IBM Cloud Docs
About Activity Tracker in IBM Cloud

About Activity Tracker in IBM Cloud

Use the IBM Cloud® Activity Tracker service to capture a record of your IBM Cloud activities and monitor the activity of your IBM Cloud account. You can use this service to investigate abnormal activity and critical actions, and comply with regulatory audit requirements. The events that are collected comply with the Cloud Auditing Data Federation (CADF) standard.

As of 28 March 2024 the IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs, which replaces these two services, prior to 30 March 2025. For information about IBM Cloud Logs, see the IBM Cloud Logs documentation.

Compliance with internal policies and industry regulations is a key requirement in any organization's strategy, regardless of where applications run: on-premises, in a hybrid cloud, or in a public cloud. The IBM Cloud Activity Tracker service provides the framework and functionality to monitor API calls to services on the IBM Cloud and produces the evidence to comply with corporate policies and market industry-specific regulations.

When you work in a cloud environment, such as the IBM Cloud, you must plan the cloud strategy for auditing and monitoring workloads and data in accordance with your internal policies and with industry and country-based compliance requirements. You can use the information that is registered through the IBM Cloud Activity Tracker service to identify security incidents, detect unauthorized access, and comply with regulatory and internal auditing requirements.

  • IBM Cloud Activity Tracker supports high-level security governance for your IT resources in the cloud.
  • IBM Cloud Activity Tracker provides a solution for administrators to capture, store, view, search, and monitor API activity in a single place. It also offers a notification feature to alert you by using any of the supported notification channels.
  • IBM Cloud Activity Tracker provides capabilities to export events that you can then use to generate an audit trail report. These reports might be required so that your organization complies with internal regulations and external industry and country regulations.

The IBM Cloud platform combines platform as a service (PaaS) with infrastructure as a service (IaaS) to provide an integrated experience. In addition, it offers a common and unified solution to monitor these services in any IBM Cloud account. Services generate auditing events automatically in the IBM Cloud platform. These events comply with the Cloud Auditing Data Federation (CADF) standard. You can monitor the activity of your IBM Cloud account through these events. Furthermore, you can analyze the information provided in each event through continuous security audits; you can investigate abnormal activity and critical actions; and you can use them to comply with regulatory audit requirements in your organization and in the industry. IBM Cloud administrators can configure an IBM Cloud account to collect auditing events automatically for most enabled-services. However, some services might require an upgrade of the service plan, a configuration setting, or both, for you to be able to collect and analyze them due to the high volumes of data that they generate. Learn more about enabling Activity Tracker events.

For information on the services sending events to Activity Tracker, see IBM Cloud services that generate Activity Tracker events.

CADF standard

The CADF standard defines a full event model that includes the information that is needed to certify, manage, and audit security of applications and services in cloud environments. The CADF event model includes the following components:

  • Action: The action is the operation or activity that an initiator performs, attempts to perform, or is waiting to complete.

  • Initiator: The initiator is the resource that makes an API call and generates a CADF event. The event that is triggered depends on the action that is requested by the API call.

  • Observer: The observer is the resource that creates and stores a CADF record from information available in a CADF event

  • Outcome: The outcome is the status of the action against the target.

  • Target: The target is the resource against which the action is performed, attempted to perform, or is pending to complete.

Selecting your IBM Cloud Activity Tracker offering

Depending on your compliance and organizational requirements, you can choose IBM Cloud Activity Tracker Event Routing or an IBM Cloud Activity Tracker hosted event search offering.

  • Application environments seeking to maintain Financial Services (FS) validation status on IBM Cloud should use IBM Cloud Activity Tracker Event Routing.
  • Application environments seeking compliance with PCI, SOC2, Privacy Shield and HIPAA should use an IBM Cloud Activity Tracker hosted event search offering.

Getting started with Event Routing Getting started with hosted event and search

Financial Services Validated status

If you're the account owner, you can enable your IBM Cloud® account to be Financial Services Validated, which means your account stores and manages regulated financial services information. Services that are designated as IBM Cloud for Financial Services Validated leverage the industry’s highest levels of encryption certification, provides preventive and compensatory controls for financial services regulatory workloads, multi-architecture support and proactive, and automated security. For more information on how to enable your account, see Enabling your account to use Finantial Services Validated products.

The IBM Cloud for Financial Services Validated designation is available for services that are operating in the Dallas (us-south), Washington DC (us-east), Frankfurt (eu-de), and London (eu-gb) multizone regionsA region that is spread across physical locations in multiple zones to increase fault tolerance..

Use Activity Tracker Event Routing to manage auditing events in your account while maintaining Financial Services Validated status.

PCI, SOC2, Privacy Shield and HIPAA compliance

Activity Tracker offers ready to run event search offerings that you can use to expedite your time to greater insights. You can choose to retain your events for 7, 14, or 30 days. In addition, a 30 day HIPAA compliant offering is also available. For more information on these offerings, see Service plans.

Use the Activity Tracker hosted event search offering to manage events through the UI or to manage auditing events that are not routed by Activity Tracker Event Routing.

Features

IBM Cloud Activity Tracker provides the follow features:

  • Simplify compliance sign-off tasks

    Boost audit tasks on your IBM Cloud account by automatically collecting events that report on actions to resources in your account. Analyze and get notified on the events that report out of compliance actions.

  • Accelerate detection of security incidents

    Get alert notifications of important events and errors when things are out of compliance. Create custom views and get notified immediately. You can configure multi-channel alert notifications based on pattern matching to a variety of direct integrations such as email, Slack, PagerDuty, or your own custom webhooks.

  • Improve visibility on actions in your IBM Cloud account

    Improve the visibility into user and resource activity in your account by easily identifying the initiator who requested an action, the object on which the action was requested, and the time when the action took place.

  • Adhere to standards

    Events comply with the Cloud Auditing Data Federation (CADF) standard. Use simple to use keyword-based search to search across your events instead of using custom query languages. Apply the same keyword search to instantly build time series graphs.

Core features offered by the IBM Cloud Activity Tracker service
Activity Tracker hosted event search UI functionality

For example, you can use the IBM Cloud Activity Tracker events to identify the following information:

  • The users who made API calls to cloud services
  • The time-stamp when the API calls were made
  • The status of the API call
  • The criticality of the action