CloudGuard Dome9 User Guide

Audit Trail Events


You can configure Dome9 to send audit trail messages to an AWS SNS topic. The tables below list the messages, grouped by type.

| Message-EventType | Audit parent type | Audit child type | Description |
|---|---|---|---|
| AssessmentCompletionEvent | | | A Dome9 Continuous Compliance assessment was completed |
| AccountTrustCreatedEvent | Account Trust relation | Trust relation was created | Trust relation between accounts was created |
| AccountTrustDeletedEvent | Account Trust relation | Trust relation was deleted | Trust relation between accounts was deleted |
| AccountTrustUpdatedEvent | Account Trust relation | Trust relation was updated | Trust relation between accounts was updated |
| --- | Dome9 account | Dome9 account created | Dome9 Account was created |
| ManagedAccountCreatedEvent | Managed account event | Dome9 managed account was created | Dome9 Managed account was created |
| ManagedAccountDeletedEvent | Managed account event | Dome9 managed account was deleted | Dome9 Managed account was deleted |
| ManagedAccountUpdatedEvent | Managed account event | Dome9 managed account was updated | Dome9 Managed account was updated |
| AccountLicenseUpdatedEvent | Dome9 account | Account license updated | The license plan was updated. |
| AccountNameUpdatedEvent | Dome9 account | Account name updated | Dome9 Account name was updated |
| CrossAccountIdentifierCreatedEvent | Dome9 account | Cross account identifier was generated | A cross account identifier was generated for the account (for MSP) |
| AccountBillingUpdatedEvent | Dome9 account | Account billing updated | Billing details were updated. |
| AccountLicenseStateChangedEvent | Dome9 account | Account license state changed | License state changed (Active / Suspended) |
| AuditDataExportEvent | | Audit data exported | A user exported the Audit trail content. |
| AlertTriggeredEvent | Alerts events | Alert triggered | Alert was triggered on a security group |
| AlertClosedEvent | Alerts events | Alert resolved | Alert was resolved on a security group |
| AlertUpdatedEvent | Alerts events | Alert updated | Alert content was updated on a security group |
| BillingCalculationEvent | Billing calculation | | Obsolete |
| AwsAccountAddEvent | Cloud account | Cloud account created | New cloud account was added to Dome9 Console |
| CloudAccountRenameEvent | Cloud account | Cloud account renamed | Cloud account was renamed |
| ProfileBehaviorChangedEvent | Cloud account | Region configuration updated | Region configuration updated for a cloud account |
| ProtectionModeChangedEvent | Cloud account | Protection mode updated | Protection mode updated for cloud account |
| InvalidAwsCredentialsEvent | Cloud account | Invalid cloud credentials | The cloud account has invalid credentials |
| AwsCredentialsValidatedEvent | Cloud account | Cloud credentials validated | The cloud account that had invalid credentials is now valid |
| NewAwsSecGroupCreatedEvent | Cloud security groups | Security group created | Security group was created from Dome9 Console |
| AwsSecGroupTagsUpdatedEvent | Cloud security groups | Security group updated | Security group was updated from Dome9 Console |
| AwsSecGroupDeletedEvent | Cloud security groups | Security group deleted | Security group was deleted from Dome9 Console |
| CloudSecGroupTamperDetectedEvent | Cloud security groups | Security group tamper detected and handled | A change was detected on a fully protected security group and it was reverted |
| CloudSecGroupChangesDetectedEvent | Cloud security groups | Security group change detected | A change was detected on a read only security group |
| CloudSecGroupPushEvent | Cloud security groups | Security group push | A Security group change was pushed to AWS |
| ObsoletePermissionsDetectedEvent | Cloud security groups | Policy normalized | The security group policy was normalized |
| CloudSecGroupImportedEvent | Cloud security groups | Security group imported | Security group was imported from your cloud account |
| CloudSecGroupProtectionModeUpdateFailed | Cloud security groups | Security group protection mode update failed | Failed to update protection mode of security group (Full protection / Read only) |
| InstanceCreatedEvent | Instance event | New instance created | New instance was created on your cloud account |
| InstanceStateChanged | Instance event | Instance state changed | Instance state changed |
| InstanceTagsChangeDetectedEvent | Instance event | Instance updated | A change was detected on an instance and updated in Dome9 |
| --- | Cloud security service (port) | Cloud security group configuration change | Cloud security groups configuration related audits |
| AwsServiceCreatedEvent | Cloud security group configuration change | Security group service created | Security group service created from Dome9 Console |
| AwsServiceDeletedEvent | Cloud security group configuration change | Security group service deleted | Security group service deleted from Dome9 Console |
| AwsServiceUpdatedEvent | Cloud security group configuration change | Security group service updated | Security group service modified from Dome9 Console |
| AwsOutboundServiceCreatedEvent | Cloud security group configuration change | Security group outbound service created | Security group outbound service created from Dome9 Console |
| AwsOutboundServiceDeletedEvent | Cloud security group configuration change | Security group outbound service deleted | Security group outbound service deleted from Dome9 Console |
| AwsOutboundServiceUpdatedEvent | Cloud security group configuration change | Security group outbound service updated | Security group outbound service modified from Dome9 Console |
| AwsLeaseAcquiredEvent | Cloud access leases | Access lease acquired | An access lease was acquired by a user |
| AwsLeaseEndedEvent | Cloud access leases | Access lease ended | An access lease was ended when the time period finished |
| LeaseTerminatedEvent | Cloud access leases | Access lease terminated | An access lease was terminated manually by the user |
| BlacklistUpdatedEvent | Blacklist | Blacklist updated | Blacklist for the Agents was updated with new content. |
| BlacklistItemExpiredEvent | Blacklist | Blacklist item expired | A blacklist item expired |
| EmergencyPolicyTimeoutUpdatedEvent | Emergency policy | Emergency timeout updated | The timeout for Agents emergency policy was updated |
| EmergencyPolicyUpdatedEvent | Emergency policy | Emergency policy updated | The emergency policy for the Agents was updated. |
| EventsIntegrationCreatedEvent | Events integration | Events integration created | SNS integration created |
| EventsIntegrationUpdatedEvent | Events integration | Events integration updated | SNS integration updated |
| EventsIntegrationDeletedEvent | Events integration | Events integration deleted | SNS integration deleted |
| NewIPListCreatedEvent | IP List | IP List created | Created new IP List |
| IPListDeletedEvent | IP List | IP List deleted | Deleted IP List |
| IPListUpdatedEvent | IP List | IP List updated | An IP List was updated |
| InvitationCreatedEvent | Invitations | Invitation created | An access lease invitation was created |
| InvitationUsedEvent | Invitations | Invitation used | An access lease invitation was used |
| InvitationExpiredUsageAttemptEvent | Invitations | Expired Invitation usage attempt | An access lease expired invitation usage was detected |
| UsedInvitationUsageAttemptEvent | Invitations | Used Invitation usage attempt | An access lease used invitation usage was detected |
| InvitationCancelledEvent | Invitations | Invitation canceled | An access lease invitation was canceled |
| NewSecurityGroupCreatedEvent | Dome9 security groups | Security group created | New Agent security group was created |
| SecurityGroupUpdatedEvent | Dome9 security groups | Security group updated | Agent security group was updated |
| SecurityGroupDeletedEvent | Dome9 security groups | Security group deleted | Agent security group was deleted |
| SecurityGroupFIMDisabledEvent | Dome9 security groups | Security group FIM policy disabled | FIM policy disabled on an agent security group |
| SecurityGroupFIMEnabledEvent | Dome9 security groups | Security group FIM policy enabled | FIM policy enabled on an agent security group |
| NewServerCreatedEvent | Dome9 Agents | Agent created | New agent installed on an instance |
| ServerUpdatedEvent | Dome9 Agents | Agent configuration updated | Agent configuration was changed (Name / attached security groups) |
| ServerStateChangedEvent | Dome9 Agents | Agent state changed | Agent state changed from: state to: state |
| ServerDeletedEvent | Dome9 Agents | Agent deleted | Agent deleted from an instance |
| ServerReinstallEvent | Dome9 Agents | Agent reinstalled | Agent was reinstalled |
| AgentUpgradedEvent | Dome9 Agents | Agent upgraded | Agent was upgraded |
| AgentObsoleteVersionEvent | Dome9 Agents | Agent has obsolete version | The Agent version is obsolete and needs to be updated |
| AllFIMAlertsAcknowledgedEvent | | FIM Alerts acknowledged | FIM Alerts were acknowledged by the user |
| FIMScannerStateChangedEvent | --- | | FIM Scan started or ended. |
| --- | Dome9 security group service (port) | Agent security group configuration change | Security group rule configuration was changed |
| ServicePortCreatedEvent | Agent security group configuration change | Security group service created | Security group service created from Dome9 Console |
| ServicePortDeletedEvent | Agent security group configuration change | Security group service deleted | Security group service deleted from Dome9 Console |
| SecurityGroupUpdatedEvent | Agent security group configuration change | Security group service updated | Security group service modified from Dome9 Console |
| OutboundServicePortCreatedEvent | Agent security group configuration change | Security group outbound service created | Security group outbound service created from Dome9 Console |
| OutboundServicePortDeletedEvent | Agent security group configuration change | Security group outbound service deleted | Security group outbound service deleted from Dome9 Console |
| OutboundServicePortUpdatedEvent | Agent security group configuration change | Security group outbound service updated | Security group outbound service modified from Dome9 Console |
| AwsLeaseAcquiredEvent | Dome9 access leases | Access lease acquired | An access lease was acquired by a user |
| AwsLeaseEndedEvent | Dome9 access leases | Access lease ended | An access lease was ended when the time period finished |
| LeaseTerminatedEvent | Dome9 access leases | Access lease terminated | An access lease was terminated manually by the user |
| NewUserRegisteredEvent | Users | New user registered | New user registered to the account |
| UserForgotPasswordEvent | Users | Forgotten password | The user reported a forgotten password |
| --- | Users | Users management | User management audits |
| UserDisconnectedFromSSOEvent | Users management | User disconnected from SSO | User was set to log in with user and password and not with SSO |
| UserConnectedToSSOEvent | Users management | User connected to SSO | User was set to log in with SSO authentication |
| NewUserCreatedEvent | Users management | User created | New user created on the account |
| UserDeletedEvent | Users management | User deleted | User was deleted |
| UserPermissionsUpdatedEvent | Users management | Permissions changed | User permissions were changed from - to |
| AccountOwnerChanged | Users management | Account ownership transfer | The account owner user was changed |
| ApiKeyCreatedEvent | Users management | API Key created | API key was created for a user |
| ApiKeyDeletedEvent | Users management | API Key deleted | API key was deleted |
| AuthenticationProviderChangedEvent | Users management | Multi factor authentication | MFA was set for a user |
| UserChangedPasswordEvent | Users | Password change | Password changed by a user |
| UserResetPasswordEvent | Users | Password was reset | Password was reset by a user |
| UserEmailConfirmedEvent | Users | Email confirmation | Email confirmation was sent to a user |
| UserLogOnEvent | Users | User logged on | User logged on to the system |
| UserAssumeRoleEvent | Users | User switched role | |
| UserProvisionEvent | Users | SSO based on role | |
| UserLogOnFailureEvent | Users | Failed logon | User failed to log in to the system |
| SSOUserLogOnFailureEvent | Users | SSO login failed | SSO login failed by a user |
| UserRoleDeletedEvent | User role event | User role deleted | Role was deleted |
| UserRoleCreatedEvent | User role event | User role created | New role was created |
| UserRoleUpdatedEvent | User role event | User role updated | Role permissions were updated |
| GoogleCloudAccountAddedEvent | Google Cloud Account | | Google Cloud Account was added |
| GoogleCloudAccountDeletedEvent | Google Cloud Account | | Google Cloud Account was deleted |
| AzureCloudAccountAddEvent | Azure Cloud Account | Azure Cloud Account created | New Azure cloud account was added to Dome9 Console |
| AzureCloudAccountDeleteEvent | Azure Cloud Account | Azure Cloud Account deleted | Azure cloud account was deleted from Dome9 Console |
| --- | D9 Azure base resource event | D9 Azure security group event | Azure NSG related audits |
| AzureSecurityGroupImportedEvent | D9 Azure security group event | Azure network security group imported | New Azure security group imported |
| AzureSecurityGroupUpdatedEvent | D9 Azure security group event | Azure network security group change detected | Change detected on network security group |
| --- | D9 Azure base resource event | D9 Azure security group policy event | Azure NSG policy related audits |
| AzureSgPolicyCreatedEvent | D9 Azure security group policy event | Azure network security group created | New security group was created from Dome9 Console |
| AzureSgPolicyDeletedEvent | D9 Azure security group policy event | Azure network security group deleted | Network security group was deleted |
| AzureSgPolicyServicesUpdatedEvent | D9 Azure security group policy event | Azure network security group updated | Network security group was updated |
| --- | D9 Azure base resource event | Azure network security group service | Azure NSG service related audits |
| AzurePolicyServiceCreatedEvent | Azure network security group service | Azure network security group service created | Service created on Azure NSG |
| AzurePolicyServiceDeletedEvent | Azure network security group service | Azure network security group service deleted | Service deleted on Azure NSG |
| AzurePolicyServiceUpdatedEvent | Azure network security group service | Azure network security group service updated | Service on Azure NSG was updated |