IBM Cloud Activity Tracker¶
About¶
Compliance with internal policies and industry regulations is a key requirement in any organization's strategy, regardless of where applications run: on-premises, in a hybrid cloud, or in a public cloud. The IBM Cloud Activity Tracker service provides the framework and functionality to monitor API calls to services on the IBM Cloud and produces the evidence to comply with corporate policies and market industry-specific regulations. When you work in a cloud environment, such as the IBM Cloud, you must plan the cloud strategy for auditing and monitoring workloads and data in accordance with your internal policies and with industry and country-based compliance requirements. You can use the information that is registered through the IBM Cloud Activity Tracker service to identify security incidents, detect unauthorized access, and comply with regulatory and internal auditing requirements.
Product Details¶
Product Type: SaaS
Product Tier: Tier III
Integration URL: IBM Cloud Activity Tracker Technical Documentation
Integration Method: S3 Bucket
Log Guide: Event Fields
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 99%-100%
Data Label: IBM_CLOUD_ACTIVITY_TRACKER
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| action | metadata.product_event_type |
| correlationId | principal.user.attribute.labels |
| env | principal.location.name |
| eventTime | metadata.event_timestamp |
| initiator.authnName | principal.hostname |
| initiator.credential.type | principal.user.attribute.labels |
| initiator.host.address | principal.ip |
| initiator.id | principal.user.userid |
| initiator.name | principal.hostname |
| logSourceCRN | observer.resource_ancestors.name |
| message | metadata.description |
| observer.name | observer.resource.name |
| outcome | security_result.action |
| reason.reasonCode | network.http.response_code |
| reasonForFailure | security_result.action_details |
| requestData.request_body.method | network.http.method |
| requestId | additional.fields |
| responseData.CRNs | target.resource_ancestors.name |
| responseData.VolumeAttachments.Server.ServerIdentity | target.resource_ancestors.product_object_id |
| responseData.VolumeAttachments.Server.ServerIdentityByName | target.resource_ancestors.name |
| severity | security_result.severity |
| target.id | target.resource.name |
| target.name | target.hostname |
| target.resourceGroupId | target.group.attribute.labels |
| vtime | metadata.collected_timestamp |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| .create | USER_RESOURCE_CREATION |
| .read | USER_RESOURCE_ACCESS |
| .update | USER_RESOURCE_UPDATE_CONTENT |
| .detach | USER_RESOURCE_DELETION |
| all others | GENERIC_EVENT |
Log Sample¶
{"action":"is.instance.network-interface.read","correlationId":"12345678-b510-41b5-aca0-44b0e62e301c","dataEvent":false,"env":"env-prod","eventTime":"2024-07-08T08:01:52.38+0000","initiator":{"authnId":"iam-ServiceId-12345678-f0e4-483e-a48c-16758fae3078","authnName":"hostname1","credential":{"type":"token"},"host":{"address":"10.60.115.44","addressType":"IPv4","agent":"terraform-provider-ibm/1.67.1"},"id":"iam-ServiceId-12345678-f0e4-483e-a48c-16758fae3078","name":"ServiceId-12345678-f0e4-483e-a48c-16758fae3078","typeURI":"service/security/account/serviceid"},"logSourceCRN":"crn:v1:resource2","message":"Virtual Server for VPC: read network-interface hostname2","observer":{"name":"ActivityTracker"},"outcome":"success","reason":{"reasonCode":200,"reasonType":"OK"},"requestData":{"generation":"2"},"responseData":{"responseURI":"/v1/instances/0717_17e31d58-faea-4543-9a0c-f61036f68e82/network_interfaces/0717-1d7c3b59-0786-4b26-9112-d9074a34df45"},"saveServiceCopy":true,"severity":"normal","source":"ibm_activity_tracker","target":{"id":"crn:v1:resource1","name":"hostname2","resourceGroupId":"","typeURI":"is.instance/network-interface"},"vtime":"2024-07-08T08:01:57.768859362Z"}
Sample Parsing¶
metadata.event_timestamp = "2024-07-08T08:01:52.38+0000"
metadta.collected_timestamp = "2024-07-08T08:01:57.768859362Z"
metadata.vendor_name = "IBM"
metadata.product_name = "IBM Cloud Activity Tracker"
metadata.event_type = "USER_RESOURCE_ACCESS"
metadata.description = "Virtual Server for VPC: read network-interface hostname2"
principal.hostname = "hostname1"
principal.user.product_object_id = "12345678-f0e4-483e-a48c-16758fae3078"
principal.user.userid = "iam-ServiceId-12345678-f0e4-483e-a48c-16758fae3078"
principal.user.attribute.labels.key = "credentialType"
principal.user.attribute.labels.value = "token"
principal.user.attribute.labels.key = "correlationId"
principal.user.attribute.labels.value = "12345678-b510-41b5-aca0-44b0e62e301c"
principal.ip = "10.60.115.44"
principal.location.name = "env-prod"
target.hostname = "hostname2"
target.resource.name = "crn:v1:resource1"
observer.resource.name = "ActivityTracker"
observer.resource_ancestors.name = "crn:v1:resource2"
security_result.action = "ALLOW"
security_result.severity = "LOW"
network.http.user.agent = "terraform-provider-ibm/1.67.1"
network.http.response_code = "200"
Rules¶
Coming Soon