| copyright | lastupdated | keywords | subcollection | ||
|---|---|---|---|---|---|
|
2019-05-01 |
IBM Cloud, Activity Tracker, overview |
cloud-activity-tracker |
{:new_window: target="_blank"} {:shortdesc: .shortdesc} {:screen: .screen} {:pre: .pre} {:table: .aria-labeledby="caption"} {:codeblock: .codeblock} {:tip: .tip} {:download: .download} {:important: .important} {:note: .note} {:deprecated: .deprecated}
{: #activity_tracker_ov}
Use the {{site.data.keyword.cloudaccesstrailfull}} service to track how applications interact with the {{site.data.keyword.cloud_notm}} services. Use {{site.data.keyword.cloudaccesstrailshort}} to monitor for abnormal activity, and comply with regulatory audit requirements. The events that are collected comply with the Cloud Auditing Data Federation (CADF) standard. {:shortdesc}
{{site.data.keyword.cloudaccesstrailfull}} is deprecated. As of 9 May 2019, you cannot provision new {{site.data.keyword.cloudaccesstrailshort}} instances. Existing premium plan instances are supported until 9 October 2019. To continue monitoring the activity of your {{site.data.keyword.cloud_notm}} account, provision an instance of the {{site.data.keyword.at_full}}. {: deprecated}
- {{site.data.keyword.cloudaccesstrailshort}} offers high-level security governance for your IT resources in the cloud.
- {{site.data.keyword.cloudaccesstrailshort}} provides a solution for administrators to capture, store, view, search, and monitor API activity in a single place.
- {{site.data.keyword.cloudaccesstrailshort}} provides capabilities to download events that you can then use to generate an audit trail report. You might require these reports so that your organization complies with internal regulations and external industry and country regulations.
Compliance with internal policies and industry regulations is a key requirement in any organization's strategy, regardless of where applications run: on-premises, in a hybrid cloud, or in a public cloud. The {{site.data.keyword.cloudaccesstrailshort}} service provides the framework and functionality to monitor API calls and produce the evidence to comply with corporate policies and market industry-specific regulations.
When you work in a cloud environment, such as the {{site.data.keyword.cloud_notm}}, you must plan the cloud strategy for auditing and monitoring workloads and data in accordance with your internal policies and with industry and country-based compliance requirements. You can use the information that is registered through the {{site.data.keyword.cloudaccesstrailshort}} service to identify security incidents, detect unauthorized access, and comply with regulatory and internal auditing requirements.
For example, you can use the {{site.data.keyword.cloudaccesstrailshort}} activity logs to identify the following information:
- The users who made API calls to cloud services.
- The source IP address from where the API calls were made.
- The time-stamp when the API calls were made.
- The status of the API call.
{: #activity_tracker_ov_collect}
The {{site.data.keyword.cloudaccesstrailshort}} service captures activity data that is related to API calls and other actions that are made to selected cloud services in the {{site.data.keyword.cloud_notm}}.
- Events are collected automatically.
- Events that are collected in {{site.data.keyword.cloudaccesstrailshort}} comply with the Cloud Auditing Data Federation (CADF) standard. The CADF standard defines a full event model that includes the information that is needed to certify, manage, and audit security of applications in cloud environments.
- {{site.data.keyword.cloudaccesstrailshort}} stores and groups events by domain. There is an account domain per region, and a space domain per Cloud Foundry space.
The CADF event model includes the following components:
| Component | Description |
|---|---|
| Action | The action is the operation or activity that an initiator performs, attempts to perform, or is waiting to complete. |
| Initiator | The initiator is the resource that makes an API call and generates a CADF event. The event that is triggered depends on the action that is requested by the API call. |
| Observer | The observer is the resource that creates and stores a CADF record from information available in a CADF event. |
| Outcome | The outcome is the status of the action against the target. |
| Target | The target is the resource against which the action is performed, attempted to perform, or is pending to complete. |
Consider the following information when you work with the {{site.data.keyword.cloudaccesstrailshort}} log in the {{site.data.keyword.IBM_notm}} public cloud:
- You can store only audit records for API calls made to resources that run in the {{site.data.keyword.IBM_notm}} public cloud.
- Only {{site.data.keyword.IBM_notm}} public cloud storage is used to collect events.
- Information is stored for 3 days. After that, the information is deleted on a first-in, first-out (FIFO) method.
- CADF events of type Activity are supported by the {{site.data.keyword.cloudaccesstrailshort}} service.
{: #activity_tracker_ov_provision}
To view events that are available through an account domain, you must provision the {{site.data.keyword.cloudaccesstrailshort}} service in a Cloud Foundry space in the region where you want to monitor API activity. Only the account owner can see account events.
To view events that are available through a space domain, you must provision the {{site.data.keyword.cloudaccesstrailshort}} service in the space where you want to monitor API activity.
To learn how to provision the {{site.data.keyword.cloudaccesstrailshort}} service, see Provisioning the {{site.data.keyword.cloudaccesstrailshort}} service.
{: #activity_tracker_ov_analyze}
You can analyze activity logs through the {{site.data.keyword.cloudaccesstrailshort}} UI in the {{site.data.keyword.cloud_notm}}, or by using Kibana, an open source tool. You can monitor events that are available in a specific space or at the account level.
You can search, analyze, and monitor activity logs for the last 24 hours through the {{site.data.keyword.cloudaccesstrailshort}} UI in the {{site.data.keyword.cloud_notm}}. For more information, see Navigating to the {{site.data.keyword.cloudaccesstrailshort}} UI.
You can search, analyze, and monitor activity logs for the last 3 days through Kibana by using the {{site.data.keyword.cloudaccesstrailshort}} Kibana dashboard, or by creating your own custom dashboards. * Note: This feature is available for Premium plan users.
- For more information on how to launch Kibana, see Navigating to the Kibana dashboard.
- For a list of fields that you can use to analyze events in Kibana, see {{site.data.keyword.cloudaccesstrailshort}} event fields
{: #activity_tracker_ov_regions}
The {{site.data.keyword.cloudaccesstrailshort}} service is available in the following regions:
- Germany
- Sydney
- United Kingdom (Only Lite plan is available)
- US South
{: #activity_tracker_ov_plan}
The {{site.data.keyword.cloudaccesstrailshort}} service provides multiple plans.
You can change a plan through the {{site.data.keyword.cloud_notm}} UI or through the command line. You can upgrade or reduce your plan at any time. For more information about service plan upgrades, see Changing the plan.
The following table outlines the plans that are available:
| Plan | Event Ingestion | Event Retention | Export events |
|---|---|---|---|
| Lite (default) | No | Last 3 days | No |
| Premium | Yes | Configurable number of days. | Yes |
| Plan | API | CLI | Kibana |
|---|---|---|---|
| Lite (default) | No | No | No |
| Premium | Yes | Yes | Yes |
Note: The monthly cost of event storage is calculated as an average of the billing cycle.
{: #activity_tracker_ov_security}
Consider the following information about security when you work with the {{site.data.keyword.cloudaccesstrailshort}} service:
- IBM services that generate {{site.data.keyword.cloudaccesstrailshort}} events follow the {{site.data.keyword.IBM_notm}} Cloud security policy. For more information, see Trust the security and privacy of IBM Cloud
{: new_window}. - The {{site.data.keyword.cloudaccesstrailshort}} service captures user-initiated actions that change the state of Cloud services. The information does not provide direct access to databases or applications.
- Only authorized users can view and monitor {{site.data.keyword.cloudaccesstrailshort}} event logs. Each user is identified by their unique ID in the {{site.data.keyword.cloud_notm}}.