With Pega Platform, you can track many types of security events, such as failed logins, password changes, and changes to rules and data. By tracking all of these events, you can understand how your system functions and detect any potential problems.
Pega Platform provides comprehensive security information and event management (SIEM) features with which you can:
- Monitor all security-related activity in the system.
- Create reports that analyze patterns of system usage.
- Identify patterns of suspicious behavior.
- Determine the scope of the damage if any vulnerabilities are exploited.
The Pega Platform History- class supports auditing by capturing data changes in rules and cases. The History- class automatically captures the following updates:
- For rules and cases: each change, recorded against the operator ID that made it
- For standard properties: changes to properties for which field-level tracking is enabled
For more information, see Tracking and auditing changes to data.
Audit user and developer actions
In addition to tracking data changes in rules and cases, you can audit user and developer actions that might affect the security of your application. This information can indicate suspicious behavior by a developer or user.
All security events include the following information:
- Date and time
- Application name
- IP address
- Tenant ID
- Operator ID
- Event class (authentication or authorization)
- Event type
Event types that can be audited
On the Security Event Configuration landing page there are four categories of events that you can audit: Authentication events, Data access events, Security administration events, and OAuth 2.0 events. You can also define your own custom events. Specific information about each category is available below.
To access the Security Event Configuration, in the header of Dev Studio, click.
Authentication events
Authentication events assist developers and security teams by tracking:
- Successful and failed login attempts
- Password changes
- Session terminations
- Changes to operator records
The table below lists the Authentication events on the Security Event Configuration tab and their default settings. Note that login attempts and password changes are not logged by default; enable them if you want to detect brute-force or credential-stuffing activity.

| Authentication event | Default setting |
| --- | --- |
| Successful and failed login attempts | Not selected |
| Password changes | Not selected |
| Session terminations | Selected |
| Logouts | Selected |
| Changes to operator records | Selected |
Data access events
Data access events assist developers and security teams by tracking:
- Successful attempts to open cases
- Attempts to open cases if the attempt fails because of security policies
- SQL queries to the database
- Changes to report filters
- Full-text searches
The table below lists the Data access events on the Security Event Configuration tab and their default settings.

| Data access event | Default setting |
| --- | --- |
| Every open of a work- class object on the clipboard that succeeds | Not selected |
| Every SQL query that executed | Not selected |
| Changes to report definition filters | Not selected |
| Search queries | Not selected |
| Every open of a work- class object on the clipboard that fails due to security policies | Selected |
| Every report definition that executed | Selected |
| Every malformed request received from client | Selected |
Security administration events
Security administration events assist developers and security teams by tracking:
- Changes to security authentication policies
- Changes to attribute-based access control (ABAC) policies and policy conditions
- Changes to role-based access control (RBAC), including changes to Access Role to Object (Rule-Access-Role-Obj, RARO) and Access Deny (Rule-Access-Deny-Obj, RADO) rules
- Changes to dynamic system settings
- Changes to content security policies (CSP)
- Changes to access groups
- Changes to work queues
- Invocations of Access Manager
The table below lists the Security administration events on the Security Event Configuration tab and their default settings.

| Security administration event | Default setting |
| --- | --- |
| Every invocation of access manager | Not selected |
| Every BIX form changes and executions | Not selected |
| Every change to ABAC security policies | Selected |
| Every change to CBAC security policies | Selected |
| Every change to dynamic system settings | Selected |
| Every change to content security policy (CSP) | Selected |
| Every change to security authentication policies | Selected |
| Every change to security event configuration | Selected |
| Every change to RBAC security policies (including RADO and RARO) | Selected |
| Every change to access group settings | Selected |
| Every change to workbasket role settings | Selected |
| Every request to Disable/Enable operator | Selected |
| Every request to add/update/removal of servlet | Selected |
OAuth 2.0 events
OAuth 2.0 events assist developers and security teams by tracking:
- Token requests
- Token revocations
- Invalid tokens
- API requests
- Client rule form changes
- Dynamic client registration
The table below lists the OAuth 2.0 events on the Security Event Configuration tab and their default settings.

| OAuth 2.0 event | Default setting |
| --- | --- |
| Invalid token requests | Selected |
| API requests with invalid client credentials | Selected |
| Token revocation from Rest API | Selected |
| Regeneration of client secret from rule form | Selected |
| Token revocation from rule form | Selected |
| Delete client instance from rule form | Selected |
| Dynamic client registration | Selected |
| Resource API invocation using invalid access token | Selected |
Custom events
You can define your own custom security events that you want to log, and toggle each custom event ON or OFF on the Security Event Configuration tab.
For more information, see Tracking and auditing actions by developers and users.
- Tracking and auditing changes to data
Pega Platform maintains a historical record of changes to certain data classes and rule types. You can use this history to diagnose system issues and to demonstrate compliance to internal and external auditors.
- Tracking and auditing actions by developers and users
The security event configuration feature is part of security information and event management (SIEM) that combines security information management (SIM) and security event management (SEM). Use the Security Event Configuration landing page to configure the logging of security events so that you can diagnose system issues and demonstrate compliance to auditors.
- Monitoring security alerts and events
Pega Platform generates security alerts and events for situations such as attempts to hijack a user session. You can review the security alerts and events by viewing their respective logs.
- Logging each use of harness and flow action rules
Your application can create an audit record each time an operator requests either a harness form or a flow action.