Auditing
With Pega Platform, you can track many types of security events, such as failed logins, password changes, and changes to rules and data. By tracking all of these events, you can understand how your system functions and detect any potential problems.
System auditing
Pega Platform provides comprehensive security information and event management (SIEM) features with which you can:
- Monitor all security-related activity in the system.
- Create reports that analyze patterns of system usage.
- Identify patterns of suspicious behavior.
- Determine the scope of the damage if any vulnerabilities are exploited.
Data auditing
The Pega Platform History- class supports auditing by capturing all data changes in rules and cases. The History- class automatically captures the following updates:
- For rules and cases - changes to the operator ID
- For standard properties - any changes to field-level tracking
For more information, see:
Audit user and developer actions
In addition to tracking data changes in rules and cases, you can audit user and developer actions that might affect the security of your application. This information might indicate suspicious behavior by a developer or user.
All security events include the following information:
- Date and time
- Application name
- Node
- IP address
- Tenant ID
- Operator ID
- Event class (authentication or authorization)
- Event type
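A triage sketch over the fields listed above, added here as an example and not Pega code: it flags a burst of failed logins from one IP address, a successful login that follows such a burst, and any change to the security event configuration. The JSON key names, event-type strings, thresholds and sample lines are constructed assumptions; map them to your own log export, and note that logging of login attempts is not selected by default.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; key names and event-type strings are assumptions,
# not a confirmed Pega log schema.
SAMPLE_LOG = """\
{"time":"2024-05-01T09:00:01","app":"Claims","node":"n1","ip":"203.0.113.7","tenant":"shared","operator":"jdoe","class":"authentication","type":"login","outcome":"fail"}
{"time":"2024-05-01T09:00:20","app":"Claims","node":"n1","ip":"203.0.113.7","tenant":"shared","operator":"asmith","class":"authentication","type":"login","outcome":"fail"}
{"time":"2024-05-01T09:00:41","app":"Claims","node":"n2","ip":"203.0.113.7","tenant":"shared","operator":"jdoe","class":"authentication","type":"login","outcome":"fail"}
{"time":"2024-05-01T09:01:05","app":"Claims","node":"n2","ip":"203.0.113.7","tenant":"shared","operator":"jdoe","class":"authentication","type":"login","outcome":"success"}
{"time":"2024-05-01T09:30:00","app":"Claims","node":"n1","ip":"198.51.100.4","tenant":"shared","operator":"bkim","class":"authentication","type":"login","outcome":"fail"}
{"time":"2024-05-01T10:15:00","app":"Claims","node":"n1","ip":"198.51.100.9","tenant":"shared","operator":"devadmin","class":"authorization","type":"security event configuration change","outcome":"success"}
not-json garbage line
"""

def parse(text):
    """Yield event dicts, skipping lines that are not valid JSON objects."""
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and "time" in ev:
            ev["time"] = datetime.fromisoformat(ev["time"])
            yield ev

def find_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Flag failed-login bursts per source IP and audit-configuration changes."""
    alerts, fails = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("type") == "security event configuration change":
            alerts.append(("audit-config-change", ev.get("operator"), ev["time"]))
        if ev.get("type") != "login":
            continue
        ip = ev.get("ip")
        recent = [t for t in fails[ip] if ev["time"] - t <= window]
        if ev.get("outcome") == "fail":
            fails[ip] = recent + [ev["time"]]
            if len(fails[ip]) == threshold:
                alerts.append(("failed-login-burst", ip, ev["time"]))
        elif len(recent) >= threshold:  # success right after a burst
            alerts.append(("success-after-burst", ev.get("operator"), ev["time"]))
            fails[ip] = []
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(parse(SAMPLE_LOG)):
        print(alert)
```

Because events are grouped by IP address rather than operator ID, the burst rule also catches attempts spread across several accounts from one source.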
Event types that can be audited
In Security Event Configuration, there are 3 types of events you can audit: Authentication events, Data access events, and Security administration events. Specific information about these events is available below.
To access the Security Event Configuration, in the header of Dev Studio, click
Authorization events
Authorization events assist developers by tracking:
- Successful and failed login attempts
- Password changes
- Session terminations
- Logouts
- Changes to operator records
The table below describes the Authorization events on the Security Event Configuration tab.
Authorization event | Default setting |
Successful and failed login attempts | Not selected |
Password changes | Not selected |
Session terminations | Selected |
Logouts | Selected |
Changes to operator records | Selected |
Data access events
Data access events assist developers by tracking:
- Successful attempts to open cases
- Attempts to open cases if the attempt fails because of security policies
- SQL queries to the database
- Changes to report filters
- Full-text searches
The table below describes the Data access events on the Security Event Configuration tab.
Data access event | Default setting |
Every open of a work- class object on the clipboard that succeeds | Not selected |
Every SQL query that executed | Not selected |
Changes to report definition filters | Not selected |
Search queries | Not selected |
Every open of a work- class object on the clipboard that fails due to security policies | Selected |
Every report definition that executed | Selected |
Every malformed request received from client | Selected |
Security administration events
Security administration events assist developers by tracking:
- Changes to security authentication policies
- Changes to attribute-based access control (ABAC) policies and policy conditions
- Changes to role-based access control (RBAC), including changes to Rule-Access-Role-Obj (RARO) rules
- Changes to dynamic system settings
- Changes to content security policies (CSP)
- Changes to access groups
- Changes to work queues
- Invocations of Access Manager
The table below describes the Security administration events on the Security Event Configuration tab.
Security administration event | Default setting |
Every invocation of access manager | Not selected |
Every BIX form changes and executions | Not selected |
Every change to ABAC security policies | Selected |
Every change to CBAC security policies | Selected |
Every change to dynamic system settings | Selected |
Every change to content security policy (CSP) | Selected |
Every change to security authentication policies | Selected |
Every change to security event configuration | Selected |
Every change to RBAC security policies (including RADO and RARO) | Selected |
Every change to access group settings | Selected |
Every change to workbasket role settings | Selected |
Every request to Disable/Enable operator | Selected |
Every request to add/update/removal of servlet | Selected |
OAuth 2.0 events
OAuth 2.0 events assist developers by tracking:
- Token requests
- Token revocations
- Invalid tokens
- API requests
- Client rule form changes
- Dynamic client registration
The table below describes the OAuth 2.0 events on the Security Event Configuration tab.
OAuth 2.0 events | Default setting |
Invalid token requests | Selected |
API requests with invalid client credentials | Selected |
Token revocation from Rest API | Selected |
Regeneration of client secret from rule form | Selected |
Token revocation from rule form | Selected |
Delete client instance from rule form | Selected |
Dynamic client registration | Selected |
Resource API invocation using invalid access token | Selected |
Custom events
You can toggle custom events ON and OFF.
You can define your own custom security events that you want to log.
For more information, see Tracking and auditing actions by developers and users.
- Tracking and auditing changes to data
Pega Platform maintains a historical record of changes to certain data classes and rule types. You can use this history to diagnose system issues and to demonstrate compliance to internal and external auditors.
- Tracking and auditing actions by developers and users
The security event configuration feature is part of security information and event management (SIEM), which combines security information management (SIM) and security event management (SEM). Use the Security Event Configuration landing page to configure the logging of security events so that you can diagnose system issues and demonstrate compliance to auditors.
- Monitoring security alerts and events
Pega Platform generates security alerts and events for situations such as attempts to hijack a user session. You can review the security alerts and events by viewing their respective logs.
- Logging each use of harness and flow action rules
Your application can create an audit record each time an operator requests either a harness form or a flow action.