The following security events are emitted as OCSF-aligned JSON by the Base software; each is identified by its activity_name. The outcome of each event (that is, success or failure) is carried in the status field. Web-server access events (the final subsection) are also OCSF-aligned JSON but do not carry an activity_name, they are identified by their request-and-response structure.
🚧The following events are not available on cloud-managed appliances:
- Support sessions
- Appliance reboot
- Factory reset
- Default-site change
- Account and two-factor changes
- SAML configuration
| Event | Trigger |
|---|
| Logon | An administrator signs in to the appliance. |
| Event | Trigger |
|---|
| Create | An administrator account is created. |
| Delete | An administrator account is deleted. |
| Account Update | An existing administrator account is edited. |
| Password Change | A user changes their own password at sign-in when a change is required. |
| Password Reset | The administrator account is reset to factory-default credentials. |
| MFA Factor Enable | Two-factor authentication is enabled for an account. |
| MFA Factor Disable | Two-factor authentication is disabled for an account. |
| MFA Backup Codes Generated | Two-factor backup codes are generated. |
| MFA Backup Code Used | A two-factor backup code is used to sign in. |
| Event | Trigger |
|---|
| Open | A support tunnel is opened. |
| Close | A support tunnel is closed. |
| Event | Trigger |
|---|
| Install | A software update is installed. |
| Update | A software patch is installed. |
| Event | Trigger |
|---|
| Certificate Create | A certificate is generated or issued. |
| Certificate Request Create | A certificate signing request (CSR) is generated. |
| Certificate Export | A certificate is exported. |
| Certificate Delete | A certificate is deleted. |
| Certificate Request Delete | A certificate signing request is deleted. |
| Certificate Renew | A certificate is renewed. |
| Certificate Import | A certificate is imported. |
| Certificate Expiry | A certificate is approaching expiry. |
| Event | Trigger |
|---|
| SAML Metadata Export | Service-provider metadata is downloaded. |
| SAML Metadata Import | Identity-provider metadata is uploaded. |
| SAML IdP Delete | A configured identity provider is removed. |
| SAML Settings Update | SAML settings are changed. |
| SAML Key Create | A service-provider signing key is generated. |
| SAML Key Delete | A service-provider signing key is deleted. |
| SAML Key Import | A service-provider signing key is uploaded. |
| Event | Trigger |
|---|
| Syslog Server Change | A remote syslog destination is added, edited, or removed. |
| Default Site Change | The default site is changed. |
| ACME Server Register | An ACME server is registered. |
| ACME Server Deregister | An ACME server is deregistered. |
| System Reboot | An administrator reboots the appliance. |
| Update Check | The appliance checks for software updates. |
| Update Schedule | The automatic-update schedule is changed. |
| Update Settings Change | An automatic-update setting is changed. |
| Application Connect | An application connection is accepted or rejected. |
| Setting Change | A configuration setting is changed. |
| Factory Reset | A factory reset is initiated. |
| Event | Trigger |
|---|
| Secret Read | Reading a secret from the secret store fails. |
| Secret Update | Writing a secret to the secret store fails. |
| Secret Delete | Deleting a secret from the secret store fails. |
When the HTTP category is enabled, the appliance records one event per web-server request. These events do not have an activity_name, message, or status. They are identified by their request-and-response structure and carry the fields listed under Web-server access fields.
ℹ️For more information on response structure, see Message format.