. To enable the inclusion of additional data in an audit event, the administrator must select Enable verbose audit events in the Audit Configuration panel. XPath: CommonBaseEvent/extendedDataElements /[@name=’restManagement’]/children[@name=’json’]/values
extensionName	Name of the event class that this event represents. The name indicates any additional elements that are expected to be present within the event. The value for context-based authorization management events is IBM_SECURITY_CBA_AUDIT_MGMT. This element is a container element and has no valid XPath. A valid XPath requires a values declaration. This container element uses the children of the ComponentIdentification element type.
globalInstanceId	Primary identifier for the event. This property must be globally unique and can be used as the primary key for the event. For example: f0c93637-ada2-4afb-9687-47a7ec1fa3a7 This element is a container element and has no valid XPath. A valid XPath requires a values declaration. This container element uses the children of the ComponentIdentification element type.
msg	Specifies more information when the outcome is SUCCESSFUL. This element: Is optional. Is a container element. Does not have a valid XPath. A valid XPath requires a values declaration. Uses the children of the ComponentIdentification element type.
reporterComponentId	This element is a container element and has no valid XPath. A valid XPath requires a values declaration. This container element uses the children of the ComponentIdentification element type.
reporterComponentId application	Name of the application that reports the event. For context-based authorization events, the value is set to IBM Security Verify Access.
reporterComponentId component	Logical identity of a component. For context-based authorization events, the value is set to Context-Based Authorization.
reporterComponentId componentIdType	Format and meaning of the component that is identified by this component identification. For example: ProductName
reporterComponentId location	Physical address corresponding to the location of a component. For example: host name, IP address, or MAC address.
reporterComponentId locationType	Format and meaning of the value in the location property. For context-based authorization events, the value is set to FQHostname.
sourceComponentId	Identifies the component that is affected or was impacted by the event. This element is a container element and has no valid XPath. A valid XPath requires a values declaration. This container element uses the children of the ComponentIdentification element type.
sourceComponentId component	Logical identity of a component.
sourceComponentId componentIdType	Format and meaning of the component that is identified by this component identification. For example: ProductName
sourceComponentId location	Physical address corresponding to the location of a component. For example: host name, IP address, or MAC address.
sourceComponentId locationType	Format and meaning of the value in the location property. For context-based authorization events, the value is set to FQHostname.