Audit Event Details

This document provides details of each audit event and its attributes.
First, the attributes present in all audit events are listed. Next, the attributes that are repeated in every audit event from a given microservice are listed. Finally, the attributes specific to each audit event are presented.

Common attributes:

The following are common attributes in all audit events.
attributes:

  • SSH-PrivX-service: microservice that the audit originates from
  • audit-exposure: for normal audits "SSH-PRIVX-AUDIT" and for sensitive audits "SSH-PRIVX-SENSITIVE-AUDIT"
  • instanceName: instance name
  • severity: event severity (Critical(2), Alert(1), Warning(4), Info(6))
  • userID: PrivX user ID
  • username: PrivX username
  • sessionID: session ID
  • timestamp: timestamp of the event
  • version: PrivX version number

Microservice specific attributes:

Depending on which microservice the audit originates from, it will have additional attributes that are always present.

SSH Proxy

The following are common attributes in all audit events originating from the SSH Proxy microservice.
attributes:

  • connectionID: connection ID
  • accessGroupID: target AccessGroupID or default AccessGroupID (if no target)
  • hostID: host ID (if target available)
  • hostAddress: target hostname and port if non-standard
  • remoteAddress: connection client address
  • targetUsername: target username
  • connectionType: "SSH"
  • connectionMode: "UI"
  • tags: tags (if available)

SSH Bastion

The following are common attributes in all audit events originating from the SSH Bastion microservice.
attributes:

  • connectionID: connection ID
  • accessGroupID: target AccessGroupID or default AccessGroupID (if no target)
  • hostID: host ID (if target available)
  • hostAddress: target hostname and port if non-standard
  • remoteAddress: connection client address
  • targetUsername: target username
  • connectionType: "SSH"
  • connectionMode: "TUNNEL" or "MITM"
  • tags: tags (if available)

RDP Proxy

The following are common attributes in all audit events originating from the RDP Proxy microservice.
attributes:

  • connectionID: connection ID
  • accessGroupID: target AccessGroupID or default AccessGroupID (if no target)
  • hostID: host ID
  • hostAddress: target hostname and port if non-standard
  • remoteAddress: connection client address
  • targetUsername: target username
  • connectionType: "RDP"
  • connectionMode: "UI"
  • tags: tags (if available)

RDP Bastion

The following are common attributes in all audit events originating from the RDP Bastion microservice.
attributes:

  • connectionID: connection ID
  • accessGroupID: target AccessGroupID or default AccessGroupID (if no target)
  • hostID: host ID
  • hostAddress: target hostname and port if non-standard
  • remoteAddress: connection client address
  • targetUsername: target username
  • connectionType: "RDP"
  • connectionMode: "MITM"
  • tags: tags (if available)

Audit events

This section describes the attributes for each audit event.

API-client-added

attributes:

  • clientID: ID of the API client being added
  • message: description of the event
  • name: API client name
  • roles: IDs of the roles, separated by commas

API-client-modified

attributes:

  • clientID: ID of the API client being modified
  • message: description of the event
  • modifications: JSON data containing the old and new values of the modified fields
  • name: API client name

API-client-removed

attributes:

  • clientID: ID of the API client being deleted
  • message: description of the event
  • name: API client name

Access-group-created

attributes:

  • accessGroupID: ID of the access group being created
  • message: description of the event

Access-group-deleted

attributes:

  • accessGroupID: ID of the access group being deleted
  • message: description of the event

Access-group-modified

attributes:

  • accessGroupID: ID of the access group being modified
  • message: description of the event
  • modifications: JSON data containing the old and new values of the modified fields

Access-role-granted

This event is logged when a closed connection is granted a role for auditing

attributes:

  • connectionID: ID of the connection
  • roleID: ID of the role granted to audit the connection

Access-role-revoked

attributes:

  • connectionID: ID of the connection
  • connectionIDs: IDs of the connections
  • roleID: ID of the role revoked from auditing the connection

Access-token-granted

This event is logged when access to PrivX is granted

attributes:

Auditevent-removed

This event is logged when audit events that are out of retention period are removed by a housekeeping task

attributes:

  • appID: the UUID of the monitor-service instance
  • message: internally logged message, contains number of events that are removed

Authorization-certificate-granted

attributes:

  • accessGroupID
  • authority-keyid
  • connectionID: ID of the connection
  • criticalOptions: certificate critical options
  • extensions: certificate extensions
  • hostAddress: target host address
  • issuer: certificate issuer
  • keyID
  • key-usage
  • message: description of the event and type of certificate
  • principals
  • public-key
  • serial: certificate serial
  • sha1-fingerprint
  • sha256-fingerprint
  • signature-algorithm
  • signature-key
  • subject
  • subject-keyid
  • target: user remote address
  • upn: the User Principal Name (UPN), which generally takes the form user@domain.com
  • valid: provides the validity period using not before and not after values

Authorization-passphrase-returned

attributes:

  • accessGroupID
  • connectionID: ID of the connection
  • hostAddress: target host address
  • hostID
  • message: description of the event
  • target: user remote address
  • targetUsername

Authorization-rejected

attributes:

  • address: client remote address

Authorization-requested

attributes:

  • accessGroupID
  • fingerprint
  • hostAddress: target host address
  • hostID
  • message
  • target: user remote address

Authorization-role-key-granted

attributes:

  • accessGroupID
  • connectionID: ID of the connection
  • hostAddress: target host address
  • keyID
  • message
  • roleID
  • target: user remote address

Authorization-role-key-sign-operation-accepted

attributes:

  • keyID
  • message
  • principalID
  • target: user remote address
  • user: username

Authorization-role-key-sign-operation-rejected

attributes:

  • keyID
  • message
  • principalID
  • target: user remote address
  • user: username

Authorized-key-added

attributes:

  • fingerprint
  • keyID
  • keyUserID: user ID that the authorized key belongs to
  • keyUsername
  • message
  • name: key name
  • notAfter: not valid after this date
  • notBefore: not valid before this date

Authorized-key-modified

attributes:

  • fingerprint
  • keyID
  • keyUserID: user ID that the authorized key belongs to
  • keyUsername
  • message
  • modifications: JSON data containing the old and new values of the modified fields
  • name
  • notAfter: not valid after this date
  • notBefore: not valid before this date

Authorized-key-removed

attributes:

  • keyID
  • keyUserID: user ID that the authorized key belongs to
  • message

AWS-token-grant-failed

attributes:

  • arn: Amazon Resource Name specifying the role
  • awsRoleID
  • message: description of the event
  • reason: reason for failure or the error message
  • TTL: TTL for the token

AWS-token-granted

attributes:

  • arn: Amazon Resource Name specifying the role
  • awsRoleID
  • message: description of the event
  • TTL: TTL for the token
  • type: values, such as "assume-role" and "federation"

Background-migration-completed

attributes:

  • message: description of the event and specifying which microservice the event belongs to

Background-migration-started

attributes:

  • message: description of the event and specifying which microservice the event belongs to

CA-certificate-created

attributes:

  • id
  • keyID
  • notAfter: not valid after this date
  • notBefore: not valid before this date
  • serial: certificate serial
  • subject
  • type: certificate type with values, such as "AUTHORIZER_CA", "TLS_CA", "EXTENDER_CA", "ICAP_CA" and "DB_PROXY_CA"

CA-certificate-deleted

attributes:

  • id
  • keyID
  • notAfter: not valid after this date
  • notBefore: not valid before this date
  • serial: certificate serial
  • subject
  • type: certificate type with values, such as "AUTHORIZER_CA", "TLS_CA", "EXTENDER_CA", "ICAP_CA" and "DB_PROXY_CA"

CA-certificate-enrolled

attributes:

  • caKeyID
  • id
  • issuer: certificate issuer
  • notAfter: not valid after this date
  • notBefore: not valid before this date
  • serial: certificate serial
  • subject
  • type: certificate type with values, such as "AUTHORIZER_CA", "TLS_CA", "EXTENDER_CA", "ICAP_CA" and "DB_PROXY_CA"

CA-certificate-revoked

attributes:

  • id
  • issuer: certificate issuer
  • notAfter: not valid after this date
  • notBefore: not valid before this date
  • reason: revocation reason
  • serial: certificate serial
  • subject
  • type: certificate type with values, such as "AUTHORIZER_CA", "TLS_CA", "EXTENDER_CA", "ICAP_CA" and "DB_PROXY_CA"

Client-authenticated

attributes:

  • key
  • keyID
  • method: authentication method, such as "Password", "Public key" and "SSH Certificate"
  • remoteAddress: client remote address

Client-authentication-warning

attributes:

  • connectionID: ID of the connection
  • connectionMode: values, such as "TUNNEL", "MITM" and "UI"
  • connectionType: values, such as "SSH" and "RDP"
  • key
  • keyID
  • message
  • method: authentication method, such as "Password", "Public key" and "SSH Certificate"
  • remoteAddress: client remote address

Component-CA-config-modified

attributes:

  • componentName
  • message
  • modifications: JSON data containing the old and new values of the modified fields

Config-checksum-added

This event is logged when a config file is added and the checksum for validation of that file is stored

attributes:

  • filename: name of the config file
  • hash-value: hash value of the config file
  • message: description of the event

Config-checksum-changed

This event is logged when a change to a config file is detected

attributes:

  • filename: name of the config file
  • message: description of the event
  • new-hash-value: new hash value of the config file
  • old-hash-value: old hash value of the config file

Configuration-error

attributes:

  • accessGroupID
  • appID
  • error
  • hostAddress: target host address
  • hostID
  • hostName
  • id
  • issuer: certificate issuer
  • key
  • keyID
  • message
  • notAfter: not valid after this date
  • notBefore: not valid before this date
  • principalID
  • serial: certificate serial
  • subject
  • target: user remote address
  • targetUsername
  • type
  • user: username
  • whitelist-id
  • whitelist-name

Connection-accepted

attributes:

Connection-marked-anomaly-by-ueba

attributes:

  • connectionID: ID of the connection
  • connectionType: values, such as "SSH" and "RDP"
  • hostAddress: target host address
  • remoteAddress: client remote address
  • ueba-confidence-level: detection confidence of the UEBA machine learning agent
  • user-agent

Connection-audit-failed

attributes:

  • accessGroupID
  • appID: the UUID of the monitor-service instance
  • connectionID: ID of the connection
  • error
  • hostAddress: target host address
  • hostID
  • message: description of the event and specifying whether the connection is to a database
  • protocol: protocol used for the connection with values, such as "postgres", "mysql", "passthrough" and "tls"
  • remoteAddress: client remote address
  • server-mode: values, such as "default", "server-only" and "worker-only"

Connection-audit-started

attributes:

  • accessGroupID
  • appID: the UUID of the monitor-service instance
  • connectionID: ID of the connection
  • hostAddress: target host address
  • hostID
  • message: description of the event and specifying whether the connection is to a database
  • protocol: protocol used for the connection with values, such as "postgres", "mysql", "passthrough" and "tls"
  • remoteAddress: client remote address
  • server-mode: values, such as "default", "server-only" and "worker-only"

Connection-authenticated

attributes:

  • app-restriction-app
  • app-restriction-name
  • capublickey: certificate authority public key
  • capublickey-data
  • method: authentication method, such as "Password", "Public key" and "SSH Certificate"
  • public-key
  • public-key-data

Connection-blocked-by-ueba

attributes:

  • connectionType: values, such as "SSH" and "RDP"
  • hostAddress: target host address
  • remoteAddress: client remote address
  • ueba-confidence-level: detection confidence of the UEBA machine learning agent
  • user-agent

Connection-closed

attributes:

  • duration: connection duration in seconds

Licensed-connection-count-exceeded

attributes:

  • message: description of the event

Connection-failed

attributes:

  • error: error causing failure

Connection-rejected

attributes:

  • error: error causing rejection

Connection-requested

attributes:

Connection-terminated

attributes:

  • accessGroupID
  • connectionID: ID of the connection
  • message

Connection-terminated-for-host

attributes:

  • hostID
  • message

Connection-terminated-for-user

attributes:

  • message
  • targetUserID

Connection-unusual-behavior-by-ueba

attributes:

  • connectionID: ID of the connection
  • connectionType: values, such as "SSH" and "RDP"
  • hostAddress: target host address
  • remoteAddress: client remote address
  • ueba-confidence-level: detection confidence of the UEBA machine learning agent
  • user-agent

Connections-detached

attributes:

  • appID
  • message

Connections-meta-removed

attributes:

  • connectionIDs: IDs of the connections

Database-session-closed

attributes:

  • accessGroupID
  • appID
  • connectionID: ID of the connection
  • error
  • hostAddress: target host address
  • hostID
  • message: description of the event
  • protocol: protocol used for the connection with values, such as "postgres", "mysql", "passthrough" and "tls"
  • remoteAddress: client remote address
  • server-mode: values, such as "default", "server-only" and "worker-only"

Database-session-failure

attributes:

  • accessGroupID
  • appID
  • connectionID: ID of the connection
  • error: error message for the reason of failure
  • hostAddress: target host address
  • hostID
  • message: description of the event
  • protocol: protocol used for the connection with values, such as "postgres", "mysql", "passthrough" and "tls"
  • remoteAddress: client remote address
  • server-mode: values, such as "default", "server-only" and "worker-only"

Database-session-rejected

attributes:

  • accessGroupID
  • appID
  • connectionID: ID of the connection
  • hostAddress: target host address
  • hostID
  • message: error message for the reason of rejection
  • protocol: protocol used for the connection with values, such as "postgres", "mysql", "passthrough" and "tls"
  • remoteAddress: client remote address
  • server-mode: values, such as "default", "server-only" and "worker-only"

Database-session-started

attributes:

  • accessGroupID
  • appID
  • connectionID: ID of the connection
  • hostAddress: target host address
  • hostID
  • message: description of the event
  • protocol: protocol used for the connection with values, such as "postgres", "mysql", "passthrough" and "tls"
  • remoteAddress: client remote address
  • server-mode: values, such as "default", "server-only" and "worker-only"

Database-session-terminated

attributes:

  • accessGroupID
  • appID
  • connectionID: ID of the connection
  • error
  • hostAddress: target host address
  • hostID
  • message
  • protocol
  • remoteAddress: client remote address
  • server-mode: values, such as "default", "server-only" and "worker-only"

Decision-made

attributes:

  • decision
  • message
  • requestID
  • server-mode: values, such as "default", "server-only" and "worker-only"

Directory-added

attributes:

  • directoryID
  • message
  • name

Directory-authentication-failed

attributes:

  • message
  • sourceID: UUID of the Directory
  • userDN: LDAP user distinguished name (DN) that is used when binding (signing on) to the LDAP server

Directory-modified

attributes:

  • directoryID
  • message
  • modifications: JSON data containing the old and new values of the modified fields
  • name

Directory-removed

attributes:

  • directoryID
  • message
  • name

EE-certificate-deleted

attributes:

  • id
  • issuer: certificate issuer
  • keyID
  • notAfter: not valid after this date
  • notBefore: not valid before this date
  • serial: certificate serial
  • subject
  • type: certificate type with values, such as "TLS_EE", "EXTENDER_EE", "TLS_WEB_SERVER_EE" and "TLS_DB_SERVER_EE"

EE-certificate-enrolled

attributes:

  • caKeyID
  • id
  • issuer: certificate issuer
  • notAfter: not valid after this date
  • notBefore: not valid before this date
  • serial: certificate serial
  • subject
  • type: certificate type with values, such as "TLS_EE", "EXTENDER_EE", "TLS_WEB_SERVER_EE" and "TLS_DB_SERVER_EE"

EE-certificate-revoked

attributes:

  • id
  • issuer: certificate issuer
  • notAfter: not valid after this date
  • notBefore: not valid before this date
  • reason: revocation reason
  • serial: certificate serial
  • subject
  • type: certificate type with values, such as "TLS_EE", "EXTENDER_EE", "TLS_WEB_SERVER_EE" and "TLS_DB_SERVER_EE"

Email-configuration-modified

attributes:

  • message: description of the event
  • modifications: JSON data containing the old and new values of the modified fields
  • server-mode: values, such as "default", "server-only" and "worker-only"

Email-not-sent

attributes:

  • error: error message causing failure in sending the email
  • from: the sender of email
  • message: description of the event
  • server-mode: values, such as "default", "server-only" and "worker-only"
  • subject: subject of email
  • to: list of recipients of the email, separated by commas

Email-sent

attributes:

  • from: the sender of email
  • message: description of the event
  • server-mode: values, such as "default", "server-only" and "worker-only"
  • subject: subject of email
  • to: list of recipients of the email, separated by commas

Extender-connected

attributes:

  • message: description of the event and specifying client type

Extender-disconnected

attributes:

  • message: description of the event and specifying client type

PrivX-extender-remote-update-triggered

attributes:

  • appID
  • componentName
  • filename
  • message

PrivX-external-component-hard-disk-full

attributes:

  • appID
  • free
  • name
  • path
  • threshold
  • used

File-download

attributes:

  • path: path of downloaded file
  • size: size of file in bytes

File-download-blocked

This event happens when the downloaded file is blocked by the virus scanner

attributes:

  • error: virus scan result or the encountered error
  • filename
  • path: path of blocked file
  • size: size of file in bytes

File-download-rejected

attributes:

  • error: error message causing rejection of download operation

File-move-rejected

attributes:

  • error: error message causing rejection of move operation
  • new_path: path that the file was attempted to be moved to
  • path: path of the file that was attempted to be moved

File-moved

attributes:

  • new_path: new path that the file was moved to
  • path: old path of file that was moved

File-remove-rejected

attributes:

  • error: error message causing rejection of delete operation
  • path: path of file that was attempted to be removed

File-removed

attributes:

  • path: path of file that was removed

File-upload

attributes:

  • path: path of file that was uploaded
  • size: size of file in bytes

File-upload-blocked

This event happens when the uploaded file is blocked by the virus scanner

attributes:

  • error: virus scan result or the encountered error
  • filename: name of the file that was attempted to be uploaded
  • path: path of blocked file
  • size: size of file in bytes

File-upload-rejected

attributes:

  • error: error message causing rejection of upload operation

Folder-create-rejected

attributes:

  • error: error message causing rejection
  • path: path of folder that was attempted to be created

Folder-created

attributes:

  • path: path of folder that was created

Folder-remove-rejected

attributes:

  • error: error message causing rejection of delete operation
  • path: path of folder that was attempted to be removed

Folder-removed

attributes:

  • path: path of folder that was removed

Disk-full

attributes:

  • appID: the UUID of the monitor-service instance
  • path: path of directory that is causing the event
  • used: percentage of hard disk space used

Host-added

attributes:

  • accessGroupID
  • cloudProvider
  • count: number of hosts added
  • hostID
  • hostName
  • message: description of the event
  • sourceID: UUID of the Directory

Host-certificate-accepted

attributes:

  • authority-keyid
  • extensions: certificate extensions
  • issuer: certificate issuer
  • key-usage
  • serial: certificate serial
  • sha1-fingerprint
  • sha256-fingerprint
  • subject
  • subject-keyid
  • valid: provides the validity period using not before and not after values

Host-certificate-denied

attributes:

  • authority-keyid
  • extensions: certificate extensions
  • issuer: certificate issuer
  • key-usage
  • serial: certificate serial
  • sha1-fingerprint
  • sha256-fingerprint
  • subject
  • subject-keyid
  • valid: provides the validity period using not before and not after values

Host-certificate-matched

attributes:

  • authority-keyid
  • extensions: certificate extensions
  • issuer: certificate issuer
  • key-usage
  • serial: certificate serial
  • sha1-fingerprint
  • sha256-fingerprint
  • subject
  • subject-keyid
  • valid: provides the validity period using not before and not after values

Host-certificate-saved

attributes:

  • authority-keyid
  • extensions: certificate extensions
  • issuer: certificate issuer
  • key-usage
  • serial: certificate serial
  • sha1-fingerprint
  • sha256-fingerprint
  • subject
  • subject-keyid
  • valid: provides the validity period using not before and not after values

Host-certificate-trusted

attributes:

  • authority-keyid
  • extensions: certificate extensions
  • issuer: certificate issuer
  • key-usage
  • serial: certificate serial
  • sha1-fingerprint
  • sha256-fingerprint
  • subject
  • subject-keyid
  • valid: provides the validity period using not before and not after values

Host-disabled-state-changed

attributes:

  • disabled: disabled state, with values such as "BY_ADMIN", "BY_LICENSE" and "FALSE"
  • hostID

Host-key-accepted

attributes:

  • key

Host-key-denied

attributes:

  • error
  • key

Host-key-matched

attributes:

  • key

Host-key-saved

attributes:

  • key

Host-modified

attributes:

  • accessGroupID
  • cloudProvider: name of the cloud provider
  • count: number of hosts updated in host store
  • hostID
  • hostName
  • message: description of the event
  • modifications: JSON data containing the old and new values of the modified fields
  • sourceID: UUID of the Directory

Host-removed

attributes:

  • accessGroupID
  • cloudProvider
  • count: number of hosts removed
  • hostID
  • hostName
  • message
  • sourceID: UUID of the Directory

Host-service-connection-failure

attributes:

  • accessGroupID
  • appID
  • error
  • hostID
  • hostName
  • serviceAddress
  • servicePort
  • serviceSource
  • serviceType: values, such as "SSH", "RDP" and "WEB"

Host-service-connection-re-established

attributes:

  • accessGroupID
  • appID
  • hostID
  • hostName
  • latency-in-ms
  • serviceAddress
  • servicePort
  • serviceSource: source of service with values, such as "UI" and "SCIM"
  • serviceType: values, such as "SSH", "RDP" and "WEB"

Housekeeping-authorized-keys

This event is logged when an authorized key is expired and removed or when a key is about to expire

attributes:

  • count: number of expired authorized keys removed
  • keyID: ID of the authorized key that is about to expire
  • keyUserID: user ID that the authorized key that is about to expire belongs to
  • message: specifies how many days remain until the key expires, or that expired keys have been removed
  • notAfter: the date that the authorized key that is about to expire is not valid after

Housekeeping-OIDC-user-cache

This event is logged when expired OIDC users are removed from the user cache

attributes:

  • count: number of expired OIDC users that were removed from user cache
  • message: description of the event

Housekeeping-SCIM-roles

This event is logged when SCIM-created roles that are not currently in use by any host are deleted

attributes:

  • message: description of the event
  • roles: IDs of the roles, separated by commas

Housekeeping-user-data

This event is logged when data (secrets, keys, roles, ...) of users that have been inactive is removed

attributes:

  • message: description of the event
  • userIDs: list of user IDs, separated by commas

IDP-client-config-created

attributes:

  • clientID
  • id
  • message
  • signature-algorithm
  • type

IDP-client-config-modified

attributes:

  • id
  • message
  • modifications: JSON data containing the old and new values of the modified fields
  • signature-algorithm
  • type

IDP-client-config-removed

attributes:

  • id
  • message

IDP-client-credentials-regenerated

attributes:

  • id
  • message

Identity-provider-added

attributes:

  • identity-provider-id
  • message

Identity-provider-modified

attributes:

  • identity-provider-id
  • message
  • modifications: JSON data containing the old and new values of the modified fields

Identity-provider-removed

attributes:

  • identity-provider-id
  • message

Invalidated-session-cache-full

attributes:

License-error

attributes:

  • error
  • message

License-updated

attributes:

  • message

LogConf-collector-created

attributes:

  • collectorID: log collector ID
  • message
  • name
  • type: values, such as "AWS", "AZURE" and "GOOGLE"

LogConf-collector-modified

attributes:

  • collectorID: log collector ID
  • message
  • modifications: JSON data containing the old and new values of the modified fields
  • name
  • type: values, such as "AWS", "AZURE" and "GOOGLE"

LogConf-collector-removed

attributes:

  • collectorID: log collector ID
  • message
  • name

Managed-account-batch-created

attributes:

  • batch-size
  • disable-rdp-cert-auth
  • enabled
  • explicit-checkout
  • initial-rotation
  • password-policy-id
  • password-policy-name
  • rotation-enabled
  • target-domain-id
  • target-domain-name

Managed-account-batch-deleted

attributes:

  • batch-size
  • target-domain-id
  • target-domain-name

Managed-account-batch-modified

attributes:

  • batch-size
  • disable-rdp-cert-auth
  • enabled
  • explicit-checkout
  • password-policy-id
  • password-policy-name
  • rotation-enabled
  • target-domain-id
  • target-domain-name

Managed-account-created

attributes:

  • account-email
  • account-full-name
  • account-username
  • disable-rdp-cert-auth
  • enabled
  • explicit-checkout
  • external-id
  • id
  • password-policy-id
  • password-policy-name
  • rotation-enabled
  • security-id
  • target-domain-id
  • target-domain-name

Managed-account-deleted

attributes:

  • account-email
  • account-full-name
  • account-username
  • external-id
  • id
  • security-id
  • target-domain-id
  • target-domain-name

Managed-account-modified

attributes:

  • account-email
  • account-full-name
  • account-username
  • external-id
  • id
  • message
  • modifications: JSON data containing the old and new values of the modified fields
  • security-id
  • target-domain-id
  • target-domain-name

Monitoring-session-ended

attributes:

Monitoring-session-started

attributes:

Multi-factor-authentication-configured

attributes:

  • message
  • user-mfa-action: actions, such as "enable", "disable" and "reset"

Multi-factor-authentication-generated

attributes:

  • message

Network-session-closed

attributes:

Network-session-failure

attributes:

  • clientip
  • error
  • id
  • targetid
  • targetname

Network-session-fatal-failure

attributes:

  • clientip
  • error
  • id
  • targetid
  • targetname

Network-session-opened

attributes:

Network-target-created

attributes:

  • id
  • message
  • name

Network-target-disabled-state-changed

attributes:

  • disabled: disabled state, with values such as "BY_ADMIN", "BY_LICENSE" and "FALSE"
  • id
  • message

Network-target-modified

attributes:

  • id
  • message
  • modifications: JSON data containing the old and new values of the modified fields

Network-target-removed

attributes:

  • id
  • message

OAuth-client-authenticated

attributes:

  • clientID

OAuth-client-authentication-failed

attributes:

  • clientID

Password-rotation-failure

attributes:

  • account-username
  • error
  • hostID
  • id
  • principal
  • target-domain-id
  • target-domain-name
  • trigger

Password-rotation-policy-created

attributes:

  • id
  • name

Password-rotation-policy-modified

attributes:

  • id
  • modifications: JSON data containing the old and new values of the modified fields

Password-rotation-policy-removed

attributes:

  • id

Password-rotation-script-created

attributes:

  • id
  • name

Password-rotation-script-modified

attributes:

  • id
  • modifications: JSON data containing the old and new values of the modified fields

Password-rotation-script-removed

attributes:

  • id

Password-rotation-success

attributes:

  • account-username
  • id
  • target-domain-id
  • target-domain-name
  • trigger

Principal-added

attributes:

  • keyID
  • message
  • principalID

Principal-removed

attributes:

  • keyID
  • message
  • principalID

PrivX-db-clock-out-of-sync

attributes:

  • appID
  • database-time
  • message
  • privx-time

PrivX-restarted

attributes:

  • appID
  • message

MobileGW-privx-registration-failure

attributes:

  • appID
  • server-mode: values, such as "default", "server-only" and "worker-only"

MobileGW-privx-registration-success

attributes:

  • appID
  • server-mode: values, such as "default", "server-only" and "worker-only"

MobileGW-privx-registration-terminated

attributes:

  • appID
  • server-mode: values, such as "default", "server-only" and "worker-only"

MobileGW-user-paired-device

attributes:

MobileGW-user-unpaired-device

attributes:

  • domain
  • user-mobile-device

Request-added

attributes:

  • message
  • requestID
  • server-mode: values, such as "default", "server-only" and "worker-only"

Request-removed

attributes:

  • message
  • requestID
  • server-mode: values, such as "default", "server-only" and "worker-only"

Role-added

attributes:

  • accessGroupID
  • message
  • modifications: JSON data containing the old and new values of the modified fields
  • roleID
  • roleName

RoleContext-role-blocked

attributes:

  • accessGroupID
  • appID
  • endTime
  • ipAddr
  • ipMasks
  • message
  • principal
  • roleID
  • roleName
  • startTime
  • timeZone
  • type: values, such as "SUSPICIOUS_TIME_ROLE_BLOCKED" and "SUSPICIOUS_IP_ADDRESS_ROLE_BLOCKED"
  • weekdays

RoleContext-usage-alert

This event is logged when access occurs from a suspicious IP address or at a suspicious usage time

attributes:

  • accessGroupID
  • appID
  • endTime
  • ipAddr
  • ipMasks
  • message: description of type of suspicious activity
  • principal
  • roleID
  • roleName
  • startTime
  • timeZone
  • type: values, such as "SUSPICIOUS_TIME_WARNING" and "SUSPICIOUS_IP_ADDRESS_WARNING"
  • weekdays

Role-modified

attributes:

  • accessGroupID
  • message
  • modifications: JSON data containing the old and new values of the modified fields
  • roleID
  • roleName

Role-removed

attributes:

  • accessGroupID
  • message
  • modifications: JSON data containing the old and new values of the modified fields
  • roleID
  • roleName

Router-init-failed

attributes:

  • type: router type with values, such as "linux-iptables", "sshexec" and "logger"

Router-initialized

attributes:

  • type: router type with values, such as "linux-iptables", "sshexec" and "logger"

SSH-command-blocked

attributes:

  • channelID
  • command
  • connectionID: ID of the connection
  • sessionType: session channel type with values, such as "exec" and "shell"

SSH-live-event

attributes:

  • channelID
  • connectionID: ID of the connection
  • ssh-live-event: JSON data with the following fields: TimeStamp, ConnectionID, ChannelID, Protocol, Mode, Direction, Type, Data

SSH-non-whitelisted-command-allowed

attributes:

  • channelID
  • command
  • connectionID: ID of the connection
  • sessionType: session channel type with values, such as "exec" and "shell"

SSH-whitelisted-command-allowed

attributes:

  • channelID
  • command
  • connectionID: ID of the connection
  • sessionType: session channel type with values, such as "exec" and "shell"

Secret-accessed

attributes:

  • secret

Secret-changed

attributes:

  • secret

Secret-checked-out

attributes:

  • account-email
  • account-full-name
  • account-username
  • expires
  • explicit-checkout
  • id
  • target-domain-id
  • target-domain-name
  • type

Secret-checkout-expired

attributes:

  • account-email
  • account-full-name
  • account-username
  • duration: connection duration in seconds
  • explicit-checkout
  • id
  • target-domain-id
  • target-domain-name
  • type

Secret-created

attributes:

  • secret

Secret-metadata-changed

attributes:

  • modifications: JSON data containing the old and new values of the modified fields
  • secret

Secret-released

attributes:

  • account-email
  • account-full-name
  • account-username
  • duration: connection duration in seconds
  • explicit-checkout
  • id
  • target-domain-id
  • target-domain-name
  • type

Secret-removed

attributes:

  • deletedCount
  • owners
  • secret
  • sourceID: UUID of the Directory

Service-running

attributes:

  • appID
  • message
  • server-mode: values, such as "default", "server-only" and "worker-only"

Service-starting

attributes:

  • appID
  • error
  • message
  • server-mode: values, such as "default", "server-only" and "worker-only"

Service-stopped

attributes:

  • appID
  • error
  • message
  • server-mode: values, such as "default", "server-only" and "worker-only"

Session-added

attributes:

  • channelID
  • sessionType: session channel type with values, such as "exec" and "shell"

Session-password-generated

attributes:

  • backend-name

Session-rejected

attributes:

  • message
  • sessionType: session channel type with values, such as "exec" and "shell"

Session-removed

attributes:

  • channelID
  • sessionType: session channel type with values, such as "exec" and "shell"

Session-terminated

attributes:

Settings-modified

attributes:

  • appID
  • modifications: JSON data containing the old and new values of the modified fields
  • scope: values such as the name of a microservice, "PRIVX-CARRIER" and "EXTENDER-SERVICE"
  • server-mode: values, such as "default", "server-only" and "worker-only"

Target-domain-account-modified

attributes:

  • account-username
  • id
  • modifications: JSON data containing the old and new values of the modified fields
  • target-domain-id
  • target-domain-name

Target-domain-account-onboarding-failure

attributes:

  • batch-size
  • error
  • target-domain-id
  • target-domain-name

Target-domain-account-scan-failure

attributes:

  • error
  • target-domain-endpoint
  • target-domain-id
  • target-domain-name

Target-domain-account-scan-success

attributes:

  • target-domain-endpoint
  • target-domain-id
  • target-domain-name

Target-domain-created

attributes:

  • auto-onboarding
  • auto-onboarding-policy-id
  • auto-onboarding-policy-name
  • enabled
  • id
  • name
  • periodic-scan
  • periodic-scan-interval
  • target-domain-endpoints

Target-domain-deleted

attributes:

  • id
  • name

Target-domain-modified

attributes:

  • id
  • modifications: JSON data containing the old and new values of the modified fields
  • name

Trail-file-downloaded

attributes:

  • accessGroupID
  • connectionID: ID of the connection
  • filename
  • message: description of the event

Trail-file-integrity-failed

attributes:

  • accessGroupID
  • connectionID: ID of the connection
  • message: description of the event

Trail-file-open-failed

attributes:

  • accessGroupID
  • connectionID: ID of the connection
  • error: error causing failure
  • message: description of the event

Trail-file-read-failed

attributes:

  • error: error causing failure

Trail-open-failed

attributes:

  • accessGroupID
  • connectionID: ID of the connection
  • error: error message causing failure
  • message: description of the event or reason for opening the trail

Trail-opened

attributes:

  • accessGroupID
  • connectionID: ID of the connection
  • message: description of the event or reason for opening the trail
  • remoteAddress: client remote address

Trail-remove-failed

attributes:

  • accessGroupID
  • connectionID: ID of the connection
  • message: description of the event

Trail-removed

attributes:

  • accessGroupID
  • connectionID: ID of the connection
  • message: description of the event

Transcript-opened

attributes:

  • connectionID: ID of the connection
  • message
  • searchKeywords

Transcript-status-error

attributes:

  • connectionID: ID of the connection
  • message
  • protocol: protocol name, such as "SSH"

Transcript-status-indexed

attributes:

  • connectionID: ID of the connection
  • message
  • protocol: protocol name, such as "SSH"

Transcript-status-indexing

attributes:

  • connectionID: ID of the connection
  • message
  • protocol: protocol name, such as "SSH"

Transcript-status-scheduled

attributes:

  • connectionID: ID of the connection
  • message
  • protocol: protocol name, such as "SSH"

Transcript-trail-removed

attributes:

  • connectionID: ID of the connection
  • message

Trusted-client-added

attributes:

  • accessGroupID
  • clientID
  • extender-address
  • message
  • name
  • permissions
  • routingPrefix
  • subnets

Trusted-client-modified

attributes:

  • accessGroupID
  • clientID
  • enabled
  • extender-address
  • groupID
  • message
  • modifications: JSON data containing the old and new values of the modified fields
  • name
  • permissions
  • registered
  • routingPrefix
  • subnets
  • web-proxy-address

Trusted-client-removed

attributes:

  • accessGroupID
  • clientID
  • message
  • name

User-added

attributes:

  • targetUserID: ID of added user
  • targetUsername: username of added user

User-logged-in

attributes:

  • authentication-method: methods, such as "Password", "Single Sign-On", "Client Certificate" and "Authorized Key"
  • authenticator
  • backend-name
  • fingerprint
  • identity-provider-id
  • identity-provider-name
  • identity-provider-public-key-method
  • ipAddr
  • issuer: identity provider issuer
  • keyID
  • sourceID: UUID of the Directory

User-logged-out

attributes:

User-login-attempt-rate-limited

attributes:

  • message: reason for rate limit
  • remoteAddress: IP address that login was attempted from

User-login-failed

attributes:

User-MFA-challenge-sent

attributes:

User-MFA-challenge-setup-sent

attributes:

User-Mobile-MFA-challenge-sent

attributes:

User-Mobile-MFA-challenge-setup-sent

attributes:

User-modified

attributes:

  • modifications: JSON data containing the old and new values of the modified fields
  • targetUserID
  • targetUsername

User-password-modified

attributes:

  • targetUserID
  • targetUsername

User-access-token-refresh-failed

attributes:

User-access-token-refreshed

attributes:

User-removed

attributes:

  • targetUserID
  • targetUsername

User-roles-modified

attributes:

  • message
  • modifications: JSON data containing the old and new values of the modified fields
  • principal
  • targetUserID

Users-blocked-by-license

attributes:

  • message

Users-license-grace-period-started

attributes:

  • message

Users-license-ok

attributes:

  • message

WebAuthn-Credential-added

attributes:

  • keyUserID: user ID that the authorized key that is about to expire belongs to
  • message
  • name
  • webauthn-credential-id
  • id

WebAuthn-Credential-modified

attributes:

  • keyID
  • message
  • modifications: JSON data containing the old and new values of the modified fields
  • name
  • webauthn-credential-comment

WebAuthn-Credential-removed

attributes:

  • keyUserID: user ID that the authorized key that is about to expire belongs to
  • message
  • id

White-list-added

attributes:

  • id: ID of white list added
  • message: description of the event
  • name: name of the white list added

White-list-modified

attributes:

  • id: ID of white list modified
  • message: description of the event
  • modifications: JSON data containing the old and new values of the modified fields
  • name: name of the white list modified

White-list-removed

attributes:

  • id: ID of white list removed
  • message: description of the event

Workflow-added

attributes:

  • message: description of the event
  • server-mode: values, such as "default", "server-only" and "worker-only"
  • workflowID: ID of added workflow

Workflow-modified

attributes:

  • message: description of the event
  • modifications: JSON data containing the old and new values of the modified fields
  • name: name of modified workflow
  • server-mode: values, such as "default", "server-only" and "worker-only"
  • workflowID: ID of modified workflow

Workflow-removed

attributes:

  • message
  • server-mode: values, such as "default", "server-only" and "worker-only"
  • workflowID
