Activity tracking events for Secrets Manager
IBM Cloud services, such as IBM Cloud® Secrets Manager, generate activity tracking events.
Audit devices that you can enable with Vault, such as the syslog audit device, are not supported by Secrets Manager.
Activity tracking events report on activities that change the state of a service in IBM Cloud. You can use the events to investigate abnormal activity and critical actions and to comply with regulatory audit requirements.
You can use IBM Cloud Activity Tracker Event Routing, a platform service, to route auditing events in your account to destinations of your choice by configuring targets and routes that define where activity tracking events are sent. For more information, see About IBM Cloud Activity Tracker Event Routing.
You can use IBM Cloud Logs to visualize and alert on events that are generated in your account and routed by IBM Cloud Activity Tracker Event Routing to an IBM Cloud Logs instance.
As of 28 March 2024, the IBM Cloud Activity Tracker service is deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs before 30 March 2025. During the migration period, customers can use IBM Cloud Activity Tracker along with IBM Cloud Logs. Activity tracking events are the same for both services. For information about migrating from IBM Cloud Activity Tracker to IBM Cloud Logs and running the services in parallel, see migration planning.
Activity Tracker supported regions
For more information about regions where Secrets Manager supports IBM Cloud Activity Tracker events, check out Regions and endpoints.
Viewing events
Events that are generated by an instance of the Secrets Manager service are automatically forwarded to the IBM Cloud Activity Tracker service instance that is available in the same location.
IBM Cloud Activity Tracker can have only one instance per location. To view events, you must access the web UI of the IBM Cloud Activity Tracker service in the same location where your service instance is available. For more information, see Launching the UI through the IBM Cloud UI.
Analyzing events
Successful events that are generated by an instance of the Secrets Manager service contain various fields that can help you to identify the initiator, the target resource, and the outcome of each completed action in your instance. For more information about the components that make up an event, see the IBM Cloud Activity Tracker documentation.
Due to the sensitivity of secrets, when an IBM Cloud Activity Tracker event is generated as a result of an API call to the Secrets Manager service, the generated event does not include the actual contents of a secret. Sensitive data, such as an API key or password, is replaced with identifying information about the secret only, or it is omitted from generated events altogether.
You can create views and alerts from all of your Secrets Manager instances, or from a specific instance.
To target a specific instance, replace host:secrets-manager with app:{INSTANCE_CRN}.
Query for finding all create secret actions
Run the following query to find all create secret actions.
host:secrets-manager action:secrets-manager.secret.create
The action value can be replaced with any other applicable action.
Query for finding unauthorized access attempts
To see unauthorized access attempts, run the following query.
host:secrets-manager reason.reasonType:Unauthorized
To learn more about creating views and alerts, see the IBM Cloud Activity Tracker documentation.
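The two queries above are key:value filters over event fields. The following added example (not IBM's code) applies that same filter syntax to a handful of constructed Activity Tracker-style events, including the app:{INSTANCE_CRN} substitution and the reason.reasonType:Unauthorized filter, and tallies unauthorized attempts per initiator. The event layout and the field names initiator.id and outcome are assumptions; only host, app, action and reason.reasonType come from the page.

```python
from collections import Counter

# Placeholder CRNs (constructed, not real instances).
INSTANCE_CRN = "crn:v1:bluemix:public:secrets-manager:us-south:a/ACCOUNT_ID_PLACEHOLDER:INSTANCE_ID_PLACEHOLDER::"
OTHER_CRN = "crn:v1:bluemix:public:secrets-manager:us-south:a/ACCOUNT_ID_PLACEHOLDER:OTHER_INSTANCE_PLACEHOLDER::"

def _event(app, action, initiator, reason_type, outcome, host="secrets-manager"):
    """Build a constructed sample event; the nested layout is an assumption."""
    return {"host": host, "app": app, "action": action, "outcome": outcome,
            "initiator": {"id": initiator}, "reason": {"reasonType": reason_type}}

# Constructed sample events: two creates, two rejected requests, one unrelated service.
SAMPLE_EVENTS = [
    _event(INSTANCE_CRN, "secrets-manager.secret.create", "IBMid-USER-A", "OK", "success"),
    _event(INSTANCE_CRN, "secrets-manager.secret.read", "IBMid-USER-B", "Unauthorized", "failure"),
    _event(OTHER_CRN, "secrets-manager.secret.create", "IBMid-USER-A", "OK", "success"),
    _event(OTHER_CRN, "secrets-manager.secret.delete", "IBMid-USER-B", "Unauthorized", "failure"),
    {"host": "other-service", "action": "other-service.thing.read", "initiator": {"id": "IBMid-USER-C"}},
]

def _lookup(event, dotted_key):
    """Resolve a dotted key such as reason.reasonType; None when any part is missing."""
    value = event
    for part in dotted_key.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value

def parse_query(query):
    """Split 'host:secrets-manager action:x' into (field, value) pairs.
    Only the first colon separates field from value, so CRN values survive intact."""
    return [tuple(term.split(":", 1)) for term in query.split()]

def run_query(events, query):
    """Return the events for which every field:value term in the query matches."""
    terms = parse_query(query)
    return [e for e in events if all(_lookup(e, k) == v for k, v in terms)]

def unauthorized_by_initiator(events):
    """Count rejected requests per initiator, using the page's second query."""
    hits = run_query(events, "host:secrets-manager reason.reasonType:Unauthorized")
    return Counter(_lookup(e, "initiator.id") for e in hits)

if __name__ == "__main__":
    print(len(run_query(SAMPLE_EVENTS, "host:secrets-manager action:secrets-manager.secret.create")))
    print(dict(unauthorized_by_initiator(SAMPLE_EVENTS)))
```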
Launching IBM Cloud Logs from the Observability page
For information on launching the IBM Cloud Logs UI, see Launching the UI in the IBM Cloud Logs documentation.
Events for secrets
The following table lists the secret actions that generate an event.
Action | Description
---|---
secrets-manager.secret.create | Create a secret.
secrets-manager.secrets.list | List secrets.
secrets-manager.secret.read | Get a secret.
secrets-manager.secret.delete | Delete a secret.
secrets-manager.secret-metadata.read | View the metadata of a secret.
secrets-manager.secret-metadata.update | Update the metadata of a secret.
secrets-manager.secret-action.create | Create a secret action.
secrets-manager.secret-versions.list | List versions of a secret.
secrets-manager.secret-version.create | Create a new secret version.
secrets-manager.secret-version.read | Get a secret version.
secrets-manager.secret-version-metadata.update | Update the metadata of a secret version.
secrets-manager.secret-version-metadata.read | Get the metadata of a secret version.
secrets-manager.secret-version-data.delete | Delete the data of a secret version.
secrets-manager.secret-version-action.create | Create a version action.
Events for secret groups
The following table lists the secret group actions that generate an event.
Action | Description
---|---
secrets-manager.secret-group.create | Create a secret group.
secrets-manager.secret-groups.list | List secret groups.
secrets-manager.secret-group.read | View the details of a secret group.
secrets-manager.secret-group.update | Update a secret group.
secrets-manager.secret-group.delete | Delete a secret group.
Events for secret locks
The following table lists the secret lock actions that generate an event.
Action | Description
---|---
secrets-manager.secret-locks.create | Create a secret lock.
secrets-manager.secret-locks.list | List secrets and their locks.
secrets-manager.secret-locks.delete | Delete a secret lock.
secrets-manager.secrets-locks.list | List secret locks.
secrets-manager.secret-version-locks.create | Create secret version locks.
secrets-manager.secret-version-locks.list | List secret version locks.
secrets-manager.secret-version-locks.delete | Delete secret version locks.
Events for instance operations
The following table lists the instance operation actions that generate an event.
Action | Description
---|---
secrets-manager.instance.login | Log in to Vault.
secrets-manager.configuration.create | Create a new configuration.
secrets-manager.configuration-action.create | Create a new configuration action.
secrets-manager.configurations.list | List configurations.
secrets-manager.configuration.read | View the details of a configuration.
secrets-manager.configuration.update | Update a configuration.
secrets-manager.configuration.delete | Delete a configuration.
secrets-manager.endpoints.view | Get service instance endpoints.
secrets-manager.notifications-registration.create | Create a registration with Event Notifications.
secrets-manager.notifications-registration.read | Get Event Notifications registration details.
secrets-manager.notifications-registration.delete | Delete an Event Notifications registration.
secrets-manager.notifications-registration.test | Send a test event.