
1. Introduction

Corbado’s Security Log provides comprehensive event logging using the industry-standard OCSF (Open Cybersecurity Schema Framework). This standardized logging system captures authentication and identity management events in a vendor-agnostic format, making it ideal for SIEM integration, security monitoring, and threat detection.
Corbado also maintains a separate Audit Log with a custom format designed for compliance requirements. While some events appear in both logs, the Security Log uses the standardized OCSF schema for better interoperability with security tools.

1.1 Security Log vs. Audit Log

Corbado provides two separate logging systems that serve different purposes:

| Aspect | Security Log | Audit Log |
| --- | --- | --- |
| Format | OCSF 1.6.0 (standardized) | Custom format |
| Primary Purpose | SIEM integration, security monitoring | Compliance & regulatory requirements |
| Best For | Security teams, SOC analysts, threat detection | Auditors, compliance officers, regulatory audits |
| Event Coverage | IAM events using OCSF classes | Broader custom events for compliance needs |
| Interoperability | High (vendor-agnostic standard) | Custom (flexible for specific requirements) |

When to use Security Log:
  • Integrating with SIEM platforms (Splunk, Datadog, etc.)
  • Real-time security monitoring and alerting
  • Standardized security event analysis
  • Cross-platform security correlation
When to use Audit Log:
  • Meeting specific compliance framework requirements (ISO 27001, SOC 2, HIPAA)
  • Custom audit trail requirements
  • Regulatory reporting with specific data fields
  • Long-term compliance record keeping

1.2 Key Features

  • OCSF Standardized Format: Based on OCSF (Open Cybersecurity Schema Framework), a widely adopted, vendor-agnostic global standard for cybersecurity event logging and reporting
  • SIEM-Ready: Pre-formatted for seamless integration with major SIEM platforms without custom parsing
  • Complete IAM Event Coverage: Automatically captures authentication, authorization, and identity management events
  • Tamper-Proof Storage: All security logs are stored using Write-Once-Read-Many (WORM) technology, ensuring data integrity and preventing unauthorized modifications
  • Long-Term Retention: Security logs are retained for up to 10 years, depending on your requirements
  • Real-Time Streaming: Stream security log events to external systems like SIEM platforms for real-time monitoring and analysis
Corbado Connect implements version 1.6.0 of the OCSF schema specification.

2. Event Types

Corbado captures security log events from different operational areas to provide comprehensive visibility into the authentication infrastructure. The security log covers the following event types (called classes in OCSF):
  • Account Change (3001): Captures user account management activities such as account creation, modification, deletion, password changes, status changes (enabled, disabled, locked, unlocked), and multi-factor authentication configuration updates (see schema)
  • Authentication (3002): Records authentication session activities including login and logout attempts (both successful and failed), authentication ticket requests, and other key authentication process stages. These events include details about the user, authentication method, and attempt status (see schema)
  • Entity Management (3004): Tracks activities performed by managed clients, microservices, or users at management consoles. Covers create, read, update, and delete operations on managed entities, as well as enrollment, status changes, and lifecycle management actions (see schema)
  • User Access Management (3005): Documents changes to user privileges, including the assignment and revocation of permissions that control access to specific resources (see schema)
  • Group Management (3006): Logs group-related operations including privilege assignments, user membership changes (additions and removals), subgroup management, and group lifecycle events such as creation and deletion (see schema)
  • API Activity (6003): Records general API operations following the CRUD pattern (Create, Read, Update, Delete), capturing API calls made across the infrastructure with details about the request, response, and affected resources (see schema)
Each event is accompanied by detailed metadata, including timestamps, user identifiers, and contextual information, which ensures comprehensive traceability. The following example illustrates an Authentication (3002) event:
{
  "activity_id": 1,
  "activity_name": "Logon",
  "category_uid": 3,
  "category_name": "Identity & Access Management",
  "class_uid": 3002,
  "class_name": "Authentication",
  "metadata": {
    "uid": "1760617679583335734",
    "event_code": "passkey-login.completed",
    "version": "1.6.0",
    "product": {
      "name": "Corbado Security Log",
      "vendor_name": "Corbado"
    },
    "profiles": [
      "datetime",
      "host"
    ]
  },
  "severity_id": 1,
  "severity": "Informational",
  "time": 1760617679583,
  "time_dt": "2025-10-16T12:27:59Z",
  "type_uid": 300201,
  "actor": {
    "user": {
      "type_id": 1,
      "type": "User",
      "uid": "usr-2432600134296050303",
      "has_mfa": true
    }
  },
  "user": {
    "type_id": 1,
    "type": "User",
    "uid": "usr-2432600134296050303",
    "has_mfa": true
  },
  "device": {
    "type_id": 8,
    "type": "browser",
    "name": "Chrome 141.0.0",
    "ip": "84.161.151.216",
    "os": {
      "type_id": 300,
      "type": "macOS",
      "name": "macOS 14.8.1"
    },
    "location": {
      "country": "Germany",
      "city": "Munich"
    }
  },
  "src_endpoint": {
    "ip": "84.161.151.216",
    "os": {
      "type_id": 300,
      "type": "macOS",
      "name": "macOS 14.8.1"
    },
    "location": {
      "country": "Germany",
      "city": "Munich"
    }
  },
  "auth_protocol_id": 99,
  "auth_protocol": "WebAuthn",
  "auth_factors": [
    {
      "factor_type_id": 10,
      "factor_type": "WebAuthn",
      "provider": "Corbado"
    }
  ],
  "is_mfa": true,
  "timezone_offset": 0,
  "service": {
    "name": "Backend API"
  },
  "http_request": {
    "uid": "req-1235123340092569853",
    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36"
  },
  "observables": [
    {
      "type_id": 2,
      "type": "IP Address",
      "name": "src_endpoint.ip",
      "value": "84.161.151.216"
    },
    {
      "type_id": 16,
      "type": "HTTP User-Agent",
      "name": "http_request.user_agent",
      "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36"
    },
    {
      "type_id": 31,
      "type": "User Object: uid",
      "name": "actor.user.uid",
      "value": "usr-2432600134296050303"
    }
  ],
  "unmapped": {
    "project_id": "pro-1",
    "webauthn_ceremony": {
      "type": "webauthn.get",
      "origin": "https://app.corbado.com",
      "challenge": "mSXyjmkc3YtQpKFo9TDvd0ZCyiYfVVBTD1qv_TBUIh4",
      "signature": "MEQCID4SaaJt79loDgxultgsKarc4IkPcGFpq_thpzEngShDAiBRF1s2ZKhF7p6iscEdkD6JKXvp8x8ej27nYcZ54MyGqw",
      "user_present": true,
      "user_verified": false,
      "backup_eligible": true,
      "backup_status": true,
      "attested_data": false,
      "extension_data": false
    },
    "credentials": [
      {
        "uid": "cre-712296467142127448",
        "public_key": "pQECAyYgASFYIOCpQwp-ojzrvoBftTvvSjNY3c1adsQE-7NrWwpAwGV1Ilgg-ggHwROg9qzUPpTASW-alryfPApBicZUf0MDLozXCXI",
        "public_key_details": {
          "algorithm": "ES256",
          "key_type": "EC2",
          "ec2": {
            "curve": "P-256",
            "x": "4KlDCn6iPOu-gF-1O-9KM1jdzVp2xAT7s2tbCkDAZXU",
            "y": "-ggHwROg9qzUPpTASW-alryfPApBicZUf0MDLozXCXI"
          }
        },
        "used": true,
        "created_time": 1754555286000,
        "last_used_time": 1760617679000,
        "age_days": 70,
        "authenticator_aaguid": "fbfc3007-154e-4ecc-8c0b-6e020557d7bd",
        "authenticator_attachment": "platform",
        "authenticator_transport": "hybrid, internal"
      }
    ]
  },
  "status_id": 1,
  "status": "Success"
}
Authentication events are logged for all user interactions across your entire authentication infrastructure. This includes both end-users of your application using Corbado Connect and administrative users accessing the Corbado Management Console. All authentication attempts, whether successful or failed, are captured with full context to ensure complete security coverage and support investigations.
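The following is an added example, not code from Corbado: a small consumer-side triage of Authentication (3002) events that checks the OCSF `type_uid` derivation, flags failed attempts, flags logins reported as MFA whose WebAuthn ceremony has `user_verified` set to false (as in the sample event above), and counts failures per source IP. The function names, the `threshold` parameter and the decision to treat an unverified passkey assertion as a finding are assumptions; the sample events are constructed and trimmed to the fields the rules read.

```python
from collections import Counter

AUTHENTICATION = 3002
STATUS_SUCCESS = 1  # OCSF status_id: 1 = Success, 2 = Failure


def triage(event):
    """Return a list of finding strings for one OCSF event dict."""
    findings = []
    # OCSF derives type_uid as class_uid * 100 + activity_id (3002, 1 -> 300201).
    if event.get("type_uid") != event.get("class_uid", 0) * 100 + event.get("activity_id", 0):
        findings.append("type_uid inconsistent with class_uid/activity_id")
    if event.get("class_uid") != AUTHENTICATION:
        return findings
    if event.get("status_id") != STATUS_SUCCESS:
        findings.append("failed authentication")
    # Vendor fields under "unmapped" follow the sample event on this page.
    ceremony = event.get("unmapped", {}).get("webauthn_ceremony", {})
    if event.get("is_mfa") and ceremony.get("user_verified") is False:
        findings.append("is_mfa set but WebAuthn user_verified is false")
    return findings


def failures_by_ip(events, threshold=2):
    """Source IPs with at least `threshold` failed Authentication events."""
    counts = Counter(
        e.get("src_endpoint", {}).get("ip")
        for e in events
        if e.get("class_uid") == AUTHENTICATION and e.get("status_id") != STATUS_SUCCESS
    )
    return {ip: n for ip, n in counts.items() if ip and n >= threshold}


def make_event(status_id, ip, user_verified=True, type_uid=300201):
    """Build a constructed event holding only the fields the rules read."""
    return {"class_uid": 3002, "activity_id": 1, "type_uid": type_uid,
            "status_id": status_id, "is_mfa": True, "src_endpoint": {"ip": ip},
            "unmapped": {"webauthn_ceremony": {"user_verified": user_verified}}}


SAMPLE = [  # constructed events, not real log data
    make_event(1, "84.161.151.216", user_verified=False),  # mirrors the page's event
    make_event(2, "203.0.113.7"),
    make_event(2, "203.0.113.7"),
    make_event(1, "198.51.100.4", type_uid=300299),  # malformed on purpose
]

if __name__ == "__main__":
    print([triage(e) for e in SAMPLE], failures_by_ip(SAMPLE))
```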

3. Streaming

All security log events can be streamed in real time to external systems for monitoring, analysis, and compliance purposes. Our streaming implementation includes robust retry logic to ensure reliable delivery of security events. This capability is particularly useful for feeding security log events into your SIEM (Security Information and Event Management) system for centralized security monitoring and alerting.

3.1. Supported Destinations

Corbado supports streaming to the following systems:
  • Amazon EventBridge
  • Coralogix
  • Datadog
  • Dynatrace
  • Elastic
  • Honeycomb
  • LogicMonitor
  • New Relic
  • Snowflake
  • Splunk
  • Sumo Logic
Additionally, you can stream events to an HTTP endpoint, providing maximum flexibility to connect security logs to any system of your choice.