000023752 - Audit logs events and their descriptions

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000023752
Applies To

Here is a list of the audit events in the PassMark system and their descriptions:

ENROLL_START - The user has started the enrollment process
ENROLL_CANCEL - The user started the enrollment process, but cancelled before completing. Must always have an ENROLL_START event in the same session prior to this event.
ENROLL_COMPLETED - The user completed the enrollment process. Must always have an ENROLL_START event in the same session prior to this event.
ENROLL_CONFIRMED - Enrollment was confirmed by the client. This event is logged in standalone mode, when the PassMark server does not know whether the passed username is a valid username and the client sends a confirmation message after enrollment is completed.
USER_DELETED - User was unenrolled from PassMark system.
USER_BOUND - The new user-device binding has been created.
USER_UNBOUND - The user-device binding has been removed.
USER_DECLINED_BIND - The user had the opportunity to bind to a device, but declined. Typically comes up during challenge scenarios.
USER_SIGNIN_WITH_NO_PM - A user signin is occurring where the password form will be rendered with no PM image or phrase.
USER_SIGNIN - A normal signin request has been initiated.
DEVICE_ID_CREATED - A new deviceID is registered in the database.
DEVICE_ID_RECOVERED - A deviceID has been recovered with token-less recovery.
USER_ID_NOT_FOUND - An attempt to look up a user by name in the DB couldn't find that user.
USER_ID_NOT_VERIFIED - At signin, a user is referenced who is not in the VERIFIED state.
USER_ID_UNLOCKED - A user that was locked out has been reset to VERIFIED.
LOCKING_OUT_USER_ID - A user is being locked out.
USER_ID_LOCKED_OUT - At signin, a user who is in the LOCKOUT state is attempting to signin.
USER_NAME_CHANGED - The user name was changed to a new given user name.
USER_GROUP_CHANGED - The user's group membership was changed to a new given group.
USER_CHALLENGED - At signin, a user is being presented with a challenge question.
USER_FAILED_CHALLENGE - The user failed to answer a challenge question correctly.
RESET_REENROLL_START - Client requested to reset the user and start the user on the reenrollment process; that is, to reset their image, phrase and questions and ask the user to set them again.
RESET_MAINT_QUESTION_START - Client requested to reset the user and start the user on the question maintenance process so that the user can see her previous questions and, if desired, change them.
RESET_QUESTION_START - Client requested to reset the user and start the user on the question maintenance process, with the exception that the user's questions are cleared first and she needs to set them again.
USER_RESET - Received the "reset" flag during signin. This event occurs when client has verified the legitimacy of a locked out user and is asking PassMark to reset the user.
MAINT_IMG_START - The user began doing image maintenance.
MAINT_CHL_START - The user began doing challenge questions maintenance.
USER_CONFIRMED_IMG_MAINT - The user completed and confirmed their image maintenance.
USER_CONFIRMED_CHL_MAINT - The user completed and confirmed their challenge question maintenance.
USER_CANCELED_IMG_MAINT - The user cancelled their image maintenance.
USER_CANCELED_CHL_MAINT - The user cancelled their challenge question maintenance.
ACCESS_BLOCKED - The user has attempted an unauthorized access that was detected by the system. This is typically recorded during state machine precondition violations.
CHALLENGE_ABANDONED - The user was challenged during signin, but they never responded to the challenge (i.e. they abandoned their session).
PASSMARK_PAGE_SERVED - During signin, the S2U image is displayed on a password entry form. This is the final event of a successful signin session.
DEVICE_TOKEN_HEADER_MISMATCH - The system detected a mismatch between the device token and the value stored in the device record in the database.
DEVICE_HIGH_RISK - The system detected that the user request originated from a device that was previously flagged as high-risk (token leakage or token theft).
AGGREGATOR_IP_ONLY - User coming from an aggregator IP with no aggregator device.
AGGREGATOR_DEVICE_ONLY - User is *not* coming from an aggregator IP but has an aggregator device.
QUESTION_RESET - Received a "reset" flag during reenrollment which tells PassMark to reset user's questions.
ENROLL_RESET - Client requested to reenroll the user which means clearing previous phrase, image and questions and starting the enrollment process again.
FORENSIC_SCORE - Forensic score associated with the event.
AGGREGATED_FORENSIC_SCORE - Aggregated Forensic score associated with the event list.
OOB_CHALLENGE_FAILED - User failed the out of band challenge.
OOB_NOTIFIED_STARTED - Notifying user for an out of band challenge started.
OOB_NOTIFIED_SUCCESS - Notifying user for an out of band challenge succeeded.
OOB_NOTIFIED_FAILED - Notifying user for an out of band challenge failed.
USER_CONTACTS_CHANGED - User modified her contact information (add, edit, remove).
USER_TRANSACTION - A normal transaction request has been initiated.
AUTH_RESULT - Shows the details of authenticating a credential.
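
The ordering rules stated in the list above (ENROLL_CANCEL and ENROLL_COMPLETED require a prior ENROLL_START in the same session; PASSMARK_PAGE_SERVED is the final event of a successful signin session) can be checked mechanically when reviewing audit logs. The following is an added example, not RSA code: the (session_id, event) record shape, the choice of which events to surface as risk indicators, and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Events the list says must follow ENROLL_START in the same session.
REQUIRES_ENROLL_START = {"ENROLL_CANCEL", "ENROLL_COMPLETED"}
# Events surfaced for analyst review whenever they appear (selection made
# for this example, based on their descriptions in the list).
RISK_EVENTS = {"ACCESS_BLOCKED", "DEVICE_TOKEN_HEADER_MISMATCH", "DEVICE_HIGH_RISK"}


def check_sessions(records):
    """Return sorted (session_id, finding) pairs for a time-ordered event stream.

    records: iterable of (session_id, event_name) tuples; this shape is an
    assumption, since the article does not show the audit log's format.
    """
    sessions = defaultdict(list)
    for session_id, event in records:
        sessions[session_id].append(event)

    findings = []
    for session_id, events in sessions.items():
        enroll_started = False
        for position, event in enumerate(events):
            if event == "ENROLL_START":
                enroll_started = True
            elif event in REQUIRES_ENROLL_START and not enroll_started:
                findings.append((session_id, f"{event} without prior ENROLL_START"))
            elif event == "PASSMARK_PAGE_SERVED" and position != len(events) - 1:
                # Described as the final event of a successful signin session.
                findings.append((session_id, "events logged after PASSMARK_PAGE_SERVED"))
            if event in RISK_EVENTS:
                findings.append((session_id, f"risk event {event}"))
    return sorted(findings)


# Constructed sample records, in the order they would have been logged.
SAMPLE = [
    ("s1", "ENROLL_START"), ("s1", "ENROLL_COMPLETED"),
    ("s2", "ENROLL_CANCEL"),
    ("s3", "USER_SIGNIN"), ("s3", "DEVICE_HIGH_RISK"),
    ("s3", "USER_CHALLENGED"), ("s3", "PASSMARK_PAGE_SERVED"),
    ("s4", "USER_SIGNIN"), ("s4", "PASSMARK_PAGE_SERVED"),
    ("s4", "USER_FAILED_CHALLENGE"),
]

if __name__ == "__main__":
    for session_id, finding in check_sessions(SAMPLE):
        print(session_id, finding)
```
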

Issue: Audit logs events and their descriptions
Legacy Article ID: a35816