Security Event and Information Management (SIEM) is a recognized standard for collecting, aggregating, and analyzing events that take place on a website or within an app. Identity Cloud’s SIEM event delivery service can inform you, in near real-time, each time that one of the following events occur:

  • config_change. A customer configuration value was changed by using Identity Cloud APIs.
  • new_email_verification. A user successfully verified their email address.
  • legacy_social_registration. A user successfully registered by using a third-party identity provider.
  • legacy_social_signin. A user successfully authenticated by using a third-party identity provider.
  • legacy_sso_signin. An end user was automatically authenticated by using single sign-on.
  • legacy_traditional_registration. A user successfully registered by using an email address and password.
  • legacy_traditional_signin. A user successfully authenticated by using an email address and password.
  • password_recover. A user changed their password after clicking the Forgot Password link on the sign-in screen.
  • profile_create. A user profile database record was created.
  • profile_delete. A user profile database record was deleted.
  • profile_update. A user profile database record was updated.
  • entityCreated. A new entity type record (new user profile) was created.
  • entityUpdated. An entity type record was updated.
  • entityDeleted. A record was deleted from an entity type database.
  • authenticationFailedKnownUser. Registration failed for a known user (for example, a user recognized by his or her email address).
  • credentialAuthenticationAttemptsExceededKnownUser. A known user (as determined by a unique identifier such as the user’s email address) exceeded the login attempts threshold.
  • credentialAuthenticationAttemptsExceededUnknownUser. An unknown user (e.g., a user without a registered email address) exceeded the login attempts threshold.

For example, SIEM can send a notification each time a user tries, and fails, to log in. A handful of failed logins is to be expected. On the other hand, a sudden flurry of failed logins might be cause for alarm. For example, that sudden flurry can indicate anything from network congestion to a problem with your sign-in process to an Internet attack of some kind. Regardless, SIEM alerts you to the problem, giving you the opportunity to respond as, and when, needed.

To a certain extent, working with the SIEM falls outside the purview of the SIEM event delivery service API. For example, SIEM events are delivered to an Amazon Web Services S3 bucket. However, the SIEM event delivery service API can’t be used to retrieve those events, nor can they be used to import those events into a SIEM analysis tool such as Splunk or IBM QRadar.

However, the SIEM API does enable you to:

  • Activate and deactivate the service. Event notifications are only sent – and are only maintained – when the service is active.

  • Manage the SIEM event blocklist. SIEM notifications aren't sent for any of the event types listed on the blocklist. For example, if entityDeleted is on the blocklist then you won’t receive a notification any time a user profile is deleted. Use the APIs to add event types to, and remove event types from, the blocklist.

  • Manage your SIEM event delivery service public keys. These keys provide access to the Amazon S3 bucket.