Security Administration Security Event Monitoring

From PegaWiki


Description: Advice for monitoring and interpreting security administration events
Version: as of 8.6
Application: Pega Platform
Capability/Industry Area: Security



Introduction

This document provides advice for the people responsible for the ongoing security of their Pega applications. It covers the security administration events that are written to the security events log whenever the security model configuration changes, for example access groups, roles, access control policies, content security policies and servlet filters, and explains how to interpret each event. For more information, see Security events log.


Note: Events marked with an asterisk (*) are always enabled; none of the events listed on this page carry that mark, so check the security event configuration to confirm they are switched on in your environment.

Security Administration Events

Fields common to all events

The following table lists the fields whose meaning is the same for all security administration events.

Field Name       Value/Description
eventCategory    "Security administration event"
ipAddress        IP address from which the request originated
nodeID           Node ID on which the request was processed
operatorID       Operator ID issuing the request
timeStamp        Date and time of the request, written as in "Tue 2021 Nov 02, 19:38:06:995" (the last field is milliseconds)
appName          Name of the application

Every example below also carries an id (a unique identifier for the event), a requestorIdentity and a tenantID ("shared" on a single-tenant system).

Advice

The advice is largely the same for every security administration event. Review these events daily. In a production system they should rarely occur. Evaluate every occurrence to determine whether the change was authorized. If it was not, reverse the modification and block access for the operator ID and the IP address from which the request was made. The one exception is the event that represents disabling or enabling operators; these can be expected events, but still examine each one closely to confirm that it was legitimate.


Because many of these events reflect changes to instances controlled by rule checkout and check-in, a single user operation can generate several events from the same operator within a short time. For example, a check-in can generate import, update and delete events. Treat such a burst as one change when deciding whether it was authorized, rather than reviewing each event in isolation.
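The following triage routine is an added example written by the editor; it is not Pega's code and is not part of the original page. It reads log lines in the JSON form shown in the examples below, keeps only security administration events, classifies disable/enable requests as "review" and everything else as "investigate", and collapses events from one operator, requestorIdentity and source IP that land within WINDOW_SECONDS of each other into a single alert, so that a check-in producing update, import and delete is reviewed once. The window size, the grouping on requestorIdentity, and the assumption that UsersList can hold several comma-separated quoted operator IDs are the editor's assumptions; the sample log lines are constructed after the examples on this page.

```python
"""Triage of Pega security administration events, following the advice above.

Added example (editor's code, not Pega's).  Assumptions: one JSON object per
log line in the format shown on this page; WINDOW_SECONDS is a local choice;
events from one operator, requestorIdentity and IP inside that window are one
user operation; UsersList is a comma-separated list of quoted operator IDs.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Pega writes timeStamp as, for example, "Tue 2021 Nov 02, 19:38:06:995".
TS_FORMAT = "%a %Y %b %d, %H:%M:%S:%f"
WINDOW_SECONDS = 30  # assumption: a check-in's events arrive within this window
# Disabling/enabling operators can be expected in production: reviewed, not
# presumed unauthorized.  Every other security administration event is investigated.
EXPECTED_BUT_REVIEW = {"DisableOperators", "EnableOperators"}


def parse_event(line):
    """Return the event with a parsed 'when', or None for non-admin categories."""
    ev = json.loads(line)
    if ev.get("eventCategory") != "Security administration event":
        return None
    ev["when"] = datetime.strptime(ev["timeStamp"], TS_FORMAT)
    return ev


def decode_users_list(value):
    """UsersList arrives as a string such as '"user1"'; strip the quoting."""
    return [u.strip().strip('"') for u in value.split(",") if u.strip()]


def severity(events):
    """'review' only if every event in the burst is an expected disable/enable."""
    return "review" if all(e["eventType"] in EXPECTED_BUT_REVIEW for e in events) else "investigate"


def make_alert(actor, events):
    operator, requestor, ip = actor
    alert = {
        "operatorID": operator, "requestorIdentity": requestor, "ipAddress": ip,
        "start": events[0]["when"], "end": events[-1]["when"],
        "eventTypes": sorted({e["eventType"] for e in events}),
        "operations": [e.get("operation") for e in events],
        "eventIDs": [e["id"] for e in events],
        "severity": severity(events),
    }
    affected = []
    for e in events:
        if e["eventType"] in EXPECTED_BUT_REVIEW:
            affected.extend(decode_users_list(e.get("UsersList", "")))
    if affected:
        alert["affectedOperators"] = affected
    return alert


def triage(log_text):
    """One alert per actor and burst: events closer than WINDOW_SECONDS are one operation."""
    events = [e for e in (parse_event(l) for l in log_text.splitlines() if l.strip()) if e]
    events.sort(key=lambda e: e["when"])
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["operatorID"], e.get("requestorIdentity"), e.get("ipAddress"))].append(e)
    alerts = []
    for actor, evs in by_actor.items():
        burst = [evs[0]]
        for e in evs[1:]:
            if e["when"] - burst[-1]["when"] <= timedelta(seconds=WINDOW_SECONDS):
                burst.append(e)
            else:
                alerts.append(make_alert(actor, burst))
                burst = [e]
        alerts.append(make_alert(actor, burst))
    return alerts


# Constructed sample log modelled on the examples on this page (not real events):
# a CSP check-in burst, one disable request, one filter addition, one non-admin line.
SAMPLE_LOG = r'''
{"appName":"Company","eventCategory":"Security administration event","eventType":"Content security policy changed","id":"e1","ipAddress":"10.2.203.48","nodeID":"n1","operation":"update","operatorID":"Companyauthor","policyName":"Company","requestorIdentity":"20210803T190228","tenantID":"shared","timeStamp":"Tue 2021 Nov 02, 19:59:13:724"}
{"appName":"Company","eventCategory":"Security administration event","eventType":"Content security policy changed","id":"e2","ipAddress":"10.2.203.48","nodeID":"n1","operation":"import","operatorID":"Companyauthor","policyName":"Company","requestorIdentity":"20210803T190228","tenantID":"shared","timeStamp":"Tue 2021 Nov 02, 19:59:14:101"}
{"appName":"Company","eventCategory":"Security administration event","eventType":"Content security policy changed","id":"e3","ipAddress":"10.2.203.48","nodeID":"n1","operation":"delete","operatorID":"Companyauthor","policyName":"Company","requestorIdentity":"20210803T190228","tenantID":"shared","timeStamp":"Tue 2021 Nov 02, 19:59:14:380"}
{"UsersList":"\"user1\"","appName":"Company","disablementReason":"Security profile changed","eventCategory":"Security administration event","eventType":"DisableOperators","id":"e4","ipAddress":"10.2.204.140","message":"User disablement requested with a list of users","nodeID":"n1","operatorID":"Companyauthor","outcome":"Success","requestorIdentity":"20211103T153639","tenantID":"shared","timeStamp":"Wed 2021 Nov 03, 19:44:06:177"}
{"ClassName":"net.jvmhost.test.IPFilter","FilterName":"filter2","appName":"Company","eventCategory":"Security administration event","eventType":"Filter configuration updated","id":"e5","ipAddress":"10.2.207.32","nodeID":"n1","operation":"filter added","operatorID":"Companyauthor","requestorIdentity":"20211103T153639","tenantID":"shared","timeStamp":"Fri 2021 Nov 05, 18:43:25:692"}
{"appName":"Company","eventCategory":"Other (constructed)","eventType":"Not an admin event","id":"e6","ipAddress":"10.2.1.1","nodeID":"n1","operatorID":"someone","timeStamp":"Fri 2021 Nov 05, 18:50:00:000"}
'''

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a["severity"], a["operatorID"], a["ipAddress"], a["eventTypes"],
              a["operations"], a.get("affectedOperators", ""))
```

Run as-is it prints three alerts: the three CSP events become one "investigate" alert with operations update, import, delete; the disable request is a "review" alert naming user1; the filter addition is a separate "investigate" alert because it came from a different IP. Grouping on requestorIdentity and source IP is what keeps two operators' concurrent changes from being merged into one alert.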

Every invocation of access manager

Event message fields

Field Name   Value/Description
eventType    "Access manager invoked"

This event carries no operation or target fields; it records only that Access Manager was opened. Pair it with the role, access group and policy events that follow to see what, if anything, was changed.

Example

{"appName":"Company","eventCategory":"Security administration event","eventType":"Access manager invoked","id":"21052b73-0cee-43e6-94f2-f033801d8950","ipAddress":"10.2.203.48","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operatorID":"Companyauthor","requestorIdentity":"20210803T190228","tenantID":"shared","timeStamp":"Tue 2021 Nov 02, 19:38:06:995"}

Every BIX form change and execution

The system generates BIX events when the configuration of a BIX extract rule is modified and when a BIX extraction runs.

Event message fields

Field Name        Value/Description
eventType         "BIX extract rule changed" or "BIX extract rule executed"
operation         "update" or "delete"
outputDirectory   BIX configuration setting: directory the extract is written to
outputFormat      BIX configuration setting: format of the extract (for example "CSV")
ruleID            Full ID of the BIX extract rule
ruleName          Name of the BIX extract rule
className         Class of the instances the BIX extract reads

Because an extract writes application data to outputDirectory, a changed output directory or format deserves a look even when the rule change itself was authorized.

Example

{"appName":"Company","eventCategory":"Security administration event","eventType":"BIX extract rule changed","id":"7ea3cd72-33ed-4d70-841e-06ab2c8550d6","ipAddress":"10.2.204.143","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"update","operatorID":"Companyauthor","outputDirectory":"C:\\","outputFormat":"CSV","requestorIdentity":"20211103T153639","ruleID":"RULE-ADMIN-EXTRACT PEGASAMPLE SAMPLE #20211105T204433.817 GMT","ruleName":"Sample","tenantID":"shared","timeStamp":"Fri 2021 Nov 05, 20:44:34:570"}

Every change to ABAC security policies

Fields

Field Name            Value/Description
eventType             "Access control policy changed" or "Access control policy condition changed"
operation             "update", "import" or "delete"
policyID              Full ID of the access control policy (policy events)
policyName            Name of the access control policy (policy events)
policyConditionID     Full ID of the access control policy condition (condition events)
policyConditionName   Name of the access control policy condition (condition events)

Example 1

{"appName":"Company","eventCategory":"Security administration event","eventType":"Access control policy changed","id":"1a142555-5f23-40e3-a1c6-cdee51c09287","ipAddress":"10.2.203.48","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"update","operatorID":"Companyauthor","policyID":"RULE-ACCESS-POLICY DATA-ADMIN-OPERATOR-ID UPDATE!OPERATORUPDATECONTROL #20211102T200941.293 GMT","policyName":"Operator update control","requestorIdentity":"20210803T190228","tenantID":"shared","timeStamp":"Tue 2021 Nov 02, 20:09:54:686"}

Example 2

{"appName":"Company","eventCategory":"Security administration event","eventType":"Access control policy condition changed","id":"0b71e0c5-aa58-4fd9-9b99-a6602e1c91c7","ipAddress":"10.2.203.48","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"delete","operatorID":"Companyauthor","policyConditionID":"RULE-ACCESS-POLICYCONDITION OG1ZAA-COMPANY-WORK-SURVEY CANVIEWSURVEY #20211102T203822.621 GMT","policyConditionName":"CanViewSurvey","requestorIdentity":"20210803T190228","tenantID":"shared","timeStamp":"Tue 2021 Nov 02, 20:38:48:325"}

Every change to CBAC security policies

Fields

Field Name   Value/Description
eventType    "CBAC policy changed"
operation    "update", "import" or "delete"
policyID     Full ID of the client-based access control policy
policyName   Name of the client-based access control policy

Regenerating a client secret from the client registration rule form is also logged as a security administration event, with these fields:

Field Name   Value/Description
eventType    "Done from client registration rule form"
Message      "client secret regenerated successfully"
outcome      "status created"

Example

{"appName":"Company","eventCategory":"Security administration event","eventType":"CBAC policy changed","id":"98bb35db-d432-47fd-ab76-49e8af6ae69d","ipAddress":"10.2.203.48","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"update","operatorID":"Companyauthor","policyID":"RULE-ACCESS-CLIENTDATA OG1ZAA-COMPANY-WORK-SURVEY SURVEYDATA #20211102T204838.720 GMT","policyName":"survey data","requestorIdentity":"20210803T190228","tenantID":"shared","timeStamp":"Tue 2021 Nov 02, 20:48:57:015"}

Every change to dynamic system setting

Fields

Field Name     Value/Description
eventType      "Dynamic system setting changed"
operation      "update" or "delete"
settingID      Full ID of the dynamic system setting
settingName    Name of the dynamic system setting
settingValue   The new value of the dynamic system setting

settingValue is written to the log in clear text, so the log inherits the sensitivity of whatever the setting holds; keep that in mind when deciding who may read the security events log.

Example

{"appName":"Company","eventCategory":"Security administration event","eventType":"Dynamic system setting changed","id":"c4541722-ece5-4bdd-b2af-f9db15699b80","ipAddress":"10.2.203.48","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"update","operatorID":"Companyauthor","requestorIdentity":"20210803T190228","settingID":"DATA-ADMIN-SYSTEM-SETTINGS PEGA-ENGINE!PRCONFIG/DNODE/CASSANDRA_VERSION/DEFAULT","settingName":"Pega-Engine-prconfig/dnode/cassandra_version/default","settingValue":"3.11.3","tenantID":"shared","timeStamp":"Tue 2021 Nov 02, 20:59:01:853"}

Every change to content security policy (CSP)

Advice

The system often logs several events for one CSP modification. A delete operation is logged both when a checked-out instance is discarded and when an instance that is not checked out is deleted, so a delete does not by itself mean the policy is gone. A check-in can generate three events: update, import and delete. Because policyHeader carries the complete policy, compare it with the previous version to see exactly which directives changed; a policy that opens script-src or frame-ancestors to * or adds 'unsafe-inline' weakens the application's protection against cross-site scripting and clickjacking even when the change itself was authorized.

Fields

Field Name     Value/Description
eventType      "Content security policy changed"
operation      "update", "import" or "delete"
policyHeader   Full content of the CSP in HTTP header form
policyID       Instance ID of the CSP rule
policyName     Name of the CSP rule

Example

{"appName":"Company","eventCategory":"Security administration event","eventType":"Content security policy changed","id":"4edb5f21-a059-4a46-b955-4252eb8347c9","ipAddress":"10.2.203.48","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"update","operatorID":"Companyauthor","policyHeader":"base-uri *; form-action *; frame-ancestors *; font-src *; frame-src * data: mailto: tel: blob: filesystem: mediastream:; img-src data: blob: filesystem: mediastream: \u0027self\u0027 cid: cid *; media-src * data: blob: filesystem: mediastream:; object-src * data: blob: filesystem: mediastream:; script-src * \u0027unsafe-inline\u0027 \u0027unsafe-eval\u0027 data: blob: filesystem: mediastream:; style-src * \u0027unsafe-inline\u0027 \u0027unsafe-eval\u0027 data: blob: filesystem: mediastream:; default-src * data: blob: filesystem: mediastream:; child-src * data: blob: filesystem: mediastream:; ","policyID":"RULE-ACCESS-CSP COMPANY #20211102T195809.378 GMT","policyName":"Company","requestorIdentity":"20210803T190228","tenantID":"shared","timeStamp":"Tue 2021 Nov 02, 19:59:13:724"}
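The policyHeader in the example above is wide open: every directive allows * and the script and style directives allow 'unsafe-inline' and 'unsafe-eval'. The following checker is an added example by the editor, not Pega's code and not part of the original page; it parses the header from a "Content security policy changed" event and reports the directives that matter most for script execution, plugins, base URL, framing and form posts. The set of risky source expressions and the hardened comparison header are the editor's choices; the first header is the one from the event example above with the JSON \u0027 escapes decoded to apostrophes.

```python
"""Flag weak directives in the policyHeader of a "Content security policy changed" event.

Added example (editor's code, not Pega's).  PAGE_HEADER is copied from the event
example on this page; HARDENED_HEADER, RISKY_SOURCES and the directive set checked
are the editor's choices.
"""
import json

# Source expressions that make a directive effectively open.  'self' and 'none' are
# fine; explicit hosts are left for the reviewer to judge and are not listed here.
RISKY_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "blob:", "http:", "https:"}
# Fetch directives inherit default-src when absent; base-uri, frame-ancestors and
# form-action do not, so their absence is reported as a finding in its own right.
FALLS_BACK_TO_DEFAULT = {"script-src", "object-src"}
CHECKED = ("script-src", "object-src", "base-uri", "frame-ancestors", "form-action")


def parse_csp(header):
    """'name src src; name src' -> {name: [src, ...]}; directive names are case-insensitive."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy, name):
    if name in policy:
        return policy[name]
    if name in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


def check_csp(header):
    """Return (directive, problem) pairs; an empty list means nothing obviously weak."""
    findings = []
    policy = parse_csp(header)
    for name in CHECKED:
        sources = effective_sources(policy, name)
        if sources is None:
            findings.append((name, "not set"))
            continue
        weak = [s for s in sources if s.lower() in RISKY_SOURCES]
        if weak:
            findings.append((name, " ".join(weak)))
    return findings


def check_csp_event(line):
    """Apply check_csp to one log line; None if it is not a CSP change event."""
    ev = json.loads(line)
    if ev.get("eventType") != "Content security policy changed":
        return None
    return {"policyName": ev.get("policyName"), "operation": ev.get("operation"),
            "operatorID": ev.get("operatorID"), "findings": check_csp(ev.get("policyHeader", ""))}


# Header from the example event on this page (\u0027 already decoded to ').
PAGE_HEADER = (
    "base-uri *; form-action *; frame-ancestors *; font-src *; "
    "frame-src * data: mailto: tel: blob: filesystem: mediastream:; "
    "img-src data: blob: filesystem: mediastream: 'self' cid: cid *; "
    "media-src * data: blob: filesystem: mediastream:; "
    "object-src * data: blob: filesystem: mediastream:; "
    "script-src * 'unsafe-inline' 'unsafe-eval' data: blob: filesystem: mediastream:; "
    "style-src * 'unsafe-inline' 'unsafe-eval' data: blob: filesystem: mediastream:; "
    "default-src * data: blob: filesystem: mediastream:; "
    "child-src * data: blob: filesystem: mediastream:; "
)
# Constructed hardened header for comparison (editor's example, not from the page).
HARDENED_HEADER = ("default-src 'self'; script-src 'self'; object-src 'none'; "
                   "base-uri 'self'; frame-ancestors 'none'; form-action 'self'")
# Constructed event line carrying the page header; only the fields used above are set.
SAMPLE_EVENT = json.dumps({"eventCategory": "Security administration event",
                           "eventType": "Content security policy changed", "operation": "update",
                           "operatorID": "Companyauthor", "policyName": "Company",
                           "policyHeader": PAGE_HEADER})

if __name__ == "__main__":
    for directive, problem in check_csp_event(SAMPLE_EVENT)["findings"]:
        print(f"{directive}: {problem}")
    print("hardened header findings:", check_csp(HARDENED_HEADER))
```

On the page's header this reports all five checked directives (script-src with * 'unsafe-inline' 'unsafe-eval' data: blob:, object-src with * data: blob:, and * for base-uri, frame-ancestors and form-action); on the hardened header it reports nothing. Run it over every CSP event in the log and compare the findings between consecutive versions of the same policyName to catch a change that loosens the policy.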

Every change to security authentication policies

These events represent changes to the policy settings on the Security Policies landing page (Configure > System > Settings > Security Policies).

Fields

Field Name   Value/Description
eventType    "Authentication policy changed"

The event does not record which setting changed or its new value, so after an unexpected event compare the Security Policies landing page against its expected configuration.

Example

{"appName":"Company","eventCategory":"Security administration event","eventType":"Authentication policy changed","id":"838ed584-0315-453d-846b-0b4b7e84d997","ipAddress":"10.2.204.140","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operatorID":"Companyauthor","requestorIdentity":"20210803T190228","tenantID":"shared","timeStamp":"Wed 2021 Nov 03, 15:56:54:864"}

Every change to security event configuration

Fields

Field Name   Value/Description
eventType    "security event configuration changed"
message      "security event configuration has been modified."

Because this configuration controls which of the other events are logged at all, an unexpected change here may be an attempt to silence monitoring; treat it as the highest-priority event on this page and confirm that the expected events are still enabled.

Example

{"appName":"Company","eventCategory":"Security administration event","eventType":"security event configuration changed","id":"16b99386-901a-497d-87c2-786fd1961166","ipAddress":"10.2.203.48","message":"security event configuration has been modified.","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operatorID":"Companyauthor","requestorIdentity":"20210803T190228","tenantID":"shared","timeStamp":"Tue 2021 Nov 02, 19:30:00:366"}

Every change to RBAC security policies (including RADO and RARO)

Fields

Field Name       Value/Description
eventType        "Role name changed", "Access of role to object rule changed" or "Deny rule changed"
operation        "import", "update" or "delete"
roleName         Name of the role (Role name changed)
roleNameID       Full ID of the role (Role name changed)
roleObjectID     Full ID of the Rule-Access-Role-Obj (RARO) instance (Access of role to object rule changed)
roleObjectName   Name of the role the RARO belongs to (Access of role to object rule changed)
denyObjectID     Full ID of the Rule-Access-Deny-Obj (RADO) instance (Deny rule changed)
denyObjectName   Description of the RADO (Deny rule changed)

Example 1 (Role)

{"appName":"Company","eventCategory":"Security administration event","eventType":"Role name changed","id":"c164e9fe-e1d0-4e00-819b-028f4d0ae7f7","ipAddress":"10.2.204.140","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"import","operatorID":"Companyauthor","requestorIdentity":"20210803T190228","roleName":"Company:NoAccess","roleNameID":"RULE-ACCESS-ROLE-NAME COMPANY:NOACCESS #20211103T182053.208 GMT","tenantID":"shared","timeStamp":"Wed 2021 Nov 03, 18:21:10:985"}

Example 2 (Rule-Access-Role-Obj)

{"appName":"Company","eventCategory":"Security administration event","eventType":"Access of role to object rule changed","id":"9d007168-e9ef-4ee4-9a16-39a5bd36e556","ipAddress":"10.2.204.140","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"update","operatorID":"Companyauthor","requestorIdentity":"20210803T190228","roleObjectID":"RULE-ACCESS-ROLE-OBJ COMPANY:NOACCESS @BASECLASS","roleObjectName":"Company:NoAccess","tenantID":"shared","timeStamp":"Wed 2021 Nov 03, 18:27:04:639"}

Example 3 (Rule-Access-Deny-Obj)

{"appName":"Company","denyObjectID":"RULE-ACCESS-DENY-OBJ COMPANY:USER @BASECLASS","denyObjectName":"just testing","eventCategory":"Security administration event","eventType":"Deny rule changed","id":"1268df12-62f6-4ef1-bb7d-4180822860c7","ipAddress":"10.2.204.140","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"update","operatorID":"Companyauthor","requestorIdentity":"20211103T153639","tenantID":"shared","timeStamp":"Wed 2021 Nov 03, 18:51:29:476"}

Every change to access group settings

Fields

Field Name        Value/Description
accessGroupID     Full ID of the access group
accessGroupName   Name of the access group
eventType         "Access group changed"
operation         "update" or "delete"

Example

{"accessGroupID":"DATA-ADMIN-OPERATOR-ACCESSGROUP COMPANY:AUTHORS","accessGroupName":"Author","appName":"Company","eventCategory":"Security administration event","eventType":"Access group changed","id":"b98ced14-1cae-41c0-80ca-30b6bd650b16","ipAddress":"10.2.204.140","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"update","operatorID":"Companyauthor","requestorIdentity":"20210803T190228","tenantID":"shared","timeStamp":"Wed 2021 Nov 03, 18:15:34:974"}

Every change to workbasket role settings

The system generates these events whenever a work queue (workbasket) instance is created, updated or deleted.

Fields

Field Name       Value/Description
eventType        "Workbasket has changed"
operation        "update" or "delete"
workBasketID     Full ID of the work basket (work queue)
workBasketName   Name of the work basket (work queue)

Example

{"appName":"Company","eventCategory":"Security administration event","eventType":"Workbasket has changed","id":"9191fd84-2b77-457a-bae7-79204b930b56","ipAddress":"10.2.204.140","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"update","operatorID":"Companyauthor","requestorIdentity":"20211103T153639","tenantID":"shared","timeStamp":"Wed 2021 Nov 03, 19:17:37:000","workBasketID":"DATA-ADMIN-WORKBASKET COMPANYHOME:USERS","workBasketName":"Users"}

Every change to Disable/Enable operator

Advice

The system logs this event whenever an operator is disabled (prevented from logging in) or enabled (allowed to log in again). Unlike the other events on this page, these can be expected in normal operation. Monitor them closely and determine whether each one was expected. If not, block the operator ID and IP address from which the action was taken and correct the affected operator's settings. These events are generated only through the User Management API; disabling or enabling an operator through the operator rule form, or through the security policy settings, does not generate them, so the absence of an event does not prove that no operator was disabled or enabled.

Fields

Field Name          Value/Description
UsersList           List of operator IDs included in the request, logged as a quoted string (for example "\"user1\"")
disablementReason   "Security profile changed" (disable requests only)
eventType           "DisableOperators" or "EnableOperators"
message             "User disablement requested with a list of users" or "User enablement requested with a list of users"
outcome             "Success"

Example 1 (disable request)

{"UsersList":"\"user1\"","appName":"Company","disablementReason":"Security profile changed","eventCategory":"Security administration event","eventType":"DisableOperators","id":"04160808-32aa-4300-abd6-2ca051113e8c","ipAddress":"10.2.204.140","message":"User disablement requested with a list of users","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operatorID":"Companyauthor","outcome":"Success","requestorIdentity":"20211103T153639","tenantID":"shared","timeStamp":"Wed 2021 Nov 03, 19:44:06:177"}

Example 2 (enable request)

{"UsersList":"\"CompanyGuest\"","appName":"Company","eventCategory":"Security administration event","eventType":"EnableOperators","id":"8ceb3eca-6311-480f-a270-8960dccc1ab2","ipAddress":"10.2.204.140","message":"User enablement requested with a list of users","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operatorID":"Companyauthor","outcome":"Success","requestorIdentity":"20211103T153639","tenantID":"shared","timeStamp":"Wed 2021 Nov 03, 21:07:04:296"}

Every change to add/update/remove a servlet or filter

Fields

Field Name   Value/Description
FilterName   Name of the filter configuration
eventType    "Filter configuration updated"
operation    "filter updated", "filter added" or "filter removed"
ClassName    Fully qualified name of the filter class

A servlet filter sees every request before the application does, so an added filter of a class you do not recognise, or the removal of a filter that enforces a control (for example an IP restriction filter), should be investigated immediately. Note that the "filter updated" event (Example 1) carries no ClassName; only the added and removed events identify the class, so for an update check the filter configuration directly.

Example 1 (filter updated)

{"FilterName":"IPFilter","appName":"Company","eventCategory":"Security administration event","eventType":"Filter configuration updated","id":"6fa8aff5-89f0-4ca1-95b0-97dabde8959c","ipAddress":"10.2.207.32","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"filter updated","operatorID":"Companyauthor","requestorIdentity":"20211103T153639","tenantID":"shared","timeStamp":"Fri 2021 Nov 05, 18:39:24:008"}

Example 2 (filter added)

{"ClassName":"net.jvmhost.test.IPFilter","FilterName":"filter2","appName":"Company","eventCategory":"Security administration event","eventType":"Filter configuration updated","id":"87b3e853-cbf8-48d3-8b95-d9fd7a7d01d2","ipAddress":"10.2.207.32","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"filter added","operatorID":"Companyauthor","requestorIdentity":"20211103T153639","tenantID":"shared","timeStamp":"Fri 2021 Nov 05, 18:43:25:692"}

Example 3 (filter removed)

{"ClassName":"net.jvmhost.test.IPFilter","FilterName":"filter2","appName":"Company","eventCategory":"Security administration event","eventType":"Filter configuration updated","id":"42e31022-1f50-4ade-ae8c-b2b67546798b","ipAddress":"10.2.207.32","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operation":"filter removed","operatorID":"Companyauthor","requestorIdentity":"20211103T153639","tenantID":"shared","timeStamp":"Fri 2021 Nov 05, 18:46:04:158"}