
DekelIsraeli88107 (Customer) asked a question.
Trusted Application monitoring - How to find activity logs
Having trusted applications defined, how can I find which API was invoked by which trusted application?
I need:
time, trusted application, source IP or hostname, API used
Most of the information is available in V_AV_AUDIT_EVENTS.
The only thing I've noticed is that when an API is sent with a trusted application token, the CLIENT_IDENTITY value (in V_AV_AUDIT_EVENTS) is populated with SYSTEM, and not with the clientid of the trusted application (as I would expect).
I expected to see a built-in view under Admin / Web Service,
or at least have a clear view in the DB.
Isn't it important information for the administrator?
Why is it hidden?
How to create a report of trusted applications access?
Under Admin -> Web Services you can find the configuration and description of the available APIs.
I don't think the view V_AV_AUDIT_EVENTS is hidden.
You can easily create a report based on this view.
The view is not hidden;
the security data is not easily exposed.
When I run the following:
select * from V_AV_AUDIT_EVENTS
where 1=1
and value like 'loginTrustedApp'
order by id desc
I can find the trusted application client ID,
but only in some of the requests.
Others have a much shorter number, which can't be related to a specific trusted app
(or, at least, I don't see a clear connection between them).
In addition,
when querying:
select * from V_AV_AUDIT_EVENTS
where 1=1
--and id >= 5522690
--and value like 'loginTrustedApp'
and client_identity = 'MY_CLIENT_ID'
order by id desc
I see the following:
Another thing:
How can I see which API was called?
How can I see if a trusted application tried to call an API which is not allowed for it?
The wrong indication for a successful Trusted Application (TA) login (The WebService command 'loginTrustedApp' execution is failed) has been fixed in v8 P10 (not released yet).
Currently, for a successful TA API request, the system captures CLIENT_IDENTITY as System. I've created a ticket for it.
You can reference this ticket if you reach out to support - ACM-137070
If you are trying to use an API which isn't allowed, some information is captured in the aveksaServer.log.
I suggest you reach out to RSA support to submit an enhancement request to make these attempts visible in the EVENTS view.
Thanks
How can I post an enhancement request?
Is it via the standard support email?
You can do it via the standard support process.
Or via this URL - https://community.rsa.com/s/idea-exchange
or directly here - https://www.surveymonkey.com/r/JQG3KN6