Message events

Overview

The following security events are emitted as OCSF-aligned JSON by the Base software; each is identified by its activity_name. The outcome of each event (that is, success or failure) is carried in the status field. Web-server access events (the final subsection) are also OCSF-aligned JSON but do not carry an activity_name, they are identified by their request-and-response structure.

🚧

Important information

The following events are not available on cloud-managed appliances:

  • Support sessions
  • Appliance reboot
  • Factory reset
  • Default-site change
  • Account and two-factor changes
  • SAML configuration

Sign-in

EventTrigger
LogonAn administrator signs in to the appliance.

Account changes

EventTrigger
CreateAn administrator account is created.
DeleteAn administrator account is deleted.
Account UpdateAn existing administrator account is edited.
Password ChangeA user changes their own password at sign-in when a change is required.
Password ResetThe administrator account is reset to factory-default credentials.
MFA Factor EnableTwo-factor authentication is enabled for an account.
MFA Factor DisableTwo-factor authentication is disabled for an account.
MFA Backup Codes GeneratedTwo-factor backup codes are generated.
MFA Backup Code UsedA two-factor backup code is used to sign in.

Support session

EventTrigger
OpenA support tunnel is opened.
CloseA support tunnel is closed.

Software updates

EventTrigger
InstallA software update is installed.
UpdateA software patch is installed.

Certificate operations

EventTrigger
Certificate CreateA certificate is generated or issued.
Certificate Request CreateA certificate signing request (CSR) is generated.
Certificate ExportA certificate is exported.
Certificate DeleteA certificate is deleted.
Certificate Request DeleteA certificate signing request is deleted.
Certificate RenewA certificate is renewed.
Certificate ImportA certificate is imported.
Certificate ExpiryA certificate is approaching expiry.

SAML configuration

EventTrigger
SAML Metadata ExportService-provider metadata is downloaded.
SAML Metadata ImportIdentity-provider metadata is uploaded.
SAML IdP DeleteA configured identity provider is removed.
SAML Settings UpdateSAML settings are changed.
SAML Key CreateA service-provider signing key is generated.
SAML Key DeleteA service-provider signing key is deleted.
SAML Key ImportA service-provider signing key is uploaded.

System and configuration

EventTrigger
Syslog Server ChangeA remote syslog destination is added, edited, or removed.
Default Site ChangeThe default site is changed.
ACME Server RegisterAn ACME server is registered.
ACME Server DeregisterAn ACME server is deregistered.
System RebootAn administrator reboots the appliance.
Update CheckThe appliance checks for software updates.
Update ScheduleThe automatic-update schedule is changed.
Update Settings ChangeAn automatic-update setting is changed.
Application ConnectAn application connection is accepted or rejected.
Setting ChangeA configuration setting is changed.
Factory ResetA factory reset is initiated.

Secret operations

EventTrigger
Secret ReadReading a secret from the secret store fails.
Secret UpdateWriting a secret to the secret store fails.
Secret DeleteDeleting a secret from the secret store fails.

Web-server access (HTTP category -- on-premises only)

When the HTTP category is enabled, the appliance records one event per web-server request. These events do not have an activity_name, message, or status. They are identified by their request-and-response structure and carry the fields listed under Web-server access fields.

ℹ️

For more information on response structure, see Message format.


©2003-2026 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.