tutorial:adm:reading_audits [2019/09/02 13:02]
fiserp [Role modified]
tutorial:adm:reading_audits [2021/10/07 13:39] (current)
fiserp
Line 1: Line 1:
 ====== Audit - Reading audit information ====== ====== Audit - Reading audit information ======
 This article shows how to connect CzechIdM to automated security monitoring system (SIEM). This form of integration is necessary in many organizations. IdM, being the central point where identities and their roles are managed, is just another piece of the security monitoring mosaic. This article shows how to connect CzechIdM to automated security monitoring system (SIEM). This form of integration is necessary in many organizations. IdM, being the central point where identities and their roles are managed, is just another piece of the security monitoring mosaic.
 +
 +<note tip>Starting CzechIdM 11.2.0, we discourage reading audit information using REST as is explained on this page.
 +
 +Please, use specialized [[devel:documentation:audit:dev:audit_logging_for_siem_tools|audit logging functionality]].</note>
  
 ===== Important events to monitor ===== ===== Important events to monitor =====
Line 117: Line 121:
       "id" : 316,       "id" : 316,
       "timestamp" : 1565604153572,       "timestamp" : 1565604153572,
 +      // who created
       "modifierId" : "3eb704d3-c177-4ffa-b889-34926c8e05c2",       "modifierId" : "3eb704d3-c177-4ffa-b889-34926c8e05c2",
       "modifier" : "admin",       "modifier" : "admin",
 +      // login of created identity
       "ownerId" : "a72d5188-8e1b-47dc-b6af-7e44d8ba92c9",       "ownerId" : "a72d5188-8e1b-47dc-b6af-7e44d8ba92c9",
       "ownerCode" : "john_doe",       "ownerCode" : "john_doe",
Line 151: Line 157:
 **Request** **Request**
 <code> <code>
-TODO+GET /idm/api/v1/audits/search/quick 
 +?size=99999 
 +&page=0 
 +&sort=timestamp,desc 
 +&type=eu.bcvsolutions.idm.core.model.entity.IdmIdentity 
 +&changedAttributesList=disabled 
 +&changedAttributesList=state 
 +&withVersion=true 
 +&modification=MOD
 </code> </code>
  
 **Response** **Response**
 <code> <code>
-TODO+
 +      "id" : 330, 
 +      "timestamp" : 1565606400341, 
 +      "modifier" : "admin", 
 +      "ownerCode" : "john_doe", 
 +      ... redacted ... 
 +      "entity" : { 
 +        "lastName" : "Doe", 
 +        "modifier" : "admin", 
 +        "firstName" : "John", 
 +        // current state of identity 
 +        "disabled" : false, 
 +        "state" : "VALID", 
 +        "email" : "john.doe@czechidm.eu", 
 +        "originalModifierId" : "3eb704d3-c177-4ffa-b889-34926c8e05c2", 
 +        "username" : "john_doe" 
 +      }, 
 +      "_embedded" : { 
 +        "entityId" : { 
 +          "modifier" : "admin", 
 +          "username" : "john_doe", 
 +          "firstName" : "John", 
 +          "lastName" : "Doe", 
 +          "email" : "john.doe@czechidm.eu", 
 +          "phone" : null, 
 +          "titleBefore" : null, 
 +          "titleAfter" : null, 
 +          "description" : null, 
 +          // previous state 
 +          "disabled" : true, 
 +          "state" : "DISABLED_MANUALLY", 
 +          ... redacted ... 
 +        } 
 +      } 
 +}
 </code> </code>
 ==== Identity disabled ==== ==== Identity disabled ====
 **Request** **Request**
 <code> <code>
-TODO+GET /idm/api/v1/audits/search/quick 
 +?size=99999 
 +&page=0 
 +&sort=timestamp,desc 
 +&type=eu.bcvsolutions.idm.core.model.entity.IdmIdentity 
 +&changedAttributesList=disabled 
 +&changedAttributesList=state 
 +&withVersion=true 
 +&modification=MOD
 </code> </code>
  
 **Response** **Response**
 <code> <code>
-TODO+
 +      "id" : 330, 
 +      "timestamp" : 1565606400341, 
 +      "modifier" : "admin", 
 +      "ownerCode" : "john_doe", 
 +      ... redacted ... 
 +      "entity" : { 
 +        "lastName" : "Doe", 
 +        "modifier" : "admin", 
 +        "firstName" : "John", 
 +        // current state of identity 
 +        "disabled" : true, 
 +        "state" : "DISABLED_MANUALLY", 
 +        "email" : "john.doe@czechidm.eu", 
 +        "originalModifierId" : "3eb704d3-c177-4ffa-b889-34926c8e05c2", 
 +        "username" : "john_doe" 
 +      }, 
 +      "_embedded" : { 
 +        "entityId" : { 
 +          "modifier" : "admin", 
 +          "username" : "john_doe", 
 +          "firstName" : "John", 
 +          "lastName" : "Doe", 
 +          "email" : "john.doe@czechidm.eu", 
 +          "phone" : null, 
 +          "titleBefore" : null, 
 +          "titleAfter" : null, 
 +          "description" : null, 
 +          // previous state 
 +          "disabled" : false, 
 +          "state" : "VALID", 
 +          ... redacted ... 
 +        } 
 +      } 
 +}
 </code> </code>
 ==== Identity password changed ==== ==== Identity password changed ====
 **Request** **Request**
 <code> <code>
-TODO+GET /idm/api/v1/password-histories/search/quick 
 +?size=99999 
 +&page=0 
 +&sort=created,desc 
 +&changedAttributesList=validFrom 
 +&face=BETWEEN 
 +&from=2019-08-12T12%3A00%3A00.000Z 
 +&till=2019-08-12T12%3A20%3A00.000Z
 </code> </code>
  
 **Response** **Response**
 <code> <code>
-TODO+
 +      "created" : "2019-08-12T12:09:41.260Z", 
 +      "creator" : "john_doe", 
 +      ... redacted ... 
 +      "_embedded" : { 
 +        "identity" : { 
 +          "username" : "john_doe", 
 +          "email" : "john.doe@czechidm.eu", 
 +          ... redacted ... 
 +        } 
 +      } 
 +}
 </code> </code>
 ==== Privilege/role assigned to identity ==== ==== Privilege/role assigned to identity ====
Line 232: Line 340:
 </code> </code>
 ==== Privilege/role revoked from identity ==== ==== Privilege/role revoked from identity ====
 +**Request**
 +<code>
 +GET /idm/api/v1/audits/search/quick
 +?size=99999
 +&page=0
 +&sort=timestamp,desc
 +&face=BETWEEN
 +&from=2019-08-12T12%3A25%3A00.000Z
 +&till=2019-08-12T12%3A32%3A00.000Z
 +&type=eu.bcvsolutions.idm.core.model.entity.IdmIdentityRole
 +&modification=DEL
 +&changedAttributesList=role&changedAttributesList=identityContract
 +</code>
 +
 +**Response**
 +<code>
 +{
 +      "id" : 402,
 +      "timestamp" : 1565612905714,
 +      "modifier" : "admin",
 +      "ownerCode" : "john",
 +      "subOwnerCode" : "manager",
 +      ... redacted ...
 +      "_embedded" : {
 +        "subOwnerId" : {
 +          "code" : "manager",
 +          "baseCode" : "manager",
 +          // name of the role
 +          "name" : "manager",
 +          "roleType" : "TECHNICAL",
 +          ... redacted ...
 +        },
 +        // user the role was removed from
 +        "ownerId" : {
 +          "firstName" : "John",
 +          "lastName" : "Doe",
 +          "email" : "john.doe@bcvsolutions.eu",
 +          ... redacted ...
 +        }
 +      }
 +    } ]
 +  }
 +</code>
 ==== Role request approved ==== ==== Role request approved ====
 +**Request**
 +<code>
 +GET /idm/api/v1/audits/search/quick
 +?size=99999
 +&page=0
 +&sort=timestamp,desc
 +&type=eu.bcvsolutions.idm.core.model.entity.IdmIdentityRole
 +&modification=ADD
 +&changedAttributesList=role
 +&changedAttributesList=identityContract
 +&face=TODAY
 +&from=2019-08-13T22%3A00%3A00.000Z
 +&till=2019-08-14T21%3A59%3A59.999Z
 +</code>
 +
 +**Response**
 +<code>
 +{
 +      "id" : 540,
 +      "timestamp" : 1565770422521,
 +      "modifier" : "admin",
 +      "ownerCode" : "jane",
 +      "subOwnerCode" : "test|development",
 +      ... redacted ...
 +      "_embedded" : {
 +        "entityId" : {
 +          ... redacted ...
 +          "_embedded" : {
 +            ... redacted ...
 +            "identityContract" : {
 +              "_embedded" : {
 +                "identity" : {
 +                  "username" : "jane",
 +                  "firstName" : "Jane",
 +                  "lastName" : "Doe",
 +                  "email" : "jane.doe@bcvsolutions.eu",
 +                  ... redacted ...
 +                }
 +              },
 +              "_eav" : [ ]
 +            },
 +            "role" : {
 +              "creator" : "admin",
 +              "code" : "test|development",
 +              "baseCode" : "test",
 +              "environment" : "development",
 +              "name" : "test",
 +              "roleType" : "TECHNICAL",
 +              ... redacted ...
 +            }
 +          },
 +          "_eav" : [ ]
 +    } ]
 +}
 +</code>
 ==== Role request rejected ==== ==== Role request rejected ====
 **Request** **Request**
Line 306: Line 512:
       "id" : 528,       "id" : 528,
       "timestamp" : 1565769780568,       "timestamp" : 1565769780568,
 +      // who created the role
       "modifier" : "admin",       "modifier" : "admin",
 +      // role name in the form of NAME|environment
       "ownerCode" : "CTO|production",       "ownerCode" : "CTO|production",
       ... redacted ...       ... redacted ...
Line 313: Line 521:
           "creator" : "admin",           "creator" : "admin",
           "code" : "CTO|production",           "code" : "CTO|production",
 +          // implementation name of the role
           "baseCode" : "CTO",           "baseCode" : "CTO",
 +          // deployment environment the role is intended for
           "environment" : "production",           "environment" : "production",
 +          // user friendly name of the role
           "name" : "CTO",           "name" : "CTO",
           "roleType" : "TECHNICAL",           "roleType" : "TECHNICAL",
Line 350: Line 561:
 </code> </code>
 ==== Role deleted ==== ==== Role deleted ====
 +**Request**
 +<code>
 +GET /idm/api/v1/audits/search/quick
 +?size=99999
 +&page=0
 +&sort=timestamp,desc
 +&type=eu.bcvsolutions.idm.core.model.entity.IdmRole
 +&face=BETWEEN
 +&from=2019-08-12T11%3A10%3A00.000Z
 +&till=2019-08-12T11%3A20%3A00.000Z
 +&modification=DEL
 +</code>
 +
 +**Response**
 +<code>
 +{
 +      "id" : 342,
 +      "timestamp" : 1565608213844,
 +      "modifier" : "admin",
 +      "ownerCode" : "manager|test",
 +      ... redacted ...
 +}
 +</code>
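Review bot: In the `Line 151: Line 157:` hunk the two identity state-change requests (`changedAttributesList=disabled` and `changedAttributesList=state`) are identical and carry no time window, so a SIEM collector polling either one re-reads the whole history and must derive enable versus disable by comparing `entity.disabled` with the previous state under `_embedded.entityId`. Bound them the way the password-history and role requests further down are bounded, by adding `&face=BETWEEN`, `&from=LAST_POLL_TIME` and `&till=NOW` (placeholder values), and state in the text that the direction of the change is read from the response, not from the query. The page uses `size=99999` with `page=0` in every request and never says what happens beyond that size; a sentence telling integrators to check whether the result was truncated would close that gap, though the paging part of the response is not shown here, so the exact field needs confirming against the API. The heading above the first of the two requests lies outside the hunk.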
  • by fiserp