Introduction

Audit events enable organization administrators to review the actions performed by members of your organization using details provided by the Audit logs - who performed the action, performed it, and what the action was.  Before getting into the article I want to mention this blog was written by Abhishek Juneja, a Principal Product Manager of Identity & FA Security - Cloud. This blog helps expand on some blogs I wrote on IDCS Audit --- Identity Cloud Services Audit Event REST API and Identity Cloud Services Audit Reports using Visual Analyzer.

Oracle Identity Cloud Service (IDCS), being the Identity and Access Management platform, is the central point of control for all activities happening in the system. It generates Audit data in response to all administrator and end user’s operations such as User Login, Application Access, Password Reset, User Profile Update, CRUD operations on Users, Group, Applications, etc.
Using the comprehensive IDCS Audit data, customer can:

• Quickly generate comprehensive reports for Administrators or End-users’ activities
• Capture historical user activity for later analysis
• Generate powerful statistics and analytics by ingesting data in Analytics tools

AUDIT Event REST Endpoints

Oracle Identity Cloud Service (IDCS), based on API-first model, provides a rich set of REST endpoints that enable you to manage your resources, including identities, applications, policies and configuration data. The Audit Events REST endpoints enable you to get Audit logs covering significant events, changes or actions. Using these APIs, you can integrate all Security Information and Event Management (SIEM), User and Entity Behavior Analytics (UEBA), and Cloud Access Security Broker (CASB) to poll Audit data.

• IDCS Audit Event APIs provide read access to your organization’s Audit records.
• Audit records are stored in IDCS for maximum 90 days, beyond that time period IDCS Audit records are purged
• Audit events related dates and times use the Coordinated Universal Time (UTC) format: YYYY-MM-DDThh:mm:ss.mscZ. For example 2018-03-24T10:24:24.022Z.

Who can access Audit data?

• User in IDCS Domain Administrator or Audit Administrator role
• An application that has authorization to access the IDCS Audit API

IDCS Audit Events

This section provides Event IDs of some of the most crucial events in Oracle Identity Cloud Service.

Single Sign-On -

• User Logins Success - sso.session.create.success
• User Logins Failure - sso.authentication.failure

Application Access events -

• Application Access Success - sso.app.access.success
• Application Access Failure - sso.app.access.failure

Multi-factor Authentication -

• Step-up authentication for User - sso.auth.factor.initiated
• ByPass Code Creation - sso.bypasscode.create.success
• ByPass Code Deletion - sso.bypasscode.delete.success

Self-Registration -

• User Self-Registration success - admin.me.register.success

Self-Service Access Request -

• Access Request Success - admin.myrequest.create.success

Notifications -

• Notification Delivery success          - notification.delivery.success
• Notification Delivery Failure            - notification.delivery.failure

Identity Bridge Sync -

• ID Bridge Sync Success                  - idbridge.sync.success
• ID Bridge Sync Failure                     - idbridge.sync.failure

Forgot/ RESET Password -

• Password Reset success                  - admin.me.password.reset.success

Reset Password initiated by Administrator -

• Password Reset success                  - admin.user.password.reset.success

Change Password -

• Password Change Success              - admin.me.password.change.success
• Password Change Failure                 - admin.me.password.change.failure

User CRUD operations -

• User Create success                         - admin.user.create.success
• User Activate success                       - admin.user.activated.success
• User Update success                        - admin.user.update.success
• User Delete success                         - admin.user.delete.success

GROUP CRUD operations -

• Group Create success                       - admin.group.create.success
• Group Update success                      - admin.group.update.success
• Group Delete success                       - admin.group.delete.success
• Group membership assignment        - admin.group.add.member.success
• Group membership removal              - admin.group.remove.member.success

Application CRUD operations -

• Application Create                             - admin.app.create.success
• Application Update                            - admin.app.update.success
• Application Delete                             - admin.app.delete.success

User provisioning -

• Successful User Provisioning            - admin.account.create.success
• Unsuccessful User Provisioning        - admin.account.delete.success

Event Resources

This section describes a list of crucial event resources.

• eventId                                               - Event ID as defined by IDCS components
• actorName                                         - User name (login name) from security context
• actorDisplayName                             - User display name from security context
• actorId                                                - User GUID from security context
• actorType                                            - "Actor type - User/Client"
• ssoSessionId                                      - Cloud SSO identifier
• ssoIdentityProvider                             - SSO Identity Provider
• ssoAuthFactor                                     - Authentication Factor used for authentication
• ssoApplicationId                                  - Application identifier GUID
• ssoApplicationType                             - SSO Application Type;

Application Type indicating if OPC or NONOPC based on hosting and
If type SAML, OAUTH or SFF based on protocol.

• clientIp                                                 - IP address of the client application making the request
• ssoUserAgent                                      - User's device information
• ssoPlatform                                          - Platform used to perform authentication
• ssoProtectedResource                         - Protected resource URI (Resource host, port, and context)
• ssoMatchedSignOnPolicy                     - Matched Sign-On Policy, added since 18.1.2
• Message                                               - Message for event-specific success or failure
• Timestamp                                            - Timestamp of when the event occurred

Audit Schema

You can find the Audit Schema, where all this information is available, by running /admin/v1/schemas/{id} endpoint with urn:ietf:params:scim:schemas:oracle:idcs:AuditEvent as {id}.

The following screenshot shows how to retrieve AuditEvents schema by submitting a GET request on the REST resource.

Learn by Example

A well-described Oracle Identity Cloud Service REST AUDIT APIs Postman collection is available here in the section Import the Postman Collection and Global Variables that includes some nice audit examples to help get you up to speed. Once you import this collection, you can simply type “audit” in the Postman filter to find all the audit requests.

References

• IDCS Audit Event REST API, a blog on how to execute Identity Cloud Service Audit Event REST API
• Using the Oracle Identity Cloud Service REST APIs with Postman
• IETF SCIM specifications