9.0 Custom Audit Events
This section contains a list of the custom audit events that are generated by policies in each driver. These events are sent to the Identity Manager Collector. It parses the events and stores this information in the Sentinel data store.
These events are used to inject business relevance instead of sending raw data events. This allows you to verify that your business policies and processes are being enforced.
In the past, Sentinel tracked Add, Delete, and Modify events. Sentinel could report on how many events occurred, but not whether an event was supposed to occur. The custom events track the granting and revoking of entitlements. The entitlements generate Add, Delete, or Modify events. Sentinel tracks which entitlement generated the Add event, and the reports show when and why an Add event occurred, instead of just when an Add event occurred.
Figure 9-1 represents the common components that make up the event structure. Each item in the illustration is part of an event. The different items are tracked to verify the uniqueness of the event.
Table 9-1 contains the general event structure. The defined events are in the dirxml_custom.lsc file that is on the Identity Manager 3.6 media.
Table 9-1 General Event Structure

| Field | Description | Type | Event field | Values |
|---|---|---|---|---|
| Audit Event ID | 1200-1299 | Int/Hex | | |
| Version | Sequential number incremented by one whenever the event structure changes. | Int | Value 3 (3) | |
| Originator | Always the driver DN. | String | Originator (B) | |
| Target | Object (account) in the connected application. | String | Target (U) | |
| Target Type | 0=None; 1=DN in Slash Notation; 2=DN in Dot Notation; 3=DN in LDAP Notation; 4=Association | Int | targetType (V) | |
| Sub Target | Entitlements/attribute name. | String | Sub-Target (Y) | |
| Status | Identity Manager status. | Int | value (1) | 0=success; 1=retry; 2=warning; 3=error; 4=fatal |
| IDM Event ID | @event-id from XDS document | String | Text 3 (F) | |
| Identity | GUID | B64 encoded octet string value | Text 1 (S) | |

The following events are defined:
EventID 000304B0
This is the Account Create By Entitlements Grant. The following table contains the fields of this EventID, with the proper values.
Table 9-2 Account Create By Entitlements Grant

| Field | Value |
|---|---|
| Originator (B) Title | Driver DN |
| Target (U) Title | Target account DN or the association |
| Subtarget (V) Title | Entitlement |
| Text1 (S) Title | Source Identity DN or GUID |
| Text2 (T) Title | Detail |
| Text3 (F) Title | Identity Manager EventID |
| Value1 (1) Title | Status |
| Value1 Type | N |
| Value2 (2) Title | |
| Value2 Type | |
| Value3 (3) Title | Version |
| Value3 Type | N |
| Group (G) Title | |
| Group Type | |
| Data (D) Title | XML Document |
| Data Type | S |
| Display Schema | [$TC] $SO: Account $SU created by entitlement $SV; Status:$N1 Driver:$SB from $iR\n |

EventID 000304B1
This is the Account Delete By Entitlements Revoke. The following table contains the fields of this EventID, with the proper values.
Table 9-3 Account Delete By Entitlements Revoke

| Field | Value |
|---|---|
| Originator (B) Title | Driver DN |
| Target (U) Title | Target account DN or the association |
| Subtarget (V) Title | Entitlement |
| Text1 (S) Title | Source Identity DN or GUID |
| Text2 (T) Title | Detail |
| Text3 (F) Title | Identity Manager EventID |
| Value1 (1) Title | Status |
| Value1 Type | N |
| Value2 (2) Title | |
| Value2 Type | |
| Value3 (3) Title | Version |
| Value3 Type | N |
| Group (G) Title | |
| Group Type | |
| Data (D) Title | XML Document |
| Data Type | S |
| Display Schema | [$TC] $SO: Account $SU deleted by entitlement $SV; Status:$N1 Driver:$SB from $iR\n |

EventID 000303B2
This is the Account Disabled By Entitlements Revoke. The following table contains the fields of this EventID, with the proper values.
Table 9-4 Account Disabled By Entitlements Revoke

| Field | Value |
|---|---|
| Originator (B) Title | Driver DN |
| Target (U) Title | Target account DN or the association |
| Subtarget (V) Title | Entitlement |
| Text1 (S) Title | Source Identity DN or GUID |
| Text2 (T) Title | Detail |
| Text3 (F) Title | Identity Manager EventID |
| Value1 (1) Title | Status |
| Value1 Type | N |
| Value2 (2) Title | |
| Value2 Type | |
| Value3 (3) Title | Version |
| Value3 Type | N |
| Group (G) Title | |
| Group Type | |
| Data (D) Title | XML Document |
| Data Type | S |
| Display Schema | [$TC] $SO: Account $SU disabled by entitlement $SV; Status:$N1 Driver:$SB from $iR\n |

EventID 000304B3
This is the Account Enable By Entitlements Grant. The following table contains the fields of this EventID with the proper values.
Table 9-5 Account Enable By Entitlements Grant

| Field | Value |
|---|---|
| Originator (B) Title | Driver DN |
| Target (U) Title | Target account DN or the association |
| Subtarget (V) Title | Entitlement |
| Text1 (S) Title | Source Identity DN or GUID |
| Text2 (T) Title | Detail |
| Text3 (F) Title | Identity Manager EventID |
| Value1 (1) Title | Status |
| Value1 Type | N |
| Value2 (2) Title | |
| Value2 Type | |
| Value3 (3) Title | Version |
| Value3 Type | N |
| Group (G) Title | |
| Group Type | |
| Data (D) Title | XML Document |
| Data Type | S |
| Display Schema | [$TC] $SO: Account $SU enabled by entitlement $SV; Status:$N1 Driver:$SB from $iR\n |

EventID 000304CE
This is the Driver Health State Change. The following table contains the fields of this EventID, with the proper values.
Table 9-6 Driver Health State Change

| Field | Value |
|---|---|
| Originator (B) Title | Driver DN |
| Target (U) Title | |
| Subtarget (V) Title | |
| Text1 (S) Title | |
| Text2 (T) Title | |
| Text3 (F) Title | |
| Value1 (1) Title | Status |
| Value1 Type | N |
| Value2 (2) Title | |
| Value2 Type | |
| Value3 (3) Title | Version |
| Value3 Type | N |
| Group (G) Title | |
| Group Type | |
| Data (D) Title | |
| Data Type | |
| Display Schema | [$TC] $SO: Account $SU enabled by entitlement $SV; Status:$N1 Driver:$SB from $iR\n |

EventID 000304D9
This is a Generic Event. The following table contains the fields of this EventID with the proper values.
Table 9-7 Generic Event

| Field | Value |
|---|---|
| Originator (B) Title | Driver DN |
| Target (U) Title | Target Object DN |
| Subtarget (V) Title | Object Class |
| Text1 (S) Title | Source Identity DN |
| Text2 (T) Title | Detail |
| Text3 (F) Title | Identity Manager EventID |
| Value1 (1) Title | Status |
| Value1 Type | N |
| Value2 (2) Title | |
| Value2 Type | |
| Value3 (3) Title | Version |
| Value3 Type | N |
| Group (G) Title | |
| Group Type | |
| Data (D) Title | XML Document |
| Data Type | S |
| Display Schema | [$TC] $SO: Event: $ST; Src DN: $SS; Object: $SU |
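
The following is an added example, not part of the original documentation or the product's code. It replays the four account events defined above to derive the account state the entitlements imply, then compares that with what actually exists in the connected application. The record shape (a dict keyed by the field letters used in the tables), the inventory format, and all sample values are assumptions.

```python
# Field letters (B, U, V, 1) follow the tables on this page; the dict record
# shape and inventory format are assumptions. IDs are as printed on this page.
ACCOUNT_EVENTS = {
    "000304B0": "active",    # Account Create By Entitlements Grant
    "000304B1": "absent",    # Account Delete By Entitlements Revoke
    "000303B2": "disabled",  # Account Disabled By Entitlements Revoke
    "000304B3": "active",    # Account Enable By Entitlements Grant
}
STATUS = {0: "success", 1: "retry", 2: "warning", 3: "error", 4: "fatal"}


def replay(events):
    """Replay events in order; return (expected, failures).

    expected: Target (U) -> (state, entitlement, driver DN).
    failures: (target, entitlement, status) for each non-success event.
    """
    expected, failures = {}, []
    for ev in events:
        new_state = ACCOUNT_EVENTS.get(ev["id"].upper())
        if new_state is None:
            continue  # driver health, generic, or unrelated event
        status = int(ev["1"])
        if status != 0:
            failures.append((ev["U"], ev["V"], STATUS.get(status, "unknown")))
            continue  # a failed grant or revoke did not change the account
        expected[ev["U"]] = (new_state, ev["V"], ev["B"])
    return expected, failures


def unexplained(inventory, expected):
    """Return (account, actual, expected) where the application disagrees."""
    findings = []
    for account in sorted(set(inventory) | set(expected)):
        actual = inventory.get(account, "absent")
        want = expected.get(account, ("absent",))[0]
        if actual != want:
            findings.append((account, actual, want))
    return findings


# Constructed sample data, not taken from a real system.
DRIVER = "\\ACME\\system\\driverset1\\AD"
EVENTS = [
    {"id": "000304B0", "B": DRIVER, "U": "cn=alice,ou=users", "V": "UserAccount", "1": 0},
    {"id": "000304B0", "B": DRIVER, "U": "cn=bob,ou=users", "V": "UserAccount", "1": 3},
    {"id": "000303B2", "B": DRIVER, "U": "cn=alice,ou=users", "V": "UserAccount", "1": 0},
    {"id": "000304CE", "B": DRIVER, "1": 0},  # Driver Health State Change, ignored
]
INVENTORY = {"cn=alice,ou=users": "active", "cn=carol,ou=users": "active"}
```

With the sample data, `replay(EVENTS)` reports the failed create for bob, and `unexplained(INVENTORY, expected)` flags alice (still active after a successful disable) and carol (active with no entitlement grant on record).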