Audit events enable organization administrators to review the actions performed by members of your organization using details provided by the Audit logs: who performed the action, when it was performed, and what the action was. Before getting into the article I want to mention that this blog was written by Abhishek Juneja, a Principal Product Manager of Identity & FA Security - Cloud. This blog helps expand on some blogs I wrote on IDCS Audit: Identity Cloud Services Audit Event REST API and Identity Cloud Services Audit Reports using Visual Analyzer.
Oracle Identity Cloud Service (IDCS), being the Identity and Access Management platform, is the central point of control for all activities happening in the system. It generates Audit data in response to all administrator and end-user operations such as User Login, Application Access, Password Reset, User Profile Update, CRUD operations on Users, Groups, Applications, etc.
Using the comprehensive IDCS Audit data, customers can:
• Quickly generate comprehensive reports for Administrators or End-users’ activities
• Capture historical user activity for later analysis
• Generate powerful statistics and analytics by ingesting data in Analytics tools
Oracle Identity Cloud Service (IDCS), based on API-first model, provides a rich set of REST endpoints that enable you to manage your resources, including identities, applications, policies and configuration data. The Audit Events REST endpoints enable you to get Audit logs covering significant events, changes or actions. Using these APIs, you can integrate all Security Information and Event Management (SIEM), User and Entity Behavior Analytics (UEBA), and Cloud Access Security Broker (CASB) to poll Audit data.
• IDCS Audit Event APIs provide read access to your organization’s Audit records.
• Audit records are stored in IDCS for a maximum of 90 days; beyond that period they are purged
• Audit events related dates and times use the Coordinated Universal Time (UTC) format: YYYY-MM-DDThh:mm:ss.mscZ. For example 2018-03-24T10:24:24.022Z.
• User in IDCS Domain Administrator or Audit Administrator role
• An application that has authorization to access the IDCS Audit API
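Added example, not from the original post or Oracle's code: the time-window logic a SIEM collector needs when polling the Audit Events API, honouring the 90-day retention limit and the UTC timestamp format described above. The helper names and the lowercase `timestamp` attribute name are assumptions; confirm the attribute against the AuditEvent schema.

```python
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=90)  # page: audit records older than 90 days are purged
TS_ATTR = "timestamp"           # assumption: check the name in the AuditEvent schema


def idcs_ts(dt):
    """Format a timezone-aware datetime as UTC with millisecond precision."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: attach a timezone before polling")
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def poll_windows(checkpoint, now, step=timedelta(hours=1)):
    """Yield (start, end, gap) windows covering checkpoint..now.

    If the checkpoint is older than the retention period, the start is moved
    forward and gap=True on the first window reports that events were lost.
    """
    oldest = now - RETENTION
    gap = checkpoint < oldest
    start = max(checkpoint, oldest)
    while start < now:
        end = min(start + step, now)
        yield start, end, gap
        gap = False
        start = end


def scim_filter(start, end, event_ids=()):
    """Build a SCIM (RFC 7644) filter: half-open time range, optional eventIds.

    'ge' on the start and 'lt' on the end keep consecutive polls from
    returning the same boundary event twice.
    """
    parts = [f'{TS_ATTR} ge "{idcs_ts(start)}"', f'{TS_ATTR} lt "{idcs_ts(end)}"']
    if event_ids:
        ids = " or ".join(f'eventId eq "{e}"' for e in event_ids)
        parts.append(f"({ids})")
    return " and ".join(parts)
```

A collector would persist the `end` of the last window it ingested as the next checkpoint and raise an operational alert whenever `gap` is true.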
This section provides Event IDs of some of the most crucial events in Oracle Identity Cloud Service.
• User Logins Success - sso.session.create.success
• User Logins Failure - sso.authentication.failure
• Application Access Success - sso.app.access.success
• Application Access Failure - sso.app.access.failure
• Step-up authentication for User - sso.auth.factor.initiated
• ByPass Code Creation - sso.bypasscode.create.success
• ByPass Code Deletion - sso.bypasscode.delete.success
• User Self-Registration success - admin.me.register.success
• Access Request Success - admin.myrequest.create.success
• Notification Delivery success - notification.delivery.success
• Notification Delivery Failure - notification.delivery.failure
• ID Bridge Sync Success - idbridge.sync.success
• ID Bridge Sync Failure - idbridge.sync.failure
• Password Reset success - admin.me.password.reset.success
• Password Reset success - admin.user.password.reset.success
• Password Change Success - admin.me.password.change.success
• Password Change Failure - admin.me.password.change.failure
• User Create success - admin.user.create.success
• User Activate success - admin.user.activated.success
• User Update success - admin.user.update.success
• User Delete success - admin.user.delete.success
• Group Create success - admin.group.create.success
• Group Update success - admin.group.update.success
• Group Delete success - admin.group.delete.success
• Group membership assignment - admin.group.add.member.success
• Group membership removal - admin.group.remove.member.success
• Application Create - admin.app.create.success
• Application Update - admin.app.update.success
• Application Delete - admin.app.delete.success
• Successful User Provisioning - admin.account.create.success
• Unsuccessful User Provisioning - admin.account.delete.success
This section describes a list of crucial event resources.
• eventId - Event ID as defined by IDCS components
• actorName - User name (login name) from security context
• actorDisplayName - User display name from security context
• actorId - User GUID from security context
• actorType - Actor type (User/Client)
• ssoSessionId - Cloud SSO identifier
• ssoIdentityProvider - SSO Identity Provider
• ssoAuthFactor - Authentication Factor used for authentication
• ssoApplicationId - Application identifier GUID
• ssoApplicationType - SSO Application Type: OPC or NONOPC based on hosting, and SAML, OAUTH or SFF based on protocol
• clientIp - IP address of the client application making the request
• ssoUserAgent - User's device information
• ssoPlatform - Platform used to perform authentication
• ssoProtectedResource - Protected resource URI (Resource host, port, and context)
• ssoMatchedSignOnPolicy - Matched Sign-On Policy, added since 18.1.2
• Message - Message for event-specific success or failure
• Timestamp - Timestamp of when the event occurred
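Added example, not part of the original post: detection logic that a SIEM rule could apply to polled audit records, using the event IDs and attributes listed above. The sample records are constructed, and the thresholds, rule names and lowercase `timestamp` key are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL, OK = "sso.authentication.failure", "sso.session.create.success"
# Event IDs from the list above that merit review whenever they occur.
WATCH = {"sso.bypasscode.create.success", "admin.group.add.member.success"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")


def detect(events, threshold=3, window=timedelta(minutes=5)):
    """Return alerts as (rule, actorName, clientIp, timestamp) tuples."""
    alerts = []
    recent = defaultdict(deque)  # clientIp -> timestamps of recent login failures
    for ev in sorted(events, key=lambda e: parse_ts(e["timestamp"])):
        ts, ip, actor = parse_ts(ev["timestamp"]), ev.get("clientIp"), ev.get("actorName")
        fails = recent[ip]
        while fails and ts - fails[0] > window:  # expire failures outside the window
            fails.popleft()
        if ev["eventId"] == FAIL:
            fails.append(ts)
            if len(fails) == threshold:  # alert once per burst, at the threshold
                alerts.append(("failure-burst", actor, ip, ev["timestamp"]))
        elif ev["eventId"] == OK and len(fails) >= threshold:
            alerts.append(("login-after-burst", actor, ip, ev["timestamp"]))
            fails.clear()
        elif ev["eventId"] in WATCH:
            alerts.append(("sensitive-change", actor, ip, ev["timestamp"]))
    return alerts


def _ev(event_id, actor, ip, ts):
    return {"eventId": event_id, "actorName": actor, "clientIp": ip, "timestamp": ts}


# Constructed sample records (documentation IP ranges, not real audit data).
SAMPLE = [
    _ev(FAIL, "alice", "203.0.113.7", "2018-03-24T10:24:24.022Z"),
    _ev(FAIL, "bob", "203.0.113.7", "2018-03-24T10:24:50.100Z"),
    _ev(FAIL, "carol", "203.0.113.7", "2018-03-24T10:25:30.000Z"),
    _ev(OK, "carol", "203.0.113.7", "2018-03-24T10:26:01.500Z"),
    _ev("sso.bypasscode.create.success", "admin1", "198.51.100.4", "2018-03-24T11:00:00.000Z"),
    _ev(OK, "dave", "198.51.100.9", "2018-03-24T11:05:00.000Z"),
]
```

Failures are grouped by `clientIp` rather than `actorName`, so one source failing against several accounts is counted as a single burst.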
You can find the Audit Schema, where all this information is available, by calling the /admin/v1/schemas/{id} endpoint with urn:ietf:params:scim:schemas:oracle:idcs:AuditEvent as {id}.
The following screenshot shows how to retrieve AuditEvents schema by submitting a GET request on the REST resource.
A well-described Oracle Identity Cloud Service REST AUDIT APIs Postman collection is available here in the section Import the Postman Collection and Global Variables that includes some nice audit examples to help get you up to speed. Once you import this collection, you can simply type “audit” in the Postman filter to find all the audit requests.
• IDCS Audit Event REST API, a blog on how to execute Identity Cloud Service Audit Event REST API
• Using the Oracle Identity Cloud Service REST APIs with Postman
• IETF SCIM specifications