CME-1008

Application Admin Event Logging (SIEM Integration)

Description

Record every administrative action performed through the application management interface in a structured, tamper-evident audit log, and forward events in real time to a centralized SIEM for correlation and alerting. Each log entry captures the authenticated actor, the operation performed, the target resource, a before/after state diff, the source IP, and a timestamp. The SIEM ingests these events and evaluates them against detection rules tuned to the application threat model: for example, alerting when an identity provider mapper of type hardcoded-role-mapper is created targeting a high-privilege role, or when an OAuth client redirect URI is modified. This control is distinct from OS-level audit logging (auditd, Falco), which operates below the application and cannot interpret application-domain semantics such as role names, policy changes, or resource ownership. It prevents attackers from making undetected administrative changes by ensuring that every privileged operation is recorded with enough context for security analysts to distinguish legitimate administration from exploitation.
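The following is an added example, not part of this catalogue entry or of any specific product's code. It builds the audit log described above (actor, operation, target, before/after diff, source IP, timestamp) as a SHA-256 hash chain so that a later edit to any record is detectable, then runs the two detection rules named in the description over constructed sample events. The field names, the high-privilege role list and the sample values are assumptions chosen for the example.

```python
"""Added example for CME-1008: hash-chained admin audit log plus two SIEM-style
detection rules. Field names follow the entry's description; all event values
are constructed sample data, not real logs."""
import copy
import hashlib
import json
from typing import Optional

# Roles treated as high-privilege by rule 1 (assumed list for this example).
HIGH_PRIV_ROLES = {"admin", "realm-admin", "manage-users"}


def _canonical(entry: dict) -> str:
    # Stable serialisation so the chain hash does not depend on key order.
    return json.dumps(entry, sort_keys=True, separators=(",", ":"))


def append_entry(log: list, entry: dict) -> dict:
    """Append an entry, chaining it to the previous record by SHA-256.

    Each record stores prev_hash (hash of the prior record) and its own hash
    computed over everything except the hash field itself, so editing or
    removing any record invalidates every record after it."""
    prev_hash = log[-1]["hash"] if log else "0" * 64
    record = copy.deepcopy(entry)  # do not share nested dicts with the caller
    record["prev_hash"] = prev_hash
    record["hash"] = hashlib.sha256(_canonical(record).encode()).hexdigest()
    log.append(record)
    return record


def verify_chain(log: list) -> Optional[int]:
    """Return the index of the first broken record, or None if the chain is intact."""
    expected_prev = "0" * 64
    for i, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "hash"}
        if record["prev_hash"] != expected_prev:
            return i
        if hashlib.sha256(_canonical(body).encode()).hexdigest() != record["hash"]:
            return i
        expected_prev = record["hash"]
    return None


def evaluate(entry: dict) -> list:
    """Apply the two detection rules from the description; return alert names."""
    alerts = []
    before = entry.get("before") or {}
    after = entry.get("after") or {}
    # Rule 1: hardcoded-role mapper created on an identity provider, granting a high-privilege role.
    if (entry["operation"] == "CREATE"
            and entry["target"].get("type") == "identity-provider-mapper"
            and after.get("mapperType") == "hardcoded-role-mapper"
            and after.get("role") in HIGH_PRIV_ROLES):
        alerts.append("idp-hardcoded-role-mapper-high-priv")
    # Rule 2: an OAuth client's redirect URIs changed (additions and removals both count).
    if (entry["operation"] == "UPDATE"
            and entry["target"].get("type") == "client"
            and set(before.get("redirectUris", [])) != set(after.get("redirectUris", []))):
        alerts.append("oauth-client-redirect-uri-modified")
    return alerts


# Constructed sample events in the schema above (not real log data).
SAMPLE_EVENTS = [
    {"timestamp": "2024-01-01T10:00:00Z", "actor": "alice@example", "source_ip": "10.0.0.5",
     "operation": "UPDATE", "target": {"type": "user", "id": "u-42"},
     "before": {"enabled": False}, "after": {"enabled": True}},
    {"timestamp": "2024-01-01T10:05:00Z", "actor": "svc-deploy", "source_ip": "10.0.0.9",
     "operation": "CREATE", "target": {"type": "identity-provider-mapper", "id": "m-7"},
     "before": None, "after": {"mapperType": "hardcoded-role-mapper", "role": "realm-admin"}},
    {"timestamp": "2024-01-01T10:07:00Z", "actor": "bob@example", "source_ip": "203.0.113.4",
     "operation": "UPDATE", "target": {"type": "client", "id": "web-app"},
     "before": {"redirectUris": ["https://app.example/cb"]},
     "after": {"redirectUris": ["https://app.example/cb", "https://unknown.example/cb"]}},
]


def run_sample() -> dict:
    """Build the chained log from SAMPLE_EVENTS, run the rules, then show tampering is caught."""
    log, alerts = [], {}
    for i, event in enumerate(SAMPLE_EVENTS):
        append_entry(log, event)
        hits = evaluate(event)
        if hits:
            alerts[i] = hits
    intact = verify_chain(log)          # None: chain verifies as written
    log[1]["after"]["role"] = "viewer"  # simulate an after-the-fact edit hiding the mapper's role
    tampered_at = verify_chain(log)     # 1: record 1 no longer matches its stored hash
    return {"alerts": alerts, "intact": intact, "tampered_at": tampered_at}


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Rule 2 compares the before and after URI sets rather than only looking for additions, so a removal (for example, dropping a legitimate URI to break a competing client) is also surfaced. In a real deployment the hash chain would be anchored periodically (for instance by shipping the latest hash to the SIEM), since an attacker with write access to the whole log file could otherwise recompute the chain from the altered record onward.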

CVSS Vector Impacts

Metric                   Transition   Rationale
Attack Complexity (AC)   L -> H       Compensating control: administrative actions are logged with application-domain context and forwarded to a SIEM in real time; the attacker must evade application-level audit logging or accept near-immediate detection, significantly increasing attack complexity.

CWE Relationships

Verification

Verify that application admin event logging is enabled and events are forwarded to the SIEM. Perform a sensitive administrative action and confirm the event appears in the SIEM within the expected latency.

$ kcadm.sh get events/config -r master --fields eventsEnabled,adminEventsEnabled,adminEventsDetailsIncluded
# Expected: adminEventsEnabled: true, adminEventsDetailsIncluded: true
Platform: any