Security auditing
Track system changes to understand how your system functions and to be alerted to potential problems. By default, Pega Platform™ tracks many types of security events, such as failed logins, password changes, and changes to Rules and data.
System auditing
Pega Platform provides comprehensive Security Information and Event Management (SIEM) features with which you can:
- Monitor all security-related activity in the system.
- Create reports that analyze patterns of system usage.
- Identify patterns of suspicious behavior.
- Determine the scope of the damage if any vulnerabilities are exploited.
Data auditing
The History- class supports auditing by capturing all data changes in Rules and Cases. The History- class automatically captures the following updates:
- Changes to the operator ID for Rules and Cases.
- Any changes to field-level tracking for standard properties.
Audit user and developer actions
In addition to tracking data changes in Rules and Cases, you can audit user and developer actions that might affect the security of your application. This information might potentially indicate suspicious behavior by a developer or user.
All security events include the following information:
- Date and time
- Application name
- Node
- IP address
- Tenant ID
- Operator ID
- Event class (authentication or authorization)
- Event type
Event types that can be audited
You can audit three types of events in Security Event Configuration: authentication events, data access events, and security administration events. The Security Event Configuration is accessible in the menu in the header of Dev Studio.
Authentication events
Authentication events assist developers by tracking successful and failed login attempts, password changes, session terminations, logouts, failed pre- and post-authentication validation for authentication service mapping, and changes to operator records.
Data access events
Data access events assist developers by tracking successful attempts to open cases, attempts to open cases that fail because of security policies, SQL queries to the database, changes to report filters, runs of report definitions, every malformed request received from the client, and full-text searches.
Security administration events
Security administration events assist developers by tracking the following items:
- Changes to security authentication policies
- Changes to attribute-based access control (ABAC) policies and policy conditions
- Changes to role-based access control (RBAC), including changes to Rule-Access-Role-Obj (RARO) rules
- Changes to dynamic system settings
- Changes to content security policies (CSP)
- Changes to Access Groups
- Changes to work queues
- Invocations of Access Manager
- Changes to security event configuration
- BIX form changes and executions
- Changes to workbasket role settings
- Every request to disable or enable an operator
- Every request to add, update, or remove a servlet or filter
OAuth 2.0 events
OAuth 2.0 events assist developers by tracking token requests, token revocations, invalid tokens, API requests, changes in the client Rule form, and dynamic client registration.
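As an added illustration, not Pega's own code or log format, the following Python runs two detections over security event records that carry the fields listed above: bursts of failed logins per operator and IP address, and security administration changes issued from an IP address the operator has never logged in from successfully. The records, the dictionary layout, the event-type names and the event-class assignment are constructed assumptions for this example.

```python
"""Detections over constructed Pega-style security event records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed event-type names standing in for the security administration events
# listed on this page (Access Groups, RBAC, CSP, security event configuration).
ADMIN_EVENT_TYPES = {"AccessGroupChanged", "RbacRoleChanged", "CspChanged",
                     "SecurityEventConfigChanged"}


def ev(time, operator, ip, event_class, event_type,
       node="node1", app="ClaimsApp", tenant="t1"):
    """Build one record with the fields every security event includes."""
    return {"time": time, "app": app, "node": node, "ip": ip, "tenant": tenant,
            "operator": operator, "event_class": event_class, "event_type": event_type}


# Constructed sample records, not captured from a real system.
EVENTS = [
    ev("2024-05-01T09:00:00", "jdoe", "10.0.0.5", "authentication", "LoginFailed"),
    ev("2024-05-01T09:00:20", "jdoe", "10.0.0.5", "authentication", "LoginFailed"),
    ev("2024-05-01T09:00:45", "jdoe", "10.0.0.5", "authentication", "LoginFailed"),
    ev("2024-05-01T09:01:10", "jdoe", "10.0.0.5", "authentication", "LoginSucceeded"),
    ev("2024-05-01T10:30:00", "asmith", "10.0.0.9", "authentication", "LoginSucceeded"),
    ev("2024-05-01T11:00:00", "asmith", "10.0.0.9", "authorization", "AccessGroupChanged"),
    ev("2024-05-01T11:05:00", "asmith", "203.0.113.7", "authorization", "CspChanged"),
]


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """(operator, ip) pairs with at least `threshold` failed logins inside `window`."""
    times = defaultdict(list)
    for e in events:
        if e["event_class"] == "authentication" and e["event_type"] == "LoginFailed":
            times[(e["operator"], e["ip"])].append(datetime.fromisoformat(e["time"]))
    flagged = []
    for key, ts in times.items():
        ts.sort()
        # Sliding window: any `threshold` consecutive failures within `window`.
        if any(ts[i + threshold - 1] - ts[i] <= window
               for i in range(len(ts) - threshold + 1)):
            flagged.append(key)
    return flagged


def admin_changes_from_unknown_ip(events):
    """Security administration events from an IP address with no successful
    login by the same operator; returned as (operator, ip, event_type)."""
    known = defaultdict(set)
    for e in events:
        if e["event_class"] == "authentication" and e["event_type"] == "LoginSucceeded":
            known[e["operator"]].add(e["ip"])
    return [(e["operator"], e["ip"], e["event_type"]) for e in events
            if e["event_type"] in ADMIN_EVENT_TYPES and e["ip"] not in known[e["operator"]]]
```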
Field-level auditing
Field-level auditing enables you to monitor changes to important data values in your cases. From a security perspective, tracking modifications when sensitive data is involved is useful.
You can easily configure fields in App Studio or Dev Studio to track changes in a case type. As a result, you can maintain compliance and follow changes to critical information in critical cases. The Rule changes are saved as an instance of the History-Rule class, and data instances are saved as an instance of a subclass of the History-Data- Class.
When field-level auditing is active, it captures the property name, any values that were added, and changed values (the from value and the to value).
Field-level auditing captures the following details for aggregate properties:
- Two entries when a value changes: one entry about deleting the earlier value and another about adding the new value.
- Only one level of nested PageList mode properties, because only one level of nesting is supported. Nested PageGroup mode properties are not supported.
For more information, see Auditing changes to aggregate properties.
Field-level auditing does not support data reference, page group property, value group property, and value list property field types.
Field-level auditing in Constellation is limited to simple fields, such as Booleans or text fields.
To enable security auditing for a data class or a Rule Type, you must create a data transform and a declare trigger. For more information, see Enabling security auditing for a data class or Rule Type and Auditing field-level changes to security Rule and data instances.