This section contains a list of the custom audit events that are generated by policies in each driver. These events are sent to the Identity Vault Collector, which parses the events and stores the information in the Sentinel™ data store.
These events are used to inject business relevance instead of sending raw data events. This allows you to verify that your business policies and processes are being enforced.
In the past, Sentinel tracked Add, Delete, and Modify events. Sentinel could report on how many events occurred, but not whether an event was supposed to occur. The custom events track granting and revoking of entitlements. The entitlements generate Add, Delete, or Modify events. Sentinel tracks which entitlement generated the Add event, and the reports show when and why an Add event occurred, instead of just when an Add event occurred.
Figure 9-1 represents the common components that make up the event structure. Each item in the illustration is part of an event. The different items are tracked to verify the uniqueness of the event.
Figure 9-1 Components of the Event Structure
Table 9-1 contains the general event structure. The defined events are in the dirxml_custom.lsc file that is on the Identity Manager 3.6 media.
Table 9-1 General Event Structure

Descriptive Name | Description | Format | Audit Field Name | Sample Data |
---|---|---|---|---|
Audit Event ID | 1200-1299 | Int/Hex | | |
Version | Sequential number incremented by one whenever the event structure changes. | Int | Value 3 (3) | |
Originator | Always the driver DN. | String | Originator (B) | |
Target | Object (account) in the connected application. | String | Target (U) | |
Target Type | 0=None 1=DN in Slash Notation 2=DN in Dot Notation 3=DN in LDAP Notation 4=Association | Int | targetType (V) | |
Sub Target | Entitlements/attribute name. | String | Sub-Target (Y) | |
Status | Identity Manager status. | Int | value (1) | 0=success 1=retry 2=warning 3=error 4=fatal |
IDM Event ID | @event-id from XDS document | String | Text 3 (F) | |
Identity | GUID | B64 encoded octet string value | Text 1 (S) | |

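
As an added example (not part of the original documentation or the product's code), the following Python decodes one event using the event ID range, audit field letters, Target Type codes and Status codes from Table 9-1. The input shape (a dict keyed by field letter), the `needs_review` flag and all sample values are assumptions constructed for illustration.

```python
import base64
import binascii

# Event ID range and enumerations are taken from Table 9-1.
EVENT_ID_RANGE = range(1200, 1300)
TARGET_TYPES = {0: "None", 1: "DN in Slash Notation", 2: "DN in Dot Notation",
                3: "DN in LDAP Notation", 4: "Association"}
STATUSES = {0: "success", 1: "retry", 2: "warning", 3: "error", 4: "fatal"}


def decode_event(event_id, fields):
    """Decode one custom audit event into descriptive names.

    Assumption: `fields` is a dict keyed by the audit field letters of
    Table 9-1 (B, U, V, Y, 1, 3, F, S); the collector's real input
    format is not shown on the page.
    """
    # The format is Int/Hex, so accept 1200 as well as "0x4B0".
    eid = event_id if isinstance(event_id, int) else int(str(event_id), 0)
    if eid not in EVENT_ID_RANGE:
        raise ValueError(f"event ID {eid} is outside 1200-1299")
    status, target_type = int(fields["1"]), int(fields["V"])
    if status not in STATUSES or target_type not in TARGET_TYPES:
        raise ValueError("unknown Status or Target Type code")
    try:
        # Identity is a Base64-encoded octet string (the GUID).
        guid = base64.b64decode(fields["S"], validate=True)
    except binascii.Error as exc:
        raise ValueError("Identity is not valid Base64") from exc
    return {
        "event_id": eid,
        "version": int(fields["3"]),
        "originator": fields["B"],
        "target": fields["U"],
        "target_type": TARGET_TYPES[target_type],
        "sub_target": fields["Y"],
        "status": STATUSES[status],
        "idm_event_id": fields["F"],
        "identity_hex": guid.hex(),
        "needs_review": status >= 3,  # error or fatal
    }


# Constructed sample event; every value here is made up for illustration.
SAMPLE = {"B": "CN=AD Driver,CN=Driver Set,O=example",
          "U": "CN=jdoe,OU=Users,DC=example,DC=com", "V": 3,
          "Y": "Account", "1": 0, "3": 1, "F": "constructed-event-id-1",
          "S": "AAECAwQFBgcICQoLDA0ODw=="}
```
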
The following events are defined:
This is the Account Create By Entitlements Grant. The following table contains the fields of this EventID, with the proper values.
Table 9-2 Account Create By Entitlements Grant

Fields | Values |
---|---|
Originator (B) Title | Driver DN |
Target (U) Title | Target account DN or the association |
Subtarget (V) Title | Entitlement |
Text1 (S) Title | Source Identity DN or GUID |
Text2 (T) Title | Detail |
Text3 (F) Title | Identity Manager EventID |
Value1 (1) Title | Status |
Value1 Type | N |
Value2 (2) Title | |
Value2 Type | |
Value3 (3) Title | Version |
Value3 Type | N |
Group (G) Title | |
Group Type | |
Data (D) Title | XML Document |
Data Type | S |
Display Schema | [$TC] $SO: Account $SU created by entitlement $SV; Status:$N1 Driver:$SB from $iR\n |

This is the Account Delete By Entitlements Revoke. The following table contains the fields of this EventID, with the proper values.
Table 9-3 Account Delete By Entitlements Revoke

Fields | Values |
---|---|
Originator (B) Title | Driver DN |
Target (U) Title | Target account DN or the association |
Subtarget (V) Title | Entitlement |
Text1 (S) Title | Source Identity DN or GUID |
Text2 (T) Title | Detail |
Text3 (F) Title | Identity Manager EventID |
Value1 (1) Title | Status |
Value1 Type | N |
Value2 (2) Title | |
Value2 Type | |
Value3 (3) Title | Version |
Value3 Type | N |
Group (G) Title | |
Group Type | |
Data (D) Title | XML Document |
Data Type | S |
Display Schema | [$TC] $SO: Account $SU deleted by entitlement $SV; Status:$N1 Driver:$SB from $iR\n |

This is the Account Disabled By Entitlements Revoke. The following table contains the fields of this EventID, with the proper values.
Table 9-4 Account Disabled By Entitlements Revoke

Fields | Values |
---|---|
Originator (B) Title | Driver DN |
Target (U) Title | Target account DN or the association |
Subtarget (V) Title | Entitlement |
Text1 (S) Title | Source Identity DN or GUID |
Text2 (T) Title | Detail |
Text3 (F) Title | Identity Manager EventID |
Value1 (1) Title | Status |
Value1 Type | N |
Value2 (2) Title | |
Value2 Type | |
Value3 (3) Title | Version |
Value3 Type | N |
Group (G) Title | |
Group Type | |
Data (D) Title | XML Document |
Data Type | S |
Display Schema | [$TC] $SO: Account $SU disabled by entitlement $SV; Status:$N1 Driver:$SB from $iR\n |

This is the Account Enable By Entitlements Grant. The following table contains the fields of this EventID with the proper values.
Table 9-5 Account Enable By Entitlements Grant

Fields | Values |
---|---|
Originator (B) Title | Driver DN |
Target (U) Title | Target account DN or the association |
Subtarget (V) Title | Entitlement |
Text1 (S) Title | Source Identity DN or GUID |
Text2 (T) Title | Detail |
Text3 (F) Title | Identity Manager EventID |
Value1 (1) Title | Status |
Value1 Type | N |
Value2 (2) Title | |
Value2 Type | |
Value3 (3) Title | Version |
Value3 Type | N |
Group (G) Title | |
Group Type | |
Data (D) Title | XML Document |
Data Type | S |
Display Schema | [$TC] $SO: Account $SU enabled by entitlement $SV; Status:$N1 Driver:$SB from $iR\n |

This is the Driver Health State Change. The following table contains the fields of this EventID, with the proper values.
Table 9-6 Driver Health State Change

Fields | Values |
---|---|
Originator (B) Title | Driver DN |
Target (U) Title | |
Subtarget (V) Title | |
Text1 (S) Title | |
Text2 (T) Title | |
Text3 (F) Title | |
Value1 (1) Title | Status |
Value1 Type | N |
Value2 (2) Title | |
Value2 Type | |
Value3 (3) Title | Version |
Value3 Type | N |
Group (G) Title | |
Group Type | |
Data (D) Title | |
Data Type | |
Display Schema | [$TC] $SO: Account $SU enabled by entitlement $SV; Status:$N1 Driver:$SB from $iR\n |

This is a Generic Event. The following table contains the fields of this EventID with the proper values.
Table 9-7 Generic Event

Fields | Values |
---|---|
Originator (B) Title | Driver DN |
Target (U) Title | Target Object DN |
Subtarget (V) Title | Object Class |
Text1 (S) Title | Source Identity DN |
Text2 (T) Title | Detail |
Text3 (F) Title | Identity Manager EventID |
Value1 (1) Title | Status |
Value1 Type | N |
Value2 (2) Title | |
Value2 Type | |
Value3 (3) Title | Version |
Value3 Type | N |
Group (G) Title | |
Group Type | |
Data (D) Title | XML Document |
Data Type | S |
Display Schema | [$TC] $SO: Event: $ST; Src DN: $SS; Object: $SU |