Audit Event Details
This document provides details of each audit event and its attributes.
First, the attributes that are present in all audit events are listed. Next, the attributes that are repeated in every audit event of a given microservice are listed. Finally, the attributes specific to each audit event are presented.
Common attributes:
The following are common attributes in all audit events.
attributes:
- SSH-PrivX-service: microservice that the audit event originates from
- audit-exposure: "SSH-PRIVX-AUDIT" for normal audit events and "SSH-PRIVX-SENSITIVE-AUDIT" for sensitive audit events
- instanceName: instance name
- severity: event severity (Critical(2), Alert(1), Warning(4), Info(6))
- userID: PrivX user ID
- username: PrivX username
- sessionID: session ID
- timestamp: timestamp of the event
- version: PrivX version number
Microservice-specific attributes:
Depending on which microservice the audit event originates from, it will carry some additional attributes that are always present.
SSH Proxy
The following are common attributes in all audit events originating from SSH Proxy microservice.
attributes:
- connectionID: connection ID
- accessGroupID: target AccessGroupID or default AccessGroupID (if no target)
- hostID: host ID (if target available)
- hostAddress: target hostname and port if non-standard
- remoteAddress: connection client address
- targetUsername: target username
- connectionType: "SSH"
- connectionMode: "UI"
- tags: tags (if available)
SSH Bastion
The following are common attributes in all audit events originating from SSH Bastion microservice.
attributes:
- connectionID: connection ID
- accessGroupID: target AccessGroupID or default AccessGroupID (if no target)
- hostID: host ID (if target available)
- hostAddress: target hostname and port if non-standard
- remoteAddress: connection client address
- targetUsername: target username
- connectionType: "SSH"
- connectionMode: "TUNNEL" or "MITM"
- tags: tags (if available)
RDP Proxy
The following are common attributes in all audit events originating from RDP Proxy microservice.
attributes:
- connectionID: connection ID
- accessGroupID: target AccessGroupID or default AccessGroupID (if no target)
- hostID: host ID
- hostAddress: target hostname and port if non-standard
- remoteAddress: connection client address
- targetUsername: target username
- connectionType: "RDP"
- connectionMode: "UI"
- tags: tags (if available)
RDP Bastion
The following are common attributes in all audit events originating from RDP Bastion microservice.
attributes:
- connectionID: connection ID
- accessGroupID: target AccessGroupID or default AccessGroupID (if no target)
- hostID: host ID
- hostAddress: target hostname and port if non-standard
- remoteAddress: connection client address
- targetUsername: target username
- connectionType: "RDP"
- connectionMode: "MITM"
- tags: tags (if available)
Audit events
This section describes the attributes for each audit event.
API-client-added
attributes:
- clientID: ID of the API client being added
- message: description of the event
- name: API client name
- roles: comma-separated list of role IDs
API-client-modified
attributes:
- clientID: ID of the API client being modified
- message: description of the event
- modifications: JSON data containing the old and new values of the modified fields
- name: API client name
API-client-removed
attributes:
- clientID: ID of the API client being deleted
- message: description of the event
- name: API client name
Access-group-created
attributes:
- accessGroupID: ID of the access group being created
- message: description of the event
Access-group-deleted
attributes:
- accessGroupID: ID of the access group being deleted
- message: description of the event
Access-group-modified
attributes:
- accessGroupID: ID of the access group being modified
- message: description of the event
- modifications: JSON data containing the old and new values of the modified fields
Access-role-granted
This event is logged when a closed connection is granted a role for auditing
attributes:
- connectionID: ID of the connection
- roleID: ID of the role granted to audit the connection
Access-role-revoked
attributes:
- connectionID: ID of the connection
- connectionIDs: IDs of the connections
- roleID: ID of the role revoked from auditing the connection
Access-token-granted
This event is logged when access to PrivX is granted
attributes:
Auditevent-removed
This event is logged when audit events that are out of retention period are removed by a housekeeping task
attributes:
- appID: the UUID of the monitor-service instance
- message: internally logged message, contains number of events that are removed
Authorization-certificate-granted
attributes:
- accessGroupID
- authority-keyid
- connectionID: ID of the connection
- criticalOptions: certificate critical options
- extensions: certificate extensions
- hostAddress: target host address
- issuer: certificate issuer
- keyID
- key-usage
- message: description of the event and type of certificate
- principals
- public-key
- serial: certificate serial
- sha1-fingerprint
- sha256-fingerprint
- signature-algorithm
- signature-key
- subject
- subject-keyid
- target: user remote address
- upn: the User Principal Name (UPN), which generally takes the form user@domain.com
- valid: provides the validity period using not before and not after values
Authorization-passphrase-returned
attributes:
- accessGroupID
- connectionID: ID of the connection
- hostAddress: target host address
- hostID
- message: description of the event
- target: user remote address
- targetUsername
Authorization-rejected
attributes:
- address: client remote address
Authorization-requested
attributes:
- accessGroupID
- fingerprint
- hostAddress: target host address
- hostID
- message
- target: user remote address
Authorization-role-key-granted
attributes:
- accessGroupID
- connectionID: ID of the connection
- hostAddress: target host address
- keyID
- message
- roleID
- target: user remote address
Authorization-role-key-sign-operation-accepted
attributes:
- keyID
- message
- principalID
- target: user remote address
- user: username
Authorization-role-key-sign-operation-rejected
attributes:
- keyID
- message
- principalID
- target: user remote address
- user: username
Authorized-key-added
attributes:
- fingerprint
- keyID
- keyUserID: user ID that the authorized key belongs to
- keyUsername
- message
- name: key name
- notAfter: not valid after this date
- notBefore: not valid before this date
Authorized-key-modified
attributes:
- fingerprint
- keyID
- keyUserID: user ID that the authorized key belongs to
- keyUsername
- message
- modifications: JSON data containing the old and new values of the modified fields
- name
- notAfter: not valid after this date
- notBefore: not valid before this date
Authorized-key-removed
attributes:
- keyID
- keyUserID: user ID that the authorized key belongs to
- message
AWS-token-grant-failed
attributes:
- arn: Amazon Resource Name specifying the role
- awsRoleID
- message: description of the event
- reason: reason for failure or the error message
- TTL: TTL for the token
AWS-token-granted
attributes:
- arn: Amazon Resource Name specifying the role
- awsRoleID
- message: description of the event
- TTL: TTL for the token
- type: values, such as "assume-role" and "federation"
Background-migration-completed
attributes:
- message: description of the event and specifying which microservice the event belongs to
Background-migration-started
attributes:
- message: description of the event and specifying which microservice the event belongs to
CA-certificate-created
attributes:
- id
- keyID
- notAfter: not valid after this date
- notBefore: not valid before this date
- serial: certificate serial
- subject
- type: certificate type with values, such as "AUTHORIZER_CA", "TLS_CA", "EXTENDER_CA", "ICAP_CA" and "DB_PROXY_CA"
CA-certificate-deleted
attributes:
- id
- keyID
- notAfter: not valid after this date
- notBefore: not valid before this date
- serial: certificate serial
- subject
- type: certificate type with values, such as "AUTHORIZER_CA", "TLS_CA", "EXTENDER_CA", "ICAP_CA" and "DB_PROXY_CA"
CA-certificate-enrolled
attributes:
- caKeyID
- id
- issuer: certificate issuer
- notAfter: not valid after this date
- notBefore: not valid before this date
- serial: certificate serial
- subject
- type: certificate type with values, such as "AUTHORIZER_CA", "TLS_CA", "EXTENDER_CA", "ICAP_CA" and "DB_PROXY_CA"
CA-certificate-revoked
attributes:
- id
- issuer: certificate issuer
- notAfter: not valid after this date
- notBefore: not valid before this date
- reason: revocation reason
- serial: certificate serial
- subject
- type: certificate type with values, such as "AUTHORIZER_CA", "TLS_CA", "EXTENDER_CA", "ICAP_CA" and "DB_PROXY_CA"
Client-authenticated
attributes:
- key
- keyID
- method: authentication method, such as "Password", "Public key" and "SSH Certificate"
- remoteAddress: client remote address
Client-authentication-warning
attributes:
- connectionID: ID of the connection
- connectionMode: values, such as "TUNNEL", "MITM" and "UI"
- connectionType: values, such as "SSH" and "RDP"
- key
- keyID
- message
- method: authentication method, such as "Password", "Public key" and "SSH Certificate"
- remoteAddress: client remote address
Component-CA-config-modified
attributes:
- componentName
- message
- modifications: JSON data containing the old and new values of the modified fields
Config-checksum-added
This event is logged when a config file is added and the checksum for validation of that file is stored
attributes:
- filename: name of the config file
- hash-value: hash value of the config file
- message: description of the event
Config-checksum-changed
This event is logged when a change to a config file is detected
attributes:
- filename: name of the config file
- message: description of the event
- new-hash-value: new hash value of the config file
- old-hash-value: old hash value of the config file
Configuration-error
attributes:
- accessGroupID
- appID
- error
- hostAddress: target host address
- hostID
- hostName
- id
- issuer: certificate issuer
- key
- keyID
- message
- notAfter: not valid after this date
- notBefore: not valid before this date
- principalID
- serial: certificate serial
- subject
- target: user remote address
- targetUsername
- type
- user: username
- whitelist-id
- whitelist-name
Connection-accepted
attributes:
Connection-marked-anomaly-by-ueba
attributes:
- connectionID: ID of the connection
- connectionType: values, such as "SSH" and "RDP"
- hostAddress: target host address
- remoteAddress: client remote address
- ueba-confidence-level: detection confidence of ueba machine learning agent
- user-agent
Connection-audit-failed
attributes:
- accessGroupID
- appID: the UUID of the monitor-service instance
- connectionID: ID of the connection
- error
- hostAddress: target host address
- hostID
- message: description of the event and specifying whether the connection is to a database
- protocol: protocol used for the connection with values, such as "postgres", "mysql", "passthrough" and "tls"
- remoteAddress: client remote address
- server-mode: values, such as "default", "server-only" and "worker-only"
Connection-audit-started
attributes:
- accessGroupID
- appID: the UUID of the monitor-service instance
- connectionID: ID of the connection
- hostAddress: target host address
- hostID
- message: description of the event and specifying whether the connection is to a database
- protocol: protocol used for the connection with values, such as "postgres", "mysql", "passthrough" and "tls"
- remoteAddress: client remote address
- server-mode: values, such as "default", "server-only" and "worker-only"
Connection-authenticated
attributes:
- app-restriction-app
- app-restriction-name
- capublickey: certificate authority public key
- capublickey-data
- method: authentication method, such as "Password", "Public key" and "SSH Certificate"
- public-key
- public-key-data
Connection-blocked-by-ueba
attributes:
- connectionType: values, such as "SSH" and "RDP"
- hostAddress: target host address
- remoteAddress: client remote address
- ueba-confidence-level: detection confidence of ueba machine learning agent
- user-agent
Connection-closed
attributes:
- duration: connection duration in seconds
Licensed-connection-count-exceeded
attributes:
- message: description of the event
Connection-failed
attributes:
- error: error causing failure
Connection-rejected
attributes:
- error: error causing rejection
Connection-requested
attributes:
Connection-terminated
attributes:
- accessGroupID
- connectionID: ID of the connection
- message
Connection-terminated-for-host
attributes:
- hostID
- message
Connection-terminated-for-user
attributes:
- message
- targetUserID
Connection-unusual-behavior-by-ueba
attributes:
- connectionID: ID of the connection
- connectionType: values, such as "SSH" and "RDP"
- hostAddress: target host address
- remoteAddress: client remote address
- ueba-confidence-level: detection confidence of ueba machine learning agent
- user-agent
Connections-detached
attributes:
- appID
- message
Connections-meta-removed
attributes:
- connectionIDs: IDs of the connections
Database-session-closed
attributes:
- accessGroupID
- appID
- connectionID: ID of the connection
- error
- hostAddress: target host address
- hostID
- message: description of the event
- protocol: protocol used for the connection with values, such as "postgres", "mysql", "passthrough" and "tls"
- remoteAddress: client remote address
- server-mode: values, such as "default", "server-only" and "worker-only"
Database-session-failure
attributes:
- accessGroupID
- appID
- connectionID: ID of the connection
- error: error message for the reason of failure
- hostAddress: target host address
- hostID
- message: description of the event
- protocol: protocol used for the connection with values, such as "postgres", "mysql", "passthrough" and "tls"
- remoteAddress: client remote address
- server-mode: values, such as "default", "server-only" and "worker-only"
Database-session-rejected
attributes:
- accessGroupID
- appID
- connectionID: ID of the connection
- hostAddress: target host address
- hostID
- message: error message for the reason of rejection
- protocol: protocol used for the connection with values, such as "postgres", "mysql", "passthrough" and "tls"
- remoteAddress: client remote address
- server-mode: values, such as "default", "server-only" and "worker-only"
Database-session-started
attributes:
- accessGroupID
- appID
- connectionID: ID of the connection
- hostAddress: target host address
- hostID
- message: description of the event
- protocol: protocol used for the connection with values, such as "postgres", "mysql", "passthrough" and "tls"
- remoteAddress: client remote address
- server-mode: values, such as "default", "server-only" and "worker-only"
Database-session-terminated
attributes:
- accessGroupID
- appID
- connectionID: ID of the connection
- error
- hostAddress: target host address
- hostID
- message
- protocol
- remoteAddress: client remote address
- server-mode: values, such as "default", "server-only" and "worker-only"
Decision-made
attributes:
- decision
- message
- requestID
- server-mode: values, such as "default", "server-only" and "worker-only"
Directory-added
attributes:
- directoryID
- message
- name
Directory-authentication-failed
attributes:
- message
- sourceID: UUID of the Directory
- userDN: LDAP user distinguished name (DN) that is used when binding (signing on) to the LDAP server
Directory-modified
attributes:
- directoryID
- message
- modifications: JSON data containing the old and new values of the modified fields
- name
Directory-removed
attributes:
- directoryID
- message
- name
EE-certificate-deleted
attributes:
- id
- issuer: certificate issuer
- keyID
- notAfter: not valid after this date
- notBefore: not valid before this date
- serial: certificate serial
- subject
- type: certificate type with values, such as "TLS_EE", "EXTENDER_EE", "TLS_WEB_SERVER_EE" and "TLS_DB_SERVER_EE"
EE-certificate-enrolled
attributes:
- caKeyID
- id
- issuer: certificate issuer
- notAfter: not valid after this date
- notBefore: not valid before this date
- serial: certificate serial
- subject
- type: certificate type with values, such as "TLS_EE", "EXTENDER_EE", "TLS_WEB_SERVER_EE" and "TLS_DB_SERVER_EE"
EE-certificate-revoked
attributes:
- id
- issuer: certificate issuer
- notAfter: not valid after this date
- notBefore: not valid before this date
- reason: revocation reason
- serial: certificate serial
- subject
- type: certificate type with values, such as "TLS_EE", "EXTENDER_EE", "TLS_WEB_SERVER_EE" and "TLS_DB_SERVER_EE"
Email-configuration-modified
attributes:
- message: description of the event
- modifications: JSON data containing the old and new values of the modified fields
- server-mode: values, such as "default", "server-only" and "worker-only"
Email-not-sent
attributes:
- error: error message describing why sending the email failed
- from: sender of the email
- message: description of the event
- server-mode: values, such as "default", "server-only" and "worker-only"
- subject: subject of the email
- to: comma-separated list of email recipients
Email-sent
attributes:
- from: sender of the email
- message: description of the event
- server-mode: values, such as "default", "server-only" and "worker-only"
- subject: subject of the email
- to: comma-separated list of email recipients
Extender-connected
attributes:
- message: description of the event and specifying client type
Extender-disconnected
attributes:
- message: description of the event and specifying client type
PrivX-extender-remote-update-triggered
attributes:
- appID
- componentName
- filename
- message
PrivX-external-component-hard-disk-full
attributes:
- appID
- free
- name
- path
- threshold
- used
File-download
attributes:
- path: path of downloaded file
- size: size of file in bytes
File-download-blocked
This event is logged when a downloaded file is blocked by the virus scanner
attributes:
- error: virus scan result or the encountered error
- filename
- path: path of blocked file
- size: size of file in bytes
File-download-rejected
attributes:
- error: error message causing rejection of download operation
File-move-rejected
attributes:
- error: error message causing rejection of move operation
- new_path: path that the file was to be moved to
- path: path of the file that was attempted to be moved
File-moved
attributes:
- new_path: new path that the file was moved to
- path: old path of file that was moved
File-remove-rejected
attributes:
- error: error message causing rejection of delete operation
- path: path of file that was attempted to be removed
File-removed
attributes:
- path: path of file that was removed
File-upload
attributes:
- path: path of file that was uploaded
- size: size of file in bytes
File-upload-blocked
This event is logged when an uploaded file is blocked by the virus scanner
attributes:
- error: virus scan result or the encountered error
- filename: name of the file whose upload was attempted
- path: path of blocked file
- size: size of file in bytes
File-upload-rejected
attributes:
- error: error message causing rejection of upload operation
Folder-create-rejected
attributes:
- error: error message causing rejection
- path: path of folder that was attempted to be created
Folder-created
attributes:
- path: path of folder that was created
Folder-remove-rejected
attributes:
- error: error message causing rejection of delete operation
- path: path of folder that was attempted to be removed
Folder-removed
attributes:
- path: path of folder that was removed
Disk-full
attributes:
- appID: the UUID of the monitor-service instance
- path: path of directory that is causing the event
- used: percentage of hard disk space used
Host-added
attributes:
- accessGroupID
- cloudProvider
- count: number of hosts added
- hostID
- hostName
- message: description of the event
- sourceID: UUID of the Directory
Host-certificate-accepted
attributes:
- authority-keyid
- extensions: certificate extensions
- issuer: certificate issuer
- key-usage
- serial: certificate serial
- sha1-fingerprint
- sha256-fingerprint
- subject
- subject-keyid
- valid: provides the validity period using not before and not after values
Host-certificate-denied
attributes:
- authority-keyid
- extensions: certificate extensions
- issuer: certificate issuer
- key-usage
- serial: certificate serial
- sha1-fingerprint
- sha256-fingerprint
- subject
- subject-keyid
- valid: provides the validity period using not before and not after values
Host-certificate-matched
attributes:
- authority-keyid
- extensions: certificate extensions
- issuer: certificate issuer
- key-usage
- serial: certificate serial
- sha1-fingerprint
- sha256-fingerprint
- subject
- subject-keyid
- valid: provides the validity period using not before and not after values
Host-certificate-saved
attributes:
- authority-keyid
- extensions: certificate extensions
- issuer: certificate issuer
- key-usage
- serial: certificate serial
- sha1-fingerprint
- sha256-fingerprint
- subject
- subject-keyid
- valid: provides the validity period using not before and not after values
Host-certificate-trusted
attributes:
- authority-keyid
- extensions: certificate extensions
- issuer: certificate issuer
- key-usage
- serial: certificate serial
- sha1-fingerprint
- sha256-fingerprint
- subject
- subject-keyid
- valid: provides the validity period using not before and not after values
Host-disabled-state-changed
attributes:
- disabled: shows if state is disabled, such as "BY_ADMIN", "BY_LICENSE", "FALSE"
- hostID
Host-key-accepted
attributes:
- key
Host-key-denied
attributes:
- error
- key
Host-key-matched
attributes:
- key
Host-key-saved
attributes:
- key
Host-modified
attributes:
- accessGroupID
- cloudProvider: name of the cloud provider
- count: number of hosts updated in host store
- hostID
- hostName
- message: description of the event
- modifications: JSON data containing the old and new values of the modified fields
- sourceID: UUID of the Directory
Host-removed
attributes:
- accessGroupID
- cloudProvider
- count: number of hosts removed
- hostID
- hostName
- message
- sourceID: UUID of the Directory
Host-service-connection-failure
attributes:
- accessGroupID
- appID
- error
- hostID
- hostName
- serviceAddress
- servicePort
- serviceSource
- serviceType: values, such as "SSH", "RDP" and "WEB"
Host-service-connection-re-established
attributes:
- accessGroupID
- appID
- hostID
- hostName
- latency-in-ms
- serviceAddress
- servicePort
- serviceSource: source of service with values, such as "UI" and "SCIM"
- serviceType: values, such as "SSH", "RDP" and "WEB"
Housekeeping-authorized-keys
This event is logged when an authorized key is expired and removed or when a key is about to expire
attributes:
- count: number of expired authorized keys removed
- keyID: ID of the authorized key that is about to expire
- keyUserID: user ID that the authorized key that is about to expire belongs to
- message: states how many days remain until the key expires, or that expired keys have been removed
- notAfter: the date that the authorized key that is about to expire is not valid after
Housekeeping-OIDC-user-cache
This event is logged when removing expired OIDC users from user cache
attributes:
- count: number of expired OIDC users that were removed from user cache
- message: description of the event
Housekeeping-SCIM-roles
This event is logged when SCIM-created roles that are not currently in use by any host are deleted
attributes:
- message: description of the event
- roles: comma-separated list of role IDs
Housekeeping-user-data
This event is logged when removing data (secrets, keys, roles, ...) of users that have been inactive
attributes:
- message: description of the event
- userIDs: comma-separated list of user IDs
IDP-client-config-created
attributes:
- clientID
- id
- message
- signature-algorithm
- type
IDP-client-config-modified
attributes:
- id
- message
- modifications: JSON data containing the old and new values of the modified fields
- signature-algorithm
- type
IDP-client-config-removed
attributes:
- id
- message
IDP-client-credentials-regenerated
attributes:
- id
- message
Identity-provider-added
attributes:
- identity-provider-id
- message
Identity-provider-modified
attributes:
- identity-provider-id
- message
- modifications: JSON data containing the old and new values of the modified fields
Identity-provider-removed
attributes:
- identity-provider-id
- message
Invalidated-session-cache-full
attributes:
License-error
attributes:
- error
- message
License-updated
attributes:
- message
LogConf-collector-created
attributes:
- collectorID: log collector ID
- message
- name
- type: values, such as "AWS", "AZURE" and "GOOGLE"
LogConf-collector-modified
attributes:
- collectorID: log collector ID
- message
- modifications: JSON data containing the old and new values of the modified fields
- name
- type: values, such as "AWS", "AZURE" and "GOOGLE"
LogConf-collector-removed
attributes:
- collectorID: log collector ID
- message
- name
Managed-account-batch-created
attributes:
- batch-size
- disable-rdp-cert-auth
- enabled
- explicit-checkout
- initial-rotation
- password-policy-id
- password-policy-name
- rotation-enabled
- target-domain-id
- target-domain-name
Managed-account-batch-deleted
attributes:
- batch-size
- target-domain-id
- target-domain-name
Managed-account-batch-modified
attributes:
- batch-size
- disable-rdp-cert-auth
- enabled
- explicit-checkout
- password-policy-id
- password-policy-name
- rotation-enabled
- target-domain-id
- target-domain-name
Managed-account-created
attributes:
- account-email
- account-full-name
- account-username
- disable-rdp-cert-auth
- enabled
- explicit-checkout
- external-id
- id
- password-policy-id
- password-policy-name
- rotation-enabled
- security-id
- target-domain-id
- target-domain-name
Managed-account-deleted
attributes:
- account-email
- account-full-name
- account-username
- external-id
- id
- security-id
- target-domain-id
- target-domain-name
Managed-account-modified
attributes:
- account-email
- account-full-name
- account-username
- external-id
- id
- message
- modifications: JSON data containing the old and new values of the modified fields
- security-id
- target-domain-id
- target-domain-name
Monitoring-session-ended
attributes:
Monitoring-session-started
attributes:
Multi-factor-authentication-configured
attributes:
- message
- user-mfa-action: actions, such as "enable", "disable" and "reset"
Multi-factor-authentication-generated
attributes:
- message
Network-session-closed
attributes:
Network-session-failure
attributes:
- clientip
- error
- id
- targetid
- targetname
Network-session-fatal-failure
attributes:
- clientip
- error
- id
- targetid
- targetname
Network-session-opened
attributes:
Network-target-created
attributes:
- id
- message
- name
Network-target-disabled-state-changed
attributes:
- disabled: shows if state is disabled, such as "BY_ADMIN", "BY_LICENSE", "FALSE"
- id
- message
Network-target-modified
attributes:
- id
- message
- modifications: JSON data containing the old and new values of the modified fields
Network-target-removed
attributes:
- id
- message
OAuth-client-authenticated
attributes:
- clientID
OAuth-client-authentication-failed
attributes:
- clientID
Password-rotation-failure
attributes:
- account-username
- error
- hostID
- id
- principal
- target-domain-id
- target-domain-name
- trigger
Password-rotation-policy-created
attributes:
- id
- name
Password-rotation-policy-modified
attributes:
- id
- modifications: JSON data containing the old and new values of the modified fields
Password-rotation-policy-removed
attributes:
- id
Password-rotation-script-created
attributes:
- id
- name
Password-rotation-script-modified
attributes:
- id
- modifications: JSON data containing the old and new values of the modified fields
Password-rotation-script-removed
attributes:
- id
Password-rotation-success
attributes:
- account-username
- id
- target-domain-id
- target-domain-name
- trigger
Principal-added
attributes:
- keyID
- message
- principalID
Principal-removed
attributes:
- keyID
- message
- principalID
PrivX-db-clock-out-of-sync
attributes:
- appID
- database-time
- message
- privx-time
PrivX-restarted
attributes:
- appID
- message
MobileGW-privx-registration-failure
attributes:
- appID
- server-mode: values, such as "default", "server-only" and "worker-only"
MobileGW-privx-registration-success
attributes:
- appID
- server-mode: values, such as "default", "server-only" and "worker-only"
MobileGW-privx-registration-terminated
attributes:
- appID
- server-mode: values, such as "default", "server-only" and "worker-only"
MobileGW-user-paired-device
attributes:
MobileGW-user-unpaired-device
attributes:
- domain
- user-mobile-device
Request-added
attributes:
- message
- requestID
- server-mode: values, such as "default", "server-only" and "worker-only"
Request-removed
attributes:
- message
- requestID
- server-mode: values, such as "default", "server-only" and "worker-only"
Role-added
attributes:
- accessGroupID
- message
- modifications: JSON data containing the old and new values of the modified fields
- roleID
- roleName
RoleContext-role-blocked
attributes:
- accessGroupID
- appID
- endTime
- ipAddr
- ipMasks
- message
- principal
- roleID
- roleName
- startTime
- timeZone
- type: values, such as "SUSPICIOUS_TIME_ROLE_BLOCKED" and "SUSPICIOUS_IP_ADDRESS_ROLE_BLOCKED"
- weekdays
RoleContext-usage-alert
This event is logged when an access occurs from a suspicious IP address or at a suspicious usage time
attributes:
- accessGroupID
- appID
- endTime
- ipAddr
- ipMasks
- message: description of type of suspicious activity
- principal
- roleID
- roleName
- startTime
- timeZone
- type: values, such as "SUSPICIOUS_TIME_WARNING" and "SUSPICIOUS_IP_ADDRESS_WARNING"
- weekdays
Role-modified
attributes:
- accessGroupID
- message
- modifications: JSON data containing the old and new values of the modified fields
- roleID
- roleName
Role-removed
attributes:
- accessGroupID
- message
- modifications: JSON data containing the old and new values of the modified fields
- roleID
- roleName
Router-init-failed
attributes:
- type: router type with values, such as "linux-iptables", "sshexec" and "logger"
Router-initialized
attributes:
- type: router type with values, such as "linux-iptables", "sshexec" and "logger"
SSH-command-blocked
attributes:
- channelID
- command
- connectionID: ID of the connection
- sessionType: session channel type with values, such as "exec" and "shell"
SSH-live-event
attributes:
- channelID
- connectionID: ID of the connection
- ssh-live-event: JSON data with the following fields: TimeStamp, ConnectionID, ChannelID, Protocol, Mode, Direction, Type, Data
SSH-non-whitelisted-command-allowed
attributes:
- channelID
- command
- connectionID: ID of the connection
- sessionType: session channel type with values, such as "exec" and "shell"
SSH-whitelisted-command-allowed
attributes:
- channelID
- command
- connectionID: ID of the connection
- sessionType: session channel type with values, such as "exec" and "shell"
Secret-accessed
attributes:
- secret
Secret-changed
attributes:
- secret
Secret-checked-out
attributes:
- account-email
- account-full-name
- account-username
- expires
- explicit-checkout
- id
- target-domain-id
- target-domain-name
- type
Secret-checkout-expired
attributes:
- account-email
- account-full-name
- account-username
- duration: connection duration in seconds
- explicit-checkout
- id
- target-domain-id
- target-domain-name
- type
Secret-created
attributes:
- secret
Secret-metadata-changed
attributes:
- modifications: JSON data containing the old and new values of the modified fields
- secret
Secret-released
attributes:
- account-email
- account-full-name
- account-username
- duration: connection duration in seconds
- explicit-checkout
- id
- target-domain-id
- target-domain-name
- type
Secret-removed
attributes:
- deletedCount
- owners
- secret
- sourceID: UUID of the Directory
Service-running
attributes:
- appID
- message
- server-mode: values such as "default", "server-only" and "worker-only"
Service-starting
attributes:
- appID
- error
- message
- server-mode: values such as "default", "server-only" and "worker-only"
Service-stopped
attributes:
- appID
- error
- message
- server-mode: values such as "default", "server-only" and "worker-only"
Session-added
attributes:
- channelID
- sessionType: session channel type, with values such as "exec" and "shell"
Session-password-generated
attributes:
- backend-name
Session-rejected
attributes:
- message
- sessionType: session channel type, with values such as "exec" and "shell"
Session-removed
attributes:
- channelID
- sessionType: session channel type, with values such as "exec" and "shell"
Session-terminated
attributes:
Settings-modified
attributes:
- appID
- modifications: JSON data containing the old and new values of the modified fields
- scope: values such as the name of a microservice, "PRIVX-CARRIER" and "EXTENDER-SERVICE"
- server-mode: values such as "default", "server-only" and "worker-only"
Target-domain-account-modified
attributes:
- account-username
- id
- modifications: JSON data containing the old and new values of the modified fields
- target-domain-id
- target-domain-name
Target-domain-account-onboarding-failure
attributes:
- batch-size
- error
- target-domain-id
- target-domain-name
Target-domain-account-scan-failure
attributes:
- error
- target-domain-endpoint
- target-domain-id
- target-domain-name
Target-domain-account-scan-success
attributes:
- target-domain-endpoint
- target-domain-id
- target-domain-name
Target-domain-created
attributes:
- auto-onboarding
- auto-onboarding-policy-id
- auto-onboarding-policy-name
- enabled
- id
- name
- periodic-scan
- periodic-scan-interval
- target-domain-endpoints
Target-domain-deleted
attributes:
- id
- name
Target-domain-modified
attributes:
- id
- modifications: JSON data containing the old and new values of the modified fields
- name
Trail-file-downloaded
attributes:
- accessGroupID
- connectionID: ID of the connection
- filename
- message: description of the event
Trail-file-integrity-failed
attributes:
- accessGroupID
- connectionID: ID of the connection
- message: description of the event
Trail-file-open-failed
attributes:
- accessGroupID
- connectionID: ID of the connection
- error: error causing failure
- message: description of the event
Trail-file-read-failed
attributes:
- error: error causing failure
Trail-open-failed
attributes:
- accessGroupID
- connectionID: ID of the connection
- error: error message causing failure
- message: description of the event or reason for opening the trail
Trail-opened
attributes:
- accessGroupID
- connectionID: ID of the connection
- message: description of the event or reason for opening the trail
- remoteAddress: client remote address
Trail-remove-failed
attributes:
- accessGroupID
- connectionID: ID of the connection
- message: description of the event
Trail-removed
attributes:
- accessGroupID
- connectionID: ID of the connection
- message: description of the event
Transcript-opened
attributes:
- connectionID: ID of the connection
- message
- searchKeywords
Transcript-status-error
attributes:
- connectionID: ID of the connection
- message
- protocol: protocol name, such as "SSH"
Transcript-status-indexed
attributes:
- connectionID: ID of the connection
- message
- protocol: protocol name, such as "SSH"
Transcript-status-indexing
attributes:
- connectionID: ID of the connection
- message
- protocol: protocol name, such as "SSH"
Transcript-status-scheduled
attributes:
- connectionID: ID of the connection
- message
- protocol: protocol name, such as "SSH"
Transcript-trail-removed
attributes:
- connectionID: ID of the connection
- message
Trusted-client-added
attributes:
- accessGroupID
- clientID
- extender-address
- message
- name
- permissions
- routingPrefix
- subnets
Trusted-client-modified
attributes:
- accessGroupID
- clientID
- enabled
- extender-address
- groupID
- message
- modifications: JSON data containing the old and new values of the modified fields
- name
- permissions
- registered
- routingPrefix
- subnets
- web-proxy-address
Trusted-client-removed
attributes:
- accessGroupID
- clientID
- message
- name
User-added
attributes:
- targetUserID: ID of added user
- targetUsername: username of added user
User-logged-in
attributes:
- authentication-method: authentication method used, such as "Password", "Single Sign-On", "Client Certificate" and "Authorized Key"
- authenticator
- backend-name
- fingerprint
- identity-provider-id
- identity-provider-name
- identity-provider-public-key-method
- ipAddr
- issuer: identity provider issuer
- keyID
- sourceID: UUID of the Directory
User-logged-out
attributes:
User-login-attempt-rate-limited
attributes:
- message: reason for rate limit
- remoteAddress: IP address the login was attempted from
User-login-failed
attributes:
User-MFA-challenge-sent
attributes:
User-MFA-challenge-setup-sent
attributes:
User-Mobile-MFA-challenge-sent
attributes:
User-Mobile-MFA-challenge-setup-sent
attributes:
User-modified
attributes:
- modifications: JSON data containing the old and new values of the modified fields
- targetUserID
- targetUsername
User-password-modified
attributes:
- targetUserID
- targetUsername
User-access-token-refresh-failed
attributes:
User-access-token-refreshed
attributes:
User-removed
attributes:
- targetUserID
- targetUsername
User-roles-modified
attributes:
- message
- modifications: JSON data containing the old and new values of the modified fields
- principal
- targetUserID
Users-blocked-by-license
attributes:
- message
Users-license-grace-period-started
attributes:
- message
Users-license-ok
attributes:
- message
WebAuthn-Credential-added
attributes:
- keyUserID: user ID to which the authorized key that is about to expire belongs
- message
- name
- webauthn-credential-id
- id
WebAuthn-Credential-modified
attributes:
- keyID
- message
- modifications: JSON data containing the old and new values of the modified fields
- name
- webauthn-credential-comment
WebAuthn-Credential-removed
attributes:
- keyUserID: user ID to which the authorized key that is about to expire belongs
- message
- id
White-list-added
attributes:
- id: ID of white list added
- message: description of the event
- name: name of the white list added
White-list-modified
attributes:
- id: ID of white list modified
- message: description of the event
- modifications: JSON data containing the old and new values of the modified fields
- name: name of the white list modified
White-list-removed
attributes:
- id: ID of white list removed
- message: description of the event
Workflow-added
attributes:
- message: description of the event
- server-mode: values such as "default", "server-only" and "worker-only"
- workflowID: ID of added workflow
Workflow-modified
attributes:
- message: description of the event
- modifications: JSON data containing the old and new values of the modified fields
- name: name of modified workflow
- server-mode: values such as "default", "server-only" and "worker-only"
- workflowID: ID of modified workflow
Workflow-removed
attributes:
- message
- server-mode: values such as "default", "server-only" and "worker-only"
- workflowID