Audit Activities
Audit reporting caches incoming audit messages and provides endpoints to request audit events for a specified date range. The /activities endpoint returns all audit log events over the specified period of time. The response shows complete audit entries, and it pages the returned data if the number of entries requires multiple pages.
|
The |
The following events and actors are tracked:
-
Actions
Logs any action or activity against a defined PingOne resource. The audit message includes the ID for the resource affected by the event.
-
Actors
Tracks the actor or agent who initiated the action. The audit message includes the unique identifier and the friendly name of the actor (end user) responsible for the event and the client used by the actor to perform the action on the resource.
-
Date and time
The date and time the audit activity was recorded.
-
Status
Tracks and caches the resulting status of the action. The audit message specifies the success or failure of the event, and if a failure occurred, it provides the reason for the failure.
Audit reporting data model
| Property | Description |
|---|---|
|
A string that specifies the description of the action performed. |
|
A string that specifies the type of action performed (such as authentication or password reset). |
|
A string that specifies the ID of the client. |
|
A string that specifies the name assigned to the client for PingOne sign on. |
|
A string that specifies the type of actor. Options are |
|
A string that specifies the URL for the specified client resource. |
|
A string that specifies the ID of the environment resource associated with the client. |
|
A string that specifies the ID of the user. |
|
A string that specifies the name assigned to the user for PingOne sign on. |
|
A string that specifies the URL for the specified user resource. |
|
A string that specifies the type of actor. Options are |
|
A string that specifies the ID of the environment resource associated with the user. |
|
A string that specifies the ID of the population resource associated with the user. |
|
A string that specifies a PingOne identifier for multiple messages in a transaction. |
|
The date and time at which the event was created (ISO 8601 format). |
|
A string that specifies the ID of the audit activity event. |
|
A string that specifies the PingOne actor session ID. |
|
A string that specifies the PingOne transaction ID. |
|
The date and time at which the event was recorded (ISO 8601 format). |
|
A string that specifies the URL for the specified resource. |
|
A string that specifies the ID assigned as the key for the identifier resource (such as the environment, population or event message). |
|
A string that can be either the user name or the name of the environment, based on the resource type. |
|
A string that specifies the type of resource associated with the event. Options are |
|
The UUID assigned as the key for the population resource. |
|
A string that specifies the description of the result of the operation. |
|
A string that specifies the ID for the result of the operation. |
|
A string that specifies the result of the operation. Options are |
|
The IP address of the originating HTTP request. |
|
The User-Agent header value of the originating HTTP request. |
|
A string identifying the activity as the action of an administrator on other administrators. |
Filtering data
The GET {{apiPath}}/environments/{{envID}}/activities and POST {{apiPath}}/environments/{{envID}}/activities requests accept SCIM filtering expressions to fine-tune the response data. For large collections, additional filtering expressions can be added to the request URL to focus on particular event types.
The minimum filter must include:
-
A date range for the recorded event time.
| Filter | Description |
|---|---|
recordedat lt "yyyy-MM-dd’T’HH:mm:ss.SSSZ" |
Audit events recorded before the specified time. |
recordedat gt "yyyy-MM-dd’T’HH:mm:ss.SSSZ" |
Audit events recorded after the specified time. |
For example, this SCIM filter returns audit events from the start date of "2018-01-01" and an end date of "2018-03-31":
https://api.pingone.com/v1/environments/{{envID}}/activities?filter=recordedat gt "2018-01-01T00:00:00Z" AND recordedat lt "2018-03-31T23:59:00Z"The filter can also include any one of the following:
-
Population ID
-
Actor ID and optional population ID.
-
Action Type and optional population ID
-
Resource ID
-
Resource Type and optional population ID
| Filter | Description |
|---|---|
resources.population.id eq ":id" |
Audit events associated with the specified population. |
actors.user.id eq ":id" |
Audit events performed by the specified user ID or client ID. Optionally, you can include the associated population. |
action.type |
Audit events recorded for the specified type of action (such as, authentication, password reset). Optionally, you can include the associated population. |
resources.id eq ":id" |
Audit events recorded for the specified resource. |
resources.type |
Audit events recorded for the specified type of resource. This can be any one of the following: ALL, USER, ENVIRONMENT, ORGANIZATION. Optionally, you can include the associated population. |
tags |
Audit events for the |
These SCIM operators can be applied to the following attributes:
-
eq(equals)Supported attributes:
correlationid,actors.user.id,actors.user.name,actors.client.id,action.type,resources.id,resources.type,resources.population.id,org.id,environment.id -
gt(greater than)Supported attributes:
recordedat -
lt(less than)Supported attributes:
recordedat -
ge(greater than or equal to)Supported attributes:
recordedat -
le(less than or equal to)Supported attributes:
recordedat -
and(logical AND)Logical AND for building compound expressions in which both expressions are true.
-
or(logical OR)Logical OR for building compound expressions if either expression is true.
|
These SCIM operators are not supported: |
For more information about SCIM syntax and operators, refer to Conventions.