9.0 Custom Audit Events

This section lists the custom audit events that are generated by policies in each driver. These events are sent to the Identity Manager Collector, which parses them and stores the information in the Sentinel data store.

These events are used to inject business relevance instead of sending raw data events. This allows you to verify that your business policies and processes are being enforced.

In the past, Sentinel tracked Add, Delete, and Modify events. Sentinel could report on how many events occurred, but not whether a given event was supposed to occur. The custom events track the granting and revoking of entitlements. The entitlements generate Add, Delete, or Modify events. Sentinel tracks which entitlement generated the Add event, so the reports show when and why an Add event occurred, instead of just when it occurred.

Figure 9-1 represents the common components that make up the event structure. Each item in the illustration is part of an event. The different items are tracked to verify the uniqueness of the event.

Figure 9-1 Components of the Event Structure

Table 9-1 contains the general event structure. The defined events are in the dirxml_custom.lsc file that is on the Identity Manager 3.6 media.

Table 9-1 General Event Structure

| Descriptive Name | Description | Format | Audit Field Name | Sample Data |
|---|---|---|---|---|
| Audit Event ID | 1200-1299 | Int/Hex | | |
| Version | Sequential number incremented by one whenever the event structure changes. | Int | Value 3 (3) | |
| Originator | Always the driver DN. | String | Originator (B) | |
| Target | Object (account) in the connected application. | String | Target (U) | |
| Target Type | 0=None, 1=DN in Slash Notation, 2=DN in Dot Notation, 3=DN in LDAP Notation, 4=Association | Int | targetType (V) | |
| Sub Target | Entitlements/attribute name. | String | Sub-Target (Y) | |
| Status | Identity Manager status. | Int | value (1) | 0=success, 1=retry, 2=warning, 3=error, 4=fatal |
| IDM Event ID | @event-id from XDS document | String | Text 3 (F) | |
| Identity | GUID | B64 encoded octet string value | Text 1 (S) | |

The following events are defined:

EventID 000304B0

This is the Account Create By Entitlements Grant. The following table contains the fields of this EventID, with the proper values.

Table 9-2 Account Create By Entitlements Grant

| Fields | Values |
|---|---|
| Originator (B) Title | Driver DN |
| Target (U) Title | Target account DN or the association |
| Subtarget (V) Title | Entitlement |
| Text1 (S) Title | Source Identity DN or GUID |
| Text2 (T) Title | Detail |
| Text3 (F) Title | Identity Manager EventID |
| Value1 (1) Title | Status |
| Value1 Type | N |
| Value2 (2) Title | |
| Value2 Type | |
| Value3 (3) Title | Version |
| Value3 Type | N |
| Group (G) Title | |
| Group Type | |
| Data (D) Title | XML Document |
| Data Type | S |
| Display Schema | [$TC] $SO: Account $SU created by entitlement $SV; Status:$N1 Driver:$SB from $iR\n |

EventID 000304B1

This is the Account Delete By Entitlements Revoke. The following table contains the fields of this EventID, with the proper values.

Table 9-3 Account Delete By Entitlements Revoke

| Fields | Values |
|---|---|
| Originator (B) Title | Driver DN |
| Target (U) Title | Target account DN or the association |
| Subtarget (V) Title | Entitlement |
| Text1 (S) Title | Source Identity DN or GUID |
| Text2 (T) Title | Detail |
| Text3 (F) Title | Identity Manager EventID |
| Value1 (1) Title | Status |
| Value1 Type | N |
| Value2 (2) Title | |
| Value2 Type | |
| Value3 (3) Title | Version |
| Value3 Type | N |
| Group (G) Title | |
| Group Type | |
| Data (D) Title | XML Document |
| Data Type | S |
| Display Schema | [$TC] $SO: Account $SU deleted by entitlement $SV; Status:$N1 Driver:$SB from $iR\n |

EventID 000303B2

This is the Account Disabled By Entitlements Revoke. The following table contains the fields of this EventID, with the proper values.

Table 9-4 Account Disabled By Entitlements Revoke

| Fields | Values |
|---|---|
| Originator (B) Title | Driver DN |
| Target (U) Title | Target account DN or the association |
| Subtarget (V) Title | Entitlement |
| Text1 (S) Title | Source Identity DN or GUID |
| Text2 (T) Title | Detail |
| Text3 (F) Title | Identity Manager EventID |
| Value1 (1) Title | Status |
| Value1 Type | N |
| Value2 (2) Title | |
| Value2 Type | |
| Value3 (3) Title | Version |
| Value3 Type | N |
| Group (G) Title | |
| Group Type | |
| Data (D) Title | XML Document |
| Data Type | S |
| Display Schema | [$TC] $SO: Account $SU disabled by entitlement $SV; Status:$N1 Driver:$SB from $iR\n |

EventID 000304B3

This is the Account Enable By Entitlements Grant. The following table contains the fields of this EventID with the proper values.

Table 9-5 Account Enable By Entitlements Grant

| Fields | Values |
|---|---|
| Originator (B) Title | Driver DN |
| Target (U) Title | Target account DN or the association |
| Subtarget (V) Title | Entitlement |
| Text1 (S) Title | Source Identity DN or GUID |
| Text2 (T) Title | Detail |
| Text3 (F) Title | Identity Manager EventID |
| Value1 (1) Title | Status |
| Value1 Type | N |
| Value2 (2) Title | |
| Value2 Type | |
| Value3 (3) Title | Version |
| Value3 Type | N |
| Group (G) Title | |
| Group Type | |
| Data (D) Title | XML Document |
| Data Type | S |
| Display Schema | [$TC] $SO: Account $SU enabled by entitlement $SV; Status:$N1 Driver:$SB from $iR\n |

EventID 000304CE

This is the Driver Health State Change. The following table contains the fields of this EventID, with the proper values.

Table 9-6 Driver Health State Change

| Fields | Values |
|---|---|
| Originator (B) Title | Driver DN |
| Target (U) Title | |
| Subtarget (V) Title | |
| Text1 (S) Title | |
| Text2 (T) Title | |
| Text3 (F) Title | |
| Value1 (1) Title | Status |
| Value1 Type | N |
| Value2 (2) Title | |
| Value2 Type | |
| Value3 (3) Title | Version |
| Value3 Type | N |
| Group (G) Title | |
| Group Type | |
| Data (D) Title | |
| Data Type | |
| Display Schema | [$TC] $SO: Account $SU enabled by entitlement $SV; Status:$N1 Driver:$SB from $iR\n |

EventID 000304D9

This is a Generic Event. The following table contains the fields of this EventID with the proper values.

Table 9-7 Generic Event

| Fields | Values |
|---|---|
| Originator (B) Title | Driver DN |
| Target (U) Title | Target Object DN |
| Subtarget (V) Title | Object Class |
| Text1 (S) Title | Source Identity DN |
| Text2 (T) Title | Detail |
| Text3 (F) Title | Identity Manager EventID |
| Value1 (1) Title | Status |
| Value1 Type | N |
| Value2 (2) Title | |
| Value2 Type | |
| Value3 (3) Title | Version |
| Value3 Type | N |
| Group (G) Title | |
| Group Type | |
| Data (D) Title | XML Document |
| Data Type | S |
| Display Schema | [$TC] $SO: Event: $ST; Src DN: $SS; Object: $SU |
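
The following Python code is an added example, not part of the Identity Manager documentation: it maps records carrying the field letters from Tables 9-2 through 9-7 to named fields and lists the reasons an event deserves an analyst's attention. The record layout (a dictionary keyed by field letter), the sample values, and the reading of the low 16 bits of the EventID as the 1200-1299 number from Table 9-1 are assumptions.

```python
EVENT_NAMES = {  # EventIDs and names as listed on this page
    0x000304B0: "Account Create By Entitlements Grant",
    0x000304B1: "Account Delete By Entitlements Revoke",
    0x000303B2: "Account Disabled By Entitlements Revoke",
    0x000304B3: "Account Enable By Entitlements Grant",
    0x000304CE: "Driver Health State Change",
    0x000304D9: "Generic Event",
}
STATUS = {0: "success", 1: "retry", 2: "warning", 3: "error", 4: "fatal"}  # Table 9-1
ENTITLEMENT_EVENTS = {0x000304B0, 0x000304B1, 0x000303B2, 0x000304B3}

def in_custom_range(event_id):
    return 1200 <= (event_id & 0xFFFF) <= 1299  # assumption: low 16 bits = Table 9-1 number

def normalize(raw):
    """Map a record keyed by audit field letters (B, U, V, S, 1) to named fields."""
    eid = int(raw["id"], 16)
    return {
        "event_id": eid,
        "name": EVENT_NAMES.get(eid, "unknown"),
        "driver": raw.get("B", ""),
        "target": raw.get("U", ""),
        "entitlement": raw.get("V", ""),
        "identity": raw.get("S", ""),
        "status": STATUS.get(raw.get("1"), "unknown"),
    }

def review_reasons(ev):
    """Return why an analyst should look at this event; an empty list means nothing to flag."""
    reasons = []
    if ev["name"] == "unknown":
        reasons.append("event ID not in the documented list")
    if not in_custom_range(ev["event_id"]):
        reasons.append("event ID outside 1200-1299")
    if ev["status"] != "success":
        reasons.append("status is " + ev["status"])
    if ev["event_id"] in ENTITLEMENT_EVENTS and not ev["entitlement"]:
        reasons.append("account change without a named entitlement")
    return reasons

SAMPLE = [  # constructed records, not captured from a real driver
    {"id": "000304B0", "B": "cn=AD,cn=DriverSet,o=acme", "U": "cn=jdoe,ou=users,o=acme", "V": "UserAccount", "S": "c29tZS1ndWlk", "1": 0},
    {"id": "000304B1", "B": "cn=AD,cn=DriverSet,o=acme", "U": "cn=asmith,ou=users,o=acme", "V": "UserAccount", "S": "b3RoZXItZ3Vp", "1": 3},
    {"id": "000304B0", "B": "cn=AD,cn=DriverSet,o=acme", "U": "cn=svc01,ou=users,o=acme", "V": "", "S": "", "1": 0},
]

if __name__ == "__main__":
    for ev in map(normalize, SAMPLE):
        print(ev["name"], "|", ev["target"], "|", review_reasons(ev) or "ok")
```

Under the low-16-bits assumption, the EventID printed as 000303B2 decodes to 946, so a filter on the 1200-1299 range alone would not match it, while the lookup by listed ID still does.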