Auditing events for IBM Cloud Shell

As a security officer, auditor, or manager, you can use the IBM Cloud Activity Tracker service to track how users interact with IBM® Cloud Shell. Cloud Shell automatically generates events that you can analyze in the Activity Tracker service.

Activity Tracker records user-initiated activities that change the state of a service in IBM Cloud. You can use this service to investigate abnormal activity and critical actions and to comply with regulatory audit requirements. In addition, you can be alerted about actions as they happen. The events that are collected comply with the Cloud Auditing Data Federation (CADF) standard. For more information, see IBM Cloud Activity Tracker.

List of events

The following table lists actions in IBM Cloud Shell that generate an event.

Actions that generate events

| Action | Description |
|---|---|
| cloudshell.server.create | An event is generated when a new session is created. |
| cloudshell.server.configure | An event is generated when a session is configured. This event is generated for configuring new sessions and reconfiguring an existing session. |
| cloudshell.server.delete | An event is generated when a session is deleted. |
| cloudshell.account-settings.update | An event is generated when Cloud Shell settings are updated for an account. |

Viewing events

Events that Cloud Shell generates are automatically forwarded to the Activity Tracker service instance that is available in the same location.

Activity Tracker can have only one instance per location. To view events, you must access the web UI of the Activity Tracker service in the same location where your service instance is available. For more information, see Launching the web UI through the IBM Cloud UI.

Analyzing events

Activity Tracker events contain fields that describe the action that occurred. Values in the requestData and responseData fields are specific to IBM Cloud Shell, and the other fields are common to all Activity Tracker events. For more information about common fields, see Event fields.

When a user opens, configures, or closes a Cloud Shell session, the event that is triggered has an action field set to cloudshell.server.create, cloudshell.server.configure, or cloudshell.server.delete. The event includes the following fields:

  • The initiator.name field includes information about the user who interacted with the session.
  • The initiator.id field shows the IBMid of the user who interacted with the session.
  • The target.id field includes the Cloud Resource Name (CRN) of the Cloud Shell account and server where the session was modified, in the format crn:v1:bluemix:public:cloudshell:<REGION>:a/<ACCOUNT_ID>:<CLOUD_SHELL_SERVER_ID>::

When a session is successfully opened, configured, or closed, the corresponding event has an outcome of success and a reason.reasonCode of 200. Otherwise, the event has an outcome of failure with the appropriate HTTP status code in reason.reasonCode, and the responseData field contains details about the error.

When an account owner or Cloud Shell administrator updates the Cloud Shell settings, the event that is triggered has an action field set to cloudshell.account-settings.update.
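
The following triage script is an added example, not code from IBM or from the Activity Tracker service. It reads exported events, keeps failed session actions and every account-settings update, and splits target.id into the CRN parts described above. It assumes events are exported one JSON object per line with the dotted field names nested as objects (for example, initiator.id as {"initiator": {"id": ...}}); the function names and all sample values are constructed.

```python
import json

# Actions this page lists for IBM Cloud Shell.
ACTIONS = {"cloudshell.server.create", "cloudshell.server.configure",
           "cloudshell.server.delete", "cloudshell.account-settings.update"}

def parse_target_crn(crn):
    """Split crn:v1:bluemix:public:cloudshell:<REGION>:a/<ACCOUNT_ID>:<SERVER_ID>::"""
    parts = crn.split(":")
    if len(parts) != 10 or parts[0] != "crn" or parts[4] != "cloudshell":
        return None  # not in the format the page documents
    account = parts[6][2:] if parts[6].startswith("a/") else None
    return {"region": parts[5], "account_id": account, "server_id": parts[7]}

def review(lines):
    """Return failed session actions and every account-settings update."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON
        action = ev.get("action")
        if action not in ACTIONS:
            continue
        failed = ev.get("outcome") != "success"
        if not failed and action != "cloudshell.account-settings.update":
            continue  # routine successful session activity
        findings.append({
            "why": "failure" if failed else "settings-change", "action": action,
            "user": (ev.get("initiator") or {}).get("id"),
            "code": (ev.get("reason") or {}).get("reasonCode"),
            "target": parse_target_crn((ev.get("target") or {}).get("id") or ""),
        })
    return findings

# Constructed sample events (all IDs are placeholders, not real values).
CRN = "crn:v1:bluemix:public:cloudshell:us-south:a/ACCOUNT_ID_1:SERVER_ID_1::"
SAMPLE = [
    json.dumps({"action": "cloudshell.server.create", "outcome": "success",
                "initiator": {"id": "IBMid-EXAMPLE1"}, "target": {"id": CRN},
                "reason": {"reasonCode": 200}}),
    json.dumps({"action": "cloudshell.server.configure", "outcome": "failure",
                "initiator": {"id": "IBMid-EXAMPLE2"}, "target": {"id": CRN},
                "reason": {"reasonCode": 403}}),
    json.dumps({"action": "cloudshell.account-settings.update", "outcome": "success",
                "initiator": {"id": "IBMid-EXAMPLE3"}, "reason": {"reasonCode": 200}}),
    "not json",
]
```

Calling review(SAMPLE) returns two findings: the failed configure attempt with its reason code and parsed CRN, and the settings update, whose target is None because the sample omits target.id.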