With Pega Platform, you can track many types of security events, such as failed logins, password changes, and changes to rules and data. By tracking all of these events, you can understand how your system functions and detect any potential problems.
Pega Platform provides comprehensive security information and event management (SIEM) features with which you can:
- Monitor all security-related activity in the system.
- Create reports that analyze patterns of system usage.
- Identify patterns of suspicious behavior.
- Determine the scope of the damage if any vulnerabilities are exploited.
The Pega Platform History- class supports auditing by capturing all data changes in rules and cases. The History- class automatically captures the following updates:
- For rules and cases - changes to the operator ID
- For standard properties - any changes to field-level tracking
Audit user and developer actions
In addition to tracking data changes in rules and cases, you can audit user and developer actions that might affect the security of your application. This information might indicate suspicious behavior by a developer or user.
All security events include the following information:
- Date and time
- Application name
- IP address
- Tenant ID
- Operator ID
- Event class (authentication or authorization)
- Event type
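As an added illustration (not Pega code and not part of the original page), the following Python example uses these common fields to spot suspicious behavior: it flags a tenant and IP address pair that produces several failed logins within a short window, and lists any operator that then logged in successfully from that address. The JSON layout, the key names, and the event type values are assumptions, and the records are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, one JSON object per line. Key names and "type"
# values are assumptions modelled on the field list above, not Pega's schema.
SAMPLE_LOG = """\
{"time":"2024-05-01T09:00:05","app":"Claims","ip":"203.0.113.7","tenant":"shared","operator":"alice","class":"authentication","type":"login_failed"}
{"time":"2024-05-01T09:00:40","app":"Claims","ip":"203.0.113.7","tenant":"shared","operator":"bob","class":"authentication","type":"login_failed"}
{"time":"2024-05-01T09:01:10","app":"Claims","ip":"203.0.113.7","tenant":"shared","operator":"carol","class":"authentication","type":"login_failed"}
{"time":"2024-05-01T09:02:00","app":"Claims","ip":"203.0.113.7","tenant":"shared","operator":"carol","class":"authentication","type":"login_succeeded"}
{"time":"2024-05-01T09:00:00","app":"Claims","ip":"198.51.100.20","tenant":"shared","operator":"dave","class":"authentication","type":"login_failed"}
{"time":"2024-05-01T09:20:00","app":"Claims","ip":"198.51.100.20","tenant":"shared","operator":"dave","class":"authentication","type":"login_failed"}
{"time":"2024-05-01T09:40:00","app":"Claims","ip":"198.51.100.20","tenant":"shared","operator":"dave","class":"authentication","type":"login_failed"}
truncated-line-without-json
"""


def failed_login_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Map (tenant, ip) to operators seen in a burst of failed logins."""
    fails, wins = defaultdict(list), defaultdict(list)
    for line in lines:
        try:
            ev = json.loads(line)
            when = datetime.fromisoformat(ev["time"])
            key, who = (str(ev["tenant"]), str(ev["ip"])), str(ev["operator"])
            kind = ev["type"] if ev["class"] == "authentication" else None
        except (ValueError, KeyError, TypeError):
            continue  # blank, truncated, or incomplete record: skip it
        if kind == "login_failed":
            fails[key].append((when, who))
        elif kind == "login_succeeded":
            wins[key].append((when, who))
    flagged = {}
    for key, hits in fails.items():
        hits.sort(key=lambda h: h[0])
        start = 0
        for end, (when, _) in enumerate(hits):
            while when - hits[start][0] > window:
                start += 1  # slide the window start forward
            if end - start + 1 >= threshold:
                first = hits[start][0]
                flagged[key] = {
                    "failed": sorted({w for _, w in hits[start:end + 1]}),
                    "then_succeeded": sorted({w for t, w in wins[key] if t >= first}),
                }
                break
    return flagged
```

Grouping by tenant ID as well as IP address keeps activity in one tenant from raising alerts in another when several tenants share an address.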
Event types that can be audited
In Security Event Configuration, there are 3 types of events you can audit: Authentication events, Data access events, and Security administration events. Specific information about these events is available below.
To access the Security Event Configuration, in the header of Dev Studio, click.
Authorization events assist developers by tracking:
- Successful and failed login attempts
- Password changes
- Session terminations
- Changes to operator records
The table below describes the Authorization events on the Security Event Configuration tab.
Successful and failed login
Changes to operator records
Data access events
Data access events assist developers by tracking:
- Successful attempts to open cases
- Attempts to open cases if the attempt fails because of security policies
- SQL queries to the database
- Changes to report filters
- Full-text searches
The table below describes the Data access events on the Security Event Configuration tab.
Data access event
Every open of a work- class object on the clipboard that succeeds
Every SQL query that executed
Changes to report definition
Every open of a work- class object on the clipboard that fails due to security
Every report definition that
Every malformed request received from
Security administration events
Security administration events assist developers by tracking:
- Changes to security authentication policies
- Changes to attribute-based access control (ABAC) policies and policy conditions
- Changes to role-based access control (RBAC), including changes to Rule-Access-Role-Obj (RARO) rules
- Changes to dynamic system settings
- Changes to content security policies (CSP)
- Changes to access groups
- Changes to work queues
- Invocations of Access Manager
The table below describes the Security administration events on the Security Event Configuration tab.
Security administration event
Every invocation of access
Every BIX form changes and
Every change to ABAC security
Every change to CBAC security
Every change to dynamic system
Every change to content security policy
Every change to security authentication
Every change to security event
Every change to RBAC security policies (including RADO and RARO)
Every change to access group
Every change to workbasket role
Every request to Disable/Enable
Every request to add/update/removal of
OAuth 2.0 events
OAuth 2.0 events assist developers by tracking:
- Token requests
- Token revocations
- Invalid tokens
- API requests
- Client rule form changes
- Dynamic client registration
The table below describes the OAuth 2.0 events on the Security Event Configuration tab.
| OAuth 2.0 events | Default setting |
|---|---|
| Invalid token requests | Selected |
| API requests with invalid client credentials | Selected |
| Token revocation from Rest API | Selected |
| Regeneration of client secret from rule form | Selected |
| Token revocation from rule form | Selected |
| Delete client instance from rule form | Selected |
| Dynamic client registration | Selected |
| Resource API invocation using invalid access token | Selected |
You can define your own custom security events that you want to log, and you can toggle custom events ON and OFF.
For more information, see Tracking and auditing actions by developers and users.