From PegaWiki

Owner: Juan Mojica. Curator: Leon Brown.
 
Latest revision as of 11:01, 1 February 2022

OAuth 2.0 Security Event Monitoring

Description: Advice for monitoring and interpreting OAuth 2.0 security events
Version: as of 8.6
Application: Pega Platform
Capability/Industry Area: Security

Introduction

This document provides advice for users responsible for ensuring the ongoing security of their Pega applications. It focuses on the OAuth 2.0 events that are written to the security events log whenever an event occurs that concerns OAuth 2.0 processing, such as dynamic client registration and token revocation. This document also provides guidance for how to interpret the log's contents. For more information, see Security events log (https://community.pega.com/knowledgebase/articles/security/86/security-events-log).


Note: All events are always enabled.

OAuth 2.0 Events

Fields common to all events

The following table lists the fields and their values that are the same for all OAuth 2.0 events.

Field Name      Value/Description
eventCategory   “OAuth 2.0”
ipAddress       IP address where the request originated
nodeID          Node ID on which the request was processed
operatorID      Operator ID issuing the request
timestamp       Date and time of the request (the JSON examples below spell this key timeStamp)
appName         Name of application

Invalid token requests

Advice

Monitor frequently for excessive requests using a particular client ID or originating from a particular IP address. Block the IP address if the requests are not recognized.

Event message fields

Field Name         Value/Description
eventType          “Token endpoint invoked”
HTTP Status Code   “400”
client_id          Client ID specified in the request
message            “The request is missing a required parameter”
                   “Invalid value provided for code parameter”
outcome            “invalid_request”, “invalid_grant”

Example 1

{"HTTP Status Code":"400","appName":"PegaRULES","client_id":"32538105954914023226","eventCategory":"OAuth 2.0","eventType":"Token endpoint invoked","id":"a844af32-dc51-440c-8a64-c273f8d92e0b","ipAddress":"10.233.66.0","message":"The request is missing a required parameter.","nodeID":"pega-web-68484dd67f-fdwxd","outcome":"invalid_request","tenantID":"shared","timeStamp":"Mon 2021 Nov 15, 21:42:12:908"}

Example 2

{"HTTP Status Code":"400","appName":"PegaRULES","client_id":"32538105954914023226","eventCategory":"OAuth 2.0","eventType":"Token endpoint invoked","id":"2395b9a5-a05a-47a9-9866-3de7a0ccc617","ipAddress":"10.233.64.0","message":"Invalid value provided for code parameter","nodeID":"pega-web-7654775556-br9n4","outcome":"invalid_grant","tenantID":"shared","timeStamp":"Tue 2021 Nov 16, 14:29:20:088"}

API requests with invalid client credentials

Advice

Monitor periodically.

Event message fields

Field Name         Value/Description
eventType          “Token endpoint invoked”
Description        “Invalid client secret”
HTTP Status Code   “401”
client_id          OAuth 2.0 client ID used in the request
message            “Client authentication failed”
outcome            “invalid_client”

Example

{"Description":"Invalid client secret","HTTP Status Code":"401","appName":"PegaRULES","client_id":"32538105954914023226","eventCategory":"OAuth 2.0","eventType":"Token endpoint invoked","id":"7c821a91-f9d0-4851-b2a6-79fb1e9f96e5","ipAddress":"10.233.68.0","message":"Client authentication failed ","nodeID":"pega-web-7654775556-br9n4","outcome":"invalid_client","tenantID":"shared","timeStamp":"Tue 2021 Nov 16, 19:36:23:110"}

Token revocation from REST API

Advice

Monitor regularly to identify unexpected token revocation requests. Block requests from IP addresses if requests are unexpected.

Fields

Field Name         Value/Description
eventType          “Revocation token endpoint invoked”
HTTP Status Code   “400”
message            “The server cannot process as it is malformed syntax”
client_id          “xyz”
outcome            “Bad Request”

Example (failed token revocation request)

"HTTP Status Code":"400","appName":"PegaRULES","client_id":"xyz","eventCategory":"OAuth 2.0","eventType":"Revocation token endpoint invoked","id":"630a9001-8eb9-4641-9aa7-14ef137079ff","ipAddress":"10.233.66.0","message":"The server cannot process as it is malformed syntax","nodeID":"pega-web-68484dd67f-fdwxd","outcome":"Bad Request","tenantID":"shared","timeStamp":"Mon 2021 Nov 15, 18:51:59:315"}

Regeneration of client secret from rule form

The system logs this event whenever the Regenerate client secret button on the OAuth 2.0 Client Registration rule form is clicked.

Advice

Monitor periodically. If this event is observed but not expected, block access to the operator/IP address from which the request occurred.

Fields

Field Name         Value/Description
HTTP Status Code   “201”
client_id          Registered client ID
eventType          “Done from client registration rule form”
message            “client secret regenerated successfully”
outcome            “status created”

Example

{"HTTP Status Code":"201","appName":"PegaDevelopment","client_id":"50595752443336245654","eventCategory":"OAuth 2.0","eventType":"Done from client registration rule form","id":"6f62ed9d-2dc5-48ad-8b4c-2ef1b9ada1f4","ipAddress":"10.233.67.0","message":"client secret regenerated successfully","nodeID":"pega-web-68484dd67f-fdwxd","operatorID":"xyz","outcome":"status created","requestorIdentity":"20170317T160417","tenantID":"shared","timeStamp":"Mon 2021 Nov 15, 19:20:35:481"}

Token revocation from rule form

Advice

Monitor daily. Ensure all entries are legitimate requests for token revocation. Block requests from IP addresses for unexpected revocation requests.

Fields

Field Name         Value/Description
HTTP Status Code   “200”
eventType          “Done from client registration rule form”
outcome            “status ok”
client_id          Client ID specified in the request
message            “access token and refresh token revoked”

Example

{"HTTP Status Code":"200","appName":"PegaDevelopment","client_id":"32538105954914023226","eventCategory":"OAuth 2.0","eventType":"Done from client registration rule form","id":"05d57aa5-30be-484a-a341-195ed419e07a","ipAddress":"10.233.67.0","message":"access token and refresh token revoked","nodeID":"pega-web-68484dd67f-fdwxd","operatorID":"solomSDE","outcome":"status ok","requestorIdentity":"20170317T160417","tenantID":"shared","timeStamp":"Mon 2021 Nov 15, 22:24:08:122"}

Delete client instance from rule form

Advice

Monitor daily. In production, the deletion of a client from the rule form should be extremely rare to non-existent. If the deletion is not expected, block access to the operator/IP address from which the request originated and restore the deleted client record.

Fields

Field Name   Value/Description
eventType    “Client deletion”
message      “Client registration is deleted from rule form”
outcome      “Client deleted”

Example

{"Http Status Code":"204","appName":"Company","client_id":"10721402601335077786","eventCategory":"OAuth 2.0","eventType":"Client deletion","id":"1e712ffa-09ad-4294-8703-17058cb3f3fe","ipAddress":"10.2.207.35","message":"Client registration is deleted from rule form","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operatorID":"Companyauthor","outcome":"Client deleted","requestorIdentity":"20211103T153639","tenantID":"shared","timeStamp":"Mon 2021 Nov 15, 15:56:37:523"}

Dynamic client registration

Advice

The system logs this event whenever a new client is created via the Pega API. Monitor daily. Any unexpected client registrations should be addressed immediately. Block the source of the requests and immediately delete the client record (at a minimum revoke access tokens via the rule form button).

Fields

Field Name    Value/Description
HTTP Status   “201”, “400”
client_id     Registered client’s client ID value
eventType     “Done from client registration rule form”*
message       “client details saved successfully to the database”
              “request parsing failed”
outcome       “client created”, “invalid_request_data”

*This eventType value is misleading: only the Pega API endpoint generates this event. Creating a new client registration from the rule form does not generate this event.

Example 1 (successful registration)

{"HTTP Status Code":"201","appName":"PegaRULES","client_id":"91190346154444541571","eventCategory":"OAuth 2.0","eventType":"Done from client registration rule form","id":"fcaccfbf-1fa8-4c87-bd68-671a1ad38714","ipAddress":"10.233.67.0","message":"client details saved successfully to the database","nodeID":"pega-web-849fc7f948-k7zmx","operatorID":"abcdef","outcome":"client created","requestorIdentity":"20211115T114220","tenantID":"shared","timeStamp":"Mon 2021 Nov 15, 11:47:29:395"}

Example 2 (unsuccessful registration)

{"HTTP Status Code":"400","appName":"Company","eventCategory":"OAuth 2.0","eventType":"Done from client registration rule form","id":"e8440d38-f518-4b30-a69c-6316d5ebf861","ipAddress":"10.2.207.35","message":"Request parsing failed","nodeID":"8b1bb39d3e5c4776c7b62c232ffa4133","operatorID":"Companyauthor","outcome":"invalid_request_data","requestorIdentity":"20211103T153639","tenantID":"shared","timeStamp":"Mon 2021 Nov 15, 18:20:11:857"}

Resource API invocation using invalid access token

Advice

Monitor daily. Repeated events of access requests with an invalid token from a given user/IP address might indicate malicious activity. Examine the source of the requests and block if necessary.

Fields

Field Name         Value/Description
Description        “Access token validation failed”
HTTP Status Code   “401”
eventType          “Access token validation while accessing resources”
message            “Invalid token or expired”
outcome            “invalid_token”

Example

{"Description":"Access token validation failed","HTTP Status Code":"401","appName":"PegaRULES","eventCategory":"OAuth 2.0","eventType":"Access token validation while accessing resources","id":"c69e56d4-3701-4d74-ad57-4aaf007f9c6f","ipAddress":"10.233.68.1","message":"Invalid token or expired.","nodeID":"pega-web-849fc7f948-k7zmx","outcome":"invalid_token","tenantID":"shared","timeStamp":"Mon 2021 Nov 15, 09:50:21:238"}