Vault Audit Action Codes
The following table lists the action codes available in the User and Safe Activities (LogList) report that can be exported to a SIEM solution using Syslog protocol.
|
Alerts indicate that an unauthorized operation was performed, such as performing a task without permission, authentication failure, etc. |
Recommended Action Codes for Monitoring
The Vault has a large number of action codes that can be used to monitor different behaviors. For general monitoring, we recommend monitoring the action codes listed in the table below.
| Code | Action |
|---|---|
| 4 | User Authentication |
| 22 | CPM Verify Password |
| 24 | CPM Change Password |
| 31 | CPM Reconcile Password |
| 38 | CPM Verify Password Failed |
| 57 | CPM Change Password Failed |
| 60 | CPM Reconcile Password Failed |
| 130 | CPM Disable Password |
| 295 | Retrieve Password succeeded |
| 300 | PSM Connect |
| 302 | PSM Disconnect |
| 308 | Use Password |
| 319 | Retrieve Password (from Provider) |
| 344 | Privileged Command Initiated |
| 346 | Privileged Command Completed |
| 359 | PSM SQL Command |
|
360 |
PSM SQL Command Failure |
| 361 | PSM Keystrokes |
|
362 |
PSM Keystrokes failure |
| 378 | PSM Secure Connect Session Start |
| 380 | PSM Secure Connect Session End |
| 411 | PSM Window Title |
|
412 |
PSM Windows Title Failure |
All Action Codes
|
Code |
Action |
Info1 |
Info2 |
Info3 |
File Cat. for Syslog |
Alert |
Ver. |
|---|---|---|---|---|---|---|---|
| 0 | Delete Directory Map |
Username (map name) |
ü |
||||
| 1 | Delete Directory Map |
Username (map name) |
|||||
| 2 | Add External User | Username | |||||
| 3 | Get LDAP configuration data |
ü |
|||||
| 4 | User Authentication | Network area |
ü |
||||
| 5 | Unauthorized Station | Network area |
ü |
||||
| 6 | External Audit |
ü |
|||||
| 7 | Logon | Network area | Network area | ||||
| 8 | Logoff | Network area | |||||
| 9 | External Audit |
ü |
|||||
| 10 | Update user station failed, not authorized | Username |
ü |
||||
| 11, 12 | Update Safe Share |
ü |
|||||
| 13, 14 | Safe Access through Gateway |
ü |
|||||
| 15 | Impersonation not by an agent |
ü |
|||||
| 16 | Update Your Trusted Network Areas | Username |
ü |
||||
| 17 | Add Safe |
ü |
|||||
| 18 | Non authorized impersonation | Username |
ü |
||||
| 19 | Full Gateway Connection | Username | |||||
| 20 | Partial Gateway Connection | Username | |||||
| 21 | Partial Gateway Connection | Username |
ü |
||||
| 22 | CPM Verify Password | Filename | Additional Info |
ü |
|||
| 23 | Action On Closed Safe | Filename |
ü |
||||
| 24 | CPM Change Password | Filename | Additional Info |
ü |
|||
| 25, 26 | Open/Close Safe |
ü |
|||||
| 27 | Open Safe (Unsecured Station) |
ü |
|||||
| 28, 29, 30 | Add/Update Owner | Username |
ü |
||||
| 31 | CPM Reconcile Password | Filename | Additional Info |
ü |
|||
| 32 | Add Owner | Username | |||||
| 33 | Update Owner | Username | |||||
| 34, 35 | Rename Safe |
ü |
|||||
| 36 | Confirm Open Safe | Username | |||||
| 37 | Confirm Get File | Filename | Username |
ü |
|||
| 38 | CPM Verify Password | Filename | Additional Info |
ü |
ü |
||
| 39 | Rename Safe | ||||||
| 40, 41 | List Files | Filename |
ü |
||||
| 42, 43 | Retrieve File | Filename |
ü |
ü |
|||
| 44, 45 | Store File | Filename |
ü |
||||
| 46, 47 | Delete File | Filename |
ü |
||||
| 48, 49 | Add Note |
ü |
|||||
| 50 | Store File | Filename |
|
Code |
Action |
Info1 |
Info2 |
Info3 |
File Cat. for Syslog |
Alert |
Ver. |
|---|---|---|---|---|---|---|---|
| 51 | Retrieve File succeeded | Filename |
ü |
||||
| 52 | Delete File | Filename | |||||
| 53, 54 | Get Notes | ||||||
| 55, 56 | Find Files | Filename |
ü |
||||
| 57 | CPM Change Password | Filename | Additional Info |
ü |
ü |
||
| 58 | Clear User History | ||||||
| 59 | Clear Safe History | ||||||
| 60 | CPM Reconcile Password | Filename | Additional Info |
ü |
ü |
||
| 61 | Update Trusted Network Areas | Network area | |||||
| 62 | Create File Version | Filename | |||||
| 63, 65 | Rename User | Username | Username |
ü |
|||
| 64, 66 | Rename User | Username | Username | ||||
| 67 | CPM Auto Detection Add Password | Filename | Additional Info |
ü |
|||
| 68 | Update Trusted User | Username | |||||
| 69 | Add Location | Location | |||||
| 70 | Add Location | Location |
ü |
||||
| 71 | Update Location | Location | |||||
| 72 | Update Location | Location |
ü |
||||
| 73 | Delete Location | Location | |||||
| 74 | Delete Location | Location |
ü |
||||
| 75 | Take Quota Ownership | ||||||
| 76, 77 | Take Quota Ownership |
ü |
|||||
| 78 | Rename/Move Location | Location | Location |
ü |
|||
| 79 | Rename/Move Location | Location | Location | ||||
| 80 | Add External Group |
Username (group) |
|||||
| 81 | Update Address | Network area | |||||
| 82 | Clear User History | Username |
ü |
||||
| 83 | Clear User History | Username | |||||
| 84 | CPM Auto Detection Update Password | Filename | Additional Info |
ü |
|||
| 85 | Update Network Area | Network area |
ü |
||||
| 86 | Update Network Area | Network area | |||||
| 87 | Update Address | Network area |
ü |
||||
| 88 | Set Password | ||||||
| 89 | Set Password |
ü |
|||||
| 90 | Rename Network Area | Network area |
ü |
||||
| 91 | Rename Network Area | Network area | |||||
| 92 | Move Network Area | Network area |
ü |
||||
| 93 | Move Network Area | Network area | |||||
| 94 | Backup Safe | ||||||
| 95 | Restore Safe | ||||||
| 96, 97 | Backup Safe |
ü |
|||||
| 98 | Open File (Write Only) | Filename | |||||
| 99 | Open File | Filename | |||||
| 100, 101 | Open File | Filename |
ü |
|
Code |
Action |
Info1 |
Info2 |
Info3 |
File Cat. for Syslog |
Alert |
Ver. |
|---|---|---|---|---|---|---|---|
| 102 | User Time Limit Restriction | Network area |
ü |
||||
| 103 | User Has Expired | Network area |
ü |
||||
| 104 | User Is Disabled | Network area |
ü |
||||
| 105 | Add File Category | Filename | Category | ||||
| 106 | Update File Category | Filename | Category | ||||
| 107 | Delete File Category | Filename | Category | ||||
| 108 | Open Safe Request | ||||||
| 109 | Get File Request | Filename |
ü |
||||
| 110 | Add Safe (More Secured Than Station) |
ü |
|||||
| 111 | Delete Open Safe Request | Username | |||||
| 112 | Delete Get File Request | Filename | Username | ||||
| 113 | Cannot use station because time limits | Network area |
ü |
||||
| 114 | Last Required Confirmation To Open Safe Given | Username | |||||
| 115 | Last Required Confirmation To Get File Given | Filename | Username | ||||
| 116, 117 | Confirmation Status |
ü |
|||||
| 118 | Reject Open Safe Request | Username | |||||
| 119 | Reject Get File Request | Filename | Username |
ü |
|||
| 120 | Add automatic location | Location | |||||
| 121 | Move File | Filename | |||||
| 122 | Undelete File | Filename | |||||
| 123 | Move File (Cont.) | Filename | |||||
| 124 | Rename File | Filename | |||||
| 125 | Rename File (Cont.) | Filename | |||||
| 126 | Unlock File | Filename | |||||
| 127 | Hide Open Safe Request | Username | |||||
| 128 | Hide Get File Request | Filename | Username | ||||
| 129 | CPM Auto Detection Archive Password | Filename | Additional Info |
ü |
|||
| 130 | CPM Disable Password | Filename | Additional Info |
ü |
ü |
||
| 131 | Update Safe (More Secured Than Station) |
ü |
|||||
| 132, 133 | Add Safe Event |
ü |
|||||
| 134, 135 | Get Safe Events List |
ü |
|||||
| 136 | CPM Release Password | Filename | Additional Info |
ü |
|||
| 137 | CPM Release Password Failed | Filename | Additional Info |
ü |
ü |
||
| 138 | Rename Folder |
Filename (folder) |
|||||
| 139 | Move Folder |
Filename (folder) |
|||||
| 140 | Rename Folder (Cont.) |
Filename (folder) |
|||||
| 141 | Move Folder (Cont.) |
Filename (folder) |
|||||
| 142 | Delete Safe |
ü |
|||||
| 143 | Store Picture | Username | |||||
| 144 | Delete Picture | Username | |||||
| 145 | Delete Safe |
ü |
|||||
| 146, 147 | Update Safe |
ü |
|||||
| 148, 149 | Delete Safe |
ü |
|||||
| 150 | Restore Safe |
ü |
|
Code |
Action |
Info1 |
Info2 |
Info3 |
File Cat. for Syslog |
Alert |
Ver. |
|---|---|---|---|---|---|---|---|
|
151 |
Add Folder |
|
|
|
|
|
|
| 152, 153 | Add Folder |
ü |
|||||
| 154, 155 | Delete Folder |
ü |
|||||
| 156 | Backup Safe | Network area |
ü |
||||
| 157 | Get License Information |
ü |
|||||
| 158, 159 | Move/Rename Folder |
ü |
|||||
| 160, 161 | Move File | Filename |
ü |
||||
| 162, 163 | Undelete File | Filename |
ü |
||||
| 164, 165 | Rename File | Filename |
ü |
||||
| 166, 167 | Unlock File | Filename |
ü |
||||
| 168, 169 | Clear Expired History |
ü |
|||||
| 170 | Delete Safe (Has Unexpired Files) |
ü |
|||||
| 171 | Update Picture | Username |
ü |
||||
| 172 | Update Your Picture | Username |
ü |
||||
| 173 | Add User |
ü |
|||||
| 174 | Update User | Username |
ü |
||||
| 175 | Update Your User | Username |
ü |
||||
| 176 | Delete User | Username |
ü |
||||
| 177 | Delete Your User | Username |
ü |
||||
| 178 | Get User's Details | Username |
ü |
||||
| 179 | Get Your User's Details | Username |
ü |
||||
| 180 | Add User | Username | |||||
| 181 | Update Safe | ||||||
| 182 | Update User | Username | |||||
| 183 | Delete Safe | ||||||
| 184 | Delete User | Username | |||||
| 185 | Add Safe | ||||||
| 186 | Get UserDetails By Identifier |
ü |
|||||
| 187 | Add Folder |
Filename (folder) |
|||||
| 188 | Delete Folder |
Filename (folder) |
|||||
| 189 | Delete Folder (Has Unexpired Files) |
Filename (folder) |
ü |
||||
| 190 | Lock As Draft | Filename | |||||
| 191 | Lock As Draft | Filename |
ü |
||||
| 192 | Unlock Draft | Filename | |||||
| 193 | Unlock Draft | Filename |
ü |
||||
| 194 | Backup Safe | ||||||
| 195 | Object content validated | Filename | |||||
| 196, 197 | Update Owners |
ü |
|||||
| 198 | Delete Folder (Has Locked Files) |
Filename (folder) |
ü |
||||
| 199 | Object content invalidated | Filename | |||||
| 200, 201 | Monitoring old backup files |
|
Code |
Action |
Info1 |
Info2 |
Info3 |
File Cat. for Syslog |
Alert |
Ver. |
|---|---|---|---|---|---|---|---|
| 202, 203 | Deleting old backup files | ||||||
| 204 | Retrieve File (Wrong Key) | Filename |
ü |
||||
| 205 | Store File (Wrong Key) | Filename |
ü |
||||
| 206 | External Object Operation | Username |
ü |
||||
| 207, 208 | Compress Safe |
ü |
|||||
| 209 | Compress Safe | ||||||
| 211 | Update User Detailed Information | Additional Info | |||||
| 214 | Add Directory Map LDAP Branch |
Username (map name) |
ü |
||||
| 215 | Update Directory Map LDAP Branch |
Username (map name) |
ü |
||||
| 216 | Delete Directory Map LDAP Branch |
Username (map name) |
ü |
||||
| 217 | Add Directory Map LDAP Branch |
Username (map name) |
|||||
| 218 | Update Directory Map LDAP Branch |
Username (map name) |
|||||
| 219 | Delete Directory Map LDAP Branch |
Username (map name) |
|||||
|
220 |
Protect Local Folder |
|
|
|
|
|
|
| 221 | Ownership Expired |
ü |
|||||
| 222 | List Directory Map LDAP Branches |
Username (map name) |
ü |
||||
|
223 |
Unprotect Local Folder |
|
|
|
|
|
|
| 224 | Load metadata to backup | ||||||
| 229 | Object content status pending | Filename | |||||
| 236 | Metadata backup file fetched | ||||||
| 237, 238 | Rules List |
ü |
|||||
| 239 | Update Directory Map Detailed Information | Additional Info | |||||
| 240 | Release Gw Locks | ||||||
| 241 | Prepare Backup Metadata |
|
|||||
| 243 | Update user safe options failed |
ü |
|
||||
| 244 | Update user safe options failed |
ü |
|
||||
| 246 | LDAP Synchronization start |
|
|||||
|
247 |
LDAP Synchronization end |
|
|
|
|
|
|
| 248, 249 | Add Rule | Filename |
ü |
|
|||
| 250 | Restore metadata | Network area |
ü |
|
|
Code |
Action |
Info1 |
Info2 |
Info3 |
File Cat. for Syslog |
Alert |
Ver. |
|---|---|---|---|---|---|---|---|
| 251 | Restore metadata | Network area | |||||
| 252 | Update Directory Map |
Username (map name) |
|||||
| 253 | Update Directory Map |
Username (map name) |
ü |
||||
| 254 | Add Directory Map |
Username (map name) |
|||||
| 255 | Add Directory Map |
Username (map name) |
ü |
||||
| 256 | Update External User | Username | |||||
| 257 | Update External Group |
Username (group) |
|||||
| 259 | Add/Update Group |
Username (group) |
|||||
| 260 | Add/Update Group |
Username (group) |
ü |
||||
| 261 | Add Group Member |
Username (group) |
ü |
||||
| 262 | Delete Group Member |
Username (group) |
ü |
||||
| 263 | Update Group |
Username (group) |
ü |
||||
| 264 | Update Group |
Username (group) |
|||||
| 265 | Add Group Member |
Username (group) |
Username | ||||
| 266 | Remove Group Member |
Username (group) |
Username | ||||
| 269 | Delete Group |
Username (group) |
ü |
||||
| 270 | Delete Group |
Username (group) |
|||||
| 271 | List Group Members |
Username (group) |
ü |
||||
| 272 | Delete Folder |
Filename (folder) |
ü |
||||
| 273 | Remove Owner | Username | |||||
| 276 | Delete External User | Username | |||||
| 277 | Delete External Group |
Username (group) |
|||||
| 278 | Add Rule | Filename | Username | ||||
| 279 | Delete Rule | Filename | Username | ||||
| 280, 281 | Delete Rule | Filename |
ü |
||||
|
282 |
Read email key |
|
|
|
|
|
|
|
283 |
Delete email key |
|
|
|
|
|
|
| 284 | Unauthorized Firewall Network Areas refresh |
ü |
|||||
| 285 | Firewall Network Areas refresh | ||||||
| 286 | Add Group Member - Sync From Ldap |
Username (group) |
|||||
| 287 | Delete Group Member - Sync From Ldap |
Username (group) |
|||||
| 288 | Auto Clear Users History start | ||||||
| 289 | Auto Clear Users History end | ||||||
| 290 | Auto Clear Safes History start | ||||||
| 291 | Auto Clear Safes History end | ||||||
| 292 | Auto Download Certificate Revocation List Data start | ||||||
| 293 | Auto Download Certificate Revocation List Data end | ||||||
| 294 | Store password | Filename |
ü |
||||
| 295 | Retrieve password | Filename |
ü |
||||
| 296 | Open Safe | ||||||
| 297, 298 | Rules List | Filename |
ü |
||||
| 300 | PSM Connect | Filename | Additional Info |
ü |
|
Code |
Action |
Info1 |
Info2 |
Info3 |
File Cat. for Syslog |
Alert |
Ver. |
|---|---|---|---|---|---|---|---|
| 301 | PSM Connect Failed | Filename | Additional Info |
ü |
ü |
||
| 302 | PSM Disconnect | Filename | Additional Info |
ü |
|||
| 303 | PSM Disconnect Failed | Filename | Additional Info |
ü |
ü |
||
| 304 | PSM Upload Recording | Filename | Additional Info |
ü |
|||
| 305 | Run Report | ||||||
| 306, 307 | Use Password | Filename |
ü |
ü |
|||
| 308 | Use Password | Filename |
ü |
||||
| 309 | Undefined User Logon | Report Name |
ü |
||||
| 310 | Monitor DR Replication start | V5.50 | |||||
| 311 | Monitor DR Replication end | V5.50 | |||||
| 312 | Monitor Backup Replication start | V5.50 | |||||
| 313 | Monitor Backup Replication end | V5.50 | |||||
| 314 | Reset Password User | Username |
ü |
V5.50 | |||
| 315 | Reset Password Your User | Username |
ü |
V5.50 | |||
| 316 | Reset User Password Detailed Information | Username | Additional Info | V5.50 | |||
| 317 | Reset User Password | Username | V5.50 | ||||
| 318 | Activate/Deactivate Trusted Network Areas | Username | V5.50 | ||||
| 319 | Retrieve password (From Provider) | Filename |
ü |
V5.50 | |||
| 320 | Retrieve password (From Provider) | Filename |
ü |
ü |
V5.50 | ||
| 321 | Add Report Definition | V6.00 | |||||
| 322 | Edit Report Definition | V6.00 | |||||
| 323 | Delete Report Definition | V6.00 | |||||
| 324 | Hide Report | V6.00 | |||||
| 325 | Send Report | V6.00 | |||||
| 326 | CPM Auto Detection Start Automatic Detection | V6.00 | |||||
| 327 | CPM Auto Detection End Automatic Detection | V6.00 | |||||
| 328 | CPM Auto Detection Add Usage | Filename | Additional Info |
ü |
V6.00 | ||
| 329 | CPM Auto Detection Update Usage | Filename | Additional Info |
ü |
V6.00 | ||
| 330 | CPM Auto Detection Delete Usage | Filename | Additional Info |
ü |
V6.00 | ||
| 331 | Add User By Template | Username | V6.00 | ||||
| 333 | Add Privileged Command failed | Filename | Username |
ü |
V6.00 | ||
| 334 | Add Privileged Command succeeded | Filename | Username | Resource | V6.00 | ||
| 336 | Delete Privileged Command failed | Filename | Username |
ü |
V6.00 | ||
| 337 | Delete Privileged Command succeeded | Filename | Username | Resource | V6.00 | ||
|
338 |
Add Privileged Command failed |
Platform Name |
Username |
|
|
ü |
V6.00 |
| 339 | Add Privileged Command | Platform Name | Username |
ü |
V6.00 | ||
| 340 | Add Privileged Comman succeeded | Platform Name | Username | Resource | V6.00 | ||
| 342 | Delete Privileged Command | Platform Name | Username |
ü |
V6.00 | ||
| 343 | Delete Privileged Command succeeded | Platform Name | Username | Resource | V6.00 | ||
| 344 S | Privileged command initiated | Filename | Additional Info |
ü |
V6.00 | ||
| 345 S | Privileged command initiation failed | Filename | Additional Info |
ü |
ü |
V6.00 | |
| 346 S | Privileged command completed | Filename | Additional Info |
ü |
V6.00 | ||
| 347 S | OPM failed to execute privileged command | Filename | Additional Info |
ü |
ü |
V6.00 | |
| 348 S | PIMSu recording uploaded | Filename | Additional Info |
ü |
V6.00 | ||
| 349, 350 | Update Privileged Command | Filename | Username |
ü |
V6.00 |
|
Code |
Action |
Info1 |
Info2 |
Info3 |
File Cat. for Syslog |
Alert |
Ver. |
|---|---|---|---|---|---|---|---|
| 351 | Update Privileged Command | Platform Name | Username | Resource | V6.00 | ||
| 352, 353 | Update Privileged Command | Platform Name | Username |
ü |
V6.00 | ||
| 354 | Update Privileged Command | Platform Name | Username | Resource | V6.00 | ||
| 355 | Monitor License Expiration Date start | Username | V6.00 | ||||
| 356 | Monitor License Expiration Date end | Username | V6.00 | ||||
| 357 | Monitor FW rules start | Username | V6.00 | ||||
| 358 | Monitor FW Rules end | Username | V6.00 | ||||
| 359 | SQL command | Username | Safe | File |
ü |
V7.00 | |
| 360 | SQL Command audit failed | Username | Account Safe | Account Object |
ü |
ü |
V7.10 |
| 361 | SSH Command | Username | Safe | File |
ü |
V7.00 | |
| 362 | Keystroke logging audit failed | Username | Account Safe | Account Object |
ü |
ü |
V7.10 |
| 363 | Ownership not yet active | Username | Safe |
ü |
V7.00 | ||
| 364 | LDAP Configuration Refresh success | Username | V7.00 | ||||
| 365 | LDAP Configuration Refresh failed | Username |
ü |
V7.00 | |||
| 366 | Object content validated failed | Username | Safename | File name |
ü |
V6.00 | |
| 367 | Update Email Notifications Configuration | Username | V7.00 | ||||
| 368 | Forget My Password Requested | Username | Username | Note | V6.00 | ||
| 369 | Forget My Password Requested | Username | Username | Note |
ü |
V6.00 | |
| 370 | Forget My Password Completed | Username | Username | Note | V6.00 | ||
| 371 | Forget My Password Completed | Username | Username | Note |
ü |
V6.00 | |
| 372 | Terminate Session | Username | Recordings Safe | Target Session File |
ü |
V7.10 | |
| 373 | Terminate Session Failed | Username | Recordings Safe | Target Session File |
ü |
ü |
V7.10 |
| 374 | Monitor Session Start | Username | Recordings Safe | Target Session File |
ü |
V7.10 | |
| 375 | Monitor Session Start Failed | Username | Recordings Safe | Target Session File |
ü |
ü |
V7.10 |
| 376 | Monitor Session End | Username | Recordings Safe | Target Session File |
ü |
V7.10 | |
| 377 | Monitor Session End Failed | Username | Recordings Safe | Target Session File |
ü |
ü |
V7.10 |
| 378 | PSM Secure Connect Session Start | Username | PSM Internal Accounts Safe | Secure Connect Internal Account Object name |
ü |
V7.10 | |
| 379 | PSM Secure Connect Session Start Failed | Username | PSM Internal Accounts Safe | Secure Connect Internal Account Object name |
ü |
ü |
V7.10 |
| 380 | PSM Secure Connect Session End | Username | PSM Internal Accounts Safe | Secure Connect Internal Account Object name |
ü |
V7.10 | |
| 381 | PSM Secure Connect Session End Failed | Username | PSM Internal Accounts Safe | Secure Connect Internal Account Object name |
ü |
ü |
V7.10 |
| 382 | Add App Authentication | Username | Target Application ID | [auth type] auth value | V7.1.7 | ||
| 383 | Delete App Authentication | Username | Target Application ID | [auth type] auth value | V7.1.7 | ||
| 384 | Avector Integration Audit | ||||||
|
385 |
Changes were made successfully to the Master Policy |
Action |
|
|
|
|
V9.6 |
| 386 | Changes to the Master Policy failed | Action |
ü |
V9.6 | |||
| 387 | Process has started with admin rights added to token | Filename | Additional Info |
ü |
V7.2.10 | ||
| 388 | Process has been started from the shell context menu with admin rights added to token | Filename | Additional Info |
ü |
V7.2.10 | ||
| 389 | Process has started with admin rights added to token, which were inherited from its parent. | Filename | Additional Info |
ü |
V7.2.10 | ||
| 390 | Process has started with admin rights dropped from token. | Filename | Additional Info |
ü |
V7.2.10 | ||
| 391 | Process has been started from the shell context menu with admin rights dropped from token. | Filename | Additional Info |
ü |
V7.2.10 | ||
| 392 | Process has started with admin rights dropped from token, which were inherited from its parent. | Filename | Additional Info |
ü |
V7.2.10 | ||
| 393 | Process has started with no change to the access token (passive mode). | Filename | Additional Info |
ü |
V7.2.10 | ||
| 394 | Process started from shell context menu with no change to the access token (passive mode). | Filename | Additional Info |
ü |
V7.2.10 | ||
| 395 | Process started with no change to the access token inherited from parent (passive mode). | Filename | Additional Info |
ü |
V7.2.10 | ||
| 396 | Process has started with user’s default rights enforced. | Filename | Additional Info |
ü |
V7.2.10 | ||
| 397 | Process has started from the shell context menu with user’s default rights enforced. | Filename | Additional Info |
ü |
V7.2.10 | ||
| 398 | Process has started with user’s default rights enforced, which were inherited from its parent. | Filename | Additional Info |
ü |
V7.2.10 | ||
| 399 | Process requires elevated rights to run. | Filename | Additional Info |
ü |
ü |
V7.2.10 | |
| 400 | Process has started with custom token applied. | Filename | Additional Info |
ü |
V7.2.10 |
|
Code |
Action |
Info1 |
Info2 |
Info3 |
File Cat. for Syslog |
Alert |
Ver. |
|---|---|---|---|---|---|---|---|
| 401 | Process has started from the shell context menu with user’s custom token applied. | Filename | Additional Info |
ü |
V7.2.10 | ||
| 402 | Process has started with custom token applied, which was inherited from its parent. | Filename | Additional Info |
ü |
V7.2.10 | ||
| 403 | Process execution was blocked. | Filename | Additional Info |
ü |
ü |
V7.2.10 | |
| 404 | Process has stopped (deprecated). | Filename | Additional Info |
ü |
ü |
V7.2.10 | |
| 405 | Process started in the context of the authorizing user. | Filename | Additional Info |
ü |
V7.2.10 | ||
| 406 | Process started from the shell menu in the context of the authorizing user. | Filename | Additional Info |
ü |
V7.2.10 | ||
| 407 | Process execution was cancelled by the user. | Filename | Additional Info |
ü |
V7.2.10 | ||
| 408 | Privileged group modification blocked. | Filename | Additional Info |
ü |
ü |
V7.2.10 | |
| 409 | Process execution was blocked, the maximum number of challenge/response failures was exceeded. | Filename | Additional Info |
ü |
ü |
V7.2.10 | |
| 410 | Unknown elevation-related operation performed on process. | Filename | Additional Info |
ü |
V7.2.10 | ||
| 411 | PSM Window Titles | V7.2.10 | |||||
| 412 | Keystroke logging | Filename | Additional Info |
ü |
V8.6 | ||
| 413 | Keystroke logging failed | Filename | Additional Info |
ü |
ü |
V8.6 | |
|
414 |
CPM Verify SSH Key |
|
|
|
|
|
|
|
415 |
CPM Verify SSH Key Failed |
|
|
|
|
|
|
|
416 |
CPM Rotate SSH Key |
|
|
|
|
|
|
|
417 |
CPM Rotate SSH Key Failed |
|
|
|
|
|
|
|
418 |
CPM Reconcile SSH Key |
|
|
|
|
|
|
|
419 |
CPM Reconcile SSH Key Failed |
|
|
|
|
|
|
|
420 |
CPM Release SSH Key |
|
|
|
|
|
|
|
421 |
CPM Release SSH Key Failed |
|
|
|
|
|
|
|
422 |
User creation success |
|
|
|
|
|
|
|
423 |
User creation failed |
|
|
|
|
|
|
|
424 |
User group assignment |
|
|
|
|
|
|
|
425 |
User group assignment failed |
|
|
|
|
|
|
|
426 |
CPM Disable SSH Key |
|
|
|
|
|
|
|
427 |
Store SSH Key |
|
|
|
|
|
|
|
428 |
Retrieve SSH Key |
|
|
|
|
|
|
|
429 |
User Deletion Success |
|
|
|
|
|
|
|
430 |
User Deletion Failed |
|
|
|
|
|
|
|
431 |
User De-Provision Failed |
|
|
|
|
|
|
|
432 |
UID Change Success |
|
|
|
|
|
|
|
433 |
UID Change Failed |
|
|
|
|
|
|
|
434 |
CPM has deleted the public SSH key |
|
|
|
|
|
|
|
435 |
CPM failed to delete the SSH key |
|
|
|
|
|
|
| 436 | SCP Command | Username | File |
ü |
|
V7.2.17 | |
|
440 |
Get SSH Public Keys Failed |
Username |
Username |
|
|
ü |
V9.6 |
|
441 |
Add SSH Public Keys Succeeded |
Username |
Username |
|
|
|
V9.6 |
|
442 |
Add SSH Public Keys Failed |
Username |
Username |
|
|
ü |
V9.6 |
|
443 |
Delete SSH Public Keys Succeeded |
Username |
Username |
|
|
|
V9.6 |
|
444 |
Delete SSH Public Keys Failed |
Username |
Username |
|
|
ü |
V9.6 |
|
Code |
Action |
Info1 |
Info2 |
Info3 |
File Cat. for Syslog |
Alert |
Ver. |
|---|---|---|---|---|---|---|---|
|
460 |
Privileged Threat Analytics event for managed account |
Filename |
Anomaly name triggered in PTA |
Full PTA event details |
|
|
9.10 (external) / 9.99 (Internal) |
|
461 |
Privileged Threat Analytics event for Vault user |
|
|
Full PTA event details |
|
|
9.10 (external) / 9.99 (Internal) |
|
462 |
Password sent to endpoint |
|
|
|
|
|
10.2 |
|
463 |
Agent successfully changed the password for account |
|
|
|
|
|
10.2 |
|
464 |
Agent failed to change the password for account |
|
|
|
|
ü |
10.2 |
|
471 |
Grant Administrative Access Succeeded |
|
|
|
|
|
10.6 |
|
472 |
Grant Administrative Access Failed |
|
|
|
|
|
10.6 |
|
473 |
Remove Administrative Access Succeeded |
|
|
|
|
|
10.6 |
|
474 |
Remove Administrative Access Failed |
|
|
|
|
|
10.6 |
|
475 |
Security warning - Failed to rotate OpenID token keys
|
|
|
|
|
ü |
11.5 |
|
476 |
Security warning - Failed to rotate custom token keys
|
|
|
|
|
ü |
11.5 |
|
477 |
New DR or Satellite Vault registration succeeded
|
Username
|
Source Address
|
|
|
|
11.5 |
|
478 |
New DR or Satellite Vault registration failed
|
Username
|
Source Address
|
|
|
ü |
11.5 |
|
479 |
Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.
|
Vault Address |
|
|
|
ü |
11.5
|
